Friday, December 11, 2009

318x.com, 7o8.net and other evil "Eldorado" domains

The already well-documented domain 318x.com resolves to the following IP address, according to the Malwareurl web site:



Neither 318x.com nor 3b3.org currently appears to be active. A third domain, however, still appears to be operating at the time of writing:

z360.net/c.js

To gauge how widely this domain has spread, the following Google query (the same approach used for 318x.net) gives this result:

The google query:

http://www.google.it/search?hl=en&safe=off&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=Kbr&num=100&q=%22%3Cscript+src%3D%22z360.net%2Fc.js%22%3E%3C%2Fscript%3E%22&btnG=Search&aq=f&oq=

The result:


...about 871,000 results.
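As an added example (not part of the original post), a small Python scanner that pulls every script and iframe source out of an HTML page, flags hosts on a constructed watchlist of the domains named here, and defangs them for reporting (hxxp and bracketed dots rather than the post's hzzzzp convention):

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed watchlist built from the domains named in this post; a real
# deployment would load a maintained blocklist instead.
WATCHLIST = {"318x.com", "3b3.org", "z360.net", "7o8.net",
             "aa345.7766.org", "down.ismydns.com.cn"}

class InjectFinder(HTMLParser):
    """Collect the src of every <script> and <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))

def normalize(src):
    # Injected tags often omit the scheme ("z360.net/c.js"); assume http then.
    return src if "://" in src else "http://" + src

def defang(src):
    """Make a URL non-clickable for reports: hxxp scheme, bracketed dots in host."""
    u = urlsplit(normalize(src))
    tail = u.path + ("?" + u.query if u.query else "")
    return "hxxp://" + u.netloc.replace(".", "[.]") + tail

def scan_html(html):
    """Return watchlisted script/iframe references found in an HTML page."""
    parser = InjectFinder()
    parser.feed(html)
    hits = []
    for tag, src in parser.refs:
        host = (urlsplit(normalize(src)).hostname or "").lower()
        if host in WATCHLIST or any(host.endswith("." + w) for w in WATCHLIST):
            hits.append({"tag": tag, "host": host, "url": defang(src)})
    return hits

# Constructed sample page: the injected tag the Google query above searches for,
# a hidden iframe to 7o8.net, and one benign script that must not match.
SAMPLE_PAGE = ('<html><body><script src="z360.net/c.js"></script>'
               '<iframe src="http://7o8.net/a.htm" width=0 height=0></iframe>'
               '<script src="https://cdn.example.org/app.js"></script></body></html>')
```

Run `scan_html(SAMPLE_PAGE)` over saved copies of pages you administer to spot the same kind of injected tag; subdomains of a listed host (such as aa345.7766.org under 7766.org) are matched by the suffix check.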

Looking deeper: what does z360.net/c.js contain? An iframe pointing to another, more interesting domain:



Whois behind 7o8.net:


To speed things up, the script hosted by 7o8.net was analyzed with Wepawet:

http://wepawet.cs.ucsb.edu/view.php?hash=a78cf4440cf2330241663f84b2bfda19&t=1260713628&type=js

Retrieving http://7o8.net/a.htm reveals another redirection step:



Calling hzzzzp://aa345.7766.org:8688/downhtml/alt.html?ff reveals the following malicious exploit and spreading URLs
(replace hzzzzp with http at your own risk):

hzzzzp://aa345.7766.org:8688/downhtml/share.html
hzzzzp://js.tongji.linezing.com/1364033/tongji.js
hzzzzp://www.linezing.com
hzzzzp://img.tongji.linezing.com/1364033/tongji.gif

Specifically, http://aa345.7766.org:8688/downhtml/share.html calls the following URL:

hzzzzp://aa345.7766.org:8688/downhtml/a4.htm

which calls:

hzzzzp://aa345.7766.org:8688/downhtml/14.js
hzzzzp://aa345.7766.org:8688/downhtml/15.js
hzzzzp://aa345.7766.org:8688/downhtml/17.js
hzzzzp://aa345.7766.org:8688/downhtml/16.js
hzzzzp://aa345.7766.org:8688/downhtml/18.js
hzzzzp://aa345.7766.org:8688/downhtml/19.js

The first script (14.js) calls this odd URL:
hzzzzp://down.ismydns.com.cn:8788/down.css

From there one of the "Eldorado" rootkit droppers can be downloaded (VirusTotal analysis):
https://www.virustotal.com/analisis/7110a7dafa4c30c307b291787c6670149508a2e03616bc1c6a9e2d73d3e2de34-1260805081


...and what Robtex says about down.ismydns.com.cn:


The whois response:



The other URLs that invoke the various .js scripts remain to be checked, but a first analysis suggests they contain exploit code targeting certain vulnerabilities.

Finally, the ThreatExpert analysis of the binary above:
http://www.threatexpert.com/report.aspx?md5=bfe0223fe1d1883de1baeae607c88740
