Guess who's back... "RunForestRun" @MalwareMustDie >> http://t.co/DnyaS6eNpI For everyone else, FYI: http://t.co/HjMJm53qr3 #malwaremustdie
— Bart (@bartblaze) October 31, 2013
Yes, I fetched it and took a look:

--2013-11-02 17:06:54-- h00p://portail-val-de-loir.com/
Resolving portail-val-de-loir.com... seconds 0.00, 85.10.130.29
Caching portail-val-de-loir.com => 85.10.130.29
Connecting to portail-val-de-loir.com|85.10.130.29|:80... seconds 0.00, connected.
: GET / HTTP/1.0
Referer: remember.us.malwaremustdie.org
Host: portail-val-de-loir.com
HTTP request sent, awaiting response...
: HTTP/1.1 200 OK
Date: Sat, 02 Nov 2013 08:06:30 GMT
Server: Apache/2.2.9 (Debian) mod_jk/1.2.26 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Last-Modified: Thu, 12 Jul 2012 01:52:59 GMT
ETag: "18f21da-32bd2b-4c498391b34c0"
Accept-Ranges: bytes
Content-Length: 3325227
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
: 200 OK
Registered socket 1896 for persistent reuse.
Length: 3325227 (3.2M) [text/html]
Saving to: `index.html'
100%[============================>] 3,325,227 103K/s in 39s
2013-11-02 17:07:35 (83.0 KB/s) - `index.html' saved [3325227/3325227]

This is the real worst case of code injection: the index.html was injected more than 50 times with the obfuscated JavaScript code. The sample is here, with password=infected -->>[MMD Mediafire]. The obfuscation method has been improved, as per the marked parts below, by trying to mimic the look of the Google Analytics script:
The first decoding process can be viewed here -->>[MMD Pastebin]
And the result is the well-known DGA code below:
This is exactly the same code as in our case posted on July 23, 2013 here -->>[MMD PREV.POST]
So we have seen RunForestRun for almost one year, and the logic hasn't changed a bit. Just in case someone meets a similar case or code in the future, I made a simple script for you to use if you see one, as per the snipped GOOD code and the "howto" below:
// manual crack...@unixfreaxjp
// Erase the whole setTimeout(function () {...}) block, we don't need that mess,
// and replace it with the code below.
// (Make sure you keep the rest of the functions from the decoded script,
// in particular generatePseudoRandomString(), which is where the DGA lives.)
// The code:
var nextday = new Date();
nextday.setFullYear(2013);
for (var month = 0; month < 12; month++) {      // 0 = January ... 11 = December
  nextday.setMonth(month);
  for (var day = 1; day <= 31; day++) {         // a day past the month's end rolls over and only repeats a date
    // setDate() returns the timestamp in milliseconds; the DGA is seeded with unix seconds
    var unix = Math.round(nextday.setDate(day) / 1000);
    // 16-character label under the .ru TLD, exactly as the malware generates it
    var domainName = generatePseudoRandomString(unix, 16, 'ru');
    document.write(day + " | " + domainName + " | " + nextday + "\n");
  }
}

Using the script above you can extract the domains per date, as per the snippet below:
1 | oxkjnvhjnvnegtyb.ru | Tue Oct 01 2013 17:36:40 GMT+0900
2 | bloxgsfzinxmdspt.ru | Wed Oct 02 2013 17:36:40 GMT+0900
3 | mxpgggggukxqteoy.ru | Thu Oct 03 2013 17:36:40 GMT+0900
4 | yjsovtnpgbwqcbbd.ru | Fri Oct 04 2013 17:36:40 GMT+0900
5 | lwtcxuzbdrsnpqfb.ru | Sat Oct 05 2013 17:36:40 GMT+0900
6 | xiwlnutkxsqxwjge.ru | Sun Oct 06 2013 17:36:40 GMT+0900
7 | kwyyhhqtwxupnhyu.ru | Mon Oct 07 2013 17:36:40 GMT+0900
8 | wicjgufeimlbmcus.ru | Tue Oct 08 2013 17:36:40 GMT+0900
9 | ivewawjppavmkhwx.ru | Wed Oct 09 2013 17:36:40 GMT+0900
10 | uihgxtcniyolbobp.ru | Thu Oct 10 2013 17:36:40 GMT+0900
11 | hvitmnanuzbabudp.ru | Fri Oct 11 2013 17:36:40 GMT+0900
12 | thldkvcgbkzcbfxw.ru | Sat Oct 12 2013 17:36:40 GMT+0900
13 | gunqeyhnrhskxjdr.ru | Sun Oct 13 2013 17:36:40 GMT+0900
14 | shqyztdrsofsjnib.ru | Mon Oct 14 2013 17:36:40 GMT+0900
15 | eusngyfurlziprua.ru | Tue Oct 15 2013 17:36:40 GMT+0900
((snipped))

The complete list of 709 days is extracted here --->>[MMD PASTEBIN]
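As an added defender-side example (not code from the original post or from the MMD tools): once a per-date list like the one above exists, it can be matched against DNS query logs to find the hosts that resolved a RunForestRun domain and the DGA date each hit belongs to. The domain/date pairs are the first five rows above; the BIND-style log lines are constructed, and the 16-letter .ru shape check is only a weak heuristic added here.

```javascript
// Added example (not from the original post or the MMD tools): match DNS query
// logs against a per-date RunForestRun domain list. Domain/date pairs are the
// first five rows of the post's output; the log lines below are constructed.
const DGA_DOMAINS = [
  ["oxkjnvhjnvnegtyb.ru", "2013-10-01"],
  ["bloxgsfzinxmdspt.ru", "2013-10-02"],
  ["mxpgggggukxqteoy.ru", "2013-10-03"],
  ["yjsovtnpgbwqcbbd.ru", "2013-10-04"],
  ["lwtcxuzbdrsnpqfb.ru", "2013-10-05"],
];
const DGA_BY_DOMAIN = new Map(DGA_DOMAINS);

// Weak heuristic only: this DGA emits 16 lowercase letters under .ru.
const DGA_SHAPE = /^[a-z]{16}\.ru$/;

// Constructed BIND-style query log (not real traffic).
const SAMPLE_LOG = `
02-Nov-2013 17:10:01.123 queries: info: client 10.0.0.5#51234: query: www.example.com IN A +
02-Nov-2013 17:10:02.456 queries: info: client 10.0.0.7#40211: query: bloxgsfzinxmdspt.ru IN A +
02-Nov-2013 17:10:03.789 queries: info: client 10.0.0.7#40212: query: qwertyuiopasdfgh.ru IN A +
02-Nov-2013 17:10:04.000 queries: info: client 10.0.0.9#40213: query: mail.example.org IN MX +
`;

const QUERY_RE = /client ([\d.]+)#\d+: query: (\S+) IN (\w+)/;

// One finding per suspicious query: exact list hits are "known" (with the DGA
// date they belong to), 16-letter .ru names not on the list are "dga-like".
function scanQueryLog(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    const m = QUERY_RE.exec(line);
    if (!m) continue;
    const client = m[1];
    const domain = m[2].toLowerCase().replace(/\.$/, "");
    if (DGA_BY_DOMAIN.has(domain)) {
      findings.push({ client, domain, kind: "known", dgaDate: DGA_BY_DOMAIN.get(domain) });
    } else if (DGA_SHAPE.test(domain)) {
      findings.push({ client, domain, kind: "dga-like", dgaDate: null });
    }
  }
  return findings;
}

// Hosts that resolved a listed domain: the ones to isolate and inspect first.
function affectedClients(findings) {
  return [...new Set(findings.filter(f => f.kind === "known").map(f => f.client))].sort();
}
```

Feed it the full 709-day list instead of the five rows to cover the whole campaign window; "dga-like" findings are leads to verify, not confirmed hits.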
And with our useful tools here --->>[MMD Google Code], following the DGA Procedure Wiki here -->>[MMD Wiki], I came to the result that the domains below are activated NOW (format: domain, IP, DNS, and DATE):

yalkzsvudybexfgd.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Apr 16
lomxtgmgrswlgrrn.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Apr 17
wzbdwenwshfzglwt.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 17
jnfrqmekhoevppvw.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 18
vygzhvfiuommkqfj.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 19
imjosxuhbcdonrco.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 20
bhigmqckbqhleqlo.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Nov 06
nsjosicxuhpidhlp.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Nov 07

And I also found the domains below blocked/sinkholed:

gatrxzmokglyvnqh.ru, 195.22.26.253, 195.22.26.254, ns1.csof.net. ns2.csof.net.
smvydqivtigcadxb.ru, 195.22.26.253, 195.22.26.254, ns1.csof.net. ns2.csof.net.

I can say the reputation of IP 91.233.244.102 is not good:
Virus Total history (with thanks!) -->>[HERE]
URLQuery records (many thanks) -->>[URLQuery]
Sometimes the bad guys have a unique way to greet us! :-))
Below are the bad URLs that can be switched alive:

h00p://yalkzsvudybexfgd.ru/runforestrun?sid=botnet2
h00p://lomxtgmgrswlgrrn.ru/runforestrun?sid=botnet2
h00p://wzbdwenwshfzglwt.ru/runforestrun?sid=botnet2
h00p://jnfrqmekhoevppvw.ru/runforestrun?sid=botnet2
h00p://vygzhvfiuommkqfj.ru/runforestrun?sid=botnet2
h00p://imjosxuhbcdonrco.ru/runforestrun?sid=botnet2
h00p://bhigmqckbqhleqlo.ru/runforestrun?sid=botnet2
h00p://nsjosicxuhpidhlp.ru/runforestrun?sid=botnet2

Just in case, I recorded them all in URLQuery (thanks guys!):

http://urlquery.net/report.php?id=7388672
http://urlquery.net/report.php?id=7388677
http://urlquery.net/report.php?id=7388681
http://urlquery.net/report.php?id=7388683
http://urlquery.net/report.php?id=7388687
http://urlquery.net/report.php?id=7388692
http://urlquery.net/report.php?id=7388694
http://urlquery.net/report.php?id=7388701

Those detected domains are all registered through REGGI.RU of the Russian Federation:
And the IP whois information also pointed to a St. Petersburg IDC:
I really hope to see all the domains generated by this logic blocked; otherwise they will surely come back with much better obfuscation.
#MalwareMustDie!!