Run, Forest!

Published: 2012-06-22
Last Updated: 2012-06-24 14:46:24 UTC
by Daniel Wesemann (Version: 1)
3 comment(s)


Yeah, I know, I probably get the prize for the ISC Diaries with the weirdest titles lately. Blame it on the bad guys, who are showing more creativity in naming their malware than I ever would be able to muster ... and who also don't seem to know the difference between a forest and a Forrest :).

The latest malware sample is what Symantec calls "JS.Runfore". A recent URL might tell you why:

http:// xmexlajhysktwdqe. ru/runforestrun?sid=cx   (don't click)

Plenty of web pages currently seem to be infected with manipulated jQuery files, which contain obfuscated JavaScript code that generates the foresty URLs. The generated domain names change based on time and date. "Successful" connections are met by a series of 302 redirects that so far (for me) have not resulted in any real payload. The above URL redirects via moneyold. ru to freshtds. ru, where it ends (for me) in a 404 error.
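A defender's first question here is what this looks like in a proxy log. The following Python is an added example, not code from the diary or from any tool it links: it flags requests on the runforestrun path or to a long, random-looking hostname, and reconstructs a client's 302 redirect chain up to the host where it ends. The log format, the sample lines and the hostname thresholds are constructed assumptions of mine; the path and host names are the ones the diary quotes.

```python
import math
import re
from collections import Counter

RUNFORE_PATH = re.compile(r"/runforestrun\?sid=", re.IGNORECASE)  # path signature from the diary
MIN_LABEL_LEN, MIN_ENTROPY = 12, 3.5  # hostname thresholds are assumptions, not from the diary
LINE = re.compile(r"^(\S+) (\d{3}) \S+ (?:https?://)?([^/\s]+)(\S*)$")  # client status host path
# Constructed sample log (not a real capture); the hosts and path are the ones the diary names.
SAMPLE_LOG = """\
10.0.0.5 200 GET http://www.example.com/js/jquery.js
10.0.0.5 302 GET http://xmexlajhysktwdqe.ru/runforestrun?sid=cx
10.0.0.5 302 GET http://moneyold.ru/
10.0.0.5 404 GET http://freshtds.ru/
10.0.0.9 200 GET http://cdn.example.org/images/logo.png
"""

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_generated(host: str) -> bool:
    """DGA heuristic: long, high-entropy second-level label (e.g. xmexlajhysktwdqe)."""
    labels = host.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else ""
    return len(sld) >= MIN_LABEL_LEN and shannon_entropy(sld) >= MIN_ENTROPY

def parse(log_text: str) -> list[tuple]:
    rows = (LINE.match(line) for line in log_text.splitlines())  # malformed lines are skipped
    return [(m[1], int(m[2]), m[3], m[4]) for m in rows if m]

def scan(log_text: str) -> list[dict]:
    """One finding per line that hits the path signature or the hostname heuristic."""
    findings = []
    for client, status, host, path in parse(log_text):
        reasons = [r for r, hit in (("runforestrun path", RUNFORE_PATH.search(path)),
                                    ("random-looking hostname", looks_generated(host))) if hit]
        if reasons:
            findings.append({"client": client, "host": host, "status": status, "reasons": reasons})
    return findings

def redirect_chain(log_text: str, client: str) -> list[str]:
    """Hosts from the client's first finding through its 302 hops to the first non-302 reply."""
    flagged = {f["host"] for f in scan(log_text) if f["client"] == client}
    chain = []
    for c, status, host, _ in parse(log_text):
        if c == client and (chain or host in flagged):
            chain.append(host)
            if status != 302:
                break
    return chain
```

On the sample log, `scan` reports the single runforestrun request and `redirect_chain` returns the three hosts of the 302, 302, 404 sequence the diary describes.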

Here's a recent Wepawet report for an infected site (OK to click, but better don't click on any of the links in the report):
http://wepawet.iseclab.org/view.php?hash=e89cfa2fa6a91f90acfeb125c10c1f0f&t=1340389400&type=js


Please let us know in the comments below or via our contact form if you have additional information on Forrest (or Jenny, or Lieutenant Dan :).



Keywords: malware

Comments

Perhaps it's a clever pun. As in, "Can't see the forest for the trees." If you think of bots as trees, then bot herders are simply trying to get a forest to run!

Final sentence of paragraph 4 lists one of the redirection URLs as freshtds.RU; however, Wepawet states it is freshtds.EU.
This is what happens when you get hit by a payload from one of these sites (Blackhole Exploit Kit):
http://wepawet.cs.ucsb.edu/view.php?hash=d3e3cd3e4620cc7f2ad9e3252976d7f3&t=1340286074&type=js

Java, PDF, Flash and HCP exploits try to install zbot and other malware. Detection now is decent but when I investigated these samples on 21-6-12 detection was very poor.
https://www.virustotal.com/file/63001ffaae0e931486062f74a5a2976713adc99734f961cc42b2f0c755e96444/analysis/
https://www.virustotal.com/file/dcc3071540c6194f8971af0ed6a821c6cd0ad46caf07e95f73d257430c89409e/analysis/
https://www.virustotal.com/file/8ddc64b321ee7615eab3b6f7504b98422acb7b939a171a466c04706195300d59/analysis/
