
SANS ISC: InfoSec Handlers Diary Blog - Run, Forest!



Run, Forest!

Published: 2012-06-22
Last Updated: 2012-06-24 14:46:24 UTC
by Daniel Wesemann (Version: 1)
3 comment(s)


Yeah, I know, I probably get the prize for the ISC Diaries with the weirdest titles lately. Blame it on the bad guys, who are showing more creativity in naming their malware than I ever would be able to muster ... and who also don't seem to know the difference between a forest and a Forrest :).

The latest malware sample is what Symantec calls "JS.Runfore". A recent URL might tell you why:

http:// xmexlajhysktwdqe. ru/runforestrun?sid=cx   (don't click)

Plenty of web pages currently seem to be infected via modified jQuery files, which contain obfuscated JavaScript code that generates the foresty URLs. The generated domain names change based on time and date, so the list of contact points is different from one day to the next. "Successful" connections are met by a series of 302 redirects that so far (for me) have not resulted in any real payload. The above URL redirects via moneyold. ru to freshtds. ru, where it ends (for me) in a 404 Error.
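To make the "domain names change based on time and date" behaviour concrete, here is an added illustration of a date-seeded domain generation algorithm in JavaScript. This is editor-written example code, not the JS.Runfore script itself: the PRNG (mulberry32), the seeding from the UTC calendar date, the 16-letter label length, the .ru TLD and the domains-per-day count are all assumptions chosen for illustration. The point it shows is the defender's angle: once the generator and its seed are known, the same code pre-computes the domains for any future day, which is what you need to feed a blocklist or DNS sinkhole ahead of time.

```javascript
// Added example (not the JS.Runfore code): a date-seeded DGA of the kind the
// diary describes. PRNG, seed derivation, 16-letter labels and the .ru TLD
// are assumptions chosen for illustration.

// mulberry32: small, deterministic 32-bit PRNG. Same seed -> same sequence,
// which is exactly the property a DGA relies on.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296; // float in [0, 1)
  };
}

// Seed from the UTC calendar date (e.g. 2012-06-22 -> 20120622) so every
// infected browser running on the same day derives the same domain list.
// Assumption: the real malware's seed derivation is not reproduced here.
function daySeed(date) {
  return (date.getUTCFullYear() * 10000 +
          (date.getUTCMonth() + 1) * 100 +
          date.getUTCDate()) >>> 0;
}

// Generate `count` candidate domains for one date: lowercase a-z labels of
// `length` characters plus the TLD. Deterministic for a given date.
function generateDomains(date, count, length = 16, tld = ".ru") {
  const rand = mulberry32(daySeed(date));
  const domains = [];
  for (let i = 0; i < count; i++) {
    let label = "";
    for (let j = 0; j < length; j++) {
      label += String.fromCharCode(97 + Math.floor(rand() * 26)); // 'a'..'z'
    }
    domains.push(label + tld);
  }
  return domains;
}

// Malware side: today's beacon URL, mirroring the shape of the URL in the
// diary (path and parameter taken from the observed sample).
function beaconUrl(date) {
  return "http://" + generateDomains(date, 1)[0] + "/runforestrun?sid=cx";
}

// Defender side: pre-compute `days` days of domains starting at `start`
// (Date.UTC handles month/year rollover) for a blocklist or DNS sinkhole.
function blocklistForRange(start, days, perDay) {
  const out = new Set();
  for (let d = 0; d < days; d++) {
    const date = new Date(Date.UTC(start.getUTCFullYear(),
                                   start.getUTCMonth(),
                                   start.getUTCDate() + d));
    for (const dom of generateDomains(date, perDay)) out.add(dom);
  }
  return out;
}

// Usage: print the next week of domains from the diary's publication date.
if (typeof require !== "undefined" && require.main === module) {
  const start = new Date(Date.UTC(2012, 5, 22));
  console.log(beaconUrl(start));
  for (const dom of blocklistForRange(start, 7, 3)) console.log(dom);
}
```

The practical caveat: a pre-computed blocklist is only as good as your recovery of the real seed derivation and constants from the deobfuscated script. If the malware seeds from anything other than the date (for example a value fetched from the infected page), the domains are not predictable offline and you have to fall back on the redirect chain and the fixed path and parameter as indicators.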

Here's a recent Wepawet report for an infected site (OK to click, but better don't click on any of the links in the report)
http://wepawet.iseclab.org/view.php?hash=e89cfa2fa6a91f90acfeb125c10c1f0f&t=1340389400&type=js


Please let us know in the comments below or via our contact form if you have additional information on Forrest (or Jenny, or Lieutenant Dan :).



Keywords: malware