Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Google Counter ... isn't - SANS Internet Storm Center


Google Counter ... isn't
Those of you who have seen the "google-analytics" URL in your logs before might be tempted to assume (as I was) that google-counter[dot]com is just another incarnation of the same. I even at first discounted that my anti-virus complained about "obfuscated javascript", thinking that Google must have cooked up some really complicated Ajax mess again that misled my AV to a false positive.

But no. On a second look, the site tries to download an ANI cursor exploit. And wait - there are lots more IFRAMEs. Ouch! This definitely ain't Google!

z-014-1.php contains an obfuscated exploit for MS06-014
z-014-3.php contains another exploit for MS06-014
z-create-o.php contains the IE CreateObject exploit (as seen on Metasploit TV)
z-cs-an.php is an obfuscated exploit for MS07-017
z-java1.php is an oldie, the Java-ByteVerify exploit

All of these try to download and run a file "down.exe" off the same site, which in turn downloads and runs a Browser Helper Object (BHO) off someplace else. The BHO is a key logger / banking trojan. We have decoded the configuration file that tells the trojan what to do - you can look at the file under http://handlers.sans.org/dwesemann/decoded-bho-helper.txt . Yes, lots of banks... Thanks to fellow handlers Lorna and Pedro for help with the analysis.
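The chain above (exploit landing page, then down.exe from the same host) is exactly the sequence a proxy log can be correlated on. The following is an added example, not code from the diary: it walks constructed proxy log lines and reports clients that hit one of the landing pages listed above and then fetched down.exe from the same host within a short window. The log format and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (not from the diary): ts client method url status
SAMPLE_LOG = """\
2007-04-10T10:00:01 10.0.0.5 GET http://google-counter.com/z-cs-an.php 200
2007-04-10T10:00:03 10.0.0.5 GET http://google-counter.com/down.exe 200
2007-04-10T10:01:10 10.0.0.7 GET http://www.google-analytics.com/urchin.js 200
2007-04-10T10:02:00 10.0.0.9 GET http://google-counter.com/z-java1.php 404
2007-04-10T10:20:00 10.0.0.9 GET http://google-counter.com/down.exe 200
"""

# Landing pages named in the diary and the payload they all try to fetch
EXPLOIT_PAGES = {"z-014-1.php", "z-014-3.php", "z-create-o.php", "z-cs-an.php", "z-java1.php"}
PAYLOAD = "down.exe"
BAD_HOST = "google-counter.com"

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/]+)/([^?]*)")

def parse(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    host, path = u.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": host.lower(), "file": path.rsplit("/", 1)[-1], "status": int(status)}

def find_driveby_chains(log_text, window=timedelta(seconds=60)):
    """Return {client: [(landing_page, payload_ts)]} for clients that successfully (HTTP 200)
    loaded an exploit page on BAD_HOST and then fetched PAYLOAD from it within `window`."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["host"] == BAD_HOST and rec["status"] == 200:
            per_client[rec["client"]].append(rec)
    hits = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        for land in (r for r in recs if r["file"] in EXPLOIT_PAGES):
            for r in recs:
                if r["file"] == PAYLOAD and land["ts"] <= r["ts"] <= land["ts"] + window:
                    hits.setdefault(client, []).append((land["file"], r["ts"].isoformat()))
                    break
    return hits
```

Client 10.0.0.9 is not reported: its landing-page request failed (404) and its down.exe fetch is far outside the window, so it would warrant a look but not the same confidence as a completed chain.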

Caution: The google-counter site is still live at the time of writing. Sink yourself at your own risk.
Daniel

ISC Handler
