Is JS:Trojan.Script.AAR on this site detected?

Re: https://www.virustotal.com/url/48ecd28f1252d20c9f132efb3b5cac30ef93270b9189f63487b932806b429036/analysis/

See: https://www.virustotal.com/file/fb523956e34d9b3ae4f01a0bc1426ee83f11a5aeeefb398c87df53ada2d2ae8a/analysis/

Analysis: http://wepawet.iseclab.org/view.php?hash=991d497b0353713c0ae5f55ee7ccc425&t=1354247317&type=js
Malware is up and alive…
reported to virus AT avast dot com

polonus

The threat is in this list of what is being blocked by ExploitShield 0.7:
http://www.zerovulnerabilitylabs.com/webconsole/lv.php
Re: on this request from that URL: htxp://dimarikanko.ru:8080/forum/links/column.php
Read: http://blog.dynamoo.com/2012/11/wire-transfer-spam-dimarikankoru.html (post link author = Conrad Longmore)
Now redirected to: htxp://podarunoki.ru:8080/forum/links/column.php Site blacklisted at ws.surbl.org (sa-blacklist web sites),
consider for this: http://wepawet.iseclab.org/view.php?hash=c84606715f3df702cd706d51fd82d780&t=1354312824&type=js

polonus

Hi Polonus,

I get:
HTTP/1.1 200 OK
Date: Fri, 30 Nov 2012 22:09:16 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Fri, 30 Nov 2012 21:56:41 GMT
ETag: "3c80d6-1a6-797f5840"
Accept-Ranges: bytes
Content-Length: 422
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

See the image attached. It’s a pretty simple JavaScript redirect, no obfuscation or any of those sorts. There is also no use of HTML’s meta refresh tag, so disabling JavaScript for that website will prevent the redirect. Since the redirected file is .php, you have the ability to check the referrer and return different content based upon that knowledge. For example, accessing the site directly redirects you to Google whilst the defined ‘exploit sites’ will be validated and the exploit code will be executed.

~!Donovan
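
An added example, not part of the original post or the thread: a static check for the kind of page described above, reporting whether each redirect is script-driven or a meta refresh, and whether it leaves the site or uses a non-default port. The sample HTML, the function names and the example.invalid host names are constructed for illustration; only the /forum/links/column.php path comes from the thread.

```javascript
// Static triage of a small HTML page for client-side redirects (added example).
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const JS_REDIRECT_RE =
  /\blocation(?:\.href)?\s*=\s*["']([^"']+)["']|\blocation\.(?:replace|assign)\(\s*["']([^"']+)["']/g;
const META_RE = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*>/gi;
const META_URL_RE = /url\s*=\s*["']?([^"'>\s;]+)/i;

function describe(mechanism, target, pageUrl) {
  const page = new URL(pageUrl);
  const dest = new URL(target, page); // also resolves relative targets
  return {
    mechanism,
    target: dest.href,
    offSite: dest.hostname !== page.hostname,
    oddPort: dest.port !== "", // URL reports "" for the scheme's default port
  };
}

function findRedirects(html, pageUrl) {
  const found = [];
  for (const [, body] of html.matchAll(SCRIPT_RE)) {
    for (const m of body.matchAll(JS_REDIRECT_RE)) {
      found.push(describe("script", m[1] || m[2], pageUrl));
    }
  }
  for (const [tag] of html.matchAll(META_RE)) {
    const m = META_URL_RE.exec(tag);
    if (m) found.push(describe("meta-refresh", m[1], pageUrl));
  }
  return found;
}

// True when every redirect needs script execution, so script blocking stops it.
function stoppedByDisablingJs(redirects) {
  return redirects.length > 0 && redirects.every((r) => r.mechanism === "script");
}

// Constructed samples: a script-only redirect page, and the same page with a meta refresh.
const PAGE_URL = "http://compromised.example.invalid/inform.htm";
const SAMPLE_JS_ONLY = `<html><body>
<h1>Please wait a moment ... You will be forwarded...</h1>
<script type="text/javascript">
document.location = "http://landing.example.invalid:8080/forum/links/column.php";
</script></body></html>`;
const SAMPLE_WITH_META = SAMPLE_JS_ONLY.replace("<body>",
  '<meta http-equiv="refresh" content="0; url=/next.htm"><body>');

console.log(findRedirects(SAMPLE_JS_ONLY, PAGE_URL));
```

Referrer-dependent responses from the server are not visible to this check, since it only sees the HTML returned for one request.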

Hi !Donovan,

Thanks for the analysis of the workings of this malcode redirect, dangerous through the sheer simplicity of it…

pol

Gigantic outbreak of this trojan, example: http://zulu.zscaler.com/submission/show/162a5c3ae27dfd624d8575fb11359240-1354370860
See how many sites are being reported on VirusWatch and missed on VT:
https://www.virustotal.com/url/3df01cb7cea21ab96358f3a410c83860130c297271ab34af188e7586e5e34cab/analysis/1354371196/
100/100 malicious: http://zulu.zscaler.com/submission/show/7bf24bf5fd0f22b64b3ecc7e7b621203-1354371258

pol

Hello!

Yesterday I sent a sample to the lab, but it has not yet been added.

But now there is another sample at this location (also sent).

https://www.virustotal.com/file/7bf84b13b4fdb5ff64b116f0c66558425b2cd8bd98399208efd6b853e8bfbf8d/analysis/1354374333/
https://www.virustotal.com/file/c33eb2756a4c33d107f4199a0765d9a8fedd4d0ffc8a2dba3bf027e99ca15796/analysis/1354374511/

But that’s sad for heuristics: avast just refreshed the base, one Redirect added, and the same … the only difference is that the address is not defined.

1.jpg
https://www.virustotal.com/file/fb523956e34d9b3ae4f01a0bc1426ee83f11a5aeeefb398c87df53ada2d2ae8a/analysis/1354375911/

2.jpg
https://www.virustotal.com/file/a7cfba9dbfd214604c071102b867a605ee0e633930007f8af8199db2a7169570/analysis/1354375913/

Hi Dim@rik,

You are right considering these scan results: http://vscan.urlvoid.com/analysis/0bb5e8bb9d37d66cd88bffb7123bd8f6/aW5mb3JtLWh0bQ==/
Missed here: http://quttera.com/detailed_report/cooltech.sh.cn
DrWeb’s doing a far better job here: http://zulu.zscaler.com/submission/show/6ff1084e23dfb6e6cd6a8111ef8fabb1-1354376569
Found us here: http://page2rss.com/0c669301342daa7531783b3e1be8979b/6271619_6271863/issues
9.55 min. htxp://cooltech.sh.cn/inform.htm
Checking:http://cooltech.sh.cn/inform.htm
DrWeb’s URL checker:
Engine version:7.0.4.9250
Total virus-finding records:3425145
File size:422 bytes
File MD5:0bb5e8bb9d37d66cd88bffb7123bd8f6

htxp://cooltech.sh.cn/inform.htm - archive JS-HTML

htxp://cooltech.sh.cn/inform.htm/JSTAG_1[11b][6e] infected with JS.Redirector.155
Given as suspicious here: http://zulu.zscaler.com/submission/show/6ff1084e23dfb6e6cd6a8111ef8fabb1-1354376569
Going there, the redirect is being blocked by NoScript: "Please wait a moment … You will be forwarded…
Internet Explorer / Mozilla Firefox compatible only"
In second instance then the avast Networkshield will alert to:
htxp://podarunoki.ru:8080/forum/links/column.php
And when we should go there the avast Networkshield will block this url as URL mal
See: http://urlquery.net/queued.php?id=4049412
IDS alert for ET CURRENT_EVENTS Blackhole 2 Landing Page (5)

polonus

The malicious payload is at [donotclick]podarunoki.ru:8080/forum/links/column.php hosted on some familiar IP addresses which should be blocked if you can (spamvertising bot net activity)

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
see: http://www.mywot.com/en/scorecard/203.80.16.81/comment-48798241

The following domains are also on the same servers:
as reported by Conrad Longmore on Dynamoo’s Blog
variation on fake Nacha spam and other similar spam runs…

Another one not detected here: https://www.virustotal.com/url/2d44a09b29d5003e519697359cb9f108c4fdab6f0fbbcdbc8ce7ddf28e964f89/analysis/1354390121/
and flagged here: http://urlquery.net/report.php?id=267815

polonus

Sucuri http://sitecheck.sucuri.net/results/chaikot.ru/

Another one as to show that this is a real campaign:
Checking:htxp://sleep360.cn/inform.htm
Engine version:7.0.4.9250
Total virus-finding records:3425215
File size:422 bytes
File MD5:0bb5e8bb9d37d66cd88bffb7123bd8f6

htxp://sleep360.cn/inform.htm - archive JS-HTML

htxp://sleep360.cn/inform.htm/JSTAG_1[11b][6e] infected with JS.Redirector.155

Noscript stops like:
Please wait a moment … You will be forwarded…
Internet Explorer / Mozilla Firefox compatible only

htzp://podarunoki.ru:8080/forum/links/column.php
With only wepawet flagging this, see:
https://www.virustotal.com/url/78e8957d03b369b76ca32897d5bf5f23187ad606a4f8abc8cfc3ee22d3b21ad1/analysis/1354397371/

polonus

Recent detection rates stand at 10 out of 45 and 8 out of 33

http://www.virustotal.com/latest-report.html?resource=0bb5e8bb9d37d66cd88bffb7123bd8f6
https://www.virustotal.com/file/a7cfba9dbfd214604c071102b867a605ee0e633930007f8af8199db2a7169570/analysis/
https://www.virustotal.com/file/06cf22f2e474d1a140808d8f14931c0914b5307fb0162d04f86845e95f54c085/analysis/
Malware campaign started 2012-12-01 02:31:02
Google Safebrowsing blocks this malware from:
htxp://recyclingthewind.com/inform.htm
htxp://www.prostyle.com.tw/inform.htm
and
htxp://www.camelieantiche.com/inform.htm

polonus