_vti_bin/nav_links.php


First layer - De-obfuscated code "nav_links.php"
After the second layer is de-obfuscated, a few URLs appear:
- http://tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKYgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKKYK
- http://tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKWgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKYK (DirectShow 0Day)
- http://tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKWgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKKe (QuickTime)
- http://tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKYgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKKjK
- http://tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKWgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKWS (PDF Exploit) VirusTotal (4/41)
Analysing the malicious PDF on its own leads nowhere, because it depends on a separate function that only becomes visible after the second layer is de-obfuscated. This makes the analysis work harder. A vulnerable Adobe Reader crashes when it opens the PDF file, and the PDF then downloads malware to the system; that payload is detected by most anti-virus products (VirusTotal 38/41).
From the second layer it is obvious that this code launches multiple exploits in one page. And it seems exploiting is not enough: it also redirects to "tapiroten.info":
- tapiroten.info/lin.cgi?jzo
- tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKKgYluSiFWKeKRWlclXuKYlYcYWieSZZKYeFeRYlSFSjKKKKKKKKKK
- tapiroten.info//lin.cgi?XceKRRySKWKKZKeKKYgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKKYK0 (exe) VirusTotal (23/41)
- tapiroten.info/lin.cgi?jzo
De-obfuscated code:
CLSIDs found:
- BD96C556-65A3-11D0-983A-00C04FC29E36 (MS06-014)
- 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF (CVE-2008-0015)
- 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B (CVE-2007-0717)
- FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6 (CVE-2007-6250)
- AB9BCEDD-EC7E-47E1-9322-D4A210617116 (MDAC Vulnerability)
- BD96C556-65A3-11D0-983A-00C04FC29E3o
- BD96C556-65A3-11D0-983A-00C04FC29E36
- 0006F033-0000-0000-C000-000000000046
- 0006F03A-0000-0000-C000-000000000046
- 6e32070a-766d-4ee6-879c-dc1fa91d2fc3
- 6414512B-B978-451D-A0D8-FCFDF33E833C
- 7F5B7F63-F06F-4331-8A26-339E03C0AE3D
- 06723E09-F4C2-43c8-8358-09FCD1DB0766
- 639F725F-1B2D-4831-A9FD-874847682010
- BA018599-1DB3-44f9-83B4-461454C84BF8
- D0C07D56-7C69-43F1-B4A0-25F5A11FAB19
- E8CCCDDF-CA28-496b-B050-6C07C962476B
- 527196a4-b1a3-4647-931d-37ba5af23037 (CVE-2006-0003)
- d27cdb6e-ae6d-11cf-96b8-444553540000 (CVE-2006-0003)
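A small triage helper, added here as an example and not part of the original analysis: it pulls every CLSID-shaped token out of a de-obfuscated page, normalises case, and labels each one using only the CLSID-to-vulnerability mapping listed above. It also flags tokens that look like a CLSID but are not valid hex (such as the "...E3o" entry in the list), which a strict pattern would silently miss. The sample page below is constructed for the demonstration.

```python
import re

# CLSIDs and labels exactly as given in the list above (no external source).
KNOWN_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "MS06-014",
    "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF": "CVE-2008-0015",
    "02BF25D5-8C17-4B23-BC80-D3488ABDDC6B": "CVE-2007-0717",
    "FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6": "CVE-2007-6250",
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116": "MDAC Vulnerability",
    "527196A4-B1A3-4647-931D-37BA5AF23037": "CVE-2006-0003",
    "D27CDB6E-AE6D-11CF-96B8-444553540000": "CVE-2006-0003",
}

# Loose pattern: anything shaped like 8-4-4-4-12 alphanumerics, so that
# mangled or deliberately malformed CLSIDs are still surfaced for review.
LOOSE = re.compile(
    r"\b([0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12})\b")
# Strict pattern: a well-formed CLSID is hex only.
STRICT = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")

# Constructed sample of a de-obfuscated page (not taken from the real site).
SAMPLE_PAGE = """
<object classid="clsid:bd96c556-65a3-11d0-983a-00c04fc29e36" id="rds"></object>
<object classid="clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"></object>
var o = new ActiveXObject("{BD96C556-65A3-11D0-983A-00C04FC29E3o}");
<object classid="clsid:6e32070a-766d-4ee6-879c-dc1fa91d2fc3"></object>
"""


def extract_clsids(text):
    """Return every CLSID-shaped token, upper-cased, in order of first appearance."""
    found = []
    for match in LOOSE.finditer(text):
        clsid = match.group(1).upper()
        if clsid not in found:
            found.append(clsid)
    return found


def classify(clsid):
    """Label one CLSID: 'malformed' (non-hex), a known label, or 'unknown'."""
    if not STRICT.match(clsid):
        return "malformed"
    return KNOWN_CLSIDS.get(clsid, "unknown")


def triage(text):
    """Map each CLSID found in the text to its label."""
    return {clsid: classify(clsid) for clsid in extract_clsids(text)}


if __name__ == "__main__":
    for clsid, label in triage(SAMPLE_PAGE).items():
        print(f"{clsid}  {label}")
```

Unknown CLSIDs are worth a second look rather than being dismissed: the list above contains many that the analysis could not yet tie to a specific vulnerability.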
Malicious IP addresses involved:
- jeanietomanek.com - 216.39.57.106
- tapiroten.info - 216.150.79.76
- 216.155.153.212
- 174.139.241.2
- 209.31.180.144
Dozens of other domains share the same IP address, 216.150.79.76.
Sigh... it really makes me tired to analyse this malicious link. The effort gets harder and harder as the evasion techniques improve a lot. While anti-virus has cloud-security computing, the hackers/bad guys have cloud-anti-security computing.
--X0end
1 comment:
The site has probably been hacked and becomes a danger when visiting it. Avast reported it and also found infections when visiting this site.