A Guide of confirming a hacked legit service by Blackhole Exploit Kit | BOT24


// #MalwareMustDie - Crusaders diary
// @unixfreaxjp of MMD is responsible 100% of this check.
// A Guide of confirming a hacked legit service by Blackhole Exploit Kit.
//
// Background:
// While I was checking the malicious domain bilainkos.ru, I found that its DNS had just been renewed.
// I remembered that a fellow crusader had asked me about a hacked IP in TW,
// so let's use this opportunity to prove it:

//Malicious Host targeted
bilainkos.ru A 91.224.135.20
bilainkos.ru A 187.85.160.106
bilainkos.ru A 210.71.250.131

//SOA
bilainkos.ru
        origin = ns1.bilainkos.ru
        mail addr = root.bilainkos.ru
        serial = 2012010101
        refresh = 604800
        retry = 1800
        expire = 1800
        minimum = 60

//WHOIS
domain:        BILAINKOS.RU
nserver:       ns1.bilainkos.ru. 62.76.186.24
nserver:       ns2.bilainkos.ru. 110.164.58.250
nserver:       ns3.bilainkos.ru. 42.121.116.38
nserver:       ns4.bilainkos.ru. 41.168.5.140
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created:       2012.12.16
paid-till:     2013.12.16
free-date:     2014.01.16
source:        TCI
Last updated on 2012.12.25 05:51:35 MSK <===========  HERE, JUST RENEWED


// Let's check the infection of 210.71.250.131
// URLQuery of 210.71.250.131 :
// http://urlquery.net/search.php?q=210.71.250.131&type=string&start=2012-12-10&end=2012-12-25&max=50

2012-12-23 01:17:02 http://bilainkos.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
2012-12-22 01:18:03 http://bilainkos.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
2012-12-21 05:50:54 http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
2012-12-20 23:20:48 http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
2012-12-20 18:46:22 http://apendiksator.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
2012-12-20 04:21:25 http://akionokao.ru/forum/links/public_version.php [Taiwan] 210.71.250.131
2012-12-19 20:53:24 http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131

// A second-opinion check: DNS records pointing at 210.71.250.131

bunakaranka.ru A 210.71.250.131
afjdoospf.ru A 210.71.250.131
angelaonfl.ru A 210.71.250.131
akionokao.ru A 210.71.250.131
apendiksator.ru A 210.71.250.131
bilainkos.ru A 210.71.250.131
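
The pivot above (several malicious domains resolving to one IP) is the kind of check an analyst repeats often, so here is a small added example of automating it. This is not code from the MalwareMustDie diary; it parses `domain A ip` lines in the format the diary prints and inverts them into an IP-to-domains map, so an IP shared by many throw-away domains stands out as a likely abused host.

```python
# Added example (not from the original diary): invert passive-DNS A records
# into an IP -> domains map and report IPs shared by several domains.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample, copied from the A records quoted in the diary above.
SAMPLE_A_RECORD_TEXT = """\
bilainkos.ru A 91.224.135.20
bilainkos.ru A 187.85.160.106
bilainkos.ru A 210.71.250.131
bunakaranka.ru A 210.71.250.131
afjdoospf.ru A 210.71.250.131
angelaonfl.ru A 210.71.250.131
akionokao.ru A 210.71.250.131
apendiksator.ru A 210.71.250.131
"""


def parse_a_records(text: str) -> List[Tuple[str, str]]:
    """Parse '<domain> A <ip>' lines; other lines (SOA, comments) are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            records.append((parts[0].rstrip(".").lower(), parts[2]))
    return records


def group_by_ip(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Invert the records: IP -> sorted list of distinct domains resolving to it."""
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        ip_to_domains[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in ip_to_domains.items()}


def shared_ips(records: List[Tuple[str, str]], min_domains: int = 2) -> List[Tuple[str, List[str]]]:
    """IPs used by at least `min_domains` domains, most-shared first."""
    grouped = group_by_ip(records)
    hits = [(ip, doms) for ip, doms in grouped.items() if len(doms) >= min_domains]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for ip, domains in shared_ips(parse_a_records(SAMPLE_A_RECORD_TEXT)):
        print(f"{ip} is shared by {len(domains)} domains: {', '.join(domains)}")
```

With the diary's records this reports 210.71.250.131 as shared by six domains, while the other two IPs of bilainkos.ru are each seen only once; the same function works unchanged on a larger passive-DNS export.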

// Note that 210.71.250.131 is the address of a legit Taiwan business page:
// http://www.tecom.com.tw/

// what/where's 210.71.250.131 ?

//Backbone:
AS Number: AS3462
inetnum: 210.71.128.0 - 210.71.255.255
netname: HINET-TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
country: TW
admin-c: HN27-AP
tech-c: HN28-AP

//IP Owner:
inetnum: 210.71.250.131 - 210.71.250.131
netname: TECOM-921-TW
descr: Taipei Taiwan
country: TW
admin-c: JS1343-TW
tech-c: JS1343-TW
mnt-by: MAINT-TW-TWNIC

====================
PoC is here...
It proves that the legit server has been
implanted with a proxy (in this case on port 8080)
which serves the Blackhole Exploit Kit
====================

// send normal http request to 210.71.250.131:80

--2012-12-25 11:26:05--  http://210.71.250.131/
Connecting to 210.71.250.131:80... connected.
Created socket 3.
GET / HTTP/1.1
User-Agent: Mozilla 5.0 (WinNT 6.0; IE 6.0)
Accept: */*
Host: 210.71.250.131
Connection: Keep-Alive
HTTP request sent, awaiting response...

---response begin---
HTTP/1.1 302 Found
Date: Tue, 25 Dec 2012 02:24:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Location: http://www.tecom.com.tw/en/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8  // A legit reply!


// So let's send a debug request to port 8080 of the same IP.
// I used the latest infection URL structure to make sure that
// I aimed at a real page:

--2012-12-25 11:21:47--
h00p://210.71.250.131:8080/forum/links/column.php
Connecting to 210.71.250.131:8080... connected.
GET /forum/links/column.php HTTP/1.1
User-Agent: Mozilla 5.0 (WinNT 6.0; IE 6.0)
Accept: */*
Host: 210.71.250.131:8080
Connection: Keep-Alive
HTTP request sent, awaiting response...

---response begin---
HTTP/1.1 500 Internal Server Error
Server: nginx/1.0.10
Date: Tue, 25 Dec 2012 02:20:39 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 0            // It is a Blackhole service!
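
The two responses above are the whole proof: port 80 answers as the legit Apache/PHP 5.2 site and redirects to tecom.com.tw, while port 8080 answers as a different stack (nginx, PHP 5.3 dotdeb build, CP-1251 charset). As an added example, not code from the diary, here is a script that parses such raw responses and reports the fingerprint differences between a host's normal port and a suspect port, so the comparison can be repeated for any host you are checking. The `probe()` function does a live fetch with the standard library and is not exercised by the embedded sample, which is constructed from the diary's two responses.

```python
# Added example (not from the original diary): compare the HTTP fingerprint of
# two ports on one host to spot a bolted-on service behind a legit site.
import http.client
from typing import Dict, List, Optional

USER_AGENT = "Mozilla 5.0 (WinNT 6.0; IE 6.0)"  # same UA string the diary used

# Constructed samples: the two responses quoted in the diary above.
PORT80_RESPONSE = """HTTP/1.1 302 Found
Date: Tue, 25 Dec 2012 02:24:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Location: http://www.tecom.com.tw/en/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
"""

PORT8080_RESPONSE = """HTTP/1.1 500 Internal Server Error
Server: nginx/1.0.10
Date: Tue, 25 Dec 2012 02:20:39 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 0
"""


def parse_http_response(raw: str) -> Dict[str, str]:
    """Return the status line as 'status' plus header fields keyed in lower case."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln.strip() for ln in head.split("\n") if ln.strip()]
    fields = {"status": lines[0]}
    for ln in lines[1:]:
        if ":" in ln:
            name, value = ln.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    return fields


def charset_of(content_type: str) -> str:
    """Extract the charset parameter from a Content-Type value ('' if absent)."""
    for part in content_type.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key.lower() == "charset":
            return value.strip().strip('"').upper()
    return ""


def compare_fingerprints(base: Dict[str, str], suspect: Dict[str, str]) -> List[str]:
    """List the ways the suspect port's response differs from the base port's."""
    findings = []
    for field in ("server", "x-powered-by"):
        if base.get(field) != suspect.get(field):
            findings.append(f"{field} differs: {base.get(field)!r} vs {suspect.get(field)!r}")
    base_cs = charset_of(base.get("content-type", ""))
    suspect_cs = charset_of(suspect.get("content-type", ""))
    if base_cs != suspect_cs:
        findings.append(f"charset differs: {base_cs!r} vs {suspect_cs!r}")
    return findings


def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> Optional[Dict[str, str]]:
    """Live fetch of one URL without following redirects; None on network error."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": f"{host}:{port}", "User-Agent": USER_AGENT})
        resp = conn.getresponse()
        fields = {"status": f"HTTP/1.1 {resp.status} {resp.reason}"}
        fields.update({k.lower(): v for k, v in resp.getheaders()})
        conn.close()
        return fields
    except (OSError, http.client.HTTPException):
        return None


if __name__ == "__main__":
    base = parse_http_response(PORT80_RESPONSE)
    suspect = parse_http_response(PORT8080_RESPONSE)
    for line in compare_fingerprints(base, suspect):
        print(line)
```

On the sample this prints three findings (Server, X-Powered-By and charset all differ), which is exactly what the diary reads as the signature of a second, unrelated web stack listening on the legit host. A single differing header is weak evidence on its own; a reverse proxy can legitimately front a different backend, so treat the findings as a reason to look at the box, not as proof by themselves.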

---
#MalwareMustDie




//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
