[Dshield] all1count.net: Multiple Exploit Attempts
Roger Roberts
roger.roberts at gmail.com
Thu Jul 19 02:14:06 GMT 2007
Looks like a pretty recent threat (see results below).
Also, there are other tools that will scan URLs remotely so you don't have to
have a Linux system with wget/reverse engineering, and they will expedite the IR
process of identification:
http://www.explabs.com
http://siteadvisor.com (McAfee)
Although signature-based (or what seems signature-like), these sites may not
identify threats all of the time. Also, I have noticed that using the
explabs scan you have to put in the exact URL to the threat, meaning
threat.com/win32.exe, not just threat.com. The McAfee one seems to crawl
the website better in scrubbing out further directory structures. explabs
missed this one completely, though.
McAfee Siteadvisor results
all1count.net is serving the same role as stat1count.net, serving a mix of
exploits to infect victims. For an easy lock on what they're up to, and
their successor when the domain is replaced, just connect the dots, starting
with the pr0n sites that send traffic to these exploit-hosting sites, for
example:
hardsaloon.com
teenlemon.com
olderpassion.com
juicymatures.com
tntteens.com
gameteenvids.com
sunlovegalz.com
matureskin.net
maturesvid.com
tntteens.com
777-teens.com
cabareteens.com
teenloveonline.com
oldpleasure.com
findmamas.com
virtualbbw.com
teenwells.com
maturestime.net
bestfreemature.com
bestteenspics.com
bigboobsmovies.info
everymatures.com
freebigboobs.info
//End McAfee Siteadvisor results
Sorry for the formatting, but below are the results for the win32.exe binary.
These results are from virustotal.com, which is a good tool to get a quick
analysis from numerous AV vendors so you know what you are dealing with.
Antivirus          Version         Last Update  Result
AhnLab-V3          2007.7.14.0     2007.07.17   no virus found
AntiVir            7.4.0.42        2007.07.17   WORM/Zhelatin.Gen
Authentium         4.93.8          2007.07.17   no virus found
Avast              4.7.997.0       2007.07.17   no virus found
AVG                7.5.0.476       2007.07.16   no virus found
BitDefender        7.2             2007.07.17   Trojan.Peed.Gen
CAT-QuickHeal      9.00            2007.07.17   no virus found
ClamAV             devel-20070416  2007.07.17   no virus found
DrWeb              4.33            2007.07.17   no virus found
eSafe              7.0.15.0        2007.07.17   Suspicious Trojan/Worm
eTrust-Vet         30.8.3789       2007.07.17   no virus found
Ewido              4.0             2007.07.17   no virus found
FileAdvisor        1               2007.07.17   no virus found
Fortinet           2.91.0.0        2007.07.17   no virus found
F-Prot             4.3.2.48        2007.07.17   no virus found
Ikarus             T3.1.1.8        2007.07.17   no virus found
Kaspersky          4.0.2.24        2007.07.17   no virus found
McAfee             5075            2007.07.16   no virus found
Microsoft          1.2704          2007.07.17   TrojanDownloader:Win32/Vxgame
NOD32v2            2403            2007.07.17   no virus found
Norman             5.80.02         2007.07.17   Tibs.gen122
Panda              9.0.0.4         2007.07.17   no virus found
Sophos             4.19.0          2007.07.16   Mal/Dorf-A
Sunbelt            2.2.907.0       2007.07.16   VIPRE.Suspicious
Symantec           10              2007.07.17   no virus found
TheHacker          6.1.7.148       2007.07.16   no virus found
VBA32              3.12.2          2007.07.16   no virus found
VirusBuster        4.3.23:9        2007.07.16   no virus found
Webwasher-Gateway  6.0.1           2007.07.17   Worm.Zhelatin.Gen
Additional information
File size: 12294 bytes
MD5: 2ff4da29bf02c63dcfd9049daa8842f9
SHA1: 85ef8ea5f28d591a2969e3b8d0af93e5b7c2a72b
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats
that are deemed suspicious through heuristics.
On 7/15/07, jayjwa <jayjwa at atr2.ath.cx> wrote:
>
>
> all1count.net is a site hosting multiple exploits. I first came upon this site
> through a counter. The counter had a small picture, and it led here. They may
> be using the vulnerability described here:
>
> http://www.auscert.org.au/render.html?it=7664
>
> So far, I've seen WMF SetAbortProc(), animated cursor exploit (I suspect), an
> unknown binary, and lots of Java applets. I noticed something was going on
> because a java_vm had started, so they did manage to run some applet code (I'm
> not worried), and this got my attention. Looking at the pages and following
> them back, I found classic Javascript obfuscation techniques, and those
> yielded the files I've named:
>
> new.php          <- Exploit's trap URL, the one posted on the sites 1st
> tricky-js.jhtml  <- Above file, saved so I could work with it
> tricky-js.js     <- Pure JS file of above, runnable in js (javascript shell)
> tricky-js-2.js   <- Decoded unescaped document that is written. This is where
>                     the files are given out, an IFRAME, plus applets.
>
> These make the magic happen, and you'll get at least:
>
> count.jar <- includes Beyond.class BlackBox.class VerifierBug.class Dummy.class
>
> I dumped the classes using javap to file class-synopsis.txt.
>
> Other files:
>
> exploit-url.png:          The URL where all this takes place
> java-secret.png:          Java applet trying to launch, it didn't
> java-secret-launched.png: Java applet trying to launch, it did
> xpl.wmf:                  WMF SetAbortProc() exploit, this file looks familiar..
> scan.log:                 What F-Prot scanner thought of all this
> win32.exe:                Unknown binary, would've run on Win32
> sploit.anr:               Possible w32 animated cursor exploit?
>                           "file" says: sploit.anr: RIFF (little-endian) data,
>                           animated cursor
>
>
> BlackBox.class <- http://www.viruslist.com/en/viruslist.html?id=72440
>
>
> all1count.net has address 81.95.146.112
>
> inetnum: 81.95.144.0 - 81.95.147.255
> netname: RBNET
> descr: RBusiness Network
> admin-c: RNR4-RIPE
> tech-c: RNR4-RIPE
> mnt-by: RBN-MNT
> status: ASSIGNED PA
> country: PA
> remarks: INFRA-AW
> source: RIPE # Filtered
>
> role: RBusiness Network Registry
> address: RBusiness Network
> address: The Century Tower Building
> address: Ricardo J. Alfari Avenue
> address: Panama City
> address: Republic of Panama
> phone: +1 401 369 8152
> remarks: Points of contact for RBusiness Network Operations
> remarks: ------------------------------------------------------
> remarks: Routing and peering issues: noc at rbnnetwork.com
> remarks: SPAM and Network security issues: abuse at rbnnetwork.com
> remarks: Customer support: support at rbnnetwork.com
> remarks: General information: info at rbnnetwork.com
> remarks: ------------------------------------------------------
> e-mail: noc at rbnnetwork.com
>
> For those that want a closer look (at your own risk; the only 'auto-firing'
> exploit I think would be the animated cursor one inside, but make sure you're
> up-to-date):
>
> https://atr2.ath.cx/vx_lab/research/Non-Viral/all1count.net/all1count.rar
>
>
> --
> [RBL:Just A Bad Idea] Do not use DNS-RBL; Demand your ISP stop.
> Tell RoadRunner/Adelphia, Netzero,etc: don't trash your mail.
> http://www.ifn.net/classic/rblstory.htm
> http://theory.whirlycott.com/~phil/antispam/rbl-bad/rbl-bad.html
>