Sponsored by..

Thursday, 29 July 2010

freead.name / mybar.us / toolbarcom.org / adsnet.biz

A slightly novel attack, found injected into a Javascript library and using freshly-registered domains. The attack uses obfuscated Javascript to send visitors to one of the following domains: myads.name, adsnet.biz, toolbarcom.org, mybar.us, freead.name, and to the front of this is appended a subdomain of vagi., vain., vale., vars., vary., vasa., vaut., vavs., viny., viol., vrow., vugs., vuln.

Despite all the combinations (a list is at the bottom of the post if you want to paste it in somewhere), there are only a small number of IP addresses involved:

66.221.212.92
66.221.212.94
66.221.212.96
66.221.212.98
66.221.212.99
69.13.73.203
69.13.73.205
69.13.73.248
69.13.73.250
69.13.154.250
69.13.154.251

All of those IPs belong to C I Host, some seem to have legitimate sites hosted on them.

One one domain (mybar.us) is not anonymised:

Registrar URL (registration services):       www.publicdomainregistry.com
Domain Status:                               clientTransferProhibited
Registrant ID:                               DI_11638984
Registrant Name:                             Andrew Black
Registrant Organization:                     N/A
Registrant Address1:                         555 Taylor Rd.
Registrant City:                             Enfield
Registrant State/Province:                   Connecticut
Registrant Postal Code:                      06082
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +860.7492291
Registrant Email:                            dday.rabbit@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


Although the address and phone number are no doubt fake, the email address of dday.rabbit@gmail.com is known.

The next hop uses a subdomain of a legitimate domain registered at GoDaddy that appears to have been phished: out.outdoorkitchendistributors.com - this site is hosted on 94.75.243.31.. it's just worth pausing to note that the legitimate domain specchart.com also appears to have been hijacked via a GoDaddy phish and moved to this server.

The endpoint is a Java exploit on a server at 79.135.152.194 belonging to microlines.lv (AS2588 / 79.135.128.0/19) which appears to be a pretty evil network. How the hell they got a /19 is a mystery when I can't see any verifiably legitimate sites.

If you want to block the intermediate domains, they are:
vagi.adsnet.biz
vain.adsnet.biz
vale.adsnet.biz
vars.adsnet.biz
vary.adsnet.biz
vasa.adsnet.biz
vaut.adsnet.biz
vavs.adsnet.biz
viny.adsnet.biz
viol.adsnet.biz
vrow.adsnet.biz
vugs.adsnet.biz
vuln.adsnet.biz
vagi.toolbarcom.org
vain.toolbarcom.org
vale.toolbarcom.org
vars.toolbarcom.org
vary.toolbarcom.org
vasa.toolbarcom.org
vaut.toolbarcom.org
vavs.toolbarcom.org
viny.toolbarcom.org
viol.toolbarcom.org
vrow.toolbarcom.org
vugs.toolbarcom.org
vuln.toolbarcom.org
vagi.mybar.us
vain.mybar.us
vale.mybar.us
vars.mybar.us
vary.mybar.us
vasa.mybar.us
vaut.mybar.us
vavs.mybar.us
viny.mybar.us
viol.mybar.us
vrow.mybar.us
vugs.mybar.us
vuln.mybar.us
vagi.freead.name
vain.freead.name
vale.freead.name
vars.freead.name
vary.freead.name
vasa.freead.name
vaut.freead.name
vavs.freead.name
viny.freead.name
viol.freead.name
vrow.freead.name
vugs.freead.name
vuln.freead.name

6 comments:

twksk8 said...

Thanks for posting this, it helped me find some injected code in one of our mootools js files.

HKagan said...

i think i have it on my site, okdork.com but i have NO idea how to find it...any help? help [at] okdork.com

Tarun, TJ said...

Thanks for the information. I recently decoded the infected JS on my website. they were using 3 letter words with X from http://www.squidoo.com/scrabblewordlists

namely "AXE BOX COX DEX FAX FIX FOX GOX HEX KEX LAX LEX LOX LUX MAX MIX NIX OXO OXY PAX PIX POX PYX RAX REX SAX SEX SIX SOX TAX TUX VEX VOX WAX XIS ZAX "


But what seems weird is that at some place there was no window.location code present to redirect the browser to the attack site.

Dave said...

HKagan, I'm in the same boat. I have no idea how to find the injected code. Anyone out there have any ideas?

Thanks in advance.

Judder said...

To find the code search each of your Javascript files on your site for the following code (only an edit so is not dangerous):

unescape("%6e%67%74%68")

which is the word ngth encoded. I also used the JSUNPACK site to decode any suspicious lookig files I found - it is very good

http://jsunpack.jeek.org/

Judder said...

We used JSUNPACK http://jsunpack.jeek.org/ to decode each of our sites' Javascript files to see if any of the files contained domains like those mentioned above and then deleted/replaced with new the infected file.

You can also search for the string

unescape("%43%6f%64%65%41%74")

which is the word CodeAt and can identify the obfusticated Javascript