
Wednesday, 26 March 2014

Something evil on 173.212.223.249

There's some sort of evil at work here, but I can't quite replicate it. However, I would recommend that you put a block in for 173.212.223.249 (Network Operations Center, US).

The infection chain I have spotted here starts with a typical compromised website, in this case:

[donotclick]onerecipedaily.com/prawn-patia-from-anjum-anands-i-love-curry/

A quick look at the URLquery report shows a general alert, but no smoking gun..

Is there some trickery at work here? Yes, there's a telltale sign in the HTTP Transactions graph:


Right at the end you can see a redirect to google.no.

This is a telltale sign that some malware is redirecting the URLquery probe to Google to protect itself. Usually it means that the probe doesn't have the right user agent or referrer string, or perhaps its IP is blocked by the bad guys.

However, I can look at the log files of the incident and I see that the next step is a jump to another compromised site:

[donotclick]autoselectosperu.com/de11edf0bcf9b7ce8d3a128934acda75.php?q=d6f53936c38ddad58c5a69d1d36c4904

This then jumps to the presumed payload site at:

[donotclick]bkbr.beuqnyrtz.com/gikhqqkdjc

What is the payload? Errr.. I don't know. The incident logs come up with a generic detection and my query-fu isn't working today. You'll just have to trust me that it's going to be malicious.

The following malicious subdomains are also active on 173.212.223.249:
bkbr.beuqnyrtz.com
syb.beuqnyrtz.com
sxxmxv.beuqnyrtz.info

The simplest thing to do to protect yourself against this particular threat is to use the following blocklist:
173.212.223.249
beuqnyrtz.com
beuqnyrtz.info
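As an added example (not part of the original post), here is the blocklist above applied to proxy logs in Python. The log format and the sample lines are constructed for the demonstration, and domain matching is done on label boundaries so that look-alike names such as notbeuqnyrtz.com do not trigger a hit:

```python
from urllib.parse import urlsplit

# Blocklist from the post above: one IP and two apex domains.
BLOCKED_IPS = {"173.212.223.249"}
BLOCKED_DOMAINS = {"beuqnyrtz.com", "beuqnyrtz.info"}


def host_is_blocked(host: str) -> bool:
    """True if host is a blocked IP or is (a subdomain of) a blocked domain."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_IPS:
        return True
    # Compare on label boundaries: 'notbeuqnyrtz.com' must not match 'beuqnyrtz.com'.
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def scan_proxy_log(log_text: str) -> list:
    """Return (client_ip, host, url) for every request to a blocked host.

    Assumed (constructed) log format: 'epoch client-ip method url status'.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client_ip, url = fields[1], fields[3]
        host = urlsplit(url).hostname or ""  # hostname drops any :port and lowercases
        if host_is_blocked(host):
            hits.append((client_ip, host, url))
    return hits


# Constructed sample lines reproducing the chain described in the post,
# plus a look-alike domain and an unrelated site that must not match.
SAMPLE_LOG = """\
1395850200 10.0.0.5 GET http://onerecipedaily.com/prawn-patia-from-anjum-anands-i-love-curry/ 200
1395850201 10.0.0.5 GET http://autoselectosperu.com/de11edf0bcf9b7ce8d3a128934acda75.php?q=d6f53936c38ddad58c5a69d1d36c4904 302
1395850202 10.0.0.5 GET http://bkbr.beuqnyrtz.com/gikhqqkdjc 200
1395850203 10.0.0.7 GET http://notbeuqnyrtz.com/index.html 200
1395850204 10.0.0.7 GET http://173.212.223.249:8080/gikhqqkdjc 200
1395850205 10.0.0.9 GET http://www.google.no/ 200
"""

if __name__ == "__main__":
    for client_ip, host, url in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT client={client_ip} host={host} url={url}")
```

The two earlier compromised sites in the chain are deliberately not on the blocklist, so only the payload host and the IP produce alerts; add them to BLOCKED_DOMAINS if you want the whole chain flagged.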

4 comments:

Jeremy said...

Smoking gun at the following URL Query report I just submitted for the same IP.

http://www.urlquery.net/report.php?id=1395850247350

Conrad Longmore said...

@Jeremy.. nice!

Also spotted as Angler EK here: https://twitter.com/malekal_morte/status/448852977764143104

Chris Hammond said...

I was able to identify a payload for anyone interested originating from http://bkbr[dot]beuqnyrtz[dot]com/beq9klfi06.

MobileOptionPack.com (MZ header) - 8c3230a7f5543547ddb3addd35ea1e9105be2986f1aedb4b20ef17d73f16488c

https://www.virustotal.com/en/file/8c3230a7f5543547ddb3addd35ea1e9105be2986f1aedb4b20ef17d73f16488c/analysis/1395919007/

It was located in the AppData\Roaming\MobileOptionPack\ folder. I can't verify this is always the folder/filename.

The MZ file had a modified timestamp.

Hope this helps.