Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
SUBSCRIBE
Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
Zerosecurity
No Result
View All Result
Home Malware

‘Gootkit’ Fast Fluxing Domains

Paul Anderson by Paul Anderson
August 3, 2012
in Malware, Malware Analysis
2
208193717
74
SHARES
1.2k
VIEWS
Share on FacebookShare on Twitter

Recently, Kaspersky came across web malware that – instead of injecting an iframe pointing to a fixed existing address – generates a pseudo-random domain name, depending on the current date.  This approach is not new and is widely used by botnets in C&C domain name generation, it’s called a Fast Flux domain and yet it’s not very common for the web malware we’ve seen so far.

You might also like

Emotet now utilizing Onenote for its spam campaigns

Netwire RAT seized by FBI and other worldwide police agencies

The Emotet botnet returns and is sending a slew of malicious emails

208193717

After deobfuscation, we can see that the iframe redirecting to the malicious URL with generated domain name is appended to the HTML file. All URLs consist of 16 pseudo-random letters, belonging to the ru domain and execute PHP script on the server side with the sid=botnet2 as argument:

208193724

Every day a new domain name is generated, so blacklisting malicious URLs as they become active is like tilting at windmills. Fortunately, if we know the algorithm, we may easily predict the domain names for each day in the future. This malware is detected by Kaspersky as Trojan-Downloader.JS.Agent.gsv.

A newer version of the same malware is even more tricky: instead of injecting obfuscated code into the plain JS file, it encrypts all the content of the infected file, so as to hide the malicious code together with the clean one:

208193725

Such malware is not so easy to discover: it doesn’t have the specific “signature” (like the comment string in the previous example) and every infected file will strongly differ from another, because the obfuscated version depends on the clean content. Moreover, as the whole file is encrypted, you can’t just point out the exact malicious part and delete it. Therefore, it’s also not so easy to get rid of this malware without doing harm to the website. If you don’t have clean, non-obfuscated copies of the infected files, in order to extract the clean content you need to decrypt these files, which may prove quite a difficult task.

After taking off the first layer of obfuscation by simply changing the eval() function to the alert() or the print() function, we can see more obfuscated code:

208193726

The second layer of obfuscation uses the domain name to encrypt the content of the file. For example, if the URL of infected file is: hxxp://www.somesubdomain.example.com/file-to-infect.js the key for decryption will be: example.com The clean part and the malicious part are stored in encrypted form in two separate variables:

208193727

To decrypt the code, we need to know the exact origin of the infected file. After full deobfuscation we can see slightly improved version of the function that generates random domain names, plus the clean code below:

208193728

This time the main domain is waw.pl instead of ru and the sid argument is botnet_api2. The name of the script remains the same and may suggest that the author is fond of the Forrest Gump film / novel. Also, from the comment the author apparently left for researchers, we know that the malware is called “gootkit” by its creator. A quick search on the Internet revealed that this word is not entirely unknown to Google in terms of malicious code and a few other pieces of malware had borne the same name. It’s hard to tell, though, if there are any connections between them (or the cybercriminals behind them) and the malware described above. The most similar case is the Gumblar-like Trojan, discovered in 2010, which steals credentials to FTP accounts and infects the HTML/PHP files on the server with the code that contain the “gootkit” strings.

The malware described in this blogpost is already detected by Kaspersky as:HEUR:Trojan.Script.Generic (in its obfuscated form) and HEUR:Trojan.Script.Iframer(deobfuscated).

Most probably, it spreads through the recent vulnerability in Plesk Panel, so we would like to appeal to every web administrator and every hosting provider to update the Plesk software on their servers to the newest version, apply all the security patches and change the passwords to all the FTP/SFTP/SSH accounts as soon as possible.

The malicious domains that we’ve checked resolved to the same IP address and seem to be “suspended due to abuse reports”, However, it’s possible that the rules defined on malicious server allow the redirection to malware only in specified circumstances (e.g. from particular regions and/or IP ranges) and the information about abuse is a fake. Previous version of this malware was known for redirecting users to the BlackHole Exploit Kit.

Source: Securelist.com

Tags: blackholedomainexploitfastfluxmalwarenewvirus
Share30Tweet19
Paul Anderson

Paul Anderson

Editor and chief at ZeroSecurity. Expertise includes programming, malware analysis, and penetration testing. If you would like to write for ZeroSecurity, please click "Contact us" at the top of the page.

Recommended For You

Emotet now utilizing Onenote for its spam campaigns

by Kyle
March 26, 2023
0
Emotet now utilizing Onenote for its spam campaigns

The infamous Emotet malware has adopted a new tactic to spread its infection. Cybercriminals are now distributing the malware via email attachments in Microsoft OneNote format. The move...

Read more

Netwire RAT seized by FBI and other worldwide police agencies

by Christi Rogalski
March 16, 2023
0
Netwire RAT seized by FBI and other worldwide police agencies

The FBI, in partnership with several police agencies worldwide, has carried out an international law enforcement operation resulting in the arrest of a suspected administrator of the NetWire...

Read more

The Emotet botnet returns and is sending a slew of malicious emails

by Kyle
March 14, 2023
0
The Emotet botnet returns and is sending a slew of malicious emails

The notorious Emotet botnet, considered one of the biggest threats to internet security, has resurfaced after a prolonged hiatus, armed with new tactics. The botnet's trademark strategy of...

Read more

Update-resistant malware infects SonicWall security appliances

by Paul Anderson
March 12, 2023
0
Update-resistant malware infects SonicWall security appliances

Researchers have discovered that threat actors linked to the Chinese government are using malware to infect SonicWall's Secure Mobile Access 100, a popular security appliance, which remains active...

Read more

Fake ChatGPT websites are popping up and spreading malware

by Paul Anderson
March 1, 2023 - Updated on March 2, 2023
0
ChatGPT is found spreading malware created in Python

It was only a matter of time before hackers would start using the growing popularity of ChatGPT to spread malware and steal sensitive personal information. Recently, multiple security...

Read more
Next Post
NetList – Penetration Testing Script Written in Ruby

NetList - Penetration Testing Script Written in Ruby

Related News

BreachForums Owner Arrested and Charged

BreachForums Owner Arrested and Charged

March 17, 2023
ChipMixer platform tied to crypto laundering scheme – seized by authorities

ChipMixer platform tied to crypto laundering scheme – seized by authorities

March 17, 2023
NSA intercepting U.S. Routers

NSA intercepting U.S. Routers

June 6, 2014 - Updated on March 17, 2023
Zerosecurity

We cover the latest in Information Security & Blockchain news, as well as threat trends targeting both sectors.

Categories

  • Crypto
  • Data Breaches
  • DotNet Framework
  • Downloads
  • Exploits
  • Exploits
  • Information
  • Legal
  • Malware
  • Malware Analysis
  • Mobile Security
  • Paper Downloads
  • Piracy
  • Privacy
  • Programming
  • Public
  • Security
  • Security
  • Software & Service Reviews
  • Technology
  • Tools
  • Tutorials
  • Video Tutorials
  • Whitepapers
  • Zero Security
  • Contact Us
  • List of our Writers

© 2022 ZeroSecurity, All Rights Reserved.

No Result
View All Result
  • Home
  • Security
  • Exploits
  • Data Breaches
  • Malware
  • Privacy
  • Mobile Security
  • Tools
  • Contact Us
  • Privacy Policy

© 2022 ZeroSecurity, All Rights Reserved.