So it's time to celebrate the second anniversary :-)
Well, I was wondering if anyone else is currently detecting the .htaccess infections that Ponmocup Finder (PF) reports. Let's see...
Let's just look at any of the almost 500 domains currently being detected by PF as infected.
http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-history-days-sort.txt
439 www.pino-travel.com
439 www.log-in-verlag.de
438 www.oople.com
438 www.franken-gmbh.de
438 www.brichzin.de
438 www.bad-saulgau.de
437 www.vitaminbude.de
This German site has been seen infected since more than 430 days.
Here's todays "evidence" from my PF scripts that this domain is infected. It sets a cookie and redirects to Zuponcic Kit as discussed in previous (linked) blogs and presentations.
http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/www.bad-saulgau.de_wget_log.txt
--12:06:50-- http://www.bad-saulgau.de/ => `www.bad-saulgau.de_out.txt' Resolving www.bad-saulgau.de... 82.165.95.226 Connecting to www.bad-saulgau.de|82.165.95.226|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 302 Found Date: Tue, 03 Jun 2014 10:06:50 GMT Server: Apache Set-Cookie: tTF=50; path=/; domain=www.bad-saulgau.de; expires=Wed, 11-Jun-2014 08:44:50 GMT Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522 Content-Length: 536 Keep-Alive: timeout=2, max=200 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522 [following] --12:06:50-- http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522 => `www.bad-saulgau.de_out.txt' Resolving solent.alloyradianttubes.com... 31.210.96.155 Connecting to solent.alloyradianttubes.com|31.210.96.155|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 302 Moved Temporarily Server: nginx/1.1.4 Date: Tue, 03 Jun 2014 10:06:50 GMT Content-Type: text/html Content-Length: 160 Connection: close Location: http://www.google.com/ Location: http://www.google.com/ [following]
The redirection to Google is an anti-detection method from Zuponcic Kit also discussed before on the Fox-IT blog.
So now the question is: Is anyone else detecting these .htaccess infected sites?
I haven't found any other detections. If you know of one, please let me know.
http://www.urlvoid.com/scan/bad-saulgau.de/
Website Information
Analysis Date | 8 seconds ago |
Safety Reputation | 0/28 |
Domain 1st Registered | Unknown |
Server Location | (DE) Germany |
Google Page Rank | |
Alexa Traffic Rank | 1,751,096 |
URLQuery can detect the redirection to Zuponcic Kit (assuming the user sets a required referrer URL), but there are no indications in the report that there is anything malicious.
http://urlquery.net/report.php?id=1401817329491
Overview
URL | www.bad-saulgau.de/ |
|
IP | 82.165.95.226 | |
ASN | AS8560 1&1 Internet AG | |
Location | Germany | |
Report completed | 2014-06-03 19:42:06 CET | |
Status | Report complete. | |
urlQuery Alerts | No alerts detected |
Settings
UserAgent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0 |
Referer | http://www.google.com/url?q=ponmocup+finder |
Pool | |
Access Level | public |
Intrusion Detection Systems
Snort /w Sourcefire VRT | No alerts detected |
Suricata /w Emerging Threats Pro | No alerts detected |
Blacklists
DNS-BH / malwaredomains.com | No alerts detected |
PhishTank / phishtank.com | No alerts detected |
Spamhaus DBL / spamhaus.org | No alerts detected |
Files Captured
Suricata IDS | No files captured |
And also VirusTotal doesn't have any malware or malicious activity associated with this domain:
https://www.virustotal.com/en/domain/www.bad-saulgau.de/information/
(none)
https://www.virustotal.com/en/url/c6ef57b6a1eee4ec6dacb3cea61541137d6cd5da8daec570c8444db63fc08e1d/analysis/1401828323/
URL: | http://www.bad-saulgau.de/ |
Detection ratio: | 0 / 52 |
Analysis date: | 2014-06-03 20:45:23 UTC ( 0 minutes ago ) |
I wonder who will be the "first" to detect these .htaccess infections... anyone? No? OK then...
If you're not familiar with the Ponmocup malware / botnet yet, my previous post may be a good starting point linking all together.
Yours truly,
Ponmocup Hunter :-)
No comments:
Post a Comment