So it's time to celebrate the second anniversary :-)
Well, I was wondering if anyone else is currently detecting the .htaccess infections that Ponmocup Finder (PF) reports. Let's see...
Let's just look at any of the almost 500 domains currently being detected by PF as infected.
http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-history-days-sort.txt
```text
439 www.pino-travel.com
439 www.log-in-verlag.de
438 www.oople.com
438 www.franken-gmbh.de
438 www.brichzin.de
438 www.bad-saulgau.de
437 www.vitaminbude.de
```
This German site has been seen infected for more than 430 days.
Here's today's "evidence" from my PF scripts that this domain is infected. It sets a cookie and redirects to Zuponcic Kit as discussed in previous (linked) blog posts and presentations.
http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/www.bad-saulgau.de_wget_log.txt
```text
--12:06:50-- http://www.bad-saulgau.de/
=> `www.bad-saulgau.de_out.txt'
Resolving www.bad-saulgau.de... 82.165.95.226
Connecting to www.bad-saulgau.de|82.165.95.226|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Date: Tue, 03 Jun 2014 10:06:50 GMT
Server: Apache
Set-Cookie: tTF=50; path=/; domain=www.bad-saulgau.de; expires=Wed, 11-Jun-2014 08:44:50 GMT
Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522
Content-Length: 536
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522 [following]
--12:06:50-- http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522
=> `www.bad-saulgau.de_out.txt'
Resolving solent.alloyradianttubes.com... 31.210.96.155
Connecting to solent.alloyradianttubes.com|31.210.96.155|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.1.4
Date: Tue, 03 Jun 2014 10:06:50 GMT
Content-Type: text/html
Content-Length: 160
Connection: close
Location: http://www.google.com/
Location: http://www.google.com/ [following]
```
The redirection to Google is an anti-detection method of the Zuponcic Kit, also discussed previously on the Fox-IT blog.
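As an added example (not part of the original post or of the PF scripts), here is a small Python checker that parses a wget log like the one above and reports the indicators that make up the infected pattern: the 302 on the site's root, the tTF cookie, the off-site Location, and the kit's final bounce to Google. The sample log is constructed from the headers quoted above, trimmed to the relevant lines.

```python
import re
from urllib.parse import urlparse
# Constructed sample modelled on the wget log quoted above, trimmed to the relevant headers.
SAMPLE_LOG = """\
--12:06:50-- http://www.bad-saulgau.de/
HTTP/1.1 302 Found
Set-Cookie: tTF=50; path=/; domain=www.bad-saulgau.de; expires=Wed, 11-Jun-2014 08:44:50 GMT
Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6
Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6 [following]
--12:06:50-- http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6
HTTP/1.1 302 Moved Temporarily
Location: http://www.google.com/
Location: http://www.google.com/ [following]
"""

REQUEST_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")   # wget's "--HH:MM:SS-- URL" request line
STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")          # "HTTP/1.1 302 Found"
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")  # "Name: value" response header

def parse_hops(log):
    """Split a wget log into hops: one dict per request holding its status and headers."""
    hops = []
    for line in log.splitlines():
        if m := REQUEST_RE.match(line):
            hops.append({"url": m.group(1), "status": None, "headers": {}})
        elif not hops or line.endswith("[following]"):
            continue  # no request yet, or wget's echo of the Location it is about to follow
        elif m := STATUS_RE.match(line):
            hops[-1]["status"] = int(m.group(1))
        elif m := HEADER_RE.match(line):
            hops[-1]["headers"].setdefault(m.group(1).lower(), []).append(m.group(2))
    return hops

def assess(log):
    """Return the indicators seen in the chain; all four True is the infected pattern above."""
    hops = parse_hops(log)
    if not hops:
        return {}
    first = hops[0]
    site_host = urlparse(first["url"]).hostname
    locations = first["headers"].get("location", [])
    hop_host = urlparse(locations[0]).hostname if locations else None
    final = hops[-1]["headers"].get("location", [None])[0] if len(hops) > 1 else None
    return {
        "root_redirects": first["status"] == 302 and bool(locations),
        "ttf_cookie": any(c.startswith("tTF=") for c in first["headers"].get("set-cookie", [])),
        "offsite_redirect": hop_host is not None and hop_host != site_host,
        "kit_bounces_to_google": final is not None and urlparse(final).hostname == "www.google.com",
    }
```

Feed it the output of `wget -S` saved to a file; a clean site yields all four indicators False.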
So now the question is: Is anyone else detecting these .htaccess infected sites?
I haven't found any other detections. If you know of one, please let me know.
http://www.urlvoid.com/scan/bad-saulgau.de/
Website Information

| Field | Value |
|---|---|
| Analysis Date | 8 seconds ago |
| Safety Reputation | 0/28 |
| Domain 1st Registered | Unknown |
| Server Location | (DE) Germany |
| Google Page Rank | (image, not captured) |
| Alexa Traffic Rank | 1,751,096 |
URLQuery can detect the redirection to Zuponcic Kit (assuming the user sets a required referrer URL), but there are no indications in the report that there is anything malicious.
http://urlquery.net/report.php?id=1401817329491
Overview

| Field | Value |
|---|---|
| URL | www.bad-saulgau.de/ |
| IP | 82.165.95.226 |
| ASN | AS8560 1&1 Internet AG |
| Location | |
| Report completed | 2014-06-03 19:42:06 CET |
| Status | Report complete. |
| urlQuery Alerts | No alerts detected |

Settings

| Field | Value |
|---|---|
| UserAgent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0 |
| Referer | http://www.google.com/url?q=ponmocup+finder |
| Pool | |
| Access Level | public |

Intrusion Detection Systems

| Engine | Result |
|---|---|
| Snort /w Sourcefire VRT | No alerts detected |
| Suricata /w Emerging Threats Pro | No alerts detected |

Blacklists

| Source | Result |
|---|---|
| DNS-BH / malwaredomains.com | No alerts detected |
| PhishTank / phishtank.com | No alerts detected |
| Spamhaus DBL / spamhaus.org | No alerts detected |

Files Captured

| Source | Result |
|---|---|
| Suricata IDS | No files captured |
VirusTotal also has no malware or malicious activity associated with this domain:
https://www.virustotal.com/en/domain/www.bad-saulgau.de/information/
(none)
https://www.virustotal.com/en/url/c6ef57b6a1eee4ec6dacb3cea61541137d6cd5da8daec570c8444db63fc08e1d/analysis/1401828323/
| Field | Value |
|---|---|
| URL | http://www.bad-saulgau.de/ |
| Detection ratio | 0 / 52 |
| Analysis date | 2014-06-03 20:45:23 UTC (0 minutes ago) |
I wonder who will be the "first" to detect these .htaccess infections... anyone? No? OK then...
If you're not familiar with the Ponmocup malware / botnet yet, my previous post may be a good starting point, linking everything together.
Yours truly,
Ponmocup Hunter :-)