Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Run, Forest! - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Run, Forest!


Yeah, I know, I probably get the prize for the ISC Diaries with the weirdest titles lately. Blame it on the bad guys, who are showing more creativity in naming their malware than I ever would be able to muster ... and who also don't seem to know the difference between a forest and a Forrest :).

The latest malware sample is what Symantec calls "JS.Runfore". A recent URL might tell you why:

http:// xmexlajhysktwdqe. ru/runforestrun?sid=cx   (don't click)

Plenty of web pages currently seem to be infected with manipulated / changed jsquery files, which contain obfuscated Java Script code that generates the foresty URLs. The domain names generated change based on time and date. "Successful" connections are met by a series of 302 redirects that so far (for me) have not resulted in any real payload. The above URL redirects via moneyold. ru to freshtds. ru, where it ends (for me) in a 404 Error.

Here's a recent Wepawet report for an infected site (OK to click, but better don't click on any of the links in the report)
http://wepawet.iseclab.org/view.php?hash=e89cfa2fa6a91f90acfeb125c10c1f0f&t=1340389400&type=js


Please let us know in the comments below or via our contact form if you have additional information on Forrest (or Jenny, or Lieutenant Dan :).


 

 Daniel

385 Posts
ISC Handler
Jun 22nd 2012
Thread locked Subscribe Jun 22nd 2012
9 years ago
Perhaps it's a clever pun. As in, "Can't see the forest for the trees." If you think of bots as trees, then bot herders are simply trying to get a forest to run!
 Anonymous
Quote Jun 22nd 2012
9 years ago
Final sentence of paragraph 4 lists one of the redirection urls as freshtds.RU, however, Wepawet states it is freshtds.EU .
 REB

3 Posts
Quote Jun 23rd 2012
9 years ago
This is what happens when you get hit by a payload from one of these site's (Blackhole Exploitkit):
http://wepawet.cs.ucsb.edu/view.php?hash=d3e3cd3e4620cc7f2ad9e3252976d7f3&t=1340286074&type=js

Java, PDF, Flash and HCP exploits try to install zbot and other malware. Detection now is decent but when I investigated these samples on 21-6-12 detection was very poor.
https://www.virustotal.com/file/63001ffaae0e931486062f74a5a2976713adc99734f961cc42b2f0c755e96444/analysis/
https://www.virustotal.com/file/dcc3071540c6194f8971af0ed6a821c6cd0ad46caf07e95f73d257430c89409e/analysis/
https://www.virustotal.com/file/8ddc64b321ee7615eab3b6f7504b98422acb7b939a171a466c04706195300d59/analysis/
 Anonymous
Quote Jun 24th 2012
9 years ago

Sign Up for Free or Log In to start participating in the conversation!