
SANS ISC InfoSec Diary


Run, Forest!


Yeah, I know, I probably get the prize for the ISC Diaries with the weirdest titles lately. Blame it on the bad guys, who are showing more creativity in naming their malware than I ever would be able to muster ... and who also don't seem to know the difference between a forest and a Forrest :).

The latest malware sample is what Symantec calls "JS.Runfore". A recent URL might tell you why:

http:// xmexlajhysktwdqe. ru/runforestrun?sid=cx   (don't click)

Plenty of web pages currently seem to be infected with manipulated jQuery files, which contain obfuscated JavaScript code that generates the foresty URLs. The generated domain names change based on time and date. "Successful" connections are met by a series of 302 redirects that so far (for me) have not resulted in any real payload. The above URL redirects via moneyold. ru to freshtds. ru, where it ends (for me) in a 404 error.
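The behaviour described above (a request to a date-dependent, random-looking domain, followed by a chain of 302 redirects) can be spotted in proxy logs without any knowledge of the obfuscated script itself. The following is an added illustration, not code from the diary: it parses a few constructed CLF-style proxy log lines (the hostnames are the ones named in this diary; the paths on the intermediate hosts, the client addresses, and the timestamps are made up), flags the `/runforestrun` path and hostnames that look algorithmically generated (long second-level label with few vowels, a crude heuristic), and reassembles per-client 302 chains that end in a non-redirect response.

```python
"""Scan proxy log lines for the 'runforestrun' redirect chain and
DGA-looking hostnames. Added example; all log lines are constructed."""
import re
from urllib.parse import urlsplit

# Constructed sample log lines. Hostnames come from the diary; client IPs,
# timestamps and the paths on moneyold.ru / freshtds.ru are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2012:10:15:01 +0000] "GET http://xmexlajhysktwdqe.ru/runforestrun?sid=cx HTTP/1.1" 302 0
10.0.0.5 - - [22/Jun/2012:10:15:02 +0000] "GET http://moneyold.ru/placeholder HTTP/1.1" 302 0
10.0.0.5 - - [22/Jun/2012:10:15:03 +0000] "GET http://freshtds.ru/placeholder HTTP/1.1" 404 512
10.0.0.7 - - [22/Jun/2012:10:16:00 +0000] "GET http://www.example.com/js/jquery.min.js HTTP/1.1" 200 94000
"""

# client - - [timestamp] "METHOD URL PROTO" status bytes
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$'
)


def parse_line(line):
    """Return a dict with client, host, path and status, or None if the
    line does not match the expected proxy log layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, url, status, _size = m.groups()
    parts = urlsplit(url)
    return {
        "client": client,
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "status": int(status),
    }


def looks_dga(host, min_len=12, max_vowel_ratio=0.3):
    """Crude DGA heuristic: the second-level label is long and has few
    vowels. Thresholds are assumptions, not values from the diary."""
    labels = host.split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < min_len or not label.isalpha():
        return False
    vowels = sum(1 for ch in label if ch in "aeiou")
    return vowels / len(label) < max_vowel_ratio


def scan(log_text):
    """Return (findings, chains): findings is a list of (host, reason)
    tuples, chains is a list of per-client 302 sequences of length >= 2
    terminated by the host that finally answered with a non-302."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    for e in events:
        if "/runforestrun" in e["path"].lower():
            findings.append((e["host"], "runforestrun path"))
        if looks_dga(e["host"]):
            findings.append((e["host"], "dga-like hostname"))

    # Track open redirect chains per client; close a chain on the first
    # response that is not a 302.
    chains = []
    pending = {}
    for e in events:
        c = e["client"]
        if e["status"] == 302:
            pending.setdefault(c, []).append(e["host"])
        else:
            if len(pending.get(c, [])) >= 2:
                chains.append(pending[c] + [e["host"]])
            pending.pop(c, None)
    return findings, chains


if __name__ == "__main__":
    found, redirect_chains = scan(SAMPLE_LOG)
    for host, reason in found:
        print(f"ALERT {host}: {reason}")
    for chain in redirect_chains:
        print("302 chain: " + " -> ".join(chain))
```

The vowel-ratio heuristic is deliberately simple and will produce false positives on legitimate long hostnames; in practice it belongs next to the `/runforestrun` path match and the redirect-chain reconstruction rather than on its own.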

Here's a recent Wepawet report for an infected site (safe to open, but don't click on any of the links inside the report):
http://wepawet.iseclab.org/view.php?hash=e89cfa2fa6a91f90acfeb125c10c1f0f&t=1340389400&type=js


Please let us know in the comments below or via our contact form if you have additional information on Forrest (or Jenny, or Lieutenant Dan :).



Daniel, ISC Handler
Perhaps it's a clever pun. As in, "Can't see the forest for the trees." If you think of bots as trees, then bot herders are simply trying to get a forest to run!
Anonymous
The final sentence of paragraph 4 lists one of the redirection URLs as freshtds.RU; however, Wepawet states it is freshtds.EU.
REB
This is what happens when you get hit by a payload from one of these sites (Blackhole Exploit Kit):
http://wepawet.cs.ucsb.edu/view.php?hash=d3e3cd3e4620cc7f2ad9e3252976d7f3&t=1340286074&type=js

Java, PDF, Flash and HCP exploits try to install Zbot and other malware. Detection now is decent, but when I investigated these samples on 21-6-12 detection was very poor.
https://www.virustotal.com/file/63001ffaae0e931486062f74a5a2976713adc99734f961cc42b2f0c755e96444/analysis/
https://www.virustotal.com/file/dcc3071540c6194f8971af0ed6a821c6cd0ad46caf07e95f73d257430c89409e/analysis/
https://www.virustotal.com/file/8ddc64b321ee7615eab3b6f7504b98422acb7b939a171a466c04706195300d59/analysis/
Anonymous
