// #MalwareMustDie - Crusaders diary
// @unixfreaxjp of MMD is 100% responsible for this check.
// A guide to confirming a legitimate service hacked by the Blackhole Exploit Kit.
//
// Background:
// While I was checking the malicious domain bilainkos.ru, I found out that its DNS had just been renewed.
// I remembered that a fellow crusader had asked me about a hacked IP in TW,
// so let's use this opportunity to prove it:
// Malicious host targeted
bilainkos.ru A 91.224.135.20
bilainkos.ru A 187.85.160.106
bilainkos.ru A 210.71.250.131
//SOA
bilainkos.ru
origin = ns1.bilainkos.ru
mail addr = root.bilainkos.ru
serial = 2012010101
refresh = 604800
retry = 1800
expire = 1800
minimum = 60
//WHOIS
domain: BILAINKOS.RU
nserver: ns1.bilainkos.ru. 62.76.186.24
nserver: ns2.bilainkos.ru. 110.164.58.250
nserver: ns3.bilainkos.ru. 42.121.116.38
nserver: ns4.bilainkos.ru. 41.168.5.140
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2012.12.16
paid-till: 2013.12.16
free-date: 2014.01.16
source: TCI
Last updated on 2012.12.25 05:51:35 MSK <=========== HERE, JUST RENEWED
// Let's check the infection of 210.71.250.131
// URLQuery of 210.71.250.131 :
// http://urlquery.net/search.php?q=210.71.250.131&type=string&start=2012-12-10&end=2012-12-25&max=50
2012-12-23 01:17:02 http://bilainkos.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
2012-12-22 01:18:03 http://bilainkos.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
2012-12-21 05:50:54 http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
2012-12-20 23:20:48 http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
2012-12-20 18:46:22 http://apendiksator.ru:8080/forum/links/column.php [Taiwan] 210.71.250.131
2012-12-20 04:21:25 http://akionokao.ru/forum/links/public_version.php [Taiwan] 210.71.250.131
2012-12-19 20:53:24 http://akionokao.ru:8080/forum/links/public_version.php [Taiwan] 210.71.250.131
// A second-opinion check: DNS records pointing at 210.71.250.131
bunakaranka.ru A 210.71.250.131
afjdoospf.ru A 210.71.250.131
angelaonfl.ru A 210.71.250.131
akionokao.ru A 210.71.250.131
apendiksator.ru A 210.71.250.131
bilainkos.ru A 210.71.250.131
// Realizing that 210.71.250.131 is bound to a legitimate Taiwan business page:
// http://www.tecom.com.tw/
// What/where is 210.71.250.131?
// Backbone:
AS Number: AS3462
inetnum: 210.71.128.0 - 210.71.255.255
netname: HINET-TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
country: TW
admin-c: HN27-AP
tech-c: HN28-AP
// IP Owner:
inetnum: 210.71.250.131 - 210.71.250.131
netname: TECOM-921-TW
descr: Taipei Taiwan
country: TW
admin-c: JS1343-TW
tech-c: JS1343-TW
mnt-by: MAINT-TW-TWNIC
====================
PoC is here...
It is proved that this legitimate server can
have a proxy implemented on it (in this case on port 8080)
which serves the Blackhole Exploit Kit.
====================
// Send a normal HTTP request to 210.71.250.131:80
--2012-12-25 11:26:05-- http://210.71.250.131/
Connecting to 210.71.250.131:80... connected.
Created socket 3.
GET / HTTP/1.1
User-Agent: Mozilla 5.0 (WinNT 6.0; IE 6.0)
Accept: */*
Host: 210.71.250.131
Connection: Keep-Alive
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 302 Found
Date: Tue, 25 Dec 2012 02:24:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Location: http://www.tecom.com.tw/en/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8 // A legit reply!
// So let's send a debug request to port 8080 of the same IP.
// I used the latest infection URL structure to make sure that
// I aimed at a real page:
--2012-12-25 11:21:47-- h00p://210.71.250.131:8080/forum/links/column.php
Connecting to 210.71.250.131:8080... connected.
GET /forum/links/column.php HTTP/1.1
User-Agent: Mozilla 5.0 (WinNT 6.0; IE 6.0)
Accept: */*
Host: 210.71.250.131:8080
Connection: Keep-Alive
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 500 Internal Server Error
Server: nginx/1.0.10
Date: Tue, 25 Dec 2012 02:20:39 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 0 // It is a Blackhole service!
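The two requests above, turned into a repeatable check. This is an added example, not code from the MMD diary: it parses the URLQuery listing to learn which ports and paths to probe on the suspect IP, parses raw response headers, and flags a host whose side port identifies itself differently from port 80 (a different Server and X-Powered-By banner, a CP-1251 charset, an empty HTTP 500 on the exploit-kit path). The sample responses and URLQuery lines are constructed from the headers and listing quoted above; the heuristics in split_personality() and the fetch_headers() live probe are my own assumptions, not something the diary describes.

```python
"""Added example: compare what a suspect host says about itself on :80 and on
a side port (here 8080), the way the diary does by hand. Runs offline on the
constructed samples below; fetch_headers() is the only thing that touches the network."""
import http.client
import re
from typing import Dict, List, Tuple

# Landing-page path pattern taken from the URLQuery listing
# (/forum/links/column.php, /forum/links/public_version.php).
BLACKHOLE_PATH = re.compile(r"^/forum/links/[a-z_]+\.php$")

# URLQuery line: "<date> <time> <url> [<country>] <ip>"; spacing in the diary is irregular.
URLQUERY_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*(https?://\S+?)\s*\[([^\]]+)\]\s*(\d+\.\d+\.\d+\.\d+)$"
)

# Constructed from the URLQuery lines quoted in the diary.
URLQUERY_LINES = [
    "2012-12-23 01:17:02 http://bilainkos.ru:8080/forum/links/column.php[Taiwan] 210.71.250.131",
    "2012-12-21 05:50:54http://akionokao.ru:8080/forum/links/public_version.php[Taiwan] 210.71.250.131",
    "2012-12-20 04:21:25http://akionokao.ru/forum/links/public_version.php[Taiwan] 210.71.250.131",
]

# Constructed from the two responses quoted in the diary (status line + headers only).
PORT80_RESPONSE = """HTTP/1.1 302 Found
Date: Tue, 25 Dec 2012 02:24:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Location: http://www.tecom.com.tw/en/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8"""

PORT8080_RESPONSE = """HTTP/1.1 500 Internal Server Error
Server: nginx/1.0.10
Date: Tue, 25 Dec 2012 02:20:39 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 0"""


def parse_urlquery(lines: List[str]) -> List[Tuple[str, str, int, str, str]]:
    """Return (timestamp, host, port, path, ip) for every parsable URLQuery line."""
    out = []
    for line in lines:
        m = URLQUERY_LINE.match(line.strip())
        if not m:
            continue
        ts, url, _country, ip = m.groups()
        hostport, _, rest = url.split("://", 1)[1].partition("/")
        host, _, port = hostport.partition(":")
        out.append((ts, host, int(port) if port else 80, "/" + rest, ip))
    return out


def probe_targets(lines: List[str]) -> List[Tuple[int, str]]:
    """Distinct (port, path) pairs worth requesting on the suspect IP."""
    return sorted({(port, path) for _, _, port, path, _ in parse_urlquery(lines)})


def parse_response(raw: str) -> Dict[str, str]:
    """Parse a raw status line + headers into a dict; status code under '_status'."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    hdrs = {"_status": lines[0].split(None, 2)[1]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def charset_of(hdrs: Dict[str, str]) -> str:
    m = re.search(r"charset=([\w-]+)", hdrs.get("content-type", ""), re.I)
    return m.group(1).upper() if m else ""


def split_personality(front: Dict[str, str], side: Dict[str, str], side_path: str) -> List[str]:
    """Heuristics (assumed, not the diary's): a legit host carrying a Blackhole reverse
    proxy on a side port answers with a different stack than its own :80 does."""
    findings = []
    for h in ("server", "x-powered-by"):
        if front.get(h) != side.get(h):
            findings.append(f"{h} differs: {front.get(h)!r} on :80 vs {side.get(h)!r} on side port")
    if charset_of(side) == "CP-1251" and charset_of(front) != "CP-1251":
        findings.append("side port answers in CP-1251 (Cyrillic Windows code page) while :80 does not")
    if BLACKHOLE_PATH.match(side_path) and side["_status"] == "500" and side.get("content-length") == "0":
        findings.append("Blackhole-style path returns an empty HTTP 500, the reply the diary treats as the kit")
    return findings


def fetch_headers(ip: str, port: int, path: str, host_header: str, timeout: int = 10) -> str:
    """Live probe (not run here): returns the raw text parse_response() consumes.
    Uses the same UA string as the diary's debug requests."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    conn.request("GET", path, headers={"Host": host_header,
                                        "User-Agent": "Mozilla 5.0 (WinNT 6.0; IE 6.0)",
                                        "Accept": "*/*"})
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\n" + "\n".join(f"{k}: {v}" for k, v in resp.getheaders())
    conn.close()
    return raw


def check_host() -> List[str]:
    """Run the comparison on the constructed samples (what the diary did by hand)."""
    return split_personality(parse_response(PORT80_RESPONSE),
                             parse_response(PORT8080_RESPONSE), "/forum/links/column.php")


if __name__ == "__main__":
    for port, path in probe_targets(URLQUERY_LINES):
        print(f"probe :{port}{path}")
    for f in check_host():
        print("[!]", f)
```

For a live check, feed fetch_headers(ip, 80, "/", ip) and fetch_headers(ip, 8080, path, ip) for each (port, path) from probe_targets() into split_personality(); one finding alone (a banner difference) is weak, since a load balancer can legitimately front a different stack, so treat the combination with the CP-1251 charset and the empty 500 on the kit path as the signal.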
---
#MalwareMustDie
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information