[nsp-sec] Priceline

Scott A. McIntyre scott at xs4all.net
Thu Jul 24 15:54:47 EDT 2008


Hi Tim,


On Jul 23, 2008, at 21:26, BATTLES, TIMOTHY A (TIM), ATTLABS wrote:

> ----------- nsp-security Confidential --------
>
>
> 13:40 GMT July 22nd. It died off right around 00:00 GMT and then picked
> back up again the same time today at 13:40 GMT.
>
> Yesterday there were only a couple thousand zombies sending lots of
> requests, up to 20,000. Today, they changed the vector to 30,000+ zombies
> making ~5-20 requests. Most are European sources.
>
> Here is one of the agent logs
>
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRSPUTNIK 2, 0, 0, 20 SW; MRA 5.0 (build 02094); .NET CLR 2.0.50727)
> Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html; MRSPUTNIK 1, 8, 0, 17 HW; WebMoney Advisor; MRA 4.10 (build 01952); Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.03)
>
> Obviously not coming from googlebot.

This has been a real pain to track down.  Basically the queries are  
coming in to our own customer's websites "live" with no malware  
actually resident in memory nor on the filesystem.

Can you verify that the types of requests you're seeing are:

0x0000	 4500 0144 b944 4000 4006 5691 c26d 166a	E..D.D@.@.V..m.j
0x0010	 4006 1101 0981 0050 1bb2 4297 75fe b20b	@......P..B.u...
0x0020	 8018 e240 2b15 0000 0101 080a 01ae af3b	...@+..........;
0x0030	 01ae af30 4745 5420 6874 7470 3a2f 2f77	...0GET.http://w
0x0040	 7777 2e70 7269 6365 6c69 6e65 2e63 6f6d	ww.priceline.com
0x0050	 2f70 726f 6d6f 2f34 3075 6e64 6572 3430	/promo/40under40
0x0060	 5f68 746c 2e61 7370 2048 5454 502f 312e	_htl.asp.HTTP/1.
0x0070	 300d 0a55 7365 722d 4167 656e 743a 204f	0..User-Agent:.O
0x0080	 7065 7261 2f39 2e35 3020 284a 324d 452f	pera/9.50.(J2ME/
0x0090	 4d49 4450 3b20 4f70 6572 6120 4d69 6e69	MIDP;.Opera.Mini
0x00a0	 2f34 2e30 2e39 3830 302f 3330 383b 2055	/4.0.9800/308;.U
0x00b0	 3b20 7275 290d 0a41 6363 6570 743a 202a	;.ru)..Accept:.*
0x00c0	 2f2a 0d0a 5265 6665 7265 723a 2068 7474	/*..Referer:.htt
0x00d0	 703a 2f2f 7777 772e 7072 6963 656c 696e	p://www.pricelin
0x00e0	 652e 636f 6d2f 7072 6f6d 6f2f 3430 756e	e.com/promo/40un
0x00f0	 6465 7234 305f 6874 6c2e 6173 700d 0a48	der40_htl.asp..H
0x0100	 6f73 743a 2077 7777 2e70 7269 6365 6c69	ost:.www.priceli
0x0110	 6e65 2e63 6f6d 0d0a 436f 6e6e 6563 7469	ne.com..Connecti
0x0120	 6f6e 3a20 4b65 6570 2d41 6c69 7665 0d0a	on:.Keep-Alive..
0x0130	 5072 6167 6d61 3a20 6e6f 2d63 6163 6865	Pragma:.no-cache
0x0140	 0d0a 0d0a                              	....


Even though this doesn't match your above mentioned bits, the GET  
string I see against our customer's site looked suspicious:

QUERY_STRING=wx=wxmg1&type=attack&name=d3d3LnByaWNlbGluZS5jb20=&url=aHR0cDovL3d3dy5wcmljZWxpbmUuY29tL3Byb21vLzQwdW5kZXI0MF9odGwuYXNw&port=80&numat=50000

In this case, it's coming from:

AS      | IP               | AS Name
11388   | 209.25.195.74    | MAXIM - Peer 1 Dedicated Hosting

And the malware in question which was "somehow" stashed on our
customer's website (in a Joomla/Mambo /administrator/ path) has the
following browser strings:

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRSPUTNIK 2, 0, 0, 20 SW; MRA 5.0 (build 02094); .NET CLR 2.0.50727)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)",
"Opera/9.25 (Windows NT 5.1; U; ru)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
"Opera/9.10 (Windows NT 5.1; U; ru)",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4",
"Opera/9.22 (Windows NT 5.1; U; ru)",
"Opera/9.50 (J2ME/MIDP; Opera Mini/4.0.9800/308; U; ru)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 AdCentriaIM/1.7 Dealio Toolbar 3.1 Firefox/2.0.0.11;MEGAUPLOAD 1.0",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html; MRSPUTNIK 1, 8, 0, 17 HW; WebMoney Advisor; MRA 4.10 (build 01952); Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.03)");

Which looks pretty much spot-on for what you are seeing.

I am attaching the file in question to this email; the password is
"infected".

Based on my hunting I'm finding several other customers with the same  
http-malware installed on their sites and will do what I can to shut  
it down.

The second site issuing the request here was:

AS      | IP               | AS Name
32392   | 98.130.2.25      | OPENTRANSFER-ECOMMERCE - Ecommerce Corporation

Those were the only two remote sites that have been issuing the attack
query string against our infected customer's systems so far.

Hope this helps!

Scott A. McIntyre
XS4ALL Internet B.V.
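The control request Scott quotes (type=attack, with the flood target base64-encoded in name and url, a port, and a request count in numat) is what a hosting provider would want to pick out of its customers' access logs to find other infected sites and the hosts driving them. The following is an added example, not code from this message or from the malware it describes: a small scanner over Apache/nginx "combined" log lines that flags such requests, decodes name and url, and reports which remote host issued the command and which file on the customer's site received it. The log lines are constructed for the example, as are the second line's source address and the script path /administrator/EXAMPLE_SCRIPT.php (the message names the Joomla/Mambo /administrator/ directory, not the file); the query-string values are the ones quoted in the message.

```python
"""Find 'type=attack' control requests in web-server access logs.

Added example (not code from the original message or from the malware it
describes). Assumes Apache/nginx "combined" log format. The sample lines,
the second line's source address and the path /administrator/EXAMPLE_SCRIPT.php
are constructed placeholders; the query-string values are the ones quoted
in the message.
"""
import base64
import binascii
import re
import sys
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real log data). The first carries the
# control request quoted in the message; the second is ordinary traffic.
SAMPLE_LOG = r'''
209.25.195.74 - - [23/Jul/2008:13:41:02 +0000] "GET /administrator/EXAMPLE_SCRIPT.php?wx=wxmg1&type=attack&name=d3d3LnByaWNlbGluZS5jb20=&url=aHR0cDovL3d3dy5wcmljZWxpbmUuY29tL3Byb21vLzQwdW5kZXI0MF9odGwuYXNw&port=80&numat=50000 HTTP/1.0" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [23/Jul/2008:13:41:05 +0000] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 4411 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
'''

# Combined log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _b64_text(value: str) -> Optional[str]:
    """Decode a base64 field to text; None if it is not valid base64/ASCII."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_attack_command(target: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the decoded flood parameters if `target` carries type=attack.

    Returns None for any request without type=attack. A hit whose name or
    url field does not decode is still reported, with None in that field,
    so a mangled command is not silently dropped.
    """
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)

    def first(key: str) -> str:
        return qs.get(key, [""])[0]

    if first("type") != "attack":
        return None
    return {
        "target_host": _b64_text(first("name")),
        "target_url": _b64_text(first("url")),
        "port": first("port"),
        "numat": first("numat"),  # number of requests the zombie is told to send
    }


def scan_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Walk log lines and return one record per control request found."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        cmd = parse_attack_command(m.group("target"))
        if cmd is None:
            continue
        cmd["controller"] = m.group("src")                # who sent the command
        cmd["script"] = urlsplit(m.group("target")).path  # which file on our host took it
        cmd["when"] = m.group("ts")
        hits.append(cmd)
    return hits


if __name__ == "__main__":
    # Pass an access log path to scan real data; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for h in scan_log(text):
        print(f"{h['when']} {h['controller']} -> {h['script']}: "
              f"flood {h['target_host']}:{h['port']} ({h['target_url']}) x{h['numat']}")
```

Run against a customer's access log, the output gives both pieces a hosting abuse desk needs: the controller addresses to block or report (the two ASNs Scott lists came from exactly this kind of correlation) and the path of the planted script to remove. Matching on the decoded parameters rather than the User-Agent is deliberate, since the agent strings the script sends are ordinary browser and crawler strings and would flag legitimate traffic.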