Monday, September 20, 2010

Decoding html viruses followup

The last post was getting too long so it was time to start a new one.

Now the subject line says "contract for sports complex", and going through some of the previous decoding steps and feeding the result into jsunpack leads us to a complicated scenario that the CyberCrime & Doing Time blog goes into here.

The browser visits a hostile site
h[broke]ttp://chautoy.co.za/x.html

It tells me that x.html is
info: [meta refresh] URL=xxxvideo-eyyc.cz.cc/video7/?afid=24
info: [iframe] findepotdirect.com/news/

which just looks like your basic "Can we sell you some cheap pills?" SpamRx, or in this case a porn site. BUT! You get this free surprise inside an iframe (that's an HTML thingy).

The sports complex one I went through decoded to (I've removed the opening angle bracket to keep the browser from trying to interpret it and changed http to h.ttp):

PLEASE WAITING.... 4 SECONDS meta h.ttp-equiv="refresh" content="4;url=h.ttp://xxxvideo-eyyc.cz.cc/video7/?afid=24" /> iframe width="0" height="0" src="h.ttp://findepotdirect.com/news/"> /iframe>

So while you are seeing xxxvideo-eyyc.cz.cc your browser is getting something else entirely.
jsunpack tells me it contains a file called 3.wav, which I find pretty strange, but on further examination it's part of the xxxvideo porn site, so it's more smoke.
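To show what jsunpack is reporting in those two "info:" lines, here is an added example (my own code, not from the original post and not jsunpack's): a small static scanner that pulls the meta-refresh target and every iframe out of a page and flags iframes sized to be invisible. The sample page is constructed from the defanged markup quoted above, re-armed as a local string so the parser sees real tags; nothing is fetched.

```python
# Added example: report meta-refresh redirects and hidden iframes, jsunpack-style.
# The sample page is a constructed, local copy of the decoded attachment above.
from html.parser import HTMLParser
import re

# Constructed sample input reproducing the decoded attachment from the post.
SAMPLE_HTML = """
<html><body>PLEASE WAITING.... 4 SECONDS
<meta http-equiv="refresh" content="4;url=http://xxxvideo-eyyc.cz.cc/video7/?afid=24" />
<iframe width="0" height="0" src="http://findepotdirect.com/news/"></iframe>
</body></html>
"""


def _dim_is_zero(value):
    """True for width/height values like "0" or "0px"."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


def is_hidden_iframe(attrs):
    """True when the iframe is sized to be invisible (0 width or height)
    or styled with display:none / visibility:hidden."""
    if _dim_is_zero(attrs.get("width", "1")) or _dim_is_zero(attrs.get("height", "1")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class RedirectAndIframeScanner(HTMLParser):
    """Collect (kind, url, note) tuples for meta refreshes and iframes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    # HTMLParser lowercases tag and attribute names and routes self-closing
    # tags such as <meta ... /> through handle_starttag as well.
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "4;url=http://..."; capture delay and target
            m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*(.+)", a.get("content", ""), re.I)
            if m:
                self.findings.append(("meta refresh", m.group(2).strip(), f"after {m.group(1)}s"))
        elif tag == "iframe":
            note = "hidden (zero size)" if is_hidden_iframe(a) else "visible"
            self.findings.append(("iframe", a.get("src", ""), note))


def scan(html):
    """Return the list of findings for a page."""
    p = RedirectAndIframeScanner()
    p.feed(html)
    return p.findings


def hidden_iframe_urls(html):
    """Just the URLs loaded by iframes the user would never see."""
    return [url for kind, url, note in scan(html) if kind == "iframe" and note.startswith("hidden")]


if __name__ == "__main__":
    for kind, url, note in scan(SAMPLE_HTML):
        print(f"info: [{kind}] {url} ({note})")
```

Run against the sample, it prints the same two targets jsunpack listed, with the iframe marked hidden: that zero-by-zero frame is why the victim sees the porn redirect while the browser quietly loads findepotdirect.com/news/ in the background.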

What I need is more info about: findepotdirect.com/news

A quick google of findepotdirect.com/news shows one link and it was created by yours truly when I did the above jsunpack run.

So I finally finished my local install of the text-only browser "Lynx" running on a Linux system, only to find out the site is, thankfully, down.

However, the domain name is owned by someone:

Domain Name: FINDEPOTDIRECT.COM
Registrar: MONIKER ONLINE SERVICES, INC.
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com/whois.html
Name Server: NS1.DRAMCHINATEA.NET
Name Server: NS2.DRAMCHINATEA.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-sep-2010
Creation Date: 13-sep-2010
Expiration Date: 13-sep-2011

And the contact info is hidden by the registrar Moniker:

Domain Name: FINDEPOTDIRECT.COM
Registrar: MONIKER

Registrant [3157846]:
Dennis Nanni root@munnuhome.com
6310 Rock Creek Rd
Tullahoma TN 37388 US

This domain was just registered a week ago, but still isn't really functional, or was and is no longer.

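The "registered a week ago" observation is the check worth automating. Here is an added example (my own code, not part of the original post): it parses the date fields out of a whois record and flags a domain that was created only days before it showed up in a message. The record text is constructed from the fields quoted above and the observation date is this post's date; the 30-day threshold is my assumption.

```python
# Added example: parse whois date fields and flag freshly registered domains.
# WHOIS_TEXT is constructed from the record quoted in the post.
from datetime import date, datetime

WHOIS_TEXT = """\
Domain Name: FINDEPOTDIRECT.COM
Registrar: MONIKER ONLINE SERVICES, INC.
Whois Server: whois.moniker.com
Name Server: NS1.DRAMCHINATEA.NET
Name Server: NS2.DRAMCHINATEA.NET
Status: clientDeleteProhibited
Updated Date: 13-sep-2010
Creation Date: 13-sep-2010
Expiration Date: 13-sep-2011
"""


def parse_whois(text):
    """Return field -> list of values (whois repeats keys such as Name Server)."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def parse_whois_date(s):
    """Accept the Verisign-style "13-sep-2010" as well as ISO forms."""
    for fmt in ("%d-%b-%Y", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(s, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised whois date: {s!r}")


def domain_age_days(record, observed):
    """Days between the Creation Date and the day the domain was observed."""
    created = parse_whois_date(record["creation date"][0])
    return (observed - created).days


def assess(text, observed, young_threshold_days=30):
    """Summarise the record with the indicators an analyst would note.
    young_threshold_days is an assumed cut-off, not a value from the post."""
    rec = parse_whois(text)
    age = domain_age_days(rec, observed)
    flags = []
    if age < young_threshold_days:
        flags.append(f"registered {age} days before observation")
    if rec.get("creation date") == rec.get("updated date"):
        flags.append("never updated since registration")
    return {"domain": rec["domain name"][0], "age_days": age, "flags": flags}


if __name__ == "__main__":
    print(assess(WHOIS_TEXT, date(2010, 9, 20)))
```

For this record the domain comes back seven days old with both flags raised, which is exactly the pattern of a throwaway domain stood up for one spam run.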
So I still don't know what they're up to, but it's getting harder and harder to find out just what it is, though I have a feeling that if the findepotonline.com site answered then jsunpack would have more to say about it.
