Tuesday, June 3, 2014

Two years later...

By chance I just noticed that I wrote the Introducing Ponmocup Finder blog post exactly two years ago.

So it's time to celebrate the second anniversary :-)

Well, I was wondering if anyone else is currently detecting the .htaccess infections that Ponmocup Finder (PF) reports. Let's see...

Let's just look at one of the almost 500 domains currently detected by PF as infected.

http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/ponmocup-infected-domains-history-days-sort.txt

439 www.pino-travel.com
439 www.log-in-verlag.de
438 www.oople.com
438 www.franken-gmbh.de
438 www.brichzin.de
438 www.bad-saulgau.de
437 www.vitaminbude.de

This German site has been seen infected for more than 430 days.

Here's today's "evidence" from my PF scripts that this domain is infected. It sets a cookie and redirects to Zuponcic Kit, as discussed in previous (linked) blog posts and presentations.

http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-finder/www.bad-saulgau.de_wget_log.txt

--12:06:50--  http://www.bad-saulgau.de/
           => `www.bad-saulgau.de_out.txt'
Resolving www.bad-saulgau.de... 82.165.95.226
Connecting to www.bad-saulgau.de|82.165.95.226|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Tue, 03 Jun 2014 10:06:50 GMT
  Server: Apache
  Set-Cookie: tTF=50; path=/; domain=www.bad-saulgau.de; expires=Wed, 11-Jun-2014 08:44:50 GMT
  Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522
  Content-Length: 536
  Keep-Alive: timeout=2, max=200
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522 [following]
--12:06:50--  http://solent.alloyradianttubes.com/neo/darla/php/fc.php?trace=folder_inbox&tID=6&d=0&f=978500093&l=SKY%2CREC%2CMNW&rn=1341221058138&en=utf-8&filter=no_expandable%253Bajax_cert_expandable%253Bexp_iframe_expandable%253B&ref=http%3A%2F%2Fwww.bad-saulgau.de%2F&sa=content%253D%2522minty_tenure%253A%2520week%25203+%2522
           => `www.bad-saulgau.de_out.txt'
Resolving solent.alloyradianttubes.com... 31.210.96.155
Connecting to solent.alloyradianttubes.com|31.210.96.155|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Moved Temporarily
  Server: nginx/1.1.4
  Date: Tue, 03 Jun 2014 10:06:50 GMT
  Content-Type: text/html
  Content-Length: 160
  Connection: close
  Location: http://www.google.com/
Location: http://www.google.com/ [following]

The redirection to Google is an anti-detection method from Zuponcic Kit also discussed before on the Fox-IT blog.
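The two-hop pattern in the wget log above (a 302 from the site itself that sets a cookie and points off-host, then a second 302 that bounces to google.com) can be checked mechanically. The following is an added example, not part of PF or of the original post: it parses a wget server-response log and flags that chain. The embedded log is constructed to mirror the one above; its hosts and cookie value are illustrative.

```python
import re
from urllib.parse import urlparse

# Constructed wget -S log modelled on the one quoted above; hosts and the
# cookie value are illustrative and not taken from the original file.
SAMPLE_LOG = """\
--12:06:50--  http://www.infected-site.test/
  HTTP/1.1 302 Found
  Set-Cookie: tTF=50; path=/; domain=www.infected-site.test
  Location: http://redirector.test/neo/darla/php/fc.php?trace=folder_inbox
Location: http://redirector.test/neo/darla/php/fc.php?trace=folder_inbox [following]
--12:06:50--  http://redirector.test/neo/darla/php/fc.php?trace=folder_inbox
  HTTP/1.1 302 Moved Temporarily
  Location: http://www.google.com/
Location: http://www.google.com/ [following]
"""

HOP_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")      # start of a request
STATUS_RE = re.compile(r"^\s+HTTP/1\.\d (\d{3})")          # indented status line
HEADER_RE = re.compile(r"^\s+([A-Za-z-]+): (.*)$")         # indented response header

def parse_wget_log(text):
    """Split a wget -S log into hops {url, status, headers}; wget's own unindented
    'Location: ... [following]' lines are not server headers and are skipped."""
    hops = []
    for line in text.splitlines():
        if m := HOP_RE.match(line):
            hops.append({"url": m.group(1), "status": None, "headers": {}})
        elif hops and (m := STATUS_RE.match(line)):
            hops[-1]["status"] = int(m.group(1))
        elif hops and (m := HEADER_RE.match(line)):
            hops[-1]["headers"][m.group(1).lower()] = m.group(2)
    return hops

def assess_chain(hops):
    """Return (suspicious, reasons): the site answers 302 + Set-Cookie and sends
    the visitor to another host, and the chain ends by bouncing to google.com."""
    if len(hops) < 2:
        return False, ["fewer than two hops"]
    first, last = hops[0], hops[-1]
    site = urlparse(first["url"]).hostname
    hop1 = urlparse(first["headers"].get("location", "")).hostname
    final = urlparse(last["headers"].get("location", "")).hostname
    reasons = []
    if first["status"] == 302 and hop1 and hop1 != site:
        reasons.append("site 302s off-host to " + hop1)
    if "set-cookie" in first["headers"]:
        reasons.append("cookie set on redirect: " + first["headers"]["set-cookie"].split(";")[0])
    if last["status"] == 302 and final and final.endswith("google.com"):
        reasons.append("chain ends bouncing to google.com")
    return len(reasons) == 3, reasons  # conservative: all three signals required
```

Feeding it the real log requires running wget with server-response output and a browser-like User-Agent and referer, since the infection only triggers under those conditions.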

So now the question is: Is anyone else detecting these .htaccess infected sites?

I haven't found any other detections. If you know of one, please let me know.

http://www.urlvoid.com/scan/bad-saulgau.de/

Website Information

Analysis Date: 8 seconds ago
Safety Reputation: 0/28
Domain 1st Registered: Unknown
Server Location: (DE) Germany
Google Page Rank: (shown as an image)
Alexa Traffic Rank: 1,751,096

urlQuery can detect the redirection to Zuponcic Kit (provided the user sets the required referrer URL), but nothing in the report indicates that anything is malicious.

http://urlquery.net/report.php?id=1401817329491

Overview

URL: www.bad-saulgau.de/
IP: 82.165.95.226
ASN: AS8560 1&1 Internet AG
Location: Germany
Report completed: 2014-06-03 19:42:06 CET
Status: Report complete.
urlQuery Alerts: No alerts detected

Settings

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Referer: http://www.google.com/url?q=ponmocup+finder
Pool: (empty)
Access Level: public

Intrusion Detection Systems

Snort w/ Sourcefire VRT: No alerts detected
Suricata w/ Emerging Threats Pro: No alerts detected

Blacklists

DNS-BH / malwaredomains.com: No alerts detected
PhishTank / phishtank.com: No alerts detected
Spamhaus DBL / spamhaus.org: No alerts detected

Files Captured

Suricata IDS: No files captured

VirusTotal also has no malware or malicious activity associated with this domain:

https://www.virustotal.com/en/domain/www.bad-saulgau.de/information/
(none)

https://www.virustotal.com/en/url/c6ef57b6a1eee4ec6dacb3cea61541137d6cd5da8daec570c8444db63fc08e1d/analysis/1401828323/

URL: http://www.bad-saulgau.de/
Detection ratio: 0 / 52
Analysis date: 2014-06-03 20:45:23 UTC ( 0 minutes ago )

I wonder who will be the "first" to detect these .htaccess infections... anyone? No? OK then...

If you're not familiar with the Ponmocup malware / botnet yet, my previous post may be a good starting point, as it links everything together.

Yours truly,

Ponmocup Hunter :-)