Nytro Posted April 20, 2013

Kelihos via Redkit, mass-infection following unfortunate US disaster news..

We all know what happened in the US recently; it is a very sad and unfortunate situation. People died during the accident, and the malware scum used this as their opportunity, which we just can't tolerate. I am dropping the previous tasks to investigate this infection. The point of this post is to expose the malware's network, pre- and post-infection, for the purpose of dismantling it. The information will be added to frequently, since the deep investigation to mitigate the overall malicious scheme is still ongoing, and some matters just cannot be published yet. This is the pilot analysis of the current mass-infection: there are so many variations in the JARs, the Kelihos downloaders, and the range of new botnets used (and it is still growing/changing now). What has been written here is not everything! There is more of this bad stuff out there online now, so please take this post as a lead to dig and nail deeper. Please also bear with me for the regular updates and several additions. I will post all samples with captured data as usual, as soon as I can get time to re-organize my stuff. OK, here we go..

Big picture of current infection

Samples used for analysis:

Source of infection

The Redkit Exploit Kit was used in this scheme; the crocodiles finally came to the surface for the chance to perform a mass hit at a time like this. You'll see the front infector in spam with URLs following the rules below:

http://[whatever domain OR IP address]/news.html
http://[whatever domain OR IP address]/boston.html
http://[whatever domain OR IP address]/texas.html

Every researcher is also doing a great job by putting the links into URLquery.
You shall see it in here: [1] [2] [3]. I took the first unique pattern below as the example for this analysis:

Link: Malware Must Die!: Kelihos via Redkit, mass-infection following unfortnate US disaster news..
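The only concrete indicator the post gives at this point is the shape of the lure URLs: any host, with one of three page names. The following is an added example, not code from the post or from Malware Must Die, showing how a defender could sweep a web-proxy log for requests matching that path rule. The log format, hostnames and IP addresses are constructed for the example (documentation ranges and a .invalid domain), and the match deliberately keys on the path only, ignoring host, case and query string, because the post states the domain or IP can be anything.

```python
import re
from urllib.parse import urlsplit

# Lure page names quoted in the post; the host part is unconstrained, so only
# the path is used for matching.
LURE_PATHS = frozenset({"/news.html", "/boston.html", "/texas.html"})

# Constructed proxy access log (timestamp client method url status).
# Hosts and client IPs are placeholders, not indicators from the post.
SAMPLE_LOG = """\
1366470001.123 10.0.0.5 GET http://example-lure.invalid/news.html 200
1366470002.456 10.0.0.7 GET http://203.0.113.9/boston.html 200
1366470003.789 10.0.0.5 GET http://intranet.example/index.html 200
1366470004.012 10.0.0.9 GET http://198.51.100.4/Texas.html?ref=mail 302
1366470005.345 10.0.0.7 GET https://news.example/news.html/archive 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def is_lure_url(url: str) -> bool:
    """True if the URL's path (host, query and case ignored) is one of the lure pages."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # Exact path match: "/news.html/archive" is not the lure page.
    return parts.path.lower() in LURE_PATHS


def find_lure_hits(log_text: str):
    """Return (client, url) pairs for every parseable log line that hit a lure page."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        if is_lure_url(m.group("url")):
            hits.append((m.group("client"), m.group("url")))
    return hits


if __name__ == "__main__":
    for client, url in find_lure_hits(SAMPLE_LOG):
        print(f"{client} requested lure page {url}")
```

Clients that appear in the output are candidates for follow-up (was the page reached from a mail link, and did a Java request to the same or a redirected host follow?), which is the pre-infection side of the network the post sets out to map.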