Qai.jar malware (CVE-2010-1885)

[NotBuyingIt]

A well-know spam expert is reporting an aggressively promoted malware exploit which uses multiple sites together. Deceptive web pages planted on dozens of sites load a set of JavaScripts which in turn attempt to load a malicious webpage. Several variations were detected yesterday and today.<!--break-->

This set of scripts
hXXp://50.57.29.172/hVg3GFAo/js.js
hXXp://finantariauto.ro/5ZqETXNE/js.js
hXXp://ipecturkey.com/E2UNfoGY/js.js
hXXp://oompa.de/VTwQKwDD/js.js
attempt to load
hXXp://209.59.217.193/showthread.php?t=d7ad916d1c0396ff
that leads to malware at
hXXp://209.59.217.193/q.php?f=ba33
hXXp://209.59.217.193/content/Qai.jar

This set of scripts
hXXp://216.205.49.67/CD5s3Ne3/js.js
hXXp://activetours.pttk.pl/Eaz0Mz8g/js.js
hXXp://copymax.gr/jbbaaFCK/js.js
hXXp://offvip.com/TtMQy1sw/js.js
hXXp://solocyberday.com/oDYibUuh/js.js
attempt to load
hXXp://slickicus.com/showthread.php?t=8d80b8c3f87a9538
that leads to malware at
hXXp://slickicus.com/q.php?f=db757
hXXp://slickicus.com/content/Qai.jar

This set of scripts
hXXp://officefurnituremart.com/sT1SFMyf/js.js
hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
hXXp://qqprints.com.my/37ErBpvj/js.js
hXXp://romanjewelers.com/mnbCaEYY/js.js
hXXp://samx.zzl.org/crF5iYsT/js.js
attempt to load
hXXp://slicksphere.com/showthread.php?t=d7ad916d1c0396ff
but the domain slicksphere.com has been suspended

Here are some of the deceptive URLs that have been reported earlier today

hXXp://02f40c1.netsolhost.com/jXh3opQk/index.html
hXXp://02f40c1.netsolhost.com/pVXky4P3/index.html
hXXp://184.164.129.5/H0PL9q26/index.html
hXXp://3eras.com/0X98aHUS/index.html
hXXp://5seis.com.ar/jXh3opQk/index.html
hXXp://91.93.110.150/JYjJE2q2/index.html
hXXp://acriancafeliz.org.br/vyEryYcH/index.html
hXXp://advanced-web-hosting-solutions.com/H0PL9q26/index.html
hXXp://advancedcopier.net/tMYwdbsB/index.html
hXXp://aerospacend.com/0X98aHUS/index.html
hXXp://autolorentzos.gr/46iU2yx2/index.html
hXXp://autolorentzos.gr/k4H1CSBf/index.html
hXXp://autouniversal.ro/tMYwdbsB/index.html
hXXp://bestdeal.com.vn/H0PL9q26/index.html
hXXp://binhanphat.vn/pVXky4P3/index.html
hXXp://chinchunhoo.com/tp3G2sKH/index.html
hXXp://criadero-duancos.com.ar/jXh3opQk/index.html
hXXp://dhtics.webou.net/8pe5eCMZ/index.html
hXXp://dhtics.webou.net/N7hwdmet/index.html
hXXp://dhtics.webou.net/vyEryYcH/index.html
hXXp://fundoohairstyles.com/0X98aHUS/index.html
hXXp://getstrength.com/pVXky4P3/index.html
hXXp://glamourspa.com.vn/H0PL9q26/index.html
hXXp://goksen.com.tr/H0PL9q26/index.html
hXXp://goksen.com.tr/JYjJE2q2/index.html
hXXp://goksen.com.tr/tp3G2sKH/index.html
hXXp://hajashaza.hu/JYjJE2q2/index.html
hXXp://hajashaza.hu/pVXky4P3/index.html
hXXp://hajashaza.hu/W9x9Xomw/index.html
hXXp://hellenic-antiaging-academy.gr/k4H1CSBf/index.html
hXXp://hidroprojekt-consult.hr/W9x9Xomw/index.html
hXXp://hippocrafts.com/46iU2yx2/index.html
hXXp://hippocrafts.com/8pe5eCMZ/index.html
hXXp://hippocrafts.com/svaVeSkm/index.html
hXXp://hyperbeesmedia.com/svaVeSkm/index.html
hXXp://ibafo.com.br/LTWJaNR9/index.html
hXXp://ibafo.com.br/N7hwdmet/index.html
hXXp://inour.biz/JYjJE2q2/index.html
hXXp://inour.biz/pVXky4P3/index.html
hXXp://isravilon1.com/tMYwdbsB/index.html
hXXp://junglecreativestudio.gr/k4H1CSBf/index.html
hXXp://jurjev.com/8pe5eCMZ/index.html
hXXp://koala.unas.cz/N7hwdmet/index.html
hXXp://kolling.com.my/LTWJaNR9/index.html
hXXp://kongo.co.hu/N7hwdmet/index.html
hXXp://kongo.co.hu/svaVeSkm/index.html
hXXp://kongo.co.hu/tMYwdbsB/index.html
hXXp://laflcargo.com/vyEryYcH/index.html
hXXp://laleyurtseven.com/8pe5eCMZ/index.html
hXXp://laleyurtseven.com/tMYwdbsB/index.html
hXXp://ledsociety.com/7ik7M03n/index.html
hXXp://ledsociety.com/tp3G2sKH/index.html
hXXp://leikar.net/vyEryYcH/index.html
hXXp://linemenu.com/8pe5eCMZ/index.html
hXXp://linemenu.com/svaVeSkm/index.html
hXXp://littlelordspreschool.com/0X98aHUS/index.html
hXXp://lsquarednetworks.com/7ik7M03n/index.html
hXXp://lsquarednetworks.com/tp3G2sKH/index.html
hXXp://mage.ibraggiotti.com/0X98aHUS/index.html
hXXp://mage.ibraggiotti.com/W9x9Xomw/index.html
hXXp://magneticlodestone.com/46iU2yx2/index.html
hXXp://magneticlodestone.com/tMYwdbsB/index.html
hXXp://maxiesolutions.com/svaVeSkm/index.html
hXXp://mayerdobrasil.com.br/W9x9Xomw/index.html
hXXp://mcms.xs2theworld.com/LTWJaNR9/index.html
hXXp://mcms.xs2theworld.com/vyEryYcH/index.html
hXXp://metrofincaraiz.com/0X98aHUS/index.html
hXXp://minds.com.pk/8pe5eCMZ/index.html
hXXp://mishelart.com/tp3G2sKH/index.html
hXXp://mixtle.com/tMYwdbsB/index.html
hXXp://mkultura.lt/7ik7M03n/index.html
hXXp://musicalchemylab.lh.pl/46iU2yx2/index.html
hXXp://myghanaonline.com/N7hwdmet/index.html
hXXp://notebooktamiri.gen.tr/vyEryYcH/index.html
hXXp://objebi.com/xBu5dukk/index.html
hXXp://olla-de-felix-buenos-aires.com/Qyuv8XX1/index.html
hXXp://olla-de-felix-buenos-aires.com/xBu5dukk/index.html
hXXp://oneblr.com/a65oSoKL/index.html
hXXp://optimizacija-seo.com/a65oSoKL/index.html
hXXp://overhill.comicgenesis.com/xBu5dukk/index.html
hXXp://paperbuzz.net/3BvC2cTf/index.html
hXXp://party-chat.hu/a65oSoKL/index.html
hXXp://party-chat.hu/xBu5dukk/index.html
hXXp://povilasc.ipower.com/tp3G2sKH/index.html
hXXp://pp.premiumpage.pl/vyEryYcH/index.html
hXXp://Privatesandbox.com/qVsVjYfe/index.html
hXXp://prodmovie.com/xBu5dukk/index.html
hXXp://psytrip.com.br/LTWJaNR9/index.html
hXXp://public.smartbe.be/0X98aHUS/index.html
hXXp://rajtr.com/7ik7M03n/index.html
hXXp://realestatebootcamp.ca/LTWJaNR9/index.html
hXXp://redencionsofro.com.ar/3BvC2cTf/index.html
hXXp://revivalgospelministries.org/LTWJaNR9/index.html
hXXp://riwex.hu/3BvC2cTf/index.html
hXXp://sarahyong.com/CzEjfCRK/index.html
hXXp://sereflikochisarzob.org/LTWJaNR9/index.html
hXXp://sezam.home.pl/CzEjfCRK/index.html
hXXp://silentstartupwebsite.com/CzEjfCRK/index.html
hXXp://silentstartupwebsite.com/xBu5dukk/index.html
hXXp://siranmuftulugu.gov.tr/46iU2yx2/index.html
hXXp://sisrs.org/tMYwdbsB/index.html
hXXp://sixdimensions.co.id/xBu5dukk/index.html
hXXp://softwarepark-galati.ro/xBu5dukk/index.html
hXXp://swcc.marknetdev.com/LTWJaNR9/index.html
hXXp://sxs-bwn.org/vyEryYcH/index.html
hXXp://techleadsolution.com/QnXBRiWS/index.html
hXXp://tehranmaltbeer.com/30VtVqEf/index.html
hXXp://tempo-www.defisduchott.com/CzEjfCRK/index.html
hXXp://themainmall.com/svaVeSkm/index.html
hXXp://transcamila.com/tMYwdbsB/index.html
hXXp://upedagogica.edu.bo/N7hwdmet/index.html
hXXp://www.tesan.com.tr/vyEryYcH/index.html

Some other reported URLs return HTTP 404 ("Not Found") or their domains have been suspended, so I suspect efforts are underway to combat the malware campaign.

[NotBuyingIt]

Other people are also reporting virtually the same exploit which is also running on other sites.

This set of scripts
hXXp://50.57.29.172/hVg3GFAo/js.js
hXXp://oompa.de/VTwQKwDD/js.js
attempts to load
hXXp://matormaster.com/showthread.php?t=d7ad916d1c0396ff
that leads to malware at
hXXp://matormaster.com/q.php?f=ba33e
hXXp://matormaster.com/content/Qai.jar

This set of scripts
hXXp://officefurnituremart.com/sT1SFMyf/js.js
hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
hXXp://romanjewelers.com/mnbCaEYY/js.js
hXXp://samx.zzl.org/crF5iYsT/js.js
attempts to load
hXXp://slickcurve.com/showthread.php?t=d7ad916d1c0396ff
that leads to malware at
hXXp://slickcurve.com/q.php?f=ba33
hXXp://slickcurve.com/content/Qai.jar


Here are some of the deceptive URLs that have been reported within the past few hours

hXXp://clubrepublique.com/LTWJaNR9/index.html
hXXp://gfclock.com/tMYwdbsB/index.html
hXXp://maxiesolutions.com/N7hwdmet/index.html
hXXp://orangesoft.co.uk/xBu5dukk/index.html
hXXp://palm-schools.com/xBu5dukk/index.html
hXXp://paperbuzz.net/xBu5dukk/index.html
hXXp://parfum-mester.hu/a65oSoKL/index.html
hXXp://parfum-sziget.hu/a65oSoKL/index.html
hXXp://party-chat.hu/3BvC2cTf/index.html
hXXp://photo-howto.com/a65oSoKL/index.html
hXXp://popi-indonesia.org/Qyuv8XX1/index.html
hXXp://probatik.com/3BvC2cTf/index.html
hXXp://psytrip.com.br/8pe5eCMZ/index.html
hXXp://riwex.hu/30VtVqEf/index.html
hXXp://riwex.hu/a65oSoKL/index.html
hXXp://saturnosistemas.com/xBu5dukk/index.html
hXXp://sezam.home.pl/a65oSoKL/index.html
hXXp://silentstartupwebsite.com/a65oSoKL/index.html
hXXp://sinarled.com/CzEjfCRK/index.html
hXXp://sreesaiproperty.com/CzEjfCRK/index.html
hXXp://szomaliaiegyesulet.hu/30VtVqEf/index.html
hXXp://tamanbungaku.com/a65oSoKL/index.html
hXXp://tanyaeco.co.za/30VtVqEf/index.html
hXXp://terangkecil.com/3BvC2cTf/index.html
hXXp://thechange180.com/a65oSoKL/index.html

[c۞g]

Qai.jar - 17.07 KB
VT 0/43
contents:
ua.class - 1.04 KB
cons.class - 4.27 KB
cr.class - 2.3 KB
G.class - 3.35 KB
ub.class - 15.63 KB
uc.class - 389 Byte
sys.class - 313 Byte

results with 404 not found

Code: Select all

matormaster.com/content/Qai.jar
matormaster.com/q.php?f=ba33e

[/i]

50.57.29.172/hVg3GFAo/js.js
oompa.de/VTwQKwDD/js.js
officefurnituremart.com/sT1SFMyf/js.js
orvosokafrikaert.hu/Bsz1CQg0/js.js
romanjewelers.com/mnbCaEYY/js.js
samx.zzl.org/crF5iYsT/js.js
results with:

Code: Select all

document.location='http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff';

[/i]

slickcurve.com resides on IP:173.255.195.167

Code: Select all

hXXp://173.255.195.167/showthread.php?t=d7ad916d1c0396ff

results with same malware install

50.57.29.172
173.255.195.167

oompa.de
officefurnituremart.com
orvosokafrikaert.hu
romanjewelers.com
samx.zzl.org
slickcurve.com

[NotBuyingIt]

Spam email, transmitted via IP 82.127.14.217 (abo.wanadoo.fr), fraudulently claims to be a LinkIn notice. IP 82.127.14.217 may be blacklisted. The email contains a deceptive URL to a webpage at

hXXp://butelii-acetilena.ro/59N0J8h1/index.html

which attempts to load JavaScript from two sources

hXXp://interspeedy.com.br/zjSxmkDM/js.js
hXXp://limbongan.com/37hcGs54/js.js

The scripts, in turn, attempt to redirect to a malicious web page at

hXXp://bluecellular.com/showthread.php?t=977334ca118fcb8c

that leads to malware at

hXXp://bluecellular.com/content/Qai.jar
hXXp://bluecellular.com/q.php?f=2e457

The email contains two more suspicious URL which are either fakes or already have been disabled (HTTP 404):
http://inepalhotels.com/y7id9XXo/index.html
http://cgwood.net/U6PcaTcQ/index.html

[Edit: more]
Other malicious scripts that redirct to bluecellular.com are at


hXXp://muttonheadcollective.com/XvLBzokA/js.js
hXXp://auto-escolas.com/TfFQ7r6J/js.js
hXXp://rgexcel.com/CPD4MoEs/js.js
hXXp://turkwebalan.com/oUvuQ0b7/js.js
hXXp://vita-shop.hu/dSSjc0ag/js.js
hXXp://wilbrahamweddings.co.uk/qsTCVQXM/js.js
hXXp://www.bestcar.ee/0AfKWVDW/js.js
hXXp://www.unimoveis.net/jW57W6aZ/js.js

[NotBuyingIt]

bluecellular.com has been suspended; its domain registrar has set its status to clientHold. The malware exploit is now using the newly registered browncellular.com instead.

hXXp://174.133.92.122/MgGsg1Pp/js.js
hXXp://myparacord.com/cxW8X8xp/js.js
hXXp://prace.kupbilet.com/VTDeZmRF/js.js
hXXp://smapit.com/TaTj4D3f/js.js
hXXp://thebestguide1.com/arKwG4pE/js.js
hXXp://www.aeceventos.com.br/zEQSTHfq/js.js
hXXp://www.extrhema.com.br/cVspcegd/js.js
hXXp://www.industriacaxiense.com.br/HLAeMSAd/js.js
hXXp://www.inkontro.com/CXxLMToy/js.js
hXXp://www.inkontro.it/9e85Bru8/js.js
hXXp://www.teodo-tivat.com/osJYHU6u/js.js
hXXp://mrsmakeit.com/9jrgDjED/js.js


attempt to redirect to a malicious web page at

hXXp://browncellular.com/showthread.php?t=d7ad916d1c0396ff

that leads to malware at

hXXp://browncellular.com/content/Qai.jar
hXXp://browncellular.com/content/ap2.php?f=7245d

[NotBuyingIt]

Deceptive URLs at

hXXp://espacoquatro.com.br/3qZfYFbh/index.html
hXXp://sauschamber.com/sgc1MBef/index.html

load scripts from some of all of the following sources

hXXp://skueez.com/jKtfRnuL/js.js
hXXp://nhb.prosixsoftron.in/cJHrkMSb/js.js
hXXp://boemelparty.be/vnB4GozT/js.js
hXXp://www.alpine-turkey.com/YfTXsaR5/js.js
hXXp://sas.hg.pl/Th5Da66c/js.js
hXXp://www.vinhthanh.com.vn/8cACpVEr/js.js

that attempt to redirect to a malicious web page at

hXXp://cyancellular.com/showthread.php?t=d44175c6da768b70

that, in turn, leads to malware at

hXXp://cyancellular.com/content/Qai.jar
hXXp://cyancellular.com/q.php?f=44c23

Acknowledgement: I saw most of the URLs listed in this comment in the current malwaredomainlist.com report.

[NotBuyingIt]

A deceptive URL at

hXXp://www.kozmodisk.net/enzfjWNu/index.html

loads scripts from all of the following sources

hXXp://auto-escolas.com/TfFQ7r6J/js.js
hXXp://muttonheadcollective.com/XvLBzokA/js.js
hXXp://rgexcel.com/CPD4MoEs/js.js
hXXp://turkwebalan.com/oUvuQ0b7/js.js
hXXp://vita-shop.hu/dSSjc0ag/js.js
hXXp://wilbrahamweddings.co.uk/qsTCVQXM/js.js
hXXp://www.bestcar.ee/0AfKWVDW/js.js
hXXp://www.unimoveis.net/jW57W6aZ/js.js

that attempt to redirect to a malicious web page at

hXXp://purplecellular.org/showthread.php?t=d7ad916d1c0396ff

that leads to a suspicious file at

hXXp://purplecellular.org/content/Qai.jar

[NotBuyingIt]

Currently, many of the malware exploit's intermediary JavaScript files, including these

hXXp://thebestguide1.com/arKwG4pE/js.js
hXXp://www.extrhema.com.br/cVspcegd/js.js
hXXp://mrsmakeit.com/9jrgDjED/js.js

redirect to a malicious webpage at

hXXp://whitecellular.org/showthread.php?t=d7ad916d1c0396ff

which leads to the suspicious file

hXXp://whitecellular.org/content/Qai.jar

[MarkGiles]

From just the last 2 days, here is a list of 151 hijacked hosts found in spam. Each has an 8 random character string in the URL. They are sequenced by most frequent (127 hits) to least frequent (1 hit)

List of domains/hosts

futurisima.com.ar
iips.edu.in
industriadaformatura.com.br
grimper.awardspace.com
gri.or.id
escoladailha.com.br
gardenmoveis.com.br
odontofamily.com.br
gerindra.or.id
giftformom.trei.ro
ttest.co.za
oscardelaolla.com.co
tubogas.com.br
peridot.com.vn
ogrodzeniamirko.home.pl
whiteoak.co.za
tatuielegante.com.br
sillinho.bplaced.net
andif.com.br
damhofer.com
planetafitnessltda.com.br
manczyl.webd.pl
spyder.snowpeak.com.tw
positivacomunicacao.com.br
newsletter.lavorosalute.it
test1991.mebyre.com
nafti.edu.gh
testeaza.trei.ro
lirahost.com.br
twilightbefore.bplaced.net
maxtone.nazwa.pl
dentalimplants123.com
seniordatinggroup.co.uk
corporateuniversity.com.br
mirrorfelder.cnh.at
sbemrj.org.br
cpm.borec.cz
istorie.usm.md
revistatempo.com.br
radicalatm.com.ar
intecone.com.br
elisaviscontinetwork.com
aluguechacaras.com.br
ayvitour.com.ua
chusto.lviv.ua
scsuprema.com.br
eventakustik.de
eurowire.it
aashirwad.com.hk
fitratder.org
mail2.direct.ee
balihai1.tempsite.ws
wp10647654.wp274.webpack.hosteurope.de
visualdesenvolvimento.com.br
ufmi.com.my
rlinux.moderna.com.br
rajniti.co.in
videos.newmotion.at
thebeautiq.com.au
suitesdojo.com.br
sospiscinaspr.com.br
romero12.mserwis.pl
revistalabarra.com.co
laseresp.com.mx
s373104026.online.de
municipioderawson.gob.ar
rmraguapura.com.br
afrohealing.co.za
smileshop.com.au
praxedysadesivos.com.br
hassansaeed.99k.org
ocgcoaching.co.il
rygy.com.br
micmusz.webd.pl
lulu.com.co
izaz.com.br
hoegie.be
marcusxl.blink.pl
z8mm.com.br
gfpesquisas.com.br
kadinmuhendisler.org
redleafapartments.co.in
saofranciscodocorumbau.com.br
oguzhanguzel.av.tr
nackageinvestmentgroup.com.au
newsite.itsgroup.it
barcuta.ro
artdelivery.it
witer.home.pl
v1.globaltransit.net
promocaolilicaetigor.com.br
portal365.freehosting.com
wproduct.99k.org
ssttice.bplaced.net
autoreinigung.at
tiborita.altervista.org
support.imatone.fr
scarletcourier.50webs.com
pm.weexcel.in
personnalis.com.br
prakash.clanteam.com
lawsystem.com.br
zegluga.lh.pl
cityofsutton.org
travian1000x.zzl.org
quickphoto.com.br
ftp.zimmerrestaurante.com.br
ftp.vilasek.com
ismailgunes.web.tr
gastrocomplexeu.pl
bizsizanayasaolmaz.org
wordpressitalia.altervista.org
vivaleboutique.com.br
ucscad.com.br
snowpeak.com.tw
monochromatic.art.pl
imobiliariacruzeirors.com.br
wahbischool.com
kemerburgazfutbolokulu.com
gruppoenter.eu
dimac.com.ar
cbac.com
voip.valorizaweb.com.br
vinicolaperini.com.br
travian250x.zzl.org
travelodubai.co.uk
topkids.com.br
tony.web.id
styling.krakow.pl
ssios.com.pk
snakeprotex.com.au
siwy010.webd.pl
shop.madamegrillet.it
seicommat.hospedagemdesites.ws
s391025613.onlinehome.fr
recantopaulista.com.br
radioresgateonline.com.br
pzas.nazwa.pl
proweb1.bplaced.net
piratrilhas.com.br
patentmall.com.my
pasandola.nixiweb.com
osteologia.org.ar
nortonmini.com.ar
metropolis.com.br
mcms.xs2theworld.com
mariotta.com.br
loja.weissblumenn.com.br
ftp.dariocandela.altervista.org
eminenceorganics.com.my
curicica.com.br

[NotBuyingIt]

hXXp://www.aiopgiovani.it/FoSxV9z1/index.html

loads scripts from all of the following sources

hXXp://www.bestcar.ee/0AfKWVDW/js.js
hXXp://turkwebalan.com/oUvuQ0b7/js.js
hXXp://www.unimoveis.net/jW57W6aZ/js.js
hXXp://uttonheadcollective.com/XvLBzokA/js.js

which redirect to a malicious webpage at

http://azurecellular.com/showthread.php?t=d7ad916d1c0396ff

which leads to the suspicious file

hXXp://azurecellular.com/content/Qai.jar


Many of the scam sites hosting Qai.jar may be divided into two groups, based upon their creation dated.

Creation Date: 13-mar-2012
slickcurve.com (clientHold)
slickicus.com (clientHold)
slickidian.com (clientHold)
slicksphere.com (clientHold)
slickvard.com (IP 74.91.120.189)

Creation Date: 22-mar-2012
azurecellular.com (IP 209.59.217.78)
bluecellular.com (clientHold)
browncellular.com (IP 174.140.168.207)
cyancellular.com (clientHold)
purplecellular.org (CLIENT HOLD)
whitecellular.org (CLIENT HOLD)