• Login

• Download
• Manual
• Research
  • Blog
    • 2007
    • 2006
    • 2005
  • Sites
  • Criteria
  • Glossary
• About

• Home »
  • Research »
    • Blog »
      • 2005 »
        • Judin.ru Exploit

28 June 2005

Exploit at judin.ru

by Roger Karlsson

The Judin.ru video shows how system settings are changed and software installing without consent by exploiting a security hole in the operating system or in its accompanying software.

Observations

The video shows (05:28) that searches entered into Internet Explorer address bar forwards the browser to find-help.org and the same applies for a non-existing domain name. Three new entries appear in the "Add/Remove programs" dialog (08:32), named "MDS Search Booster", "SB Soft" and "Winds 2.4".

The HijackThis logs generated during the exploit offers additional insights into the changes carried out and the following lists some of the files and system changes that appear. Please note that multiple logs are quoted.

C:\DOCUME~1\Roger\LOKALA~1\Temp\svkhost.exe
C:\WINDOWS\System32\xabqc\dgivhmoe.exe
C:\WINDOWS\System32\jisjiyjx\yuemdyq.exe
C:\WINDOWS\System32\down0.exe
C:\WINDOWS\System32\down2.exe
C:\WINDOWS\System32\tiny\waby.exe
C:\WINDOWS\System32\yklrhhns\riquxekb.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\qalljcay.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search--control.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/to.php ?ID1=1871&ID2=61832905&ID3=347245441833&ID4=0 &ID5={86BCCCFD-431B-46F0-9A34-D6DAB6F239D7}
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
O4 - HKLM\..\Run: [dgivhmoe] C:\WINDOWS\System32\xabqc\dgivhmoe.exe
O4 - HKLM\..\Run: [yuemdyq] C:\WINDOWS\System32\jisjiyjx\yuemdyq.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [waby] C:\WINDOWS\System32\tiny\waby.exe
O4 - HKLM\..\Run: [riquxekb] C:\WINDOWS\System32\yklrhhns\riquxekb.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://start1.aaa1screensavers.com/30005.exe

Related domains and ip addresses

Judin.ru is not the only web site that triggers the exploit documented in the video, in fact there are almost 100 additional web sites where the exploit occur, which I was able to find thanks to Fred de Vries and WebHelper's VladZone list. The following are the known domains which triggers the exploit:

• aboutclicker.com
• afge2282.org
• amrmusic.com
• aod.ru
• as2.ru
• atfilmlounge.com
• awmguild.com
• awunit.com
• babylille.com
• bestofdotcom.com
• bluegrassycc.com
• booksbarelyused.com
• boyandboy.net
• casino-indiana.com
• casino-kansas.com
• ceased.org
• centropachamama.com
• cerinc.org
• cerritoskc.com
• c-i-t-a.org
• clickaire.com
• clickschool.net
• csurealestate.org
• dizzinesscenter.com
• eltango.org
• el-tel.com
• fcarsenal.ru
• fu2clan.net
• gambling-onlinecasino.com
• get-a-life.org
• gold-link.org
• hardtokill.org
• holdem-gambling.com
• hqball.com
• hydrochlorothiazide.net
• kajdogaja.com
• kinsarmar.org
• kr021.com
• lakenormanoffice.com
• loganhardrock.com
• lxusa.com
• meconnect.org
• meta-adult.com
• meta-casino.com
• mgamer.ru
• modget.com
• moonri.com
• monalisa21.com
• mosstown.com
• motorsportsorg.com
• moviecum.com
• mysticalchristmas.com
• nellyslyrics.com
• on-line-casino-online.net
• onlybrutalrape.com
• onyourdesk.com
• orbitalounge.com
• ovilan.ru
• panet.org
• partypoker-gambling.info
• pcsheriffsguild.org
• people-info.com
• planetbudtron.net
• pokerforeal.com
• pottinplanters.com
• quiksearchgenealogy.com
• ranitidine.org
• remakeremodel.org
• removethiscjforgood.com
• roothousemuseum.com
• rosewedding.net
• sailzz.com
• searchmeta.ru
• seohit.biz
• sevenfurrballz.com
• slim-cash.biz
• squareonerecords.com
• starimaribor.com
• taiwanlife.org
• teamcy.com
• teensguru.com
• totaledata.com
• unipay.info
• unissons.net
• up2you.ru
• vipcasinoonline.com
• virtualgabe.com
• vladzone.com
• way99.com
• webbet.ru
• webdesignventura.com
• webforhumans.com
• xibu315.com

The exploit will also trigger at any of the following IP addresses:

• 67.18.129.131
• 67.18.129.132
• 67.18.129.133
• 67.18.129.134
• 67.18.129.135
• 67.18.129.136
• 67.18.129.137
• 67.18.129.140
• 67.18.129.141
• 67.18.129.142
• 67.18.129.143
• 67.18.129.144
• 67.18.129.145
• 67.18.129.146
• 67.18.129.147
• 67.18.129.148
• 67.18.129.151
• 67.18.129.152
• 67.18.129.153
• 67.18.129.154
• 67.18.129.155
• 67.18.129.156
• 67.18.129.157
• 67.18.129.158
• 67.19.106.148
• 67.19.106.147
• 67.19.106.149
• 67.19.106.148
• 67.19.106.149
• 67.19.106.150
• 67.19.106.151
• 67.19.106.152
• 67.19.106.153
• 67.19.106.154
• 67.19.106.155
• 67.19.106.156
• 67.19.106.157
• 67.19.106.158
• 70.84.104.232
• 70.84.104.236
• 70.84.127.100
• 70.84.127.102
• 70.84.127.104
• 70.84.127.106
• 70.84.127.108
• 70.84.127.110
• 70.84.127.112
• 70.84.127.114
• 70.84.127.116
• 70.84.127.118
• 70.84.127.120
• 70.84.127.122
• 70.84.127.124
• 70.84.127.126
• 70.84.67.112
• 70.84.67.113
• 70.84.67.114
• 70.84.67.115
• 70.84.67.120
• 70.84.67.126

Whois details

domain: JUDIN.RU
type: CORPORATE
descr: judin project
nserver: ns1.nameself.com.
nserver: ns2.nameself.com.
state: REGISTERED, DELEGATED
person: Dmitry V Shipulin
phone: +7 8120000000
e-mail: netBLOCKEDtime@jps.ru
registrar: RUCENTER-REG-RIPN
created: 2003.10.21
paid-till: 2005.10.21
source: TC-RIPN

References

HijackThis logs (1, 2, 3, 4, 5, 6)
SystemSherlock log containing the names of all files and registry entries that was added, deleted or modified during the exploit.

Additional information

For your reference I have generated md5 and sha1 hashes for the files added during the exploit. Files are also available for analysis upon request.
Webhelper offers more information about the domains in the CWS and VladZone write-up.
Kephyr.com has documented a similar exploit at webbet.ru.
For your reference I've made a whois log listing detailed information about some of the domain names covered by this article.

• Web site powered by Brickup.
• XHTML
• CSS
• 508