Is this site dangerous?

A place to discuss malware of every flavor, e.g. Storm, Waledac, Conficker and Zeus

Post by Boonsiri » Sun Jun 19, 2011 1:17 pm

I received spam from cardershop.cc. That domain is described as 'dangerous' at urlvoid.com/scan/cardershop.cc, which refers to a listing at hpHosts which indeed exists. The information on hpHosts (AS41947) is meaningless to me. On http://vurldissect.co.uk/?url=1597541 I then see "hpHosts Status: Not listed". And submission to wepawet also shows nothing malicious. The page source of cardershop.cc is:
<HTML><HEAD><SCRIPT language="javascript" src="/sc_db873705ba52b51ac0e39e06e32b5613.js"></SCRIPT></HEAD><BODY onload="scf('3942'+'ccc6','/');"></BODY></HTML>
Can somebody (SIL maybe?) explain why this site is listed as dangerous, and what the JavaScript does?
Boonsiri
Spam Investigator
 
Posts: 299
Joined: Fri Jan 23, 2009 12:28 pm

Re: Is this site dangerous?

Post by Red Dwarf » Sun Jun 19, 2011 7:19 pm

I also got spam on this.

I captured the load using curl and got something similar in format but different in content:
Code:
<HTML><HEAD><SCRIPT language="javascript" src="/sc_c6565a86baa172e45aff5d66b49c4b69.js"></SCRIPT></HEAD>
<BODY onload="scf('fe6a'+'1df7','/');"></BODY></HTML>


The JavaScript referenced above contains:
Code:
function scf(hsh,uri) {document.cookie="sitechrx" + "=" + escape(hsh + "33046fc8c787b81fde12b1ed") + ";Path=/";window.location=uri;}


Krebs on Security featured the similar site carders.cc in May last year:
http://krebsonsecurity.com/2010/05/frau ... cc-hacked/
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am
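
What the captured `scf` script in the post above does when the page loads, worked out statically without running any of it. This is an added example, not part of any post in this thread; the helper names `joinLiterals` and `triage` are assumptions.

```javascript
// Captures posted by Red Dwarf in this thread, copied verbatim.
const PAGE = `<HTML><HEAD><SCRIPT language="javascript" src="/sc_c6565a86baa172e45aff5d66b49c4b69.js"></SCRIPT></HEAD>
<BODY onload="scf('fe6a'+'1df7','/');"></BODY></HTML>`;
const SCRIPT = `function scf(hsh,uri) {document.cookie="sitechrx" + "=" + escape(hsh + "33046fc8c787b81fde12b1ed") + ";Path=/";window.location=uri;}`;

// Concatenate the quoted literals in an expression such as 'fe6a'+'1df7'
// without evaluating it; nothing from the capture is ever executed.
function joinLiterals(expr) {
  return (expr.match(/'[^']*'|"[^"]*"/g) || []).map((s) => s.slice(1, -1)).join('');
}

// Hypothetical helper (name is an assumption): resolve what the stub does on load.
function triage(page, script) {
  const src = /<script[^>]*\bsrc="([^"]+)"/i.exec(page);
  const call = /onload="\s*(\w+)\(((?:'[^']*'|[^)])*)\)/i.exec(page);
  const fn = /function\s+(\w+)\s*\(([^)]*)\)\s*\{([\s\S]*)\}/.exec(script);
  if (!src || !call || !fn || call[1] !== fn[1]) return null;

  // Bind the onload call's arguments to the function's parameters by position.
  const params = fn[2].split(',').map((p) => p.trim());
  const args = (call[2].match(/(?:'[^']*'|"[^"]*"|[^,])+/g) || []).map((a) => joinLiterals(a));
  const env = Object.fromEntries(params.map((p, i) => [p, args[i]]));

  // Quote-aware statement match: the ';' inside ";Path=/" must not end it.
  const body = fn[3];
  const cookieStmt = /document\.cookie\s*=\s*((?:"[^"]*"|'[^']*'|[^;])+);/.exec(body);
  const locStmt = /window\.location\s*=\s*(\w+)\s*;/.exec(body);
  const esc = cookieStmt && /escape\(\s*(\w+)\s*\+\s*"([^"]*)"\s*\)/.exec(cookieStmt[1]);
  if (!cookieStmt || !locStmt || !esc) return null;

  // escape() is applied as in the original; it leaves hex digits unchanged.
  const value = escape(env[esc[1]] + esc[2]);
  const cookie = joinLiterals(cookieStmt[1].replace(esc[0], () => `"${value}"`));

  // Whatever remains of the body after the two known statements are removed.
  const leftover = body.replace(cookieStmt[0], '').replace(locStmt[0], '').trim();
  return { script: src[1], cookie, redirect: env[locStmt[1]], leftover };
}

console.log(triage(PAGE, SCRIPT));
```

For this capture the result is a single cookie, `sitechrx=fe6a1df733046fc8c787b81fde12b1ed;Path=/`, followed by a load of `/`, with nothing left over in the function body.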

Re: Is this site dangerous?

Post by AlphaCentauri » Sun Jun 19, 2011 9:24 pm

I think it's a joe job.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Is this site dangerous?

Post by Red Dwarf » Sun Jun 19, 2011 10:00 pm

I agree that it is a joe-job. Unlike most joe-jobs, this looks like a particularly unpalatable site.
"Open VPN and Socks Service"

I am also intrigued by the JavaScript, but I cannot determine that it has anything malicious.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am

Re: Is this site dangerous?

Post by Red Dwarf » Mon Jun 20, 2011 12:14 am

The same peculiar code is used by another domain on the same IP 77.91.227.124

st0re.cc

And knuddels.me
Code:
<HTML><HEAD><SCRIPT language="javascript" src="/sc_861b7b6e2ac3659a1d8e7b7efb3da525.js"></SCRIPT></HEAD><BODY onload="scf('338c'+'7e68','/');"></BODY></HTML>

"Domain suspended"
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10478
Joined: Tue Jun 27, 2006 2:01 am

