Friday, November 13, 2009

Education website compromised to host rogue AV antiviraprof2009.com

Today my readers sent me an email reporting that their university website had been compromised to host malicious code. An iframe pointing to "hxxp://davtraff.com/lib/index.php" was inserted into the main page.

Note: A second visit to the same website redirects users to the Google page instead.


"hxxp://davtraff.com/lib/index.php" contains obfuscated exploit code (CVE-2006-0003) that redirects to "213.163.89.54" to download the rogue AV installer "e0ab531ec312161511493b002f9be2ee.exe", which Symantec detects as "SpywareGuard2008".

Summary of the ThreatExpert report for "e0ab531ec312161511493b002f9be2ee.exe"

Besides that, a malicious PDF file, an Adobe Flash file and a Java class file were downloaded to modify the victim systems. Those files have a low detection rate in the VirusTotal analysis reports.

28_firstSomeLooks.pdf VirusTotal report
29_freeLooks.swf VirusTotal report
30_useGoingBook.class VirusTotal report
31_firstSomeLooks.pdf VirusTotal report

This time, the exploits used in the crafted PDF are:
- Adobe util.printf overflow CVE-2008-2992
- Adobe getIcon CVE-2009-0927

Below is a screenshot of Antivirus System Pro, which installs itself on the victim's system under the process name "jfppsysguard.exe" (Trojan) and has a low detection rate of 7/41 in the VirusTotal report.



hxxp://antiviraprof2009.com

Besides that, the HOSTS file was updated with the following hostname-to-IP mappings:
********************************************************
127.0.0.1 localhost
::1 localhost
91.212.127.227 antiviraprof2009.microsoft.com
91.212.127.227 antiviraprof2009.com
91.212.127.227 www.antiviraprof2009.com
********************************************************
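As an added example (not code from the original post), here is a small Python check that parses a HOSTS file and flags entries that pin hostnames to routable (non-loopback, non-private) addresses, which is exactly the kind of change described above. The sample hosts content and the trusted-suffix list are constructed for the example.

```python
import ipaddress

# Constructed sample modelled on the HOSTS entries described in the post.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
91.212.127.227 antiviraprof2009.microsoft.com
91.212.127.227 antiviraprof2009.com   # rogue AV domain
91.212.127.227 www.antiviraprof2009.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text, trusted_suffixes=("microsoft.com",)):
    """Flag entries that map a hostname to a public address.

    A legitimate HOSTS file maps names to loopback or private addresses;
    a public IP here is a sign that name resolution has been hijacked.
    Entries under a trusted suffix (assumed list) are called out separately.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            continue
        reason = "hostname pinned to public IP"
        if any(name == s or name.endswith("." + s) for s in trusted_suffixes):
            reason = "trusted domain pinned to public IP"
        findings.append((ip, name, reason))
    return findings


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<35} {reason}")
```

On a real system, read the file from the platform's hosts path (for example %SystemRoot%\System32\drivers\etc\hosts on Windows) instead of SAMPLE_HOSTS.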

Domains and IP addresses involved:
- davtraff.com -> 213.163.89.54
- antiviraprof2009.com -> 193.169.12.50
- 91.212.127.227

Domains sharing the same IP address "213.163.89.54":


Domains sharing the same IP address "193.169.12.50":


Thanks
--X0end
