
Thursday, July 30, 2009

LuckySploit ** *.8866.org,podzone.org,chulaiba.net

podzone.org domain (204.13.248.119 - Blacklisted)

Level 0:http://office.podzone.org/office.js?google_ad_format=728x90_as
Level 1:http://ff33fer.8866.org/aa/a3.htm?wwcc
Level 2:http://ff33fer.8866.org/aa/360.htm
Level 3:http://ff33fer.8866.org/aa/he.htm
Level 4:http://ff33fer.8866.org/aa/h.js



Level 5:http://chulaiba.net/svchost.exe
Level 3:http://ff33fer.8866.org/aa/test.htm
Level 4:http://ff33fer.8866.org/aa/go.jpg
Level 5:http://chulaiba.net/svchost.exe Virustotal (13/41)
Level 4:http://ff33fer.8866.org/aa/go1.jpg
Level 3:http://ff33fer.8866.org/aa/02.htm
Level 4:http://ff33fer.8866.org/aa/02.js
Level 3:http://ff33fer.8866.org/aa/pp.htm
Level 4:http://ff33fer.8866.org/aa/p.htm
Level 5:http://ff33fer.8866.org/aa/pef.pdf
Level 6:http://chulaiba.net/svchost.exe Virustotal (13/41)
Level 4:http://ff33fer.8866.org/aa/f.htm
Level 5:http://ff33fer.8866.org/aa/i.html
Level 5:http://ff33fer.8866.org/aa/f.html
Level 6:http://ff33fer.8866.org/aa/swfobject.js
Level 4:http://ff33fer.8866.org/aa/of.htm
Level 5:http://ff33fer.8866.org/aa/a.js
Level 4:http://ff33fer.8866.org/aa/r.htm
Level 1:http://ddv.sarl.tk/cnzz1.html

Other domains hosted at same IP address (204.13.248.119)


8866.org domain (218.5.106.90 - Blacklisted)
Other domains hosted at the same IP address 218.5.106.90



chulaiba.net domain (61.191.61.22 - Blacklisted)


Domains sharing nameservers (ns7.cdncenter.com, ns8.cdncenter.com)

--X0end

Wednesday, July 29, 2009

Spam ** 29 July

Spam Domains:


Tuesday, July 28, 2009

LuckySploit ** siyou.org.cn

w.siyou.org.cn (63.216.57.186)

Level 0:http://w.siyou.org.cn
Level 1:http://w.siyou.org.cn/02.htm
Level 2:http://w.siyou.org.cn/02.htm
Level 3:http://w.siyou.org.cn/456.htm
Level 4:http://w.siyou.org.cn/1.jpg
Level 4:http://w.siyou.org.cn/2.jpg
Level 4:http://w.siyou.org.cn/3.jpg
Level 4:http://w.siyou.org.cn/4.jpg
Level 4:http://w.siyou.org.cn/5.jpg
Level 4:http://w.siyou.org.cn/6.jpg
Level 4:http://w.siyou.org.cn/7.jpg
Level 4:http://w.siyou.org.cn/8.jpg
Level 4:http://w.siyou.org.cn/9.jpg
Level 4:http://w.siyou.org.cn/10.jpg
Level 4:http://w.siyou.org.cn/11.jpg
Level 3:http://w.siyou.org.cn/dex.htm
Level 4:http://w.siyou.org.cn/ct14.htm
Level 5:http://w.siyou.org.cn/14.js
Level 5:http://w.siyou.org.cn/15.js
Level 5:http://w.siyou.org.cn/16.js
Level 4:http://w.siyou.org.cn/ctfl.htm
Level 5:http://w.siyou.org.cn/ct11.htm
Level 5:http://w.siyou.org.cn/ct22.htm
Level 4:http://w.siyou.org.cn/z.htm
Level 5:http://w.siyou.org.cn/do.css
Level 5:http://w.siyou.org.cn/z.css
Level 4:http://w.siyou.org.cn/ctvod.htm
Level 5:http://w.siyou.org.cn/ytvod.js
Level 5:http://w.siyou.org.cn/b.js
Level 5:http://w.siyou.org.cn/d.js
Level 4:http://w.siyou.org.cn/ctqm.htm
Level 5:http://arplgm.cn/a.exe (Trojan - Virustotal 36/41)
Level 4:http://w.siyou.org.cn/ctlb.htm
Level 5:http://w.siyou.org.cn/do.css
Level 5:http://w.siyou.org.cn/e.css
Level 4:http://w.siyou.org.cn/ct122121.htm
Level 5:http://w.siyou.org.cn/Turl.js
Level 5:http://w.siyou.org.cn/real.js
Level 5:http://w.siyou.org.cn/real1.js
Level 3:http://w.siyou.org.cn/click.js
Level 4:http://www.qqsse.com/1.htm
Level 3:http://js.tongji.linezing.com/1209024/tongji.js


Domains hosted on the same IP (63.216.57.186)

ckt5.cn
arplgm.cn


--X0end

Monday, July 27, 2009

Spam ** 27 July

Spam Domains:


--x0end

LuckySploit ** nttyhg.com/g/360.htm

LuckySploit at http://www.nttyhg.com. LuckySploit is a set of .HTML files full of obfuscated malicious JavaScript. Normally the website contains a hidden iframe or obfuscated code, and users are redirected to exploit websites that host different types of exploits, such as Adobe, RealPlayer, ActiveX, DirectShow MPEG2, etc.




Figure: 3.htm

Level 1:http://www.nttyhg.com/g/360.htm
Level 2:http://bbc.ch.ma/xie.htm
Level 3:http://bbc.ch.ma/hell1.swf
Level 3:http://bbc.ch.ma/hell.swf
Level 3:http://bbc.ch.ma/hell2.swf
Level 2:http://bbc.ch.ma/iie.swf
Level 2:http://bbc.ch.ma/fff.swf
Level 2:http://bbc.ch.ma/x.htm
Level 3:http://bbc.ch.ma/all.css
Level 4:http://bbc.ch.ma/3.htm
Level 5:http://bbc.ch.ma/3.css
Level 4:http://bbc.ch.ma/4.htm (RealPlayer IERPCtl.IERPCtl.1, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5601)
Level 5:http://bbc.ch.ma/2.css
Level 3:http://bbc.ch.ma/1.htm
Level 4:http://bbc.ch.ma/1.css
Level 5:http://www.mysnda.com/ppk/a.css
http://www.virustotal.com/analisis/c8c3de2649d925e7c870ac45178da59b9a86ad76302bfe2b2c86eb2d1dac3de9-1248698873
Level 4:http://bbc.ch.ma/15.js
Level 4:http://bbc.ch.ma/16.js
Level 3:http://bbc.ch.ma/of.htm
Level 4:http://bbc.ch.ma/of.css
Level 3:http://bbc.ch.ma/office.htm
Level 3:http://bbc.ch.ma/newlz.htm
Level 3:http://bbc.ch.ma/bf.htm
Level 4:http://bbc.ch.ma/2.css (Ultra Star Reader LoadPage overflow, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5807)
Level 5:http://www.mysnda.com/ppk/a.css
Level 4:http://bbc.ch.ma/bf.js
Level 3:http://bbc.ch.ma/cx.htm

Potential Malicious Domains (222.185.254.135 - Blacklisted)


This exploit site leads the user to download malware (a.css) that is detected by most antivirus engines according to VirusTotal.



--x0end

Friday, July 24, 2009

Mebroot ** 24 July

Mebroot domains:

Blacklisted IP: 69.175.10.18




--x0end

Zero-Day Exploit for Adobe issue

Since the 0-day exploit for Adobe (in particular Adobe 9.1.2, Flash 9 and Flash 10) was revealed, security vendors have been putting a lot of effort into adding detection to their respective products. The exploit arrives as a PDF file with embedded Flash and malicious binary files. The Flash contains shellcode that allocates blocks of heap memory using the heap spraying technique.

There is no patch yet for the moment; however, a few steps have been suggested to prevent or reduce the risk while surfing the net.

1. Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: “%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll” and “%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll”.

2. Disable Flash Player or selectively enable Flash content as described in the Securing Your Web Browser document.

Reference: US-CERT

Spam ** 24 July

Spam domains



--x0end

Wednesday, July 22, 2009

Spam ** 22 July

Spam domains:




--x0end

Monday, July 20, 2009

Spam ** 20 July

Spam Domains:



--x0end

Friday, July 17, 2009

Rogue Antivirus ** 17 July

Rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware.

Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software by:

-Alerting the user with the fake or simulated detection of malware or pornography
-Displaying an animation simulating a fake system crash and reboot
-Selectively disabling parts of the system to prevent the user from uninstalling it.
-Installing actual malware onto the computer







Domains:

--x0end

Hackers left trails in legitimate websites (gov, edu, my, sg, etc.)

When searching for "Index of /" in the Google search engine, I accidentally found out that lots of legitimate websites were compromised to host files, and trails were left. Hackers leave their trails in those websites, and some of them belong to education and government domains.


Figure 1


Figure 2


Figure 3


Figure 4: Malaysia government website http://www.customskedah.gov.my


Below are the links suspected to have been compromised to host malicious files.


Thursday, July 16, 2009

Phishing wwwbankofamericacomlogin.eoczoqmc.cn and bankofamerica-privacyassist-vx86.luglum.cn

Phishing site (bankofamerica.com)

wwwbankofamericacomlogin.eoczoqmc.cn (89.149.225.89 -- Blacklisted)
bankofamerica-privacyassist-vx86.luglum.cn (potential phishing url)

Spam:



WordPress 2.8.1 XSS

One of the famous Chinese blog websites published a PoC article regarding an XSS in WordPress 2.8.1.
The XSS is triggered once the mouse pointer hovers over a crafted URL posted in the WordPress comments section. The example shows that the final destination link redirects to http://www.inbreak.net/a.php

The translated webpage can be viewed using Google Translate (accuracy is >90%) :)

Wednesday, July 15, 2009

Firefox 3.5 unicode stack overflow PoC

A Firefox 3.5 Unicode stack overflow PoC was disclosed on milw0rm.


This is the second PoC published on milw0rm for Firefox 3.5.

Reference

Spam ** 15 July

Suspicious Spam domains:


Microsoft Tuesday Patch July 2009

Microsoft issued six security bulletins on Tuesday. Three of the vulnerabilities are rated "Critical" and the other three are rated "Important". All three critical vulnerabilities have remote code execution impact, so an attacker could potentially gain control over affected machines.



Microsoft Security Bulletin Summary for July 2009

Published: July 14, 2009

Version: 1.0

This bulletin summary lists security bulletins released for July 2009.

With the release of the bulletins for July 2009, this bulletin summary replaces the bulletin advance notification originally issued July 9, 2009. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.

Microsoft is hosting a webcast to address customer questions on these bulletins on July 15, 2009, at 11:00 AM Pacific Time (US & Canada). Register now for the July Security Bulletin Webcast. After this date, this webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.


Reference: http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx

Tuesday, July 14, 2009

Microsoft Exploit ** OWC10.Spreadsheet ActiveX

Another Microsoft Office Web Components (OWC10.Spreadsheet, owc10.dll) 0-day ActiveX exploit was revealed in the wild and is spreading fast, especially in China. The vulnerability is named OWC10.Spreadsheet msDataSourceObject Stack Overflow Exploit.

Malicious link: hxxp://www.fdsdffdfsf.cn/of.htm
After lookup, the fdsdffdfsf.cn domain (59.34.198.57) and a few other domains were found to be blacklisted.

Other domains:
www.dgfdffdfs.cn
www.fdasfadf.cn
www.eweerwerre.cn
www.45sf8.com
www.520458.com



Content for "a.js"

After decoding - malicious link (Trojan): hxxp:///new.exe


According to VirusTotal, only 70.74% (29/41) of the scanners were able to detect this malware file.



Reference: safelab.spaces.live.com

Mozilla Firefox-3.5 Heap Spray Vulnerability

Reference: Milw0rm


Heap Spray....

Spam ** 14 July

Spamming domains:


Friday, July 10, 2009

Combination Exploit and Spam ..."cinesc.com.br", "illusionfest.ru", "mp3musicsool.ru" and "qajtogap.cn"


A new combination attack vector has been unveiled: the website http://cinesc.com.br/ddjg.html contains a redirect link to a Canadian Pharmacy spam site (qajtogap.cn) and an obfuscated iframe, built via the DOM, that redirects to the exploit site http://illusionfest.ru/coperfild.html.


Figure 1 http://cinesc.com.br/ddjg.html


Figure 2 qajtogap.cn


Figure 3: Decode


Copy the link below and replace the symbols "#", "@" and "!" with nothing; the result will look like figure 4, and unescaping it gives the link shown in figure 5.
#%@!6!8!#%@!7!4!#%@!7!4!#%@!7!0!#%@!3!a!#%@!2!f!#%@!2!f!#%@!6!9!#%@!6!c!#%@!6!c!#%@!7!5!#%@!7!3!#%@!6!9!#%@!6!f!#%@!6!e!#%@!6!6!#%@!6!5!#%@!7!3!#%@!7!4!#%@!2!e!#%@!7!2!#%@!7!5!#%@!2!f!#%@!6!3!#%@!6!f!#%@!7!0!#%@!6!5!#%@!7!2!#%@!6!6!#%@!6!9!#%@!6!c!#%@!6!4!#%@!2!e!#%@!6!8!#%@!7!4!#%@!6!d!#%@!6!c!

Figure 4 Unicode



Figure 5 exploit links http://illusionfest.ru/coperfild.html

http://illusionfest.ru/coperfild.html
Level 1: http://illusionfest.ru/sobolinghel.html
Level 2: http://mp3musicsool.ru/travel/index.php
Level 3: http://mp3musicsool.ru/travel/inEthicsIs.pdf
Level 3: http://mp3musicsool.ru/travel/bcWebSimply.swf
Level 4: http://mp3musicsool.ru/travel/update.php


A few potentially suspicious domains use mp3musicsool.ru as a nameserver under another name:



Visiting that website is enough to infect your system, especially if the visitor does not have the latest Acrobat Reader and Flash Player. JavaScript embedded within the PDF or Flash file downloads a malicious executable from http://mp3musicsool.ru/travel/update.php (unable to download). For information, the PDF file exploits the Adobe util.printf and getIcon functions.


..the end

Penis Enlarge Patch Spam ** 10-July

Penis Enlarge Patch Spamming..

Domain: http://turingklanners.net/a/ (210.51.181.165)





Other domains hosted on the same IP as turingklanners.net (210.51.181.165)


Spam domains:



MS Internet Explorer 7 Video ActiveX Exploit (Advisory 972890) --PoC

Milw0rm is online again after a day, having posted a farewell message in their banner. A new MS IE7 Video ActiveX exploit PoC was disclosed.


The full code can be downloaded from milw0rm. But the milw0rm website was down when I posted this article. However, you may refer to http://textbin.com/7632o to get the content, just in case the milw0rm site is down again. The content posted on textbin will expire 30 days from now.

I am going to post another article if I find any IE7 exploits in the wild!

..end..

Thursday, July 9, 2009

Spam ** 9 July

Spamming domains:




Canadian Pharmacy:

Domain: byatotar.cn (159.226.7.162)

www.qualitydruglevel.com (202.75.37.166)




DirectShow MPEG2...exploits ** continues..#2

Since the MPEG2-BDATuningModelMPEG2TuneRequest exploit successfully gained the attention of security vendors, detection signatures and patterns have been added to their respective security products. This is still not the end: attackers have started figuring out ways to bypass detection. One method is to separate the exploit code into different files and rename them as image files. This technique is called "Script Fragmentation". However, detection was still triggered when 3.jpg (image #3, the payload) was downloaded.

Figures: 1.jpg, 2.jpg, 3.jpg (payload), 4.jpg, 5.jpg, 6.jpg, 7.jpg, 8.jpg, 9.jpg, 10.jpg, 11.jpg
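A defender-side check for the fragmentation trick described above, added here as an example and not code from the post: each fetched "image" is compared against real image magic bytes, and the text-like fragments are also re-joined in fetch order so that a script marker split across two files is still reported. The fetch sequence and its contents are constructed for this example.

```python
import string

# Magic bytes for the image formats that exploit kits most often impersonate.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Substrings that commonly appear in obfuscated exploit-kit JavaScript.
SCRIPT_MARKERS = (b"<script", b"eval(", b"unescape(", b"document.write(", b"ActiveXObject(")


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def magic_matches_extension(name, data):
    """True/False when the extension is an image type; None when it is not."""
    sigs = IMAGE_MAGIC.get(extension_of(name))
    if sigs is None:
        return None
    return any(data.startswith(sig) for sig in sigs)


def is_mostly_text(data, threshold=0.95):
    """Real images are binary; script fragments are almost entirely printable ASCII."""
    if not data:
        return False
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data) >= threshold


def markers_in(data):
    return [m.decode() for m in SCRIPT_MARKERS if m in data]


def scan_fetch_sequence(files):
    """files: [(name, bytes), ...] in the order the browser fetched them.

    Returns a list of (name, finding) tuples. Besides checking each file on its
    own, the text-like fragments are concatenated in fetch order, so a marker
    that was split across two "images" is reported under the name <reassembled>.
    """
    findings = []
    text_fragments = []
    seen_per_file = set()
    for name, data in files:
        if magic_matches_extension(name, data) is False:
            findings.append((name, "image extension but no image magic bytes"))
        if is_mostly_text(data):
            text_fragments.append(data)
            for m in markers_in(data):
                seen_per_file.add(m)
                findings.append((name, "script marker %r" % m))
    for m in markers_in(b"".join(text_fragments)):
        if m not in seen_per_file:
            findings.append(("<reassembled>", "marker %r only visible after joining fragments" % m))
    return findings


# Constructed sample: one genuine JPEG header and three "images" that are script pieces.
# The call unescape( is split between 1.jpg and 2.jpg, so no single file contains it.
SAMPLE_FETCH = [
    ("logo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"),
    ("1.jpg", b"var p = une"),
    ("2.jpg", b"scape('%41%42%43');"),
    ("3.jpg", b"document.write(p);"),
]


if __name__ == "__main__":
    for name, finding in scan_fetch_sequence(SAMPLE_FETCH):
        print(name, "-", finding)
```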


Wednesday, July 8, 2009

Bogus Software Mega Sales !! Spamming...

Bogus software sales websites are spamming inboxes widely; this technique is no different from pharmaceutical spam and the like. The prices for the software on sale are very attractive, with offers of up to 80% off the retail price. Please don't fall into this trap. Nothing is FREE!



WebSite: http://satofepols.com (IP Address: 220.248.172.37)

Other domains hosted on the same IP address:


Spam ** 8 July

Spam lists:


Tuesday, July 7, 2009

MPEG2-BDATuningModelMPEG2TuneRequest exploits ** continues..

Thanks to safelab for providing a link to the MPEG2-BDATuningModelMPEG2TuneRequest exploit (8oy4t.8866.org).

Here I will share more information about this "8oy4t.8866.org" link. The "8866.org" domain, with IP address "218.5.106.90", is listed in blacklists. A few sub-domains share the same IP.

WHOIS:
GEOIP:




Domains:
These domains share the same IP address "218.5.106.90":


Sub-domains:
These domains are registered under "8866.org" and might be hosted on different IP addresses:


Blacklisted Domain - h65uj.8866.org


Reference: