Friday, August 27, 2010

Compromised adnetwork.treez.my infects TV3 (Malaysia) users with malware

Sistem Televisyen Malaysia Berhad (STMB), or TV3, was incorporated in 1983 and began broadcasting on 1 June 1984 as Malaysia's first private, terrestrial commercial television station, based in Kuala Lumpur (the national capital of Malaysia). It is part of the Media Prima group of companies. Since 1 January 2010 it has broadcast 24 hours a day, 7 days a week. (wiki)

According to Alexa, www.tv3.com.my is highly ranked, especially in Malaysia (country rank 229; world rank 45,854). The website is particularly popular with home users, and a large number of those users' computers, if they are not running the latest patches, are likely to have been infected by this malware.

TV3's external ad network (adnetwork.treez.my) has been compromised and injected with a malicious URL.

Redirection chain:
hxxxp://www.tv3.com.my/
->hxxxp://adnetwork.treez.my/www/delivery/spcjs.php?id=9&target=_blank=_blank
-->hxxxp://adnetwork.treez.my/www/delivery/spcjs.php?id=9&target=_blank=_blank
--->hxxxp://adnetwork.treez.my/www/delivery/spc.php?zones=51%7C73%7C72%7C67%7C68%7C69%7C70%7C71%7C52%............................
---->hxxxp://2j1rpzr.co.cc/tds/in.cgi?default
----->hxxxp://6he6420.co.cc/x22
------>hxxxp://6he6420.co.cc/x22/load.php?spl=java_ws
------>hxxxp://6he6420.co.cc/x22/helpctrall.asx.php
------>hxxxp://6he6420.co.cc/x22/load.php?spl=mdac_3&h=
------>hxxxp://6he6420.co.cc/x22/pdf.php?
---->hxxxp://2j1rpzr.co.cc/tds/in.cgi?default
----->hxxxp://parametrg.in:8080/axb/
------>hxxxp://parametrg.in:8080/axb/8c10e5fc7d85aa037840ada903d3fa63.php
------>hxxxp://parametrg.in:8080/axb/?showtopic=2&view=MSIE&showuser=30449499&showforum=%2F&s=6.0

adnetwork.treez.my image:

After analyzing the content, I noticed that it targets several different vulnerabilities; each exploit, if successful, downloads an executable file called "a22273b.exe". The exploit modules are visible in the chain above:

-MDAC (load.php?spl=mdac_3)
-Java (load.php?spl=java_ws)
-Microsoft Help and Support Center (CVE-2010-1885) (helpctrall.asx.php)
-PDF (pdf.php)

Payload of injected sites:


malware:

Unsurprisingly, when the malware was submitted to VirusTotal it had very low detection: 4/42 engines, or 9.5%. Please rescan your whole computer with the latest virus definitions.

Malware ("a22273b.exe")

MD5 : 07c077fa5b2c3b981f8a9d8c87f1ff2b
SHA1 : 0d365a13a176355b7fe0ebfcc077670c136f6ad0
SHA256: bd24a6df5408cf0a7cf45a3813c604a187fd69de00ce7f5f4036dd53c6ec2a17


Browsershots showed that Firefox blocked the page and warned the user when visiting this website, but IE8 did not.



IE 8 Browser



Malicious links and related hosts:

178.18.243.4
2j1rpzr.co.cc

64.74.179.120
flying-city-2011.com
iuhweigiwe.com
parametrg.in
qefoma.com
traff-2012.com
tyklip.com
wotremb.com
yahoo-services.net
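The redirect chain and the indicator list above are exactly what a responder needs to feed into a proxy-log search to find machines that reached the exploit kit. The following Python script is an added example and is not part of the original post: it refangs the post's "hxxxp://" notation, parses the hop depth from the arrow markers, maps the exploit-kit module names visible in the URLs (spl=java_ws, spl=mdac_3, helpctrall.asx.php, pdf.php) to the vulnerability classes listed above, and matches proxy log lines against the listed hosts and IPs. The proxy log format and the client addresses in it are constructed for the demonstration; the hostnames, IPs and URL paths are taken from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Redirect chain as written in the post: "hxxxp://" is the post's defanged
# scheme and the leading dashes mark hop depth. The long "zones=" URL is
# shortened here; the post itself shows it truncated.
REDIRECT_CHAIN = """\
hxxxp://www.tv3.com.my/
->hxxxp://adnetwork.treez.my/www/delivery/spcjs.php?id=9&target=_blank=_blank
--->hxxxp://adnetwork.treez.my/www/delivery/spc.php?zones=51%7C73%7C72
---->hxxxp://2j1rpzr.co.cc/tds/in.cgi?default
----->hxxxp://6he6420.co.cc/x22
------>hxxxp://6he6420.co.cc/x22/load.php?spl=java_ws
------>hxxxp://6he6420.co.cc/x22/helpctrall.asx.php
------>hxxxp://6he6420.co.cc/x22/load.php?spl=mdac_3&h=
------>hxxxp://6he6420.co.cc/x22/pdf.php?
----->hxxxp://parametrg.in:8080/axb/
------>hxxxp://parametrg.in:8080/axb/8c10e5fc7d85aa037840ada903d3fa63.php
"""

# Hosts and IPs from the post's "Malicious links and related hosts" list.
LISTED_HOSTS = {
    "2j1rpzr.co.cc", "flying-city-2011.com", "iuhweigiwe.com", "parametrg.in",
    "qefoma.com", "traff-2012.com", "tyklip.com", "wotremb.com",
    "yahoo-services.net",
}
LISTED_IPS = {"178.18.243.4", "64.74.179.120"}
VICTIM_SITE = "www.tv3.com.my"  # the legitimate site, not an indicator

# Exploit-kit module names seen in the chain -> vulnerability class the post lists.
MODULE_LABELS = {"java_ws": "Java", "mdac_3": "MDAC"}
PATH_LABELS = {
    "helpctrall.asx.php": "Microsoft Help and Support Center (CVE-2010-1885)",
    "pdf.php": "PDF",
}


def refang(url):
    """Turn the post's 'hxxxp://' scheme back into 'http://' so urlsplit can parse it."""
    return re.sub(r"^hx+p(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_chain(text):
    """Return [(depth, url), ...] from the arrow-prefixed chain; depth = number of dashes."""
    hops = []
    for line in text.strip().splitlines():
        m = re.match(r"^(-*>?)(hx+p\S+)$", line.strip(), flags=re.IGNORECASE)
        if m:
            hops.append((m.group(1).count("-"), refang(m.group(2))))
    return hops


def chain_hosts(hops, exclude=frozenset({VICTIM_SITE})):
    """Distinct hostnames in the chain (port stripped), minus the victim site."""
    return {urlsplit(u).hostname for _, u in hops} - set(exclude)


def exploit_label(url):
    """Classify a kit URL by its 'spl' module parameter or its script name; None if unknown."""
    parts = urlsplit(url)
    spl = parse_qs(parts.query).get("spl")
    if spl and spl[0] in MODULE_LABELS:
        return MODULE_LABELS[spl[0]]
    return PATH_LABELS.get(parts.path.rsplit("/", 1)[-1])


# All indicators: hosts listed in the post plus every non-victim host in the chain.
IOC_HOSTS = LISTED_HOSTS | chain_hosts(parse_chain(REDIRECT_CHAIN))

# Constructed proxy log: "<epoch> <client> <method> <url> <status>". Not real traffic.
SAMPLE_PROXY_LOG = """\
1282888100.101 10.0.0.15 GET http://www.tv3.com.my/ 200
1282888100.355 10.0.0.15 GET http://adnetwork.treez.my/www/delivery/spcjs.php?id=9 200
1282888101.002 10.0.0.15 GET http://2j1rpzr.co.cc/tds/in.cgi?default 302
1282888101.480 10.0.0.15 GET http://6he6420.co.cc/x22/load.php?spl=mdac_3&h= 200
1282888102.010 10.0.0.15 GET http://178.18.243.4/tds/in.cgi?default 200
1282888105.777 10.0.0.22 GET http://www.example.com/index.html 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")


def scan_proxy_log(text, hosts=IOC_HOSTS, ips=LISTED_IPS):
    """Return one dict per log line whose host matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        if host in hosts or host in ips:
            hits.append({"client": m["client"], "host": host,
                         "url": m["url"], "exploit": exploit_label(m["url"])})
    return hits


def clients_to_triage(hits):
    """Clients that fetched an actual exploit module (not just the TDS redirect)."""
    return sorted({h["client"] for h in hits if h["exploit"]})


if __name__ == "__main__":
    for depth, url in parse_chain(REDIRECT_CHAIN):
        print(f"{'  ' * depth}{url}  [{exploit_label(url) or '-'}]")
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in hits:
        print(h)
    print("triage:", clients_to_triage(hits))
```

Only clients that fetched an exploit module (an `spl=` URL or one of the exploit scripts) are reported for triage; a hit on the TDS redirector alone means the browser reached the kit but says nothing about whether an exploit fired, so those machines should be checked for the a22273b.exe hashes above rather than reimaged outright.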
