Tuesday, April 19, 2011

Ubuntugeek.com Website Compromised

Ubuntugeek.com is one of the favourite websites among Linux users, especially those who love the Ubuntu distribution. It provides plenty of information: articles, HowTos, tutorials, tips and so on.
Not surprisingly, Ubuntugeek.com has a high traffic ranking on Alexa, position 15,099 according to Alexa's Site Info (http://www.alexa.com/siteinfo/ubuntugeek.com). From my personal point of view the compromise of Ubuntugeek.com is serious precisely because of that traffic, but for the moment only Windows systems without the latest patches are at risk (the final payload is a Windows executable); other operating systems are immune from this threat.

The injected malicious link is visible in clear text at the bottom of the main pages: an iframe pointing to "hxxxp://xivee.com/redir/ddgrf3.php", which redirects the visitor to an exploit site hosting the "Incognito Exploit Kit", a relatively new exploit kit at the time of writing.
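A quick way to spot this kind of injection in a fetched copy of the page is to list every iframe and flag the ones that point off-site, especially when they are 1x1, hidden, or appended after the closing </html> tag. The script below is an added example written for this write-up (it is not Ubuntugeek's code nor anything from the exploit kit); the HTML it scans is constructed to mimic the injection described above, and the host-matching rule (strip "www.", then compare against the page's own domain) is an assumption you may want to loosen for sites that legitimately embed third-party content.

```python
"""Injected-iframe check for a page such as the one described above.
Added example for this write-up; not Ubuntugeek's or the exploit kit's code.
The HTML below is constructed to mimic the described injection."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe in the body and an
# injected off-site iframe appended after </html>, at the very bottom of the page.
SAMPLE_HTML = """<html><head><title>Ubuntu Geek</title></head>
<body>
<h1>Ubuntu Geek</h1>
<iframe src="/videos/player.html" width="400" height="300"></iframe>
<p>Articles, HowTos and tutorials.</p>
</body></html>
<iframe src="http://xivee.com/redir/ddgrf3.php" width="1" height="1" style="visibility:hidden"></iframe>
"""


class IframeCollector(HTMLParser):
    """Collect every <iframe> with its attributes and whether it came after </html>."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            a = dict(attrs)
            self.iframes.append({
                "src": a.get("src") or "",
                "width": a.get("width"),
                "height": a.get("height"),
                "style": (a.get("style") or "").replace(" ", "").lower(),
                "after_html": self.html_closed,
            })

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def _bare_host(url):
    """Hostname without a leading 'www.'; None for relative URLs."""
    host = urlparse(url).hostname
    if host is None:
        return None
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    try:
        return int(value) <= 1
    except (TypeError, ValueError):
        return False


def find_injected_iframes(html, page_url):
    """Return off-site iframes together with the reasons they look injected."""
    site = _bare_host(page_url)
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for f in parser.iframes:
        host = _bare_host(f["src"])
        if host is None or host == site or host.endswith("." + site):
            continue  # relative or same-site: not what we are hunting here
        reasons = ["off-site"]
        if _tiny(f["width"]) or _tiny(f["height"]):
            reasons.append("1x1")
        if "display:none" in f["style"] or "visibility:hidden" in f["style"]:
            reasons.append("hidden")
        if f["after_html"]:
            reasons.append("after </html>")
        findings.append({"src": f["src"], "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_HTML, "http://www.ubuntugeek.com/"):
        print(hit["host"], hit["src"], ", ".join(hit["reasons"]))
```

Feed it the raw HTML exactly as fetched rather than a browser's rendered DOM, since the injected tag here sits outside the document body. The check is deliberately naive: it will also flag legitimate third-party embeds, which you then whitelist by host.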


[Image: exploit site's main page]

Below is the de-obfuscated code.
[Image: de-obfuscated exploit-kit code]

The exploit site targets visitor systems that are wide open to the following vulnerabilities; these are the ActiveX CLSIDs probed by the kit and the CVEs I was able to identify from the de-obfuscated code:

- CA8A9780-280D-11CF-A24D-444553540000 (CVE-2006-6027)
- CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA (CVE-2010-0886)
- BD96C556-65A3-11D0-983A-00C04FC29E36 (CVE-2006-0003)
- BD96C556-65A3-11D0-983A-00C04FC29E30
- 7F5B7F63-F06F-4331-8A26-339E03C0AE3D
- 6e32070a-766d-4ee6-879c-dc1fa91d2fc3
- 6414512B-B978-451D-A0D8-FCFDF33E833C
- 06723E09-F4C2-43c8-8358-09FCD1DB0766
- 639F725F-1B2D-4831-A9FD-874847682010
- BA018599-1DB3-44f9-83B4-461454C84BF8
- D0C07D56-7C69-43F1-B4A0-25F5A11FAB19
- E8CCCDDF-CA28-496b-B050-6C07C962476B
- AB9BCEDD-EC7E-47E1-9322-D4A210617116
- 0006F033-0000-0000-C000-000000000046
- 0006F03A-0000-0000-C000-000000000046
- 8AD9C840-044E-11D1-B3E9-00805F499D93 (CVE-2010-0886)
- Microsoft Help and Support Center 'hcp://system/sysinfo/sysinfomain.htm' (CVE-2010-1885)
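A practical check on a Windows client is whether IE's kill bit is set for the controls in this list, since a killed CLSID cannot be instantiated by the exploit page at all. The script below is an added example written for this write-up (not code from the exploit kit, Microsoft, or the original post): it parses a text export of the ActiveX Compatibility registry key, reports which of the CLSIDs above are still instantiable (bit 0x400 of "Compatibility Flags" is the kill bit), and builds a .reg file for the missing ones. SAMPLE_REG is a constructed export in which only two of the controls are killed.

```python
"""Kill-bit check for the ActiveX CLSIDs listed above, run against a text
export of IE's ActiveX Compatibility registry key. Added example for this
write-up, not code from the exploit kit or from Microsoft. SAMPLE_REG is a
constructed export in which only two of the controls are killed."""
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE instantiating the control

# The CLSIDs from the list above (the hcp:// entry is a protocol handler, not a control).
CLSIDS = [
    "CA8A9780-280D-11CF-A24D-444553540000",
    "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA",
    "BD96C556-65A3-11D0-983A-00C04FC29E36",
    "BD96C556-65A3-11D0-983A-00C04FC29E30",
    "7F5B7F63-F06F-4331-8A26-339E03C0AE3D",
    "6E32070A-766D-4EE6-879C-DC1FA91D2FC3",
    "6414512B-B978-451D-A0D8-FCFDF33E833C",
    "06723E09-F4C2-43C8-8358-09FCD1DB0766",
    "639F725F-1B2D-4831-A9FD-874847682010",
    "BA018599-1DB3-44F9-83B4-461454C84BF8",
    "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19",
    "E8CCCDDF-CA28-496B-B050-6C07C962476B",
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116",
    "0006F033-0000-0000-C000-000000000046",
    "0006F03A-0000-0000-C000-000000000046",
    "8AD9C840-044E-11D1-B3E9-00805F499D93",
]

# Constructed sample of `reg export "<KEY>" out.reg`, already decoded from UTF-16.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD96C556-65A3-11D0-983A-00C04FC29E36}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA8A9780-280D-11CF-A24D-444553540000}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{cafeefac-dec7-0000-0000-abcdeffedcba}]
"Compatibility Flags"=dword:00000400
"""

_KEY_RE = re.compile(r"^\[.*\\\{([0-9A-Fa-f-]{36})\}\]\s*$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})\s*$')


def parse_compat_flags(reg_text):
    """Map upper-case CLSID -> Compatibility Flags value from a .reg export."""
    flags = {}
    current = None
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        m = _FLAGS_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def is_killed(flags, clsid):
    """True when the kill bit is set for this CLSID (case-insensitive)."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


def missing_kill_bits(reg_text, clsids=CLSIDS):
    """CLSIDs from the list that IE would still instantiate."""
    flags = parse_compat_flags(reg_text)
    return [c for c in clsids if not is_killed(flags, c)]


def killbit_reg(clsids):
    """Build a .reg file (CRLF, as regedit writes it) that sets the kill bit."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        lines.append("[%s\\{%s}]" % (KEY, c.upper()))
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    still_open = missing_kill_bits(SAMPLE_REG)
    print("%d of %d controls not killed" % (len(still_open), len(CLSIDS)))
    print(killbit_reg(still_open))
```

A real `reg export` writes UTF-16 with a BOM, so read the file with encoding="utf-16" before passing it in. Two caveats: a kill bit disables the control for every page, and several of these (the Adobe PDF and Java controls) are legitimate software, so treat this as a stopgap until the affected products are patched; and the hcp:// entry (CVE-2010-1885) is a protocol handler, not an ActiveX control, so this check says nothing about it.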

The exploit site drops a malicious executable named "setup.exe", which is actually a rogue security program called "XP Total Security 2011". Once executed it behaves like a legitimate virus scanner, scanning the system for viruses and other malicious files. At the end of the scan it scares the user into paying a fee to remove the "threats": the user is redirected to "dojewoboji.com", which asks for personal details and credit card information.



Details:
Sample: fgfhmdgfdzsasffbg.jar
SHA1: 109d62c3690b761d863a0877ae1bdd46c4801e30
VirusTotal: 21/41 (51.2%)
http://www.virustotal.com/file-scan/report.html?id=460e74e3c4a2968a19bdda91c25548b37aadf75028c1aaf6119e8bfd3f0adee4-1303217637

Sample: kmr.exe / setup.exe
SHA1: a3b70a1ecdc33fe87eeff6d0eff4d10a216b1498
VirusTotal: 19/41 (46.3%)
http://www.virustotal.com/file-scan/report.html?id=fce4f927682d15dd0abe0e0ae544c8b1d1d41d8f60f4ea1b836bc1ab2f8181a8-1303220994


Malicious links (defanged; read hxxxp as http):
hxxxp://xivee.com/redir/ddgrf3.php
hxxxp://anayadora.cz.cc/in.php?a=QQkFBg0DAQUCAQMDEkcJBQcEBQMADQwGBg==
hxxxp://anayadora.cz.cc/fgfhmdgfdzsasffbg.jar
hxxxp://dojewoboji.com/10150008123065903752


Hostnames associated with 77.79.4.86:

anayadora.cz.cc
gholbirim.cz.cc


Hostnames associated with 178.63.14.10:

bnetworks.us
funtarget.com
germek.net
gorasoft.us
mail.glintgames.com
mx.bnetworks.us
mx.funtarget.com
mx.germek.net
mx.gorasoft.us
mx.nsnix.com
mx.traffclub.com
mx.vli.li
mx.xivee.com
ns1.bnetworks.us
ns1.funtarget.com
ns1.germek.net
ns1.glintgames.com
ns1.gorasoft.us
ns1.nsnix.com
ns1.traffalizer.com
ns1.traffclub.com
ns1.vli.li
ns1.xivee.com
nsnix.com
root.bnetworks.us
root.glintgames.com
root.gorasoft.us
root.nsnix.com
root.traffclub.com
root.vli.li
root.xivee.com
static.10.14.63.178.clients.your-server.de
traffclub.com
vli.li


Hostnames associated with 67.215.65.132:
Caveat: 67.215.65.132 is OpenDNS's NXDOMAIN landing address (note hit-nxdomain.opendns.com in this list), so the names below most likely resolved there only because they did not exist at lookup time; do not treat them as campaign infrastructure.

barcelonabus.es
bmmusau.co.ke
broshalon.com
bulonyc.com
candy.dyndns-wiki.com
croftpartnership.com
danny.dyndns-mail.com
dmftechnology.net
dragonace.info
dritest.com
eskilo.com.br
eu.unicredibanca.it
eu.unicreditbaca.it
expressmedcanada.org.in
floydcohen.net
haiphongmuaban.com
halleyinvest.com
hit-nxdomain.opendns.com
hostmaster.consumerwatchdog.org
hostmaster.traveltovietnamonline.com
idikpape.com
immc.biz
itelte.it
jmillershoes.com
kaplanauto.com
kralorme.com
latinfussion.com
lcbco.com
lintel.com.mv
mail.rosenbaumfineart.com
mail.unicreditgroup.eu.unicredibanca.it
mail.unicreditgroup.eu.unicreditbaca.it
mguardlive.co.uk
mida4.it
mobile-cii.com
mps.gov.sb
neomatran.com
ns1.footprints-seo.com
ns1.liderhost.pl
ns1.moria.co.nz
ns1.neonbd.com
ns1.paintingsoffish.com
ns1.vizontele.net
ns1.wj-design.com
ns14.iwebhostu.com
ns2.moria.co.nz
ns2.notebookvision.com
ns2.orbitnetwork.org
ns2.paintingsoffish.com
ns2.purplehazed.com
ns2.yttasarim.com
ns21.rastaval.com
ns3.myisp.co.ke
ns6.warezslavez.com
pdfoxy.in
sdis32.fr
tpfootwear.com
traveltovietnamonline.com
unicreditgroup.eu.unicredibanca.it
unicreditgroup.eu.unicreditbaca.it
waurnpondssc.com.au
withasoul.com
worldimaging.com
www.unicredibanca.it
yohai.biz
