Malware Domain List
Malware Related => Malicious Domains => Topic started by: Drusepth on November 08, 2007, 01:13:05 am
-
I found this being linked to on 4chan.
If I remember correctly, their official MySpace phisher they're using for operation myspays is located somewhere on this domain. (http://www.news.com.au/heraldsun/story/0,21985,22687438-662,00.html)
This looked to me like it was just trying loads of exploits. Luckily I didn't have my sound on or the right things installed to view the images when I first went, because in the source code it says:
<!-- This object plays the "hey everybody, I'm watching gay porno!" sound -->
<object classid= "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" width="1" height="1" id="hey">
;)
Also to note, there's different JavaScript being generated by the PHP depending on what User Agent you use.
-
That code is used for Macromedia Flash Player. Below it you will see the Flash file (.swf) which it uses to play.
I think it was created as an annoyance and used to post on forums, IRC, messengers, etc. to troll people. But it is detected as Exploit MS05-013, so as it tries to use an exploit it can go in the domain list :)
It is interesting to note that as long as "on.nimp.org" is left the same, you can use any subdomain and directory that you like. For example mdl.on.nimp.org/Drusepth/ is valid.
This will be added soon, thank you.
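
The wildcard behaviour noted in the reply above (any subdomain and directory under on.nimp.org is valid) means a blocklist entry has to match on the domain suffix rather than on one exact hostname or URL. The following is an added example, not part of the original thread: a Python sketch of that match, where the function names and every sample URL except mdl.on.nimp.org/Drusepth/ are constructed for illustration.

```python
from urllib.parse import urlsplit

# Suffix from the thread: every name under it serves the same content.
BLOCKED_SUFFIXES = frozenset({"on.nimp.org"})

# Constructed sample entries (only the second one appears in the thread).
SAMPLE_URLS = [
    "http://on.nimp.org/",
    "mdl.on.nimp.org/Drusepth/",
    "HTTP://Any.Label.ON.NIMP.ORG.:80/some/dir/",
    "http://xon.nimp.org/",                   # different label, not a subdomain
    "http://on.nimp.org.example.com/",        # suffix used as a prefix
    "http://example.com/?next=on.nimp.org",   # suffix only in the query string
]

def host_of(url_or_host):
    """Return the lower-cased hostname of a URL or a bare host[/path] string."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text                    # make urlsplit see a network location
    try:
        host = urlsplit(text).hostname or ""
    except ValueError:                        # e.g. malformed IPv6 brackets
        return ""
    return host.rstrip(".").lower()           # drop the root dot of an FQDN

def is_blocked(url_or_host, suffixes=BLOCKED_SUFFIXES):
    """True when the host is a blocked suffix or any subdomain of one."""
    labels = host_of(url_or_host).split(".")
    # Compare whole DNS labels, so 'xon.nimp.org' never matches 'on.nimp.org'.
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))

def blocked_entries(urls, suffixes=BLOCKED_SUFFIXES):
    """Filter a list of URLs or hosts down to the ones the blocklist covers."""
    return [u for u in urls if is_blocked(u, suffixes)]

if __name__ == "__main__":
    for entry in blocked_entries(SAMPLE_URLS):
        print("BLOCK", entry)
```

The path and query string are ignored on purpose: with a wildcard host, the directory part carries no identifying information.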