Author Topic: goorpg.info/75.75.254.144 hosting malicious pdf  (Read 4548 times)


March 16, 2010, 05:33:56 am

crunchtime

An infected machine I worked on seems to have been infected by a PDF from goorpg.info. Could not reinfect with this, but the timestamps line up on the payload. I thought I would post this because I found zero info on Google.
PDF --> hxxp://goorpg.info/page/index.html/s002102317801r0409J07000601R68ae8cfaX164f9e76Y5dd51035Z03001f30

Interesting domains on the same IP that are also hosting malicious PDFs:
goorpa.info    A    75.75.254.144
goorewa.info    A    75.75.254.144
goorpg.info    A    75.75.254.144
goorpt.info    A    75.75.254.144

March 16, 2010, 05:41:40 am
Reply #1

SysAdMini

It is a Neosploit kit. Neosploit is typically used for Mebroot distribution.
In the last months we have also seen other payloads like Zeus and fake AV.
Ruining the bad guy's day

March 16, 2010, 09:19:05 am
Reply #2

CkreM

Payload (fake AV):
goorpg.info/page/index.html/n002102317801r0409J07000601R68ae8cfaX164f9e76Y5dd51035Z03001320
Mal-Aware