Malware Domain List » Malware Related » Malicious Domains » iamcome.in
Topic: iamcome.in (Read 4014 times)
June 11, 2010, 06:02:10 pm
eoin.miller
iamcome.in
Seeing infected hosts reaching out to:
http://d.iamcome.in/u.txt
That returns a URL of an EXE which trips 29/41 on VirusTotal:
http://d.iamcome.in/ma.exe
Report:
http://www.virustotal.com/analisis/ed8d7ddb7e865d0e0151490ae811f80bf968078e6542b6be25e55a5e86f6011c-1276258210
June 11, 2010, 06:23:52 pm
Reply #1
eoin.miller
Re: iamcome.in
Looks like this is related to the massive SQL injection attack against IIS, similar to the robint.us domain check-in that has been ongoing. Infected sites will toss you over to the following URL, which is a drive-by:
http://2677.in/yahoo.js
Looks like it is exploiting Flash Player, which is causing the download of the loader here:
http://2677.in/log.exe
Report:
http://www.virustotal.com/analisis/85344c5db45eb5bba6702091afdefe634387038d9c7f7704d5e8648507b9482e-1276270061
June 11, 2010, 06:33:09 pm
Reply #2
eoin.miller
Re: iamcome.in
The iframes:
http://2677.in/cnzz.html
http://2677.in/ie.html
Flash:
http://2677.in/anhey.swf
Report 2/41:
http://www.virustotal.com/analisis/725f0cc85e34151e7e6af81a4f221b47a6825944cbaf68a4b5daf4023e5143e4-1276280998
Symantec classifies this Flash file as a trojan? Wepawet claims it to be benign.
Also pulls script from the site below for tracking purposes; the guy's handle is dnf666 (how charming):
http://s11.cnzz.com/stat.php?id=1990191&web_id=1990191