Author Topic: Decoding the Global Crossing rogues  (Read 1828 times)


July 02, 2009, 06:06:20 pm

MysteryFCM

Global Crossing are currently hosting a whole host of rogues such as Fast Antivirus. One thing the latest ones have in common is their use of a seemingly randomly named .js file that does the bulk of the work to ensure you get infected with it.

Most of us will either;

1. Load the site up in the browser
2. Analyze the sites source code to identify the download location so we can automate downloads of new samples

I tend to opt for the latter myself, which is why I'm posting this. When I looked at a site a couple of days ago, I got the .js file decoded, went through its code, and identified the download URL as;

http://hphosts.blogspot.com/2009/07/decoding-global-crossing-rogues.html

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net