Author Topic: More Blackhole Kits  (Read 13521 times)


February 16, 2012, 06:46:08 pm
Reply #30

pktguy


February 20, 2012, 07:28:45 pm
Reply #31

pktguy


February 21, 2012, 09:15:08 pm
Reply #32

pktguy



February 23, 2012, 09:25:19 pm
Reply #34

pktguy

Wepawet is still having trouble with these

iron.onlineadvocacy.me/main.php?page=4c8b25108c8e6bcf
http://wepawet.iseclab.org/view.php?hash=cce7db80bb4fd7b7cb61722093adf711&t=1330019596&type=js

yahooreturn.com/main.php?page=d74fc241f9c44e5c
http://wepawet.iseclab.org/view.php?hash=9568f7cd13d03d6e575c33f07ee11456&t=1330019835&type=js

February 24, 2012, 12:59:30 am
Reply #35

mercutio

Quote from: pktguy on February 23, 2012, 09:25:19 pm

Wepawet is still having trouble with these

iron.onlineadvocacy.me/main.php?page=4c8b25108c8e6bcf
http://wepawet.iseclab.org/view.php?hash=cce7db80bb4fd7b7cb61722093adf711&t=1330019596&type=js

yahooreturn.com/main.php?page=d74fc241f9c44e5c
http://wepawet.iseclab.org/view.php?hash=9568f7cd13d03d6e575c33f07ee11456&t=1330019835&type=js

It turns out they're serving a (slightly) different code. One of the versions of the code they send does not work in IE, where it causes a parsing exception (but it does work as expected in FF); this causes the analysis you linked to to fail to show the full chain of pages and exploits.

Here are two re-analyses that succeeded (it just happened that the servers were giving out a different version of the code that does work in IE):
http://wepawet.cs.ucsb.edu/view.php?hash=9568f7cd13d03d6e575c33f07ee11456&t=1330041812&type=js
http://wepawet.iseclab.org/view.php?hash=cce7db80bb4fd7b7cb61722093adf711&t=1330041690&type=js

Thanks!

February 27, 2012, 10:14:23 am
Reply #36

michajp

Fake IRS spam email, containing the following link:

Code:
hxxp://iibm.in/acpatna/wp-content/uploads/fgallery/rep.html
Contains obfuscated iframer, VT-result:
https://www.virustotal.com/file/565dc176b664e1a8431789f13bcca2be1bf52846b5579c54867f77ee37af5ad5/analysis/

Blackhole at:
Code:
hxxp://110hobart.com/main.php?page=25e3203444ce0d83
----------


File: script-blackhole-2012-02-27.19-12.txt
Time: 2012-02-27 10:11:25 UTC
VT Result: 0 / 43

MD5:  5db425668150db05716864d62b65d2a5
First seen by VT:  2012-02-27 10:11:25 UTC ( 1 minute ago )
----------

https://www.virustotal.com/file/60d9e4133e982be2fc451cb10dea4ff22b583d86634876f4948048a97de65c91/analysis/1330337485/

February 27, 2012, 03:07:23 pm
Reply #37

michajp

Quote from: michajp on February 27, 2012, 10:14:23 am

Fake IRS spam email, containing the following link:

Code:
hxxp://iibm.in/acpatna/wp-content/uploads/fgallery/rep.html
Two more:

Code:
hxxp://willitscharter.org/wp-wcs/wp-content/uploads/fgallery/rep.html
hxxp://ultimateadvehicles.com/wp-content/uploads/fgallery/rep.html

February 28, 2012, 03:34:08 pm
Reply #38

pktguy

Serving what looks like Cridex

twistedtarts.net/main.php?page=f231b7d2647c237a
http://wepawet.iseclab.org/view.php?hash=45f9c9216818812939ab78071e9c9f54&t=1330442417&type=js


February 28, 2012, 06:34:53 pm
Reply #39

pktguy


March 01, 2012, 10:29:33 pm
Reply #40

pktguy


March 08, 2012, 04:50:46 pm
Reply #41

pktguy
