Author Topic: iamcome.in  (Read 3910 times)


June 11, 2010, 06:02:10 pm

eoin.miller

Seeing infected hosts reaching out to:
http://d.iamcome.in/u.txt

That returns a URL of an EXE which trips 29/41 on VirusTotal:
http://d.iamcome.in/ma.exe
Report: http://www.virustotal.com/analisis/ed8d7ddb7e865d0e0151490ae811f80bf968078e6542b6be25e55a5e86f6011c-1276258210

June 11, 2010, 06:23:52 pm
Reply #1

eoin.miller

Looks like this is related to the massive SQL injection attack against IIS, similar to the robint.us domain checkin that has been ongoing. Infected sites will toss you over to the following URL, which is a drive-by:

http://2677.in/yahoo.js

Looks like it is exploiting flash player, which is causing the download of the loader here:

http://2677.in/log.exe
Report: http://www.virustotal.com/analisis/85344c5db45eb5bba6702091afdefe634387038d9c7f7704d5e8648507b9482e-1276270061

June 11, 2010, 06:33:09 pm
Reply #2

eoin.miller

The iframes:
http://2677.in/cnzz.html
http://2677.in/ie.html

Flash:
http://2677.in/anhey.swf
Report 2/41: http://www.virustotal.com/analisis/725f0cc85e34151e7e6af81a4f221b47a6825944cbaf68a4b5daf4023e5143e4-1276280998

Symantec classifies this flash file as a trojan? Wepawet claims it to be benign.

Also pulls a script from the site below for tracking purposes; the guy's handle is dnf666 (how charming):
http://s11.cnzz.com/stat.php?id=1990191&web_id=1990191
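As an added defender-side example (not part of the thread, and not eoin.miller's code), the script below matches Squid-style proxy access-log lines against the URLs posted above and reports which clients walked the chain from the drive-by page to an executable download. The log lines are constructed for the example; the indicator list is the set of hosts and paths named in the thread.

```python
import re
from urllib.parse import urlsplit

# Indicators as posted in this thread: host -> path -> role in the infection chain.
INDICATORS = {
    "d.iamcome.in": {"/u.txt": "checkin", "/ma.exe": "payload"},
    "2677.in": {"/yahoo.js": "drive-by", "/cnzz.html": "iframe", "/ie.html": "iframe",
                "/anhey.swf": "flash-exploit", "/log.exe": "loader"},
}

# Squid native access.log layout: timestamp elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")


def classify(url):
    """Return the chain role of the indicator the URL hits (host + exact path), or None."""
    parts = urlsplit(url)
    return INDICATORS.get((parts.hostname or "").lower(), {}).get(parts.path)


def chains_by_client(lines):
    """Map each client IP to the ordered list of (url, role) indicator hits in its traffic."""
    chains = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        role = classify(m.group("url"))
        if role:
            chains.setdefault(m.group("client"), []).append((m.group("url"), role))
    return chains


def clients_with_payload(chains):
    """Clients that went past the landing page to an executable download (worth triage first)."""
    return sorted(c for c, hits in chains.items()
                  if any(role in ("payload", "loader") for _, role in hits))


# Constructed sample log lines (not from the thread); clients are RFC 1918 addresses.
SAMPLE_LOG = [
    "1276258200.123    210 10.1.2.3 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html",
    "1276258205.456    180 10.1.2.3 TCP_MISS/200 340 GET http://2677.in/yahoo.js - DIRECT/192.0.2.20 application/javascript",
    "1276258206.789    220 10.1.2.3 TCP_MISS/200 9000 GET http://2677.in/anhey.swf - DIRECT/192.0.2.20 application/x-shockwave-flash",
    "1276258210.001    300 10.1.2.3 TCP_MISS/200 60 GET http://d.iamcome.in/u.txt - DIRECT/192.0.2.30 text/plain",
    "1276258211.002    900 10.1.2.3 TCP_MISS/200 81920 GET http://d.iamcome.in/ma.exe - DIRECT/192.0.2.30 application/octet-stream",
    "1276258220.500    150 10.1.2.4 TCP_DENIED/403 0 GET http://2677.in/yahoo.js - NONE/- text/html",
]

if __name__ == "__main__":
    chains = chains_by_client(SAMPLE_LOG)
    for client, hits in chains.items():
        print(client, " -> ".join(f"{role}:{url}" for url, role in hits))
    print("clients with executable download:", clients_with_payload(chains))
```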