Zero-day MPEG2TuneRequest Exploit Leads to KILLAV

[SysAdMini]

http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/

[MysteryFCM]

Code: [Select]

I thought I'd give you guys a quick analysis of what myb88.com/t.js (IP: 203.158.16.18), as mentioned by DNS-BH, actually does. The first thing we need to look at, is the contents of t.js;

From here, we can see that it is loading an iFrame to bybyybyb.com (59.34.197.154 - AS4134), based on whether tmpdomain is equal to zero (which is based on whether or not the URL matches any of the items in the arydomain array). This iFrame, then loads another iframe to index.htm which contains;

http://hphosts.blogspot.com/2009/07/myb88comtjs-quick-analysis.html

[RS-232]

Seems to be related to the exploit mentioned above,
kinda proof of concept skiddie tool or so,but i didn't really bothered checking it...
http://www.popsky.org/article/MPEG-2_0DAY_20090708012249.html
http://www.virustotal.com/analisis/cba86df44f23b3d980c60c2bc8f287a8d734dbbf4687214b363d6bc02f2e1bc4-1247203655

[MysteryFCM]

NOD flagged it (the rar, as it was downloading) as the Statik trojan

[RS-232]

The executable there appears to be multi-packed,at least from a very quick first look...
probably also the reason that some AVs reported "unknown packer" etc.

...Here's another interesting thread that I stumbled upon:
http://bbs.pediy.com/showthread.php?t=92912
Related to the domains mentioned in pediy's thread above:
http://blog.scansafe.com/journal/2009/7/7/china-attacks-worsen.html

[RS-232]

http://milw0rm.com/exploits/9108