Author Topic: daily something......  (Read 832721 times)


April 06, 2009, 11:59:07 am
Reply #270

sowhat-x

  • Guest
These two are quite well detected...
Quote
hxxp://put.ghura.pl/81.exe
hxxp://put.ghura.pl/wr.exe

This one isn't very well detected...
Quote
hxxp://nemesis.feed.parkingspa.com/NemesisClient.cab
http://www.virustotal.com/analisis/d8f47e014b7190ba7ec12112ea7c5ba8

And the well-known friends from zief.pl once again...
Quote
hxxp://zief.pl/iraq.jpg/
http://www.virustotal.com/analisis/7e573eac2d13fbc94bf9d81d2702c140
--->
hxxp://jl.chura.pl/rc/pdf.php?id=456346
http://wepawet.iseclab.org/view.php?hash=c5ec3e0138dd5d5b4d9c204654deb18a&t=1239017754&type=js
Zief.pl crap in attachment as well, password is "infected" as always...

April 06, 2009, 12:06:30 pm
Reply #271

SysAdMini

  • Administrator
exploit
Code:
http://www.poshlivse.com/index.php
http://wepawet.iseclab.org/view.php?hash=92dff88b48386b1b933001ca33b73212&t=1239014786&type=js

trojan
Code:
http://www.poshlivse.com/load.php
MD5...: 38970d48df49ca67e06a755350ca9029
http://www.virustotal.com/analisis/ef07a0f7e3e2b1413a9fd591ceede630 2/40
eSafe    7.0.17.0    2009.04.05    Suspicious File
Sophos    4.40.0    2009.04.06    Mal/EncPk-HJ

A compromised site which contains an iframe to this site is
Code:
limitin.de
http://wepawet.iseclab.org/view.php?hash=cd2389a3c5064493afe100c17c953d11&t=1239015252&type=js

trojan Koobface
Code:
79.119.2.227/pid=1000/setup.exe
98.200.26.126/pid=1000/setup.exe
Ruining the bad guy's day

April 06, 2009, 12:51:34 pm
Reply #272

sowhat-x

  • Guest
Another Koobface...
Quote
hxxp://96.35.12.230
hxxp://96.35.12.230/player.swf?pid=6123
hxxp://96.35.12.230/setup.exe

What's kinda interesting actually is the .swf itself...
http://www.virustotal.com/analisis/428b28603b7ef35dfa4b35d85ae65fcc
And after being decompressed also...
http://wepawet.iseclab.org/view.php?hash=c17f6d015c0bc212850fc20e9133e700&type=swf
http://www.virustotal.com/analisis/388afb42ca35d977a980b631b6f7419b
Can't really say it's not to be considered at least as a malware component...  :-\

Quote
hxxp://61.235.117.70/update.exe
http://www.virustotal.com/analisis/b6d794becce8fad6b6a20a581998dbe1

"It works!" -> is that so?  :D
Quote
hxxp://usacaaugb.cn/life/iepdf.php?f=new
hxxp://usacaaugb.cn/life/iepdf.php?f=old
hxxp://usacaaugb.cn/life/load.php

Quote
hxxp://www.ohtas.biz/stproj/flash.php
Result: 11/40 (27.5%)
http://www.virustotal.com/analisis/809a0e88b7935b661a46fab342169c8a

Quote
hxxp://www.vivne.cn/vn.exe
http://www.virustotal.com/analisis/e3ae284eb9482b92f5cd7f09781c451a
http://anubis.iseclab.org/?action=result&task_id=1f8ac8cc0933668946de525e26eae0872&format=html

April 06, 2009, 05:53:13 pm
Reply #273

SysAdMini

  • Administrator
Ruining the bad guy's day

April 06, 2009, 06:10:08 pm
Reply #274

CkreM

  • Special Access
Mal-Aware

April 07, 2009, 07:32:52 am
Reply #275

sparsha

  • Special Members
Code:
Fake scanners:

http://sys-scan-wiz.org/download.php?page=http://sys-scan-wiz.org/
scanner-wiz-1.com
Avs-online-scan.org
av-lookup.org
Free-web-scaners.net/disk/?code=286
http://am-scan.com/l3/index.html?ref_id=7091
http://am-scan.com/download.php?page=http://am-scan.com/l3/index.html?ref_id=7091

Rogue installers:

http://222.186.9.187/setup.exe
http://www.spy-protector-pro.com/install.exe
http://chorussoft.biz/install.exe

http://webwidesecurity.com/index.php?affid=09400
http://webwidesecurity.com/download.php?affid=00000

fastpayprocess.com -> Pandora Software

Fake codecs:
xviewworldmy2.com/view/1/1220/3

April 07, 2009, 07:59:44 am
Reply #276

SysAdMini

  • Administrator
Ruining the bad guy's day

April 07, 2009, 09:23:25 am
Reply #277

sparsha

  • Special Members
Few more

Code:
http://antiviral-scan-pro.com/11041/3/
http://files.load-pro-antispy.com/normal/setup_11041_3_1.exe

http://goforuniq.com/in.cgi?13&gai=csptop&gli=400&gff=cs_3578123074&al=

http://bonuspromooffer.com/vsm/adv/142/?a=csptop-sst&l=400&f=cs_3578123074&ex=&ed=&h=&sub=csp&prodabbr=3P_UVSM
http://dwnld.bonuspromooffer.com/secure/4f6c9cf2c210fefe73170ddfe8880e38/49db0f09/vsm/vsm_free_setup.exe
http://dwnld.promotion-offer.com/secure/2b686c9bbf54a2803cc230f1a3e6eb1d/49db1161/srm/srm_free_setup.exe

http://www.xp-shield.cn/download.html



April 07, 2009, 09:35:19 am
Reply #278

sparsha

  • Special Members
Couple more links
Code:
best-av1.info
http://download.best-av1.info/en/PE/install.exe


Other files usually used by this rogue family [browser hijacker, Fake BSOD..]
Code:
http://download.best-av1.info/en/PE/N1.CAB
http://download.best-av1.info/en/PE/QWProtect.dll
http://download.best-av1.info/en/PE/svchost.exe


April 07, 2009, 03:36:52 pm
Reply #279

SysAdMini

  • Administrator
Ruining the bad guy's day

April 07, 2009, 04:22:48 pm
Reply #280

CkreM

  • Special Access
Mal-Aware

April 07, 2009, 07:14:39 pm
Reply #281

CkreM

  • Special Access
PDF exploit leading to Zeus infection:
Code:
http://233242.info/1/include/spl.php
http://233242.info/1/load.php
http://www.virustotal.com/analisis/d6fcdb78ed428bf52f47e6fb75bed6fc
http://wepawet.iseclab.org/view.php?hash=b03cbc6d02dc98d6b9527060c8a7ebe9&t=1239125074&type=js

Now this exploit isn't working well for me (if anyone else could check it, would be nice).
Should start here but gave me some kind of error:
Code:
http://sh-hostz9.net/1/index.php
http://wepawet.iseclab.org/view.php?hash=20c7f173f3a113538dea1ba392d13305&t=1239121977&type=js

Iframes to:
Code:
http://sh-hostz9.net/1/pdf.php
http://wepawet.iseclab.org/view.php?hash=3c236eaec1299ed3c633aed33ae1736e&t=1239122033&type=js
and
Code:
http://sh-hostz9.net/1/vparivatel.php  (from here it gives you a screen to do some update)
http://wepawet.iseclab.org/view.php?hash=9a310342e3d2202d661d75be9333b869&t=1239131443&type=js
finally leads to the trojan:
Code:
http://sh-hostz9.net/1/load.php

Hmm, now it's starting from:
Code:
http://sh-hostz9.net/2/index.php
http://wepawet.iseclab.org/view.php?hash=f883649411359a991e9f55e2cc541cc8&t=1239132145&type=js

leading also to:
Code:
http://sh-hostz9.net/2/pdf.php
lol changed after 30 min or so ~.~
Mal-Aware

April 07, 2009, 07:41:32 pm
Reply #282

sowhat-x

  • Guest
Quote
Now this exploit isn't working well for me (if anyone else could check it, would be nice)
Both of them are on the same IP address, 220.196.59.26, meaning there's a good chance that if you visited one of them first...
And the rest of the domains hosted there aren't much different, heh... but I didn't manually verify them, merely googled them.

Earlier IPs in the same netblock host malicious domains from what I see...
Will attempt digging into them tomorrow though, need some sleep now ;-)
Quote
hxxp://goshak.biz/my/index.php

April 07, 2009, 07:48:48 pm
Reply #283

CkreM

  • Special Access
Quote
Now this exploit isn't working well for me (if anyone else could check it, would be nice)
Both of them are on the same IP address, 220.196.59.26, meaning there's a good chance that if you visited one of them first...
And the rest of the domains hosted there aren't much different, heh... but I didn't manually verify them, merely googled them.

Earlier IPs in the same netblock host malicious domains from what I see...
Will attempt digging into them tomorrow though, need some sleep now ;-)
Quote
hxxp://goshak.biz/my/index.php


Changed my IP between tries.

Anyway, it's not that it recognizes my IP or something; it just gives some error saying "file does not begin with %pdf" or something like that.

also another one on that IP:

Code:
http://volimir.biz/my/index.php
http://wepawet.iseclab.org/view.php?hash=57cae50b99f2591b0612eba32de4a67b&t=1239134249&type=js

The PDF exploit itself is at (wepawet didn't analyze it):
Code:
http://volimir.biz/my/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=22ae140b9b2f549caffb7328bb4dbf0c&t=1239134421&type=js
Mal-Aware

April 07, 2009, 08:09:55 pm
Reply #284

sowhat-x

  • Guest
Oh, the .pdf file itself you meant? I'll check it tomorrow, my mind isn't working properly at the moment, plus I'm not in front of a VM... I need to sleep.
Last one for tonight - exploring the rest of this IP is... "left as an exercise for the reader" :D
http://www.bfk.de/bfk_dnslogger.html?query=220.196.59.17#result
Quote
hxxp://xdwlnbqsdsph5pc8rz81.cn/s_t.php