Author Topic: 212.150.164.0/24 - Drive By's and Malvertising  (Read 3550 times)

0 Members and 1 Guest are viewing this topic.

July 08, 2010, 05:48:30 pm
Read 3550 times

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Seeing some exploit kits and malvertising in the 212.150.164.0/24 netblock.

212.150.164.202 - pgpg.ws

Entry point:
http://pgpg.ws/dbcdefabcdefabcdefabcd/well.php

Malicious PDF:
http://pgpg.ws/dbcdefabcdefabcdefabcd/files/goodshootthebreezedino.pdf
Wepawet Report: http://wepawet.iseclab.org/view.php?hash=f4a2c5e4a4be19257d2cf84f3f093fa0&type=js

Malicious ASX (windows media player):
http://pgpg.ws/dbcdefabcdefabcdefabcd/files/simple.asx

Malicious JAR:
http://pgpg.ws/dbcdefabcdefabcdefabcd/files/intellectualguesses.jar
http://pgpg.ws/dbcdefabcdefabcdefabcd/files/hookedsecurity.jar

Payload:
http://pgpg.ws/dbcdefabcdefabcdefabcd/mothersdarlingcross.php
http://pgpg.ws/dbcdefabcdefabcdefabcd/yettiownssomelilz.php?e=9&n=
VirusTotal Results (9/41): http://www.virustotal.com/analisis/ec2a42238c55b8135c745889d2f87200698dbf9d5d37a869e82a3a9ba951faa9-1278553255

Post infection, hosts are checking in to:
wc-zone.info
wc-lost.info