daily something......

[sowhat-x]

These two are quite well detected...

hxxp://put.ghura.pl/81.exe
hxxp://put.ghura.pl/wr.exe

This one isn't very well detected...

hxxp://nemesis.feed.parkingspa.com/NemesisClient.cab

http://www.virustotal.com/analisis/d8f47e014b7190ba7ec12112ea7c5ba8

And the well-known friends from zief.pl once again...

hxxp://zief.pl/iraq.jpg/
http://www.virustotal.com/analisis/7e573eac2d13fbc94bf9d81d2702c140
--->
hxxp://jl.chura.pl/rc/pdf.php?id=456346
http://wepawet.iseclab.org/view.php?hash=c5ec3e0138dd5d5b4d9c204654deb18a&t=1239017754&type=js

Zief.pl crap in attachment as well,password is "infected" as always...

[SysAdMini]

exploit

Code: [Select]

http://www.poshlivse.com/index.phphttp://wepawet.iseclab.org/view.php?hash=92dff88b48386b1b933001ca33b73212&t=1239014786&type=js

trojan

Code: [Select]

http://www.poshlivse.com/load.phpMD5...: 38970d48df49ca67e06a755350ca9029
http://www.virustotal.com/analisis/ef07a0f7e3e2b1413a9fd591ceede630 2/40
eSafe    7.0.17.0    2009.04.05    Suspicious File
Sophos    4.40.0    2009.04.06    Mal/EncPk-HJ

A compromised site which contains an Iframe to this site is

Code: [Select]

limitin.dehttp://wepawet.iseclab.org/view.php?hash=cd2389a3c5064493afe100c17c953d11&t=1239015252&type=js

trojan Koobface

Code: [Select]

79.119.2.227/pid=1000/setup.exe
98.200.26.126/pid=1000/setup.exe

[sowhat-x]

Another Koobface...

hxxp://96.35.12.230
hxxp://96.35.12.230/player.swf?pid=6123
hxxp://96.35.12.230/setup.exe

What's kinda interesting actually is the .swf itself...
http://www.virustotal.com/analisis/428b28603b7ef35dfa4b35d85ae65fcc
And after being decompressed also...
http://wepawet.iseclab.org/view.php?hash=c17f6d015c0bc212850fc20e9133e700&type=swf
http://www.virustotal.com/analisis/388afb42ca35d977a980b631b6f7419b
Can't really say it's not to be considered at least as a malware component... 

hxxp://61.235.117.70/update.exe

http://www.virustotal.com/analisis/b6d794becce8fad6b6a20a581998dbe1

"It works!" -> is that so? 

hxxp://usacaaugb.cn/life/iepdf.php?f=new
hxxp://usacaaugb.cn/life/iepdf.php?f=old
hxxp://usacaaugb.cn/life/load.php

hxxp://www.ohtas.biz/stproj/flash.php

Result: 11/40 (27.5%)
http://www.virustotal.com/analisis/809a0e88b7935b661a46fab342169c8a

hxxp://www.vivne.cn/vn.exe

http://www.virustotal.com/analisis/e3ae284eb9482b92f5cd7f09781c451a
http://anubis.iseclab.org/?action=result&task_id=1f8ac8cc0933668946de525e26eae0872&format=html

[SysAdMini]

pdf exploit/trojan

Code: [Select]

famajormusic.ru/jjkj/in.phphttp://wepawet.cs.ucsb.edu/view.php?hash=5bb19ee926f1557416d2ee2131adf36e&t=1239040477&type=js
http://www.virustotal.com/analisis/c6087121de76e697622bb78ded6e8e8d 6/40

[CkreM]

Rogue:

Code: [Select]

Soldiersoftware.net
Redirect to exploit:

Code: [Select]

fikalo.dehttp://wepawet.iseclab.org/view.php?hash=a3d3398c25bdc7262e98bd19cdee44c1&t=1239025317&type=js

[sparsha]

Code: [Select]

Fake scanners:

http://sys-scan-wiz.org/download.php?page=http://sys-scan-wiz.org/
scanner-wiz-1.com
Avs-online-scan.org
av-lookup.org
Free-web-scaners.net/disk/?code=286
http://am-scan.com/l3/index.html?ref_id=7091
http://am-scan.com/download.php?page=http://am-scan.com/l3/index.html?ref_id=7091

Rogue installers:

http://222.186.9.187/setup.exe
http://www.spy-protector-pro.com/install.exe
http://chorussoft.biz/install.exe

http://webwidesecurity.com/index.php?affid=09400
http://webwidesecurity.com/download.php?affid=00000

fastpayprocess.com -> Pandora Software

Fake codecs:
xviewworldmy2.com/view/1/1220/3


[SysAdMini]

exploits/Zbot

Code: [Select]

jeans0nline.cn/win/index.php?iuBgwPahttp://wepawet.iseclab.org/view.php?hash=2c245804906db1beb7aa12d7d6c18abd&t=1239091219&type=js
http://www.virustotal.com/analisis/fbc3fe9d822e4e95f6118663a438d051 5/40

It is a new Zbot variant which uses new file names.

http://www.threatexpert.com/report.aspx?md5=557c2e0a44e5fa46668383209dc7d65a

[sparsha]

Few more

Code: [Select]

http://antiviral-scan-pro.com/11041/3/
http://files.load-pro-antispy.com/normal/setup_11041_3_1.exe

http://goforuniq.com/in.cgi?13&gai=csptop&gli=400&gff=cs_3578123074&al=

http://bonuspromooffer.com/vsm/adv/142/?a=csptop-sst&l=400&f=cs_3578123074&ex=&ed=&h=&sub=csp&prodabbr=3P_UVSM
http://dwnld.bonuspromooffer.com/secure/4f6c9cf2c210fefe73170ddfe8880e38/49db0f09/vsm/vsm_free_setup.exe
http://dwnld.promotion-offer.com/secure/2b686c9bbf54a2803cc230f1a3e6eb1d/49db1161/srm/srm_free_setup.exe

http://www.xp-shield.cn/download.html



[sparsha]

couple more links

Code: [Select]

best-av1.info
http://download.best-av1.info/en/PE/install.exe


Other files usually used by this rogue family [browser hijacker, Fake BSOD..]

Code: [Select]

http://download.best-av1.info/en/PE/N1.CAB
http://download.best-av1.info/en/PE/QWProtect.dll
http://download.best-av1.info/en/PE/svchost.exe


[SysAdMini]

pdf/flash exploit

Code: [Select]

truff.biz/myy/index.phphttp://wepawet.cs.ucsb.edu/view.php?hash=485a23bf02f4721e4170bffe1dfc0903&t=1239118663&type=js

trojan

Code: [Select]

http://truff.biz/myy/load.php?id=4http://www.virustotal.com/analisis/78ca3e1b17cf6b3499d9714cf2cdda15

[CkreM]

seems like Zeus in the end:

Code: [Select]

http://update3.cn/spl111/index.phphttp://wepawet.iseclab.org/view.php?hash=13b9fbbd568f6bbba6bfb2088e20610d&t=1239121445&type=js

[CkreM]

pdf exploit leading to zeus infection:

Code: [Select]

http://233242.info/1/include/spl.php
http://233242.info/1/load.phphttp://www.virustotal.com/analisis/d6fcdb78ed428bf52f47e6fb75bed6fc
http://wepawet.iseclab.org/view.php?hash=b03cbc6d02dc98d6b9527060c8a7ebe9&t=1239125074&type=js

now this exploit isn't working good for me(if anyone else could check it ,would be nice)
should start here but gave me some kind of error:

Code: [Select]

http://sh-hostz9.net/1/index.phphttp://wepawet.iseclab.org/view.php?hash=20c7f173f3a113538dea1ba392d13305&t=1239121977&type=js

Iframes to :

Code: [Select]

http://sh-hostz9.net/1/pdf.phphttp://wepawet.iseclab.org/view.php?hash=3c236eaec1299ed3c633aed33ae1736e&t=1239122033&type=js
and

Code: [Select]

http://sh-hostz9.net/1/vparivatel.php  (from here it gives you a screen to do some update)
http://wepawet.iseclab.org/view.php?hash=9a310342e3d2202d661d75be9333b869&t=1239131443&type=js
finally leads to the trojan:

Code: [Select]

http://sh-hostz9.net/1/load.php

Hamm now its starting from :

Code: [Select]

http://sh-hostz9.net/2/index.phphttp://wepawet.iseclab.org/view.php?hash=f883649411359a991e9f55e2cc541cc8&t=1239132145&type=js

leading also to:

Code: [Select]

http://sh-hostz9.net/2/pdf.php
lol changed after 30 min or so ~.~

[sowhat-x]

now this exploit isn't working good for me(if anyone else could check it ,would be nice)

Both of them are in the same ip address,220.196.59.26,meaning there's a good chance that if you first visited one of them first...
And the rest of the domains hosted there aren't much different,heh...but i didn't manually verified them,merely googled about them.

Earlier ips in the same netblock there host malicious domains from what i see...
will attempt digging them tomorrow though,need some sleep now ;-)

hxxp://goshak.biz/my/index.php

[CkreM]

now this exploit isn't working good for me(if anyone else could check it ,would be nice)

Both of them are in the same ip address,220.196.59.26,meaning there's a good chance that if you first visited one of them first...
And the rest of the domains hosted there aren't much different,heh...but i didn't manually verified them,merely googled about them.

Earlier ips in the same netblock there host malicious domains from what i see...
will attempt digging them tomorrow though,need some sleep now ;-)

hxxp://goshak.biz/my/index.php

changed my ip between trys

anyway its not that it recognize my ip or something,it just gives some error saying "file does not begin with %pdf " or something like that

also another one on that IP:

Code: [Select]

http://volimir.biz/my/index.phphttp://wepawet.iseclab.org/view.php?hash=57cae50b99f2591b0612eba32de4a67b&t=1239134249&type=js

the pdf exploit itself is at:(wepawet didnt analyze it)

Code: [Select]

http://volimir.biz/my/cache/readme.pdfhttp://wepawet.iseclab.org/view.php?hash=22ae140b9b2f549caffb7328bb4dbf0c&t=1239134421&type=js

[sowhat-x]

Oh,the .pdf file itself you meant?I'll check it tomorrow,my mind isn't working properly at the moment,plus i'm not in front of a vm...i need to sleep.
Last one for tonight - exploring the rest of this ip,is..."left as an excercise for the reader" 
http://www.bfk.de/bfk_dnslogger.html?query=220.196.59.17#result

hxxp://xdwlnbqsdsph5pc8rz81.cn/s_t.php