
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-11-19



loadadv.exe

Published: 2005-11-19
Last Updated: 2005-11-19 21:54:01 UTC
by Daniel Wesemann (Version: 2)

Back in July, I already posted on the subject (Who needs .info/.biz, anyway?), and it turns out that the same scam is still in operation today. By putting too much trust into the topmost result returned by a search engine, a user of mine ended up ringing quite a few bells on the IDS and AV late yesterday night. Turns out the page the user got redirected to was hxxp://iframebiz.biz/dl/adv443.php (DON'T click).

The content returned by this link is obfuscated and encoded JavaScript. Once decoded, it reads as follows (included as an image, to keep your antivirus from panicking):



Yes. A bunch of malware, no doubt, trying to exploit quite a number of recent and not-so-recent vulnerabilities commonly found on a badly patched Windows workstation. The Trojans it tries to download are by now pretty well known and recognized by most antivirus software. What irks me most, though, is that this sort of thing has been around for months. Checking with a DNS cache, I found that no less than nine different DNS names have been used for this scam within the past week alone.

traffsale.biz     81.9.5.10
iframesite.biz    81.9.5.10
iframetraff.biz   81.9.5.10
toolbartraff.biz  81.9.5.10
buytraff.biz      81.9.5.10
iframecash.biz    81.9.5.10
toolbarurl.biz    81.9.5.10
iframebiz.biz     81.9.5.10
toolbarbiz.biz    81.9.5.10

And guess what country 81.9.5.10 resides in? Yes, one of the CWIIAC, country-where-ISPs-ignore-all-complaints. I'm about to send them one more.
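The DNS-cache check described above is a pivot every incident handler ends up doing: take the one bad IP you have and ask which other names your resolver has seen pointing at it. The script below is an added example (not part of the diary, and not the author's tooling) that does exactly that over a constructed cache dump. The record format it parses is an assumed, simplified zone-file style ("name TTL IN A address"); the nine .biz names and 81.9.5.10 are taken from the diary, the remaining records are made-up decoys.

```python
"""Pivot on a resolved IP address in a DNS cache / passive-DNS dump.

Added example, not code from the ISC diary. The record format below is a
simplified zone-file style ("name TTL IN A address") assumed for
illustration; adapt parse_record() to whatever your resolver or passive-DNS
source actually emits.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of cache records. The nine .biz names and 81.9.5.10 are
# the ones listed in the diary; the example.* lines are made-up decoys.
SAMPLE_CACHE = """\
traffsale.biz.      3600 IN A 81.9.5.10
iframesite.biz.     3600 IN A 81.9.5.10
iframetraff.biz.    3600 IN A 81.9.5.10
toolbartraff.biz.   3600 IN A 81.9.5.10
buytraff.biz.       3600 IN A 81.9.5.10
iframecash.biz.     3600 IN A 81.9.5.10
toolbarurl.biz.     3600 IN A 81.9.5.10
iframebiz.biz.      3600 IN A 81.9.5.10
toolbarbiz.biz.     3600 IN A 81.9.5.10
example.com.        86400 IN A 192.0.2.10
www.example.com.    86400 IN CNAME example.com.
example.net.        300 IN A 198.51.100.7
example.org.        300 IN A 198.51.100.7
"""


def parse_record(line):
    """Return (name, ip) for an A record, or None for anything else."""
    parts = line.split()
    if len(parts) != 5 or parts[2].upper() != "IN" or parts[3].upper() != "A":
        return None
    name = parts[0].rstrip(".").lower()
    try:
        ip = str(ip_address(parts[4]))   # normalises and rejects garbage
    except ValueError:
        return None
    return name, ip


def index_by_ip(cache_text):
    """Map each address to the set of names that resolved to it."""
    by_ip = defaultdict(set)
    for line in cache_text.splitlines():
        rec = parse_record(line)
        if rec:
            name, ip = rec
            by_ip[ip].add(name)
    return by_ip


def pivot_on_ip(cache_text, ip):
    """Names sharing the given address, sorted. Feed it the known-bad IP."""
    return sorted(index_by_ip(cache_text).get(str(ip_address(ip)), set()))


def crowded_ips(cache_text, min_names=5):
    """Addresses that host at least min_names distinct names.

    A high count is only a lead: shared hosting and CDNs legitimately put
    many names on one address, so confirm before blocking on it.
    """
    return {ip: sorted(names)
            for ip, names in index_by_ip(cache_text).items()
            if len(names) >= min_names}


if __name__ == "__main__":
    for name in pivot_on_ip(SAMPLE_CACHE, "81.9.5.10"):
        print(name)
```

Run as-is it prints the nine .biz names; point index_by_ip() at a real cache dump and the same pivot gives you the block list for the proxy or resolver. Treat crowded_ips() as a triage hint only, since a busy shared-hosting box looks the same as a throwaway scam host from this angle.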



Mambo exploit making the rounds

Published: 2005-11-19
Last Updated: 2005-11-19 18:19:00 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
Rumour has it that exploit attempts against the web portal / content management system "Mambo", through the vulnerability first reported in http://seclists.org/lists/fulldisclosure/2005/Nov/0528.html, have started in earnest. SecurityFocus http://www.securityfocus.com/archive/1/417215/30/0/threaded reports defacements. (Thanks to Juha-Matti for the heads-up.)