Malware hosted on 3322.org AGAIN!
If you google for l61.3322.org you will find LOTS of “script” links to http://l61DOT3322DOTorg/eDOTjs. Note that the first character of the hostname is a lowercase L, not the digit 1.
Be careful: that JavaScript attempts to exploit vulnerabilities in some browsers.
Fellow Handler BojanZ stated this about that malicious piece of JavaScript:
“The attached JS file calls other JS files (from various servers). At least one of them tries to exploit an old vulnerability (MS06-014 - Microsoft Data Access Components (MDAC)). Other JS files redirect the browser to different sites:
http://wwwdot777seodotcom/seodotphp?username=happygold
http://wwwdotovosearchdotcom/advertising/?ref=happygold
http://kikclickdotcom/portal/?ref=happygold
(these are click through affiliate web sites)”
http://isc.sans.org/diary.html?storyid=1348
https://isc.sans.org/diary.html?storyid=1945
I recommend you monitor your IDS, firewall and other logs for access to l61DOT3322DOTorg; if you see any access, check the systems that accessed it for malware. You may decide to block that site within your enterprise. Many enterprise and educational networks did block 3322.org during the Word zero-day exploit in 2005.
UPDATE: Jose Nazario @ Arbor Networks provided the following analysis:
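The log check recommended above, written out as an added example (not from the diary or its authors): it parses proxy log lines for requests to the hosts named in this post, matching on whole DNS labels so that look-alike names such as not3322.org are not caught by accident, and groups the hits by client so you have the list of systems to inspect. The log lines are constructed for the example and follow the Squid native access-log layout; the WATCHED_DOMAINS list and the 3322.org zone-wide entry are assumptions drawn from the text.

```python
from urllib.parse import urlsplit

# Hosts the diary says to watch for, plus the 3322.org zone as a whole,
# which many networks chose to block outright (assumed watchlist).
WATCHED_DOMAINS = ("l61.3322.org", "happy91.9966.org", "3322.org")

# Constructed sample in Squid native access-log format (not real traffic):
# timestamp elapsed client code/status bytes method URL rfc931 hierarchy type
SAMPLE_LOG = """\
1187212345.123   210 10.0.0.15 TCP_MISS/200 3140 GET http://l61.3322.org/e.js - DIRECT/203.0.113.10 application/x-javascript
1187212346.456   180 10.0.0.15 TCP_MISS/200 1820 GET http://l61.3322.org/hxw/wmm.htm - DIRECT/203.0.113.10 text/html
1187212350.001    90 10.0.0.22 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1187212355.789   300 10.0.0.15 TCP_MISS/200 65536 GET http://happy91.9966.org/hxw/hx/dd.exe - DIRECT/203.0.113.20 application/octet-stream
1187212360.222   120 10.0.0.31 TCP_MISS/200 900 GET http://not3322.org/page.html - DIRECT/203.0.113.30 text/html
1187212361.333   100 10.0.0.31 TCP_MISS/200 700 GET http://other-host.3322.org/x.js - DIRECT/203.0.113.40 application/x-javascript
"""


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it.

    The match is label-aligned, so 'not3322.org' does not match '3322.org'.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_squid_line(line):
    """Return (client_ip, host, url) from a Squid native log line, or None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    client, url = parts[2], parts[6]
    host = urlsplit(url).hostname
    if not host:
        return None
    return client, host, url


def find_hits(log_text, watched=WATCHED_DOMAINS):
    """Map each client IP that touched a watched domain to the URLs it fetched.

    The keys are the systems the diary says to check for malware.
    """
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client, host, url = parsed
        if any(host_matches(host, d) for d in watched):
            hits.setdefault(client, []).append(url)
    return hits


if __name__ == "__main__":
    for client, urls in sorted(find_hits(SAMPLE_LOG).items()):
        print(client)
        for u in urls:
            print("   ", u)
```

Point the script at your real proxy or DNS logs by replacing SAMPLE_LOG; for firewall logs that record only IP addresses you would match on the resolved addresses instead, since the domain is not in the record.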
“e.js fetches http://l61dot3322dotorg/hxw/wmm.htm which has iframes pointing to http://l61dot3322.org/hxw/0614.htm and http://l61dot3322dotorg/hxw/IE.htm
0614.HTM exploits ADODB.Stream()
IE.HTM exploits the following:
Exploited software                          CVE ID (none listed means no CVE match was found)
RDS.Dataspace (MS06-014)                    CVE-2006-0003
Microsoft WMIScriptUtils.WMIObjectBroker    CVE-2006-4704
SoftwareDistribution.WebControl.1
Outlook Data Object
DExplore.AppObj.8.0
Business Object Factory
Microsoft.DbgClr.DTE.8.0
VsaIDE.DTE
VisualStudio.DTE.8.0
Outlook.Application
VsmIDE.DTE”
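Pages like IE.HTM work by instantiating the controls listed above from script, so a cheap way to triage captured web content (proxy cache, IDS payload, a suspicious attachment) is to pull out every ProgID passed to ActiveXObject or CreateObject and compare it against that list. The following is an added example, not code from the diary or from Arbor Networks. The watchlist is taken from the analysis above; entries that are not in ProgID form on the page ("Outlook Data Object", "Business Object Factory") are left out because this scanner matches ProgID strings, and the page's "Microsoft WMIScriptUtils.WMIObjectBroker" is assumed to be the ProgID WMIScriptUtils.WMIObjectBroker with a vendor prefix. The sample page is constructed and is not the real IE.HTM.

```python
import re

# ProgIDs the analysis lists as instantiated by IE.HTM (assumed watchlist;
# non-ProgID entries from the page are omitted, see lead-in).
WATCHED_PROGIDS = {
    "RDS.Dataspace",
    "WMIScriptUtils.WMIObjectBroker",
    "SoftwareDistribution.WebControl.1",
    "DExplore.AppObj.8.0",
    "Microsoft.DbgClr.DTE.8.0",
    "VsaIDE.DTE",
    "VisualStudio.DTE.8.0",
    "Outlook.Application",
    "VsmIDE.DTE",
}

# JScript: new ActiveXObject("ProgID")   VBScript: CreateObject("ProgID")
_INSTANTIATION = re.compile(
    r"""(?:ActiveXObject|CreateObject)\s*\(\s*["']([^"']+)["']""",
    re.IGNORECASE,
)


def extract_progids(content):
    """Return the set of ProgID strings instantiated anywhere in the text."""
    return {m.group(1).strip() for m in _INSTANTIATION.finditer(content)}


def scan_for_progids(content, watched=WATCHED_PROGIDS):
    """Return (flagged, seen): watched ProgIDs found, and every ProgID found.

    Comparison is case-insensitive because ProgIDs are; the canonical
    spelling from the watchlist is returned for flagged entries.
    """
    seen = extract_progids(content)
    canonical = {p.lower(): p for p in watched}
    flagged = sorted(canonical[p.lower()] for p in seen if p.lower() in canonical)
    return flagged, sorted(seen)


# Constructed sample page: two watched ProgIDs mixed with a benign one.
SAMPLE_PAGE = """\
<html><body>
<script type="text/javascript">
  var x = new ActiveXObject("Msxml2.XMLHTTP");
  var r = new ActiveXObject("RDS.Dataspace");
  var d = new ActiveXObject( 'VisualStudio.DTE.8.0' );
</script>
<script language="vbscript">
  Set w = CreateObject("WMIScriptUtils.WMIObjectBroker")
</script>
</body></html>
"""

if __name__ == "__main__":
    flagged, seen = scan_for_progids(SAMPLE_PAGE)
    print("instantiated:", seen)
    print("flagged:", flagged)
```

Reporting the full list of instantiated ProgIDs alongside the flagged ones matters: a page that spins up a dozen unrelated controls is worth a look even when none of them is on the watchlist yet.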
AV vendors that did not detect these are not listed.

http://happy91dot9966dotorg/hxw/hx/200512.exe
AV engine                       Country   Signature
Avira (antivir)                 DE        HEUR/Crypted
ClamAV                                    Trojan.Crypted-4
F-Secure                        FI        Hupigon.gen130
Ikarus                          AT        Backdoor.VB.EV
Securecomputing (webwasher)     US        Heuristic.Crypted
Sunbelt

http://happy91dot9966dotorg/hxw/hx/dd.exe
AV engine                       Country   Signature
Aladdin (esafe)                 IL        Suspicious Trojan/Worm
Avira (antivir)                 DE        TR/Dldr.Delf.ALF.2
BitDefender                     RO        Trojan.Downloader.Delf.ALF
CAT (quickheal)                 IN        TrojanDownloader.Delf.bfu
Eset (nod32)                    US        Win32/TrojanDownloader.Delf
Fortinet                        US        W32/Delf.ALF!tr.dldr
F-Secure                        FI        Trojan-Downloader.Win32.Delf.bfu
Ikarus                          AT        Trojan-Downloader.Delf.ALF
Kaspersky                       RU        Trojan-Downloader.Win32.Delf.bfu
Panda                           ES        Trj/Downloader.PAG
Prevx                           GB        Trojan.DownZero
Securecomputing (webwasher)     US        Win32.ModifiedUPX.gen!90 (suspicious)
Sophos                          GB        Mal/Basine-C
VirusBlokAda (vba32)            BY        Trojan-PSW.Game.63 ()
Making it easy for bad guys with money to do what it used to take a geek with brains to do
http://www.theregister.com/2007/08/15/shark_trojan_creation_kit/
The article claims the kit has VMware detection capabilities along with debugger detection. This is just yet another tool that makes malware creation simpler for the bad guys with money. I have not seen a copy of this toolkit yet, but hope one of the “good guys” is analyzing it.