Baby, baby!
When Brad went to a web site in search of fluffy clothing for his toddler, little did he know that each page of that baby site was booby-trapped. The bottom of each page contained an obfuscated section, framed by comments claiming that the JavaScript code was for a "Yahoo Counter". Well, it wasn't.
What it did was download a heavily obfuscated JavaScript, followed by a PDF with embedded exploit code, followed by an EXE. The EXE has almost no detection on VirusTotal at this time.
The analysis of this case was a tiny bit more interesting than usual, because the self-defense mechanisms of the obfuscated JavaScript code were pretty good. Whoever wrote this thing probably read my ISC diary on how to patch SpiderMonkey to untangle even obnoxious JavaScript, because when I simply ran the code through my patched SpiderMonkey, what I got was:
daniel@debian:~$ js i.js
File i.js Line 68 calls eval with the following parameter:
//Just f**k off...
The ** have been added, of course. Eventually this protection fell as well, though. If you want to make sure your users haven't been "had" likewise while shopping for baby clothes, check your logs for connections to 218.93.202. 61 and 78.110.175. 21. Don't go there, though; both sites are BAD.
Been updatin' your Flash player lately?
We received a couple of submissions from ISC readers indicating that a new wave of rogue "Flash Player" updates is making the rounds. This latest version is pretty artfully done: the pages hosting this malware actually contain a real Flash movie that is not malicious and plays in a YouTube-like embedded frame. After the movie has been running for a couple of seconds, though, a pop-up opens indicating that a "Flash Player Update is available". It all looks credible enough, like one of the usual auto-update pop-ups, but if you click OK, you get an EXE, which of course isn't really a Flash Player update.
So far, the URLs the malware is coming from all have one thing in common: port 7777 is used. This is rare enough that trawling through your proxy logs for any of your users going to a URL containing :7777/dt might give you a better indication than your anti-virus, because AV coverage (VirusTotal) is only slowly improving.