Baby, baby!

Published: 2008-12-05
Last Updated: 2008-12-05 23:53:49 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

When Brad went to a web site in search of fluffy clothing for his toddler, little did he know that each web page of that baby site was booby trapped. The bottom of each page contained an obfuscated section framed by comments that claimed that the javascript code was for "Yahoo Counter".  Well, it wasn't.

What it did was download a heavily obfuscated Javascript, followed by a download of a PDF with embedded exploit code, followed by a download of an EXE. The EXE has almost no detection (Virustotal) at this time.

The analysis of this case was made a tiny bit more interesting than usual .. because the self defense mechanisms of the obfuscated JavaScript code were pretty good. Whoever wrote this thing probably read my ISC diary on how to patch SpiderMonkey to even untangle obnoxious Javascript. Because when I simply ran the code through my patched Spidermonkey, what I got was:

daniel@debian:~$ js i.js
File i.js Line 68 calls eval with the following parameter:
//Just f**k off...

The ** have been added, of course. Eventually, this protection fell as well though. If you want to make sure your users haven't been "had" likewise while shopping for baby clothes, check your logs for connections to 218.93.202. 61 and 78.110.175. 21 . Don't go there though, both sites are BAD.

Keywords: malware
0 comment(s)

Been updatin' your Flash player lately?

Published: 2008-12-05
Last Updated: 2008-12-05 00:30:36 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)


We received a couple of submissions from ISC readers that indicate that a new wave of rogue "Flash Player" updates is making the rounds. This latest version is pretty artfully done - the pages hosting this malware actually do contain a real flash movie that is not malicious and plays in a Youtube-like embedded frame. After the movie has been running for a couple seconds though, a pop-up opens that indicates that a "Flash Player Update is available". It all looks credibly enough like one of those usual auto-update pop-ups, but if you click OK, you get an EXE which isn't really a Flash player update of course.

So far, the URLs where the malware is coming from all seem to have in common that port 7777 is used. This is rare enough that trolling through your proxy logs for any of your users going to a URL containing :7777/dt might give you a better indication than your anti-virus. Because AV coverage (VirusTotal) is only slowly improving.

 

Keywords: adobe flash malware
0 comment(s)

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives