Throughout my daily incident response thought process I contemplate whether any given issue is the result of a new "Web 2.0 worm". Well, I didn’t necessarily find a new one in this case, but I almost can't avoid stumbling into surges of fast flux network activity. What follows here is not new, but certainly worthy of rehashing the state of flux.
If we "Flash back" to the
The malicious life cycle of this specific flux net is maintained through:
Only the domains and IPs of the innocent have been changed.
If you are unlucky enough to fall prey [or intentionally fall prey!] during a visit to one of the many Flux net hosted MySpace Phish sites: (By no means is the following an attempt to build a complete list of active flux domains, I can't cut/paste faster than domains are being registered)
*** LIVE BROWSER EXPLOIT CODE - BE WARNED ***
http://profile.mysp ace.com.fuseaction.id.user.viewprofile.198 7383.cn/
The resulting drive-by would attempt to add your computer to the fast flux fold and begin its iframe journey through the inclusion of:
http://currentses sion.net/session/file.php (file.exe)
I'm going to skip the technical deep dive involved in footprinting the local host activity for a host that has been compromised and on which file.exe was executed. I will only offer that the criminal goal has been accomplished. A Fast Flux proxy node has been deployed and you would find that both
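As an added example (not code from the diary or the ISC), here is one defensive heuristic for spotting a domain that is being served from a flux net like the one above: repeated lookups keep returning short-TTL answers that rotate through many different addresses. The DNS answers below are constructed, and the thresholds are assumptions for illustration, not values from the diary.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: successive DNS answers observed for two domains.
# Each tuple is (domain, ttl_seconds, [A records]). All values are made up.
SAMPLE_ANSWERS = [
    ("phish-example.invalid", 300, ["198.51.100.7", "203.0.113.21", "192.0.2.55"]),
    ("phish-example.invalid", 300, ["203.0.113.80", "198.51.100.9", "192.0.2.130"]),
    ("phish-example.invalid", 300, ["192.0.2.201", "203.0.113.144", "198.51.100.77"]),
    ("phish-example.invalid", 300, ["198.51.100.200", "192.0.2.9", "203.0.113.3"]),
    ("static-example.invalid", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("static-example.invalid", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("static-example.invalid", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("static-example.invalid", 86400, ["192.0.2.10", "192.0.2.11"]),
]

@dataclass
class FluxScore:
    domain: str
    queries: int
    distinct_ips: int
    min_ttl: int
    churn: float        # fraction of answers whose IP set differs from the previous one
    suspicious: bool

def score_domains(answers, max_ttl=600, min_distinct=6, min_churn=0.5):
    """Flag domains whose answers keep rotating through many short-lived IPs.

    Thresholds are assumptions for this example; tune them to your own data.
    """
    by_domain = defaultdict(list)
    for domain, ttl, ips in answers:
        by_domain[domain].append((ttl, frozenset(ips)))
    results = {}
    for domain, seen in by_domain.items():
        ip_sets = [s for _, s in seen]
        distinct = set().union(*ip_sets)
        changes = sum(1 for a, b in zip(ip_sets, ip_sets[1:]) if a != b)
        churn = changes / (len(ip_sets) - 1) if len(ip_sets) > 1 else 0.0
        min_ttl = min(t for t, _ in seen)
        suspicious = (min_ttl <= max_ttl and len(distinct) >= min_distinct
                      and churn >= min_churn)
        results[domain] = FluxScore(domain, len(seen), len(distinct), min_ttl, churn, suspicious)
    return results

if __name__ == "__main__":
    for score in score_domains(SAMPLE_ANSWERS).values():
        print(score)
```

In practice you would feed this from passive DNS or resolver logs rather than a hard-coded list, and the flagged domain is a lead to investigate, not a verdict on its own.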
My T-Shirt today says,
If the NoScript browser plug-in were a person, they would so be on my buddy list. Consider yourself introduced, and it goes without saying, be careful when and where you choose to browse.
Handler on Duty ;)
Dec 7th 2007