Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: salefale-dot-com is bad - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
salefale-dot-com is bad

We are currently analyzing several reports on sites that contain malicious iframes from google-analitics-dot-net (no, this has nothing to do with the real Google).  The iframes redirect to several sub-domains under salefale-dot-com, where a big pile of exploits lurks. All 8 exploits that we identified so far in the end download the same EXE (Virustotal Link). The pretty good coverage that this fresh file already has indicates that many people must have tripped over those malicious iframes today and sent them in to the AV companies.

The image above shows a small section of the malicious iframe as dished out by salefale-dot-com. The code politely checks to see which version of Adobe Acrobat is installed, and then serves up the PDF exploit most digestible to the target at hand - ranging from the old "collab.geticon" to the recent "media.newplayer" vulnerability.

google-analitics-dot-net, by the way, has interesting whois information ... the domain is registered to ??? in the state of Taliban.  <sarcasm> Some DNS registrars are obviously doing their utmost to catch bogus domain registrations </sarcasm>.

A special thanks to ISC reader Tom for his detailed report, and to Jan B for spotting this one early on!

Daniel

367 Posts
ISC Handler
This particular domain, google anilitics has been around since 2008. Do you mean to imply that attacks related due to this particular domain are on the rise?

-A
Anonymous
It looks like the former "owner" of this domain let the registration expire in December 09, and a different gang of malware crooks snapped it up. Yes, we verified several reports today with samples off both domains that were clearly malicious.
Daniel

367 Posts
ISC Handler
This domain joins many others registered with similar information. A search for the phone number, 84.4562425583, shows registrations and domains associated with 419 scams, banking scams, malware (including Zeus botnets).
bonsaiviking

5 Posts

Sign Up for Free or Log In to start participating in the conversation!