Author Topic: This fake Intuit s p a m leads/led to malware on forumligandaz dot ru (Read 2563 times)

polonus · « **on:** February 26, 2013, 10:10:58 PM »

See: http://urlquery.net/report.php?id=1130297
IDS alert for XPLOIT-KIT Blackhole v2 landing page - specific structure
see attached image of browser specific malcode (IE and fx only)
see: https://www.virustotal.com/en/url/9470dfda27a722d566219310421cc00586fb87c84be17d644bf1972f4f33ffc8/analysis/1361911866/
Read the write up on this so-called Intuit spam: http://blog.dynamoo.com/2013/02/intuit-spam-forumligandazru.html (link article author = Conrad Longmore)
Avast does not block: htxp://forumligandaz.ru:8080/forum/links/column.php (-> http://whoistory.com/2013/02/17/forumligandaz.ru.html )
But with file viewer I get: Your server has refused the connection from the File Viewer! for the above URL....
Luckily does not seem to resolve: HTTP/1.1 502 Bad Gateway
Server: nginx/1.0.10 IP 31.200.240.153 nada here: http://www.ipvoid.com/scan/31.200.240.153/
Date: Tue, 26 Feb 2013 21:07:22 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding

polonus

Pondus · « **Reply #1 on:** February 26, 2013, 11:57:20 PM »

Jotti
http://virusscan.jotti.org/en/scanresult/1cc741f29c5d32bf4e15319aa2157b480dbc33d0

polonus · « **Reply #2 on:** February 27, 2013, 12:01:28 AM »

Thank you, Pondus.
So we have detection as avast detects this as JS:Redirector-AFO,

polonus

P.S. Remember we have been looking into that malcode last November: http://forum.avast.com/index.php?topic=110553.0

D

Author Topic: This fake Intuit s p a m leads/led to malware on forumligandaz dot ru (Read 2563 times)

polonus

This fake Intuit s p a m leads/led to malware on forumligandaz dot ru

Pondus

Re: This fake Intuit s p a m leads/led to malware on forumligandaz dot ru

polonus

Re: This fake Intuit s p a m leads/led to malware on forumligandaz dot ru