Author Topic: Unknown html = s p a m seo malware


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34067
  • malware fighter
Unknown html = s p a m seo malware
« on: February 21, 2013, 09:23:04 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Unknown html = s p a m seo malware
« Reply #1 on: February 21, 2013, 09:56:46 PM »
« Last Edit: February 21, 2013, 10:03:35 PM by Pondus »

Offline polonus

Re: Unknown html = s p a m seo malware
« Reply #2 on: February 21, 2013, 10:40:09 PM »
Hi Pondus,

Thank you very much for checking,

polonus

Offline polonus

Re: Unknown html = s p a m seo malware
« Reply #3 on: February 22, 2013, 09:55:23 PM »
What is the malware here? Unknown html = tracking: http://urlquery.net/report.php?id=1073320 (nothing)
http://www.urlvoid.com/scan/alec.tv/ (nothing)
Potential suspicious: wXw.alec.tv/wp-content/plugins/wp-lightboxJS/lightbox.js benign
[nothing detected] (script) wXw.alec.tv/wp-content/plugins/wp-lightboxJS/lightbox.js
     status: (referer=wXw.alec.tv/)saved 12015 bytes 091957fb24d31cb11763dd94049961b91abde382
     info: [decodingLevel=0] found JavaScript
     error: undefined function document.getElementsByTagName("body").item
     suspicious:
Flagged here: https://www.virustotal.com/nb/url/c0d3a1e74937474bea3faa636b12956f83e8cc3e758c347a6ef864f4709f2f90/analysis/1361565274/
Evidence of twitter SEO spam malware: http://support.clean-mx.com/clean-mx/view_evidence?id=9552486&table=viruses (htxp://www.wpshower.com)
line 194 has 194: < li> < a href="mailto:wpshowerATgmail dot com" title="E-mail"> Send me an E-mail< /a> < /li>
Also read: http://www.makeuseof.com/tag/5-tips-tricks-avoid-facebook-phishing-scams/ (link article author = Nancy Messieh) on Facebook scams! Facebook phishing...

polonus
« Last Edit: February 22, 2013, 10:21:11 PM by polonus »


Offline polonus

Re: Unknown html = s p a m seo malware
« Reply #5 on: February 23, 2013, 02:10:31 PM »
Hi Pondus,

And what about this unknown html, flagged by clean-mx VM: Up(nil):   unknown_html   ARIN   US   abuse at support.olm dot net   65.18.171.86    to 65.18.171.86   tinbuent.com   htxp://www.tinbuent.com/ent/js/tinbuEntertainment.js
Nothing here: http://sitecheck.sucuri.net/results/www.tinbuent.com nor here: http://www.urlvoid.com/scan/tinbuent.com/
Obfuscated js decodes to this link:  src='htxp://www.tinbuadserv.com/js/integrate/ads_common.js
from wXw.tinbuserver.com/tbst/go.php -> var tbxldnebs = "rmxb6a99c694s8t207195h83kkj083a422mq7r4golix0";
wXw.tinbuent.com/ent/new/js/integrate/module.js to a chunk of obfuscated script decoding to Quantcast code...
See: -http://jsunpack.jeek.org/?report=d8e7341a335ec946e0078432fdfe6c73b94dc0b0 (for the security aware only, visit link with NoScript and RequestPolicy extensions active and in a VM/sandbox) for code see attached image
And here it is finally alerted for what it is: http://urlquery.net/report.php?id=1080208
IDS alert: ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding
Gmane lists this group of alerts here: Various Shellcode/Obfuscation: http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/8916
(link article author = Kevin Ross) Read a Sophos write-up on this: http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/malware-with-your-mocha.aspx (link article author = Fraser Howard)

pol
« Last Edit: February 23, 2013, 02:32:36 PM by polonus »


Offline polonus

Re: Unknown html = s p a m seo malware
« Reply #7 on: February 23, 2013, 05:52:07 PM »
Hi Pondus,

Here we have a plethora of such IDS alerts for IP 174.132.148.57: http://urlquery.net/report.php?id=1079518
2013-02-23 13:24:28    174.132.148.57    urlQuery Client   2   ET WEB_CLIENT Hex Obfuscation of document.write % Encoding
2013-02-23 13:24:28    174.132.148.57    urlQuery Client   2   ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding
2013-02-23 13:24:28    174.132.148.57    urlQuery Client   2   ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding
2013-02-23 13:24:28    174.132.148.57    urlQuery Client   2   ET WEB_CLIENT Hex Obfuscation of substr % Encoding
2013-02-23 13:24:28    174.132.148.57    urlQuery Client   2   ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
2013-02-23 13:24:28    174.132.148.57    urlQuery Client   2   ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding
2013-02-23 13:24:29    urlQuery Client    64.74.223.37   2   ET CURRENT_EVENTS TDS Sutra - request in.cgi
2013-02-23 13:24:29    urlQuery Client    64.74.223.37   2   ET CURRENT_EVENTS TDS Sutra - request in.cgi
4 blacklist rankings: http://www.urlvoid.com/scan/lawofattractionworld.com/
see: http://yandex.com/yandsearch?text=lawofattractionworld.com%2F
Compare: http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-December/010879.html 
credits posted by Kevin Ross

polonus
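As an added illustration (not code from this thread or from urlQuery/Emerging Threats), here is a small Python check that mirrors what the ET WEB_CLIENT "Hex Obfuscation of ... % Encoding" alerts quoted above look for: the named JavaScript keywords hidden inside runs of %XX escapes that only become visible after unescape(). The keyword list is taken from the alert names in the report; the sample script and the example.invalid host are constructed.

```python
import re

# Keywords named in the ET WEB_CLIENT "Hex Obfuscation ... % Encoding"
# alerts quoted in this thread (the tag check covers "Script Tag").
WATCHED = ("document.write", "charCodeAt", "String.fromCharCode",
           "substr", "unescape", "<script")

# A run of two or more %XX escapes; single escapes (e.g. "%20" in a
# URL) are normal and are deliberately not treated as obfuscation.
_PCT_RUN = re.compile(r'(?:%[0-9A-Fa-f]{2}){2,}')


def decode_pct_runs(text):
    """Return the decoded form of every run of two or more %XX escapes."""
    runs = []
    for m in _PCT_RUN.finditer(text):
        raw = bytes.fromhex(m.group(0).replace('%', ''))
        runs.append(raw.decode('latin-1'))  # byte-for-byte, never fails
    return runs


def hex_obfuscation_hits(text):
    """Watched keywords that appear inside %-encoded runs in `text`.

    Only the decoded runs are inspected, so a plain-text "unescape("
    wrapper does not count; what matters is what it would reveal.
    Comparison is case-insensitive because HTML tag names are.
    """
    decoded = "".join(decode_pct_runs(text)).lower()
    return sorted(k for k in WATCHED if k.lower() in decoded)


def pct_encode(s):
    """%XX-encode every byte of `s` (used to build the constructed sample)."""
    return "".join("%%%02x" % b for b in s.encode())


# Constructed sample: an injected loader of the shape the alerts describe,
# hiding a document.write of a <script> tag behind unescape().
SAMPLE = ("eval(unescape('"
          + pct_encode('document.write(\'<script src="http://example.invalid'
                       '/x.js"></script>\')')
          + "'))")

if __name__ == "__main__":
    print(hex_obfuscation_hits(SAMPLE))
```

A hit list of more than one keyword from a single page is a stronger signal than any one entry, which is exactly the pattern the urlQuery report above shows.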

Offline polonus

Re: Unknown html = s p a m seo malware
« Reply #9 on: February 25, 2013, 04:56:32 PM »
Unknown html malware. Only flagged by viruswatch clean-mx -> http://urlquery.net/report.php?id=1117711
The location line in the header above has redirected the request to: /   is left blank (probably adware - see analysis below)
Intrusion Detection Systems
IDS   Alert 2013-02-25 16:38:08   urlQuery Client   95.100.2.110   severity: 2   ssp_ssl: Invalid Client HELLO after Server HELLO Detected
These snort alerts should probably be suppressed... but could be due to a SOAP exception for "htxps://a248.e.akamai.net/betterad.download.akamai.com/91609"
Nothing on external link to: htxp://logi118.xiti.com/hit.xiti?s=457972&s2=&p=&di=&an=&ac= (requested page button?)
Consider this report: http://www.seocert.net/analyzer.rustica.fr
Vulnerable on the site is PHP/5.3.2-1ubuntu4.14, see the header returned by the request for: htxp://www.rustica.fr/articles-jardin/calendrier-travaux
http://unhackable.org/?tag=php  and here: http://www.devquotes.com/2011/06/15/php-cve-2011-2202/

polonus
« Last Edit: February 25, 2013, 05:05:34 PM by polonus »

Offline polonus

Re: Unknown html = Trojan.Win32.Sasfis?
« Reply #10 on: February 27, 2013, 10:15:34 PM »
And what is out here? See: https://www.virustotal.com/en/url/c081057796c239fe0347c942bda398cb85e0912941f182214fa52d8fbaf12bd1/analysis/1361988982/
and
http://urlquery.net/report.php?id=1173917
phish and spam (iframe) reg.163 dot com/all.do
     status: (referer=wXw.lofter.com/mailEntry.do?blogad=1&blog)
code hiccup:
b1.bst.126 dot net/newpage/r/j/pc.js?v=1361935498086 benign
[nothing detected] (script) b1.bst.126 dot net/newpage/r/j/pc.js?v=1361935498086
     status: (referer=byleilei.blog.163 dot com/blog/static/2168350572013112545795/)saved 166831 bytes 7654abe071adb5888582ea8d1db40b0636103b03
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [javascript variable] URL=t.163.com/service/newMessage/
     info: [javascript variable] URL=msg.mail.163 dot com
     info: [javascript variable] URL=msg dot mail.
     info: [javascript variable] URL=api.blog.163 dot com/cap/captcha.jpgx?parentId=
     info: [iframe] b1.bst.126 dot net/newpage/r/j/
     info: [iframe] blog.163 dot com/pub/services/msnconnectnew.html
     info: [img] b1.bst.126 dot net/newpage/r/j/
     info: [img] b.bst.126 dot net/style/common/loading.gif
     info: [iframe] blog.163 dot com/pub/services/aipaiSpread.html?t=
     info: [decodingLevel=0] found JavaScript
     suspicious:
Here we may have what we were looking for: http://www.threatexpert.com/report.aspx?md5=f4b981cbfedfec6ea63d228f2b2ad0fc
....Trojan.Win32.Sasfis

pol