Author Topic: Real trojan dropper here?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Real trojan dropper here?
« on: March 15, 2012, 07:58:19 PM »
See: htxp://zulu.zscaler.com/submission/show/e66e15874416bdd9a98f60f30828bb1c-1331837415
See: htxps://www.virustotal.com/file/9adc195082d1bfc59baf5a9036c8c60c8d0325934ab3e356ef853f476e2e20ab/analysis/
Analysis see: hxtp://anubis.iseclab.org/?action=result&task_id=1ce5256b86470a4a4416c834172a11b26
Reported to virus AT avast dot com.

polonus
« Last Edit: March 15, 2012, 08:00:45 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37491
  • Not a avast user
Re: Real trojan dropper here?
« Reply #1 on: March 15, 2012, 08:19:25 PM »
Well... difficult to say, since the link is dead: http://www.downforeveryoneorjustme.com/http://tube142-hosting.fartit.com/download-id58046/

But from the zulu link it seems there used to be a flash_player.exe there... since the link is dead, I guess it was fake ;)
http://zulu.zscaler.com/submission/show/9f6699a45bbb88611a57ed582c373ac4-1331838890

Offline polonus

Re: Real trojan dropper here?
« Reply #2 on: March 15, 2012, 11:21:59 PM »
Hi Pondus,

Some links on that page fartit dot com sure were laden with many malicious scripts, trojans and exploits.

Trying to go there, I get a failure: Name or service not known -> resolves to a private IP address.

Accept-Encoding: gzip
GET /submission/show/e66e15874416bdd9a98f60f30828bb1c-1331837415 HTTP/1.0

Received Header Data
HTTP/1.1 403 Forbidden
Date: Thu, 15 Mar 2012 22:08:50 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 336
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /submission/show/e66e15874416bdd9a98f60f30828bb1c-1331837415
on this server.</p>
<hr>
<address>Apache/2.2.14 (Ubuntu) Server at 127.0.0.1 Port 80</address></body></html>

Analysis for fartit dot com found these issues:
This is not encouraging: hxtp://www.mywot.com/en/scorecard/fartit.com?src=addon-popup-donuts
This link there is suspicious: hxtp://www.google.com/safebrowsing/diagnostic?site=http%3A//freeddns.com/
and this outward link  is even worse: htxp://www.google.com/safebrowsing/diagnostic?site=http%3A//freetcp.com/
and then there is this link also with malcontent: htxp://www.google.com/safebrowsing/diagnostic?site=freewww.biz

polonus

« Last Edit: March 15, 2012, 11:23:46 PM by polonus »
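The raw 403 response pasted in the reply above is a small but typical artifact to pick apart: the status line, the Server banner, the declared Content-Length, and the Apache `<address>` footer, which here names `127.0.0.1` as the server's own address. The script below is an added example for this thread, not code posted by polonus or by any of the tools linked (zulu, VirusTotal, Anubis). It reconstructs that response as a constructed sample (laid out the way Apache 2.2 emits its error document, with a line break after `</address>`, which the forum paste had joined onto the next line), parses it without any network access, checks that the body length matches the declared Content-Length, and reports whether the footer's address is a private or loopback IP. The header names and values are taken from the post; the analysis fields and helper names are my own.

```python
"""Parse a raw HTTP/1.x response and extract analyst-relevant details.

Added example, not code from the forum thread.  The sample below is
reconstructed from the 403 posted above; CRLF header line endings and the
newline after </address> are assumed from how Apache 2.2 emits its error
document, which makes the body exactly 336 bytes, the posted Content-Length.
"""
import ipaddress
import re

# Constructed sample: the response pasted in the thread, re-serialised.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Date: Thu, 15 Mar 2012 22:08:50 GMT\r\n"
    b"Server: Apache/2.2.14 (Ubuntu)\r\n"
    b"Vary: Accept-Encoding\r\n"
    b"Content-Length: 336\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<html><head>\n"
    b"<title>403 Forbidden</title>\n"
    b"</head><body>\n"
    b"<h1>Forbidden</h1>\n"
    b"<p>You don't have permission to access "
    b"/submission/show/e66e15874416bdd9a98f60f30828bb1c-1331837415\n"
    b"on this server.</p>\n"
    b"<hr>\n"
    b"<address>Apache/2.2.14 (Ubuntu) Server at 127.0.0.1 Port 80</address>\n"
    b"</body></html>\n"
)

# Apache's default error footer: "<address>BANNER Server at HOST Port N</address>"
ADDRESS_RE = re.compile(
    r"<address>(?P<banner>[^<]*?) Server at (?P<host>[^ <]+) Port (?P<port>\d+)</address>"
)


def parse_response(raw: bytes) -> dict:
    """Split a raw response into version, status, reason, headers and body.

    Header names are lower-cased because they are case-insensitive on the
    wire; a repeated header keeps the last value (good enough for triage).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "version": parts[0],
        "status": int(parts[1]),
        "reason": parts[2] if len(parts) > 2 else "",
        "headers": headers,
        "body": body,
    }


def analyse(raw: bytes) -> dict:
    """Return the fields an analyst wants from a response like the one posted."""
    resp = parse_response(raw)
    headers = resp["headers"]
    body = resp["body"]
    declared = headers.get("content-length")
    declared_len = int(declared) if declared is not None and declared.isdigit() else None
    # Decode the body with the charset the server declared (default ISO-8859-1).
    m = re.search(r"charset=([\w-]+)", headers.get("content-type", ""))
    text = body.decode(m.group(1) if m else "iso-8859-1", errors="replace")
    result = {
        "status": resp["status"],
        "reason": resp["reason"],
        "server": headers.get("server"),
        "content_length": declared_len,
        "body_length": len(body),
        "length_matches": declared_len == len(body),
        "footer_host": None,
        "footer_port": None,
        "footer_is_internal": False,
    }
    footer = ADDRESS_RE.search(text)
    if footer:
        host = footer.group("host")
        result["footer_host"] = host
        result["footer_port"] = int(footer.group("port"))
        try:
            ip = ipaddress.ip_address(host)
            # Loopback or RFC 1918 space in the footer means the ServerName
            # is an internal address, not the public name the client used.
            result["footer_is_internal"] = ip.is_private or ip.is_loopback
        except ValueError:
            pass  # ServerName was a hostname, not a literal address
    return result


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

For the posted response the script reports status 403, the Apache banner, a Content-Length that matches the 336-byte body, and a footer address of 127.0.0.1 flagged as internal. The same parser can be pointed at any saved raw response (for instance one captured with `curl -i` or from a sandbox pcap) to check the header/body consistency and banner before drawing conclusions about a host.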