AlphaCentauri
SIRT Handler Premium Member
Joined: Nov 20, 2003 Posts: 2898
Posted: Sun Aug 17, 2008 6:49 pm Post subject: Fake security software

Spammed link http://www.vo-software.de/1.html is advertised as being a Britney Spears video. It is actually an animated gif of a video loading. I have NoScript, and the site does absolutely nothing in my browser. But I can see an iframe which links to 79.135.167.18/antivirus/
The only reverse DNS I can find for 79.135.167.18 is ns1.maseratto.info . I add the directory name and voilà!
ns1.maseratto.info/antivirus/ is the same page. (maseratto.info, on the other hand is a blank page, and maseratto.info/antivirus/ fails to load.)
Both claim to offer "Antivirus XP 2008." Again, without javascript, the site does nothing and I can't find what the URL of the payload is. But I would be highly surprised if a visitor running ActiveX and Javascript would come away without a malware infection.
tetak
MIRT Team Lead Premium Member
Joined: Jan 19, 2007 Posts: 5879

AlphaCentauri
SIRT Handler Premium Member
Joined: Nov 20, 2003 Posts: 2898
Posted: Sat Aug 30, 2008 6:30 pm Post subject:

http://www.dhs.com.co/index99.html has been getting spammed for several days, and the download, video99.exe, is well-detected: http://www.virustotal.com/analisis/0f5f9aa7372a3896418204f5e5e3de0b
But the site hasn't gotten cleaned yet.
I tried to visit dhs.com.co to find a contact link, and it's one of those stupid sites that won't let you enter if you don't let their .swf file run. (Hel-looo! I'm here precisely because the files on your site can't be trusted!) But I found an iframe on that page: http://www.dhs.com.co/stat.html, which refreshes to http://79.135.167.18/cgi-bin/index.cgi?user2
I'm over my depth figuring out what I can learn from that link, and there is no "video99.exe" file there. But there is an "install.exe" which is a different download, also fairly well detected: http://www.virustotal.com/analisis/1764cba4b13d39f11757b3af21c02236
What's the story on 79.135.167.18? It's well known at Spamhaus (http://www.spamhaus.org/query/bl?ip=79.135.167.18) as part of an IP range controlled by criminals. It would seem to be a good idea for ISPs to block access to it if so many of these hacked sites seem to depend on it.
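A small static-triage script of the kind this inspection calls for, added here as an example (it is not from the thread and not code from any of the posters): it pulls iframe sources and meta-refresh targets out of saved HTML without executing any script, the way the NoScript-based look above does by hand, and flags targets that are hidden or point at a bare-IP host, as in the 79.135.167.18 case. The sample pages are constructed stand-ins that mirror the structure described, not captures of the real sites.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages (not captures of the real sites) mirroring the structure
# described above: a hidden iframe to a bare-IP host, and a meta refresh to a CGI URL.
SAMPLE_PAGES = {
    "index99.html": """<html><body><img src="loading.gif">
        <iframe src="http://79.135.167.18/antivirus/" width="0" height="0"
                style="display:none"></iframe></body></html>""",
    "stat.html": """<html><head><meta http-equiv="refresh"
        content="0; url=http://79.135.167.18/cgi-bin/index.cgi?user2"></head></html>""",
}

class RedirectCollector(HTMLParser):
    """Collects iframe/frame src values and meta-refresh targets; no script is executed."""
    def __init__(self):
        super().__init__()
        self.found = []  # (kind, url, hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag in ("iframe", "frame") and a.get("src"):
            # zero-size or display:none frames are the classic drive-by loader pattern
            hidden = "0" in (a.get("width"), a.get("height")) or "display:none" in (a.get("style") or "").replace(" ", "")
            self.found.append((tag, a["src"], hidden))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            if m:
                self.found.append(("meta-refresh", m.group(1), False))

def is_bare_ip(host):
    """True when the host part is a literal IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(html):
    """Return [(kind, url, hidden, bare_ip)] for every embedded redirect in the HTML."""
    p = RedirectCollector()
    p.feed(html)
    return [(k, u, h, is_bare_ip(urlsplit(u).hostname or "")) for k, u, h in p.found]

if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        for hit in triage(html):
            print(name, *hit)
```

Run it against a page saved with scripting disabled; each hit is a URL worth a reverse-DNS and blocklist check before anyone visits it.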
Spockish
Captain
Joined: May 19, 2006 Posts: 340
Posted: Sun Aug 31, 2008 12:00 pm Post subject:

Why should ISPs have to block it?
Why isn't the damn IP address demolished by a responsible authority?
AlphaCentauri
SIRT Handler Premium Member
Joined: Nov 20, 2003 Posts: 2898
Posted: Sun Aug 31, 2008 2:40 pm Post subject:

Spockish wrote:
> Why should ISPs have to block it?
> Why isn't the damn IP address demolished by a responsible authority?

It's a Turkish ISP. I'd love to see the EU require Turkey to wrest control of their IP range back from the Russian Business Network as a condition of membership, since Turkey does seem motivated to do what it takes to be accepted.
tetak
MIRT Team Lead Premium Member
Joined: Jan 19, 2007 Posts: 5879