It is interesting to see that the WebAttacker kit can still be found in the wild. Here are its redirectors in action, as recorded by a URL lookup tool (the "=>" lines are the hops, from the input URL to the landing page):
Input URL: _http://rulife.info/traffic/go.php?sid=1
Effective URL: _http://greencunt.org/crap/index.php
Responding IP: 203.223.159.110
Name Lookup Time: 1.290261
Total Retrieval Time: 5.987628
=> _http://rulife.info/traffic/go.php?sid=1
=> _http://xorry.org/backup/atds/out.php?s_id=1
=> _http://greencunt.org/crap/index.php
What follows is the (sandboxed) infection. The sandbox log shows the Internet Explorer process itself writing a binary to the root of the system drive, which is the exploit's payload being dropped through the browser:
file: Write C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\sysykiz.exe
Several more URLs are hosted on the "green" domain as well:
_http://greencunt.org/anna/fout.php
_http://greencunt.org/spl1/index.php
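As an added example (not part of the original post and not code from the WebAttacker kit), here is a small Python script that walks a redirector chain of the kind shown above and records every hop, the way the lookup tool output does. It follows HTTP 3xx Location headers, meta refresh tags and simple JavaScript location assignments, the three mechanisms traffic-distribution scripts commonly use; which of them go.php and out.php actually used is not visible on the page, so those, the browser-like User-Agent and the hop limit are assumptions. The embedded sample responses are constructed to mirror the three-hop chain above and are not real captures, which lets the script run offline; pass fetch_once to follow_chain to run it against a live URL from an isolated analysis box.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Client-side redirect mechanisms typically used by redirector/TDS pages.
# Assumption: the page does not show which mechanism the real chain used.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*'
    r'["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so that every hop is observed individually."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_once(url, timeout=10):
    """Fetch one URL without following redirects; returns (status, headers, body).
    Header names are lower-cased; the body is decoded leniently for regex scanning."""
    opener = urllib.request.build_opener(NoRedirect)
    # Assumption: an MSIE-like User-Agent, since redirectors often serve
    # different chains to non-browser clients.
    req = urllib.request.Request(url, headers={
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            headers = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, headers, resp.read(65536).decode("latin-1", "replace")
    except urllib.error.HTTPError as e:  # raised for 3xx because of NoRedirect
        headers = {k.lower(): v for k, v in e.headers.items()}
        return e.code, headers, (e.read(65536) or b"").decode("latin-1", "replace")


def next_hop(url, status, headers, body):
    """Where this response sends the browser next, or None for a landing page."""
    if 300 <= status < 400 and headers.get("location"):
        return urljoin(url, headers["location"])
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    if m:
        return urljoin(url, m.group(1))
    return None


def follow_chain(url, fetch=fetch_once, max_hops=10):
    """Walk a redirector chain and return the hops, first to last.
    Stops at a landing page, on a loop (URL already seen) or at max_hops."""
    hops = [url]
    seen = {url}
    while len(hops) <= max_hops:
        status, headers, body = fetch(hops[-1])
        nxt = next_hop(hops[-1], status, headers, body)
        if nxt is None or nxt in seen:
            break
        hops.append(nxt)
        seen.add(nxt)
    return hops


# Constructed sample responses modelled on the chain in the post (not real
# captures): hop 1 answers with a 302, hop 2 with a meta refresh, hop 3 lands.
SAMPLE = {
    "http://rulife.info/traffic/go.php?sid=1":
        (302, {"location": "http://xorry.org/backup/atds/out.php?s_id=1"}, ""),
    "http://xorry.org/backup/atds/out.php?s_id=1":
        (200, {"content-type": "text/html"},
         '<html><head><meta http-equiv="refresh" '
         'content="0;url=http://greencunt.org/crap/index.php"></head></html>'),
    "http://greencunt.org/crap/index.php":
        (200, {"content-type": "text/html"}, "<html><body>landing</body></html>"),
}


def sample_fetch(url):
    """Offline stand-in for fetch_once backed by the constructed SAMPLE table."""
    return SAMPLE.get(url, (404, {}, ""))


if __name__ == "__main__":
    for i, hop in enumerate(follow_chain("http://rulife.info/traffic/go.php?sid=1",
                                         fetch=sample_fetch)):
        print(f"{i} => {hop}")
```

Two points a practitioner should keep in mind: the chain you observe may not be the one a victim gets, because redirector scripts routinely key on User-Agent, Referer and source IP, so record the request headers you used alongside the hops; and the loop check plus hop limit are not optional, since a redirector that bounces between two hosts will otherwise never return.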
Although the tool is outdated compared to the mature malware platforms and exploitation kits I'll be covering in upcoming posts, the leak of its source code made it easy for anyone to tweak it for their own needs and simply feed it undetectable binaries, new vulnerabilities, and newly registered domains, or hijacked ones taken over through web application vulnerabilities, for instance.
In case you're interested in proof that attackers are still successfully infecting victims using vulnerabilities for which patches were released months ago, here's another URL that exploits two vulnerabilities at once, namely:
MDAC ActiveX code execution (CVE-2006-0003, patched in MS06-014, April 2006)
IE COM object instantiation code execution (MS06-042, August 2006)
The domain in question is _http://www.avvcc.com, with the exploit page at _http://www.avvcc.com/lineage/djyx.htm
Wednesday, May 30, 2007
The WebAttacker in Action