![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgly_xKqe5S1KmDZ-mFITpC_TsRQn2bp2EsGfpa312GkD8wBWl3GQzjFYUAvOd2LL_bfTopQCX5vsbIBpMenkFqPUqXItglu9VmOHTpA-RCmxOXPsaqisyxaQVfVFlzfStxFb204g/s200/rulife.info.jpg)
Input URL: _http://rulife.info/traffic/go.php?sid=1
Effective URL: _http://greencunt.org/crap/index.php
Responding IP: 203.223.159.110
Name Lookup Time: 1.290261
Total Retrieval Time: 5.987628
=> _http://rulife.info/traffic/go.php?sid=1
=> _http://xorry.org/backup/atds/out.php?s_id=1
=> _http://greencunt.org/crap/index.php
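The three-hop chain above (input URL, intermediate traffic-distribution script, effective URL on a third domain) is what a defender's URL tracer should record without ever rendering the final page. The following is an added example, not code from the original post or from any tool it mentions: a small redirect-chain resolver that follows Location headers hop by hop, resolves relative redirects, caps the hop count, detects loops, and reports how many distinct hosts the chain crossed. The domain names and the in-memory response table are constructed stand-ins so the script runs offline; `live_fetch` is an assumed helper that issues HEAD requests with the standard library and never downloads or executes page content.

```python
import http.client
import urllib.parse
from typing import Callable, Dict, List, Optional, Tuple

MAX_HOPS = 10
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed, offline stand-in for a fetcher: URL -> (HTTP status, Location header or None).
# Mirrors the shape of the chain in the post: landing script -> TDS "out" script -> final page
# on a third host, plus a self-referencing pair to exercise loop detection.
FAKE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "http://first.example/traffic/go.php?sid=1": (302, "http://second.example/atds/out.php?s_id=1"),
    "http://second.example/atds/out.php?s_id=1": (302, "http://third.example/crap/index.php"),
    "http://third.example/crap/index.php": (200, None),
    "http://loop.example/a": (302, "/b"),   # relative Location, resolved against the current URL
    "http://loop.example/b": (302, "/a"),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline fetcher backed by the constructed table; unknown URLs behave as 404."""
    return FAKE_RESPONSES.get(url, (404, None))


def live_fetch(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """Assumed live helper: one HEAD request, redirects NOT followed, body never read.
    Some redirect scripts only answer GET; if so switch the method but still discard the body."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("HEAD", path, headers={"User-Agent": "chain-tracer/0.1"})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


def resolve_chain(url: str,
                  fetch: Callable[[str], Tuple[int, Optional[str]]],
                  max_hops: int = MAX_HOPS) -> Dict[str, object]:
    """Follow redirects from `url`, returning every hop, the effective URL and a status:
    'ok' (non-redirect 2xx/3xx reached), 'unresolved' (4xx/5xx), 'loop', or 'too_many_hops'."""
    hops: List[str] = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_STATUSES or not location:
            outcome = "ok" if status < 400 else "unresolved"
            return {"hops": hops, "final": current, "final_http_status": status, "status": outcome}
        nxt = urllib.parse.urljoin(current, location)  # handles relative Location values
        hops.append(nxt)
        if nxt in seen:
            return {"hops": hops, "final": nxt, "final_http_status": status, "status": "loop"}
        seen.add(nxt)
        current = nxt
    return {"hops": hops, "final": current, "final_http_status": None, "status": "too_many_hops"}


def distinct_hosts(hops: List[str]) -> List[str]:
    """Ordered list of unique hostnames touched by the chain; more than one is worth flagging."""
    hosts: List[str] = []
    for h in hops:
        name = urllib.parse.urlsplit(h).hostname or ""
        if name not in hosts:
            hosts.append(name)
    return hosts


def describe(result: Dict[str, object]) -> str:
    """Render a chain the way the tracer output in the post does (one '=>' line per hop)."""
    lines = ["=> " + h for h in result["hops"]]
    lines.append("Effective URL: %s (%s)" % (result["final"], result["status"]))
    lines.append("Hosts crossed: %d" % len(distinct_hosts(result["hops"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(resolve_chain("http://first.example/traffic/go.php?sid=1", fake_fetch)))
    print(describe(resolve_chain("http://loop.example/a", fake_fetch)))
```

Swapping `fake_fetch` for `live_fetch` turns this into a working tracer; keeping the fetch as a HEAD with no body read is what makes it safe to point at a suspect landing URL, and a chain that crosses two or more hosts before settling is the pattern to alert on.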
What follows is the (sandboxed) infection:
file: Write C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\sysykiz.exe
Several more URLs are to be found at the "green" domain as well:
_http://greencunt.org/anna/fout.php
_http://greencunt.org/spl1/index.php
Although the tool is outdated compared to the mature malware platforms and exploitation kits I'll be covering in upcoming posts, the leak
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2bf5RXjJ1s0MPFRz4stm9gp7SwisTssLrhDNZqhp6mAsP3EPmUvHV0pY_53MbwHjqHKwTlf2b0BU3ZCk7a9AAdimelL0m7XOXqkrVZQvPExqIAz9-CwKlLKTCOEg7ZtVqqJslcg/s200/web_atkr.jpg)
In case you're interested in proof that attackers are still successfully infecting victims by using vulnerabilities for which patches were released months ago, here's another URL that exploits two vulnerabilities at once, namely:
MDAC ActiveX code execution (CVE-2006-0003)
IE COM CreateObject Code Execution (MS06-042)
The domain in question is _http://www.avvcc.com, and the URL is _http://www.avvcc.com/lineage/djyx.htm