Friday, June 29, 2007

Exploits Serving Domains - Part Two

The saying goes that there's no such thing as free lunch, so let me expand it - there's no such thing as free pr0n, unless you don't count a malware infection as the price. What follows is a demonstration of the Zlob trojan in action that occurs though the usual redirectors, and here's a related article emphasizing on the IFRAME embedded pr0n sites directing traffic to the redirectors :

"Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so or are being paid to host the IFRAMES," acknowledged Trend Micro. The attack probably began June 17, the company said. Other researchers have continued to dig into the Mpack-based attacks and have shared some of their findings. Symantec Corp., for instance, asked how hackers were able to infect so many sites in such a short time and how they could inject the necessary IFRAMES code -- the malicious code they added to the legitimate sites' HTML that redirected visitors to the Mpack server -- so quickly."

Psst - they are hosting the IFRAMES, whether compromised or equal revenue sharing among the parties is a question of another discussion. The attack is quite widespread in the time blogging, check for yourself to get a full listing of all the IFRAME-ed pr0n sites in question. Let's dissect the central hosting locations where all other sites ultimately lead to.

At miss-krista.info - 66.230.171.36 - we have an IFRAME pointing us to todaysfreevideo.com/ad/6811214.html - 81.0.250.239 - where we are offered to download two pr0n videos, todaysfreevideo.com/teens/mr-tp01-2g2s1/1/movie1.php and todaysfreevideo.com/teens/mr-tp01-2g2s1/1/movie2.php, but the actual malware is hosted at an internal page at downloadvax.com - 85.255.118.180 -- and while as usual we get a 403 Forbidden at the main index, within to domain the pr0n surfer gets infected with the Zlob Trojan.

File size
: 70853 bytes
MD5: 009ca25402ee7994977f706b96383af0
SHA1: ab60ecefcf27420a57febd5c8decc5c9f34f0e74
packers: BINARYRES

Obviously, unsafe pr0n surfing leads to malware transmitted diseases, but why exploit serving domains when no vulnerabilities get exploited at these URLs? Mainly because miss-krista.info is part of the exploits hosting domain farm I discussed in part one.

Related posts:

No comments:

Post a Comment