Wednesday, June 27, 2007

Exploits Serving Domains

More leads from the previous analysis of the MPack-embedded dekalab.info, this time with an emphasis on a particular malicious domain farm. Multiple redirectors, blackhat SEO, XOR-based JavaScript obfuscation and a rootkit installed at the end of the chain: pretty much everything is in place as usual. The majority of the redirectors are part of an exploit serving domains farm. The whole process starts from trancer.biz:

trancer.biz/sys/index.php
81.95.149.176
HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: cawajanga.biz/ts/in.cgi?oscorp

HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: blooded.biz/2103/index.php

Then we get redirected to blooded.biz's obfuscated payload, hosted on 81.95.149.176, which in between loads cawajanga.biz/ts/in.cgi?oscorp and mobi-info.ru. The deobfuscated XOR-ified JavaScript leads us to the exact payload location, and the file served there is detected as Rootkit.Win32.Agent.fb:

File size: 7503 bytes
MD5: 09994afd14b189697a039937f05f440f
SHA1: b9832689aa1272f39959087df41cea13fc283910
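As an added example (not part of the original post), the following Python script reconstructs a redirect chain like the one above from a pasted capture of 302 responses and counts the cross-domain hops, the signal that makes a redirector farm stand out from an ordinary site-internal redirect. The capture embedded below is constructed from the two responses quoted in the post; the starting URL and the `parse_chain`/`cross_domain_hops` helper names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two 302 responses quoted in the post, pasted as one capture.
# Location values lack a scheme, exactly as they appear on the page.
CAPTURE = """\
HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: cawajanga.biz/ts/in.cgi?oscorp

HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: blooded.biz/2103/index.php
"""

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")

def host_of(url):
    """Return the host part of a URL, tolerating scheme-less values as pasted in the post."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""

def parse_chain(start_url, capture):
    """Split a capture into responses and follow each 3xx Location header.
    Returns the ordered list of URLs visited, beginning with start_url."""
    chain = [start_url]
    for block in capture.strip().split("\n\n"):
        lines = block.splitlines()
        m = STATUS_RE.match(lines[0])
        if not m or not m.group(1).startswith("3"):
            break  # the chain ends at the first non-redirect response
        headers = {k.strip().lower(): v.strip()
                   for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
        if "location" not in headers:
            break
        chain.append(headers["location"])
    return chain

def cross_domain_hops(chain):
    """Count hops that land on a different host than the previous one; in a
    redirector farm every hop is cross-domain, unlike a normal site redirect."""
    hosts = [host_of(u) for u in chain]
    return sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
```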
