Meanwhile, dekalab.info is yet another malicious URL exploiting the MDAC ActiveX code execution vulnerability (CVE-2006-0003) for you to analyze, one among the many already patched vulnerabilities used in the latest version of MPack. The question remains - how many zero days are currently exploited in the wild through the MPack kit? The "best" is yet to come; paying attention to the periodic new supply of loaders -- 58.65.239.180 was last updated on Thu, 21 Jun 2007 22:02:08 GMT -- indicates commitment.
Input URL: dekalab.info
Responding IP: 203.121.78.127
203.121.64.0 - 203.121.127.255
TIME Telecommunications Sdn Bhd
Interestingly enough, the original source of the IFRAME attack, 58.65.239.180, remains active, still acting as a redirector to 64.62.137.149/~edit/, which is again an exploit-embedded page generated with the MPack kit:
- 58.65.239.180
58.65.232.0 - 58.65.239.255
HostFresh
- alpha.nyy-web.com (64.62.137.149)
64.62.128.0 - 64.62.255.255
Hurricane Electric
Evasive malware-embedded attacks aim to improve their chances of not getting detected. If your browser cannot be exploited, all you will see at these IPs/URLs is a :[ sign; the rest is the obfuscated JavaScript attack you can see in the screenshot. Here's the deobfuscated reality as well. Periodically monitoring these IPs will turn up a great deal of undetected malware variants. AVs detecting the current payload:
eTrust-Vet - Win32/Chepvil!generic
File size: 7283 bytes
MD5: ae4e60d99ec198c805abdf29e735f1a7
SHA1: b0d1b68460683d98302636ab16a0eaa4b579397d
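As an added triage helper (not code from the original post or from any tool it mentions), the script below takes a fetched landing-page body, checks for the two traits described above (a visible ":[" placeholder plus a script block dominated by percent/hex escapes feeding a decoder such as unescape or eval), and hashes a dropped payload against the MD5/SHA1 indicators listed here. The sample bodies are constructed; the 0.3 escape ratio is an assumed threshold, not a value from the post.

```python
"""Triage helper for MPack-style landing pages (added example, not the post's own code)."""
import hashlib
import re

# Payload indicators quoted in the post.
KNOWN_MD5 = {"ae4e60d99ec198c805abdf29e735f1a7"}
KNOWN_SHA1 = {"b0d1b68460683d98302636ab16a0eaa4b579397d"}

SCRIPT_RE = re.compile(rb"<script[^>]*>(.*?)</script>", re.I | re.S)
TAG_RE = re.compile(rb"<[^>]+>")
ESCAPE_RE = re.compile(rb"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DECODER_RE = re.compile(rb"\b(eval|unescape|String\.fromCharCode|document\.write)\b")
ESCAPE_RATIO_THRESHOLD = 0.3  # assumed threshold for "mostly encoded" script


def analyze_landing_page(body: bytes) -> dict:
    """Summarize the visible text and script traits of one HTTP response body."""
    scripts = b"".join(SCRIPT_RE.findall(body))
    visible = TAG_RE.sub(b"", SCRIPT_RE.sub(b"", body)).strip()
    escaped = sum(len(m) for m in ESCAPE_RE.findall(scripts))
    ratio = escaped / len(scripts) if scripts else 0.0
    uses_decoder = bool(DECODER_RE.search(scripts))
    return {
        "visible_text": visible,
        "script_bytes": len(scripts),
        "escape_ratio": round(ratio, 3),
        "uses_decoder": uses_decoder,
        # Placeholder shown to non-exploitable browsers + encoded script + decoder call.
        "mpack_like": visible == b":[" and uses_decoder
        and ratio >= ESCAPE_RATIO_THRESHOLD,
    }


def match_known_payload(payload: bytes) -> dict:
    """Hash a retrieved payload and compare it with the indicators from the post."""
    md5 = hashlib.md5(payload).hexdigest()
    sha1 = hashlib.sha1(payload).hexdigest()
    return {"md5": md5, "sha1": sha1, "known": md5 in KNOWN_MD5 or sha1 in KNOWN_SHA1}


# Constructed samples: a placeholder page carrying an encoded script, and a benign page.
SAMPLE_LANDING = (b'<html><body>:[<script>var s="%75%6e%65%73%63%61%70%65%28%29";'
                  b"eval(unescape(s));</script></body></html>")
SAMPLE_BENIGN = b"<html><body><p>Hello</p><script>var x = 1;</script></body></html>"

if __name__ == "__main__":
    print(analyze_landing_page(SAMPLE_LANDING))
    print(match_known_payload(b"constructed dummy payload"))
```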
Aruba.it's comments on the case as well. Now, let's move on, shall we?