Thursday, November 29, 2007

Malware Serving Online Casinos

Don't play poker on an infected table, part two. The following three online casinos are currently serving embedded malware in the form of IFRAMEs and the usual JavaScript obfuscation.
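As an added, defender-side example (not code from the original post): a small Python scanner that flags the two indicators described above, hidden IFRAMEs and unescape-based JavaScript obfuscation, when run over a constructed sample page. The host names, the encoded payload and the thresholds are made up for illustration; the casino sites themselves are not referenced.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample page (not from the original post): one ordinary ad iframe,
# one zero-size iframe pointing at a placeholder hostile host, and one script
# using the eval(unescape('%XX...')) pattern typical of injected loaders.
SAMPLE_HTML = """
<html><body>
<h1>Casino lobby</h1>
<iframe src="https://ads.example.com/banner" width="300" height="250"></iframe>
<iframe src="http://hostile.example.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%68%69%22%29'));</script>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Heuristic signatures; the run lengths (8 char codes, 16 %XX pairs) are assumed
# thresholds chosen to skip short legitimate uses.
OBFUSCATION_PATTERNS = {
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "write_unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "fromcharcode_run": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}", re.I),
    "percent_encoded_run": re.compile(r"(?:%[0-9a-f]{2}){16,}", re.I),
}


class PageCollector(HTMLParser):
    """Collect iframe attributes and inline <script> bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # html.parser treats <script> content as CDATA and delivers it here.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (bare number or '0px')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


def extract_scripts(html):
    """Return the inline script bodies of a page, in document order."""
    collector = PageCollector()
    collector.feed(html)
    return collector.scripts


def scan_html(html):
    """Return (kind, detail) findings for hidden iframes and obfuscated inline scripts."""
    collector = PageCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        hidden = (_is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height"))
                  or bool(HIDDEN_STYLE.search(attrs.get("style") or "")))
        if hidden:
            findings.append(("hidden_iframe", attrs.get("src", "")))
    for body in collector.scripts:
        for name, pattern in OBFUSCATION_PATTERNS.items():
            if pattern.search(body):
                findings.append((name, body.strip()[:60]))
    return findings


def decode_unescape_payload(script):
    """Decode the %XX string inside unescape('...') so an analyst can read the next stage.
    Note: JavaScript unescape also accepts %uXXXX, which urllib's unquote does not."""
    m = re.search(r"unescape\s*\(\s*['\"]([^'\"]*)['\"]", script, re.I)
    return unquote(m.group(1)) if m else None


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
    for script in extract_scripts(SAMPLE_HTML):
        print("decoded:", decode_unescape_payload(script))
```

The decoder only unwraps one layer; the post notes that these loaders chain several obfuscations, so in practice an analyst re-runs the scan on each decoded stage rather than executing it.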

The first one is ( with the current obfuscation loading ( where another obfuscation loads; once deobfuscated, it attempts to load p423ck.exe (Zlob) at . Playing around with the host for too long results in zero malicious activity, or at least that is what they want you to think. Here's another internal URL:

Detection rate: 7/32 (21.88%)
File size: 43008 bytes
MD5: 08f445712adcef5ef091378c51bbbaaa
SHA1: 3478fe6a600251b2ee147dbd50eaf4f204a884cb

Last week's obfuscation at this online casino was pointing to which is now down.

The second casino is ( with its current obfuscation attempting to connect to the now-down , a host residing on a netblock I covered before when showcasing a scammy ecosystem. The third one is , which was resolving to early this week and taking advantage of WebAttacker at . Now it resolves to and promotes

Detection rate: 9/32 (28.13%)
File size: 194077 bytes
MD5: 26da6f81349ff388d08280ababab9150
SHA1: f20e8fee439264915710f9478ec1e74583563851

It's interesting to monitor how the people behind these manually change the obfuscations to further expand their connections with other scammers, or the services and attack approaches they use, and even more interesting to see it happen on the fly, just like for instance.

Don't play poker on an infected table.