MALICIOUS VISITOR OF THE WEEK (A BOTNET)
MALICIOUS (CHINA, POLAND & RUSSIA): Trojan-Downloader.HTML.IFrame.air
Replies come from a sinkhole: sinkhole.cert.pl, 148.81.111.111 (Shadowserver-reported CnC server IP, group 3)
CVE-2008-2463 & CVE-2008-0015
http://19066.saeke.com/
https://www.virustotal.com/de/url/0768ee5a780f2d235f9b17e6789cd62fb2f9f2d08683d0351bd941ce0ea8c968/analysis/1392145114/
Exploit-IFrame.gen.ah
https://www.virustotal.com/de/file/d6c86c0aea173bb04a179812520b77e32b1f6f72b1f1d5f939898f3515cb92a0/analysis/1392205682/
Replies come from a sinkhole: http://sinkhole.cert.pl (148.81.111.111)
https://urlquery.net/report.php?id=9394745
https://urlquery.net/report.php?id=9394753
https://urlquery.net/report.php?id=9394749
https://urlquery.net/report.php?id=9394736
SCRIPT CODE: http://jsunpack.jeek.org/?report=6597a99bfac1a8733e9db2282b26a50e06efddc8
--->
http://19066.saeke.com/tj.js
https://www.virustotal.com/de/url/da19987591c4bfcceb3ff19582b77057402b4147172dbf9e5c9d2a1b496f8df3/analysis/1392217975/
https://www.virustotal.com/de/file/c17accf46049ffc28b33e8dfb56990ca0b035cc974dfc825952a7d94bc8e130e/analysis/1392217978/
--->
http://count45.51yes.com/click.aspx?id=450998701&logo=12
https://www.virustotal.com/de/url/34f490099e4c9785ddfba9018f2ee803943ad70736004f6bfd67d653ee4e6b26/analysis/1392218499/
https://www.virustotal.com/de/file/a9c13f407dd2befae9e13015941831b1c0a4433381700fd2210da2f4e4858cec/analysis/1392218278/
--->
http://count45.51yes.com/sa.htm?id=450998701
https://www.virustotal.com/de/url/f036a01fd81657fe43ac7724fd8bfef9279c67a13ff3823a763806a6edae7744/analysis/
--->
http://19066.saeke.com/gg.js
https://www.virustotal.com/de/url/be691723ba9286a06b1c95dc1855eb2fbff83c3b61f2774ab0d97fa38afcfe69/analysis/1392217936/
https://www.virustotal.com/de/file/2bde577fdaf14ced5c83ddc3e80c2ce78f5d06657aaf93aaeed628841597d7bf/analysis/1392217940/
--->
----------------------------
1st) http://www.0002555.com/
http://jsunpack.jeek.org/?report=b2b887ac1cc0b97c383d4d77550fa60c762d951b
https://www.virustotal.com/de/url/9f40196ff30f7143de35faba39e57193b52e11899b83e363f549254990f56033/analysis/1392212926/
JS:Decode-AHP [Trj] & JS/Exploit
https://www.virustotal.com/de/file/f2b87dd97c96d86679cc9db8050930e3c80d53fe86ee1f300a9c30ae2197dde7/analysis/1392213008/
JS/Exploit
https://www.virustotal.com/de/url/9f40196ff30f7143de35faba39e57193b52e11899b83e363f549254990f56033/analysis/1392212926/
--->
2nd) http://www.0002555.com/
http://jsunpack.jeek.org/?report=357f1217863b57f4544b34c7c90e26ace423885c
https://www.virustotal.com/de/url/9f40196ff30f7143de35faba39e57193b52e11899b83e363f549254990f56033/analysis/1392219336/
JS:Decode-AHP [Trj]
https://www.virustotal.com/de/file/da097870d62b19b49bd849e42d28536d05dbe4f3dc51f9c72c821d5bae746f4b/analysis/1392219103/
JS/Exploit
https://www.virustotal.com/de/file/37754a8ad7e8976ac0784fb7a6914854bcbcfea04cc4ac18506ba43a53672893/analysis/1392219542/
--->
http://www.0002555.com/?jdfwkey=ltxhx2
https://www.virustotal.com/de/url/e98cc7adf2b66b409f9c3f1a204bf92e07095e113f3507c155604d1a1963f343/analysis/1392220534/
Trojan.Url.IframeB.rrxhg
https://www.virustotal.com/de/file/ec46a7ddc9363450c29f79bec511b6d2910434744fd58b35c86efcda4f925d70/analysis/1392219094/
--->
http://count41.51yes.com/click.aspx?id=418575533&logo=11
https://www.virustotal.com/de/url/3ecfeb8d9385e5ce340628caf9bc5d54be6831df820b41bf5822d2bddf16350e/analysis/1392219731/
Trojan.Url.IframeB.rrxhg
https://www.virustotal.com/de/file/4b15dfa57083bb09ce49282b65290351ad27897ba9170aa00075fde2d7d21d86/analysis/1392219053/
https://www.virustotal.com/de/file/c2878b0fe3502325b658e57346d8c8bd78125a5b3cdfe6023a051724b66a5bf3/analysis/1392219061/
--->
http://count41.51yes.com/sa.htm?id=418575533
https://www.virustotal.com/de/url/29a17f881cb94afee5b57ae6d484a9dedc383b48352516fca1e73c2f06d11e66/analysis/1392220106/
--->
http://count30.51yes.com/click.aspx?id=308228346&logo=2
https://www.virustotal.com/de/url/8a02b1b560f3abf37ca36d1d57464716da3f03e9b56cb37628cd727808889991/analysis/1392220198/
https://www.virustotal.com/de/file/e879df4e1a5d975ca1418d14eb50f35a5330fcaadb4d198ed6a2fb4853b572e1/analysis/
--->
http://count30.51yes.com/sa.htm?id=308228346
https://www.virustotal.com/de/url/ec51f98a5309cc55f56af2ff7c9e9d50a06208b3526da6c5b329301a85e8913c/analysis/1392220375/
--->
http://player.youku.com/player.php/sid/XNjYwNDI1MTI4/v.swf
https://www.virustotal.com/de/url/992fad2fcdcc6b663dfbb25ca14a15a8c02656de0b2a7312fc749bee10ee558e/analysis/
https://www.virustotal.com/de/file/906fe6e47fe95ee6638b1e05195a5b3759a4a68f2967d6646d456b75acb71271/analysis/1392187035/
--->
http://static.youku.com/v1.0.0400/v/swf/loader.swf?VideoIDS=XNjYwNDI1MTI4
https://www.virustotal.com/de/url/357f07d6e7d50783a04222552b115c0e9826fc3c49a3ebe465e94bdc68130dc3/analysis/1392221033/
--->
http://player.youku.com/player.php/sid/XNDI4ODQxOTMy/v.swf
https://www.virustotal.com/de/url/51aac3efbee0778f03b8a6446e4cc3e3be69c8e0a009b1b578be6ac3af5cb4fb/analysis/1392221205/
--->
http://static.youku.com/v1.0.0400/v/swf/loader.swf?VideoIDS=XNDI4ODQxOTMy
https://www.virustotal.com/de/url/8cb172325549ac5a74c8208a58230f6699cd22a83618d53915ab6f47672af44e/analysis/1392221286/
--->
http://player.youku.com/player.php/sid/XNjU4ODk3MzU2/v.swf
https://www.virustotal.com/de/url/8e9692d910802f217669a3d4203d72e9499a25c6e5859394393cb4290872e070/analysis/1392221347/
--->
http://static.youku.com/v1.0.0400/v/swf/loader.swf?VideoIDS=XNjU4ODk3MzU2
https://www.virustotal.com/de/url/5f8a0f3dfb857fb4be2327fa72038115853e40274b309d9d240a724e47f0ad7d/analysis/1392221402/
--->
http://player.youku.com/player.php/sid/XNjY4MjQ4MzE2/v.swf
https://www.virustotal.com/de/url/68fb9fec46f372784f8193172829c26479024d3609687f75912cd77e30186f17/analysis/1392221486/
--->
http://static.youku.com/v1.0.0400/v/swf/loader.swf?VideoIDS=XNjY4MjQ4MzE2
https://www.virustotal.com/de/url/879301b1d169129c1b391d1eb68e411853a5a9ac63592112d8c30b187b07c4bc/analysis/1392221591/
--->
http://player.youku.com/player.php/sid/XNjY2MzQzODg4/v.swf
https://www.virustotal.com/de/url/7a85c31c8dd22d05e9d20297fd343d0b7f94faee7a1017832c2eb88b4c8b8236/analysis/1392221648/
--->
http://static.youku.com/v1.0.0400/v/swf/loader.swf?VideoIDS=XNjY2MzQzODg4
https://www.virustotal.com/de/url/ee1ef43787634c68ddc8b20b90baf8856b45758162fdefd7acf64764bbf40cb3/analysis/1392221724/
--->
CVE-2008-2463
Office Snapshot Viewer: the Microsoft Office Snapshot Viewer ActiveX control allows remote attackers to download arbitrary files to a client machine
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2463
CVE-2008-0015
MsVidCtl Overflow: overflow in the Microsoft Video ActiveX Control via a specially-crafted data parameter
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0015
http://www.Brenz.pl/
https://www.virustotal.com/de/url/31ce243b2ef5dd3790be577eeb9d68df7afdda26be2131de243cb06b3d742efc/analysis/1392222143/
https://urlquery.net/report.php?id=9412380
http://www.Brenz.pl/rc/
https://www.virustotal.com/de/url/4df2dbeb23a75f5631c006b880092a8843ffb8451dd2acbec429878b5bc44e8a/analysis/1392221816/
Shadowserver-reported CnC server IP, group 3
https://urlquery.net/report.php?id=9412383
http://wepawet.iseclab.org/view.php?type=js&hash=12962b1916a95d5314edc824efbff88b&t=1270649249
---> FINAL ARRIVAL (end of the redirect chain)
http://sinkhole.cert.pl/
https://www.virustotal.com/de/url/ef6aa460ada5cc7d5f8dd784ae083eb0f2f3654bfb6559444d2eff704aed4bb6/analysis/1392217250/
https://urlquery.net/report.php?id=9411000
--->
http://148.81.111.111/
https://www.virustotal.com/de/url/986707e69ef388d44bdee6824a6cf10819c16ded7874a3c0d5ea3ad880030489/analysis/1392217321/
https://urlquery.net/report.php?id=9411000
------------------------------------------
SEE ALSO:
http://wepawet.iseclab.org/view.php?hash=2a24c85462e9dc30ca3776286f99886a&t=1392145172&type=js
http://wepawet.iseclab.org/view.php?hash=7382f78798d46535438780e5eb9cabd2&t=1392219910&type=js
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=19066.saeke.com
http://zulu.zscaler.com/submission/show/40ce5691550607bbeab209159d154ad0-1392145179
http://app.webinspector.com/public/reports/20032993
http://www.urlvoid.com/scan/19066.saeke.com/
THE SAME SCHEME APPLIES TO THE FOLLOWING DOMAIN(S) AS WELL:
1) http://shenxingdubo.wuhou.ru/
https://www.virustotal.com/de/url/4b2a06f4a7e233b1cb50a0700997a697ac1acfe7c2524e0116a55f5777a7a8e2/analysis/1392222909/
Exploit-IFrame.gen.ah
https://www.virustotal.com/de/file/c2e1c253bd05372138c7da63f89152f5408923b2d7fac8147d4b5a10aebd0183/analysis/1392223274/
https://urlquery.net/report.php?id=9412757
http://jsunpack.jeek.org/?report=ac909241b96c177472a11c6d43f84b2ad74ac73a
2) http://bocaitonghaoxiangbo.se966.com/
https://www.virustotal.com/de/url/1d21050badc72f3864b75b0bf68e2856e2af881ba8a7dd9688665cd1571e1de1/analysis/1392223637/
3) http://kaihucaijinyulecheng.qkkyy.com/
https://www.virustotal.com/de/url/aab847e63610663609a5d62188cdf3971c3234b056ac619b97dbddf7ef608d6b/analysis/1392224039/
https://www.virustotal.com/de/file/a392b918860b282a2a1d8848060811228da928fd67ec8c9e487c8001f723fc6e/analysis/1392224103/
https://urlquery.net/report.php?id=9413126
ETC.
FOR MORE, SEE & GO ON SCANNING WITH ZULU (IT'S SIMPLY A BOTNET) :D
http://zulu.zscaler.com/submission/show/fdbedf19d7cf1179c64c21c7f109c2df-1392224551
http://zulu.zscaler.com/submission/show/b7c15629a0ef5f92de4fcccf5d94164f-1392224591
http://zulu.zscaler.com/submission/show/80fbe6e5dd86bc2a8fbf68b2aaacc785-1392224731
http://zulu.zscaler.com/submission/show/f3d259b3bdb26c7f3c7f0253a9a6b1f0-1392225180
AND SO ON...