Attack site or just SPAM? Keep getting emails that have a link that directs you to...


hxxp://dmssmgf.ru:8080/forum/links/column.php

I haven't clicked on it just in case.


Re: Attack site or just SPAM? Keep getting emails that have a link that directs you to...

Ant wrote:
 

I followed that link and ended up downloading this file:

wgsdgsdgdsgsd.exe (193 kb)

I then uploaded it to virus total:

https://www.virustotal.com/file/ceff3481424510a54b84285d1089c9d1b267c7c6fb6d04e207661dc7139ae8f3/analysis/1358346170/

Only one AV program (Kaspersky) got a positive hit on it:

Trojan.Win32.Bublik.abcn

Does anyone want a copy of that executable?

Re: Attack site or just SPAM? Keep getting emails that have a link that directs you to...

Virus Guy wrote:
 

There's a PDF exploit you get by following that link that is not being
detected by VT:

https://www.virustotal.com/file/1a1d48b3de94b689fa9283a4585be6ca795f1f24cbd538c6b78149292475a292/analysis/1358348255/

Here's what that file looks like:

===============
%PDF-1.5
%
1 0 obj<</Pages 2 0 R/Type/Catalog>>
endobj
2 0 obj<</Count 0/Kids[]/Type/Pages>>
endobj
3 0 obj<</ModDate(D:20130116091232-05'00')/CreationDate(D:20130116091232-05'00')>>
endobj
xref
0 4
0000000000 65535 f
0000000016 00000 n
0000000060 00000 n
0000000105 00000 n
trailer
<</Size 4/Root 1 0 R/Info 3 0 R/ID[<94a4b6b6f255054ebd4d43d24bc491bc><94a4b6b6f255054ebd4d43d24bc491bc>]>>
startxref
195
%%EOF
==============

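A quick way to check a file like the one above without opening it is to enumerate its objects and look for the names that carry active content. The triage script below is an added example, not code from the thread: it embeds the PDF listed above as constructed bytes (the binary comment bytes after the header are not visible on the page, so a bare `%` line stands in for them) and a second, constructed PDF with an /OpenAction that runs JavaScript, where the /JS key is written as /J#53 to show why #xx name escapes must be normalised before matching.

```python
import re

# PDF names whose presence in an object dictionary warrants a closer look.
SUSPICIOUS_NAMES = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
                    b"/EmbeddedFile", b"/RichMedia", b"/URI", b"/XFA", b"/ObjStm")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
PAGES_RE = re.compile(rb"/Type\s*/Pages(?![A-Za-z])")


def normalize_names(body: bytes) -> bytes:
    """Undo #xx escapes in PDF names so that /J#53 is seen as /JS."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), body)


def find_objects(data: bytes):
    """Yield (object number, generation, normalised body) for each indirect object."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), normalize_names(m.group(3))


def triage(data: bytes) -> dict:
    """Summarise the structure and flag objects that carry active content."""
    header = re.match(rb"%PDF-(\d\.\d)", data)
    result = {"version": header.group(1).decode() if header else None,
              "objects": 0, "page_count": None, "flags": {}}
    for num, _gen, body in find_objects(data):
        result["objects"] += 1
        if PAGES_RE.search(body):
            count = re.search(rb"/Count\s+(\d+)", body)
            if count:
                result["page_count"] = int(count.group(1))
        for name in SUSPICIOUS_NAMES:
            if re.search(re.escape(name) + rb"(?![A-Za-z])", body):
                result["flags"].setdefault(name.decode(), []).append(num)
    # A page tree with Count 0 and nothing flagged is a document with nothing in it.
    result["empty_shell"] = result["page_count"] == 0 and not result["flags"]
    return result


# The PDF from the thread, re-typed as bytes; the binary comment bytes after the
# header are not reproduced on the page, so a bare '%' line stands in for them.
EMPTY_SHELL_PDF = b"""%PDF-1.5
%
1 0 obj<</Pages 2 0 R/Type/Catalog>>
endobj
2 0 obj<</Count 0/Kids[]/Type/Pages>>
endobj
3 0 obj<</ModDate(D:20130116091232-05'00')/CreationDate(D:20130116091232-05'00')>>
endobj
xref
0 4
0000000000 65535 f
0000000016 00000 n
0000000060 00000 n
0000000105 00000 n
trailer
<</Size 4/Root 1 0 R/Info 3 0 R/ID[<94a4b6b6f255054ebd4d43d24bc491bc><94a4b6b6f255054ebd4d43d24bc491bc>]>>
startxref
195
%%EOF
"""

# Constructed contrast case: one page, an /OpenAction, and /JS obfuscated as /J#53.
JS_PDF = b"""%PDF-1.5
1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>
endobj
2 0 obj<</Type/Pages/Count 1/Kids[3 0 R]>>
endobj
3 0 obj<</Type/Page/Parent 2 0 R>>
endobj
4 0 obj<</S/JavaScript/J#53(app.alert(1))>>
endobj
trailer<</Root 1 0 R>>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("thread sample", EMPTY_SHELL_PDF), ("constructed", JS_PDF)):
        print(label, triage(doc))
```

Run against the thread's sample it reports three objects, a page count of 0 and no flagged names, which is the "effectively empty" shell; the constructed file is flagged on /OpenAction in object 1 and on both /JavaScript and the escaped /JS in object 4.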
Re: Attack site or just SPAM? Keep getting emails that have a link that directs you to...

Virus Guy explained on 1/16/2013 :
https://www.virustotal.com/file/1a1d48b3de94b689fa9283a4585be6ca795f1f24cbd538c6b78149292475a292/analysis/1358348255/
That seems to be effectively "empty" of malware. Perhaps it wasn't
populated with malware yet when you downloaded it?



Re: Attack site or just SPAM? Keep getting emails that have a link that directs you to...

Virus Guy wrote:


Is there an on-line java applet de-obfuscator?

I uploaded the java applet to VT and got this:

https://www.virustotal.com/file/ded36becdcd702ff96c2189a3f9d0bf73cc43ee61bcca3b804e66a0d29bc0442/analysis/


Detected by only 5 out of 46 AV programs:

Jiangmin     TrojanDownloader.Java.at
Kaspersky    Exploit.Java.CVE-2012-0507.qu
Microsoft    Exploit:Java/CVE-2012-0507
Sophos       Troj/JavaDl-FC
TrendMicro-HouseCall     TROJ_GEN.FCBHZJ8

It's downloading some or all of the payload from 89.111.176.125.

Re: Attack site or just SPAM? Keep getting emails that have a link that directs you to...


https://www.virustotal.com/file/ded36becdcd702ff96c2189a3f9d0bf73cc43ee61bcca3b804e66a0d29bc0442/analysis/

RUSSIA!

Chris


Re: Attack site or just SPAM? Keep getting emails that have a link that directs you to...

Ant pretended :

[...]


Aha! I was using "Java Decompiler" for a while just to help me get used
to Java as far as malicious jars are concerned. It worked well enough
for some of them but for others I would get something like ...

//ERROR//

... and then what looked like a listing of bytecodes that I couldn't
make heads or tails of. I'm guessing now it was due to what you
mentioned above.
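When a decompiler bails out with //ERROR// on an applet like the one Ant uploaded, the class file's constant pool still holds every string literal in plain form, and that is usually where a downloader keeps the address it fetches from. The script below is an added example, not code from the thread or from any decompiler: it walks the constant pool of each .class inside a JAR (including the two-slot Long/Double entries that break naive index counting), pulls out the literals the bytecode can actually load (CONSTANT_String entries, rather than every Utf8, which also covers class and method names), and greps them for URLs and IPv4 addresses. The applet is constructed in memory; only the 89.111.176.125 address comes from the thread, the class and method names are made up.

```python
import io
import re
import struct
import zipfile

# Constant-pool tags with fixed payload sizes (JVM spec 4.4); Utf8 (tag 1) is variable.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
UTF8, LONG, DOUBLE, CLASS, STRING = 1, 5, 6, 7, 8
IOC_RE = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, value)} for a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, idx = {}, 10, 1
    while idx < count:
        tag = data[off]
        off += 1
        if tag == UTF8:
            (length,) = struct.unpack_from(">H", data, off)
            raw = data[off + 2: off + 2 + length]
            pool[idx] = (tag, raw.decode("utf-8", "replace"))
            off += 2 + length
        elif tag in (CLASS, STRING):
            (ref,) = struct.unpack_from(">H", data, off)
            pool[idx] = (tag, ref)
            off += 2
        else:
            pool[idx] = (tag, data[off: off + CP_FIXED[tag]])
            off += CP_FIXED[tag]
        # Long and Double take two pool slots; the second index is never used.
        idx += 2 if tag in (LONG, DOUBLE) else 1
    return pool


def string_literals(class_bytes: bytes) -> list:
    """Only CONSTANT_String entries are literals the bytecode can load with ldc."""
    pool = parse_constant_pool(class_bytes)
    return [pool[ref][1] for tag, ref in pool.values()
            if tag == STRING and pool.get(ref, (None,))[0] == UTF8]


def jar_iocs(jar_bytes: bytes) -> dict:
    """Map each .class in the JAR to the URLs / IPv4 addresses in its literals."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            for literal in string_literals(jar.read(name)):
                for ioc in IOC_RE.findall(literal):
                    found.setdefault(name, set()).add(ioc)
    return found


def _u2(n: int) -> bytes:
    return struct.pack(">H", n)


def build_sample_class() -> bytes:
    """Constructed class file: a constant pool plus empty member tables."""
    url = b"http://89.111.176.125/"                # IP from the thread, no path known
    pool = b"".join([
        b"\x01" + _u2(len(url)) + url,            # #1  Utf8 (the literal's text)
        b"\x08" + _u2(1),                         # #2  String -> #1
        b"\x05" + struct.pack(">q", 1358346170),  # #3  Long, occupies #3 and #4
        b"\x01" + _u2(6) + b"Loader",             # #5  Utf8 (made-up class name)
        b"\x07" + _u2(5),                         # #6  Class -> #5
        b"\x01" + _u2(4) + b"main",               # #7  Utf8
        b"\x01" + _u2(3) + b"()V",                # #8  Utf8
        b"\x0c" + _u2(7) + _u2(8),                # #9  NameAndType
        b"\x0a" + _u2(6) + _u2(9),                # #10 Methodref
    ])
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, 11)   # major 50 = Java 6
    trailer = _u2(0x21) + _u2(6) + _u2(0) + _u2(0) * 4      # flags, this, super, 4 empty tables
    return header + pool + trailer


def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Loader.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    print(jar_iocs(build_sample_jar()))
```

This only finds literals stored in the clear; a downloader that builds its URL from an XOR'd byte array or string concatenation will show nothing here, and the absence of hits is not evidence of a clean file.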



Re: Attack site or just SPAM? Keep getting emails that have a link that directs you to...

Ant laid this down on his screen :

Thanks for the info.



Re: Attack site or just SPAM? Keep getting emails that have a link that directs you to...

Virus Guy has brought this to us :

What you get depends somewhat upon what information the first part of
the script (plugindetect) reveals to the exploit kit server. If it finds
that you run a vulnerable version of Adobe Reader it will give you a
PDF exploit - if you have a vulnerable Java version you'll likely get a
Java exploit (or FlashPlayer etc...) that is a download (and execute)
trojan.

Looks like I got a Cridex download by getting the URL from the
shellcode included right there in the deobfuscated JavaScript.
https://www.virustotal.com/file/ceff3481424510a54b84285d1089c9d1b267c7c6fb6d04e207661dc7139ae8f3/analysis/1358346170/

I posted the VT results of my downloaded file in another post.


Clicking "view latest" shows your file being detected as Cridex too
now.

Not me, but thanks anyway.
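The gating Ant describes (plugindetect reports versions, the server picks the exploit) can be written down as a small selection table. The following is an added example and not the kit's code: it parses PluginDetect-style version strings numerically (as strings, "1.6.0_31" sorts below "1.6.0_7", so a string comparison would get the gate wrong), encodes the fix levels for the CVE-2012-0507 named in the VT results (Java 7 Update 3 and Java 6 Update 31), and returns the first route whose plugin check passes. The Adobe Reader threshold is a hypothetical placeholder, since the thread does not name the PDF vulnerability, and treating Java trains older than 1.6 as unpatched is an assumption.

```python
import re


def parse_version(s: str) -> tuple:
    """Turn '1.6.0_31', '9.4.1' or '11,5,502,135' into a tuple of ints."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def older_than(threshold: str):
    """Predicate: reported version sorts numerically below the threshold."""
    t = parse_version(threshold)
    return lambda version: parse_version(version) < t


def java_exposed_to_cve_2012_0507(version: str) -> bool:
    """CVE-2012-0507 was fixed in Java 7 Update 3 and Java 6 Update 31."""
    v = parse_version(version)
    if v[:2] == (1, 7):
        return v < (1, 7, 0, 3)
    if v[:2] == (1, 6):
        return v < (1, 6, 0, 31)
    return True  # assumption: older trains treated as unpatched


# Order matters: the first route whose check passes is what the client receives.
# The Reader threshold is a hypothetical placeholder; the thread does not name the PDF CVE.
ROUTES = [
    ("Java", java_exposed_to_cve_2012_0507, "java applet (CVE-2012-0507)"),
    ("AdobeReader", older_than("9.4.1"), "pdf (hypothetical threshold)"),
]


def choose_exploit(fingerprint: dict):
    """fingerprint maps plugin name -> version string as plugindetect would report it."""
    for plugin, exposed, payload in ROUTES:
        version = fingerprint.get(plugin)
        if version and exposed(version):
            return payload
    return None  # nothing vulnerable reported: the kit serves the empty shell


if __name__ == "__main__":
    # Constructed fingerprints, not values from the thread.
    for fp in ({"Java": "1.7.0_02", "AdobeReader": "9.3.0"},
               {"Java": "1.7.0_07", "AdobeReader": "9.3.0"},
               {"Java": "1.7.0_07", "AdobeReader": "10.1.4"}):
        print(fp, "->", choose_exploit(fp))
```

The same numeric comparison is what you want on the defensive side when turning a proxy log of plugindetect beacons into a list of hosts that would have received the Java route rather than the empty PDF.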



Re: Attack site or just SPAM? Keep getting emails that have a link that directs you to...



Thanks to your submission, some of us already have it. :)
 



--
My take home pay isn't enough to take me home!

Re: Attack site or just SPAM? Keep getting emails that have a link that directs you to...

on 1/15/2013, Duh_OZ supposed :

https://www.virustotal.com/file/ceff3481424510a54b84285d1089c9d1b267c7c6fb6d04e207661dc7139ae8f3/analysis/


