Malware Megabucks International
A reader alerted us to a bunch of malware that he had found after starting to unravel a pile of interlinked exploit pages. The exploit pages are spammed into search engines and similar venues with "adult movie" themes, and thus most likely find enough "volunteers" who click on the links.
Domains involved are clipsforadults-dot-com and several of 9u???-free-movies-dot-cn, with the ??? standing for various letter combinations like eyd, gfo, fdo, etc. Someone's been busy registering throw-away domains.
The one bit that was of interest to us is that, at the very end of this pile, the links try to download a "codec" from the site installobject-dot-com. The link used contains a 4-digit number, and each number, over a wide range, seems to return a slightly different binary. installobject-dot-com resolves to 85.255.113.235, an address range that has been known bad for years; see isc.sans.org/diary.html?storyid=1873
AV detection is still thin; we are trying to help it along some. The files are of the W32/Zlob family: Kaspersky calls it Trojan-Downloader.Win32.Zlob.bxt, Trend Micro has it as TROJ_ZLOB.DND, and McAfee has protection coming up as Puper.DR.
Adult sites from China, nasty trojans from Ukraine - the Malware Megabucks International, Inc, at its best.
ISC / DShield e-mail now with PGP signature
I started implementing PGP signed e-mails across the web site. The goal is to have most of our automatically generated e-mail PGP signed with a key reserved for these automated e-mails.
The key we will use:
pub 1024D/163EF538 2007-07-30 [expires: 2008-08-23]
Key fingerprint = 9958 2ABF 0AEE 06B2 2126 5C88 C9D8 1A62 163E F538
uid Internet Storm Center (Automatic Signing Only) <handlers@sans.org>
sub 2048g/FD87BD37 2007-07-30 [expires: 2008-08-23]
This key will be used ONLY for automated e-mails. Please do not use it to send us encrypted e-mail. This key, along with a lot of our other keys (and old keys), can be found here: https://isc.sans.org/PGPKEYS
Enjoy. And please use our contact form to report bugs. Individual handlers (if they choose to sign e-mail) will still use their individual keys.
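As an added example (not ISC's own code), here is how a recipient can pin the fingerprint published above when checking gpg verification results: gpg's --status-fd output carries the primary key fingerprint in its VALIDSIG line, and comparing that to the pinned value is stronger than trusting GOODSIG alone, which only says that some key in the local keyring verified the signature. The status lines below are constructed for the example.

```python
"""Pin the ISC automated-signing key when reading gpg --status-fd output."""
import re

# Fingerprint published in the diary, with spaces removed.
ISC_AUTOMATED_FPR = "99582ABF0AEE06B221265C88C9D81A62163EF538"

_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def check_status(status_lines, pinned_fpr=ISC_AUTOMATED_FPR):
    """Classify a gpg --status-fd transcript for one signed message.

    Returns (verdict, detail); verdict is 'pinned' (good signature by the
    pinned key), 'expired' (the pinned key signed it, but the key's validity
    period has passed), 'unpinned' (good signature by some other key) or 'bad'.
    """
    primary_fprs = []
    good = expired = bad = False
    for line in status_lines:
        m = _STATUS.match(line.strip())
        if not m:
            continue  # not a status line (e.g. human-readable stderr noise)
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "VALIDSIG" and args:
            # Last field is the primary key fingerprint; older gpg versions
            # omit it, in which case fall back to the signing key fingerprint.
            primary_fprs.append((args[9] if len(args) >= 10 else args[0]).upper())
        elif keyword == "GOODSIG":
            good = True
        elif keyword == "EXPKEYSIG":
            expired = True
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            bad = True
    if bad or not primary_fprs:
        return "bad", "no usable VALIDSIG line"
    if pinned_fpr.upper() not in primary_fprs:
        return "unpinned", "signed by " + primary_fprs[0]
    if expired and not good:
        return "expired", "pinned key signed this, but it has expired"
    return "pinned", "signed by the ISC automated key"


# Constructed sample transcripts (long key id C9D81A62163EF538 is the last
# 16 hex digits of the published fingerprint; the other fingerprint is a placeholder).
UID = "Internet Storm Center (Automatic Signing Only) <handlers@sans.org>"
SIG_TAIL = "2007-08-01 1185926400 0 4 0 17 2 00 "
SAMPLE_PINNED = ["[GNUPG:] NEWSIG", "[GNUPG:] GOODSIG C9D81A62163EF538 " + UID,
                 "[GNUPG:] VALIDSIG " + ISC_AUTOMATED_FPR + " " + SIG_TAIL + ISC_AUTOMATED_FPR]
OTHER_FPR = "1111222233334444555566667777888899990000"
SAMPLE_OTHER = ["[GNUPG:] GOODSIG 7777888899990000 Someone Else <x@example.invalid>",
                "[GNUPG:] VALIDSIG " + OTHER_FPR + " " + SIG_TAIL + OTHER_FPR]
SAMPLE_EXPIRED = ["[GNUPG:] EXPKEYSIG C9D81A62163EF538 " + UID,
                  "[GNUPG:] VALIDSIG " + ISC_AUTOMATED_FPR + " " + SIG_TAIL + ISC_AUTOMATED_FPR]
SAMPLE_NOKEY = ["[GNUPG:] NO_PUBKEY C9D81A62163EF538"]
```

In practice the lines come from `gpg --status-fd 1 --verify message.asc`; the pinned check should be applied to every automated e-mail, since a GOODSIG from an unrelated key proves nothing about its origin.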