
SANS ISC Diary: Malware Megabucks International


Malware Megabucks International

A reader alerted us to a bunch of malware that he had found after starting to unravel a pile of interlinked exploit pages. The exploit pages are spammed into search engines and elsewhere under "adult movie" themes, and thus most likely find enough "volunteers" to click on the links.

Domains involved are clipsforadults-dot-com and several of the form 9u???-free-movies-dot-cn, with the ??? standing for various letter combinations like eyd, gfo, fdo, etc. Someone's been busy registering throw-away domains.

The one bit that was of interest to us is that at the very end of this pile, the links try to download a "codec" from the site installobject-dot-com. The link used contains a 4-digit number, and each number, over a wide range, seems to return a slightly different binary, which helps explain why signature-based AV detection lags. installobject-dot-com resolves to 85.255.113.235, an address range that has been known bad for years; see isc.sans.org/diary.html?storyid=1873

AV detection is still thin; we are trying to help it along some. The files are of the W32/Zlob family: Kaspersky calls it Trojan-Downloader.Win32.Zlob.bxt, and Trend Micro has it as TROJ_ZLOB.DND.
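As an added example (not code from the diary or from ISC), here is defender-side detection logic run over a few constructed proxy log lines: it flags the throw-away domain pattern, the fake "codec" download URL with its 4-digit number, and destinations in the known bad range, and separately spots URL templates that hand back a different binary on every request. The log format, the URL path layout, the hashes and the 85.255.113.0/24 range are assumptions; the diary only names the single address.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed (constructed) proxy log format, one request per line:
#   <client_ip> <dest_ip> <url> <hash_of_response_body>
# The "known bad" range is assumed as the /24 around the address in the diary.
KNOWN_BAD = ipaddress.ip_network("85.255.113.0/24")
# Throw-away hosts of the form 9u???-free-movies.cn (??? = three letters).
THROWAWAY_HOST = re.compile(r"^9u[a-z]{3}-free-movies\.cn$", re.I)
# The fake "codec" host; the link carries a 4-digit number somewhere in the path.
CODEC_HOST = "installobject.com"
FOUR_DIGITS = re.compile(r"\d{4}")

# Constructed sample log; hashes are placeholders, not real sample hashes.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 http://clipsforadults.com/index.html a1
10.0.0.5 203.0.113.11 http://9ueyd-free-movies.cn/play.html b2
10.0.0.5 85.255.113.235 http://installobject.com/codec/1234/setup.exe c3
10.0.0.7 85.255.113.235 http://installobject.com/codec/1235/setup.exe d4
10.0.0.9 85.255.113.235 http://installobject.com/codec/1236/setup.exe e5
10.0.0.5 198.51.100.8 http://example.org/update/1234/file.exe f6
""".splitlines()


def classify(line):
    """Return the reasons one log line is suspicious (empty list if none)."""
    _client, dest, url, _digest = line.split()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if THROWAWAY_HOST.match(host):
        reasons.append("throwaway-domain")
    if host == CODEC_HOST and FOUR_DIGITS.search(parsed.path):
        reasons.append("fake-codec-download")
    if ipaddress.ip_address(dest) in KNOWN_BAD:
        reasons.append("known-bad-range")
    return reasons


def polymorphic_templates(lines, min_distinct=3):
    """URL templates (4-digit run masked) that served >= min_distinct different
    response hashes: a per-request server-side variation that defeats
    hash-based blocking, as the diary observed for the "codec" link."""
    seen = defaultdict(set)
    for line in lines:
        _client, _dest, url, digest = line.split()
        parsed = urlparse(url)
        template = (parsed.hostname, FOUR_DIGITS.sub("####", parsed.path))
        seen[template].add(digest)
    return {t for t, hashes in seen.items() if len(hashes) >= min_distinct}
```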

Adult sites from China, nasty trojans from Ukraine - the Malware Megabucks International, Inc, at its best.

Daniel

