
SANS ISC: Malware hosted on 3322.org AGAIN! - Internet Security | DShield SANS ISC InfoSec Forums


Malware hosted on 3322.org AGAIN!

If you google for l61.3322.org you will find LOTS of “script” links to:

http://l61DOT3322DOTorg/eDOTjs. That first letter is an L not a 1.

Be careful: that JavaScript attempts to exploit vulnerabilities in some browsers.

Fellow Handler BojanZ stated this about that malicious piece of JavaScript:

“The attached JS file calls other JS files (from various servers). At
least one of them tries to exploit an old vulnerability (MS06-014 -
Microsoft Data Access Components (MDAC)). Other JS files redirect the
browser to different sites:
http://www.777seo.com/seo.php?username=happygold
http://www.ovosearch.com/advertising/?ref=happygold
http://kikclick.com/portal/?ref=happygold
(these are click through affiliate web sites)”

3322.org has hosted malware several times in the past, including an element of the zero-day Word exploit that was reported in 05-2005:
http://isc.sans.org/diary.html?storyid=1348

It was also used as the FTP download site for a SAV-based worm in 12-2005:
https://isc.sans.org/diary.html?storyid=1945

Thanks Bryan and Evan for bringing this to our attention.
I recommend you monitor your IDS, firewall and other logs for access to l61DOT3322DOTORG. If you see any access, you should check the systems that accessed it for malware. You may decide to block that site within your enterprise. Many enterprise and educational networks did block 3322.org during the Word zero-day exploit in 2005.

donald

ISC Handler
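
The log check recommended above, as an added example (not code from the diary or from SANS ISC): it matches the hostname on label boundaries, so the digit-1 lookalike and unrelated hosts that merely embed the string are not flagged, and it can optionally match everything under 3322.org. The log layout, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Hostname-like tokens in a lowercased log line. IPv4 addresses do not match
# because the last label must be alphabetic.
HOST_RE = re.compile(r"(?<![a-z0-9.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![a-z0-9-])")

def refang(indicator):
    """Turn the diary's defanged form (l61DOT3322DOTORG) into a real hostname."""
    return indicator.replace("[.]", ".").replace("DOT", ".").lower().strip(".")

def is_under(host, domain):
    """True if host is domain or a subdomain of it, compared on label boundaries."""
    return host == domain or host.endswith("." + domain)

def find_hits(lines, indicator, whole_domain=None):
    """Map source address -> matching hostnames seen in that source's log lines.

    Assumed line layout (constructed for this example): timestamp, source
    address, then free text containing the URL or DNS name.
    """
    target = refang(indicator)
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # not enough fields to identify a source address
        src = fields[1]
        for host in HOST_RE.findall(line.lower()):
            if is_under(host, target) or (whole_domain and is_under(host, whole_domain)):
                hits[src].append(host)
    return dict(hits)

# Constructed sample log lines, not taken from any real network.
SAMPLE_LOG = [
    "2000-01-01T09:14:02 10.0.0.5 GET http://l61.3322.org/e.js 200",
    "2000-01-01T09:14:07 10.0.0.9 GET http://161.3322.org/index.html 404",  # digit 1, not letter l
    "2000-01-01T09:15:30 10.0.0.7 DNS query A L61.3322.ORG.",               # upper case, trailing dot
    "2000-01-01T09:16:11 10.0.0.8 GET http://l61.3322.org.example.com/ 200",  # different domain
]

if __name__ == "__main__":
    for src, hosts in find_hits(SAMPLE_LOG, "l61DOT3322DOTORG").items():
        print(src, "->", sorted(set(hosts)))
```

Passing `whole_domain="3322.org"` widens the match to every host under that domain, which corresponds to the option of blocking 3322.org as a whole.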
