The latest malware sample is what Symantec calls "JS.Runfore". A recent URL might tell you why: http:// xmexlajhysktwdqe. ru/runforestrun?sid=cx (don't click)

Plenty of web pages currently seem to be infected with manipulated / changed jQuery files, which contain obfuscated JavaScript code that generates the foresty URLs. The domain names generated change based on time and date.

"Successful" connections are met by a series of 302 redirects that so far (for me) have not resulted in any real payload.

The above URL redirects via moneyold. ru to freshtds. ru, where it ends (for me) in a 404 Error.

Here's a recent Wepawet report for an infected site (OK to click, but better don't click on any of the links in the report)

Daniel, ISC Handler (385 Posts), Jun 22nd 2012
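The two things a site operator or SOC analyst can check for from this diary are (a) whether a served jQuery file has been tampered with to carry the URL generator and (b) whether a recorded HTTP session walks the 302 chain through the redirectors named above. The following Python is an added example written for this page, not code from the diary or from Symantec. The literal URL shape (`/runforestrun?sid=cx` on a random-looking lowercase `.ru` label) and the redirect hosts `moneyold.ru`, `freshtds.ru` and `freshtds.eu` come from the thread; the secondary heuristic (several `eval`/`unescape`/`fromCharCode` calls combined with a `new Date()` read, since the generator is time-and-date based) is an assumption about how such a generator tends to look, and all sample inputs are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Indicators taken from the diary and comments: the generated URLs take the shape
# http://<random lowercase label>.ru/runforestrun?sid=cx and the 302 chain passes
# through moneyold.ru and freshtds.ru (a commenter reports freshtds.eu).
RUNFORESTRUN_URL = re.compile(r"https?://([a-z]{8,20})\.ru/runforestrun\?sid=cx", re.I)
KNOWN_REDIRECT_HOSTS = {"moneyold.ru", "freshtds.ru", "freshtds.eu"}

# Heuristics (assumptions, not from the diary): code that builds a URL at runtime
# tends to chain eval/unescape/fromCharCode, and a date-based generator must read
# the clock somewhere. Either alone is weak; together they merit a look.
OBFUSCATION_CALLS = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
DATE_SEED = re.compile(r"new\s+Date\s*\(", re.I)

LOCATION_HDR = re.compile(r"^Location:\s*(\S+)", re.I | re.M)
STATUS_LINE = re.compile(r"^HTTP/1\.[01]\s+(\d{3})")


def scan_js(text: str) -> Dict[str, object]:
    """Flag a served JavaScript file that looks like a modified jQuery carrying the
    URL generator. A literal runforestrun URL is a hard hit; two or more
    obfuscation calls together with a Date() read is a soft hit for review."""
    domains = RUNFORESTRUN_URL.findall(text)
    obf_calls = len(OBFUSCATION_CALLS.findall(text))
    reads_clock = DATE_SEED.search(text) is not None
    return {
        "runforestrun_domains": domains,
        "obfuscation_calls": obf_calls,
        "reads_clock": reads_clock,
        "suspicious": bool(domains) or (obf_calls >= 2 and reads_clock),
    }


def redirect_chain(responses: List[str]) -> List[Dict[str, str]]:
    """Turn a recorded sequence of HTTP response headers (proxy log or pcap export)
    into ordered hops of (status code, host named in the Location header)."""
    hops = []
    for raw in responses:
        status = STATUS_LINE.match(raw)
        location = LOCATION_HDR.search(raw)
        next_host = urlparse(location.group(1)).hostname if location else ""
        hops.append({"status": status.group(1) if status else "?", "next_host": next_host or ""})
    return hops


def flagged_hosts(hops: List[Dict[str, str]]) -> List[str]:
    """Redirect hosts in the chain that match the redirectors named in the thread."""
    return sorted({h["next_host"] for h in hops if h["next_host"] in KNOWN_REDIRECT_HOSTS})


# Constructed samples (not captured from any real site): a tampered fragment with the
# URL in clear, a tampered fragment that only assembles it at runtime, a clean fragment,
# and the three-hop response sequence the diary describes (302, 302, 404).
INJECTED_LITERAL_JS = (
    "/*! jQuery v1.7.2 */\n(function(a,b){ /* library code */ })(window);\n"
    'document.location="http://xmexlajhysktwdqe.ru/runforestrun?sid=cx";\n'
)
INJECTED_OBFUSCATED_JS = (
    "/*! jQuery v1.7.2 */\n(function(a,b){ /* library code */ })(window);\n"
    'var d=new Date();var p=unescape("%68%74%74%70");\n'
    'eval(p+"://"+d.getUTCDate()+".ru/runforestrun?sid=cx");\n'
)
CLEAN_JS = "/*! jQuery v1.7.2 */\n(function(a,b){ /* library code */ })(window);\n"
RESPONSES = [
    "HTTP/1.1 302 Found\r\nLocation: http://moneyold.ru/\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: http://freshtds.ru/\r\n\r\n",
    "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for name, sample in (("literal", INJECTED_LITERAL_JS),
                         ("obfuscated", INJECTED_OBFUSCATED_JS),
                         ("clean", CLEAN_JS)):
        print(name, scan_js(sample))
    hops = redirect_chain(RESPONSES)
    print(hops)
    print("known redirectors seen:", flagged_hosts(hops))
```

Run `scan_js` over the jQuery files a web server actually serves (not the copies in the deployment tree, since the diary's point is that the served file was changed), and feed `redirect_chain` the response headers a proxy recorded for a single client session; a chain that ends in a 404 still tells you the client reached the redirectors even when no payload was delivered.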
Perhaps it's a clever pun. As in, "Can't see the forest for the trees." If you think of bots as trees, then bot herders are simply trying to get a forest to run!
Anonymous, Jun 22nd 2012
Final sentence of paragraph 4 lists one of the redirection URLs as freshtds.RU; however, Wepawet states it is freshtds.EU.
REB (3 Posts), Jun 23rd 2012
This is what happens when you get hit by a payload from one of these sites (Blackhole Exploit Kit):

http://wepawet.cs.ucsb.edu/view.php?hash=d3e3cd3e4620cc7f2ad9e3252976d7f3&t=1340286074&type=js

Java, PDF, Flash and HCP exploits try to install zbot and other malware. Detection now is decent, but when I investigated these samples on 21-6-12 detection was very poor.

https://www.virustotal.com/file/63001ffaae0e931486062f74a5a2976713adc99734f961cc42b2f0c755e96444/analysis/
https://www.virustotal.com/file/dcc3071540c6194f8971af0ed6a821c6cd0ad46caf07e95f73d257430c89409e/analysis/
https://www.virustotal.com/file/8ddc64b321ee7615eab3b6f7504b98422acb7b939a171a466c04706195300d59/analysis/

Anonymous, Jun 24th 2012