
SANS ISC: loadadv.exe - Internet Security | DShield SANS ISC InfoSec Forums


loadadv.exe

Back in July, I already posted on the subject (Who needs .info/.biz, anyway?), and it turns out that the same scam is still in operation today. By putting too much trust into the topmost result returned by a search engine, a user of mine ended up ringing quite a few bells on the IDS and AV late yesterday night. Turns out the page the user got redirected to was hxxp://iframebiz.biz/dl/adv443.php (DON'T click).

The content returned by this link is obfuscated and encoded JavaScript. Once decoded, it reads as follows (included as an image, to keep your antivirus from panicking):



Yes. A bunch of malware, no doubt, trying to exploit quite a number of recent and not-so-recent vulnerabilities commonly found on a badly patched Windows workstation. The Trojans it tries to download are by now pretty well known and recognized by most antivirus software. What irks me most, though, is that this sort of thing has been around for months. Checking with a DNS cache, I found that no less than nine different DNS names have been used for this scam within the past week alone, all resolving to the same address:

traffsale.biz    81.9.5.10
iframesite.biz   81.9.5.10
iframetraff.biz  81.9.5.10
toolbartraff.biz 81.9.5.10
buytraff.biz     81.9.5.10
iframecash.biz   81.9.5.10
toolbarurl.biz   81.9.5.10
iframebiz.biz    81.9.5.10
toolbarbiz.biz   81.9.5.10

And guess what country 81.9.5.10 resides in? Yes, one of the CWIIAC, country-where-ISPs-ignore-all-complaints. I'm about to send them one more.
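The DNS-cache check described above, as an added example that is not part of the diary: given cache entries, group names by the address they resolve to and pivot from the one known bad name (or the known IP) to its siblings, so that a block or alert on one of them covers the whole cluster. The cache export format and the non-malicious lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed DNS cache export (name, TTL, type, address); not real cache output.
# The .biz names and 81.9.5.10 are the ones from the diary; the rest are filler.
DNS_CACHE = """\
traffsale.biz     3600 A 81.9.5.10
www.example.com  86400 A 93.184.216.34
iframesite.biz    3600 A 81.9.5.10
iframetraff.biz   3600 A 81.9.5.10
mail.example.org  7200 A 198.51.100.7
toolbartraff.biz  3600 A 81.9.5.10
buytraff.biz      3600 A 81.9.5.10
iframecash.biz    3600 A 81.9.5.10
toolbarurl.biz    3600 A 81.9.5.10
iframebiz.biz     3600 A 81.9.5.10
toolbarbiz.biz    3600 A 81.9.5.10
"""

LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_cache(text):
    """Yield (name, ip) for every A record line; skip anything unparseable."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group("name").lower().rstrip("."), m.group("ip")

def names_by_ip(text):
    """Group cached names by the address they resolve to."""
    groups = defaultdict(set)
    for name, ip in parse_cache(text):
        groups[ip].add(name)
    return groups

def pivot(text, seed_ip, min_names=2):
    """Sorted names sharing seed_ip, but only if they form a real cluster."""
    names = names_by_ip(text).get(seed_ip, set())
    return sorted(names) if len(names) >= min_names else []

def related_to(text, known_name):
    """From one known bad name, find its siblings through the shared address."""
    known = known_name.lower()
    ips = {ip for name, ip in parse_cache(text) if name == known}
    groups = names_by_ip(text)
    return sorted({n for ip in ips for n in groups[ip]} - {known})

if __name__ == "__main__":
    print(pivot(DNS_CACHE, "81.9.5.10"))
    print(related_to(DNS_CACHE, "iframebiz.biz"))
```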


Daniel

ISC Handler
