loadadv.exe

Published: 2005-11-19
Last Updated: 2005-11-19 21:54:01 UTC
by Daniel Wesemann (Version: 2)
0 comment(s)

Back in July, I already posted on the subject (Who needs .info/.biz, anyway?), and it turns out that the same scam is still in operation today. By putting too much trust into the topmost result returned by a search engine, a user of mine ended up ringing quite a few bells on the IDS and AV late yesterday night. Turns out the page the user got redirected to was hxxp://iframebiz.biz/dl/adv443.php (DONT click).

The content returned by this link is obfuscated and encoded JavaScript. Once decoded, it reads as follows (included as an image, to keep your antivirus from panicking):



Yes. A bunch of malware, no doubt, and trying to exploit quite a number of recent and not-so-recent vulnerabilities commonly found on a badly patched Windows workstation.  The Trojans it tries to download are by now pretty well known and recognized by most of the anti virus software. What irks me most, though, is that this sort of thing has been around for months. Checking with a DNS cache, I found that no less than nine different  DNS names have been used for this scam within the past week alone.

traffsale.biz 81.9.5.10; iframesite.biz 81.9.5.10; iframetraff.biz 81.9.5.10; toolbartraff.biz 81.9.5.10; buytraff.biz 81.9.5.10; iframecash.biz 81.9.5.10; toolbarurl.biz 81.9.5.10; iframebiz.biz 81.9.5.10; toolbarbiz.biz 81.9.5.10;

And guess what country 81.9.5.10 resides in ?  Yes, one of the CWIIAC, country-where-ISPs-ignore-all-complaints. I'm about to send them one more.


Keywords:
0 comment(s)

Comments


Diary Archives