[nsp-sec] Nasty fast-fluxed sites containing javascript malcode [FICORA #183472]
Jose Nazario
jose at arbor.net
Sat Jul 12 18:44:44 EDT 2008
IIRC this is asprox/danmec.
New fast-flux domain names appear every few hours, active right away.
New names for the JS files appear every few days.
On Sat, 12 Jul 2008, Alan wrote:
> ----------- nsp-security Confidential --------
>
> Previous mail was deleted by gw
>
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Alan
> Sent: Friday, July 11, 2008 5:07 PM
> To: 'Huopio Kauto'; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Nasty fast-fluxed sites containing javascript malcode
> [FICORA #183472]
>
> ----------- nsp-security Confidential --------
>
> Ngg.js, according to the code:
>
> 1. Not vulnerable to CN, TW, RU, KO...
> 2. Other countries will go into the if statement and read the cookie value "updngg"; if
> it exists, it will do nothing. (It only affects first-time browsing users, and
> the cookie period is 11 hr.)
> We think this is to prevent analysis or some trigger condition.
> 3. If the condition is met, then it will connect to the malicious iframe link.
>
> And we think these hackers don't want to become a global threat, because
> if it does, every security company will try to solve the sites.
> The other possibility is that maybe they have a unique 0day exploit but
> targeting a specified language version.
> That's why they use language to identify users.
>
>
> Regards,
> Alan Lee
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Huopio Kauto
> Sent: Friday, July 11, 2008 4:13 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Nasty fast-fluxed sites containing javascript malcode
> [FICORA #183472]
>
> ----------- nsp-security Confidential --------
>
> Hi folks,
>
> The following URLs relate to a javascript that we found
> in a Finnish website. Very fresh domain registrations
> and heavily fast-fluxed. Any analysis?
>
> Takedown of the domains and sites etc. is more than welcome.
>
>>> hxxp://bkpadd.mobi/cgi-bin/index.cgi?ad
>>> hxxp://usaadw.com/cgi-bin/index.cgi?ad
>>> hxxp://drvadw.com/cgi-bin/index.cgi?ad
>>> hxxp://adwnetw.com/cgi-bin/index.cgi?ad
>>> hxxp://loopadd.com/cgi-bin/index.cgi?ad
>
> This seems to be related with SQL injection attacks and
> ngg.js. Just google ngg.js..
>
> --Kauto
>
> Kauto Huopio - kauto.huopio at ficora.fi
> Senior information security adviser
> Finnish Communications Regulatory Authority / CERT-FI
> tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
> CERT-FI watch desk daytime: +358-9-6966510
> CERT-FI 24/7 on-call duty officer: +358-44-0120123 / http://www.cert.fi
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
--
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
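The thread's observations about the hosting (very fresh registrations, "heavily fast-fluxed", new domains every few hours) are the kind of thing a resolver operator can score automatically from passive-DNS style records. The following is an added example, not code from the thread or from any of the posters: a small fast-flux heuristic that groups A-record observations per name and flags names whose answers have short TTLs, many distinct addresses, and addresses spread across many /24 blocks. The thresholds, the `Observation` record layout, and the sample data (names `fluxed.example` and `static.example`, 10.x.x.x addresses) are all constructed assumptions for illustration.

```python
"""Fast-flux scoring over constructed passive-DNS style A-record observations.

Added example: not code from the thread. Thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Observation:
    ts: int      # unix seconds when the answer was seen
    name: str    # queried domain
    ip: str      # answered IPv4 address
    ttl: int     # TTL carried by the answer


@dataclass
class FluxReport:
    name: str
    distinct_ips: int
    distinct_prefixes: int   # number of distinct /24 blocks among the answers
    min_ttl: int
    ips_per_hour: float      # distinct addresses per hour of observation window
    suspicious: bool


def summarize(observations, max_ttl=300, min_ips=5, min_prefixes=3):
    """Group observations by name and apply the fast-flux heuristic.

    A name is flagged when its lowest observed TTL is at most max_ttl, it answered
    with at least min_ips distinct addresses, and those addresses span at least
    min_prefixes distinct /24 blocks (flux networks rotate across unrelated hosts,
    while a legitimate load-balanced name usually stays inside a few prefixes).
    """
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.name].append(o)

    reports = {}
    for name, obs in by_name.items():
        ips = {o.ip for o in obs}
        prefixes = {ip_network(f"{o.ip}/24", strict=False) for o in obs}
        span = max(o.ts for o in obs) - min(o.ts for o in obs)
        hours = max(span / 3600.0, 1.0)   # floor at one hour so a single sample is not infinite churn
        min_ttl = min(o.ttl for o in obs)
        suspicious = (min_ttl <= max_ttl
                      and len(ips) >= min_ips
                      and len(prefixes) >= min_prefixes)
        reports[name] = FluxReport(name, len(ips), len(prefixes), min_ttl,
                                   len(ips) / hours, suspicious)
    return reports


def sample_observations():
    """Constructed sample: one name rotating across six /24s with a 180 s TTL over
    2.5 hours, and one name alternating between two addresses in one /24 with a
    one-hour TTL. Addresses are made up for the example."""
    fluxed = [
        Observation(ts, "fluxed.example", ip, 180)
        for ts, ip in zip(range(0, 9001, 1800),
                          ["10.1.1.1", "10.2.5.9", "10.3.7.2",
                           "10.4.9.8", "10.5.2.3", "10.6.6.6"])
    ]
    static = [
        Observation(0, "static.example", "192.0.2.10", 3600),
        Observation(7200, "static.example", "192.0.2.11", 3600),
    ]
    return fluxed + static


if __name__ == "__main__":
    for report in summarize(sample_observations()).values():
        flag = "FLUX?" if report.suspicious else "ok"
        print(f"{report.name:16} ips={report.distinct_ips} /24s={report.distinct_prefixes} "
              f"min_ttl={report.min_ttl} ips/h={report.ips_per_hour:.1f} {flag}")
```

In practice the observations would come from the resolver's query log or a passive-DNS feed rather than the constructed list above, and a flagged name is a prompt for analyst review (and a candidate for the takedown requests Kauto asks for), not an automatic block on its own.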