[nsp-sec] msn trojan (ping microsoft)

Ross, Jason Jason.Ross at GlobalCrossing.com
Wed Jun 18 21:48:21 EDT 2008


Random chatter with miscreants tonight led me to this.

VirusTotal already has it, and it's far from undetectable: hxxp://www.virustotal.com/analisis/99efa2f129a6e19f99e92c48593b0cf4, so it is likely already known to those on this list, but I figured I'd pass it on since the malware appears to be hosted in Microsoft-owned space (based on the AS description, anyway).


====

hxxp://gusanito.selfip.com/?/recoge/postal/342/rst342SdG3 loads hxxp://oiolop.cn/wp-admin/index.html?/recoge/postal/342/rst342SdG3 inside a frameset (a regular one, not even iframe!)

That site in turn has a (badly) hidden <a> tag for hxxp://ajuvoa.bay.livefilestore.com/y1pP6f-tkgzZfiwlAy1krq27hyhQ1jWTQXfjAX5tr8nLXGcRAn3b2tzmdnlT-ip7y_OC0jQY0ph-WM-Ly9T3ptTwlUtufbSDv5q/Tarjeta.exe

gusanito.selfip.com has address 63.208.196.110
oiolop.cn has address 74.220.220.67

ajuvoa.bay.livefilestore.com is an alias for baylfs.storage.msn.com.nsatc.net.
baylfs.storage.msn.com.nsatc.net has address 207.46.120.36
ajuvoa.bay.livefilestore.com is an alias for baylfs.storage.msn.com.nsatc.net.
ajuvoa.bay.livefilestore.com is an alias for baylfs.storage.msn.com.nsatc.net.

====

AS      | IP               | AS Name
33517   | 63.208.196.110   | DYNDNS - Dynamic Network Services, Inc.
11798   | 74.220.220.67    | BLUEHOST-AS - Bluehost Inc.
8075    | 207.46.120.36    | MICROSOFT-CORP---MSN-AS-BLOCK - Microsoft Corp


--
Jason Ross
Global Crossing
Information Security
GPG Key ID : 0xEC11B25A
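A triage check for the lure chain described in the post (a frameset that pulls in a page from a second host, which in turn hides an anchor pointing at an executable), added here as an example and not code from the original post or its author; the sample HTML, URLs and hostnames are constructed, and the list of flagged file extensions is an assumption.

```python
"""Flag cross-host framesets and (hidden) anchors to executables in fetched HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: extensions a defender would want flagged in a lure page.
EXE_SUFFIXES = (".exe", ".scr", ".com", ".pif")


class LureScanner(HTMLParser):
    """Collects (finding_kind, url) tuples while parsing one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and a.get("src"):
            # Stage 1 pattern: a frame whose content comes from another host.
            host = urlparse(a["src"]).hostname
            if host and host != self.page_host:
                self.findings.append(("cross-host-frame", a["src"]))
        elif tag == "a" and a.get("href"):
            # Stage 2 pattern: a link to an executable, possibly hidden via CSS.
            path = urlparse(a["href"]).path.lower()
            if path.endswith(EXE_SUFFIXES):
                style = (a.get("style") or "").replace(" ", "").lower()
                hidden = "display:none" in style or "visibility:hidden" in style
                kind = "hidden-exe-link" if hidden else "exe-link"
                self.findings.append((kind, a["href"]))


def scan(page_url, html):
    """Return the findings for one page body fetched from page_url."""
    scanner = LureScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample pages mimicking the two stages (not captured content).
STAGE1_URL = "http://lure.example/?/recoge/postal/342"
STAGE1_HTML = ('<html><frameset rows="100%">'
               '<frame src="http://second.example/wp-admin/index.html">'
               '</frameset></html>')
STAGE2_URL = "http://second.example/wp-admin/index.html"
STAGE2_HTML = ('<html><body><p>Tarjeta postal</p>'
               '<a style="display: none" href="http://files.example/y1p/Tarjeta.exe">ver</a>'
               '</body></html>')

if __name__ == "__main__":
    for url, body in ((STAGE1_URL, STAGE1_HTML), (STAGE2_URL, STAGE2_HTML)):
        print(url, scan(url, body))
```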
