[nsp-sec] Wannabrowser - possible embedded malcode
Matthew.Swaar at us-cert.gov
Thu Oct 30 18:09:00 EDT 2008
I'm now getting word that wannabrowser[dot]com has been cleaned, but I
cannot verify that myself.
When it was being abused (including earlier today), there was some
obfuscated javascript that downloaded a binary (targeting Adobe Flash I
think, don't know what version yet) from 91.142.64.91.
This installed a Trojan, which then got a config from:
hxxp://3876373tr.org/baasseulu/mix1/cfg.bin (91.142.64.112)
Keylogger data was apparently sent to:
hxxp://3876373tr.org/baasseulu/nehyaq.php (also 91.142.64.112)
V/R,
Matt Swaar
US-CERT Analyst
-----Original Message-----
From: Swaar, Matthew
Sent: Thursday, October 30, 2008 4:29 PM
To: nsp-security at puck.nether.net
Subject: Wannabrowser - possible embedded malcode
Heads up, I'm getting (very credible) reports that wannabrowser[dot]com
has some obfuscated javascript on it and is installing malware. This
supposedly started around the 21st, but that date isn't firm. I've
heard that 'noscript' isn't preventing this, but I can't validate that.
More information when I have release authority.
V/R,
Matt Swaar
US-CERT Analyst
Matthew.swaar at us-cert.gov
(703) 235-5111
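The two messages above list the indicators of the Wannabrowser infection chain (compromised site, binary download host, Trojan config fetch, keylogger exfiltration URL) in defanged form. The script below is an added example, not part of the list post, showing how a defender would re-fang those indicators and sweep proxy logs for them, grouping hits per client so a machine that touched several stages of the chain stands out. The log lines are constructed sample data in a squid-style layout; only the indicators come from the report.

```python
"""Sweep proxy log lines for the IoCs reported in the Wannabrowser thread."""
import re
from collections import defaultdict

# Indicators exactly as given in the report (defanged with [dot] / hxxp).
REPORT_IOCS = {
    "wannabrowser[dot]com": "compromised site serving obfuscated JavaScript",
    "91.142.64.91": "binary download host",
    "hxxp://3876373tr.org/baasseulu/mix1/cfg.bin": "Trojan config fetch",
    "hxxp://3876373tr.org/baasseulu/nehyaq.php": "keylogger exfiltration",
    "91.142.64.112": "hosting IP for 3876373tr.org",
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Return the literal form of a defanged indicator so it can be matched."""
    return (ioc.replace("hxxp://", "http://")
               .replace("hxxps://", "https://")
               .replace("[dot]", ".")
               .replace("[.]", "."))


def build_matchers(iocs):
    """Compile one regex per indicator.

    URLs are matched on host+path so scheme differences in the log do not
    matter; bare IPs get boundaries so 91.142.64.91 cannot match 91.142.64.911.
    """
    matchers = []
    for ioc, label in iocs.items():
        literal = refang(ioc)
        if literal.startswith(("http://", "https://")):
            literal = literal.split("://", 1)[1]
            pattern = re.escape(literal)
        elif IPV4.match(literal):
            pattern = r"(?<![\d.])" + re.escape(literal) + r"(?![\d.])"
        else:
            pattern = re.escape(literal)
        matchers.append((ioc, label, re.compile(pattern, re.IGNORECASE)))
    return matchers


# Constructed sample proxy lines (timestamp, client, status, method, URL).
SAMPLE_LOG = """\
1225393020.123 10.0.0.5 TCP_MISS/200 GET http://wannabrowser.com/index.php
1225393021.456 10.0.0.5 TCP_MISS/200 GET http://91.142.64.91/load.exe
1225393025.789 10.0.0.5 TCP_MISS/200 GET http://3876373tr.org/baasseulu/mix1/cfg.bin
1225393030.001 10.0.0.5 TCP_MISS/200 POST http://3876373tr.org/baasseulu/nehyaq.php
1225393031.002 10.0.0.7 TCP_MISS/200 GET http://example.org/
"""


def scan(log_text, iocs=REPORT_IOCS):
    """Return (line_no, client_ip, ioc, label) for every log line hitting an IoC."""
    hits = []
    matchers = build_matchers(iocs)
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        client = fields[1] if len(fields) > 1 else "?"
        for ioc, label, rx in matchers:
            if rx.search(line):
                hits.append((n, client, ioc, label))
    return hits


def stages_per_client(hits):
    """Map each client IP to the set of chain stages (labels) it was seen touching."""
    stages = defaultdict(set)
    for _, client, _, label in hits:
        stages[client].add(label)
    return dict(stages)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d client %s hit %s (%s)" % hit)
    for client, stages in stages_per_client(scan(SAMPLE_LOG)).items():
        print(client, "->", len(stages), "stage(s):", sorted(stages))
```

A client that only visited the compromised site may have been served the script without the exploit succeeding; one that also fetched cfg.bin or posted to nehyaq.php should be treated as infected and checked for the keylogger.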