[nsp-sec] ACK 174 RE: gumblar-style infections

Shelton, Steve sshelton at Cogentco.com
Wed May 12 13:19:03 EDT 2010


Dirk,

Thanks!  I'm on it!  I've seen this now for a few weeks.  The exploit
usually translates into a URL like the following.  The payload appears
to be down, still looking for a live exploit site at the moment.

// hxxp://english.aviny.com/aviny/biography.aspx

//CreateElement script  //
hxxp://youhelpnow.ru:8080/google.com/payserve.com/nikkansports.com.php 

2010-04-29 10:22:56	 2010-05-07 13:44:08	
0/39 (0.00%) unknown_html_google_malware
 http://youhelpnow.ru/


Steve Shelton
Security Engineer
Cogent Communications

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Dirk Stander
Sent: Wednesday, May 12, 2010 12:43 PM
To: nsp-sec
Subject: [nsp-sec] gumblar-style infections

----------- nsp-security Confidential --------

Hi,

please find attached a list of web sites with javascripts/iframes
redirecting to gumblar-style exploit hosts.

An example injection looks like this:
<script>this.v='';this.C=51578;this.C-=144;function W(){var
j="j";k={};var M=document;try [.. truncated ..]</script>
<!--8c831cfc3501fade343bbf9c5d556620-->

The format is:
<ASN> | <IP> | <CC> | <hits> | <domain> | <sample URL> | <first seen> | <last seen> | <AS desc>

    kind regards, Dirk :.

-----------------------------------------------------------------------------------------------

174 | 38.117.97.172 | US | 1 | english.aviny.com |
http://english.aviny.com/aviny/biography.aspx | Thu May  6 10:28:06 2010
| Thu May  6 10:28:06 2010 | COGENT Cogent/PSI
174 | 38.99.186.4 | US | 3 | creative.clicksor.com |
http://creative.clicksor.com/network_1065/1065/c235489578.html | Mon May
10 17:49:51 2010 | Mon May 10 22:10:39 2010 | COGENT Cogent/PSI
174 | 70.35.19.82 | CA | 1 | perdemodel.com | http://www.perdemodel.com/
| Tue May  4 20:07:30 2010 | Tue May  4 20:07:30 2010 | COGENT
Cogent/PSI
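The records above follow the nine-field pipe-delimited layout Dirk describes, but the archived mail has wrapped each record over several lines, which breaks a naive line-per-record parser. The following is an added example (not code from either poster or from the nsp-security list) that re-joins the wrapped records, parses the ctime-style timestamps, and totals hits per customer IP, the figure an abuse desk would triage on. The function names are mine; the sample input is the three records from the report, copied as they appear in the archive.

```python
"""Parse a line-wrapped nsp-sec style infected-site report and summarize it.

Added example. The record layout is the one stated in the message
(ASN | IP | CC | hits | domain | sample URL | first seen | last seen | AS desc);
the sample lines are the three records from the report above, including
the line wrapping the mail client introduced. Function names are assumptions.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

FIELDS = ("asn", "ip", "cc", "hits", "domain", "sample_url",
          "first_seen", "last_seen", "as_desc")

# Copied from the report in the thread, wrapping and all.
SAMPLE_REPORT = """\
174 | 38.117.97.172 | US | 1 | english.aviny.com |
http://english.aviny.com/aviny/biography.aspx | Thu May  6 10:28:06 2010
| Thu May  6 10:28:06 2010 | COGENT Cogent/PSI
174 | 38.99.186.4 | US | 3 | creative.clicksor.com |
http://creative.clicksor.com/network_1065/1065/c235489578.html | Mon May
10 17:49:51 2010 | Mon May 10 22:10:39 2010 | COGENT Cogent/PSI
174 | 70.35.19.82 | CA | 1 | perdemodel.com | http://www.perdemodel.com/
| Tue May  4 20:07:30 2010 | Tue May  4 20:07:30 2010 | COGENT
Cogent/PSI
"""

# A record begins with the ASN followed by a pipe; any other non-empty
# line is the continuation of the previous, wrapped record.
RECORD_START = re.compile(r"^\d+\s*\|")


def unwrap(text: str) -> List[str]:
    """Re-join records that the mailer wrapped onto several lines."""
    records: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
        else:
            raise ValueError(f"continuation line before any record: {line!r}")
    return records


def parse_time(s: str) -> datetime:
    """Timestamps use ctime() layout, e.g. 'Thu May  6 10:28:06 2010'.
    Collapse the padding space before single-digit days first."""
    return datetime.strptime(" ".join(s.split()), "%a %b %d %H:%M:%S %Y")


def parse_record(line: str) -> Dict[str, object]:
    """Split one unwrapped record into typed fields; reject malformed rows."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(
            f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, object] = dict(zip(FIELDS, parts))
    rec["asn"] = int(rec["asn"])
    rec["hits"] = int(rec["hits"])
    rec["first_seen"] = parse_time(rec["first_seen"])
    rec["last_seen"] = parse_time(rec["last_seen"])
    return rec


def parse_report(text: str) -> List[Dict[str, object]]:
    """Unwrap and parse every record in a report."""
    return [parse_record(r) for r in unwrap(text)]


def hits_by_ip(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Total reported hits per customer IP, for abuse-desk prioritisation."""
    totals: Counter = Counter()
    for r in records:
        totals[r["ip"]] += r["hits"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for r in recs:
        print(f'{r["ip"]:<15} {r["domain"]:<25} hits={r["hits"]} '
              f'last={r["last_seen"]:%Y-%m-%d %H:%M}')
    print(hits_by_ip(recs))
```

The record-start regex is the only assumption about the wrapping: a continuation line can begin with a number (as `10 17:49:51 2010 ...` does), so the match requires the pipe that follows the ASN rather than a bare leading integer.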
