Hi malware fighters, another fake AV redirecting site to include…
2010-06-12 23:14:18 (GMT 1)
Website schuiling*net
Domain Hash 9c082f0a211d3fc7877cc13d7742c219
IP Address 69.89.22.118
IP Hostname box118.bluehost.com
IP Country US (United States)
AS Number 11798
AS Name BLUEHOST-AS - Bluehost Inc.
Detections 2 / 20 (10 %)
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=peruvian%20prisons
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=prop%2016%20polling
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=puzzle%20pirates%20forums
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=realm%20status%20addon
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=robert%20mutt%20lange%20and%20marie-anne%20thiebaud
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=strasburg
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=taboo%20black%20eyed%20peas%20son
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=us%20open%20tennis%202010%20american%20express
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=virtual%20retinal%20display%20pdf
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=world%20cup%20brackets
presents us with a double redirect, after a failure:
STATUS suspicious…
This is the latest malware craze infected CNN adbanner code ;D
This is all in fun, but it is a reality that no code is left alone by the malcreants to scheme another obfuscated injection scheme; the Internet is becoming a scary place for webmasters who want to keep their website’s code clean.
Another one reported here:
Website westernwinds.net
Domain Hash f75afbc2b730096197625b5e49c7a496
IP Address 66.96.130.112
IP Hostname 112.130.96.66.static.eigbox.net
IP Country US (United States)
AS Number 29873
AS Name BIZLAND-SD - The Endurance International Grou…
Detections 2 / 18 (11 %)
Status SUSPICIOUS
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=obama%20address%20to%20students%20transcript
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=pic%20hunter
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=rick%20rubin%20myspace
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=san%20diego%20union%20tribune%20crossword
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=san%20diego%20union%20tribune%20newspaper
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=spirit%20airline%20strike
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=svk
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=swype%20for%20iphone
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=tony%20award%20winners%202009
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=watch%20true%20blood%20online%20for%20free%20streaming
Redirecting to cnn.com again
Here is where it happens
info: [decodingLevel=1] found JavaScript
error: line:4: SyntaxError: missing ] after element list:
error: line:4: [native code]
error: line:4: ................^
A series of redirect links ultimately leads to a site that looks similar to a Microsoft Windows screen with a popup claiming the PC is overrun with malware. The user is prompted to download rogue anti-virus to fix the imaginary problem.
While it’s not the most convincing attack we’ve ever seen, there’s nothing to stop attackers from using the same technique to push web-based exploits, say the Adobe Reader zero-day attack that’s now circulating in the wild.
The links work because appleinsider.com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. Here are a few examples with some of the malicious XSS advertisements (do not follow these or other “hxxp” URLs below): http://cyberinsecure.com/wp-content/uploads/2009/12/xss.png
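As an added defender-side example (not part of the post or of the quoted scan reports), the Python below parses "Threat Name:" / "Location:" lines in the format shown above and groups the hits by host, script path and query parameter, flagging scripts that serve several distinct search-phrase values through one parameter, the pattern visible in both qamju.php and fevcf.php. The sample report is constructed from the URL shapes in the post, and the phrase heuristic and threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample, modelled on the defanged ("htxp") report lines in the post.
SAMPLE_REPORT = """\
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=peruvian%20prisons
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://schuiling.net/qamju.php?on=world%20cup%20brackets
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=spirit%20airline%20strike
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://westernwinds.net/fevcf.php?topic=swype%20for%20iphone
Location: htxp://example.invalid/index.php?id=42
"""

def parse_locations(report):
    """Yield (threat, url) pairs; a Location with no preceding Threat Name gets threat=None."""
    threat = None
    for line in report.splitlines():
        if line.startswith("Threat Name:"):
            threat = line.split(":", 1)[1].strip()
        elif line.startswith("Location:"):
            url = line.split(":", 1)[1].strip()
            # Restore the defanged scheme (htxp/hxtp/hxxp) so urlsplit can parse it.
            url = re.sub(r"^h[tx]{2}p(s?)://", r"http\1://", url)
            yield threat, url
            threat = None

def looks_like_search_phrase(value):
    """Heuristic (assumption): two or more plain words, e.g. 'world cup brackets'."""
    words = value.split()
    return len(words) >= 2 and all(re.fullmatch(r"[a-z0-9'-]+", w, re.I) for w in words)

def keyword_scripts(report, min_phrases=2):
    """Return {(host, path, param): [phrases]} for scripts that received at least
    min_phrases distinct search-phrase values via a single query parameter."""
    phrases = defaultdict(set)
    for _, url in parse_locations(report):
        u = urlsplit(url)
        # parse_qs percent-decodes the values, so '%20' becomes a space here.
        for param, values in parse_qs(u.query).items():
            for v in values:
                if looks_like_search_phrase(v):
                    phrases[(u.netloc, u.path, param)].add(v)
    return {k: sorted(v) for k, v in phrases.items() if len(v) >= min_phrases}

if __name__ == "__main__":
    for key, found in keyword_scripts(SAMPLE_REPORT).items():
        print(key, found)
```

Run against a larger export, the same grouping makes a redirector script stand out as one path receiving dozens of unrelated search phrases, while ordinary parameters such as numeric ids never qualify.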