polonus
February 24, 2011, 10:27pm
1
polonus
February 25, 2011, 2:24pm
3
Hi Pondus,
As threats seem to be short-lived in the ever-changing threat landscape, this one apparently also was. In jsunpack I get: "[not analyzed] rumintuiha dot org/dududu.js
status: (referer=www.google.com/trends/hottrends )failure:
for the second one I also get: "[not analyzed] rumintuiha dot org/ywdngzevkw.php?n=2202
status: (referer=www.google.com/trends/hottrends )failure:
But when I open the Wepawet analysis in Wepawet, I get an avast WebShield block for JS:ScriptSH-inf [Trj] in chrome.exe.
Rumintuiha.org is currently hosted at LLC Stone Star. The IP 194.247.58.51 links to a server in Star, Russian Federation. The company behind this all is LLC Stone Star. Webutation says: "Domain cannot be accessed at this time. Please try again later or check for typos" when trying to access the URL I pointed to; the main domain is clean: http://www.webutation.net/en/review/rumintuiha.org
Also look here: http://amada.abuse.ch/?search=194.247.58.51 listed as online and infected; this concerns
htxp://194.247.58.51/ir7.php?i=15 → analyzed here: http://www.virustotal.com/url-scan/report.html?id=f06c0b1a48b42ee908eba4e7eb47038c-1298639706
This is where our particular trojan that avast flagged was present on the Internet:
http://support.clean-mx.de/clean-mx/viruses.php?virusname=mdl_trojan%20Carberp&sort=first%20desc
but the response there is apparently dead.
But there was the Phoenix toolkit for sure at that IP, and it was not detected:
http://www.virustotal.com/file-scan/report.html?id=2051f64ba897925e4c33867d7edf69e8a5880272b497dfe7a3616313cdca8370-1297619267
More recent, where avast detects it as Win32:Carberp-E, so SOLVED.
polonus
nmb
February 25, 2011, 5:08pm
4
There is a recent version on VirusTotal where AVG detects it. Check here. I guess they added it after the js was submitted to VT; that is why it didn't detect previously but now it detects.
polonus
February 25, 2011, 10:54pm
5
Hi nmb,
There is a nice write-up here by evilfingers on the Phoenix Exploit's Kit, to be found at his blog:
http://evilfingers.blogspot.com/2009/09/phoenix-exploits-kit-another.html
another web application developed in PHP and originally from Eastern Europe; it can be found in this list as well →
http://page2rss.com/page?url=www.malwaredomainlist.com/mdl.php?sort=Date%26search=%26colsearch=All%26ascordesc=DESC%26quantity=100%26page=0
e.g. 011/02/14_20:20 taklonaft dot com/ywdngzevkw.php?n=dekrek 194.247.58.51 vpn6-dip-t-pool2-194-247-58.51.sevpn.com . Phoenix exploit kit Ilnar Galimov etc.
polonus