system
March 20, 2015, 4:26pm
This is one of the 5 links in a banner ad from Baidu on a game site.
htxp://cpro.baidu.com/cpro/ui/uijs.php?c=news&cf=2&ch=0&di=1&fv=16&jk=91e2023920fb9368&k=%B3%E8%CE%EF%BE%AB%C1%E9&k0=%B3%E8%CE%EF%BE%AB%C1%E9&kdi0=1&luki=2&n=10&p=baidu&q=7k7kcom_cpr&rb=0&rs=1&seller_id=1&sid=6893fb203902e291&ssp2=1&stid=116&t=tpclicked3_hc&tu=u1999822&u=http%3A%2F%2Fwww%2E7k7k%2Ecom%2Fflash%2F121308%2Ehtm&urlid=0
I scanned it in VirusTotal and got this: https://www.virustotal.com/en/url/e4482306d56d4ca8ae1d045674040ab506296797a9c0b80e57bdd419a68c7f17/analysis/1426867969/
In Sucuri SiteCheck, it is detected as "MW:HTA:7" (http://labs.sucuri.net/db/malware/malware-entry-mwhta7).
See: http://sitecheck.sucuri.net/results/cpro.baidu.com
Is there a redirect to a malware site, as stated?
Hi rickyyeung,
The link you gave is part of a phishing campaign, according to Sucuri's:
Website Malware MW:HTA:7 htxp://cpro.baidu.com/cpro/ui/f.js" type="text/javascript"&g … ( View Payload )
Website Malware MW:HTA:7 htxp://cpro.baidu.com/cpro/ui/f.js"&g … ( View Payload )
Domain detected on spam or phishing campaigns. Details: http://sucuri.net/malware/entry/MW:HTA:7
This specific URL was identified in malicious campaigns to disseminate malware.
Example, read here: http://www.whitefirdesign.com/resources/fgnfdfthrvbeepl-malware.html
Three warnings on this scan: https://asafaweb.com/Scan?Url=cpro.baidu.com
Conditional redirects - .htaccess malware - http://labs.sucuri.net/db/malware/malware-entry-mwhta7
Sucuri blacklisted - Site blacklisted for being used to distribute malware.
PHP / HPHP Compatibility Issues Detected - pol
IP badness survey: https://www.virustotal.com/en/ip-address/115.239.211.17/information/
Avast detects:
Win32:Viking-CF
Win32:Trojan-gen (a Spy-Agent family member)
Win32:Evo-gen [Susp]
polonus
In the cloud results from the tracker-tracker tool:
- cpro.baidu.com/cpro/ui/uijs.php?c=news&cf=2&ch=0&di=1&fv=16&jk=91e2023920fb9368&k=%B3%E8%CE%EF%BE%AB%C1%E9&k0=%B3%E8%CE%EF%BE%AB%C1%E9&kdi0=1&luki=2&n=10&p=baidu&q=7k7kcom_cpr&rb=0&rs=1&seller_id=1&sid=6893fb203902e291&ssp2=1&stid=116&t=tpclicked3_hc&tu=u1999822&u=htxp%3A%2F%2Fwww%2E7k7k%2Ecom%2Fflash%2F121308%2Ehtm&urlid=0
- cpro.baidu.com/cpro/ui/uijs.php ad c=news&cf=2&ch=0&di=1&fv=16&jk=91e2023920fb9368&k=%B3%E8%CE%EF%BE%AB%C1%E9&k0=%B3%E8%CE%EF%BE%AB%C1%E9&kdi0=1&luki=2&n=10&p=baidu&q=7k7kcom_cpr&rb=0&rs=1&seller_id=1&sid=6893fb203902e291&ssp2=1&stid=116&t=tpclicked3_hc&tu=u1999822&u=htxp%3A%2F%2Fwww%2E7k7k%2Ecom%2Fflash%2F121308%2Ehtm&urlid=0 1572 2500 2015-03-20 22:09:10 (cpro|cbjs|hm).baidu.com nil Baidu Ads
Here there is a trojan; see the HTTP request given here:
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Clicker-GF/detailed-analysis.aspx
See the tracker-tracker results mentioned there. Do not open links from the txt file in a browser. Info for research purposes only. Re: http://totalhash.com/network/dnsrr:www.mootolola.com (hash, ip, mutex, pdb, registry, url, useragent, version).
pol