Another one here, Trojan:JS/BlacoleRef.W missed: htxp://zulu.zscaler.com/submission/show/f58b27f17b497ce2c367cb12a7694ff5-1338582640
see VT results → htxps://www.virustotal.com/file/38addb00e677ec62da4d04da6344107aeaa00ba204ab3f02d9806d3e0284e85d/analysis/
see: htxp://urlquery.net/report.php?id=62312 (MDL: leads to exploit kit, detected 2012-06-01 13:22:00, live malware),
which avast should normally detect as HTML:RedirME-inf [Trj]
- Detected BlackHole exploit kit HTTP GET request
- Detected malicious injected iframe → iframe src='htxp://mazdaforumi.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
(the one we reported in the previous posting)
We see this is an ongoing problem through a malware campaign (5 hrs ago, 6 hrs ago) when we search for: htxp://www.google.nl/search?sugexp=chrome,mod=9&ix=h9&sourceid=chrome&ie=UTF-8&q=iframe+src%3D’http%3A%2F%2Fmazdaforumi.ru%3A8080%2Fforum%2Fshowthread.php%3Fpage%3D5fa58bce769e5c2c
reported to virus AT avast dot com,
polonus
Another Trojan:JS/BlacoleRef.W, not detected, htxps://www.virustotal.com/file/07ca7776a566cc872c2fd0602da135072e780a10b062175e00c2710f3f63a365/analysis/
from: htxp://zulu.zscaler.com/submission/show/af5d670395a65113f12e98337f95bb64-1338587387
see: htxp://urlquery.net/queued.php?id=62630
- Detected BlackHole exploit kit HTTP GET request
- Detected malicious injected iframe
reported to virus AT avast dot com
Hi Polonus,
Not a new exploit method given in your post regarding “wire-transfer.htm”.
I’ve seen the exact algorithm somewhere else.
Hi !Donovan,
Well then they are running a new campaign with this again. So old wine in new sacks, so to say. Thanks for your evaluation.
I just report what I see happening while scanning, and when I cannot get an avast detection, I immediately report back to the avast base,
well, analysts. I think you are developing a very good “feel” for the various varieties of malcoded scripts out there,
as it is inspiring for both of us,
polonus
See: htxp://vscan.urlvoid.com/analysis/e88bca0faa4901001e23d338727d9327/aW5kZXg=/
See: htxp://sitecheck.sucuri.net/results/www.wandelhalle-hamburg.de
reported to virus AT avast dot com,
polonus
Hacktool or backdoor not detected by avast: htxp://zulu.zscaler.com/submission/show/61e0aaa070b0a7ac40098af1a3a433f0-1338986102
and VT results: htxps://www.virustotal.com/file/80725340b7830288dfe4969eb070a542516a040efc2c1e6473b6051d086f46ab/analysis/
reported to virus AT avast dot com,
polonus
Mal/FBJack-A
Detection missed. Contains an obfuscated iframe; new Facebook HTML malware/spam; redirects to a faked Jason Bieber video.
https://www.virustotal.com/file/57726a46a0debac32dec0a06d1fa9df2b79566f2f8a2ef8754a66775e86f939c/analysis/1339141426/
reported to avast!
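Both the BlackHole report above (a hidden iframe injected into a forum page, pointing at an off-site host on port 8080) and this Facebook sample (an obfuscated iframe) are the kind of thing a site owner can triage locally before sending a sample to the vendor. The following is an added example written for this thread, not code from the forum or from avast: a small stand-alone Python checker that flags iframes that are off-site, on a non-standard port, one pixel in size or hidden by CSS, and reports common script-obfuscation markers (unescape, String.fromCharCode, long %XX or \xHH escape runs). The sample HTML, the hostnames (forum.example.invalid, www.example.org) and the page hash are constructed for the demonstration; the heuristics are the editor's and are not a substitute for a full scan.

```python
"""Triage helper: flag hidden/injected iframes and obfuscation markers in HTML.
Added example for the thread above; heuristics and sample data are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers that frequently accompany injected, obfuscated redirect scripts.
OBFUSCATION_MARKERS = [
    (re.compile(r"\bunescape\s*\("), "unescape()"),
    (re.compile(r"String\.fromCharCode"), "String.fromCharCode"),
    (re.compile(r"(%[0-9a-fA-F]{2}){8,}"), "long %XX-escaped run"),
    (re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"), "long \\xHH-escaped run"),
    (re.compile(r"document\.write\s*\(\s*unescape"), "document.write(unescape(...))"),
]

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _parse_src(src):
    """Return a parsed absolute http(s) URL, or None for empty/relative src."""
    if not src:
        return None
    if src.startswith("//"):          # protocol-relative URL
        src = "http:" + src
    url = urlparse(src)
    return url if url.scheme in ("http", "https") else None


def _tiny(value):
    """True for width/height values of 0 or 1 (optionally with a px suffix)."""
    try:
        return int(re.sub(r"px$", "", (value or "").strip().lower())) <= 1
    except ValueError:
        return False


def analyse_iframes(html, page_host):
    """Return a list of {'src', 'reasons'} for iframes that look injected/hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        src = attrs.get("src") or ""
        url = _parse_src(src)
        if url and url.hostname and url.hostname != page_host:
            reasons.append("off-site src %s" % url.hostname)
        if url and url.port not in (None, 80, 443):
            reasons.append("non-standard port %d" % url.port)
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def obfuscation_markers(html):
    """Return the labels of obfuscation markers present in the page source."""
    return [label for rx, label in OBFUSCATION_MARKERS if rx.search(html)]


# Constructed sample page: one legitimate same-site iframe, one injected
# hidden iframe on a non-standard port, and an unescape()-based writer.
SAMPLE_HTML = """<html><body><h1>Forum</h1>
<iframe src="http://forum.example.invalid:8080/forum/showthread.php?page=0123456789abcdef"
        width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://www.example.org/embed/video"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63'))</script>
</body></html>"""

if __name__ == "__main__":
    for f in analyse_iframes(SAMPLE_HTML, "www.example.org"):
        print("SUSPICIOUS IFRAME:", f["src"])
        for r in f["reasons"]:
            print("   -", r)
    print("obfuscation markers:", obfuscation_markers(SAMPLE_HTML))
```

Run it against a saved copy of the page source (not a live fetch from a production browser) and pass the site's own hostname as page_host; a legitimate same-site embed produces no finding, while an off-site one-pixel hidden iframe is reported with every reason that applies, which is exactly the shape of the injected iframe described in the report above.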
Hi MDRockstar,
This is because the suspicious file ltastd.exe is flagged as riskware. It might be opened by avast to be run first in the sandbox for evaluation,
polonus
DavidR
Not many of the larger AVs are detecting it either. Many that are, are using heuristics and are calling it PUP or riskware.
Hi DavidR,
Thank you for confirming the PUP status. The poster probably sent it because of this report: http://systemexplorer.net/db/ltastd.exe.html
polonus