Unknown html = s p a m seo malware

See: https://www.virustotal.com/en/url/69a69338e8041d36aadca4f03cae69eefbe8dbec1e9b4786f0806f71587f0b3e/analysis/1361477081/
and http://zulu.zscaler.com/submission/show/73d0a1298e121c494358e3aae1a0d4c2-1361477138
No alerts here: http://urlquery.net/report.php?id=1063913
But flagged here: http://sitecheck.sucuri.net/results/ned.webalan.ru
The location line in the header above has redirected the request to: htxp://ned.webalan.ru/language/sv-SE/update.php?q=GOLAYA-DEVOCHKA
which is infected with BV:Bicololo-BL [Trj] avast should detect
See: http://f.virscan.org/GOLAYA-DEVOCHKA.exe.html
malware analysis: http://anubis.iseclab.org/?action=result&task_id=1cf1390512f786d34654b69f547f4add1

polonus

first zipped
https://www.virustotal.com/nb/file/0eaa8a90f1eb5ce9dccfcf7d83a6e4dc7f330238895e2a853e2606fef0f386d6/analysis/1361480017/

unzipped
https://www.virustotal.com/nb/file/af2f6bc331ddbf6401b342e21947f949a92143d7f8dea3e6a1dcefca18bcefb2/analysis/1361480090/

First seen by VirusTotal
2013-02-21 20:54:50 UTC ( 1 minutt ago )

Malwarebytes detect as Trojan.Agent.VBS as seen in VT scan

Hi Pondus,

Thank you very much for checking,

polonus

What is the malware here? Unknown html = tracking: http://urlquery.net/report.php?id=1073320 (nothing)
http://www.urlvoid.com/scan/alec.tv/ (nothing)
Potential suspicious: wXw.alec.tv/wp-content/plugins/wp-lightboxJS/lightbox.js benign
[nothing detected] (script) wXw.alec.tv/wp-content/plugins/wp-lightboxJS/lightbox.js
status: (referer=wXw.alec.tv/)saved 12015 bytes 091957fb24d31cb11763dd94049961b91abde382
info: [decodingLevel=0] found JavaScript
error: undefined function document.getElementsByTagName(“body”).item
suspicious:
Flagged here: https://www.virustotal.com/nb/url/c0d3a1e74937474bea3faa636b12956f83e8cc3e758c347a6ef864f4709f2f90/analysis/1361565274/
Evidence of twitter SEO spam malware: http://support.clean-mx.com/clean-mx/view_evidence?id=9552486&table=viruses (htxp://www.wpshower.com)
line 194 has 194: < li> < a href=“mailto:wpshowerATgmail dot com” title=“E-mail”> Send me an E-mail< /a> < /li>
Also read: http://www.makeuseof.com/tag/5-tips-tricks-avoid-facebook-phishing-scams/ (link article author = Nancy Messieh) on facebook scams ! Facebook phishing…

polonus

Sucuri
http://sitecheck.sucuri.net/results/www.alec.tv/

virustotal
https://www.virustotal.com/nb/file/a27184d9d9aed0dcf1d78e33139054e22210392222b21215c8abd70a7b724769/analysis/1361568212/

Hi Pondus,

And what about this unknown html, flagged by clean-mx VM: Up(nil): unknown_html ARIN US abuse at support.olm dot net 65.18.171.86 to 65.18.171.86 tinbuent.com htxp://www.tinbuent.com/ent/js/tinbuEntertainment.js
Nothing here: http://sitecheck.sucuri.net/results/www.tinbuent.com nor here: http://www.urlvoid.com/scan/tinbuent.com/
Obfuscated js decodes to this link: src='htxp://www.tinbuadserv.com/js/integrate/ads_common.js
from wXw.tinbuserver.com/tbst/go.php → var tbxldnebs = “rmxb6a99c694s8t207195h83kkj083a422mq7r4golix0”;
wXw.tinbuent.com/ent/new/js/integrate/module.js to a chunk of obfuscated script decoding to Quantcast code…
See: -http://jsunpack.jeek.org/?report=d8e7341a335ec946e0078432fdfe6c73b94dc0b0 (for the security aware only, visit link with NoScript and RequestPolicy extensions active and in a VM/sandbox) for code see attached image
And here it is finally alerted for what it is: http://urlquery.net/report.php?id=1080208
IDS alert: ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding
Gmane lists this group of alerts here: Various Shellcode/Obfuscation: http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/8916
(link article author = Kevin Ross) Read a Sophos write up on this: http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/malware-with-your-mocha.aspx (link article author = Fraser Howard)

pol

nope…nada
https://www.virustotal.com/nb/file/762041db4f91969406d17d83a8e9f1de4b659c7412325a0983bc25b889afba6b/analysis/1361634708/

Hi Pondus,

Here we have a plethora of such IDS alerts for IP 174.132.148.57: http://urlquery.net/report.php?id=1079518
2013-02-23 13:24:28 174.132.148.57 urlQuery Client 2 ET WEB_CLIENT Hex Obfuscation of document.write % Encoding
2013-02-23 13:24:28 174.132.148.57 urlQuery Client 2 ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding
2013-02-23 13:24:28 174.132.148.57 urlQuery Client 2 ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding
2013-02-23 13:24:28 174.132.148.57 urlQuery Client 2 ET WEB_CLIENT Hex Obfuscation of substr % Encoding
2013-02-23 13:24:28 174.132.148.57 urlQuery Client 2 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
2013-02-23 13:24:28 174.132.148.57 urlQuery Client 2 ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding
2013-02-23 13:24:29 urlQuery Client 64.74.223.37 2 ET CURRENT_EVENTS TDS Sutra - request in.cgi
2013-02-23 13:24:29 urlQuery Client 64.74.223.37 2 ET CURRENT_EVENTS TDS Sutra - request in.cgi
4 blacklist rankings: http://www.urlvoid.com/scan/lawofattractionworld.com/
see: http://yandex.com/yandsearch?text=lawofattractionworld.com%2F
Compare: http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-December/010879.html
credits posted by Kevin Ross

polonus
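The "ET WEB_CLIENT Hex Obfuscation of ... % Encoding" alerts listed above fire when script tokens are hidden behind %XX or \xXX escaping. The check below reproduces that idea offline as an added example; it is not code from this thread, from urlQuery or from Emerging Threats, and the three script samples it scans are constructed for the demonstration (the WATCHED token list is an assumption drawn from the alert names).

```python
import re
from urllib.parse import unquote

# Tokens named in the alert family quoted above (assumption: taken from the alert names).
WATCHED = ("<script", "document.write", "charcodeat",
           "string.fromcharcode", "substr", "unescape")

PCT = re.compile(r"(?:%[0-9a-fA-F]{2})+")          # runs of %XX escapes
BACKSLASH_X = re.compile(r"(?:\\x[0-9a-fA-F]{2})+")  # runs of \xXX escapes


def decode_layer(text):
    """Decode one layer of %XX and \\xXX escapes; all other text is left as is."""
    text = PCT.sub(lambda m: unquote(m.group(0)), text)
    text = BACKSLASH_X.sub(
        lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"),
        text)
    return text


def hidden_tokens(script, max_layers=3):
    """Return watched tokens that appear only after decoding, i.e. were hidden
    by escaping. Tokens already readable in the source are not reported, so a
    plain document.write("...") does not produce an alert."""
    visible = {t for t in WATCHED if t in script.lower()}
    decoded, found = script, set()
    for _ in range(max_layers):  # peel nested encodings (%2573 -> %73 -> s)
        nxt = decode_layer(decoded)
        if nxt == decoded:
            break
        decoded = nxt
        found |= {t for t in WATCHED if t in decoded.lower()}
    return sorted(found - visible)


# Constructed samples; they are not taken from any site mentioned in the thread.
BENIGN = 'document.write("<p>hello</p>")'
HIDDEN_SCRIPT_TAG = ("eval(unescape('%3C%73%63%72%69%70%74%20%73%72%63%3D%22"
                     "http://example.invalid/a.js%22%3E%3C%2F%73%63%72%69%70%74%3E'))")
HIDDEN_DOC_WRITE = r'eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74.write(x)")'

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("script tag", HIDDEN_SCRIPT_TAG),
                         ("document.write", HIDDEN_DOC_WRITE)):
        print(f"{name:15s} hidden tokens: {hidden_tokens(sample)}")
```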

Not detected: https://www.virustotal.com/nb/url/db175455a5010cb5b4c374e3967f974779b37a78fb4aa56c0d7117d4f9a81357/analysis/
see: https://www.virustotal.com/nb/file/8c8df862b4615c0599e9ca630bf1169b9bf54299454854267b2e5cdc49a7c805/analysis/1361573729/
http://urlquery.net/report.php?id=1089125 Koobface worm ET TROJAN Likely Koobface Beaconing IDS alert
Blacklisted and detected: http://www.urlvoid.com/scan/ww2.transfertplus.com/ & http://urlquery.net/report.php?id=1022541
& http://www.urlvoid.com/scan/ntwira.com/
avast! Network Shield blocks connection to this malcode executable as URL:Mal
We are being protected!

pol

Unknown html malware. Only flagged by viruswatch clean-mx → http://urlquery.net/report.php?id=1117711
The location line in the header above has redirected the request to: / is left blank (probably adware - see analysis below)
Intrusion Detection Systems
IDS Alert 2013-02-25 16:38:08 urlQuery Client 95.100.2.110 severity: 2 ssp_ssl: Invalid Client HELLO after Server HELLO Detected
These snort alerts should probably be suppressed… but could be due to a SOAP exception for “htxps://a248.e.akamai.net/betterad.download.akamai.com/91609”
Nothing on external link to: htxp://logi118.xiti.com/hit.xiti?s=457972&s2=&p=&di=&an=&ac= (requested page button?)
Consider this report: http://www.seocert.net/analyzer.rustica.fr
Vulnerable on the site is PHP/5.3.2-1ubuntu4.14 see Header returned by request for: htxp://www.rustica.fr/articles-jardin/calendrier-travaux
http://unhackable.org/?tag=php and here: http://www.devquotes.com/2011/06/15/php-cve-2011-2202/

polonus

And what is out here? See: https://www.virustotal.com/en/url/c081057796c239fe0347c942bda398cb85e0912941f182214fa52d8fbaf12bd1/analysis/1361988982/
and
http://urlquery.net/report.php?id=1173917
phish and spam (iframe) reg.163 dot com/all.do
status: (referer=wXw.lofter.com/mailEntry.do?blogad=1&blog)
code hiccup:
b1.bst.126 dot net/newpage/r/j/pc.js?v=1361935498086 benign
[nothing detected] (script) b1.bst.126 dot net/newpage/r/j/pc.js?v=1361935498086
status: (referer=byleilei.blog.163 dot com/blog/static/2168350572013112545795/)saved 166831 bytes 7654abe071adb5888582ea8d1db40b0636103b03
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [javascript variable] URL=t.163.com/service/newMessage/
info: [javascript variable] URL=msg.mail.163 dot com
info: [javascript variable] URL=msg dot mail.
info: [javascript variable] URL=api.blog.163 dot com/cap/captcha.jpgx?parentId=
info: [iframe] b1.bst.126 dot net/newpage/r/j/
info: [iframe] blog.163 dot com/pub/services/msnconnectnew.html
info: [img] b1.bst.126 dot net/newpage/r/j/
info: [img] b.bst.126 dot net/style/common/loading.gif
info: [iframe] blog.163 dot com/pub/services/aipaiSpread.html?t=
info: [decodingLevel=0] found JavaScript
suspicious:
Here we may have what we were looking for: http://www.threatexpert.com/report.aspx?md5=f4b981cbfedfec6ea63d228f2b2ad0fc
…Trojan.Win32.Sasfis

pol