polonus
December 23, 2012, 4:52pm
1
See: http://zulu.zscaler.com/submission/show/dc1046ebe6e206bc472b42d57ca7650d-1356279366
According to VW the malware has been closed after 4.6 hrs of activity.
I get a HTTP Status 404 - /
type Status report
message /
description The requested resource (/) is not available.
Apache Tomcat/6.0.26 See all the vulnerabilities for this older version ->: http://tomcat.apache.org/security-6.html
That server in China needs hardening and upgrading. It sure does…http://urlquery.net/report.php?id=488241
polonus
polonus
December 23, 2012, 7:47pm
2
Then another one on this site: http://zulu.zscaler.com/submission/show/d6d7632e151fd9ff3d720250427d631d-1356289576
Nothing here: http://urlquery.net/report.php?id=488811
Well enough vulnerabilities for the PHP version run: http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-125887/PHP-PHP-5.3.10.html Site might have been a victim of an arbitrary remote code execution vulnerability
that way…The IP address belongs to a High Risk Hosting Provider ISP: SoftLayer Technologies…
Could have been active spreading this malware: http://securehomenetwork.blogspot.com/2010/07/movie-sites-spreading-malware.html
Content after the `</html>` tag should be considered suspicious.
`<!-- PopStar | 0.2151 | rswfire -->` and suspicious script inside the code: see attached image…
consider for the attack-> htxp://share.auditory.ru/2014/Pavel.Kondratenko/edu/3%20level/bd/bdlabs_index.sql
tabContentSidebar.​ = Unicode Character ‘ZERO WIDTH SPACE’ (U+200B): this character is intended for line break control; it has no width, but its presence between two characters does not prevent increased letter spacing in justification (see image for the use of the spacing)…
Firekeeper will flag this
alert(url_content:“%3C”; url_content:“%22”; url_content:“%3E”; as a suspicious looking GET request. About unicode abuse, read:
http://sandfly.net.nz/blog/2012/05/blackletter-unicode-abuse/ (link article author = andrew) &
http://blog.commtouch.com/cafe/email-security-news/using-unicode-to-trick-users-to-install-malware/
(link article authors = Commtouch Contributors -> http://blog.commtouch.com/cafe/contributors/)
polonus
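The two checks polonus describes in the post above, written out as an added example (this is not code from the post, from Firekeeper or from any of the linked sites): a log scan that mirrors the Firekeeper rule flagging GET requests whose URL carries the URL-encoded `<`, `"` and `>` (`%3C`, `%22`, `%3E`), and a check for anything that follows the closing `</html>` tag of a page. The log lines and the HTML document are constructed for the example; the `PopStar` comment is reproduced from the post, the script URL is a placeholder.

```python
"""Two checks from the post: (1) flag GET requests whose URL contains
URL-encoded '<', '"' or '>' (%3C, %22, %3E), as the Firekeeper rule does;
(2) report anything that follows the closing </html> tag of a page.
Added example; sample log lines and HTML are constructed."""
import re

# Firekeeper-style rule from the post: these encoded characters in a request
# URL are enough to raise a "suspicious looking GET request" alert.
SUSPICIOUS_ENCODED = ("%3C", "%22", "%3E")  # <, ", >

# Constructed Apache combined-log style lines (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Dec/2012:16:52:01 +0000] "GET /index.php?id=12 HTTP/1.1" 200 5120
10.0.0.9 - - [23/Dec/2012:16:52:03 +0000] "GET /search.php?q=%3Cscript%3Ealert(%221%22)%3C/script%3E HTTP/1.1" 200 812
10.0.0.7 - - [23/Dec/2012:16:52:09 +0000] "POST /login.php HTTP/1.1" 302 0
10.0.0.9 - - [23/Dec/2012:16:52:11 +0000] "GET /page.php?name=%22onmouseover%3d HTTP/1.1" 200 700
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def suspicious_get_requests(log_text):
    """Return (client, url, matched tokens) for every GET line hitting the rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        url = m.group("url")
        # Compare case-insensitively: %3c and %3C decode to the same byte.
        found = [t for t in SUSPICIOUS_ENCODED if t.lower() in url.lower()]
        if found:
            client = line.split(" ", 1)[0]
            hits.append((client, url, found))
    return hits


# Constructed page: a legitimate document followed by an injected trailing
# comment and script tag, mirroring the "content after </html>" observation.
SAMPLE_HTML = """<html><head><title>t</title></head>
<body><p>hello</p></body>
</html>
<!-- PopStar | 0.2151 | rswfire -->
<script src="http://example.invalid/x.js"></script>
"""


def content_after_html_close(html):
    """Return the non-whitespace text that follows the last </html>, or ''."""
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return ""
    return html[idx + len("</html>"):].strip()


def trailing_content_is_suspicious(html):
    """True when anything other than whitespace follows </html>."""
    return content_after_html_close(html) != ""


if __name__ == "__main__":
    for client, url, tokens in suspicious_get_requests(SAMPLE_LOG):
        print(f"ALERT {client} {url} tokens={tokens}")
    tail = content_after_html_close(SAMPLE_HTML)
    if tail:
        print("Trailing content after </html>:\n" + tail)
```

The GET check matches the three tokens independently, so a single `%22` (as in the fourth constructed line) is enough to raise an alert; tune `SUSPICIOUS_ENCODED` or require several tokens together if the application legitimately sends quoted parameters.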
polonus
December 23, 2012, 8:36pm
3
Here we can read that the avast company team member, Jindrich Kubec, head of Avast’s labs, already detected this “unitrix” exploit back in September 2011: http://www.computerworld.com/s/article/9219808/Hackers_flip_characters_to_disguise_malware?taxonomyId=89
(link article author = Gregg Keizer)
But the flip-character exploit did a comeback in the previous post’s example.
You can hide a malicious executable that way that opens next to another file (document etc.)…the exploit can also be used with Hebrew and Arabic languages, languages that are read reversely…
polonus
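An added example (not from the post or from the linked articles) of how a defender can spot the two Unicode tricks this thread names: the zero-width space (U+200B) seen in `tabContentSidebar` in the previous post, and the right-to-left override (U+202E) behind the "Unitrix" flip-character disguise. It lists every hidden format character in a name, shows an approximation of what a bidi-aware file manager would display, and compares that with the extension the operating system really uses. The file names are constructed; the display routine only models the simple all-Latin case, which is exactly the pattern the article describes.

```python
"""Find hidden Unicode format characters (zero-width space, bidi overrides)
in file names or identifiers and compare the displayed extension with the
real one. Added example; sample names are constructed."""
import os
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: what follows is displayed reversed
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING: ends the override


def hidden_format_chars(text):
    """List (index, U+XXXX, Unicode name) for every format (Cf) character.
    Cf covers zero-width space/joiners, the bidi controls and the BOM."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
            for i, c in enumerate(text) if unicodedata.category(c) == "Cf"]


def strip_format_chars(text):
    return "".join(c for c in text if unicodedata.category(c) != "Cf")


def approximate_display(name):
    """Approximate how a bidi-aware UI renders the name: the text after an
    RLO (up to a PDF) is shown reversed. Only the all-Latin case is modelled."""
    if RLO not in name:
        return strip_format_chars(name)
    head, _, tail = name.partition(RLO)
    tail, _, rest = tail.partition(PDF)
    return (strip_format_chars(head)
            + strip_format_chars(tail)[::-1]
            + strip_format_chars(rest))


def real_extension(name):
    """The extension the OS uses: taken from the raw code points, not the display."""
    return os.path.splitext(name)[1].lower()


def analyze(name):
    shown = approximate_display(name)
    return {
        "displayed": shown,
        "displayed_extension": os.path.splitext(shown)[1].lower(),
        "real_extension": real_extension(name),
        "hidden": hidden_format_chars(name),
    }


def is_disguised(name):
    """True when hidden characters make the visible extension differ from the real one."""
    r = analyze(name)
    return bool(r["hidden"]) and r["displayed_extension"] != r["real_extension"]


# Constructed samples: a clean name, a Unitrix-style name, and the
# zero-width-space identifier from the earlier post.
SAMPLES = [
    "report.pdf",
    "holiday_photo" + RLO + "gpj.exe",
    "tabContentSidebar\u200b",
]

if __name__ == "__main__":
    for name in SAMPLES:
        r = analyze(name)
        print(f"{r['displayed']!r}: real ext {r['real_extension']!r}, "
              f"hidden {r['hidden']}, disguised={is_disguised(name)}")
```

For an extension check to be meaningful it has to run on the raw code points before any rendering; a hidden-character report alone (any `Cf` character in a user-supplied file name or identifier) is usually the simplest rule to alert on, since legitimate file names almost never contain them.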