Saturday, January 24, 2009

MSN Credential Theft - http://zopblob.com/

Hi there,

These days another malicious domain is active, built specifically to steal MSN credentials. The propagation method is always the same: you receive an offline message from an already infected user on your MSN contact list.

http://{ACCOUNT_NAME}zopblob.com/

The server used is, as usual, lighttpd:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 791
Date: Sun, 25 Jan 2009 01:01:51 GMT
Server: lighttpd/1.4.19

and the link dissected appears as:

<html>
<head>
<title></title>
</head>
<frameset cols="0,*" frameborder="0">
<frame src="”" name="”">
<frame src="”" name="”">
</frameset>

The first column of the frameset is sized 0, so the first frame is never visible to the visitor; only the second frame is displayed.

This time there is also a small difference: the malicious domain includes tracking functionality, a StatCounter counter and a Google Analytics tracker:

<script type="text/javascript">
var sc_project=4080201;
var sc_invisible=1;
var sc_partition=49;
var sc_click_stat=1;
var sc_security="0c7fe093";
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-1033286-4");
pageTracker._trackPageview();
</script>

A domain WHOIS lookup (http://www.networksolutions.com/whois-search/zopblob.com) reveals that the source of this malicious domain is, as always, the same: Panama.
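As an added defender-side example (not code from the original post), the following Python pulls the indicators discussed above out of a captured HTTP response: the server stack from the headers, whether the frameset hides a frame behind a zero-width column, and the StatCounter and Google Analytics IDs, which are useful for linking pages of the same campaign. The response text is a constructed sample; the frame URLs are placeholders, since the post does not show them.

```python
import re
# Constructed sample in the shape the post describes: the header values, the zero-width frameset
# and the tracker IDs come from the post; the frame URLs, which the post elides, are placeholders.
SAMPLE_RESPONSE = """HTTP/1.0 200 OK
X-Powered-By: PHP/4.4.8
Server: lighttpd/1.4.19

<html><head><title></title></head>
<frameset cols="0,*" frameborder="0">
<frame src="http://PLACEHOLDER-HIDDEN.invalid/" name="hidden">
<frame src="http://PLACEHOLDER-LOGIN.invalid/" name="main">
</frameset>
<script type="text/javascript">
var sc_project=4080201;
var sc_security="0c7fe093";
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-1033286-4");
</script>"""

def parse_headers(raw):
    # Split a raw HTTP response into a lower-cased header dict and the body.
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def fingerprint(raw):
    """Extract the indicators the post walks through: server stack, hidden frame, tracker IDs."""
    headers, body = parse_headers(raw)
    m = re.search(r'<frameset[^>]*\bcols\s*=\s*"([^"]*)"', body, re.I)
    cols = [c.strip() for c in m.group(1).split(",")] if m else []
    sc = re.search(r"var\s+sc_project\s*=\s*(\d+)", body)
    ga = re.search(r'_getTracker\(\s*"(UA-\d+-\d+)"', body)
    return {
        "server": headers.get("server"),
        "powered_by": headers.get("x-powered-by"),
        "hidden_frame": any(c in ("0", "0%") for c in cols),  # a 0-width column hides that frame
        "frames": re.findall(r'<frame\b[^>]*\bsrc\s*=\s*"([^"]*)"', body, re.I),
        "statcounter_project": sc.group(1) if sc else None,
        "ga_account": ga.group(1) if ga else None,
    }

def matches_campaign(fp):
    # True when one response shows the combination of traits described in the post.
    return (fp["hidden_frame"] and (fp["server"] or "").startswith("lighttpd/")
            and (fp["statcounter_project"] is not None or fp["ga_account"] is not None))
```

Running `fingerprint(SAMPLE_RESPONSE)` on a page captured with a different server banner or no tracker IDs returns a dictionary that can still be compared field by field against other captures.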

See you in the next post.. :)
