Currently, these obfuscated scripts are being used by the Zeus botnet to recruit zombie PCs through drive-by-download attacks.
Accessing the website displays only a blank page, but checking its source code reveals code written in JavaScript like this:
The script is encrypted with the RSA algorithm. This information is displayed at the end of the code.
Another interesting fact is that the script is displayed only once, i.e., if you try to access the same address again to check the HTML source code, the script is no longer available.
Some of the domains that contain LuckySploit are reflected below:
It's worth noting that many of these URLs are active; therefore, if you decide to access any of them, keep in mind the safety measures appropriate to the case.
Some of the scripts clearly show, at the end, a message that says:

attack_level = 0;;
try {
f = 'Welcome to LuckySploit:) \n ITS TOASTED';

In this way, Zeus adds the infected computers to its network of malicious machines.
Related information:
Zeus botnet. Mass propagation of trojan. Part two - Spanish version
Zeus botnet. Mass propagation of trojan. Part one - Spanish version
Malware attack via Internet - Spanish version
# Jorge Mieres