Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 22 June 2011

Part 3: Interserver, malware, and the Scottish weather

Well, the bad guys tried fooling everyone by changing the filename yet again (sorry Mr Bad Guy - we're not that stupid).

You'll remember that they were using HostNOC as of the latest incarnations, and I both e-mailed and phoned HostNOC on the 20th, the day the move was made, and the person I spoke to advised me they were giving the customer a 24-hour warning. Three days later, it was still online, still serving malicious content.

I've just phoned HostNOC yet again, and they're finally taking it offline, advising me the entire account would be suspended within the next 5 mins (and yes HostNOC, I'll be verifying that).

Sadly, it seems Interserver STILL haven't taken action, as .38 is STILL spewing the malicious file (again, with the new filename):

66.45.243.38/FlashPlayer.40028.exe

Seems it's polymorphic too, as I've recorded 2 pull-downs of the file, with 2 different MD5s:

b7d396384ab66ffb3a248708125cb809
4ee758a8e8e43d543875795d6d1d1dc6

So Interserver, what's your excuse?
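The two differing MD5s above are the practical problem for anyone maintaining a hash-based blocklist: a payload that is re-packed on every download will never match a fixed list of sums, so detection has to key off where the file is served from rather than what it hashes to. The script below is an added illustration and is not from the hpHosts post or project. It embeds the two MD5s from the post as a known-bad list, runs a set of constructed stand-in captures (not the real binaries) through it to show how many a pure hash list would catch, and then checks whether the observed URL uses an IP-literal host, which a hosts-file style blocklist such as hpHosts cannot block at all (hosts files only map hostnames), so the block belongs at a firewall or proxy instead. The function names and the sample bytes are the author's assumptions for this example.

```python
import hashlib
import ipaddress
from collections import Counter

# The two MD5s recorded in the post for FlashPlayer.40028.exe (values from the page).
KNOWN_BAD_MD5 = {
    "b7d396384ab66ffb3a248708125cb809",
    "4ee758a8e8e43d543875795d6d1d1dc6",
}

# Constructed stand-ins for repeated pulls of the same URL. Each "variant" tail
# models a re-packed binary; these bytes are made up and are NOT the real samples.
CAPTURES = [
    ("2011-06-22T09:00:00Z", b"MZ\x90\x00" + b"\x00" * 64 + b"variant-A"),
    ("2011-06-22T09:05:00Z", b"MZ\x90\x00" + b"\x00" * 64 + b"variant-B"),
    ("2011-06-22T09:10:00Z", b"MZ\x90\x00" + b"\x00" * 64 + b"variant-A"),
]

# Observed URL from the post (scheme omitted there as well).
OBSERVED_URL = "66.45.243.38/FlashPlayer.40028.exe"


def md5_hex(data: bytes) -> str:
    """MD5 of a captured file body, as the post reports them."""
    return hashlib.md5(data).hexdigest()


def analyze_captures(captures):
    """Summarise repeated captures of one URL.

    Returns the number of captures, how many distinct MD5s were seen, and a
    'polymorphic' flag that is True when the same URL served differing bodies.
    """
    hashes = [md5_hex(body) for _, body in captures]
    distinct = Counter(hashes)
    return {
        "captures": len(captures),
        "distinct_md5": len(distinct),
        "polymorphic": len(distinct) > 1,
        "hashes": hashes,
    }


def hash_blocklist_hits(captures, known_bad):
    """Count how many captures a fixed MD5 blocklist would have matched."""
    return sum(1 for _, body in captures if md5_hex(body) in known_bad)


def split_observed_url(url: str):
    """Split 'host/path' as written in the post into (host, '/path')."""
    host, _, path = url.partition("/")
    return host, "/" + path


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def blocking_advice(url: str) -> str:
    """Where a defender can actually apply a block for this URL."""
    host, _ = split_observed_url(url)
    if is_ip_literal(host):
        return f"IP-literal host {host}: hosts-file blocklists cannot match it; block at firewall/proxy."
    return f"Hostname {host}: a hosts-file entry can sinkhole it."


if __name__ == "__main__":
    summary = analyze_captures(CAPTURES)
    print(f"captures={summary['captures']} distinct_md5={summary['distinct_md5']} "
          f"polymorphic={summary['polymorphic']}")
    print(f"hash blocklist would have caught {hash_blocklist_hits(CAPTURES, KNOWN_BAD_MD5)} "
          f"of {summary['captures']} captures")
    print(blocking_advice(OBSERVED_URL))
```

Running it shows three captures collapsing to two distinct MD5s (polymorphic), zero hits against the blocklist of previously seen sums, and the advice that an IP-literal host has to be blocked by address rather than by hostname.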

References

Part 2: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-2-interserver-malware-and-scottish.html

Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/interserver-malware-and-scottish.html
