The MO in this case is;
1. Site A
2. Exploit
There are no MITMs this time. There's also a slight change in the code used on the exploit page itself, though curiously, it's even easier to decode than the last one (only 3 lines need commenting out this time).
I've not got the headers for this one, but the e-mail apparently contains;
Dear Customer,
FLIGHT ELECTRONIC NUMBER 24-3054499
DATE & TIME / DECEMBER 12, 2011, 07:16 PM
ARRIVING AIRPORT: Chicago O'Hare International Airport
PRICE : 743.59 USD
Please download and print out your ticket here:
Download hxxp://thefire.org/reports/guides/1/tztei.htm?B9I5=Z66FITS&2Q5=5CO8CFG2ARLWIHHCFJHL0VG7G&
Jazlyn Warren,
Airlines America
4b1273d8-59cae6f0
thefire.org lives at;
IP: 64.49.244.212
IP PTR: Resolution failed
ASN: 10532 64.49.192.0/18 RACKSPACE - Rackspace Hosting
Registrar: GoDaddy
This redirects to;
czredret.ru/main.php
Which is living on Infium IP space;
IP: 188.190.99.26
IP PTR: ip-188-190-99-26.hosted-in.infiumhost.com
ASN: 197145 188.190.96.0/19 ASINFIUM Infium Ltd.
inetnum: 188.190.96.0 - 188.190.127.255
netname: INFIUM
descr: Infium LTD
country: UA
org: ORG-INFI1-RIPE
admin-c: INF20-RIPE
tech-c: INF20-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: NETASSIST-MNT
mnt-routes: NETASSIST-MNT
mnt-domains: NETASSIST-MNT
source: RIPE # Filtered
organisation: ORG-INFI1-RIPE
org-name: Infium Ltd.
org-type: OTHER
address: 61129, Ukraine, Kharkov, Traktorostroiteley 156/41 ave, office 200
mnt-ref: INFIUM-MNT
mnt-by: INFIUM-MNT
source: RIPE # Filtered
person: Infium Ltd
address: 61129, Kharkov, Ukraine, Traktorostroiteley 156/41, office 200
abuse-mailbox: abusemail@infiumhost.com
phone: +380577632339
phone: +1425606-33-07
nic-hdl: INF20-RIPE
mnt-by: INFIUM-MNT
source: RIPE # Filtered
:: Information related to '188.190.96.0/19AS197145'
route: 188.190.96.0/19
descr: Infium LTD
origin: AS197145
mnt-by: NETASSIST-MNT
source: RIPE # Filtered
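The whois records above are the raw lookup. As an added example (not part of the post), here is a small parser for RIPE-style whois output that turns those key: value objects into something you can act on, collecting the abuse mailbox, maintainers and origin AS for a report. It handles repeated attributes (mnt-by appears several times), the "% " and ":: " server comment lines, and the "# Filtered" trailers. The sample text is a constructed, abridged copy of the records quoted above.

```python
"""Parse RIPE-style whois output into objects and summarise what an analyst
needs for an abuse report. Added example, not the post's own code."""
from collections import defaultdict

# Constructed sample: an abridged copy of the Infium whois output in the post.
SAMPLE_WHOIS = """\
% Note: this output has been filtered.

inetnum: 188.190.96.0 - 188.190.127.255
netname: INFIUM
descr: Infium LTD
country: UA
org: ORG-INFI1-RIPE
admin-c: INF20-RIPE
tech-c: INF20-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: NETASSIST-MNT
source: RIPE # Filtered

person: Infium Ltd
address: 61129, Kharkov, Ukraine, Traktorostroiteley 156/41, office 200
abuse-mailbox: abusemail@infiumhost.com
phone: +380577632339
nic-hdl: INF20-RIPE
mnt-by: INFIUM-MNT
source: RIPE # Filtered

:: Information related to '188.190.96.0/19AS197145'
route: 188.190.96.0/19
descr: Infium LTD
origin: AS197145
mnt-by: NETASSIST-MNT
source: RIPE # Filtered
"""


def parse_whois(text):
    """Split whois output into objects (separated by blank lines). Each object
    maps attribute -> list of values, because attributes such as mnt-by repeat."""
    objects = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                              # blank line closes an object
            if current:
                objects.append(dict(current))
            current = None
            continue
        if line.startswith(("%", "#", "::")):     # server comments / section headers
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.split("#", 1)[0].strip()    # drop "# Filtered" style trailers
        if current is None:
            current = defaultdict(list)
        current[key.strip()].append(value)
    if current:
        objects.append(dict(current))
    return objects


def object_type(obj):
    """The first attribute of a RIPE object names its class (inetnum, person, route)."""
    return next(iter(obj))


def summarise(text):
    """Pull out the fields you would put in a report: netblock, country,
    originating AS, abuse mailbox(es) and the maintainers responsible."""
    objects = parse_whois(text)
    by_type = {object_type(o): o for o in objects}
    inet = by_type.get("inetnum", {})
    route = by_type.get("route", {})
    return {
        "inetnum": inet.get("inetnum", [None])[0],
        "country": inet.get("country", [None])[0],
        "origin_asn": route.get("origin", [None])[0],
        "abuse_mailbox": sorted({m for o in objects for m in o.get("abuse-mailbox", [])}),
        "maintainers": sorted({m for o in objects for m in o.get("mnt-by", [])}),
    }


if __name__ == "__main__":
    for key, val in summarise(SAMPLE_WHOIS).items():
        print(f"{key}: {val}")
```

Feed it the output of `whois -h whois.ripe.net 188.190.99.26` (or any RIPE-format dump) and the summary gives you the abuse contact and maintainers to notify in one step rather than eyeballing the raw objects.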
In the case of this variation, all you need to do is comment out the following lines;
//a=(window.document.removeChild+'')['split']('')[1];
//if(a==='f'||a==='u') < this line appears twice, you'll need to comment out both
//if(a==='f'||a==='u') < this line appears twice, you'll need to comment out both
From here it's the same as the last one - locate the line containing "?f=" to get the value you'll need for the payload (in this case, /w.php?f=17).
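A triage script for the procedure above, added here as an example rather than the post's own code: it flags the three lines the post tells you to comment out (the browser-detection gate and both of its `if` branches), applies that fix to a copy of the page, and pulls every `?f=` payload reference out of the source, including ones hidden behind `\xNN` string escapes. The sample page fragment is constructed; only the `/w.php?f=17` path and the gate lines themselves come from the post.

```python
r"""Triage helper for the Blackhole landing-page variant described above.
Added example, not the post's code. Flags the browser-detection gate the post
says to comment out, applies that fix, and extracts ?f= payload references."""
import re

# Constructed sample page fragment shaped like the variant in the post. The
# gate lines and the /w.php?f=17 path are quoted from the post; the rest is invented.
SAMPLE_LANDING = r"""
<html><body><script>
a=(window.document.removeChild+'')['split']('')[1];
if(a==='f'||a==='u')
s='';
d=document;
if(a==='f'||a==='u')
h='\x2fw\x2ephp\x3ff\x3d17';
z='/w.php?f=17';
</script></body></html>
"""

# The three lines the post tells you to comment out.
BROWSER_GATE = re.compile(r"\(window\.document\.removeChild\+''\)\['split'\]\(''\)\[1\]")
GATE_BRANCH = re.compile(r"if\(a==='f'\|\|a==='u'\)")
# Relative paths carrying the ?f= payload selector the post says to look for.
PAYLOAD_REF = re.compile(r"(/[\w./-]*\?f=\d+)")
JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def unescape_js(text):
    r"""Resolve \xNN and \uNNNN string escapes so hidden paths become searchable."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def gate_char(stringified_fn):
    """What the gate stores in `a`: the second character of String(document.removeChild).
    A real browser gives 'u' ("function ...") or 'f' where native functions stringify
    with a leading newline; an analysis engine with no DOM gives "undefined" -> 'n',
    so the payload branch never runs there. That is why the lines must be commented out."""
    return (stringified_fn + "")[1]


def gate_passes(stringified_fn):
    return gate_char(stringified_fn) in ("f", "u")


def find_indicators(source):
    """Line numbers of the gate and its branches, plus every ?f= reference
    (searched both raw and after unescaping)."""
    lines = source.splitlines()
    gate_lines = [n for n, l in enumerate(lines, 1) if BROWSER_GATE.search(l)]
    branch_lines = [n for n, l in enumerate(lines, 1) if GATE_BRANCH.search(l)]
    refs = set(PAYLOAD_REF.findall(source)) | set(PAYLOAD_REF.findall(unescape_js(source)))
    return {
        "gate_lines": gate_lines,
        "branch_lines": branch_lines,
        "payload_refs": sorted(refs),
        "suspicious": bool(gate_lines and branch_lines),
    }


def comment_out_gate(source):
    """Apply the post's fix: prefix the gate line and both branch lines with //
    so the rest of the decoder runs unconditionally in an analysis environment."""
    found = find_indicators(source)
    flagged = set(found["gate_lines"] + found["branch_lines"])
    return "\n".join(("//" + l) if n in flagged else l
                     for n, l in enumerate(source.splitlines(), 1))


if __name__ == "__main__":
    result = find_indicators(SAMPLE_LANDING)
    for line_no in result["gate_lines"] + result["branch_lines"]:
        print(f"comment out line {line_no}")
    print("payload refs:", result["payload_refs"])
```

Run `find_indicators` over the saved landing page first; if it reports the gate plus two branches you are looking at this variant, and `comment_out_gate` gives you the copy to feed to your JS decoder of choice, while `payload_refs` often hands you the `?f=` value directly without decoding at all.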
References
Blackhole exploit: For those wondering
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering.html
2 comments:
vds with ip 188.190.99.26 already blocked
Thanks for letting me know (though not quite sure what you mean by "already blocked" - it was very much live when I published this).