http://proanalytics.cn/stats.txt
This text file, of course, isn't a text file at all; it's a JavaScript file that leads to a whole heap of malicious exploit goodness:
http://proanalytics.cn/tds/go.php?sid=1
http://proanalytics.cn/tds/got.php?sid=1
http://proanalytics.cn/frag2/show.php
http://proanalytics.cn/frag2/show.php?get_ajax=1&r=0.34832734843634716
http://proanalytics.cn/frag2/pdf.php
http://proanalytics.cn/frag2/directshow.php
http://proanalytics.cn/frag2/admin.php
Payloads:
http://proanalytics.cn/frag2/load.php?e=1
http://proanalytics.cn/frag2/load.php?e=2
http://proanalytics.cn/frag2/load.php?e=3
The payload, adobeupdate.exe, is a Zbot variant (these almost always come with a keylogger and backdoor trojan, which leaves YOUR machine compromised; in this case, it also comes with a rootkit).
Anubis errored out when trying to analyze this, suggesting it's VM-aware (not surprising given it's associated with the Fragus exploit pack), and I've not got my test machine on at present as I'm still busy going through a ton of stuff for work, but I'll see about running it later (I don't do VMs; the only test machine I use is a "real" machine).
ThreatExpert was able to work with this one, and showed some interesting results:
http://www.threatexpert.com/report.aspx?md5=faf4506500217a741767db68d9a5d72c
You'll notice this variant also steals your Facebook credentials...
proanalytics.cn is registered to "Mareks Vabels" (mareksvab@gmail.com) via Tucows domain registration. The only reference to that name I could find, aside from MalwareURL and MalwareDomainList, was this one, suggesting the individual, if he/she is real, is allegedly from Latvia.
Domain Name: proanalytics.cn
ROID: 20091021s10001s07931514-cn
Domain Status: ok
Registrant Organization: Personal use
Registrant Name: Mareks Vabels
Administrative Email: mareksvab@gmail.com
Sponsoring Registrar: Tucows, Inc.
Name Server: ns1.proanalytics.cn
Name Server: ns2.proanalytics.cn
Registration Date: 2009-10-21 23:50
Expiration Date: 2010-10-21 23:50
WhoIs server: whois.cnnic.cn
This URL is amongst MANY others that are currently hiding in compromised websites, so if you're running a website yourself, or know a friend who has a website, PLEASE make sure you're periodically checking the files for signs of infection.
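As an added example of what "periodically checking the files" can look like in practice (this is not code from the original post), the script below does two things a site owner can run from cron: it keeps a SHA-256 baseline of the web root and reports added, removed or modified files, and it scans HTML/PHP/JS files for script tags whose src points at a host on a block list. The only host on that list is proanalytics.cn, taken from this post; the sample site in demo() is constructed for the walkthrough, and the file names and the KNOWN_BAD_HOSTS set are assumptions, not anything from the post.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# The only exploit-kit host named in the post; extend with your own block list.
KNOWN_BAD_HOSTS = {"proanalytics.cn"}

# src attribute of a <script> tag, quoted or unquoted.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Host part of an absolute or protocol-relative URL.
HOST_RE = re.compile(r'^(?:https?:)?//([^/:?#]+)', re.IGNORECASE)

WEB_EXTENSIONS = {".html", ".htm", ".php", ".js"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Report which files appeared, vanished or changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def find_injected_scripts(text: str, bad_hosts=KNOWN_BAD_HOSTS) -> list:
    """Return script src URLs whose host is on the block list."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(text):
        m = HOST_RE.match(src)
        if m and m.group(1).lower() in bad_hosts:
            hits.append(src)
    return hits


def scan_tree(root: Path, bad_hosts=KNOWN_BAD_HOSTS) -> dict:
    """Scan web files under root; map each file with a hit to its offending URLs."""
    findings = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS:
            hits = find_injected_scripts(p.read_text(errors="replace"), bad_hosts)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict:
    """Constructed walkthrough: clean site, baseline, then a simulated injection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body><h1>Hello</h1></body></html>")
        (root / "about.html").write_text("<html><body>About</body></html>")
        baseline_json = json.dumps(build_baseline(root))  # store this off-host
        # Simulate the injection the post describes: a script tag pulling the kit's loader.
        (root / "index.html").write_text(
            '<html><body><h1>Hello</h1>'
            '<script src="http://proanalytics.cn/stats.txt"></script></body></html>')
        (root / "new.php").write_text("<?php echo 'dropped'; ?>")  # a file that was not there before
        diff = compare_baseline(root, json.loads(baseline_json))
        findings = scan_tree(root)
    return {"diff": diff, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline JSON somewhere the web server cannot write to, because an attacker who can modify your pages can also overwrite a baseline kept in the web root. A file showing up in "added" or "modified" that you did not deploy is the signal to look at, whether or not the block-list scan also fires.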
In the meantime, perhaps Hosting Panama would care to explain their lack of action?