The story starts, not surprisingly, at Google, where you're searching for your favourite TV show, news clip, or something completely random, such as why you always wake up on the right side of the bed when going to sleep on the left.
You find a result and go "Ooooh, that'll have my answer", and go clickity click - but whoops! You find yourself going through the recognizable MITM (man in the middle), in this case typeforman.net (195.88.144.80 - Failed resolution, AS48984 195.88.144.0/23 VLAF-AS Vlaf Processing Ltd), and on to an exploit, in this case at splitssoft.com (91.188.59.55 - Failed resolution, AS6851 91.188.32.0/19 BKCNET _SIA_ IZZI) and vvvne.in (91.188.59.55 - Failed resolution, AS6851 91.188.32.0/19 BKCNET _SIA_ IZZI).
I've added the domains involved to MDL and hpHosts, and Malwarebytes AntiMalware users will be pleased to know that the IPs involved are already blocked by the IP Protection facility.
For those wanting samples, the headers are below.
shirleybarbers.com/polwe/xgfedn.php?jx=716054
http://typeforman.net/in.cgi?12
http://typeforman.net/redirect3/
http://splitssoft.com/x/?src=dg&id=20758

HTTP/1.1 302 Moved Temporarily
Date: Fri, 28 May 2010 10:03:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.12
Location: http://typeforman.net/in.cgi?12
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:01:30 GMT
Server: Apache/2
Set-Cookie: SL_12_0000=_1_; domain=typeforman.net; path=/; expires=Sat, 29-May-2010 10:01:30 GMT
Location: http://typeforman.net/redirect3/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:01:30 GMT
Server: Apache/2
Location: http://splitssoft.com/x/?src=dg&id=20758
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Fri, 28 May 2010 10:03:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.2-0.dotdeb.2
Set-Cookie: bmb=1275041000; expires=Fri, 04-Jun-2010 10:03:20 GMT; path=/; domain=splitssoft.com
magnusbystrom.com/qosbi/hwsqbs.php?n=318039
http://typeforman.net/in.cgi?9
http://typeforman.net/redirect3/
http://splitssoft.com/x/?src=dg&id=20758

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:59:30 GMT
Server: Apache/1.3.41
X-Powered-By: PHP/5.2.10
Location: http://typeforman.net/in.cgi?9
Connection: close
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:57:41 GMT
Server: Apache/2
Set-Cookie: SL_9_0000=_1_; domain=typeforman.net; path=/; expires=Sat, 29-May-2010 10:57:41 GMT
Location: http://typeforman.net/redirect3/
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

HTTP/1.1 302 Found
Date: Fri, 28 May 2010 10:57:41 GMT
Server: Apache/2
Location: http://splitssoft.com/x/?src=dg&id=20758
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Fri, 28 May 2010 10:59:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.2-0.dotdeb.2
Set-Cookie: bmb=1275044372; expires=Fri, 04-Jun-2010 10:59:32 GMT; path=/; domain=splitssoft.com
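As an added example (not code from the original post), the Python below parses a raw header capture like the ones above, reconstructs the 302 chain from the doorway page to the final 200, and reports what a proxy-log reviewer wants per chain: hop count, hops that leave the current domain, cookies set by the intermediate redirector, and the landing URL. The embedded sample is the first capture from this post trimmed to the headers that matter; the doorway URL is passed in because the capture itself does not record it.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the first capture in this post (shirleybarbers.com doorway
# -> typeforman.net -> splitssoft.com), trimmed to the headers that matter.
SAMPLE = """\
HTTP/1.1 302 Moved Temporarily
Location: http://typeforman.net/in.cgi?12
HTTP/1.1 302 Found
Set-Cookie: SL_12_0000=_1_; domain=typeforman.net; path=/
Location: http://typeforman.net/redirect3/
HTTP/1.1 302 Found
Location: http://splitssoft.com/x/?src=dg&id=20758
HTTP/1.1 200 OK
Set-Cookie: bmb=1275041000; path=/; domain=splitssoft.com
"""

STATUS = re.compile(r"^HTTP/\d\.\d (\d{3})\b")

def parse_responses(raw):
    # Split a concatenated header capture into {status, headers} records.
    responses = []
    for line in raw.splitlines():
        m = STATUS.match(line)
        if m:
            responses.append({"status": int(m.group(1)), "headers": {}})
        elif responses and ":" in line:
            name, value = line.split(":", 1)  # first colon only: Location values contain "://"
            responses[-1]["headers"].setdefault(name.strip().lower(), []).append(value.strip())
    return responses

def redirect_chain(start_url, responses):
    # Follow the captured 3xx Location hops until the first non-redirect.
    chain = [start_url]
    for r in responses:
        loc = r["headers"].get("location")
        if not (300 <= r["status"] < 400 and loc):
            break
        chain.append(loc[0])
    return chain

def summarize(start_url, raw):
    """Per chain: hop count, off-domain hops, redirector cookies, final landing URL."""
    responses = parse_responses(raw)
    chain = redirect_chain(start_url, responses)
    hosts = [urlparse(u if "://" in u else "http://" + u).hostname for u in chain]
    # Cookies set by a redirector hop tag the visitor; SL_12_0000 carries the in.cgi?12 id.
    cookies = [r["headers"]["set-cookie"][0].split("=", 1)[0] for r in responses
               if 300 <= r["status"] < 400 and "set-cookie" in r["headers"]]
    return {"hops": len(chain) - 1, "final": chain[-1], "redirector_cookies": cookies,
            "cross_domain": [(a, b) for a, b in zip(hosts, hosts[1:]) if a != b]}
```

Run `summarize("shirleybarbers.com/polwe/xgfedn.php?jx=716054", SAMPLE)` to get three hops, two of them cross-domain, ending at the splitssoft.com landing URL.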
These are only allowing access once per IP, so you'll find the vURL Online results for the doorway pages below (I don't have caching written in for vURL Online yet, but in case you'd like it, the URL to the vURL dissection for this is http://vurldissect.co.uk/?url=1355697).
http://it-mate.co.uk/temp/vURL_Online_results_-_shirleybarbers_com.pdf
The exploits they're using include:
MSOfficeWebComponents
Snapshot Viewer Control
Acrobat PDF
MDAC (Microsoft Data Access Components)
Java Deployment Kit