Well, the bad guys tried fooling everyone by changing the filename yet again (sorry Mr Bad Guy - we're not that stupid).
You'll remember that they were using HostNOC as of the latest incarnations, and I both e-mailed, and phoned HostNOC on the 20th, the day the move was made, and the person I spoke to advised me they were giving the customer a 24 hour warning. 3 days later, and it was still online, still serving malicious content.
I've just phoned HostNOC yet again, and they're finally taking it offline, advising me the entire account would be suspended within the next 5 mins (and yes HostNOC, I'll be verifying that).
Sadly, it seems Interserver STILL hasn't taken action, as .38 is STILL spewing the malicious file (again, with the new filename):
66.45.243.38/FlashPlayer.40028.exe
Seems it's polymorphic too, as I've recorded two pull-downs of the file, with two different MD5s:
b7d396384ab66ffb3a248708125cb809
4ee758a8e8e43d543875795d6d1d1dc6
So Interserver, what's your excuse?
References

Part 2: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-2-interserver-malware-and-scottish.html

Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/interserver-malware-and-scottish.html
Wednesday, 22 June 2011