Blog for hpHosts, and whatever else I feel like writing about ....

Saturday 17 September 2011

Alert: 70.85.43.147

I was sent a URL earlier that redirected to fake meds (surprise surprise). Checking further however, I arrived at the site's homepage to discover two scripts being loaded, one from a site that has now been cleaned, and another loaded from 70.85.43.147, which is still there:

70.85.43.147/minitools.js

A quick check with Malzilla, JSUnpack etc. failed to decode it, so I figured I'd wait until I had a few minutes spare to do it manually. A look over the code showed the problem: the interpreters couldn't handle the way the script worked, so it required heavy modification to get it to decode.

I can't post the scripts themselves here, as your AVs will go haywire if they've got heuristics enabled, so I'll post screenshots instead.

Original (before modification) [screenshot]

Modified [screenshot]

The result of this is a lovely little iFrame [screenshot]:

The iFrame itself is the Blackhole exploit kit, loaded from:

twefwf.freewww.info/showthread.php?t=15410812

This is currently residing at:

IP: 89.201.174.28
IP PTR: Resolution failed
ASN: 34594 89.201.128.0/17 OT-AS OT - Optima Telekom d.d.

Personally I'd recommend putting a block on it if you've not already. I'll leave the decision as to whether to block just the IP or the entire range up to you.

freewww.info itself is a dynamic DNS service operated by ChangeIP, a service heavily abused by miscreants (not altogether surprising, but very disappointing that, like no-ip.com and the like, they're still seemingly doing very little to put a stop to it).
