A tangled web...

显示全部楼层 · 发表于 2012-4-28 07:17:04

http://blogs.technet.com/b/mmpc/ ... /a-tangled-web.aspx

3175.FakeMS1.JPG-550x0.jpg

So, if the site is a real users group (if not Microsoft endorsed per se), then how are visitors getting infected? When we looked further into the webpage source a suspicious iframe emerges at the end of the page. This iframe, which referenced a different host (rvideos.info), soon redirected to another one. Upon being redirected the new webpage contained several malicious Java applets that tried to exploit vulnerabilities on the system and download other malware. When we visited, these exploits were detected as variants of Exploit:Java/CVE-2010-0840 (example file SHA1s observed 626D495992C77BE9E47A9F2A1ED573739F34636F and A67C7CC6BD6C516D865C8BB37134F457E0B89A3D) and Exploit:Java/CVE-2012-0507 (example SHA1 of file observed 374F8FDB2EB49D5C883785A6ED627BE6CF9BACC9).

hxxp://mspinoy.net/

显示全部楼层 · 发表于 2012-4-28 07:59:58

本帖最后由帅就是帅于 2012-4-28 08:28 编辑

关于:hxxp://mspinoy.net/解密的日志(全体输出 -  4):

Level  0>hxxp://mspinoy.net/
Level  1>hxxp://zone.hoahoc.org/images.php?t=44443094
Level  2>hxxp://zone.hoahoc.org/images.php?t=81118
Level  3>hxxp://zone.hoahoc.org/images.php?t=2

日志由 Redoce2.1第28次修正版于 2012/4/28 07:59:35 生成。

====

质量还不错:
https://www.virustotal.com/file/ ... nalysis/1335571239/

====

额, 扩展名为 exe 时 10 家报, 改扩展名为 exe0 时就红伞 1 家报

https://www.virustotal.com/file/ ... nalysis/1335572817/

[转载] A tangled web...

评分