Fake antivirus site features drive-by install of PDF exploits

ePCdoctor

Nov 30, 2008, 4:55:39 AM
to EPCDOCTOR
Here’s a fake antivirus site that has a special *gift* for you when
you visit: PDF exploits! When you visit the site, it will attempt a
drive-by install using an exploit-embedded PDF file.

Bad Site:
hxxp://2008-noadware-antivirus.com (68.180.151.74)
AS36752 | 68.180.151.74 | YAHOO-SP1 - Yahoo

Goes to:
hxxp://abb192.cn/exp/index.php
hxxp://abb192.cn/exp/load.php?id=2926
abb192.cn (82.192.88.2)
AS16265 | 82.192.88.2 | LEASEWEB LEASEWEB AS

Launches a process called AcroRd32.exe (Acrobat Reader) and slows your
machine down to a crawl.

Pulls down a PDF file. VT coverage is 10/37.
http://www.virustotal.com/analisis/28d3a59…f1ac43bd00fe253

Found a load.exe file from hxxp://abb192.cn/exp/load.php?id=2926
VT coverage is low: 4/37.
http://www.virustotal.com/analisis/e22e2de…830413b3d949441

See a connection to:
hxxp://sp2.information.com/?epl=…

abb192.cn was registered on 10/29 and hosted on a Leaseweb box in
Amsterdam.
Other domains on that IP 82.192.88.2:
abbcp.cn
abc801.cn
bmanager.shadypart.net
shadypart.net