Here’s a fake antivirus site that has a special *gift* for you when you visit: PDF exploits! When visiting site it will attempt a drive-by install using a exploit-embedded PDF file.
Bad Site:
hxxp://2008-noadware-antivirus.com (68.180.151.74)
AS36752 | 68.180.151.74 | YAHOO-SP1 – Yahoo
Goes to:
hxxp://abb192.cn/exp/index.php
hxxp://abb192.cn/exp/load.php?id=2926
abb192.cn (82.192.88.2)
AS16265 | 82.192.88.2 | LEASEWEB LEASEWEB AS
Launches a process called AcroRd32.exe (Acrobat Reader) and slows your machine down to a crawl.
Pulls down a PDF file. VT coverage is 10/37.
http://www.virustotal.com/analisis/28d3a59…f1ac43bd00fe253
Found a load.exe file from hxxp://abb192.cn/exp/load.php?id=2926
VT coverage is low 4/37.
http://www.virustotal.com/analisis/e22e2de…830413b3d949441
See a connection to:
hxxp://sp2.information.com/?epl=03220029R1UMXGYWVlEFDVFTDVBfA1MMUgBFUVgMAFxb
VllZVFgHBFIBWAtHXRdZEBZLSwVcDBIBWAxqRQQHUEddSglZEUFEWBcWVwMEWFEMF1ETD0EUR0hU
DFgYRxFaRU1WUFQXCFsEXh8BVkcIVww8UQFbB1MSFl8CRlJcDVpUXB5XUBFQUw1KQFhUUQ9VEApb
QwpcAlUKaAtaQhNcABNbV0FfEUdNX21yQ11bFW8AD1cGDVYFCVcRBlNRBAJBXE5da10EW1MXWV4A
DlEPFgM8UQFbB1AGXwdFVEIVDkFQS0xrXhVBXQ1WZgxXCVQAWlcBXV4GVg
abb192.cn was registered on 10/29 and hosted on a Leaseweb box in Amsterdam.
Other domains on that IP 82.192.88.2:
abbcp.cn
abc801.cn
bmanager.shadypart.net
shadypart.net
-mwdisector
0 Responses to “Fake antivirus site features drive-by install of PDF exploits”
Leave a Reply
You must login to post a comment.