  1. NotBuyingIt on Wed 21 Mar 2012, 09:15:45 PM UTC

    Qai.jar malware (CVE-2010-1885)

    A well-known spam expert is reporting an aggressively promoted malware exploit which uses multiple sites together. Deceptive web pages planted on dozens of sites load a set of JavaScripts which in turn attempt to load a malicious webpage. Several variations were detected yesterday and today.

    This set of scripts
    hXXp://50.57.29.172/hVg3GFAo/js.js
    hXXp://finantariauto.ro/5ZqETXNE/js.js
    hXXp://ipecturkey.com/E2UNfoGY/js.js
    hXXp://oompa.de/VTwQKwDD/js.js
    attempt to load
    hXXp://209.59.217.193/showthread.php?t=d7ad916d1c0396ff
    that leads to malware at
    hXXp://209.59.217.193/q.php?f=ba33
    hXXp://209.59.217.193/content/Qai.jar

    This set of scripts
    hXXp://216.205.49.67/CD5s3Ne3/js.js
    hXXp://activetours.pttk.pl/Eaz0Mz8g/js.js
    hXXp://copymax.gr/jbbaaFCK/js.js
    hXXp://offvip.com/TtMQy1sw/js.js
    hXXp://solocyberday.com/oDYibUuh/js.js
    attempt to load
    hXXp://slickicus.com/showthread.php?t=8d80b8c3f87a9538
    that leads to malware at
    hXXp://slickicus.com/q.php?f=db757
    hXXp://slickicus.com/content/Qai.jar

    This set of scripts
    hXXp://officefurnituremart.com/sT1SFMyf/js.js
    hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
    hXXp://qqprints.com.my/37ErBpvj/js.js
    hXXp://romanjewelers.com/mnbCaEYY/js.js
    hXXp://samx.zzl.org/crF5iYsT/js.js
    attempt to load
    hXXp://slicksphere.com/showthread.php?t=d7ad916d1c0396ff
    but the domain slicksphere.com has been suspended

    Here are some of the deceptive URLs that have been reported earlier today

    Some other reported URLs return HTTP 404 ("Not Found") or their domains have been suspended, so I suspect efforts are underway to combat the malware campaign.

     Data that is stored in the cloud may become lost in the fog.
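
The chain described in the post above (spammed index.html page, js.js loader, showthread.php landing page, then q.php or a .jar download) can be hunted for in web-proxy logs. The following Python code is an added example, not part of the original post; the log format, client addresses and hostnames are constructed, and the patterns are generalized from the URL shapes reported in this thread.

```python
import re
from urllib.parse import urlsplit

# URL shapes reported in this thread, one entry per stage of the redirect chain:
# (stage name, path pattern, query pattern or None)
STAGES = [
    ("lure",    re.compile(r"^/[A-Za-z0-9]{8}/index\.html?$"), None),
    ("loader",  re.compile(r"^/[A-Za-z0-9]{8}/js\.js$"), None),
    ("landing", re.compile(r"^/showthread\.php$"), re.compile(r"^t=[0-9a-f]{16}$")),
    ("payload", re.compile(r"^/q\.php$"), re.compile(r"^f=[0-9a-f]+$")),
    ("payload", re.compile(r"^/(?:content|data)/\w+\.jar$"), None),
]
RANK = {"lure": 1, "loader": 2, "landing": 3, "payload": 4}


def classify(url):
    """Return (stage, host) for a URL; stage is None when no pattern matches."""
    # Accept defanged ("hXXp://") and scheme-less URLs, as posted in the thread.
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    if "://" not in url:
        url = "http://" + url
    try:
        parts = urlsplit(url)
    except ValueError:
        return None, None
    for stage, path_re, query_re in STAGES:
        if not path_re.match(parts.path):
            continue
        if query_re is None or query_re.match(parts.query):
            return stage, parts.hostname
    return None, parts.hostname


def triage(log_lines):
    """Return {client: {"deepest": stage, "hits": [(stage, host), ...]}}."""
    clients = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # not a "<time> <client> <url>" line
        _time, client, url = fields
        stage, host = classify(url)
        if stage is None:
            continue
        entry = clients.setdefault(client, {"deepest": stage, "hits": []})
        entry["hits"].append((stage, host))
        if RANK[stage] > RANK[entry["deepest"]]:
            entry["deepest"] = stage
    return clients


def escalate(clients, threshold="landing"):
    """Clients whose deepest stage is at or beyond the threshold, sorted."""
    return sorted(c for c, e in clients.items()
                  if RANK[e["deepest"]] >= RANK[threshold])


# Constructed proxy log: "<time> <client> <url>". All hosts are placeholders.
SAMPLE_LOG = """\
2012-04-02T10:00:01Z 10.0.0.5 http://shop.example/Ab3dEf9h/index.html
2012-04-02T10:00:02Z 10.0.0.5 http://cdn.example/Zx81Qw7k/js.js
2012-04-02T10:00:03Z 10.0.0.5 http://203.0.113.7/showthread.php?t=0123456789abcdef
2012-04-02T10:00:04Z 10.0.0.5 http://203.0.113.7/content/Sample.jar
2012-04-02T10:05:00Z 10.0.0.7 http://forum.example/showthread.php?t=48213
2012-04-02T10:06:00Z 10.0.0.9 http://store.example/products/index.html
2012-04-02T10:07:00Z 10.0.0.8 http://mail.example/Qp4Lm2Xs/index.html
2012-04-02T10:07:01Z 10.0.0.8 http://cdn2.example/Hy6Tn3Bv/js.js
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client in sorted(result):
        print(client, result[client]["deepest"], result[client]["hits"])
    print("escalate:", escalate(result))
```

The "lure" pattern alone is weak evidence: an ordinary path such as /products/index.html also has an eight-character directory, which is why the sample only escalates clients that went on to a landing or payload URL. An ordinary forum thread link (numeric t= value) does not match the landing pattern.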

Comments:

  1. A440 on Sun 01 Apr 2012, 04:08:46 AM UTC

    javascript

    This is exactly why I have disabled java and javascript from running on any site unless I physically choose that option.
    This trick can most certainly snare someone running OSX too.

  2. NotBuyingIt on Sun 01 Apr 2012, 06:15:01 PM UTC

    RE: javascript

    According to the University of Alabama / Birmingham blog post that I mentioned, the malware is contained in an EXE file that only targets computers running Microsoft Windows. (I have read elsewhere that Zeus botnets often attempt several infections in tandem.) Repeated analyses reported by the University of California / Santa Barbara (UCSB) classify the harm as coming from the first, or both, of these Windows vulnerabilities:
    CVE-2010-1885 (hcp pseudo-protocol Help Center URL Validation Vulnerability)
    CVE-2010-0188 (Libtiff integer overflow in Adobe Reader and Acrobat)

    Someone else may wish to discuss whether or not everyone's computers should have had security upgrades for the vulnerabilities installed long ago.

    The botnet campaign uses JavaScript in at least two ways: (1) a script highly obfuscates its instructions to avoid detection, and (2) a script redirects from spammed URLs to a site hosting the malicious Java archive Pol.jar (or earlier, Qai.jar).

    The botnet also uses HTML entities to obfuscate the Java applet declarations. If I remember correctly, each malicious web page that I've seen has obfuscated the declaration differently. The obfuscated JavaScript and obfuscated HTML may be mixed together.

    The sandboxing (security) policies of web browsers in general, and of Java and JavaScript in particular, should not allow an EXE file to be automatically installed upon a user's computer. Typically, a user has to be tricked into manually approving a malicious installation.

    Readers may wish to consider using a browser add-on such as NoScript for safety while they run JavaScript. NoScript is not a substitute for an antiviral program which should still be needed.

    I have not read that this botnet campaign targets or threatens Mac OS. However, the UCSB analyses show that the exploit contains code that is intended to specifically detect MacOS, iPod, iPhone and iPad.

    [Edit: Update 04-April-2012] Regarding Java
    "Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited. The decision to add these vulnerable versions of Java to the browser's blocklist is designed to protect users who may not be aware of the flaw and attacks."

    "Java has been the target of a slew of attacks in recent weeks as criminals have targeted a known unpatched vulnerability in the software, and researchers have said that there also are ongoing attacks against some older Java flaws, including CVE-2012-0507. That vulnerability now is the target of an exploit that was added to the infamous Blackhole exploit kit."

    http://threatpost.com/en_us/blogs/mozilla-adds-old...

     Data that is stored in the cloud may become lost in the fog.
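
The comment above notes that the applet declarations are hidden behind HTML entities, which defeats a plain substring scan of the page source for the archive name. The following Python code is an added example, not part of the original thread: it parses the markup so that character references are decoded before matching, assuming the entities sit inside attribute values of static markup (applets written out by obfuscated JavaScript are out of its scope). The sample pages, host and class names are constructed.

```python
from html.parser import HTMLParser


class AppletFinder(HTMLParser):
    """Collect applet-style tags that reference a .jar archive.

    HTMLParser decodes character references in attribute values before
    calling handle_starttag, so entity-encoded values are compared in
    their decoded form.
    """

    TAGS = {"applet", "object", "embed"}

    def __init__(self, raw):
        super().__init__(convert_charrefs=True)
        self.raw = raw
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        decoded = {name: (value or "") for name, value in attrs}
        archive = decoded.get("archive", "")
        if not archive.lower().endswith(".jar"):
            return
        self.findings.append({
            "tag": tag,
            "archive": archive,
            "code": decoded.get("code", ""),
            # True when the decoded value never appears literally in the
            # source, i.e. a raw-text signature would have missed it.
            "entity_encoded": archive not in self.raw,
        })


def find_jar_applets(page_source):
    """Return one finding per applet/object/embed tag with a .jar archive."""
    finder = AppletFinder(page_source)
    finder.feed(page_source)
    finder.close()
    return finder.findings


# Constructed sample: archive and code attributes partly entity-encoded.
SAMPLE_PAGE = (
    '<html><body><p>Loading...</p>'
    '<applet archive="http://gate.example.invalid/d&#97;ta/S&#x61;mple&#46;j&#97;r" '
    'code="dem&#111;.Main" width="1" height="1"></applet></body></html>'
)

# Constructed sample: the same declaration written plainly.
PLAIN_PAGE = (
    '<applet archive="http://gate.example.invalid/data/Sample.jar" '
    'code="demo.Main"></applet>'
)

if __name__ == "__main__":
    print("raw scan finds 'Sample.jar':", "Sample.jar" in SAMPLE_PAGE)
    for finding in find_jar_applets(SAMPLE_PAGE):
        print(finding)
```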

  3. NotBuyingIt on Mon 02 Apr 2012, 12:41:58 AM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    informator.powiat.pl/BZBmikS1/index.html
    komak47.com/NQLG54qb/index.html
    184.168.60.208/NQLG54qb/index.html
    nscbmc.ac.in/e6XXSxv5/index.html

     Data that is stored in the cloud may become lost in the fog.

  4. NotBuyingIt on Mon 02 Apr 2012, 05:40:20 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    alasinmedia.pp.fi/8qeXM1Kx/js.js
    hirochan.boo.jp/7PMiDL3p/js.js
    ncworld.in/bgGdzvBh/js.js
    raja-sms.com/roLcnvNu/js.js
    renovation-nantes.com/NCAsBwpU/js.js

    207.210.101.44/showthread.php?t=8d80b8c3f87a9538
    207.210.101.44/showthread.php?t=d7ad916d1c0396ff
    {applet/*/ archive="hXXp://207.210.101.44/data/Pol.jar" code="ta.L"}

    [Edit: added more sites (below) 02-April-2011 20:15 UTC]

    benetts.com.br/C9gxJgMX/js.js
    fillmorerents.com/5gBHnHim/js.js
    oyasigorta.com/BEswPnYb/js.js
    silca.com.ar/eFArJfsH/js.js

    66.151.244.209/showthread.php?t=d44175c6da768b70
    {applet/*/ archive="hXXp://66.151.244.209/data/Pol.jar" code="ta.L"}

    69.163.37.33/showthread.php?t=d44175c6da768b70

     Data that is stored in the cloud may become lost in the fog.

  5. NotBuyingIt on Mon 02 Apr 2012, 10:34:02 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    boxpluss.com/00o6FfJc/js.js

    [Edit: Added more sites (below) 02-April-2012 23:25 UTC]

     Data that is stored in the cloud may become lost in the fog.

  6. NotBuyingIt on Tue 03 Apr 2012, 03:40:57 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

     Data that is stored in the cloud may become lost in the fog.

  7. Nick Vini (not verified) on Tue 03 Apr 2012, 03:36:43 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Got spammed from these websites;
    All links lead to malware, JS:Redirector-RO [Trj] according to Avast antivirus.

  8. NotBuyingIt on Tue 03 Apr 2012, 06:50:09 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    109.202.98.43/showthread.php?t=d7ad916d1c0396ff
    174.140.171.100/showthread.php?t=d7ad916d1c0396ff
    kopernikssa.com/dasdasaseq.php?page=615e93140e5bd4e3

    [Edit: Add 03-April-2012 19:20 UTC] Based upon the URLs listed in Nick Vini's recent post, I found the following additional URLs:

    buscadordetrabajo.com.ar/nEZydsCE/js.js
    www.ceposduvalle.com.br/3DviVvyS/js.js
    vmax.com.vn/GJwU9YNH/js.js

     Data that is stored in the cloud may become lost in the fog.

  9. A440 on Wed 04 Apr 2012, 03:44:24 AM UTC

    RE: javascript

    Originally posted by: NotBuyingIt
    According to the University of Alabama / Birmingham blog post that I mentioned, the malware is contained in an EXE file that only targets computers running Microsoft Windows. (I have read elsewhere that Zeus botnets often attempt several infections in tandem.) Repeated analyses reported by the University of California / Santa Barbara (UCSB) classify the harm as coming from the first, or both, of these Windows vulnerabilities:
    CVE-2010-1885 (hcp pseudo-protocol Help Center URL Validation Vulnerability)
    CVE-2010-0188 (Libtiff integer overflow in Adobe Reader and Acrobat)

    Someone else may wish to discuss whether or not everyone's computers should have had security upgrades for the vulnerabilities installed long ago.
    etc . . .


    Though most of these problems target Windows, OSX is now a target of opportunity.
    The Flashback trojan exploits unpatched Java vulnerability, no password needed for OSX users (sandbox, what sandbox?), thus I have just installed the latest Java upgrade from Apple. Apple is slow to address problems with Java and Javascript.

    http://www.macintouch.com/readerreports/security/i...

  10. NotBuyingIt on Wed 04 Apr 2012, 03:54:55 AM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    www.bitbanglabs.com/4z1qi5PZ/js.js
    www.enucuzspormalzemeleri.com/5NVzaHGw/js.js

    78.129.132.239:8080/showthread.php?t=d7ad916d1c0396ff

    "Gameover Zeus" (See the article at http://spamalysis.wordpress.com/2012/04/03/your-at... )
    Note: Very few antivirus services currently* detect malware in the EXE files that I have listed below

    confeitariadossonhos.com.br/Wo4RUjB.exe
    hermanosbrando.es/8xsfW5.exe
    textilsuica.com.br/hsvNq.exe
    kylanlaw.com/22D2Y.exe

    [Edit: Update 04-April-2012 16:45 UTC]
    *Thirteen hours after I first posted this list, substantially more antivirus programs are now detecting malware in the EXE files in the list. See
    http://www.virustotal.com/file/5b141917fda61b84044...

     Data that is stored in the cloud may become lost in the fog.

  11. NotBuyingIt on Wed 04 Apr 2012, 04:30:00 AM UTC

    RE: javascript

    Originally posted by: A440
    The Flashback trojan exploits unpatched Java vulnerability, no password needed for OSX users (sandbox, what sandbox?), thus I have just installed the latest Java upgrade from Apple.

    @A440, Thank you. Upon reading your message, I immediately located and ran "Java for OS X 2012-001 (v 1.0)" and I have forwarded the information to some other OS X users. Browsers should have a security policy that sandboxes applets and other objects.

    [Edit Added this] see http://www.macnn.com/articles/12/04/03/addresses.n...

     Data that is stored in the cloud may become lost in the fog.

  12. SuperHero58 (not verified) on Wed 04 Apr 2012, 06:01:26 PM UTC

    RE: javascript

    Originally posted by: NotBuyingIt

    @A440, Thank you. Upon reading your message, I immediately located and ran "Java for OS X 2012-001 (v 1.0)" and I have forwarded the information to some other OS X users. Browsers should have a security policy that sandboxes applets and other objects.

    @Nobuyingit =
    Great job and echo in ref to
    "Browsers should have a security policy that sandboxes applets and other objects."

  13. NotBuyingIt on Wed 04 Apr 2012, 06:16:06 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    cac-realestate.com/AtzSAqNB/js.js
    casamayer.com.br/idvRyfA5/js.js
    www.fujjiturismo.com.br/Qs45y4Jz/js.js
    www.getebel.com.br/Xmjqazk4/js.js
    jonmillward.com/KWorPhs0/js.js [Edit: Update 04-April-2011 22:20 UTC: disabled — returns HTTP 404]
    lider.com/nzH60W21/js.js

    [Edit: Added more sites (below) 04-April-2011 22:20 UTC]

    www.camargoturismo.com.br/BmUpHRne/index.html
    oliveira4x4.com.br/eorgFm72/index.html
    rashtriyamilitaryschools.in/qVsVjYfe/index.html
    www.researchandpsychology.com/LqyJSEwy/index.html

     Data that is stored in the cloud may become lost in the fog.

  14. NotBuyingIt on Thu 05 Apr 2012, 03:43:26 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    64.120.232.102/showthread.php?t=d7ad916d1c0396ff
    infovega.lt:8080/showthread.php?t=73a07bcb51f4be71
    infovega.lt /pony/gate.php
    subdatapro.com:8008/showthread.php?t=d7ad916d1c0396ff
    subdatapro.com:8008/pony/gate.php

     Data that is stored in the cloud may become lost in the fog.

  15. A440 on Thu 05 Apr 2012, 02:56:50 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Regarding browsers that have a java sandbox, Safari has none other than just turning off java (I do).
    Is there a good javascript filter for Safari like "noscript" in Firefox?

  16. NotBuyingIt on Thu 05 Apr 2012, 04:46:54 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    aluguelciroimoveis.com.br/9ZT4hYfA/index.html
    eltekmuhendislik.com/PX34vf6P/index.html
    erinteltelekom.com.tr/2qkQiMnF/index.html
    estutrans.co.id/zSfdvN78/index.html
    homeartbornova.com/ZQe8w6UJ/index.html

    50.116.35.146/showthread.php?t=73a07bcb51f4be71
    50.116.35.146/showthread.php?t=8d80b8c3f87a9538
    50.116.35.146/showthread.php?t=d7ad916d1c0396ff
    209.59.218.94/showthread.php?t=73a07bcb51f4be71
    209.59.218.94/data/Pol.jar

     Data that is stored in the cloud may become lost in the fog.

  17. NotBuyingIt on Thu 05 Apr 2012, 08:27:16 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    agrimir.com/7zVC6k3E/index.html
    www.viaimpressa.com.br/AjrXGFpA/index.html
    webdesing.host.org/XeRn2NHf/index.html

    [Edit: Added more sites (below) 05-April-2012 22:40 UTC]

    doraproje.com/oQAJ1oDK/index.html
    kartalmantolama.com/L0oma16u/index.html

    jsec.com.sg/KxTiNvRn/js.js
    locacionesnf.com.ar/nKPp9nNs/js.js
    nortrix.com/Xi3EVwUH/js.js

    50.116.17.145/showthread.php?t=8d80b8c3f87a9538

     Data that is stored in the cloud may become lost in the fog.

  18. NotBuyingIt on Fri 06 Apr 2012, 07:24:20 AM UTC

    RE: (1) hdmiwebshop.nl; (2) eventakustik.de

    cross-references:

    (1) hdmiwebshop.nl, which I mentioned earlier in this thread, is the subject of a new site evaluation at
    http://www.mywot.com/forum/21906-hdmiwebshop-nl

    (2) eventakustik.de, which MarkGiles mentioned earlier in this thread, is the subject of a new site evaluation at
    http://www.mywot.com/forum/21850-eventakustik-d...

     Data that is stored in the cloud may become lost in the fog.

  19. NotBuyingIt on Fri 06 Apr 2012, 02:28:24 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    algumasviagens.com.br/KUQgDbzp/index.html
    camiisitma.com.tr/qNtVEq8w/index.html
    ftp.europedirecttrencin.sk/4uwaHHUF/index.html
    tugolilla.com/Yip3cUVx/index.html

    184.82.202.46/showthread.php?t=d7ad916d1c0396ff

    [Edit: Add 06-April-2012 16:00 UTC]
    cfi.nieruchomosci.pl/w45GVeUH/index.html
    kekayaandarirumah.com/BL9dWh68/index.html

     Data that is stored in the cloud may become lost in the fog.

  20. NotBuyingIt on Sat 07 Apr 2012, 12:08:03 AM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    www.costima.be/kFDPmQYr/index.html
    ejderturizm.com/y3BFU9HN/index.html

    www.adelinaivan.com/osGH4ZwV/js.js
    www.AAMOKHTAR.COM/ThyCJZfp/js.js
    cdce.kz/pJ7JNyrX/js.js
    silginc.com/HJn4XCCU/js.js
    znr.com.tr/2bhYPWTN/js.js

    69.163.40.127/showthread.php?t=d7ad916d1c0396ff
    designvv.com/showthread.php?t=d7ad916d1c0396ff
    ggf.me/showthread.php?t=d7ad916d1c0396ff

    [Edit: Add 06-April-2012 01:40 UTC]

    www.costima.be/kFDPmQYr/index.html
    ejderturizm.com/y3BFU9HN/index.html

    www.surfhouse.lt/T8DCZdC2/js.js

    50.116.4.115/showthread.php?t=d7ad916d1c0396ff
    72.46.140.17/showthread.php?t=d7ad916d1c0396ff

    jmservice.servicos.ws/Mk4Lf.exe ("GameOver" Zeus — See http://www.virustotal.com/url/5cf1e931b27b0c4933d9... )

     Data that is stored in the cloud may become lost in the fog.

  21. c۞g on Sat 07 Apr 2012, 04:13:20 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885)

    Originally posted by: NotBuyingIt
    jmservice.servicos.ws/Mk4Lf.exe ("GameOver" Zeus — See http://www.virustotal.com/url/5cf1e931b27b0c4933d9... )

    403 / Forbidden
    http://jmservice.servicos.ws/Mk4Lf.exe
    Forbidden

    You don't have permission to access /Mk4Lf.exe on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    ∞ Opto, ergo sum _https://en.wikipedia.org/wiki/And_You_and_I

  22. NotBuyingIt on Sat 07 Apr 2012, 08:31:31 PM UTC

    RE: Klot.jar malware (CVE-2010-0188, CVE-2010-1885)

    ozkanlialisverismerkezi.com/CHMVWw5B/index.html
    radio-energie.com.tr/pgDoEByu/index.html
    rosscom.co.rs/kFDPmQYr/index.html

    www.alberghi.com:8080/showthread.php?t=d7ad916d1c0396ff
    www.alberghi.com/pony/gate.php

    • [Note the name change for the Java archive]

    {applet/*/ archive="hXXp://www.alberghi.com:8080/data/Klot.jar" ...}

    "Gameover" Zeus
    3dtaller.com.ar/uLLGRaXP.exe (See http://www.virustotal.com/url/80dcb59fb4ef261a1d31... )
    mestraimoveis.com.br/0Ev34x.exe (See http://www.virustotal.com/url/5b1d4f203030dac56301... )
    vidyocini.com/VDR2PNG6.exe (See http://www.virustotal.com/url/ce721080df258a3d0166... )

    [Edit: Add 07-April-2012 21:20 UTC]

    private-flite.com/dDKzm47W/index.html
    www.sultorres.ind.br/kFDPmQYr/index.html

    www.7visualsolution.com/Cq4rtJAa/js.js
    csspndt.com/AwDMGHyz/js.js
    www.skalunas.lt/KQZY4Zg9/js.js

    [Edit: Add 07-April-2012 23:30 UTC]

    109.168.126.112:8080/showthread.php?t=d7ad916d1c0396ff

    www.dwa-wrestling.de/DGUhkavQ/SkxZGut.exe (See http://www.virustotal.com/url/3f02cc0513641a770630... )
    geovanabauerdocesfinos.com.br/6md3zev5/hQj.exe (See http://www.virustotal.com/url/1d1ba2bbd696f9f0799a... )

     Data that is stored in the cloud may become lost in the fog.

  23.
    • NotBuyingIt on Mon 09 Apr 2012
    • 04:44:12 PM UTC

    Klot.jar malware (CVE-2010-0188, CVE-2010-1885)

    216.224.182.94/showthread.php?t=8d80b8c3f87a9538

    [Edit: Added more sites 09-April-2012 18:40 UTC]

    mustra.hu/A0o8pR27/js.js
    icostaf2010.mustra.hu/A0o8pR27/js.js

    [Edit: Added more sites 09-April-2012 22:15 UTC]

    cuisine-equipee.ma/W1L3txJk/index.html
    kaizenmarketing.com.ar/qfHENt8V/index.html
    lostwood.pl/ShvFZsdb/index.html
    maternitybank.com/iEQ9DzwW/index.html

     Data that is stored in the cloud may become lost in the fog.

  24.
    • NotBuyingIt on Tue 10 Apr 2012
    • 01:07:15 AM UTC

    RE: Klot.jar malware (CVE-2010-0188, CVE-2010-1885)

    [Edit: Added more sites 10-April-2012 07:15 UTC]

    216.24.170.150/VV0eL3vA/index.html

    50.116.19.23/showthread.php?t=73a07bcb51f4be71

     Data that is stored in the cloud may become lost in the fog.

  25.
    • NotBuyingIt on Tue 10 Apr 2012
    • 05:27:47 PM UTC

    RE: Klot.jar malware (CVE-2010-0188, CVE-2010-1885)

    74.91.114.235/showthread.php?t=73a07bcb51f4be71
    209.59.218.181/showthread.php?t=73a07bcb51f4be71

    www.bmsevero.com.br/J1eGwcP.exe (See http://www.virustotal.com/url/272c2016f900508c5fa6... )
    finskiydom.com.ua/JdS.exe (See http://www.virustotal.com/url/085dcfc9bfb534c14916... )
    mestraimoveis.com.br/0Ev34x.exe (See http://www.virustotal.com/url/5b1d4f203030dac56301... )
    raadstudies.ir/Kw7hE7.exe (See http://www.virustotal.com/url/b97a1cb38f93a43d3a42... )

    [Edit: Add sites: 10-April-2012 19:10 UTC]

    iemp.com.br/WNkPgFo1/index.html
    perfectbulldoghomes.com/eeXD8W0d/index.html
    pricing.profusiondealer.com/RLJuXp19/index.html
    woltel.com/WNkPgFo1/index.html

    ipradio.com.mx/vAjGyXwr/js.js
    munsoninternational.com/veJnKK3x/js.js
    neacursos.com.br/K3UUb8wY/js.js

    208.43.102.144/showthread.php?t=d7ad916d1c0396ff

     Data that is stored in the cloud may become lost in the fog.

  26.
    • NotBuyingIt on Wed 11 Apr 2012
    • 02:29:17 AM UTC

    RE: Klot.jar malware (CVE-2010-0188, CVE-2010-1885)

     Data that is stored in the cloud may become lost in the fog.

  27.
    • NotBuyingIt on Wed 11 Apr 2012
    • 04:19:39 PM UTC

    RE: malware (CVE-2010-0188, CVE-2010-1885)

    www.arcadephase.com/hq3oY4op/js.js
    architectureinbulgaria.com/dj8meZvU/js.js
    lillydong.com/ZWezcMEv/js.js

    74.91.114.141/showthread.php?t=d7ad916d1c0396ff

     Data that is stored in the cloud may become lost in the fog.

  28.
    • NotBuyingIt on Wed 11 Apr 2012
    • 10:33:07 PM UTC

    RE: malware (CVE-2010-0188, CVE-2010-1885)

    A prolific anti-phishing expert is reporting an aggressively promoted malware exploit which uses multiple sites together. Deceptive web pages planted on dozens of sites load a set of JavaScripts which in turn attempt to load a malicious webpage.

    This set of scripts (and others)

    axislegal.com.au/gcq37VtM/js.js
    terramaresturismo.com.br/MeyBxZaD/js.js [repeat]

    attempt to load a malicious web page at

    209.59.219.231/showthread.php?t=d7ad916d1c0396ff

    Here are some of the deceptive URLs that have been reported today

    Some other reported URLs return HTTP 404 ("Not Found") or their domains have been suspended, so I suspect efforts are underway to combat the malware campaign.

    [Edit: Added comment (below) 12-April-2012 13:30 UTC]
    According to one study, this malware campaign also includes a Java exploit (CVE-2012-0507). See
    http://spamalysis.wordpress.com/2012/04/11/importa...

     Data that is stored in the cloud may become lost in the fog.

  29.
    • NotBuyingIt on Thu 12 Apr 2012
    • 01:05:23 AM UTC

    RE: malware (CVE-2010-0188, CVE-2010-1885)

    [Edit: Added comment 12-April-2012 13:30 UTC]
    According to one study, this malware campaign also includes a Java exploit (CVE-2012-0507). See
    http://spamalysis.wordpress.com/2012/04/11/importa...

     Data that is stored in the cloud may become lost in the fog.

  30.
    • NotBuyingIt on Thu 12 Apr 2012
    • 03:52:17 PM UTC

    RE: Klot.jar malware (CVE-2010-0188, CVE-2010-1885, CVE-2012-0507)

    69.194.192.229/showthread.php?t=73a07bcb51f4be71
    zelia.net:8080/showthread.php?t=d7ad916d1c0396ff

    [Edit: Added sites (below) 12-April-2012 17:45 UTC]

     Data that is stored in the cloud may become lost in the fog.