
  1. NotBuyingIt on Wed 21 Mar 2012, 09:15:45 PM UTC

    Qai.jar malware (CVE-2010-1885)

    A well-known spam expert is reporting an aggressively promoted malware exploit which uses multiple sites together. Deceptive web pages planted on dozens of sites load a set of JavaScripts which in turn attempt to load a malicious webpage. Several variations were detected yesterday and today.

    This set of scripts
    hXXp://50.57.29.172/hVg3GFAo/js.js
    hXXp://finantariauto.ro/5ZqETXNE/js.js
    hXXp://ipecturkey.com/E2UNfoGY/js.js
    hXXp://oompa.de/VTwQKwDD/js.js
    attempt to load
    hXXp://209.59.217.193/showthread.php?t=d7ad916d1c0396ff
    that leads to malware at
    hXXp://209.59.217.193/q.php?f=ba33
    hXXp://209.59.217.193/content/Qai.jar

    This set of scripts
    hXXp://216.205.49.67/CD5s3Ne3/js.js
    hXXp://activetours.pttk.pl/Eaz0Mz8g/js.js
    hXXp://copymax.gr/jbbaaFCK/js.js
    hXXp://offvip.com/TtMQy1sw/js.js
    hXXp://solocyberday.com/oDYibUuh/js.js
    attempt to load
    hXXp://slickicus.com/showthread.php?t=8d80b8c3f87a9538
    that leads to malware at
    hXXp://slickicus.com/q.php?f=db757
    hXXp://slickicus.com/content/Qai.jar

    This set of scripts
    hXXp://officefurnituremart.com/sT1SFMyf/js.js
    hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
    hXXp://qqprints.com.my/37ErBpvj/js.js
    hXXp://romanjewelers.com/mnbCaEYY/js.js
    hXXp://samx.zzl.org/crF5iYsT/js.js
    attempt to load
    hXXp://slicksphere.com/showthread.php?t=d7ad916d1c0396ff
    but the domain slicksphere.com has been suspended

    Here are some of the deceptive URLs that have been reported earlier today

    hXXp://02f40c1.netsolhost.com/jXh3opQk/index.html
    hXXp://02f40c1.netsolhost.com/pVXky4P3/index.html
    hXXp://184.164.129.5/H0PL9q26/index.html
    hXXp://3eras.com/0X98aHUS/index.html
    hXXp://5seis.com.ar/jXh3opQk/index.html
    hXXp://91.93.110.150/JYjJE2q2/index.html
    hXXp://acriancafeliz.org.br/vyEryYcH/index.html
    hXXp://advanced-web-hosting-solutions.com/H0PL9q26/index.html
    hXXp://advancedcopier.net/tMYwdbsB/index.html
    hXXp://aerospacend.com/0X98aHUS/index.html
    hXXp://autolorentzos.gr/46iU2yx2/index.html
    hXXp://autolorentzos.gr/k4H1CSBf/index.html
    hXXp://autouniversal.ro/tMYwdbsB/index.html
    hXXp://bestdeal.com.vn/H0PL9q26/index.html
    hXXp://binhanphat.vn/pVXky4P3/index.html
    hXXp://chinchunhoo.com/tp3G2sKH/index.html
    hXXp://criadero-duancos.com.ar/jXh3opQk/index.html
    hXXp://dhtics.webou.net/8pe5eCMZ/index.html
    hXXp://dhtics.webou.net/N7hwdmet/index.html
    hXXp://dhtics.webou.net/vyEryYcH/index.html
    hXXp://fundoohairstyles.com/0X98aHUS/index.html
    hXXp://getstrength.com/pVXky4P3/index.html
    hXXp://glamourspa.com.vn/H0PL9q26/index.html
    hXXp://goksen.com.tr/H0PL9q26/index.html
    hXXp://goksen.com.tr/JYjJE2q2/index.html
    hXXp://goksen.com.tr/tp3G2sKH/index.html
    hXXp://hajashaza.hu/JYjJE2q2/index.html
    hXXp://hajashaza.hu/pVXky4P3/index.html
    hXXp://hajashaza.hu/W9x9Xomw/index.html
    hXXp://hellenic-antiaging-academy.gr/k4H1CSBf/index.html
    hXXp://hidroprojekt-consult.hr/W9x9Xomw/index.html
    hXXp://hippocrafts.com/46iU2yx2/index.html
    hXXp://hippocrafts.com/8pe5eCMZ/index.html
    hXXp://hippocrafts.com/svaVeSkm/index.html
    hXXp://hyperbeesmedia.com/svaVeSkm/index.html
    hXXp://ibafo.com.br/LTWJaNR9/index.html
    hXXp://ibafo.com.br/N7hwdmet/index.html
    hXXp://inour.biz/JYjJE2q2/index.html
    hXXp://inour.biz/pVXky4P3/index.html
    hXXp://isravilon1.com/tMYwdbsB/index.html
    hXXp://junglecreativestudio.gr/k4H1CSBf/index.html
    hXXp://jurjev.com/8pe5eCMZ/index.html
    hXXp://koala.unas.cz/N7hwdmet/index.html
    hXXp://kolling.com.my/LTWJaNR9/index.html
    hXXp://kongo.co.hu/N7hwdmet/index.html
    hXXp://kongo.co.hu/svaVeSkm/index.html
    hXXp://kongo.co.hu/tMYwdbsB/index.html
    hXXp://laflcargo.com/vyEryYcH/index.html
    hXXp://laleyurtseven.com/8pe5eCMZ/index.html
    hXXp://laleyurtseven.com/tMYwdbsB/index.html
    hXXp://ledsociety.com/7ik7M03n/index.html
    hXXp://ledsociety.com/tp3G2sKH/index.html
    hXXp://leikar.net/vyEryYcH/index.html
    hXXp://linemenu.com/8pe5eCMZ/index.html
    hXXp://linemenu.com/svaVeSkm/index.html
    hXXp://littlelordspreschool.com/0X98aHUS/index.html
    hXXp://lsquarednetworks.com/7ik7M03n/index.html
    hXXp://lsquarednetworks.com/tp3G2sKH/index.html
    hXXp://mage.ibraggiotti.com/0X98aHUS/index.html
    hXXp://mage.ibraggiotti.com/W9x9Xomw/index.html
    hXXp://magneticlodestone.com/46iU2yx2/index.html
    hXXp://magneticlodestone.com/tMYwdbsB/index.html
    hXXp://maxiesolutions.com/svaVeSkm/index.html
    hXXp://mayerdobrasil.com.br/W9x9Xomw/index.html
    hXXp://mcms.xs2theworld.com/LTWJaNR9/index.html
    hXXp://mcms.xs2theworld.com/vyEryYcH/index.html
    hXXp://metrofincaraiz.com/0X98aHUS/index.html
    hXXp://minds.com.pk/8pe5eCMZ/index.html
    hXXp://mishelart.com/tp3G2sKH/index.html
    hXXp://mixtle.com/tMYwdbsB/index.html
    hXXp://mkultura.lt/7ik7M03n/index.html
    hXXp://musicalchemylab.lh.pl/46iU2yx2/index.html
    hXXp://myghanaonline.com/N7hwdmet/index.html
    hXXp://notebooktamiri.gen.tr/vyEryYcH/index.html
    hXXp://objebi.com/xBu5dukk/index.html
    hXXp://olla-de-felix-buenos-aires.com/Qyuv8XX1/index.html
    hXXp://olla-de-felix-buenos-aires.com/xBu5dukk/index.html
    hXXp://oneblr.com/a65oSoKL/index.html
    hXXp://optimizacija-seo.com/a65oSoKL/index.html
    hXXp://overhill.comicgenesis.com/xBu5dukk/index.html
    hXXp://paperbuzz.net/3BvC2cTf/index.html
    hXXp://party-chat.hu/a65oSoKL/index.html
    hXXp://party-chat.hu/xBu5dukk/index.html
    hXXp://povilasc.ipower.com/tp3G2sKH/index.html
    hXXp://pp.premiumpage.pl/vyEryYcH/index.html
    hXXp://Privatesandbox.com/qVsVjYfe/index.html
    hXXp://prodmovie.com/xBu5dukk/index.html
    hXXp://psytrip.com.br/LTWJaNR9/index.html
    hXXp://public.smartbe.be/0X98aHUS/index.html
    hXXp://rajtr.com/7ik7M03n/index.html
    hXXp://realestatebootcamp.ca/LTWJaNR9/index.html
    hXXp://redencionsofro.com.ar/3BvC2cTf/index.html
    hXXp://revivalgospelministries.org/LTWJaNR9/index.html
    hXXp://riwex.hu/3BvC2cTf/index.html
    hXXp://sarahyong.com/CzEjfCRK/index.html
    hXXp://sereflikochisarzob.org/LTWJaNR9/index.html
    hXXp://sezam.home.pl/CzEjfCRK/index.html
    hXXp://silentstartupwebsite.com/CzEjfCRK/index.html
    hXXp://silentstartupwebsite.com/xBu5dukk/index.html
    hXXp://siranmuftulugu.gov.tr/46iU2yx2/index.html
    hXXp://sisrs.org/tMYwdbsB/index.html
    hXXp://sixdimensions.co.id/xBu5dukk/index.html
    hXXp://softwarepark-galati.ro/xBu5dukk/index.html
    hXXp://swcc.marknetdev.com/LTWJaNR9/index.html
    hXXp://sxs-bwn.org/vyEryYcH/index.html
    hXXp://techleadsolution.com/QnXBRiWS/index.html
    hXXp://tehranmaltbeer.com/30VtVqEf/index.html
    hXXp://tempo-www.defisduchott.com/CzEjfCRK/index.html
    hXXp://themainmall.com/svaVeSkm/index.html
    hXXp://transcamila.com/tMYwdbsB/index.html
    hXXp://upedagogica.edu.bo/N7hwdmet/index.html
    hXXp://www.tesan.com.tr/vyEryYcH/index.html

    Some other reported URLs return HTTP 404 ("Not Found") or their domains have been suspended, so I suspect efforts are underway to combat the malware campaign.

     Data that is stored in the cloud may become lost in the fog.
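The URLs in the post above share a fixed shape at each stage of the chain: an eight-character alphanumeric directory holding index.html (the deceptive landing page) or js.js (the redirector script), a showthread.php page whose t= parameter is sixteen hex characters, and the payload paths (q.php?f=..., /content/Qai.jar, and later in the thread /data/ap2.php and the Pol.jar, Edu.jar and Cal.jar applets). The following Python is an added example, not code from the original post, showing how a defender could turn those shapes into a proxy-log check; the log lines are constructed for the example, and the rule that a client is only flagged after touching two distinct stages is an assumption of this example, added because an eight-character directory on its own is common on legitimate sites.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# URL shapes observed across the indicators posted in this thread.
LANDING = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")
REDIRECTOR = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")
TDS_PATH = "/showthread.php"
TDS_TOKEN = re.compile(r"^[0-9a-f]{16}$")
PAYLOAD = re.compile(
    r"^/(q\.php|content/Qai\.jar|data/(ap2\.php|Pol\.jar|Edu\.jar|Cal\.jar))$")
STAGE_ORDER = ["landing", "redirector", "tds", "payload"]


def refang(url):
    """Turn the thread's defanged hXXp:// notation back into http:// for parsing."""
    return re.sub(r"^hXXp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def classify(url):
    """Return the campaign stage whose URL shape this URL matches, or None."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url  # thread entries often omit the scheme
    parts = urlsplit(url)
    path, query = parts.path, parse_qs(parts.query)
    if LANDING.match(path):
        return "landing"
    if REDIRECTOR.match(path):
        return "redirector"
    if path == TDS_PATH and any(TDS_TOKEN.match(t) for t in query.get("t", [])):
        return "tds"
    if PAYLOAD.match(path):
        return "payload"
    return None


# Constructed proxy log in a Squid-like "timestamp client method url" layout
# (hypothetical traffic, not taken from any real log).
SAMPLE_LOG = """\
1332364545.101 10.0.0.12 GET http://02f40c1.netsolhost.com/jXh3opQk/index.html
1332364545.322 10.0.0.12 GET http://50.57.29.172/hVg3GFAo/js.js
1332364546.017 10.0.0.12 GET http://209.59.217.193/showthread.php?t=d7ad916d1c0396ff
1332364547.458 10.0.0.12 GET http://209.59.217.193/content/Qai.jar
1332364550.900 10.0.0.33 GET http://intranet.example/about/index.html
1332364551.212 10.0.0.33 GET http://cdn.example/assets/js.js
1332364552.305 10.0.0.33 GET http://shop.example/Ab12Cd34/index.html
"""


def scan_log(text):
    """Return (client, stage, url) for every log line whose URL matches a stage."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        stage = classify(url)
        if stage:
            hits.append((client, stage, url))
    return hits


def suspicious_clients(hits, min_stages=2):
    """Clients that touched at least min_stages distinct stages of the chain.

    A lone eight-character directory is weak evidence (legitimate sites use
    such paths too); a client that went from a landing page or redirector on
    to the showthread.php page or a payload is much harder to explain away.
    """
    seen = defaultdict(set)
    for client, stage, _ in hits:
        seen[client].add(stage)
    return {c: sorted(s, key=STAGE_ORDER.index)
            for c, s in seen.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for client, stages in suspicious_clients(scan_log(SAMPLE_LOG)).items():
        print(client, "->", " > ".join(stages))
```

On the constructed log, 10.0.0.12 walks the whole chain and is reported with all four stages, while 10.0.0.33 only hit one eight-character directory and stays below the threshold. Tightening the payload and TDS patterns to the exact hosts listed in the thread would cut false positives further but would also miss the next host the campaign moves to, which the posts below show happening every few days.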

Comments:

  1. NotBuyingIt on Fri 04 May 2012, 01:31:07 PM UTC

    RE: Edu.jar malware (CVE-2010-0188, CVE-2012-0507)

    www.gettysburgtimes.pa.net/N3fzP4Zu/index.html
    tirisad.org/RsUQXedt/index.html

    ftp.affectthedollar.com/n3S8bGs0/js.js [HTTP 404]
    energoprotect.com/EREjWFDH/js.js [domain suspended]
    searchgroup.net/WCVpLWpg/js.js
    sentinelone.co/8evU76zS/js.js [HTTP 404]
    www.tasimpeks.com/TpgY6n9S/js.js

     Data that is stored in the cloud may become lost in the fog.

  2. NotBuyingIt on Fri 04 May 2012, 02:37:50 PM UTC

    RE: Edu.jar malware (CVE-2010-0188, CVE-2012-0507)

    dsizeart.com/rKf4ZjN9/index.html
    www.jetleg.com.br/rL2u5HWk/index.html
    theheavenlove.99k.org/4SoTooBn/index.html

    208.106.249.244/64ppbD3k/js.js
    www.grasskeepers.com/64ppbD3k/js.js
    jombangit.com/FLz5EwR6/js.js
    lincolnshire-renewable-energy.co.uk/cj0PsMXz/js.js
    mazyamana.com/UH4UyHcG/js.js
    WWW.SACMCO.COM/oexZFsB0/js.js
    www.shahinvestment.com/WZHGxcL6/js.js
    sqmsindia.com/dwK3ysya/js.js
    ukloansblog.info/AR7t0nYW/js.js
    viatata.uv.ro/oucDypRa/js.js

    184.154.220.226/showthread.php?t=34c79594e8b8ac0f
    184.154.220.226/showthread.php?t=977334ca118fcb8c

     Data that is stored in the cloud may become lost in the fog.

  3. NotBuyingIt on Fri 04 May 2012, 04:07:51 PM UTC

    RE: malware (CVE-2010-0188)

    www.radiooisvira.com/mRpNLgWY/index.html
    www.statisticsolympiad.org/gR2aietM/index.html

    69.163.34.114/showthread.php?t=34c79594e8b8ac0f
    69.163.34.114/data/ap2.php

     Data that is stored in the cloud may become lost in the fog.

  4. NotBuyingIt on Fri 04 May 2012, 08:16:42 PM UTC

    RE: malware (CVE-2010-0188, CVE-2012-0507)

    ftp.coden.com.br/BhxC8VrP/index.html
    generalcontractorsnc.com/nUUyHyvy/index.html
    gopeshmathur.com/JFs10e34/index.html
    mccgedvalenca.com.br/JFs10e34/index.html

    69.163.34.114/showthread.php?t=4a6d866826776084
    69.163.34.114/showthread.php?t=73a07bcb51f4be71
    69.163.34.114/showthread.php?t=977334ca118fcb8c
    69.163.34.114/showthread.php?t=9d77a9163cda8dbe
    69.163.34.114/showthread.php?t=d7ad916d1c0396ff
    {applet/*/ code=hXXp://69.163.34.114/a.A archive="Edu.jar"}

     Data that is stored in the cloud may become lost in the fog.

  5. NotBuyingIt on Sat 05 May 2012, 02:31:52 AM UTC

    RE: malware (CVE-2010-0188, CVE-2012-0507)

    mdaudioevideo.com.br/eEijVvUM/index.html
    norvacvalveexpress.com/RRwxN9ci/index.html
    www.factoriacreativa.com.mx/Q98ayRkZ/index.html
    visualcomp.com.br/n62HLsiv/index.html

    65.98.39.110/showthread.php?t=34c79594e8b8ac0f
    65.98.39.110/data/ap2.php
    {applet/*/ code=a.A archive="Edu.jar"}

     Data that is stored in the cloud may become lost in the fog.

  6. NotBuyingIt on Sun 06 May 2012, 02:11:23 AM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2012-0507)

    cpcasalarysurvey.com/XGQ18d2v/index.html
    r-spacek.cz/3UXvwRUh/index.html
    turkelli.k12.tr/ejJoP1QM/index.html

    65.98.39.110/data/Pol.jar (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

     Data that is stored in the cloud may become lost in the fog.

  7. NotBuyingIt on Mon 07 May 2012, 06:06:23 AM UTC

    RE: Edu.jar malware (CVE-2010-0188, CVE-2012-0507)

    aurianedamez.fr:8080/showthread.php?t=34c79594e8b8ac0f
    aurianedamez.fr:8080/data/ap2.php (see: http://www.virustotal.com/file/6fad435000daedb650a... )
    {applet/*/ code=hXXp://aurianedamez.fr/a.A archive=Edu.jar}
    aurianedamez.fr:8080/data/Pol.jar (see: http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    Note: aurianedamez.fr is hosted on IP 69.194.194.251, which will also serve malware. However, I have not seen any reports that the following URLs are literally being used by the botnet.

    91.121.158.5:8080/showthread.php?t=34c79594e8b8ac0f
    91.121.158.5:8080/data/ap2.php
    {applet/*/ code=hXXp://91.121.158.5/a.A archive=Edu.jar}
    91.121.158.5:8080/data/Pol.jar

    The reverse look-up for IP 69.194.194.251 is ks359502.kimsufi.com, which will likewise serve malware. However, I have not seen any reports that the following URLs are literally being used by the botnet.

    ks359502.kimsufi.com:8080/showthread.php?t=34c79594e8b8ac0f
    ks359502.kimsufi.com:8080/data/ap2.php
    {applet/*/ code=hXXp://ks359502.kimsufi.com/a.A archive=Edu.jar}
    ks359502.kimsufi.com:8080/data/Pol.jar

     Data that is stored in the cloud may become lost in the fog.

  8. NotBuyingIt on Mon 07 May 2012, 02:49:40 PM UTC

    RE: Edu.jar malware (CVE-2010-0188, CVE-2012-0507)

    74.91.119.220/showthread.php?t=34c79594e8b8ac0f
    74.91.119.220/data/ap2.php (see: http://www.virustotal.com/file/4b91008e74e974d0a6d... )
    74.91.119.220/data/Pol.jar (see: http://www.virustotal.com/file/f76ac6983135c7a69b5... )
    {applet/*/ code=a.C archive=Edu.jar}

     Data that is stored in the cloud may become lost in the fog.

  9. NotBuyingIt on Mon 07 May 2012, 05:54:47 PM UTC

    RE: Edu.jar malware (CVE-2010-0188, CVE-2012-0507)

    baratoinfo.com/6pt0mJiZ/index.html
    bowlingfiles.com/TNFnJUcQ/index.html
    www.srtran.com/A2zroS7N/index.html

    seaboat.com.br/2WeyRe7b/js.js

    74.91.119.220/showthread.php?t=4a6d866826776084
    74.91.119.220/showthread.php?t=73a07bcb51f4be71
    74.91.119.220/showthread.php?t=977334ca118fcb8c
    74.91.119.220/showthread.php?t=9d77a9163cda8dbe
    74.91.119.220/showthread.php?t=d7ad916d1c0396ff

     Data that is stored in the cloud may become lost in the fog.

  10. NotBuyingIt on Mon 07 May 2012, 06:25:04 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2012-0507)

    chaplinsaamanthy.com/KnTYBdCG/index.html
    hotpotatokids.com/wcadcax4/index.html

    BuyMeizitangBotanicalSlimming.us/M2J4cZFr/js.js
    khaptad.gov.np/Ym85jaFW/js.js
    wiseguymoneymichine.com/3uc6KzbP/js.js

    69.194.193.146/showthread.php?t=34c79594e8b8ac0f
    69.194.193.146/data/ap2.php (see: http://www.virustotal.com/file/579c32b4e1b0933331e... )
    69.194.193.146/data/Pol.jar (see: http://www.virustotal.com/file/f76ac6983135c7a69b5... )

     Data that is stored in the cloud may become lost in the fog.

  11. NotBuyingIt on Mon 07 May 2012, 10:44:18 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2012-0507)

    ftp.dominiooff.com.br/Xdzdfa7E/index.html

    69.194.193.146/showthread.php?t=34c79594e8b8ac0f
    69.194.193.146/showthread.php?t=4a6d866826776084
    69.194.193.146/showthread.php?t=73a07bcb51f4be71
    69.194.193.146/showthread.php?t=977334ca118fcb8c
    69.194.193.146/showthread.php?t=9d77a9163cda8dbe
    69.194.193.146/showthread.php?t=d7ad916d1c0396ff

     Data that is stored in the cloud may become lost in the fog.

  12. NotBuyingIt on Tue 08 May 2012, 05:23:59 AM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2012-0507)

    e-anestesicos.com.br/H3VJn6ej/index.html
    novatech21.net/A2zroS7N/index.html

     Data that is stored in the cloud may become lost in the fog.

  13. MysteryFCM on Tue 08 May 2012, 05:52:26 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Just an FYI from the last couple you posted, these are those pointed to and still live:

    List of domains/hosts:

    e-anestesicos.com.br/H3VJn6ej/index.html
    novatech21.net/A2zroS7N/index.html
    rodriguezchevalier.com.ar/xctCu9JX/js.js
    seaboat.com.br/2WeyRe7b/js.js
    xn--serwis-monitorw-8rb.pl/7NzFHmr8/js.js
    184.154.220.226/showthread.php?t=34c79594e8b8ac0f
    69.194.193.146/showthread.php?t=34c79594e8b8ac0f

    Regards, Steven Burn I.T. Mate / hpHosts it-mate.co.uk / hosts-file.net

  14. NotBuyingIt on Wed 09 May 2012, 02:24:42 AM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2012-0507)

    Thanks to MysteryFCM for adding the following URL that I never listed because I mistakenly thought that it had been deactivated:

    xn--serwis-monitorw-8rb.pl/7NzFHmr8/js.js
          or equivalently
    serwis-monitorów.pl/7NzFHmr8/js.js

     Data that is stored in the cloud may become lost in the fog.
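The post above shows why a hostname blocklist must normalise internationalised domain names: xn--serwis-monitorw-8rb.pl and serwis-monitorów.pl are the same host, and an entry stored in one form will silently miss the other, just as the mixed-case WWW.SACMCO.COM and GRUPOSABER.COM.AR entries elsewhere in this thread would miss a lower-case lookup. The following Python is an added example, not code from the original post or from hpHosts; it uses the standard library's idna codec (IDNA2003) and its HostBlocklist class and the entries fed to it are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit


def canonical_host(host):
    """Normalise a hostname to its ASCII (A-label) form.

    Lower-cases, strips a trailing dot, and punycode-encodes any non-ASCII
    label; literal IP addresses are returned unchanged.
    """
    host = host.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    return host.encode("idna").decode("ascii")


def unicode_host(host):
    """The readable (U-label) form of a host, for reports and notices."""
    return canonical_host(host).encode("ascii").decode("idna")


def host_of(entry):
    """Pull the hostname out of a thread-style entry (URL or bare host,
    possibly without a scheme, possibly defanged as hXXp://)."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "//" + entry
    return urlsplit(entry).hostname or ""


class HostBlocklist:
    """Hypothetical blocklist that compares hosts only in canonical form."""

    def __init__(self, entries):
        self._hosts = {canonical_host(host_of(e)) for e in entries}

    def __contains__(self, host_or_url):
        return canonical_host(host_of(host_or_url)) in self._hosts

    def report(self):
        """Each blocked host in both its ASCII and its Unicode form."""
        return sorted((h, unicode_host(h)) for h in self._hosts)


if __name__ == "__main__":
    # Constructed entries, copied in the mixed forms seen in this thread.
    blocklist = HostBlocklist([
        "xn--serwis-monitorw-8rb.pl/7NzFHmr8/js.js",
        "WWW.SACMCO.COM/oexZFsB0/js.js",
        "hXXp://222.255.28.16:8080/showthread.php?t=4a6d866826776084",
    ])
    for ascii_form, unicode_form in blocklist.report():
        print(ascii_form, "=", unicode_form)
    print("serwis-monitorów.pl" in blocklist)  # True: matched via the A-label
```

The stdlib codec implements IDNA2003, the mapping browsers used in 2012; for IDNA2008 behaviour (which encodes a few characters differently) the third-party idna package offers the same encode/decode calls. Whichever is used, store the ASCII form and convert at the boundary, so that hpHosts-style host files and log lookups agree on one spelling.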

  15. NotBuyingIt on Wed 09 May 2012, 05:30:16 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2012-0507)

    babapinardernegi.net/V42vazpi/index.html
    frednmel.com/JK28wKto/index.html

    imagesbyjvargas.com/didXSn3t/js.js
    www.lenadamakeup.com/i3etNC89/js.js
    vubii.com/yDBDJWXB/js.js

    50.116.57.160/showthread.php?t=977334ca118fcb8c
    50.116.57.160/data/ap2.php (see: http://www.virustotal.com/file/90fa1f6fdde6e7fbc4c... )
    50.116.57.160/data/Pol.jar (see: http://www.virustotal.com/file/f76ac6983135c7a69b5... )

     Data that is stored in the cloud may become lost in the fog.

  16. NotBuyingIt on Wed 09 May 2012, 06:52:02 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2012-0507)

    174.140.169.118/showthread.php?t=977334ca118fcb8c
    174.140.169.118/data/ap2.php (see http://www.virustotal.com/file/79e14697c346afc65ca... )
    174.140.169.118/data/Pol.jar (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

     Data that is stored in the cloud may become lost in the fog.

  17. NotBuyingIt on Thu 10 May 2012, 12:08:44 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    ashqmusic.com/8tMRkobw/index.html
    funidem.org/TrgohVjw/index.html
    puertodevigo.com.mx/jdzrAw0Q/index.html
    rbmont.cz/FWPLTiio/index.html

    bowwowbus.com/CjkVtmAD/js.js
    www.incredibleandaman.in/2z7Nw8KL/js.js
    www.techmuntda.com/9TzyH3Xu/js.js

    174.140.169.118/showthread.php?t=d7ad916d1c0396ff

     Data that is stored in the cloud may become lost in the fog.

  18. NotBuyingIt on Thu 10 May 2012, 02:51:38 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    kskhealth.com/AdsnZXE4/index.html

    www.crechelardepaulo.org.br/7qddrGj6/js.js

    174.140.169.118/showthread.php?t=9d77a9163cda8dbe

     Data that is stored in the cloud may become lost in the fog.

  19. NotBuyingIt on Thu 10 May 2012, 03:03:19 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    arzumoltutasi.com.tr/mabpx4nN/index.html
    avjmobiletechnician.com/gNTDeA93/index.html
    birendrakumar.com/SgrDoxwU/index.html
    ceheath.com/NFqUErbP/index.html
    comehomeonline.com/SgrDoxwU/index.html

    desiremobile.netfirms.com/i7K1Gp1g/js.js
    hoteldooars.in/DbL72xH1/js.js
    nisanurum.com/e7pFkjut/js.js
    pricedrightviewhomes.com/QiGaWKkT/js.js
    s270915069.onlinehome.fr/go3wLLiK/js.js
    shokani.net/YvKDGVwn/js.js
    smithrz.hosting4less.com/CGrzhxx1/js.js
    urbannex.co.za/SVVsEJwY/js.js

    69.194.194.90/showthread.php?t=d7ad916d1c0396ff
    69.194.194.90/data/ap2.php (see http://www.virustotal.com/file/6e76bece9008d3ecd6c... )
    69.194.194.90/data/Pol.jar (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    98.158.129.17:8080/showthread.php?t=4a6d866826776084
    98.158.129.17:8080/data/ap2.php (see http://www.virustotal.com/file/69e59f45787040cc168... )
    98.158.129.17:8080/data/Pol.jar (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    173.236.88.179/showthread.php?t=4a6d866826776084
    173.236.88.179/data/Pol.jar (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )
    173.236.88.179/data/ap2.php (see http://www.virustotal.com/file/6e76bece9008d3ecd6c... )

    174.140.168.175/showthread.php?t=d7ad916d1c0396ff
    174.140.168.175/data/ap2.php (see http://www.virustotal.com/file/6364712a75bdfe9b279... )
    174.140.168.175/data/Pol.jar (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

     Data that is stored in the cloud may become lost in the fog.

  20. NotBuyingIt on Fri 11 May 2012, 06:56:54 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    ftp.flightstobangkok.me.uk/4f83RNJW/index.html
    ricon-x.com/2DF6Myuu/index.html
    shoesblog110.info/w13oNri6/index.html

    222.255.28.16:8080/showthread.php?t=977334ca118fcb8c
    222.255.28.16:8080/data/Pol.jar (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )
    222.255.28.16:8080/data/ap2.php (see http://www.virustotal.com/file/43f2ed448245160e4cf... )

     Data that is stored in the cloud may become lost in the fog.

  21. c۞g on Fri 11 May 2012, 12:46:10 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    24 April 2012 - post

    Originally posted by: MarkGiles

    List of domains/hosts:

    mayhems.co.uk

    Unable to find a _working_ example URL = mayhems.co.uk/8_character_code/index.html

    Not detected by any other malware / phish / spam source used by URLvoid, not even ZeusTracker
    re: http://www.urlvoid.com/scan/mayhems.co.uk

    No incidents recorded in CleanMX malware or phishing
    No recent (90 day) history recorded in SafeBrowsing

    mayhems.co.uk sits on IP: 213.229.68.31
    The IP is not referenced in this discussion
    however, IPvoid
    re: http://www.ipvoid.com/scan/213.229.68.31
    shows 2 detections:
    AHBL - UCE/UBE for helplessmint.info
    hpHosts - Sites resolving to 213.229.68.31 were NOT found in our database
    neither concern Zeus / zbot / botnet

    note
    there is a Site Evaluation for this domain:
    http://www.mywot.com/forum/23018-mayhems-co-uk

    ∞ Opto, ergo sum _https://en.wikipedia.org/wiki/And_You_and_I

  22. NotBuyingIt on Fri 11 May 2012, 05:37:03 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    adri.com.br/R9UwZRZq/index.html
    alinadam.ro/7DBeoPK9/index.html
    ftp.axgevents.com/XakNYYoA/index.html
    azeapersonalcoaching.com/gUnFdSS6/index.html
    bageurope.com/7DBeoPK9/index.html
    brucechancey.com/iww7LWJk/index.html
    ceylabs.com/jZ3aZxrJ/index.html
    comolograrobjetivosentuvida.com/7DBeoPK9/index.html
    corporateclothing.in/k6KJusqz/index.html
    www.electrice-sanitare.ro/EXTHfmta/index.html
    eptur.com.br/ppzx8WGP/index.html
    esecret.com.mx/ppzx8WGP/index.html
    famer.com.mx/b8oR7pPA/index.html
    floridabotoxtreatment.com/uqp0iPzL/index.html
    gruposexo3.com.ar/XakNYYoA/index.html
    hsconstrutora.com.br/ppzx8WGP/index.html
    lakemichigansportfishing.com/R9UwZRZq/index.html
    ftp.lib.org.il/rxWG7RGE/index.html
    ftp.lupatingenieria.com/R9UwZRZq/index.html
    metalurgicajsa.com.br/jZ3aZxrJ/index.html
    mylight.com.tr/JzN1XysX/index.html
    nasvibescariocas.com.br/XakNYYoA/index.html
    ftp.nmun.org/gag6EKu4/index.html
    ftp.peyrotonkaram.com/jJqLbogM/index.html
    projegunlugum.com/jJqLbogM/index.html
    rentatlaspalmas.com/xntAqoRb/index.html
    rjsebben.com.br/EXTHfmta/index.html
    smv.mobi/mNsp1sxu/index.html
    ftp.someconference.com/EXTHfmta/index.html
    stroll.com.br/7DBeoPK9/index.html
    sweetarts.com.br/jJqLbogM/index.html
    ftp.videoheretic.com/ymHUBpPH/index.html

    adenotrex.com/HjJqyMcN/js.js
    docemaededeus.org/5epEwuyN/js.js
    dralihanoglu.com/G07eaV9Z/js.js
    eiproducts.in/epo3c7y5/js.js
    emcoelectrodynamics.com/D1mFWVQx/js.js
    emserplaesp.gov.co/bBb6sEyJ/js.js
    friendforevers.com/i942tMvc/js.js
    luzdelunaxxl.com.ar/uGKjuS7D/js.js
    stylooo.com/ZYgHE7Y1/js.js
    unoparalagoinhas.com.br/jJqLbogM/index.html

    222.255.28.16:8080/showthread.php?t=d7ad916d1c0396ff

     Data that is stored in the cloud may become lost in the fog.

  23. NotBuyingIt on Fri 11 May 2012, 06:27:08 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    bihhome-nekretnine.com/smPNouJt/index.html
    bloodclubindia.com/m28vBDsK/index.html
    comproelmundo.com/eCmLq2Zq/index.html
    dezignbugs.com/7yi2RmVE/index.html
    estani.com.ar/p5KxJrng/index.html
    feignasse.com/q9Xycbao/index.html
    iifinder.com/V59SsgH9/index.html
    nawazgroups.com/V59SsgH9/index.html
    oomphactory.net/V59SsgH9/index.html
    ositedasimples.com.br/SCxxMmB0/index.html
    pinnaclesoft.com/eCmLq2Zq/index.html
    pluscoinc.com/cFCzmofm/index.html
    petswonderland.com.my/sSghB42Z/index.html
    pondpcs.com/hj20r6zS/index.html
    ptepi.com/risGhpqV/index.html
    rafagamesxxe.com/5aHoJjoa/index.html
    reyongayrimenkul.com/mNsp1sxu/index.html
    schuldenfreilaw.com/JzN1XysX/index.html
    ftp.seeifitsells.com/nMxKhrJz/index.html
    sherryarora.com/smPNouJt/index.html
    ftp.svap.sk/smPNouJt/index.html
    teacherphilip.com/r6NX4kLW/index.html
    thoitrangmuadong.com/JzN1XysX/index.html
    unaj.edu.pe/risGhpqV/index.html
    unoparalagoinhas.com.br/jJqLbogM/index.html

    arvina.cz/PpBCye.exe (see http://www.virustotal.com/file/99cf5e2699333266b14... )
    gettingmoreyoutubeviews.info/KHwbi.exe (see http://www.virustotal.com/file/99cf5e2699333266b14... )
    ghanaleakplus.com/KVvCk7B.exe (see http://www.virustotal.com/file/99cf5e2699333266b14... )

     Data that is stored in the cloud may become lost in the fog.

  24. NotBuyingIt on Fri 11 May 2012, 10:43:04 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    ftp.altivexfoundry.com/9hDsbiWh/index.html
    antalyafootballcup.com/mNsp1sxu/index.html
    baydas.com/n0H5B6rP/index.html
    bukhattrading.com/hj20r6zS/index.html
    dev1.punchoutcatalogs.net/hj20r6zS/index.html
    elakta.com/sSghB42Z/index.html
    felsefeacademisi.com/cUCXkAS2/index.html
    floriculturabm.com/nNau2vjJ/index.html
    franklinlawpllc.com/wTUuvoxG/index.html
    ga-wireless.com/smPNouJt/index.html
    godoman.net/sSghB42Z/index.html
    pluscoinc.com/JzN1XysX/index.html
    pondpcs.com/mNsp1sxu/index.html
    profinmty.com/P5ut143R/index.html
    rehberpdm.com/QeFFJ3aq/index.html
    seguroseservicos.com.br/tb0RJRyr/index.html
    subhamcapital.com/jxpLMF10/index.html
    tradifrance.net/NGxo03v6/index.html

    clubedadancanh.com.br/pzBQPyFY/js.js
    euroitbd.com/pmy73fkL/js.js
    GRUPOSABER.COM.AR/rVW7zTzV/js.js

    222.255.28.16:8080/showthread.php?t=4a6d866826776084

     Data that is stored in the cloud may become lost in the fog.

  25. MarkGiles on Fri 11 May 2012, 10:47:14 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    The problem continues. Latest corrupted servers:

    List of domains/hosts:

    a1weblinks.co.uk
    alvourbano.com.br
    assifero.org
    autoricambidf.altervista.org
    autotop.com.pl
    caillo.it
    chaplinsaamanthy.com
    chasesandl.com
    clox.co.za
    debtlivelead.com
    divinaoferta.com.br
    epmogi.com.br
    felipegermano.com.br
    fmtjudo.com.br
    ftp.bowlingfiles.com
    ftp.flightstobangkok.me.uk
    ftp.flightstodelhi.me.uk
    ftp.flightstojeddah.me.uk
    ftp.niset.nl
    ftp.totalwebsystems.com
    gaurishankardpharm.org
    giatran.com.vn
    globoclube.com.br
    grupoqueiramais.com.br
    horadosclicks.com.br
    horraycraft.sharkserve.com
    hoyahk.cz
    indeep.com.ar
    itprojectmanagement.ca
    kps.com.pl
    liftandmove.com.mx
    macrotekdigital.brazi.us
    maffeitur.com.br
    marija.dev.webcreationuk.com
    migiweb.savana.cz
    napolipizza.com.mx
    pontodocorpo.com.br
    profiles.sdc.com
    robsonnunesfoto.com.br
    royalcorporates.com
    rstrading.co.in
    sbactu.com
    schikalow.bplaced.net
    sertamix.com.br
    shatrin.com.ve
    siatex.com.hk
    sikhbridegrooms.com
    smartlivetransfers.com
    smartsystemselectronics.com.mx
    srtran.com
    telugudesis.atwebpages.com
    teqanistudent.com
    vitrinedasofertas.com.br
    webissolucoes.com.br
    webrankingoptimization.com
    yosipic.99k.org
    youngindiafilms.in
    zetacreatives.com

    Sample redirection scripts

    eiproducts.in/epo3c7y5/js.js
    docemaededeus.org/5epEwuyN/js.js
    emserplaesp.gov.co/bBb6sEyJ/js.js

    Document location

    222.255.28.16:8080/showthread.php?t=4a6d866826776084

  26. MysteryFCM on Sun 13 May 2012, 06:50:36 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Originally posted by: MarkGiles
    The problem continues. Latest corrupted servers:

    List of domains/hosts:

    a1weblinks.co.uk
    alvourbano.com.br
    assifero.org
    autoricambidf.altervista.org
    autotop.com.pl
    caillo.it
    chaplinsaamanthy.com
    chasesandl.com
    clox.co.za
    debtlivelead.com
    divinaoferta.com.br
    epmogi.com.br
    felipegermano.com.br
    fmtjudo.com.br
    ftp.bowlingfiles.com
    ftp.flightstobangkok.me.uk
    ftp.flightstodelhi.me.uk
    ftp.flightstojeddah.me.uk
    ftp.niset.nl
    ftp.totalwebsystems.com
    gaurishankardpharm.org
    giatran.com.vn
    globoclube.com.br
    grupoqueiramais.com.br
    horadosclicks.com.br
    horraycraft.sharkserve.com
    hoyahk.cz
    indeep.com.ar
    itprojectmanagement.ca
    kps.com.pl
    liftandmove.com.mx
    macrotekdigital.brazi.us
    maffeitur.com.br
    marija.dev.webcreationuk.com
    migiweb.savana.cz
    napolipizza.com.mx
    pontodocorpo.com.br
    profiles.sdc.com
    robsonnunesfoto.com.br
    royalcorporates.com
    rstrading.co.in
    sbactu.com
    schikalow.bplaced.net
    sertamix.com.br
    shatrin.com.ve
    siatex.com.hk
    sikhbridegrooms.com
    smartlivetransfers.com
    smartsystemselectronics.com.mx
    srtran.com
    telugudesis.atwebpages.com
    teqanistudent.com
    vitrinedasofertas.com.br
    webissolucoes.com.br
    webrankingoptimization.com
    yosipic.99k.org
    youngindiafilms.in
    zetacreatives.com

    To ease verification, can you remember to always post the full URLs for these please, especially given they're not static (the same) paths for them all.

    Regards, Steven Burn I.T. Mate / hpHosts it-mate.co.uk / hosts-file.net

  27. NotBuyingIt on Mon 14 May 2012, 05:26:47 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    88.119.29.2:8080/showthread.php?t=4a6d866826776084
    88.119.29.2:8080/data/Pol.jar (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )
    88.119.29.2:8080/data/ap2.php (see http://www.virustotal.com/file/cdfce13cc3bf2691597... )

    IP 88.119.29.2 hosts home.creation.lt, which will likewise serve malware. However, I have not seen any reports that the following URLs are literally being used by the botnet.

    home.creation.lt:8080/showthread.php?t=d7ad916d1c0396ff
    home.creation.lt:8080/data/Pol.jar
    home.creation.lt:8080/data/ap2.php
    {applet/archive=http://home.creation.lt:8080/Cal.jar code=la.C }

    [Edit: Update 19-May-2012 14:30 UTC]

    I can now confirm that the site's name home.creation.lt is being literally used by the botnet.

    home.creation.lt:8080/showthread.php?t=4a6d866826776084

     Data that is stored in the cloud may become lost in the fog.

  28. NotBuyingIt on Mon 14 May 2012, 03:27:26 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    euroitbd.com/pmy73fkL/js.js
    obrskalnikih.zxq.net/aeQS6bpz/js.js
    shsitalia.com/J1c2G1WM/js.js
    studioulike.com/0DtadgHj/js.js

    94.23.39.83:8080/showthread.php?t=4a6d866826776084
    94.23.39.83:8080/data/ap2.php (see http://www.virustotal.com/file/122c6018253efb936cc... )
    94.23.39.83:8080/data/Pol.jar (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

     Data that is stored in the cloud may become lost in the fog.

  29. NotBuyingIt on Mon 14 May 2012, 03:57:18 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    ftp.bizmobilizer.com/8tVwmrKd/index.html
    comproelmundo.com/n0H5B6rP/index.html
    hibbingbowlingcenter.com/i4Ln0fYS/index.html
    historia-ferrocarril.com/XGTgDGgv/index.html
    investcare.org/yugaYC38/index.html
    nopc.commercestreet.com/7VEueCmT/index.html

    50.22.74.127/snF8EHAh/js.js
    balitis.gr/aZHdsWBs/js.js
    clubedadancanh.com.br/pzBQPyFY/js.js
    eboz.fr/BEeVKLSQ/js.js
    giakou-ermioni.com/jTqubN9i/js.js
    gpnetworksystem.com/EApqKMFj/js.js
    magicnight.rs/Y1Tqt39e/js.js
    mitrovica-udruzenje.com/91GrcuHU/js.js
    ftp.vitroblock.com.ar/b57bfddc/js.js

    94.23.39.83:8080/showthread.php?t=d7ad916d1c0396ff

     Data that is stored in the cloud may become lost in the fog.

  30. NotBuyingIt on Mon 14 May 2012, 06:45:53 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    ftp.aromatta.com.br/t75ZN2Sc/index.html
    decoracionclaire.com/sTP3JSCU/index.html
    hybridstate.co.uk/sTP3JSCU/index.html
    mdcinc.com/pgbiUXdx/index.html
    rafagamesxxe.com/hj20r6zS/index.html

    94.23.39.83:8080/showthread.php?t=34c79594e8b8ac0f
    94.23.39.83:8080/showthread.php?t=73a07bcb51f4be71
    94.23.39.83:8080/showthread.php?t=977334ca118fcb8c
    94.23.39.83:8080/showthread.php?t=9d77a9163cda8dbe

     Data that is stored in the cloud may become lost in the fog.