  1. NotBuyingIt on Wed 21 Mar 2012, 09:15:45 PM UTC

    Qai.jar malware (CVE-2010-1885)

    A well-known spam expert is reporting an aggressively promoted malware exploit which uses multiple sites together. Deceptive web pages planted on dozens of sites load a set of JavaScripts which in turn attempt to load a malicious webpage. Several variations were detected yesterday and today.

    This set of scripts
    hXXp://50.57.29.172/hVg3GFAo/js.js
    hXXp://finantariauto.ro/5ZqETXNE/js.js
    hXXp://ipecturkey.com/E2UNfoGY/js.js
    hXXp://oompa.de/VTwQKwDD/js.js
    attempt to load
    hXXp://209.59.217.193/showthread.php?t=d7ad916d1c0396ff
    that leads to malware at
    hXXp://209.59.217.193/q.php?f=ba33
    hXXp://209.59.217.193/content/Qai.jar

    This set of scripts
    hXXp://216.205.49.67/CD5s3Ne3/js.js
    hXXp://activetours.pttk.pl/Eaz0Mz8g/js.js
    hXXp://copymax.gr/jbbaaFCK/js.js
    hXXp://offvip.com/TtMQy1sw/js.js
    hXXp://solocyberday.com/oDYibUuh/js.js
    attempt to load
    hXXp://slickicus.com/showthread.php?t=8d80b8c3f87a9538
    that leads to malware at
    hXXp://slickicus.com/q.php?f=db757
    hXXp://slickicus.com/content/Qai.jar

    This set of scripts
    hXXp://officefurnituremart.com/sT1SFMyf/js.js
    hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
    hXXp://qqprints.com.my/37ErBpvj/js.js
    hXXp://romanjewelers.com/mnbCaEYY/js.js
    hXXp://samx.zzl.org/crF5iYsT/js.js
    attempt to load
    hXXp://slicksphere.com/showthread.php?t=d7ad916d1c0396ff
    but the domain slicksphere.com has been suspended

    Here are some of the deceptive URLs that have been reported earlier today

    Some other reported URLs return HTTP 404 ("Not Found") or their domains have been suspended, so I suspect efforts are underway to combat the malware campaign.

     Data that is stored in the cloud may become lost in the fog.
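Added example (written for this edit, not code from the thread or from WOT): a proxy-log triage script that turns the URL shapes reported in this thread into a stage classifier for the chain (8-character path plus index.html or js.js, showthread.php?t= or search.php?q= with a 16-hex id, q.php/d.php?f= or data/ap*.php, then the JAR) and flags clients that fetched an exploit page and then a payload within a short window. The log format, the sample lines and the example.com-style hosts are constructed; the search.php, d.php and ap*.php shapes come from the follow-up posts in this thread.

```python
"""Proxy-log triage for the js.js -> showthread.php -> JAR chain reported in this thread.

Stage patterns follow the URL shapes listed across the thread's posts; the log format
and the sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

HEX16 = re.compile(r"^[0-9a-f]{16}$")       # showthread.php?t= / search.php?q= ids
HEX_SHORT = re.compile(r"^[0-9a-f]{4,5}$")  # q.php / d.php ?f= ids seen in the thread

# (stage, path pattern, query parameter that must carry a campaign-style id, or None)
STAGES = [
    ("landing", re.compile(r"^/[A-Za-z0-9]{8}/index\.html$"), None),
    ("redirect", re.compile(r"^/[A-Za-z0-9]{8}/js\.js$"), None),
    ("exploit", re.compile(r"^/showthread\.php$"), "t"),
    ("exploit", re.compile(r"^/search\.php$"), "q"),
    ("payload", re.compile(r"^/[qd]\.php$"), "f"),
    ("payload", re.compile(r"^/data/ap[12]\.php$"), None),
    ("jar", re.compile(r"^/(?:data/|content/)?(?:Pol|Qai|Set)\.jar$"), None),
]


def normalise(url: str) -> str:
    """Accept the thread's defanged 'hXXp://' form and scheme-less entries."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url if "://" in url else "http://" + url


def classify(url: str):
    """Return the chain stage a URL matches ('landing', 'redirect', 'exploit',
    'payload', 'jar'), or None when it fits none of the reported shapes."""
    parsed = urlparse(normalise(url))
    query = parse_qs(parsed.query)
    for stage, path_re, param in STAGES:
        if not path_re.match(parsed.path):
            continue
        if param is None:
            return stage
        value = query.get(param, [""])[0].lower()
        wanted = HEX16 if stage == "exploit" else HEX_SHORT
        if wanted.match(value):
            return stage
    return None


def find_chains(log_lines, window_seconds=120):
    """Group classified hits per client and return the clients that requested an
    exploit page and, within window_seconds afterwards, a payload or a JAR.
    Each log line is '<epoch seconds> <client ip> <url>' (constructed format)."""
    per_client = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        ts, client, url = fields
        stage = classify(url)
        if stage is not None:
            per_client[client].append((int(ts), stage, url))

    alerts = {}
    for client, hits in per_client.items():
        hits.sort()
        exploit_times = [t for t, s, _ in hits if s == "exploit"]
        fetched_payload = any(
            s in ("payload", "jar") and any(0 <= t - e <= window_seconds for e in exploit_times)
            for t, s, _ in hits
        )
        if fetched_payload:
            alerts[client] = [(s, u) for _, s, u in hits]
    return alerts


# Constructed proxy log: one client walking the full chain, one benign forum visitor.
SAMPLE_LOG = [
    "1332364500 10.0.0.7 http://compromised-site.example/jXh3opQk/index.html",
    "1332364501 10.0.0.7 http://another-site.example/5ZqETXNE/js.js",
    "1332364502 10.0.0.7 http://203.0.113.5/showthread.php?t=d7ad916d1c0396ff",
    "1332364505 10.0.0.7 http://203.0.113.5/q.php?f=ba33",
    "1332364506 10.0.0.7 http://203.0.113.5/content/Qai.jar",
    "1332364510 10.0.0.9 http://forum.example/showthread.php?t=12345",
    "1332364511 10.0.0.9 http://cdn.example/lib/js.js",
]

if __name__ == "__main__":
    for client, hits in find_chains(SAMPLE_LOG).items():
        print(client, " -> ".join(f"{s}:{u}" for s, u in hits))
```

A legitimate forum's showthread.php?t=12345 does not match because the id is not the 16-hex form the campaign uses, which keeps the false-positive rate down on ordinary vBulletin traffic.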

Comments:

  1. NotBuyingIt on Wed 23 May 2012, 06:48:35 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    elciudadanodelasheras.com/xV2AeFyD/index.html
    medistar.web-tronix.com/xV2AeFyD/index.html

    74.91.114.192/showthread.php?t=4a6d866826776084
    74.91.114.192/data/ap2.php
    74.91.114.192/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )
    74.91.114.192/Set.jar                 (see http://www.virustotal.com/file/8699be5447dd8ba5e53... )

  2. NotBuyingIt on Wed 23 May 2012, 09:12:13 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885, CVE-2012-0507)

    pengroup.gr/j50RQuko/index.html

    174.140.165.100/showthread.php?t=623698f92af884b3
    174.140.165.100/showthread.php?t=4a6d866826776084
    174.140.165.100/data/ap2.php
    174.140.165.100/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )
    174.140.165.100/Set.jar                 (see http://www.virustotal.com/file/8699be5447dd8ba5e53... )

  3. NotBuyingIt on Wed 23 May 2012, 09:49:35 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885, CVE-2012-0507)

    www.weisskugel.it/dd4xsiy5/index.html

    accentiahealth.com/WMCV1FLR/js.js
    amobraz.ro/MkeoXKJm/js.js
    originind.ro/om7ocz9s/js.js
    www.solimoveis.net/S0ohMNA1/js.js
    www.travian-food.com/eQDfnRj8/js.js

    174.140.165.100/showthread.php?t=d7ad916d1c0396ff
    174.140.165.100/showthread.php?t=977334ca118fcb8c

  4. NotBuyingIt on Thu 24 May 2012, 03:42:55 AM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885, CVE-2012-0507)

  5. NotBuyingIt on Thu 24 May 2012, 04:04:28 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885, CVE-2012-0507)

    69.194.196.44/showthread.php?t=d7ad916d1c0396ff     [Edit: 24-May-2012 16:25 UTC added CVE-2010-1885]
    69.194.196.44/data/ap2.php
    69.194.196.44/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )
    69.194.196.44/Set.jar                 (see http://www.virustotal.com/file/8699be5447dd8ba5e53... )

    [Edit: 24-May-2012 16:50 UTC added sites (below)]

    camerone.com.br/VF3apoPq/index.html
    nayezpaspeur.ca/5KDDCnWR/index.html

    www.jajatour.com.br/MAnhmQqo/index.html

    sindprevba.org.br/HboasMYe/js.js

  6. NotBuyingIt on Thu 24 May 2012, 09:37:56 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885, CVE-2012-0507)

    www.byha.net/TGQxG0wY/index.html
    www.fotovargas.com.br/bDhFfggs/js.js
    hotelbalionline.com/EVSpZbZd/index.html
    www.jambsoft.com/pqdRbRWX/index.html
    www.jp-avax.gr/J6ttVmvC/index.html
    ftp.notarialconsultoria.com.br/kiQtvJox/js.js
    serkan-canta.com/VHUVPaU4/index.html

    187.52.180.3/TZAhihTN/js.js
    www.e-kozbeszerzes.net/H4xx3KHT/js.js
    vandillenpartners.com/xhPLxe0i/js.js

    72.46.137.57/showthread.php?t=623698f92af884b3
    72.46.137.57/data/Pol.jar         (http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  7. NotBuyingIt on Fri 25 May 2012, 12:26:41 AM UTC

    RE: zelia.net

    A malicious web page on zelia.net (scorecard) that I reported in this thread on 12-April-2012 has been disabled or removed. I have no knowledge of any malicious webpages currently running on the site. For a summary of the exploit, see
    http://support.clean-mx.de/clean-mx/viruses.php?do...

    For a newly requested WOT Site Evaluation, see http://www.mywot.com/forum/23414-zelia-net

  8. NotBuyingIt on Fri 25 May 2012, 06:20:24 AM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885, CVE-2012-0507)

    ftp.acecp.com.br/JhnLce1D/index.html
    www.anandaespacodeyoga.com/FE0pu1od/index.html
    ibbrasilandia.org.br/VHUVPaU4/index.html
    linkyourart.com/0q0Zmz8a/index.html
    mooreaprofessional.com.br/hmpbDY0A/index.html
    ftp.tantal.sk/52pnpumn/index.html

    216.119.142.54/showthread.php?t=977334ca118fcb8c
    216.119.142.54/data/ap2.php
    216.119.142.54/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    [Edit: Added site (below) 25-May-2012 14:50 UTC ]

    rielatour.ro/io20uMRY/index.html

    216.119.142.54/showthread.php?t=623698f92af884b3
    216.119.142.54/q.php?f=99d7d&e=3

  9. NotBuyingIt on Fri 25 May 2012, 04:58:15 PM UTC

    Sakura Exploit Kit

    Some of the botnet's JavaScript redirection scripts which I have listed in this thread over the past several days are now redirecting to a "Sakura Exploit Kit" on the OVH network at

    wildestmantis.com/lou/index.php?showtopic=974468         (see http://urlquery.net/report.php?id=59648 )

    The exploit attempts to disguise itself with an actual regional Google search page.

  10. NotBuyingIt on Sat 26 May 2012, 01:30:41 AM UTC

    nayezpaspeur.ca

    A malicious web page on nayezpaspeur.ca (scorecard) that I reported in this thread on 24-May-2012 has been disabled or removed. I have no knowledge of any malicious webpages currently running on the site. For a summary of the exploit, see
    http://urlquery.net/report.php?id=59676

    For a newly requested WOT Site Evaluation, see http://www.mywot.com/forum/23442-nayezpaspeur-c...

  11. NotBuyingIt on Sat 26 May 2012, 02:02:11 AM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885, CVE-2012-0507)

    204.145.80.94/showthread.php?t=977334ca118fcb8c
    204.145.80.94/data/ap2.php
    204.145.80.94/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  12. NotBuyingIt on Sat 26 May 2012, 03:43:27 PM UTC

    RE: Pol.jar malware (CVE-2010-0188, CVE-2010-1885, CVE-2012-0507)

    lumeazambeste.ro/oJoL1KSM/index.html

    204.145.80.94/showthread.php?t=4a6d866826776084
    204.145.80.94/showthread.php?t=623698f92af884b3
    204.145.80.94/showthread.php?t=d7ad916d1c0396ff
    {applet/archive=hXXp://204.145.80.94/Set.jar code=ta.C }         (see http://www.virustotal.com/file/8699be5447dd8ba5e53... )

  13. NotBuyingIt on Tue 29 May 2012, 04:55:27 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    109.123.65.237/Z3X1qKbE/index.html
    crimestatistics.co.za/TE1xkmY2/index.html
    hernandezmotores.cl/NQ6oVdu4/index.html
    parodont.de.mypubxtreme.ro/YDEcqFai/index.html
    robinaepstein.com/Sd5m0S0j/index.html

    212.50.122.233/fPAL1JQB/js.js
    agrimp.com/w0jXT3Y7/js.js
    marchaparajesus.com.ve/ZTYtnwmn/js.js
    mysoregolfacademy.com/7bPV7dXH/js.js
    renaissancecasa.com/Rm3jo1zM/js.js
    Talingchan.bangkok.doae.go.th/79Mt8wFR/js.js

    199.119.207.125/showthread.php?t=4a6d866826776084
    199.119.207.125/data/Pol.jar             (see http://r.virscan.org/report/9da76325d053d66e08b0af... )

    [Edit: Added comment (below) 29-May-2012 17:25 UTC]

    In some circumstances, perhaps after attempting to infect the visitor's computer, the malicious webpages at IP 199.119.207.125 may redirect to the legitimate Windows Live site.

    replicainbase.com is hosted at IP 199.119.207.125 and it will serve the same malware (including the following two examples). I have not seen any reports showing that the botnet is literally using the domain name however.

    replicainbase.com/showthread.php?t=d7ad916d1c0396ff
    replicainbase.com/data/Pol.jar

  14. NotBuyingIt on Tue 29 May 2012, 06:41:03 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    www.cdlpalmares.com.br/Z3X1qKbE/index.html
    czechpaintings.info/6VhnQNxd/index.html
    gicutz.atspace.com/gs7SXvq8/index.html
    mishkatint.com/EL3AH1N2/index.html
    modelfashion.com.mx/8EqcSCR1/index.html

  15. NotBuyingIt on Tue 29 May 2012, 09:08:43 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    automazioneindustriale.co/0uzQVt9s/index.html
    starelectro.kz/7baYx7cq/index.html
    vimana.lk/7baYx7cq/index.html

    dolphincure.com/zzuYPcww/js.js
    drmanolomaestre.com/tNEJk058/js.js
    ftp.micro-cam-unit.com/ouyi4nia/js.js

    46.182.109.41/showthread.php?t=623698f92af884b3
    46.182.109.41/showthread.php?t=d7ad916d1c0396ff
    46.182.109.41/data/Pol.jar         (see http://r.virscan.org/report/49fbdeee990d4a407feb9e... )

    In some circumstances, perhaps after attempting to infect the visitor's computer, the malicious webpages at IP 46.182.109.41 may redirect to the legitimate Windows Live site.

  16. NotBuyingIt on Tue 29 May 2012, 10:05:53 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    37.72.168.37/showthread.php?t=623698f92af884b3
    37.72.168.37/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    In some circumstances, perhaps after attempting to infect the visitor's computer, the malicious webpages at IP 37.72.168.37 may redirect to the legitimate Windows Live site.

  17. NotBuyingIt on Tue 29 May 2012, 11:06:48 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    www..baniyabridegrooms.com/YiNgmdmr/index.html

    37.72.168.37/showthread.php?t=d7ad916d1c0396ff

  18. NotBuyingIt on Wed 30 May 2012, 12:35:15 AM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    kekayaandarirumah.com/XrG4MX2q/index.html

    ftp.mullerwwl.altervista.org/NbdoX4c9/js.js

    178.77.99.145:8080/showthread.php?t=4a6d866826776084
    178.77.99.145:8080/data/Pol.jar                       (see http://r.virscan.org/report/b8e33d4fc3c649f333fdef... )
    178.77.99.145:8080/q.php?f=5d5d6&e=1         (see http://www.virustotal.com/file/eb5d0a015452c65c3b2... )

  19. NotBuyingIt on Wed 30 May 2012, 01:15:16 AM UTC

    RE: Pol.jar malware (CVE-2010-1885)

    hangiokulnerede.com/0AnWez3h/index.html
    hoteldooars.in/cdUCmgTD/index.html
    silverstonebuildwel.com/1QHxnz6g/index.html
    sms2play.co.za/CJSsufVE/index.html

    178.77.99.145:8080/showthread.php?t=d7ad916d1c0396ff

  20. NotBuyingIt on Wed 30 May 2012, 05:36:52 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    algodaodoceeciaeventos.com.br/zdJToAWs/index.html
    dallasrodentcontrol.com/xonBRDNc/index.html
    iemp.com.br/60m32ZpU/index.html

    escolaendanca.com.br/MjS6ob4L/js.js
    uspt.edu.ar/sfu0QDmL/js.js

    69.194.192.238/search.php?q=1ae63dc58b3bf81d
    69.194.192.238/d.php?f=5d5d6&e=1
    69.194.192.238/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    felipemarttos.com.br/L6u4tEBQ/index.html

    www.manhattan.tur.br/sFXCbGnX/js.js
    www.mediagalati.ro/NYMHd3Tr/js.js
    rankingpokemonespanol.net/bFY1TgUK/js.js

    184.154.76.237/search.php?q=3e1d86682675601a
    184.154.76.237/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  21. NotBuyingIt on Wed 30 May 2012, 07:43:37 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    72.5.102.164/search.php?q=3e1d86682675601a
    72.5.102.164/d.php?f=99d7d&e=1
    72.5.102.164/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    In some circumstances, perhaps after attempting to infect the visitor's computer, the malicious webpages at IP 72.5.102.164 may redirect to the legitimate Windows Live site.

  22. NotBuyingIt on Wed 30 May 2012, 08:24:16 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    198.136.53.72/search.php?q=1ae63dc58b3bf81d
    198.136.53.72/d.php?f=0cf26&e=1
    198.136.53.72/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    In some circumstances, perhaps after attempting to infect the visitor's computer, the malicious webpages at IP 198.136.53.72 may redirect to the legitimate Windows Live site.

  23. NotBuyingIt on Wed 30 May 2012, 08:56:53 PM UTC

    RE: Pol.jar malware (CVE-2006-0003, CVE-2010-1885, CVE-2012-0507)

    66.160.179.70/search.php?q=1ae63dc58b3bf81d
    66.160.179.70/search.php?q=3e1d86682675601a
    66.160.179.70/d.php?f=99d7d&e=1
    66.160.179.70/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    "Malicious software includes 85 trojan(s)." (source: http://www.google.com/safebrowsing/diagnostic?site... )

    In some circumstances, perhaps after attempting to infect the visitor's computer, the malicious webpages at IP 66.160.179.70 may redirect to the legitimate Windows Live site.

  24. NotBuyingIt on Thu 31 May 2012, 03:15:02 AM UTC

    RE: Pol.jar malware (CVE-2006-0003, CVE-2010-1885, CVE-2012-0507)

    empresing.com.ar/a20ED2Qz/index.html
    omaha-pest-control.org/uuuXXSur/index.html
    ourusafinance.com/1JhkV2jy/index.html
    vedanteducom.org/aEhEhjcC/index.html

    mysasociados.com.ar/HBWyJmCK/js.js

    49.156.20.209:8080/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )
    49.156.20.209:8080/Set.jar                 (see http://www.virustotal.com/file/9f169fd368e602d7119... )

  25. NotBuyingIt on Thu 31 May 2012, 03:59:50 AM UTC

    RE: 7visualsolution.com

    A malicious file on 7visualsolution.com (scorecard) that I reported in this thread on 07-April-2012 has been disabled or removed. I have no knowledge of any malware currently on the site. See a summary of the old exploit at
    http://support.clean-mx.de/clean-mx/viruses.php?do...

    For a newly requested WOT Site Evaluation, see http://www.mywot.com/forum/23596-7visualsolutio...

  26. NotBuyingIt on Thu 31 May 2012, 02:56:50 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    www.adroit-india.in/4xRraik0/js.js
    clox.co.za/Jv6ALdbz/js.js
    deniquecrafts.co.za/5fTuVAix/js.js
    www.telemedica.ro/0Gng4gkp/js.js
    shreesponge.com/Lpps8WqL/js.js
    unfelden-armaifi.ro/6XSwEr7U/js.js

    108.170.18.39/search.php?q=1ae63dc58b3bf81d
    108.170.18.39/search.php?q=3e1d86682675601a
    108.170.18.39/search.php?q=ff6d7ad916d1c039
    108.170.18.39/d.php?f=0cf26&e=1
    108.170.18.39/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    In some circumstances, perhaps after attempting to infect the visitor's computer, the malicious webpages at IP 108.170.18.39 may redirect to the legitimate Windows Live site.

    Acknowledgement: Many of the suspicious URLs listed above were identified earlier at http://malwaresurvival.net/2012/05/30/more-bancorp-spoofing-and-malware-attacks/

  27. NotBuyingIt on Thu 31 May 2012, 04:52:23 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    alacultural.com.br/XwvxhzQ4/index.html
    elichenterprises.com/oY5zib4q/index.html

    ftp.jestec.com.br/aCGpKhR6/js.js

    [Edit: Added sites (below) 31-May-2012 17:20 UTC]

    ftp.dealsouk.com/ne3Cisth/index.html

    46.182.109.41/search.php?q=ff6d7ad916d1c039

    [Edit: Added sites (below) 31-May-2012 17:55 UTC]

    piknik.web.id/7NHGH0wy/index.html         (domain was previously reported on 11-May-2012)
    san-diego-rodent-control.com/42MAa7r1/index.html

  28. NotBuyingIt on Fri 01 Jun 2012, 05:31:37 AM UTC

    RE: Pol.jar malware (CVE-2009-0927, CVE-2010-1885, CVE-2012-0507)

    ftp.autecjoi.com.br/KrKxLB2v/index.html

    184.154.76.237/search.php?q=ff6d7ad916d1c039
    184.154.76.237/data/ap1.php?f=0cf26

  29. NotBuyingIt on Fri 01 Jun 2012, 03:42:25 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    dp23260004.lolipop.jp/pX1Zao4k/index.html
    ftp.evolucaobodyart.com/RkE1zpWs/index.html
    ganymeden.se/s6m9fwdz/index.html
    gasthof-sonnenlicht.at/R9L3cqLG/index.html
    gbryk.webiq.pl/p1gs4Ljx/index.html
    lightssanantonio.com/ZYZkE3p2/index.html
    recantodolazerpiscinas.com.br/Cq34EQTq/index.html
    wp10646208.wp274.webpack.hosteurope.de/DXWffYUd/index.html

    einkaufs.net/SbGWwe8N/js.js
    www.fercorte.com.br/geCGtpPj/js.js
    hongmingintranet.com/d38Xd3AL/js.js
    www.overock.com.br/hyn8CW4F/js.js
    pestcontrolsandiego.info/t5bPeNH5/js.js
    play.timerec.net/BSWw9mTY/js.js

    199.192.203.139/search.php?q=1ae63dc58b3bf81d
    199.192.203.139/search.php?q=ff6d7ad916d1c039
    199.192.203.139/Set.jar
    199.192.203.139/data/Pol.jar   (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  30. NotBuyingIt on Fri 01 Jun 2012, 04:31:58 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    ceasubun.ro/ne3Cisth/index.html
    compunavia.com.ve/rgqJm1ne/index.html
    gvsjpbcrgx.times.lv/UwAXFo9U/index.html

    199.192.203.139/search.php?q=3e1d86682675601a

    108.166.65.182:8080/pony/gate.php

    Acknowledgement: All of the EXE files and the Zeus C&C site listed above were identified by www.threatexpert.com

    [Edit: Added sites (below) 01-June-2012 18:25 UTC]

    ftp.ashleytech.com/edTpC2WC/index.html
    kadikoyden.com/kJeUD7ij/index.html

    [Edit: Added site (below) 01-June-2012 19:10 UTC]

    logicis.net/rAoxMGBb/index.html