  1. NotBuyingIt on Wed 21 Mar 2012, 09:15:45 PM UTC

    Qai.jar malware (CVE-2010-1885)

    A well-known spam expert is reporting an aggressively promoted malware exploit which uses multiple sites together. Deceptive web pages planted on dozens of sites load a set of JavaScripts which in turn attempt to load a malicious webpage. Several variations were detected yesterday and today.

    This set of scripts
    hXXp://50.57.29.172/hVg3GFAo/js.js
    hXXp://finantariauto.ro/5ZqETXNE/js.js
    hXXp://ipecturkey.com/E2UNfoGY/js.js
    hXXp://oompa.de/VTwQKwDD/js.js
    attempt to load
    hXXp://209.59.217.193/showthread.php?t=d7ad916d1c0396ff
    that leads to malware at
    hXXp://209.59.217.193/q.php?f=ba33
    hXXp://209.59.217.193/content/Qai.jar

    This set of scripts
    hXXp://216.205.49.67/CD5s3Ne3/js.js
    hXXp://activetours.pttk.pl/Eaz0Mz8g/js.js
    hXXp://copymax.gr/jbbaaFCK/js.js
    hXXp://offvip.com/TtMQy1sw/js.js
    hXXp://solocyberday.com/oDYibUuh/js.js
    attempt to load
    hXXp://slickicus.com/showthread.php?t=8d80b8c3f87a9538
    that leads to malware at
    hXXp://slickicus.com/q.php?f=db757
    hXXp://slickicus.com/content/Qai.jar

    This set of scripts
    hXXp://officefurnituremart.com/sT1SFMyf/js.js
    hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
    hXXp://qqprints.com.my/37ErBpvj/js.js
    hXXp://romanjewelers.com/mnbCaEYY/js.js
    hXXp://samx.zzl.org/crF5iYsT/js.js
    attempt to load
    hXXp://slicksphere.com/showthread.php?t=d7ad916d1c0396ff
    but the domain slicksphere.com has been suspended

    Here are some of the deceptive URLs that have been reported earlier today

    Some other reported URLs return HTTP 404 ("Not Found") or their domains have been suspended, so I suspect efforts are underway to combat the malware campaign.

     Data that is stored in the cloud may become lost in the fog.
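A defender-side classifier for the redirect chain described in the post above, added here as an example that is not part of the original thread: it maps each URL shape quoted in this thread (a random directory followed by index.html or js.js, showthread.php/search.php carrying a 16-hex token, a q/d/g.php?f= dropper, and the Qai.jar, Pol.jar or Set.jar archive) to a stage, then walks a proxy log per client and flags only clients whose traffic reaches the exploit-kit page or the jar. The log lines, hostnames and the 6-8 character directory length are constructed assumptions, not data from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Ordered stages of the chain described in the thread: compromised landing
# page -> loader script -> exploit-kit page -> dropper -> Java archive.
# Path shapes follow the URLs quoted in the posts; the 6-8 character random
# directory is an assumption generalised from those samples.
STAGES = [
    ("landing", re.compile(r"^/[A-Za-z0-9]{6,8}/index\.html$")),
    ("loader",  re.compile(r"^/[A-Za-z0-9]{6,8}/js\.js$")),
    ("ek_page", re.compile(r"^/(showthread|search)\.php$")),
    ("dropper", re.compile(r"^/[qdg]\.php$")),
    ("jar",     re.compile(r"^(/data/Pol\.jar|/content/Qai\.jar|/Set\.jar)$")),
]
STAGE_ORDER = [name for name, _ in STAGES]
HEX16 = re.compile(r"^[0-9a-f]{16}$")   # showthread.php?t= / search.php?q=
HEX45 = re.compile(r"^[0-9a-f]{4,5}$")  # q.php / d.php / g.php ?f=


def classify(url):
    """Return the chain stage a URL matches, or None.

    Accepts the defanged 'hXXp://' form and scheme-less 'host/path' lines
    exactly as they are written in the thread.
    """
    url = url.replace("hXXp://", "http://", 1)
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    for name, pattern in STAGES:
        if not pattern.match(parts.path):
            continue
        # The .php stages only count with their characteristic hex parameter;
        # a bare search.php hit on some unrelated site is not a match.
        if name == "ek_page":
            token = query.get("t", query.get("q", [""]))[0]
            return name if HEX16.match(token) else None
        if name == "dropper":
            return name if HEX45.match(query.get("f", [""])[0]) else None
        return name
    return None


# Constructed sample proxy log, "<time> <client> <url>" per line. Hosts use
# reserved example/TEST-NET names; only the path shapes come from the thread.
LOG_LINES = [
    "2012-06-05T12:00:01Z 10.0.0.7 http://landing.example/Ab12Cd34/index.html",
    "2012-06-05T12:00:02Z 10.0.0.7 http://loader.example/Zy98Xw76/js.js",
    "2012-06-05T12:00:03Z 10.0.0.7 http://203.0.113.10/search.php?q=ff6d7ad916d1c039",
    "2012-06-05T12:00:05Z 10.0.0.7 http://203.0.113.10/g.php?f=ba33e&e=1",
    "2012-06-05T12:00:06Z 10.0.0.7 http://203.0.113.10/data/Pol.jar",
    "2012-06-05T12:01:00Z 10.0.0.9 http://intranet.example/index.html",
    "2012-06-05T12:01:02Z 10.0.0.9 http://cdn.example/assets/js.js",
]


def find_chains(lines, min_stages=3):
    """Correlate classified hits per client.

    The landing/loader patterns alone are weak (any /assets/js.js matches),
    so a client is only flagged when it reaches the exploit-kit page or the
    jar and has seen at least min_stages distinct stages. Returns a dict of
    client -> stages observed, in chain order.
    """
    hits = defaultdict(set)
    for line in lines:
        _ts, client, url = line.split(maxsplit=2)
        stage = classify(url)
        if stage:
            hits[client].add(stage)
    flagged = {}
    for client, stages in hits.items():
        if len(stages) >= min_stages and stages & {"ek_page", "jar"}:
            flagged[client] = sorted(stages, key=STAGE_ORDER.index)
    return flagged


if __name__ == "__main__":
    for client, stages in find_chains(LOG_LINES).items():
        print(client, "->", " > ".join(stages))
```

The second client in the sample hits only a weak loader-shaped path and is deliberately not flagged; tune min_stages down if your logs only capture the later stages.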

Comments:

  1. NotBuyingIt on Sat 02 Jun 2012, 01:39:23 AM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    ingeniost.com/MBx1yXv4/index.html
    lightedge.ro/GDZVD084/index.html

    108.166.65.182:8080/search.php?q=3e1d86682675601a
    108.166.65.182:8080/search.php?q=ff6d7ad916d1c039
    108.166.65.182:8080/d.php?f=99d7d&e=1
    108.166.65.182:8080/data/Pol.jar             (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  2. NotBuyingIt on Sat 02 Jun 2012, 04:26:23 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    5.39.15.199/search.php?q=3e1d86682675601a
    5.39.15.199/d.php?f=99d7d&e=1           ("readme.exe", see http://www.virustotal.com/file/72132d2bc2a8d604a9a... )
    5.39.15.199/d.php?f=8896e                   ("about.exe", see http://www.virustotal.com/file/3f22a0add32b852d7f3... )
    5.39.15.199/data/Pol.jar                         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    liliyot.co.il/6KKg1gjp.exe                           (see http://www.virustotal.com/file/28c76f40f657215a5e4... )
    referti.girlandoeparavizzini.com/hdMwZDqk/x7z.exe         (see http://www.virustotal.com/file/cbcaf6cb797ae7377a2... )
    warequip.com.au/EXW9rGX7.exe             (see http://www.virustotal.com/file/03e1e9f4161ab566914... )

  3. NotBuyingIt on Sat 02 Jun 2012, 07:43:05 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    printcardingressos.com.br/ZTHQ6UTP/index.html

    bursatarimmakinalari.com/wQbxzhFB/js.js
    daralwatan.com.sa/gTDoDT2c/js.js

  4. NotBuyingIt on Sat 02 Jun 2012, 09:08:02 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    Acknowledgement: Most of these sites were listed at malwareblacklist.com earlier today.

  5. NotBuyingIt on Sun 03 Jun 2012, 02:03:31 AM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    216.52.143.36/search.php?q=fa16f5d3def51288
    216.52.143.36/d.php?f=7ad2b&e=1             ("contacts.exe", see http://www.virustotal.com/file/94139592962a9bb3f86... )
    216.52.143.36/d.php?f=dee40&e=1             ("calc.exe", see http://www.virustotal.com/file/026e0d5b1197323a865... )
    216.52.143.36/data/Pol.jar                           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  6. NotBuyingIt on Sun 03 Jun 2012, 02:16:45 AM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    209.59.220.244/search.php?q=fa16f5d3def51288
    209.59.220.244/d.php?f=7ad2b&e=1
    209.59.220.244/d.php?f=dee40&e=1
    209.59.220.244/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  7. NotBuyingIt on Sun 03 Jun 2012, 03:30:45 AM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    creal.nstrefa.pl/1vAJs3E2/index.html
    hunterland.com.ua/oHqKH6Fh/index.html
    kui.kz/9WZMtfHD/index.html
    teatur.com.br/aa06FUwn/index.html

    institutoartedance.com/DuSRFU7j/js.js
    quiz.aycedev.com/W2V5KLYy/js.js

    49.156.20.209:8080/search.php?q=234977334ca118fc
    49.156.20.209:8080/q.php?f=7245d&e=1

    anamel.ro/wtmg.exe      (see http://www.virustotal.com/file/061bb896da0eaec822e... )

  8. NotBuyingIt on Sun 03 Jun 2012, 06:32:46 AM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    nolgo.com:8080/search.php?q=fa16f5d3def51288
    nolgo.com:8080/d.php?f=dee40&e=1
    nolgo.com:8080/d.php?f=7ad2b&e=1
    nolgo.com:8080/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    IP 115.71.239.202 hosts the domain nolgo.com and it will serve the same malware (including the following examples). I have not seen any reports showing that the botnet is literally using the IP address however.

    115.71.239.202:8080/search.php?q=fa16f5d3def51288
    115.71.239.202:8080/d.php?f=dee40&e=1
    115.71.239.202:8080/d.php?f=7ad2b&e=1
    115.71.239.202:8080/data/Pol.jar

  9. NotBuyingIt on Sun 03 Jun 2012, 01:41:12 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    Acknowledgement: These sites are newly listed at malwareblacklist.com.

  10. NotBuyingIt on Mon 04 Jun 2012, 05:47:41 AM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    digipulso.com.br/AvvxFTyg/index.html
    staines.com.br/0pVSF0Az/index.html

  11. NotBuyingIt on Mon 04 Jun 2012, 02:42:37 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    64.111.24.121/search.php?q=fa16f5d3def51288
    64.111.24.121/g.php?f=7ad2b&e=1
    64.111.24.121/g.php?f=dee40&e=1
    64.111.24.121/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  12. NotBuyingIt on Mon 04 Jun 2012, 03:10:47 PM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    dictatingrepurposed.in/Set.jar
    dictatingrepurposed.in/data/Pol.jar         (see http://www.virustotal.com/file/ce8202fc14b039b03c5... )

    IP 37.59.188.165 hosts the domain dictatingrepurposed.in and it will serve the same malware (including the following example). I have not seen any reports showing that the botnet is literally using the IP address however. The site uses an Apache web server instead of an nginx server, which is what the other payload sites listed in this thread typically use.

    37.59.188.165/data/Pol.jar                     (see http://www.virustotal.com/file/ce8202fc14b039b03c5... )

  13. NotBuyingIt on Mon 04 Jun 2012, 05:42:07 PM UTC

    RE: Pol.jar malware (CVE-2010-1885, CVE-2012-0507)

    198.136.53.34/search.php?q=234977334ca118fc
    198.136.53.34/search.php?q=fa16f5d3def51288
    198.136.53.34/g.php?f=0e44a&e=1
    198.136.53.34/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  14. NotBuyingIt on Tue 05 Jun 2012, 01:21:20 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

  15. NotBuyingIt on Tue 05 Jun 2012, 12:00:28 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    216.52.143.244/search.php?q=ff6d7ad916d1c039
    216.52.143.244/g.php?f=ba33e&e=1
    216.52.143.244/g.php?f=ba33e&e=4
    216.52.143.244/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )
    216.52.143.244/Set.jar                 (note low detection rate of this item: http://www.virustotal.com/file/c8d7e275728e88bb7ea... )

  16. NotBuyingIt on Tue 05 Jun 2012, 12:39:30 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    174.140.166.30/search.php?q=ff6d7ad916d1c039
    174.140.166.30/g.php?f=ba33e&e=1
    174.140.166.30/g.php?f=ba33e&e=4
    174.140.166.30/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  17. NotBuyingIt on Tue 05 Jun 2012, 03:09:09 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    72.46.137.61/search.php?q=3e1d86682675601a
    72.46.137.61/g.php?f=99d7d&e=1
    72.46.137.61/g.php?f=99d7d&e=4
    72.46.137.61/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  18. NotBuyingIt on Tue 05 Jun 2012, 08:48:02 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    69.194.196.34/search.php?q=ff6d7ad916d1c039
    69.194.196.34/data/ap2.php
    69.194.196.34/g.php?f=ba33e&e=4
    69.194.196.34/g.php?f=ba33e&e=1
    69.194.196.34/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  19. NotBuyingIt on Tue 05 Jun 2012, 09:33:52 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

  20. NotBuyingIt on Wed 06 Jun 2012, 12:36:12 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    173.236.15.23/search.php?q=1ae63dc58b3bf81d
    173.236.15.23/data/ap2.php
    173.236.15.23/g.php?f=dee40&e=1
    173.236.15.23/g.php?f=7ad2b&e=1
    173.236.15.23/data/Pol.jar   (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  21. NotBuyingIt on Wed 06 Jun 2012, 01:28:04 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    46.21.155.132/search.php?q=1ae63dc58b3bf81d
    46.21.155.132/data/ap2.php
    46.21.155.132/g.php?f=0cf26&e=4
    46.21.155.132/g.php?f=0cf26&e=1
    46.21.155.132/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  22. NotBuyingIt on Wed 06 Jun 2012, 02:13:15 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    redejundiai.com/hGwaAUM6/index.html
    sociedadesbiblicas.org.ve/DEbQXKqx/index.html

    46.21.155.132/search.php?q=ff6d7ad916d1c039 (preliminary screenshot: http://urlquery.net/screenshot.php?id=64247 )
    46.21.155.132/Set.jar
    46.21.155.132/g.php?f=ba33e&e=1
    46.21.155.132/g.php?f=ba33e&e=4

  23. NotBuyingIt on Wed 06 Jun 2012, 04:52:19 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    appliancerepairsanantoniotexas.com/3js6mr5T/index.html
    extremix.com.ar/A09s9jBs/index.html    (earlier report)
    fusion.home.pl/3js6mr5T/index.html
    long-beach-plumber.com/A09s9jBs/index.html
    prelucrari-reparatii.ro/n6PQQMbf/index.html

  24. NotBuyingIt on Wed 06 Jun 2012, 03:40:03 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    46.182.109.34/search.php?q=1ae63dc58b3bf81d
    46.182.109.34/data/ap2.php
    46.182.109.34/g.php?f=0cf26&e=4
    46.182.109.34/g.php?f=0cf26&e=1
    46.182.109.34/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  25. NotBuyingIt on Wed 06 Jun 2012, 05:26:50 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    204.145.80.216/search.php?q=3e1d86682675601a
    204.145.80.216/data/ap2.php
    204.145.80.216/g.php?f=99d7d&e=4
    204.145.80.216/g.php?f=99d7d&e=1
    204.145.80.216/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  26. NotBuyingIt on Wed 06 Jun 2012, 10:30:17 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    64.111.24.122/search.php?q=1ae63dc58b3bf81d
    64.111.24.122/data/ap2.php
    64.111.24.122/g.php?f=0cf26&e=4
    64.111.24.122/g.php?f=0cf26&e=1
    64.111.24.122/Set.jar
    64.111.24.122/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  27. NotBuyingIt on Thu 07 Jun 2012, 01:04:31 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    72.46.137.45/search.php?q=ff6d7ad916d1c039
    72.46.137.45/data/ap2.php
    72.46.137.45/g.php?f=ba33e&e=1
    72.46.137.45/g.php?f=ba33e&e=4
    72.46.137.45/data/Pol.jar         (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  28. NotBuyingIt on Thu 07 Jun 2012, 08:41:42 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    The botnet has resumed using the following payload site

    108.166.65.182:8080/search.php?q=1ae63dc58b3bf81d
    108.166.65.182:8080/search.php?q=fa16f5d3def51288

  29. NotBuyingIt on Thu 07 Jun 2012, 09:26:04 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

  30. NotBuyingIt on Thu 07 Jun 2012, 10:04:37 AM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    Acknowledgement: Most of these sites were listed at malwareblacklist.com very recently.
