  1. NotBuyingIt on Wed 21 Mar 2012, 09:15:45 PM UTC

    Qai.jar malware (CVE-2010-1885)

    A well-known spam expert is reporting an aggressively promoted malware exploit which uses multiple sites together. Deceptive web pages planted on dozens of sites load a set of JavaScripts which in turn attempt to load a malicious webpage. Several variations were detected yesterday and today.

    This set of scripts
    hXXp://50.57.29.172/hVg3GFAo/js.js
    hXXp://finantariauto.ro/5ZqETXNE/js.js
    hXXp://ipecturkey.com/E2UNfoGY/js.js
    hXXp://oompa.de/VTwQKwDD/js.js
    attempt to load
    hXXp://209.59.217.193/showthread.php?t=d7ad916d1c0396ff
    that leads to malware at
    hXXp://209.59.217.193/q.php?f=ba33
    hXXp://209.59.217.193/content/Qai.jar

    This set of scripts
    hXXp://216.205.49.67/CD5s3Ne3/js.js
    hXXp://activetours.pttk.pl/Eaz0Mz8g/js.js
    hXXp://copymax.gr/jbbaaFCK/js.js
    hXXp://offvip.com/TtMQy1sw/js.js
    hXXp://solocyberday.com/oDYibUuh/js.js
    attempt to load
    hXXp://slickicus.com/showthread.php?t=8d80b8c3f87a9538
    that leads to malware at
    hXXp://slickicus.com/q.php?f=db757
    hXXp://slickicus.com/content/Qai.jar

    This set of scripts
    hXXp://officefurnituremart.com/sT1SFMyf/js.js
    hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
    hXXp://qqprints.com.my/37ErBpvj/js.js
    hXXp://romanjewelers.com/mnbCaEYY/js.js
    hXXp://samx.zzl.org/crF5iYsT/js.js
    attempt to load
    hXXp://slicksphere.com/showthread.php?t=d7ad916d1c0396ff
    but the domain slicksphere.com has been suspended

    Here are some of the deceptive URLs that have been reported earlier today


    Some other reported URLs return HTTP 404 ("Not Found") or their domains have been suspended, so I suspect efforts are underway to combat the malware campaign.

     Data that is stored in the cloud may become lost in the fog.
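The redirect chain the opening post describes (a planted index.html, a js.js loader, a showthread.php entry page, then the .jar payload) lends itself to a proxy-log check. The following is an added example, not code from the post or from any tool mentioned in this thread; the host names and log lines are constructed placeholders, and only the URL shapes are taken from what the thread reports.

```python
"""Tag proxy-log URLs with the stage of the redirect chain reported above.

URL shapes (from the thread; hosts in the sample are constructed):
  landing  /<8 alnum>/index.html        deceptive page planted on a hacked site
  loader   /<8 alnum>/js.js             script that pulls the next hop
  redirect showthread.php?t=<16 hex>    exploit-kit entry page (also the page=,
           search.php?q=, page.php?p=, download.php?id= variants seen later)
  payload  q|g|w.php?f=<hex>, data/ap2.php, Qai/Pol/Half/Set .jar
A lone landing-shaped path is weak evidence (any site can have such a
directory); the alert is the chain inside one client session.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# (stage, full-path regex, query parameter, value regex); None = no query check
RULES = [
    ("landing",  r"/[A-Za-z0-9]{8}/index\.html", None, None),
    ("loader",   r"/[A-Za-z0-9]{8}/js\.js", None, None),
    ("redirect", r"(?:/forum)?/showthread\.php", "t", r"[0-9a-f]{16}"),
    ("redirect", r"(?:/forum)?/showthread\.php", "page", r"[0-9a-f]{16}"),
    ("redirect", r"/search\.php", "q", r"[0-9a-f]{16}"),
    ("redirect", r"/page\.php", "p", r"[0-9a-f]{8,16}"),
    ("redirect", r"/download\.php", "id", r"[0-9a-f]{8}"),
    ("payload",  r"(?:/forum)?/[qgw]\.php", "f", r"[0-9a-f]{4,6}"),
    ("payload",  r"(?:/forum)?/data/ap2\.php", None, None),
    ("payload",  r"(?:/forum)?(?:/content|/data)?/(?:Qai|Pol|Half|Set)\.jar", None, None),
]


def classify_url(url):
    """Return the chain stage a URL resembles, or None. The scheme is optional."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    query = parse_qs(parts.query)
    for stage, path_re, param, value_re in RULES:
        if not re.fullmatch(path_re, parts.path):
            continue
        if param is None or re.fullmatch(value_re, query.get(param, [""])[0]):
            return stage
    return None


# constructed log format: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def session_stages(log_lines):
    """Group (stage, url) hits per client in log order; malformed lines are skipped."""
    sessions = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify_url(m.group("url"))
        if stage:
            sessions[m.group("client")].append((stage, m.group("url")))
    return dict(sessions)


ORDER = {"landing": 0, "loader": 1, "redirect": 2, "payload": 3}


def flag_clients(sessions):
    """Flag a client only when an early stage (landing/loader) precedes a late one
    (redirect/payload); the observed stage sequence is returned for the analyst."""
    flagged = {}
    for client, hits in sessions.items():
        ranks = [ORDER[stage] for stage, _ in hits]
        early = [i for i, r in enumerate(ranks) if r <= 1]
        late = [i for i, r in enumerate(ranks) if r >= 2]
        if early and late and min(early) < max(late):
            flagged[client] = [stage for stage, _ in hits]
    return flagged


# Constructed sample: one client walks the whole chain; another only hits a
# landing-shaped directory on an internal site, which must not alert.
SAMPLE_LOG = [
    "2012-03-21T20:55:01Z 10.0.0.5 GET http://hacked-site.example/Ab12Cd34/index.html 200",
    "2012-03-21T20:55:02Z 10.0.0.5 GET http://loader-host.example/Zy98Xw76/js.js 200",
    "2012-03-21T20:55:03Z 10.0.0.5 GET http://kit-host.example/showthread.php?t=0123456789abcdef 200",
    "2012-03-21T20:55:05Z 10.0.0.5 GET http://kit-host.example/q.php?f=ab12 200",
    "2012-03-21T20:55:06Z 10.0.0.5 GET http://kit-host.example/content/Qai.jar 200",
    "2012-03-21T20:57:10Z 10.0.0.9 GET http://intranet.example/Qw12Er34/index.html 200",
    "2012-03-21T20:58:00Z 10.0.0.9 GET http://intranet.example/news/index.html 200",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for client, stages in flag_clients(session_stages(SAMPLE_LOG)).items():
        print(client, "->", " > ".join(stages))
```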

Comments:

  1. MarkGiles on Thu 07 Jun 2012, 10:57:30 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    More exploit sites:


  2. NotBuyingIt on Thu 07 Jun 2012, 06:41:07 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    209.59.221.119/search.php?q=1ae63dc58b3bf81d
    209.59.221.119/search.php?q=fa16f5d3def51288
    209.59.221.119/data/ap2.php
    209.59.221.119/g.php?f=0cf26&e=4
    209.59.221.119/g.php?f=0cf26&e=1
    209.59.221.119/Set.jar
    209.59.221.119/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  3. NotBuyingIt on Fri 08 Jun 2012, 04:48:18 AM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    109.123.109.150:8080/Set.jar
    109.123.109.150:8080/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  4. NotBuyingIt on Fri 08 Jun 2012, 06:37:05 AM UTC

    RE: Pol.jar malware (CVE-2012-0507)


  5. NotBuyingIt on Fri 08 Jun 2012, 03:57:50 PM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    72.46.140.14/data/Pol.jar           (see http://r.virscan.org/report/951a485d7efaedea36be12... )

    Acknowledgement: Most of these sites were listed at malwareblacklist.com earlier today.

  6. NotBuyingIt on Fri 08 Jun 2012, 09:35:17 PM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    69.194.196.49/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    Currently, the Google Safe Browsing diagnostic page for 69.194.196.0 (web block) reports "Malicious software includes 83 trojan(s), 21 exploit(s)."

  7. NotBuyingIt on Sat 09 Jun 2012, 12:13:35 AM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    radiantconsultants.in/3RV8D8YF/index.html
    suramavi.in/ke5wW49M/index.html

    174.140.171.147/data/Pol.jar           (see http://r.virscan.org/report/130f0f42a0f8e367137e46... )

    173.236.15.29/data/Pol.jar               (see http://r.virscan.org/report/9eadb3e87907247186b7f1... )

  8. NotBuyingIt on Sat 09 Jun 2012, 03:28:27 AM UTC

    RE: Pol.jar malware (CVE-2006-0003, CVE-2012-0507)

    75.98.172.151/search.php?q=234977334ca118fc
    75.98.172.151/data/Pol.jar           (see http://r.virscan.org/report/6c3fd72535d1c01b732edc... )

  9. NotBuyingIt on Sat 09 Jun 2012, 05:00:04 AM UTC

    RE: Pol.jar malware (CVE-2006-0003, CVE-2012-0507)

    37.59.66.237/search.php?q=234977334ca118fc
    37.59.66.237/data/Pol.jar           (see http://r.virscan.org/report/01035b3676a9fc25b6bc2e... )

  10. NotBuyingIt on Sat 09 Jun 2012, 02:55:25 PM UTC

    RE: botnet redirectors

    alfilm.it/YBJ2p9Mn/index.html
    asotomotiv.com.tr/jLDudE1k/index.html
    computerhelpservices.com.au/HJmdFqbF/index.html
    gunubirlikturlar.ws/HY6kLjeU/index.html
    mariqueiroz.com.br/mRcHu5wu/index.html
    portalgrandecobilandia.com.br/xhndLzva/index.html

    incroyable.freehst.net/cvM7ULVz/js.js
    www.pasaklamphun-learning.com/h1szkkgF/js.js
    www.vandenboschelektro.be/6NKPsMyd/js.js

  11. MarkGiles on Sun 10 Jun 2012, 07:00:35 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    More of the same


  12. NotBuyingIt on Sun 10 Jun 2012, 04:52:14 PM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    Originally posted by MarkGiles: "More of the same"

    Based upon MarkGiles's list, I can confirm that the following URLs are still actively redirecting to a "suspicious site" where a Blackhole exploit kit was reportedly detected within the past few days. The redirection uses JavaScript files that I have already listed in this thread. Additional similarly constructed malicious URLs may be running on the same sites as these samples.

    www.alibostan.com/rmZ7pSYb/index.html
    www.amaituoiocchi.it/EBjy0Kmr/index.html
    lorinatis.50webs.com/CzQttX4i/index.html
    ftp.oblivious.taess.net/hUBtDDxA/index.html
    revdev.co.uk/QZa4bo6A/index.html
    slsb.com.my/7kys0QSA/index.html

  13. NotBuyingIt on Sun 10 Jun 2012, 07:20:52 PM UTC

    RE: botnet redirectors

    davinci-bar.me/6jFno63X/index.html
    ilriparosano.it/9mUkVkCh/index.html
    jarotur.com.br/tdvqDAGM/index.html
    jiji.ge/S4pwPeiL/index.html
    juntadelosrios.cl/VrhvCSJp/index.html
    ftp.ocristao.com.br/jUuxtuAW/index.html

  14. NotBuyingIt on Mon 11 Jun 2012, 07:54:10 PM UTC

    RE: Qai.jar malware (CVE-2006-0003,CVE-2010-1885,CVE-2012-0507)

    pistolitnameste.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
    pistolitnameste.ru:8080/forum/data/ap2.php
    pistolitnameste.ru:8080/forum/w.php?f=182b5&e=1
    pistolitnameste.ru:8080/forum/Set.jar

    philosophysimilarities.co.in/data/Qai.jar
    philosophysimilarities.co.in/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  15. NotBuyingIt on Fri 15 Jun 2012, 05:03:04 AM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    karlikof.cz/TnwU7KUQ/index.html
    paisagua.com/cSC5zWNf/index.html
    quantumemailcampaign.com/btGW8Z6f/index.html
    summitroofingservices.com/JvJ7EQnc/index.html
    transworldconstruction.com/X7Q8yZyE/index.html
    vendingmachinesservicescompanies.com/dyWr3L5b/index.html

    files.theriepes.com/14oufM7D/js.js
    karczmapodstrzecha.drl.pl/BD5Xnd5b/js.js
    pestcontrolallen.net/f0gMn5GG/js.js
    roozbeh.ac.ir/Rm1zd4dg/js.js
    vitaminacinema.com/fNofAUHm/js.js

    66.151.138.190/page.php?p=8495fe23
    66.151.138.190/Set.jar
    66.151.138.190/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  16. NotBuyingIt on Fri 15 Jun 2012, 05:44:45 PM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    integrallisambiental.com.br/KWhsKyaL/index.html
    mariosorti.com.ar/0CoGUTav/index.html
    novidadediaria.com.br/vZbJvftz/index.html

    ptagroup.ro/AwgATE0R/js.js

    72.46.140.15/page.php?p=5fac4c875bd06fc5
    72.46.140.15/data/ap2.php
    72.46.140.15/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  17. NotBuyingIt on Fri 15 Jun 2012, 06:58:01 PM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    www.hsmgroup.com.br/07ZVsEvp/js.js

    174.140.166.117/page.php?p=5fac4c875bd06fc5
    174.140.166.117/data/ap2.php
    174.140.166.117/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  18. NotBuyingIt on Sat 16 Jun 2012, 04:36:52 PM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    63.251.20.180/page.php?p=5fac4c875bd06fc5
    63.251.20.180/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  19. NotBuyingIt on Sun 17 Jun 2012, 03:28:56 PM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    8x09.vn/xfGUYbhJ/index.html
    www.gowagsteams.com/LCVJQ4WT/js.js
    pucbatelsoho.com.br/w7aSBU9F/js.js
    purotoro.es/vqnu6Ct9/js.js

  20. NotBuyingIt on Tue 19 Jun 2012, 04:46:25 AM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    escolaconducaocaldas.com/SNRmBcQp/index.html
    imsarabia.com/sJ7Ha5FE/index.html

    eyluletut.com/QFVcykad/js.js
    nowy.jazzclubscena.pl/qWDegz3h/js.js
    techsmart.com.tr/44KRMZdP/js.js
    www.ttca.edu.hk/HBscUVzP/js.js

    199.71.214.199/download.php?id=947daf03
    199.71.214.199/data/ap2.php
    199.71.214.199/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    The domain depositmycashloan.com is hosted at IP 199.71.214.199 and will serve the same malware (example below). The botnet may use the domain name, but I haven't seen it happen.

    depositmycashloan.com/data/Pol.jar

  21. MarkGiles on Tue 19 Jun 2012, 05:18:16 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    50 examples


    Typical analysis
    http://wepawet.iseclab.org/view.php?hash=07b9fadec...

    Redirection target after removing obfuscation
    hxxp://monashkanasene.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
    hxxp://monashkanasene.ru:8080/forum/Half.jar

    Exploits
    Name                                  Description                                              Reference
    HPC URL                               Help Center URL Validation Vulnerability                 CVE-2010-1885
    AtomicReferenceArray unsafe typing    Type safety violation in the AtomicReferenceArray class  CVE-2012-0507

  22. NotBuyingIt on Wed 20 Jun 2012, 04:00:58 AM UTC

    cross-reference: jonmillward.com

    jonmillward.com, a site that I listed in this thread on 04-April-2012, is the subject of a new Site Evaluation.

  23. NotBuyingIt on Thu 21 Jun 2012, 03:06:22 AM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    clients.adventmedia.net/SNRmBcQp/index.html
    imperfection.es:80/Cd30figQ/index.html
    irdc-india-uk.org/t5hDnrCe/index.html
    rafal-stolarz.pl:80/4sqY4G8c/index.html       (also reported in this thread on 02-April-2012)

    ebilinc.com/8E9hHV6o/js.js
    industrial-esports.xaa.pl/gEpu5vCF/js.js
    www.smga.com.ar/XXLGBLHP/js.js

    46.249.37.103/download.php?id=947daf03
    46.249.37.103/data/Pol.jar           (see http://r.virscan.org/01035b3676a9fc25b6bc2eb2b87b8... )

    [Edit: Added site (below) 21-April-2012 03:30 UTC]

    184.154.70.89/download.php?id=947daf03
    184.154.70.89/data/Pol.jarr           (see http://r.virscan.org/01035b3676a9fc25b6bc2eb2b87b8... )

  24. NotBuyingIt on Thu 21 Jun 2012, 03:33:38 PM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    mercadodasmaquinascurtumes.com.br/3Dp4tr6g/index.html

    kallisto.cz/RAtGqgx5/js.js
    blogs.litware.se/RmufJ5DB/js.js
    efendioglu.com.tr/2J6dEYpL/js.js
    pasinski.2be.pl/EkHXayWc/js.js

    50.116.62.182/download.php?id=947daf03
    50.116.62.182//data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  25. NotBuyingIt on Fri 22 Jun 2012, 05:11:00 AM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    rosariodanza.com/fpHDJP1E/index.html

    aspecconsultores.com/iA3sgx0k/js.js
    grcruzeiro.com.br/9Ezc6xfK/js.js         (also reported in this thread on 04-April-2012)

    174.138.171.60/download.php?id=947daf03
    174.138.171.60/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  26. NotBuyingIt on Fri 22 Jun 2012, 07:30:34 PM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    66.151.138.85/download.php?id=947daf03           network host: Nuclear Fallout Enterprises
    66.151.138.85/data/ap2.php
    66.151.138.85/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  27. NotBuyingIt on Fri 22 Jun 2012, 11:46:55 PM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    margarita-gonzalez.com/DeVrhWWa/index.html

    50.116.43.143/download.php?id=947daf03           network host: Linode
    50.116.43.143//data/ap2.php
    50.116.43.143/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  28. NotBuyingIt on Sun 24 Jun 2012, 02:34:31 AM UTC

    RE: Pol.jar malware (CVE-2012-0507)

    network host: DediDirect / Continuum Data Centers, LLC (AS53264)

    216.231.139.106/Set.jar                   (see http://www.virustotal.com/file/432b3c1d0bd56b6652c... )
    216.231.139.106/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

    216.231.139.109/Set.jar                   (see http://www.virustotal.com/file/432b3c1d0bd56b6652c... )
    216.231.139.109/data/Pol.jar           (see http://www.virustotal.com/file/f76ac6983135c7a69b5... )

  29. MarkGiles on Sun 24 Jun 2012, 07:10:06 AM UTC

    RE: Qai.jar malware (CVE-2010-1885)

    dypowerboss.com.br
    enhalvhest.mvafoto.se
    krispykreme.co.id
    mysophiebiz.co.cc
    nozzesarde.altervista.org

    dypowerboss.com.br/9UHvnf6q/index.html
    enhalvhest.mvafoto.se/WADn3ff8/index.html
    - efendioglu.com.tr/2J6dEYpL/js.js
    - blogs.litware.se/RmufJ5DB/js.js
    - pasinski.2be.pl/EkHXayWc/js.js
    krispykreme.co.id/z1Dx74Q2/index.html
    mysophiebiz.co.cc/SiU4CB9T/index.html (IP 10.10.10.10)
    nozzesarde.altervista.org/DeVrhWWa/index.html

    Wepawet analysis:
    http://wepawet.iseclab.org/view.php?hash=2de29f6d7...
    Name             Description                                              Reference
    Adobe Libtiff    Libtiff integer overflow in Adobe Reader and Acrobat     CVE-2010-0188
    HPC URL          Help Center URL Validation Vulnerability                 CVE-2010-1885

    > 174.138.171.60/download.php?id=947daf03

  30. NotBuyingIt on Sun 24 Jun 2012, 05:21:03 PM UTC

    RE: Pol.jar malware (CVE-2010-0188,CVE-2010-1885,CVE-2012-0507)

    rosscom.co.rs/9rEQ1DoZ/js.js           (also reported in this thread on 07-April-2012)

    Originally posted by MarkGiles: krispykreme.co.id/z1Dx74Q2/index.html
    Krispy Kreme of Indonesia: Malware found on website — Dough-Not Visit :-(