funsec mailing list archives

INJ3CT0R.COM


From: Jon Kibler <Jon.Kibler () aset com>
Date: Wed, 04 Nov 2009 09:10:49 -0500

This is an analysis I wrote for Security Focus' Pen Test mailing list. I thought
it would be of interest here...


All,

Starting yesterday afternoon, I had a bunch of people begin to ask me about
inj3ct0r.com. Google it and you find:

1) "milw0rm.com is dead, inj3ct0r.com is born!"
2) "New BuGTraCk project ( Exploits database ) inj3ct0r.com"

Two red flags right off the bat. (A Bugtrack project? Get real!)


Asking several well connected folks in the industry, only one had ever heard of
the site and his opinion was exactly the same as mine: evil site. Any legitimate
effort to distribute exploits for defensive purposes would require being known
in the industry and being trusted by your peers before there could be a
reasonable expectation of site contributions. This is a BIG RED FLAG to have an
unknown person taking on such a task.

If you visit the site, it just looks bogus. It has the appearance of a sloppy
and incomplete wget of milw0rm, with some editing to make links work and to
provide some replacement scripts. The site just looks completely bogus. Another
set of big red flags!


Checking inj3ct0r.com's registration record:
----------
        whois -h whois.PublicDomainRegistry.com inj3ct0r.com
        Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
        Registration Service Provided By: RU@HOSTING
        Contact: +7.38526996373

        Domain Name: INJ3CT0R.COM

        Registrant:
            milw0rm now at inj3ct0r.com
            str0ke aka r00t0ro0t3r        (e-c-h-0 () mail ru)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Creation Date: 13-Dec-2008
        Expiration Date: 13-Dec-2013

        Domain servers in listed order:
            ns.secondary.net.ua
            wateam.org.ua


        Administrative Contact:
            inj3ct0r
            str0ke aka r00t0ro0t3r        (e-c-h-0 () mail ru)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Technical Contact:
            inj3ct0r
            str0ke aka r00t0ro0t3r        (e-c-h-0 () mail ru)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Billing Contact:
            inj3ct0r
            str0ke aka r00t0ro0t3r        (e-c-h-0 () mail ru)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Status:ACTIVE
----------

Okay, how many red flags do we see here?

1) Claims to be owned by str0ke.
2) Has a .ru email address.
3) Has a claimed TR address (.ru + TR has been a past RBN clue).
4) Is trying to associate itself with milw0rm.

And those are just the red flags that I see without doing any more research!


Next, where is the site hosted?

----------
        $ host www.inj3ct0r.com
        www.inj3ct0r.com is an alias for inj3ct0r.com.
        inj3ct0r.com has address 77.120.101.8

        $ wip 77.120.101.8
        checking whois.arin.net...
        checking whois.ripe.net...

        inetnum:        77.120.101.0 - 77.120.101.255
        netname:        VOLIA-DC
        descr:          Volia DC colocation #6
        remarks:        Send spam reports to: abuse () dc volia com
        country:        UA
        admin-c:        VDCA-RIPE
        tech-c:         VDCT-RIPE
        status:         ASSIGNED PA
        mnt-by:         VOLIA-DC-MNT
        source:         RIPE # Filtered

        person:         Volia DC Admin contact
        address:        Ukraine, Kiev
        phone:          +38 044 2852716
        abuse-mailbox:  abuse () dc volia com
        nic-hdl:        VDCA-RIPE
        mnt-by:         VOLIA-DC-MNT
        source:         RIPE # Filtered
----------

Hosted in Kiev, UA. Not a good sign.


Everything about the site looks and smells suspect.

As it is said...
   "If it looks like a duck, and
    it quacks like a duck, then
    it is probably a duck."

In my professional opinion, everything about this site is "wrong." I would
strongly recommend avoiding it. It just looks too bogus and it is trying too
hard to appear legitimate, but no one knows who is behind it.

Never trust a site handing out exploits if you don't know who is providing the
exploits!

So what could be the purpose of this site? These are only some hypotheses and
speculations... no hard evidence to date to back up my thoughts:

1) The site could be phishing for new 0-day exploits that could be used in
targeted or widespread attacks by criminal organizations.

2) The site could be modifying known exploits, adding back doors (if you are a
script kiddie, are you going to check the embedded shell code?) that hand over
compromised boxes to some botnet.

3) A means of infecting systems that visit the site. (No sign of that at this time.)

4) Other?


Bottom line: My recommendation is to avoid this site like the plague.

Also, don't count milw0rm as dead yet. Str0ke had a lot of friends. Let's wait
and see if anyone picks up his site and runs with it.

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler () aset com
e: Jon.R.Kibler () gmail com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253



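The checks the post walks through by hand (registrant identity, email TLD, registrant country, hosting country) can be applied to the quoted records programmatically. This is an added example, not the author's own tooling: it parses the registrar and RIPE records as quoted above (constructed inline, with the archive's address obfuscation undone) and generalises the .ru/TR observation into a contact-consistency check, including a phone-prefix comparison the post does not make; the DIAL_CODE table is a hypothetical partial lookup.

```python
import re

# Constructed sample input: the registrar record and RIPE inetnum record quoted in
# the post, trimmed to the fields the checks read; emails de-obfuscated for parsing.
DOMAIN_WHOIS = """\
Registration Service Provided By: RU@HOSTING
Domain Name: INJ3CT0R.COM
Registrant:
    milw0rm now at inj3ct0r.com
    str0ke aka r00t0ro0t3r        (e-c-h-0@mail.ru)
    Burdenko 43
    Adana,123000
    TR
    Tel. +7.4953216549
Creation Date: 13-Dec-2008
"""
IP_WHOIS = "inetnum:  77.120.101.0 - 77.120.101.255\nnetname:  VOLIA-DC\ncountry:  UA\n"

# ISO country code -> telephone country code (hypothetical partial table for the example).
DIAL_CODE = {"TR": "90", "RU": "7", "UA": "380", "US": "1"}

def parse_registrant(text):
    """Pull the registrant block fields out of a PublicDomainRegistry-style record."""
    block = text.split("Registrant:", 1)[1].split("Creation Date:", 1)[0]
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    email = re.search(r"[\w.+-]+@[\w.-]+", block)
    phone = re.search(r"Tel\.\s*\+(\d+)\.", block)       # country prefix before the dot
    country = next((ln for ln in lines if re.fullmatch(r"[A-Z]{2}", ln)), None)
    return {"lines": lines, "email": email.group(0) if email else None,
            "phone_cc": phone.group(1) if phone else None, "country": country}

def red_flags(domain_whois, ip_whois, borrowed_names):
    """Apply the post's heuristics; returns a list of (flag, evidence) pairs."""
    r = parse_registrant(domain_whois)
    flags = []
    text = " ".join(r["lines"]).lower()
    hits = [n for n in borrowed_names if n.lower() in text]   # trading on someone else's name
    if hits:
        flags.append(("claims affiliation with a known identity", hits))
    email_tld = r["email"].rsplit(".", 1)[-1].upper() if r["email"] else None
    if email_tld and r["country"] and email_tld != r["country"]:
        flags.append(("email TLD differs from registrant country", (email_tld, r["country"])))
    if r["phone_cc"] and r["country"] and DIAL_CODE.get(r["country"]) != r["phone_cc"]:
        flags.append(("phone prefix differs from registrant country", (r["phone_cc"], r["country"])))
    m = re.search(r"^country:\s*([A-Z]{2})", ip_whois, re.M)   # RIPE inetnum country
    if m and r["country"] and m.group(1) != r["country"]:
        flags.append(("hosting country differs from registrant country", (m.group(1), r["country"])))
    return flags

if __name__ == "__main__":
    for flag, evidence in red_flags(DOMAIN_WHOIS, IP_WHOIS, ["str0ke", "milw0rm"]):
        print(f"RED FLAG: {flag}: {evidence}")
```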