Saturday, September 29, 2012

Actually I wrote this first in a pastebin yesterday during "crusading" with #MalwareMustDie friends. It is the malvertisement of a Chinese online game from the host below in Shanghai, China:

IP: 222.73.57.117
inetnum: 222.64.0.0 - 222.73.255.255
netname: CHINANET-SH
descr: CHINANET shanghai province network
descr: China Telecom
descr: No1,jin-rong Street
descr: ...

Saturday, September 22, 2012

Firstly, special thanks for the first lead to @it4sec! This post is dedicated to all #MalwareMustDie members and supporters for being solid friends! Assuming the current target is a BlackHole v2.0 infector online, we picked two URLs from a blacklist which lead to one infection. This is a story of peeling the threat. But before we continue, one more thing: this post is based on reversing we did while...

Wednesday, September 19, 2012

Just finished handling a local infection case today; behind this case is the beloved Blackhole exploit kit. Some WinXP machines, because of 3rd-party software compatibility trouble, can't install Microsoft's critical patch (MS10-042) properly. This patch is for the infamous CVE-2010-1885, a critical vulnerability in the MPC::HexToNum function in helpctr.exe (a.k.a. the hcp:// URL flaw). And these clients accidentally...

Tuesday, September 18, 2012

Monitoring the activity of one Blackhole (in short: BHEK) host means spending time on it for days. I picked one positive BHEK host at 203.91.113.6 & stuck to it for about a week; this host is quite active as a malware infector, which is one of the reasons I picked it. I think I am careful enough in monitoring it, so I don't think they even sense being monitored, which gives me much time...

Sunday, September 16, 2012

This is a quicky, so please bear with it. The information might be important for the people who are handling the malware infector sites. While handling a report that led to the RedKit Exploit Kit/Pack, I came to a domain which is actively redirecting users to the RedKit Exploit Kit's landing page. This domain is qaqipwel.ru. It uses pseudo DNS for NS & A records to avoid blocking/tracking; currently it is...

Saturday, September 15, 2012

Well, currently #MalwareMustDie is in hunting mode, so I joined the event; this is actually a report of the first case in hand, which is becoming an important matter in the investigation of BHEK. I received a report of infection, and after looking at a squid log I found the source, which is 203.91.113.6 and is "suspected" of serving Blackhole. Why I quoted that word is because I am about 95% sure of it. Just arrived...