Help - Search - Members - Calendar
Full Version: Exploits: www.wackystone.com - www.tomi2008.com
B.I.S.S. Forums > Malware News , Research & Removal > Malware Playground
Kimberly
Sep 24 2008, 06:14 PM

www.wackystone.com - Exploits


Just surfing a bit on Internet when suddenly I got a prompt about aig.scr ...
IPB Image
What .. Why .. How ... To keep it simple, this one comes through advertising (again) - ad.yieldmanager.com > count.exit0808.com > www.mytoursinfo.com - and from there an iframe to www.wackystone.com. That website has a huge amount of exploits running as seen below. This is the first time I did encounter the latest Windows Media Encoder 9 vulnerability - see Ms08053.htm
IPB Image
Details:All roads lead to the same excutable, taskmgr.exe which arrived as aig.scr in my case. Internet access is requested in order to download and excute another file which is saved as %windir%\svchost.exe
IPB Image
The file will have the following loading point so that %windir%svchost.exe loads on startup.
QUOTE
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load"
Old type: REG_SZ
New type: REG_SZ
Old data:
New data: C:\WINDOWS\svchost.exe
%windir%\svchost.exe will prompt for internet access after few moments. It will request a page located at www.cpccpmlead.com and visit all the URL's contained in the response ... it's one of those "clicker trojans".

IP details


wackystone.com - 69.89.31.107

ICANN Registrar: FASTDOMAIN, INC.
Created: 2007-09-06
Expires: 2009-09-06
Updated: 2008-09-07
Name Server: NS1.BLUEHOST.COM (has 577,114 domains)
Name Server: NS2.BLUEHOST.COM
Whois Server: whois.fastdomain.com

www.golf1997.com 222.73.236.27

ICANN Registrar: ENOM, INC.
Created: 2007-09-05
Expires: 2009-09-05
Updated: 2008-08-08
Registrar Status: clientTransferProhibited
Name Server: DNS1.NAME-SERVICES.COM (has 4,702,489 domains)
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Whois Server: whois.enom.com

www.cpccpmlead.com - 222.73.236.25

ICANN Registrar: ENOM, INC.
Created: 2007-09-05
Expires: 2009-09-05
Updated: 2008-08-08
Registrar Status: clientTransferProhibited
Name Server: DNS1.NAME-SERVICES.COM (has 4,702,489 domains)
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Whois Server: whois.enom.com
Kimberly
Oct 3 2008, 02:40 PM

www.tomi2008.com - Same story


Same exploits are running at www.tomi2008.com, same files are downloaded. The initial culprit are the iframes at www.mytoursinfo.com which I recommend to block.
IPB Image
The 3 last iframes are quite interesting too, all contain the same code linking back to another page at their own site.

www.mytoursinfo.com/search/exchange.php
CODE
<script language="javascript">
function clicklink(){
  if(document.all){
    document.all("url").click();
  }
}
</script>
</head>
<BODY onload="clicklink();">
<a href="http://www.mytoursinfo.com/search/index.php" id='url'></a>

IP details


www.tomi2008.com - 67.205.36.140

ICANN Registrar: NEW DREAM NETWORK, LLC
Created: 2008-09-13
Expires: 2009-09-13
Updated: 2008-09-13
Name Server: NS1.DREAMHOST.COM (has 746,819 domains)
Name Server: NS2.DREAMHOST.COM
Name Server: NS3.DREAMHOST.COM
Whois Server: whois.dreamhost.com

www.mytoursinfo.com - 83.149.99.10

IP Location - Noord-holland - Amsterdam - Leaseweb
ICANN Registrar: ENOM, INC.
Created: 2004-02-07
Expires: 2009-02-07
Updated: 2008-01-09
Name Server: DNS1.NAME-SERVICES.COM (has 4,669,916 domains)
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Whois Server: whois.enom.com
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.