TeMerc
Captain
 Premium Member
 Joined: Apr 24, 2004 Posts: 557
|
Posted: Fri Jun 01, 2007 8:09 pm Post subject: List Of Compromised Sites From SANS |
|
|
| Quote: | Published: 2007-06-01,
Last Updated: 2007-06-01 18:32:52 UTC
by Johannes Ullrich (Version: 1)
Our first e-mail this morning was from Dave, who informed us about a compromised site ( hxxp://lawfuel. com /show-release.asp?ID=12419 ). Lorna took the lead on investigating the malware on this site, and in the process ended up with two massive lists of other compromised sites.
We haven't checked them all yet (and probably never will...) but I figure it's good to push out a list of these sites before it's too late on Friday.
For a list of URLs referenced see http://isc.sans.org/diaryimages/hosts20070601.txt |
SANS
_________________
Ultimate Countermeasures Page
Malware Advisor Blog
|
|
| Back to top |
|
 |
axnjxnind
MIRT Hunter
 Joined: Apr 17, 2007 Posts: 357
|
Posted: Fri Jun 01, 2007 10:13 pm Post subject: Re: List Of Compromised Sites From SANS |
|
|
| TeMerc wrote: | | Quote: | Published: 2007-06-01,
Last Updated: 2007-06-01 18:32:52 UTC
by Johannes Ullrich (Version: 1)
Our first e-mail this morning was from Dave, who informed us about a compromised site ( hxxp://lawfuel. com /show-release.asp?ID=12419 ). Lorna took the lead on investigating the malware on this site, and in the process ended up with two massive lists of other compromised sites.
We haven't checked them all yet (and probably never will...) but I figure it's good to push out a list of these sites before it's too late on Friday.
For a list of URLs referenced see http://isc.sans.org/diaryimages/hosts20070601.txt |
SANS |
I have this list running through wget as I type. I'll update everyone with the results. As of now, there are 26 executables that I have grabbed. I haven't had a chance to verify any of them yet.
|
|
| Back to top |
|
 |
laser2507
Guest IP: 90.192.*.*
|
Posted: Sat Jun 02, 2007 9:16 pm Post subject: |
|
|
Whoa, there's some real nasty stuff downloading from these websites.. one link downloaded and created over 30 new processes... then started scanning the local subnet, obviously for targets...
Is it me, or do most of the sites all look the same - i.e. some real nice graphical video-game style characters?
Must be all made from the same people?
|
|
| Back to top |
|
 |
axnjxnind
MIRT Hunter
 Joined: Apr 17, 2007 Posts: 357
|
Posted: Mon Jun 04, 2007 4:06 pm Post subject: |
|
|
Out of all of the files I got from downloading on these sites (72 executables), I have checked out 7-8. All of them so far have been detecting as seen below with little detection overall (had to rename the file due to illegal unicode chars):
Complete scanning result of "copy012.exe", received in VirusTotal at 06.04.2007, 16:10:39 (CET).
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.5.31.2 | 06.04.2007 | no virus found |
| AntiVir | 7.4.0.29 | 06.04.2007 | no virus found |
| Authentium | 4.93.8 | 05.23.2007 | W32/AddUser.H@troj |
| Avast | 4.7.997.0 | 06.04.2007 | Win32:Rbot-BUC |
| AVG | 7.5.0.467 | 06.03.2007 | no virus found |
| BitDefender | 7.2 | 06.04.2007 | no virus found |
| CAT-QuickHeal | 9.00 | 06.04.2007 | no virus found |
| ClamAV | devel-20070416 | 06.04.2007 | W32.Zloyfly |
| DrWeb | 4.33 | 06.04.2007 | no virus found |
| eSafe | 7.0.15.0 | 06.04.2007 | no virus found |
| eTrust-Vet | 30.7.3690 | 06.04.2007 | no virus found |
| Ewido | 4.0 | 06.04.2007 | no virus found |
| FileAdvisor | 1 | 06.04.2007 | no virus found |
| Fortinet | 2.85.0.0 | 06.02.2007 | no virus found |
| F-Prot | 4.3.2.48 | 06.01.2007 | W32/AddUser.H@troj |
| F-Secure | 6.70.13030.0 | 06.04.2007 | Lineage.gen2 |
| Ikarus | T3.1.1.8 | 06.04.2007 | Trojan-Dropper.Win32.Flystud.B |
| Kaspersky | 4.0.2.24 | 06.04.2007 | no virus found |
| McAfee | 5044 | 06.01.2007 | no virus found |
| Microsoft | 1.2503 | 06.04.2007 | no virus found |
| NOD32v2 | 2307 | 06.04.2007 | no virus found |
| Norman | 5.80.02 | 06.04.2007 | Lineage.gen2 |
| Panda | 9.0.0.4 | 06.04.2007 | no virus found |
| Prevx1 | V2 | 06.04.2007 | no virus found |
| Sophos | 4.18.0 | 06.01.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 05.30.2007 | no virus found |
| Symantec | 10 | 06.04.2007 | no virus found |
| TheHacker | 6.1.6.129 | 06.04.2007 | no virus found |
| VBA32 | 3.12.0 | 06.04.2007 | suspected of Embedded.Trojan.PWS.Legmir.887 |
| VirusBuster | 4.3.23:9 | 06.03.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 06.04.2007 | Win32.Malware.gen (suspicious) |
Aditional Information
File size: 2929181 bytes
MD5: 853fdff8ccc680e10f1ef110d4272084
SHA1: aa0afb0cfd6f0f622e1af46a22b0d94e5e9a00a3
_________________
Trust, but verify. -Ronald Reagan
Work smarter, not harder.
|
|
| Back to top |
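Added example, not part of any post in this thread: a small Python parser for the plain-text VirusTotal report format pasted above, useful when triaging many such reports. It reports the detection ratio, how far the engines agree on a label, and which "clean" verdicts came from signatures older than the scan. The function names and the two-day staleness threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import date, datetime

# Row layout in the pasted report: engine, version, update (MM.DD.YYYY), result.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
CLEAN = "no virus found"
SCAN_DATE = date(2007, 6, 4)  # "received in VirusTotal at 06.04.2007"

# Eight rows excerpted from the report quoted in the post above.
SAMPLE = """\
Antivirus Version Update Result
AntiVir 7.4.0.29 06.04.2007 no virus found
Authentium 4.93.8 05.23.2007 W32/AddUser.H@troj
Avast 4.7.997.0 06.04.2007 Win32:Rbot-BUC
F-Prot 4.3.2.48 06.01.2007 W32/AddUser.H@troj
McAfee 5044 06.01.2007 no virus found
Norman 5.80.02 06.04.2007 Lineage.gen2
Sunbelt 2.2.907.0 05.30.2007 no virus found
VBA32 3.12.0 06.04.2007 suspected of Embedded.Trojan.PWS.Legmir.887
"""

def parse_report(text):
    """Return one dict per engine row; headers and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        engine, version, update, result = m.groups()
        try:
            updated = datetime.strptime(update, "%m.%d.%Y").date()
        except ValueError:  # digits that are not a real calendar date
            continue
        rows.append({"engine": engine, "version": version,
                     "update": updated, "result": result.strip()})
    return rows

def summarize(rows, scan_date=SCAN_DATE, max_age_days=2):
    """Detection ratio, label agreement, and clean verdicts from stale signatures."""
    hits = {r["engine"]: r["result"] for r in rows if r["result"].lower() != CLEAN}
    stale_clean = sorted(r["engine"] for r in rows
                         if r["engine"] not in hits
                         and (scan_date - r["update"]).days > max_age_days)
    return {"detected": len(hits), "total": len(rows),
            "labels": Counter(hits.values()), "stale_clean": stale_clean}

if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE))
    print(f"{s['detected']}/{s['total']} engines flagged the file")
    for label, n in s["labels"].most_common():
        print(f"  {n} x {label}")
    print("clean but signatures older than 2 days:", ", ".join(s["stale_clean"]))
```

A clean verdict from an engine in `stale_clean` is weaker evidence than one from an engine updated on the scan date, so those are the results to re-check once vendors ship new definitions.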