Re: Rogue site?
- From: "FromTheRafters" <erratic@xxxxxxxxxxxxxxxxx>
- Date: Fri, 22 Oct 2010 06:24:09 -0400
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i9qqk602v0g@xxxxxxxxxxxxxxxxxxxx
From: "FromTheRafters" <erratic@xxxxxxxxxxxxxxxxx>
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:i9qlb002rtm@xxxxxxxxxxxxxxxxxxxx
From: "HarryHydro" <harryhydro@xxxxxxxxxxx>
| I had a popup with the scanning and finding viruses thing. Then a
| popup to download a file, packupdate107_2029.exe from
| www1.riseonengine1.in . I figured it was fake but I ended that task
| anyway, without clicking anything. I think I got lucky on this one.
| However, this website doesn't appear to be in DNS, also has no hits
| in google. The name of this file is all over..
| Harry
Yes Harry, it was a Rogue anti malware scam site. Often these sites
exist for only a day or so and are provided through a general
redirection site that is spammed or otherwise "presented" to you.
An example of a spammed redirection site: better-web-365.com
| The last four or five I saw were all initially from the cz.cc domain
| (free domain names).
Redirection sites or the rogue host sites ?
I don't know really, I stopped investigating. I assume it is the
hosting site.
http://hostphotofree.com/?bookmark=21822
Another redirection site; netresults-online.com
Some other similar ones.
http://hostphotofree.com/?bookmark=21823
http://hostphotofree.com/?bookmark=21824
Obfuscated script snippet from that last one:
function rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ(rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ){/*dfffddfd*/var rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ=6952;return "rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ";};
var rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ="rv74bPtYUcMDqQQSI90MPvJ0E9kJwbYbkZ";
var v89d795qo81UsWyHr9X8isuTOJa6pKCnw="e
rav\"{=krdsarvlmwslaf:\"uqt\",ef:\"cmfr\",eslafoceqrwaf:\"akr\",eslkxbacteslaf:\"mil\",:\"pgchm,eslafthgwhv\"\"pkjypl\",1-:\"afhyo
vid<\":ssalctnec\"\\=nallaram_gnid>\"\\nilc
vid<\"\\=ssalartnecidnaltfel_gn=di \"\\rtnec\"\\nallael_gnid<>\"\\tfalc
vid\"\\=sslartnecnidnal_tfel_g<>\"\\1alc
vidl\"\\=ssoci_tfe\"\\1_nvid/\\<> vid<>\\=ssalctnec\"dna...
....I think two layers of obfuscation, but I'm not sure - there is an
html file and an extensionless file with html content in addition to the
script.
<title>Security Analysis</title>
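The snippet quoted above shows the usual tells of a packed rogue-AV landing script: one long junk identifier reused as function name, parameter, local and return value, filler comments like /*dfffddfd*/, and a string literal that reads like backwards HTML ("vid<" is "<div" reversed, "ssalc" is "class"). As an added triage example that is not part of the thread and not the real payload, the helper below never executes the script; it pulls out string literals, reverses the ones that look like reversed markup, and counts the decoy patterns. The junk identifier and the reversed <div> string are constructed sample input.

```javascript
// Added example (not from the thread). Static triage of an obfuscated
// script in the style of the quoted snippet; nothing here runs the script.
const REVERSED_TOKENS = ["vid<", ">vid/<", "=ssalc", "=di", ">tpircs<", "=crs"];

// If the literal contains at least two backwards-HTML tokens, return it
// reversed; otherwise null (plain strings are left alone).
function decodeReversedHtml(literal) {
  const hits = REVERSED_TOKENS.filter((t) => literal.includes(t)).length;
  if (hits < 2) return null;
  return literal.split("").reverse().join("");
}

// Pull double-quoted string literals out of JS source. Good enough for
// triage; it only unescapes \" and ignores other escape forms.
function stringLiterals(src) {
  const out = [];
  const re = /"((?:\\.|[^"\\])*)"/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[1].replace(/\\"/g, '"'));
  return out;
}

// Count reuse of every identifier of 20+ characters: the snippet reuses
// one junk name for function, parameter, local variable and return string.
function junkIdentifierReuse(src) {
  const counts = {};
  for (const id of src.match(/[A-Za-z_$][\w$]{19,}/g) || []) {
    counts[id] = (counts[id] || 0) + 1;
  }
  return counts;
}

// Summarise the three tells for an analyst: decoded reversed strings,
// number of filler comments, and the highest identifier reuse count.
function triage(src) {
  const decoded = stringLiterals(src).map(decodeReversedHtml).filter(Boolean);
  const junkComments = (src.match(/\/\*[a-z]{4,12}\*\//g) || []).length;
  const reuse = Object.values(junkIdentifierReuse(src));
  return { decoded, junkComments, maxReuse: Math.max(0, ...reuse) };
}

// Constructed sample (hypothetical identifier, not the real payload):
// same shape as the quoted function, plus a reversed <div> markup string.
const JUNK = "rvJunkIdentifier0000001";
const SAMPLE =
  `function ${JUNK}(${JUNK}){/*dfffddfd*/var ${JUNK}=6952;return "${JUNK}";};\n` +
  `var p=">vid/<>\\"lartnec\\"=ssalc vid<";`;

console.log(JSON.stringify(triage(SAMPLE)));
```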
- References:
- Rogue site?
- From: HarryHydro
- Re: Rogue site?
- From: David H. Lipman
- Re: Rogue site?
- From: FromTheRafters
- Re: Rogue site?
- From: David H. Lipman
- Rogue site?