Friday, August 31, 2012

Payloads URI die hard - Blackhole Exploit Kit

(Contents are updated regularly so that what is shared stays as close as possible to the facts.)
MDL has already reported and published these URLs, so I have no reason to hold them back any longer:
Payloads:

(1) hXXp://mxcwqdkbphcx.lookin.at/main.php?page=c9ee61ed42809775
    ↑ the classical one (main.php with a page= parameter)

(2) hXXp://02e9126.netsolhost.com/nfjviq3D/index.html
    ↑ Good trick, don't be fooled by the index.html: this is actually an iframer leading to BHEK at the link below
    hXXp://66.175.222.25[/]pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi
    ↑ Not the usual one; look at the parameter on the php file

(3) hXXp://crane.co.th/YabymY6p/index.html
    ↑ see the randomized subdirectory?
Conclusion: you can configure almost any infection scheme in the Blackhole interface, yet the characteristic shapes are still there (the main.php?page= landing, the randomized subdirectory in front of index.html, the randomized .php name with a single y= parameter).

Note: this page exists because of the team work of malware researchers. Thanks to those who contributed the contents, to those who corrected and advised, to those who read and share, and God and prayers bless those who take direct action against these threats.
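As an added example (this is not code from the post or from MalwareMustDie), the three URI shapes listed above can be turned into a small triage helper. The regular expressions below encode the classical main.php?page=&lt;16 hex&gt; landing, the 8-character randomized subdirectory serving index.html or js.js, and the randomized .php landing with a single y=&lt;16 alphanumerics&gt; parameter. The length and character-class limits are assumptions read off the sample URLs, not a published Blackhole signature, so treat a match as a lead for analysis rather than a verdict; the benign look-alike URLs at the bottom are constructed here to show that ordinary paths do not trigger the rules.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic shapes read off the sample URLs in the post. The lengths and
# character classes are assumptions for illustration, not an official
# Blackhole signature; tune them against your own captures.
_HEX16 = re.compile(r"^[0-9a-f]{16}$")                               # page=c9ee61ed42809775
_RANDOM_DIR = re.compile(r"^/[A-Za-z0-9]{8}/(index\.html|js\.js)$")  # /nfjviq3D/index.html, /suftPUKQ/js.js
_RANDOM_PHP = re.compile(r"^/[a-z0-9]{8,16}\.php$")                  # /pxyk80ujzb03h.php
_ALNUM16 = re.compile(r"^[a-z0-9]{16}$")                             # y=p7tqagmzf8qdjqpi


def refang(url: str) -> str:
    """Undo the defanging used in the post (hXXp, [.], [/]) and add a scheme
    to bare host/path strings so urlsplit() parses them consistently."""
    url = url.strip().replace("[.]", ".").replace("[/]", "/")
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    if "://" not in url:
        url = "http://" + url
    return url


def classify(url: str):
    """Return a label for URLs matching one of the three BHEK-style shapes,
    or None when the URL looks like none of them."""
    parts = urlsplit(refang(url))
    params = parse_qs(parts.query, keep_blank_values=True)

    # (1) classical landing: exactly one parameter, page=<16 hex chars>
    if (parts.path == "/main.php" and list(params) == ["page"]
            and len(params["page"]) == 1 and _HEX16.match(params["page"][0])):
        return "classic_landing"

    # (2)/(3) iframer or script loader under an 8-char random subdirectory
    if _RANDOM_DIR.match(parts.path) and not parts.query:
        return "random_dir_iframer"

    # the redirect target: random .php name with a single y=<16 alnum> parameter
    if (_RANDOM_PHP.match(parts.path) and list(params) == ["y"]
            and len(params["y"]) == 1 and _ALNUM16.match(params["y"][0])):
        return "random_php_landing"

    return None


def triage(urls):
    """Map each input URL to its label, keeping only the ones that matched."""
    hits = {}
    for url in urls:
        label = classify(url)
        if label:
            hits[url] = label
    return hits


if __name__ == "__main__":
    # Sample input: the URLs quoted in the post plus two benign look-alikes
    # constructed here to show that ordinary paths do not trigger the rules.
    samples = [
        "hXXp://mxcwqdkbphcx.lookin.at/main.php?page=c9ee61ed42809775",
        "hXXp://02e9126.netsolhost.com/nfjviq3D/index.html",
        "hXXp://66.175.222.25[/]pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi",
        "hXXp://crane.co.th/YabymY6p/index.html",
        "www.cxhr.cn/suftPUKQ/js.js",
        "http://example.com/about/index.html",      # constructed benign
        "http://example.com/main.php?page=home",    # constructed benign
    ]
    for url, label in triage(samples).items():
        print(f"{label:20s} {url}")
```

Feed it URLs exactly as they are pasted in the post or in an automated checker's output: refang() accepts hXXp and bracket notation and prepends a scheme to bare host/path strings, so the same helper works on defanged and raw indicators alike.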

BTW, No, I am telling you #MalwareMustDie is not selling crap.

1 comment:

  1. Checking : hxxp://02e9126.netsolhost.com/nfjviq3D/index.html
    Downloading Script : www.cxhr.cn/suftPUKQ/js.js
    Downloading Script : www.millerphotographix.net/e8sTfhiz/js.js
    Downloading Script : www.virtual-tutor.net/Dfu2pJiK/js.js
    Error waiting for the response from the server.
    Downloading Site : 50.116.51.78/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi
    Downloading Site : 66.175.222.25/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi
    Sc1=1
    JsDL=1
    JsDL=1
    ScR=1

    Malware Section Start
    ML1=4
    ApInv=1
    Malware Section End

    Results=6
    Analysis Time=0.286243101916134
    14.3284391883207
