Help Center URL Validation Vulnerability (CVE-2010-1885) Campaign
I've recently noticed a number of transactions to:
220.127.116.11 (PTR: www.asl-s.com)
Update: we're now seeing this attack hosted as well on:
Some of the transactions have referer strings from pages from a number of sites (i.e., these sites are compromised/hosting content that links to the attack pages), for example:
(the list goes on ... I'll make additions with the more interesting sites as I see them)
Some of these sites are also blocked by GSB, but initially I was not able to track down the malicious content. Fortunately Wepawet was able to help me through the maze of content being loaded on the pages. The report is visible here.
Unfortunately it doesn't appear that the Wepawet sandbox falls victim to the exploit or is able to actually obtain a malicious payload from this. I'll analyze the HCP parameter / exploit further and include any information I find about the payload.
Here's the first stage decode of the payload (spaced to read better):
It uses cscript.exe (the command-line version of Windows Script Host) to run commands that are "echoed" to a file ".js", which downloads contents from:
and stores them into a file bonjour.exe at the root directory. This executable is then launched and all processes containing the string "help" are forcefully killed.
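A defender-side sketch of how the first-stage behaviour described above could be flagged in process-creation logs. It is an added example, not code from the original post: the log tuples are constructed, and the regex shapes, the use of `taskkill` for the forced kill, the host names and the 120-second window are assumptions.

```python
import re

# Behaviours named in the post's first-stage description. The regex shapes are
# assumptions about how they would look in process-creation command lines.
STAGES = {
    "echo_to_js": re.compile(r"\becho\b.*>{1,2}\s*\S*\.js\b", re.I),
    "cscript_runs_js": re.compile(r"\bcscript(\.exe)?\b.*\.js\b", re.I),
    "exe_from_drive_root": re.compile(r'(^|[\s"])[a-z]:\\[^\\\s"]+\.exe\b', re.I),
    "force_kill_help": re.compile(r"\btaskkill\b(?=.*\s/f\b)(?=.*help)", re.I),
}

# Constructed sample events: (unix_seconds, host, command_line).
SAMPLE = [
    (100, "ws-01", r"cmd.exe /c echo [script text elided] > .js"),
    (101, "ws-01", r"cscript.exe //nologo .js"),
    (104, "ws-01", r"C:\bonjour.exe"),
    (105, "ws-01", r"taskkill /F /IM help*"),
    (200, "ws-02", r"cscript.exe //nologo C:\admin\inventory.js"),
    (900, "ws-02", r"taskkill /IM helpctr.exe"),
    (300, "ws-03", r'"C:\Windows\System32\cmd.exe" /c echo done > build.log'),
]

def detect(events, window=120, min_stages=3):
    """Return {host: sorted stage names} for hosts that show at least
    min_stages distinct behaviours within `window` seconds."""
    hits = {}
    for ts, host, cmd in sorted(events):
        for name, rx in STAGES.items():
            if rx.search(cmd):
                hits.setdefault(host, []).append((ts, name))
    alerts = {}
    for host, seen in hits.items():
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= min_stages:
                alerts[host] = sorted(names)
                break
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Requiring several distinct behaviours on one host inside a short window keeps a lone administrative `cscript` job or a non-forced `taskkill` from alerting on its own.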
Unfortunately, I have not been able to directly download the executable payload from vvvvvv.dyndns-mail.com; I keep getting a 302 response to Google.
There is also a Java attack being served from this exploit kit - possibly Incognito, but I can't access the control panel: hxxp://blog.dyndns-blog.com/admin.php (I get an "error 3" text response).
Sample of .jar file drops:
Note: I've tried to download the executable payloads spoofing the referer / user-agent and coming from different hosts without success. It is possible that the hash value filename is time or source sensitive.
Had a friend send me a copy of the binary:
V/T Report: 2/41
ThreatExpert Report shows network connectivity to:
where # = 0-19 (possibly piecemeal malware building)
Here's an earlier variant (April 12, 2011) of the malware that I was able to find; however, it is just as elusive to pin to a specific malware family:
V/T Report: 9/42
ThreatExpert Report, network activity: