Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

.co.tv Domains Serving Heavily Obfuscated Malicious Code

image
THREATLABZ
June 11, 2011 - 1 min read
Following a previous post on a malicious Google News search, we identified additional domains related to this attack, also serving malicious code. The method of infection remains the same by injecting a malicious script, which will redirect victims to one of several malicious domains. You will only be redirected to the malicious domains if certain conditions are met, such as a match on the referrer string in the HTTP header. For most domains, the attack requires that the Referrer be
www.Google.com. Here is what the obfuscated malicious script looks like:

ImageThe malicious script is inserted just ahead of the opening HTML tag and decodes to any of the following domains which will ultimately deliver exploit code after multiple redirections,

okvmodps.co.tv
qbzaqmse.co.tv
jujbytqe.co.tv
ccjayplh.co.tv
sbzjrszn.co.tv
zarqqasx.co.tv
pboysxaj.co.tv
ecxajgff.co.tv
wkydwlkk.co.tv
bqhfvvdn.co.tv
cbneehtm.co.tv
xfrfrwjd.co.tv
neddhilr.co.tv
dzedshuw.co.tv
zhkeinzr.co.tv
rblvsbht.co.tv
itzqmiip.co.tv
mzpupkqo.co.tv
fkejoten.co.tv
rowxhoai.co.tv
eddddbzm.co.tv
bhbdzmjy.co.tv
xnnblhid.co.tv
zzxfyrru.co.tv
hocxhnrl.co.tv
rvcxwsmt.co.tv
wkrfgzoc.co.tv

All above mentioned domains are hosted on the same IP address (64.191.81.117).Here is whois information for the IP:
Image
Umesh

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
TOITOIN Trojan
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.