Recently, we have seen the websites of MySQL
Let’s look at the infection in detail.

URL

The following shows the redirection trace when visiting the aforementioned URL.

Network Trace
The redirection chain in the above case is as follows:
hxxp://feeds.feedburner.com/bileblog (Infected RSS feed)
--> hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1 (Intermediate Redirection)
--> hxxp://fukbb.com/ (Final Landing Page)
The de-obfuscated version of the code above can be seen here:
The de-obfuscated code loads an iFrame into the victim’s browser that redirects the user to ‘hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1’, which in turn redirects to ‘hxxp://fukbb.com/’.
The source code hosted at ‘hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1’ is a simple redirect:
Final redirected page:
Currently, ‘hxxp://fukbb.com’ is not serving any malicious code, but the reputation of this site is found to be suspicious (refer to the VT links below). The page could, however, be revived at some point in the future. ThreatLabZ informed FeedBurner about this infection on 12/26/2013.

VT Reports
URL scan on ‘hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1’ : 2/51
URL scan on ‘hxxp://fukbb.com/’ : 3/51

ZULU Report
URL Scan on ‘hxxp://feeds.feedburner.com/bileblog’: 100/100
Similar instances of this infection have been found on ‘http://celebrityshowdown.net/?feed=rss2’, which is also an RSS feed management site. The following is the network trace seen when visiting this URL.
The redirection chain observed in this case is as follows:
For a detailed report about this infection, check the urlQuery report.
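Both redirection chains above can be reconstructed offline from captured responses rather than by following them in a live browser. The following is an added example, not code from the original post or from ThreatLabZ; it follows the first chain through a constructed set of responses that mimic the hidden iFrame in the feed and the JavaScript redirect on the intermediate page, and lists the off-site hosts that warrant a reputation lookup.

```python
import re
from urllib.parse import urlparse

# Constructed sample responses keyed by URL, defanged with "hxxp" as in the post:
# a feed carrying a hidden iframe, an intermediate JavaScript redirect, a terminal page.
SAMPLE_RESPONSES = {
    "hxxp://feeds.feedburner.com/bileblog": (200, {},
        '<rss><channel><title>bileblog</title></channel></rss>'
        '<iframe src="hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1" width="1" height="1"></iframe>'),
    "hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1": (200, {},
        '<script>window.location = "hxxp://fukbb.com/";</script>'),
    "hxxp://fukbb.com/": (200, {}, "<html><body>landing page</body></html>"),
}

# Client-side redirect mechanisms, checked after HTTP 3xx in this order.
META_RE = re.compile(r'<meta[^>]*http-equiv=["\']?refresh[^>]*url=([^"\'>\s]+)', re.I)
JS_RE = re.compile(r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)
IFRAME_RE = re.compile(r'<iframe[^>]*\bsrc=["\']([^"\']+)', re.I)

def next_hop(status, headers, body):
    """Return (mechanism, url) for the next step of the chain, or None if the page is terminal."""
    if 300 <= status < 400 and "Location" in headers:
        return ("http-3xx", headers["Location"])
    for mechanism, regex in (("meta-refresh", META_RE), ("javascript", JS_RE), ("iframe", IFRAME_RE)):
        match = regex.search(body)
        if match:
            return (mechanism, match.group(1))
    return None

def trace_chain(start, fetch, max_hops=10):
    """Follow the chain from start via fetch(url) -> (status, headers, body) or None; stop on loops/unknown."""
    chain, seen, url = [(start, "start")], {start}, start
    for _ in range(max_hops):
        response = fetch(url)
        hop = next_hop(*response) if response else None
        if hop is None:
            break
        mechanism, url = hop
        chain.append((url, mechanism))
        if url in seen:  # redirect loop: mark it and stop
            chain[-1] = (url, "loop")
            break
        seen.add(url)
    return chain

def offsite_hosts(chain):
    """Hosts that differ from the starting host: the ones to submit for reputation checks."""
    origin = urlparse(chain[0][0]).netloc
    return [urlparse(u).netloc for u, _ in chain[1:] if urlparse(u).netloc != origin]
```

Run with `trace_chain("hxxp://feeds.feedburner.com/bileblog", SAMPLE_RESPONSES.get)` to get the three-step chain; replacing `SAMPLE_RESPONSES.get` with a function that reads saved proxy captures applies the same logic to real traces.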