Thursday, February 19, 2009

Exploits, Miley Cyrus, Waledac, Nah...TV and PIZZA!

I was going to touch on the multiple MS09-002 exploits in the wild. I've confirmed at least three sites hosting this exploit. I'm sure many more will be, now that the PoC has been posted on Milw0rm and others have already created Metasploit code. I expect HD Moore to come out with something tonight or tomorrow.

I've exploited a couple of sandboxes with the milw0rm code and some real code from the three websites I know are infected. The code seems to belong to the 9966.org group -- at least that is where the C&C is pointed.

Then I thought I'd write about cardviewer.exe, downloaded from hxxp://iliyp[.]bestgoodnews[.]com/cardviewer[.]exe...but it's nothing new either, just another Waledac trojan. It connected to 118.37.178.102, 152.149.147.36 and 85.87.241.106 on port 80. Looks like they're using the domains:

bestgoodnews.com
workhomegold.com
netcitycab.com
adorelyric.com
bluevalentineonline.com
thevalentineparty.com
beadcareer.com
reportradio.com
adorepoem.com
spacemynews.com
cherishletter.com
bestlovelong.com
romanticsloving.com
worldlovelife.com
funloveonline.com
worshiplove.com
funnyvalentinesite.com
yourgreatlove.com
whocherish.com
lovelifeportal.com
adoresongs.com
wirelessvalentineday.com
worldnewsdot.com
wapcitynews.com
worldtracknews.com

...and probably others.


So I figured I'd write about this message:

Delivered-To: REDACTED
Received: by 10.231.16.72 with SMTP id n8cs152634iba;
Sun, 15 Feb 2009 17:44:02 -0800 (PST)
Received: by 10.114.95.1 with SMTP id s1mr1905419wab.20.1234748642098;
Sun, 15 Feb 2009 17:44:02 -0800 (PST)
Return-Path: rajat-limerai@aaaventuresonline.com
Received: from 142-217-173-53.telebecinternet.net (142-217-173-53.telebecinternet.net [142.217.173.53])
by mx.google.com with ESMTP id m29si7894098poh.20.2009.02.15.17.44.01;
Sun, 15 Feb 2009 17:44:02 -0800 (PST)
Received-SPF: neutral (google.com: 142.217.173.53 is neither permitted nor denied by domain of rajat-limerai@aaaventuresonline.com) client-ip=142.217.173.53;
Authentication-Results: mx.google.com; spf=neutral (google.com: 142.217.173.53 is neither permitted nor denied by domain of rajat-limerai@aaaventuresonline.com) smtp.mail=rajat-limerai@aaaventuresonline.com
Date: Sun, 15 Feb 2009 17:44:02 -0800 (PST)
Message-Id: <4998c4e2.1def600a.35f9.ffff85e1smtpin_added@mx.google.com>
To: REDACTED
Subject: Miley Cyrus gets her cherry popped
From: rajat-limerai@aaaventuresonline.com
MIME-Version: 1.0
Content-Type: text/html

However, that was just an offer for some drug that probably would not work for me. I still don't know what it has to do with Miley Cyrus. Maybe the drug works as well as she sings?

So I figured I'd go check out my Facebook page. Not too much happening there.

Go patch IE7, check your weblogs to make sure you're not visiting those Waledac domains, turn off Miley, and join me for some NCIS and pizza.
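For anyone who wants to actually do the "check your weblogs" step: below is an added example (my own code, not from the original post) that scans Squid-style proxy access logs for the Waledac domains listed above and the three C&C IPs the cardviewer.exe sample talked to. The log lines are constructed for the example; the domain and IP lists are taken from the post. It matches on the host suffix, so a subdomain like iliyp.bestgoodnews.com is caught while a lookalike such as notbestgoodnews.com is not, and it also catches CONNECT tunnels and direct-to-IP requests.

```python
"""Scan Squid-format proxy logs for the Waledac domains/IPs from the post."""
import sys
from urllib.parse import urlparse

# Domains from the post's list of Waledac hosts.
WALEDAC_DOMAINS = {
    "bestgoodnews.com", "workhomegold.com", "netcitycab.com", "adorelyric.com",
    "bluevalentineonline.com", "thevalentineparty.com", "beadcareer.com",
    "reportradio.com", "adorepoem.com", "spacemynews.com", "cherishletter.com",
    "bestlovelong.com", "romanticsloving.com", "worldlovelife.com",
    "funloveonline.com", "worshiplove.com", "funnyvalentinesite.com",
    "yourgreatlove.com", "whocherish.com", "lovelifeportal.com", "adoresongs.com",
    "wirelessvalentineday.com", "worldnewsdot.com", "wapcitynews.com",
    "worldtracknews.com",
}
# IPs cardviewer.exe connected to in the sandbox run described in the post.
WALEDAC_IPS = {"118.37.178.102", "152.149.147.36", "85.87.241.106"}


def host_matches(host, domains=WALEDAC_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one.

    Suffix matching on label boundaries, so 'notbestgoodnews.com' is not a hit
    but 'iliyp.bestgoodnews.com' is.
    """
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts) - 1))


def scan_squid_log(lines):
    """Return (client_ip, url, reason) for every line touching a Waledac indicator.

    Squid native access.log fields:
    time elapsed client action/code size method url ident hierarchy/peer type
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 9:
            continue  # truncated or non-Squid line
        client, method, url, peer = fields[2], fields[5], fields[6], fields[8]
        if method == "CONNECT":
            host = url.rsplit(":", 1)[0]  # CONNECT lines carry host:port, not a URL
        else:
            host = urlparse(url).hostname or ""
        peer_ip = peer.split("/")[-1]  # e.g. DIRECT/118.37.178.102

        if host_matches(host):
            hits.append((client, url, "domain " + host))
        elif host in WALEDAC_IPS or peer_ip in WALEDAC_IPS:
            hits.append((client, url, "ip " + (host if host in WALEDAC_IPS else peer_ip)))
    return hits


# Constructed sample log lines (not real traffic) covering each case.
SAMPLE_LOG = [
    "1234748600.001 45 10.0.0.7 TCP_HIT/200 1203 GET http://www.example.com/index.html - NONE/- text/html",
    "1234748642.098 120 10.0.0.5 TCP_MISS/200 48233 GET http://iliyp.bestgoodnews.com/cardviewer.exe - DIRECT/118.37.178.102 application/octet-stream",
    "1234748650.210 300 10.0.0.9 TCP_TUNNEL/200 5120 CONNECT mail.adorepoem.com:443 - DIRECT/85.87.241.106 -",
    "1234748660.500 80 10.0.0.5 TCP_MISS/200 512 GET http://152.149.147.36/t.php - DIRECT/152.149.147.36 text/html",
    "1234748670.000 20 10.0.0.7 TCP_HIT/200 800 GET http://notbestgoodnews.com/ - NONE/- text/html",
]


if __name__ == "__main__":
    # Usage: python waledac_logscan.py /var/log/squid/access.log  (defaults to the sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for client, url, reason in scan_squid_log(source):
        print(f"{client}\t{reason}\t{url}")
```

Three of the five constructed lines are hits (the subdomain download, the CONNECT tunnel, and the direct-to-IP request); the plain example.com line and the lookalike domain are not. Clients that show up here are the machines to pull for a closer look.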
