Saturday, January 23, 2010

CVE-2010-0249 in the wild – part 0.1


hxxxxxp://mxd0102.3322.org/njk/index.htm
(AS4134 CHINA-TELECOM China Telecom)

[Screenshot of the page]

The URL above was requested using MDecoder 0.4 (IMHO a very useful tool; http://mtian.net/down/MDecoder.zip). As shown in the following picture, a binary file downloaded from www.ynew.net is detected:

[Screenshot: MDecoder output]

Some network info from Robtex about www.ynew.net:

[Screenshot: Robtex network info for www.ynew.net]

VirusTotal was used for a quick detection check:
http://www.virustotal.com/analisis/ee58cf8312b67d69559aa0c22e1256673a07f9617fea9bc360f33c273c05df1a-1264263391

and ThreatExpert for a quick analysis of the binary above (1.exe):
http://www.threatexpert.com/report.aspx?md5=499a5da8d1b644c50607cfa9a6007dbe

From the ThreatExpert report, it seems to be one of the tons of ad hoc malware builds aimed at Chinese users.
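The post quotes its indicators in defanged form (hxxxxxp://...) and identifies the dropped sample by its hashes. The script below is an added example, not part of the original post: it refangs the quoted URL so it can be parsed, computes the MD5/SHA-256 pair used for VirusTotal and ThreatExpert lookups, and matches the two hostnames from the post against a few constructed proxy log lines. The log lines and the sample bytes are constructed here; the hostnames are the ones in the post.

```python
import hashlib
import re
from urllib.parse import urlparse, urlunparse

# Indicator quoted in the post (defanged), plus the host the binary came from.
DEFANGED_URL = "hxxxxxp://mxd0102.3322.org/njk/index.htm"
DOWNLOAD_HOST = "www.ynew.net"

# Constructed proxy log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    "2010-01-23 10:01:02 10.0.0.5 GET http://mxd0102.3322.org/njk/index.htm 200",
    "2010-01-23 10:01:05 10.0.0.5 GET http://www.ynew.net/1.exe 200",
    "2010-01-23 10:01:09 10.0.0.7 GET http://www.example.com/ 200",
]


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, hxxxxxp://, [.] or (.) dots) back into a parsable one."""
    url = re.sub(r"^h(x+)p(s?)://", lambda m: "http" + m.group(2) + "://",
                 url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def defang(url: str) -> str:
    """Defang a URL for safe sharing: hxxp scheme and bracketed dots in the host only."""
    p = urlparse(url)
    scheme = p.scheme.lower().replace("http", "hxxp")
    netloc = p.netloc.replace(".", "[.]")
    return urlunparse((scheme, netloc, p.path, p.params, p.query, p.fragment))


def extract_host(url: str) -> str:
    """Hostname of a (possibly defanged) URL, lower-cased."""
    return (urlparse(refang(url)).hostname or "").lower()


def hash_sample(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests, the two identifiers used by the lookup sites in the post."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def flag_hits(log_lines, bad_hosts) -> list:
    """Return the log lines whose requested URL points at one of the indicator hosts."""
    bad = {h.lower() for h in bad_hosts}
    hits = []
    for line in log_lines:
        for token in line.split():
            if token.lower().startswith(("http://", "https://")):
                host = (urlparse(token).hostname or "").lower()
                if host in bad:
                    hits.append(line)
                break
    return hits


if __name__ == "__main__":
    hosts = {extract_host(DEFANGED_URL), DOWNLOAD_HOST}
    print("indicator hosts:", sorted(hosts))
    for hit in flag_hits(SAMPLE_LOG, hosts):
        print("HIT:", hit)
    # Constructed placeholder bytes; a real sample would be hashed the same way.
    print(hash_sample(b"constructed sample bytes"))
```

Only the hostname is compared, so a hit on a different path under the same host (for example a renamed dropper) is still flagged; the refang step matters because a defanged indicator pasted straight from a report would otherwise never match a real log line.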
