View Full Version : MALWARE 0day..fun


BanMe
September 22nd, 2009, 20:56
http://dump.no/files/3afa6e541364/index.html

http://www.dump.no/files/08f75adce148/1-best3-Final.htm

nothing too special, use flashget to dig those sites for the fun

nothing to worry about, woodmann not infected

MALWARE!!

do not open LINKS normally!!

more links..

BanMe

Kayaker
September 22nd, 2009, 22:27
Thanks for justifying why we script out clickable links on this board

FlashGet? Call me minimalist and suspicious of download accelerators in general, but I prefer the transparent Wget for this kind of safe spelunking of dangerous browser downloads. Either / or I guess.

http://gnuwin32.sourceforge.net/packages/wget.htm


Where'd you find this shi_ ? Never mind, I guess it's never hard to find. Gotta love blackmail spyware...



Code:

alert('FireFox, Internet Explorer, Opera, Buffer Overflow
Javascript EXE Exploit');

<center>Automated Spyware Installation <br>
Copyright 180 Solutionz 2007 <br>
Thank you for installing<br><br></center>
1) Ultra Browser Toolbar Logger<br>
2) Browser Website Click Maker<br>
3) Pay Per Click Adware Clicker<br>
4) Ultra Porn Website Clicker <br>
<br> <br>

alert("Browser Compromise\n\nThis browser has installed
untrusted plugins and is not safe for use.

<IFRAME SRC="mailto:PayPerClickDropper@180Solutionz.spy?
subject=Super Affilliate PAY Per CLICK&
body=Thank you for Downloading and Running Our Ultra Toolbar!!!
We will now pay our affiliates each time you visit the PAY per CLICK sites.
We appreciate you allowing our software to LOG each WEB SITE you VISIT
with your EMAIL CONTACT LIST and any EMAIL not marked URGENT
thus allowing us to send this private information to THIRD PARTIES.
To remove this product please visit http%3a%2f%2fwww.spyware-removal.com"
</IFRAME>

BanMe
September 22nd, 2009, 22:39
SubSyn made them, one of the new members, there is nothing really malicious in 'em, just fun and new

Kayaker
September 22nd, 2009, 22:51
Nah I wasn't implying they were malicious, you can tell that by looking at the source. Most spywares don't announce that you've just been 0wned or pop up 1002 iframe instances.

BanMe
September 22nd, 2009, 23:03
heh you and I could also do the flashget/wget method, old school HTTP GET.. I might have already made a tool like that somewhere..

that's true, 'most' ppl don't announce it, he's a lil different than the normal malware dev
he's a god damn good XSS finder.. hopefully he'll post here

BanMe