Many thanks for posting. I'll spread this to my Syrian friends just to
be aware of this.
All the best,
Hadi
On 01/29/2013 11:05 PM, KheOps wrote:
Dear Libtech,
We just saw that the website: http://www.syrian-martyrs.com is probably
compromised. Every page of the website contains an iFrame
Hello,
I wrote a first summary on the case, I will try to keep it up to date
with new data,
https://words.ceops.eu/posts/Infected%20Syrian%20opposition%20website%20spreads%20malware%20to%20its%20visitors/
All the best,
KheOps
On 30/01/2013 00:00, SiNA Rabbani wrote:
Hi!
I sent the
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dear List,
Here are more details, with credit to Team Cymru:
http://www.team-cymru.org/
CC nodes for this version:
melaniibaby.no-ip.biz
173.0.10.52
ghostsx.8866.org
192.168.11.1 (so not likely to connect)
awrasx10.no-ip.biz
95.170.198.155
Dear Libtech,
We just saw that the website: http://www.syrian-martyrs.com is probably
compromised. Every page of the website contains an iFrame which links to
a .exe file which is detected as a virus by antivirus software:
http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
The
Hey,
On 29/01/2013 23:34, SiNA Rabbani wrote:
This is the malware:
https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/
Yes, saw that too.
However, I don't find any precise description of its behaviour. Like,
what it does, if it opens
Just a heads up the sites been taken down, malware is here:
https://resources.telecomix.ceops.eu/material/malwares/
Also looking at getting access to the server in question for forensics.
-Andrew
On Jan 30, 2013, at 11:34 AM, SiNA Rabbani s...@redteam.io wrote:
-BEGIN PGP SIGNED
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Ok. I infected an old Windows XP with this malware and it keeps
sending SYN requests to this hostname: awrasx10.no-ip.biz, which
currently resolves to 37.236.124.197 and is down for me.
- --SiNA
Internet Protocol Version 4, Src: 10.10.10.17
Hello,
On 30/01/2013 03:02, SiNA Rabbani wrote:
Ok. I infected an old Windows XP with this malware and it keeps
sending SYN requests to this hostname: awrasx10.no-ip.biz, which
currently resolves to 37.236.124.197 and is down for me.
Thank you for your work :) The hostname still resolves
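The two checks a reader of this thread would most likely want to run themselves, written out as an added example that is not part of the thread or of any poster's tooling: (1) scan a saved copy of a page for iframes whose src points at an executable download, the injection pattern KheOps describes, and (2) grep DNS/proxy logs for the C2 hostnames and addresses posted by SiNA (the Team Cymru list and the awrasx10.no-ip.biz resolution). The indicator values are exactly those quoted in the thread; the HTML snippet and the log lines are constructed here for illustration, and the log formats (dnsmasq-style and Squid-style) are an assumption about what a site might have, not something the thread states.

```python
import re
from urllib.parse import urlparse

# Indicators as posted in the thread. 192.168.11.1 is deliberately left out:
# it is RFC 1918 space and, as the thread notes, "not likely to connect".
C2_HOSTS = {"melaniibaby.no-ip.biz", "ghostsx.8866.org", "awrasx10.no-ip.biz"}
C2_IPS = {"173.0.10.52", "95.170.198.155", "37.236.124.197"}
DROPPER_URL = "http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"

# Windows executable-ish extensions worth flagging in an iframe src.
EXE_EXT = (".exe", ".scr", ".msi", ".com", ".pif", ".bat")

# Matches <iframe ... src=...> with or without quotes around the URL.
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def find_executable_iframes(html):
    """Return every iframe src whose URL path ends in an executable extension.

    A legitimate page has no reason to frame a .exe; an iframe pointing at one
    is the injected-loader pattern described in the thread, whatever its size.
    """
    hits = []
    for src in IFRAME_RE.findall(html):
        if urlparse(src).path.lower().endswith(EXE_EXT):
            hits.append(src)
    return hits


def match_c2(log_line):
    """Return the C2 indicator present in one log line, or None.

    The line is split on whitespace and common log separators so that a
    hostname inside 'query[A] host from ...' or an address inside
    'HIER_DIRECT/1.2.3.4' is compared as a whole token, avoiding substring
    false positives such as 173.0.10.52 matching 173.0.10.520.
    """
    for tok in re.split(r"[\s,;|=:/\[\]()]+", log_line):
        tok = tok.strip().rstrip(".").lower()
        if tok in C2_HOSTS or tok in C2_IPS:
            return tok
    return None


def scan_logs(lines):
    """Return [(1-based line number, indicator)] for every line that hits."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            if (hit := match_c2(line)) is not None]


# Constructed sample page: an ordinary embed plus the injected iframe.
SAMPLE_HTML = """<html><body>
<h1>Martyrs</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/x"></iframe>
<iframe src="%s" width="0" height="0"></iframe>
</body></html>""" % DROPPER_URL

# Constructed sample log lines (dnsmasq-style and Squid-style, assumed formats).
SAMPLE_LOGS = [
    "Jan 30 02:58:11 gw dnsmasq[812]: query[A] awrasx10.no-ip.biz from 10.10.10.17",
    "1359514691.402 30012 10.10.10.17 TCP_MISS/000 0 CONNECT 37.236.124.197:443 - HIER_DIRECT/37.236.124.197 -",
    "Jan 30 02:58:12 gw dnsmasq[812]: query[A] www.example.com from 10.10.10.17",
    "Jan 30 02:58:13 gw dnsmasq[812]: reply router.lan is 192.168.11.1",
]

if __name__ == "__main__":
    print("executable iframes:", find_executable_iframes(SAMPLE_HTML))
    print("C2 hits:", scan_logs(SAMPLE_LOGS))
```

Note that a hostname match in DNS logs only shows that a client looked the name up; the SYN traffic SiNA observed is the stronger signal, so pair the DNS hit with a connection log or flow record for the resolved address before treating a host as infected.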