Friday, June 26, 2009

TMZ.com ads are spreading PDF exploits too!

On Monday I posted about a PDF trojan downloaded from an ad server.

Tonight I saw another one, this time from TMZ.com.

Like last time, I took a look:

% ls -l 710.pdf
-rw-r--r-- 1 uid gid 14720 2009-06-26 02:44 710.pdf
% file 710.pdf
710.pdf: PDF document, version 1.1
% cksum 710.pdf
279936831 14720 710.pdf
% strings -a 710.pdf | less
var bd = "10%32%118%97%114%32%86%121%103%76%78%100%106%32%61%32%110%101%119...etc.
It looks very much like the last one (which I deleted), even being the same size. The var bd stuff is the payload: a (JavaScript?) text string containing what appears to be the encoded binary exploit code.
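An added example (not code from the original post): a small Python triage helper that pulls percent-separated decimal strings such as `var bd = "..."` out of a PDF's raw text and decodes them. The first 19 codes visible in the strings output above decode to the JavaScript fragment `\n var VygLNdj = new`, i.e. the start of another script stage; the sample PDF text below and the continuation after those 19 codes are constructed.

```python
import re

# Constructed sample standing in for the raw bytes of 710.pdf. The first 19
# codes of the "var bd" string are the ones visible in the post's `strings`
# output; the " Array();" continuation is made up so the sample decodes to a
# complete statement.
SAMPLE_PDF_TEXT = (
    "%PDF-1.1\n"
    "5 0 obj << /S /JavaScript /JS (var bd = \"10%32%118%97%114%32%86%121"
    "%103%76%78%100%106%32%61%32%110%101%119%32%65%114%114%97%121%40%41%59\";"
    ") >> endobj\n"
)

# `var <name> = "<decimal codes separated by %>"` as it appears in strings output
ENCODED_VAR = re.compile(r'var\s+(\w+)\s*=\s*"([0-9]+(?:%[0-9]+)*)"')


def decode_percent_decimal(encoded: str) -> str:
    """Decode '118%97%114' -> 'var': each %-separated field is a decimal char code."""
    chars = []
    for field in encoded.split("%"):
        code = int(field)
        if code > 0x10FFFF:  # not a valid code point: the string is not this encoding
            raise ValueError(f"char code out of range: {code}")
        chars.append(chr(code))
    return "".join(chars)


def find_encoded_strings(pdf_text: str) -> dict:
    """Return {variable name: decoded text} for every encoded assignment found."""
    return {name: decode_percent_decimal(enc)
            for name, enc in ENCODED_VAR.findall(pdf_text)}


def looks_like_javascript(text: str) -> bool:
    """Cheap heuristic: the decoded stage is itself script, not raw binary."""
    has_keyword = re.search(r"\b(var|new|function|eval|unescape)\b", text) is not None
    is_text = all(ch.isprintable() or ch in "\n\r\t" for ch in text)
    return has_keyword and is_text


if __name__ == "__main__":
    for name, decoded in find_encoded_strings(SAMPLE_PDF_TEXT).items():
        print(f"{name}: javascript={looks_like_javascript(decoded)} {decoded!r}")
```

Run it against the output of `strings -a` on a suspect file; a decoded stage that is itself JavaScript usually carries the next layer of obfuscation, so feed it back through the same decoder.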

Firefox history contained two URLs, with path components of /kn/in.php and /kn/pdf.php, both from the same server.

> host s.hhxzao.info
s.hhxzao.info has address 64.34.162.71
s.hhxzao.info has address 64.34.172.142
s.hhxzao.info has address 66.135.37.21

> host 64.34.162.71
71.162.34.64.in-addr.arpa domain name pointer sever3.adv-basesrv.net.
> host 64.34.172.142
142.172.34.64.in-addr.arpa domain name pointer server2.advert-base.net.
> host 66.135.37.21
21.37.135.66.in-addr.arpa domain name pointer server1.advert-base.net.

Look familiar? It should, it's the same outfit as last time!

Wikipedia's entry for TMZ.com says it "has major corporate backing" and names AOL/Time Warner. As I cited from "Another virus infection, courtesy of Yahoo News" in the prior post:
Major web sites like Yahoo.com and Boston.com are infecting thousands, if not hundreds of thousands, of computers with trojans, back doors, and other viruses, through some of their ad service providers.
The scope and breadth of this is startling, and it's been going on for months!

What gives? Why aren't people up in arms? If the Internet trade press has covered this, please let me know; I haven't seen anything. Is scandalous news being covered up?

Update: I moved the 710.pdf file to a Windows machine and scanned it with both Trend Micro HouseCall and AVG Free and neither one found a thing.

Update 2: See Steps To Prevent Gumblar / Martuz / Nine-Ball for things you can do to stay safe.
