Incidents
possible new irc worm Jun 27 2003 07:44PM
ZSisic (ZSisic noahtek com) (3 replies)
Re: possible new irc worm Jun 28 2003 09:23PM
Axel Pettinger (api epost de) (1 replies)
ZSisic wrote:
>
> Hello everybody,
>
> As of today, we started noticing spamming bots or drones on our IRC
> network. They enter channels, scan for users, exit and spam users with
> following messages:
>
> <kyzclvqfc> EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT!
> http://61.48.32.73:3030/mindjail.zip
>
>
>
> <pwdujizao> Ever heard of a thing called mindjail? Check it:
> http://61.106.85.184:3030/mindjail.zip
>
>
>
> Did anybody else notice this behavior? It seems to be a new worm. I
> searched on Google for "mindjail", but my search did not return
> anything.

"mindjail.zip" contains a HTML file, "mindjail.html", which drops and
executes "javax.sun.base.exe" (MD5: 286b884697dffd5a535295dcf5a4c6ea) on
vulnerable systems - see "Self-Executing HTML: Internet Explorer 5.5 and
6.0 Part II", <http://www.securityfocus.com/archive/1/313174>, for more
information about the vulnerability.

"javax.sun.base.exe" is an upx'ed SdBot variant. It tries to connect to
"hk.zxy0.com" [64.156.241.176].

Most anti-virus scanners fail to detect the exploit code and the
backdoor trojan, but a few scanners report the following:

[MINDJAIL.HTML]

Dialogue Science DrWebWCL : Trojan.SelfExecHtml
GeCAD RAVAV : HTML/CodeBaseExec*
Kaspersky Lab KAVDOS32 : TrojanDropper.JS.Mimail.b
Symantec NAV CE VSCAND : Trojan.Sefex

[JAVAX.SUN.BASE.EXE]

GeCAD RAVAV : Backdoor:IRC/SdBot
Kaspersky Lab KAVDOS32 : Backdoor.SdBot.gen

Regards,
Axel Pettinger
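Added triage example (not part of Axel's post and not code from any of the scanners or tools he names): an offline check of a mindjail-style archive that looks for an <object> tag whose codebase points at an .exe, walks the PE section table of the dropped binary to see whether it is UPX-packed, and compares its MD5 and embedded strings against the indicators reported above. The <object>/codebase pattern is an assumption based on the RAV name HTML/CodeBaseExec, not something the post spells out; the MD5 and the hostname hk.zxy0.com are the only values taken from the thread, and the sample HTML and PE blob below are constructed stand-ins, not the real files.

```python
"""Offline triage of a "mindjail"-style HTML dropper and its payload.

Constructed example: the only facts taken from the post are the reported
MD5 of javax.sun.base.exe and the C2 hostname hk.zxy0.com. The HTML
pattern checked (an <object> whose codebase points at an .exe) is an
assumption based on the scanner name HTML/CodeBaseExec, and the sample
inputs below are fabricated stand-ins, not the real files.
"""
import hashlib
import re
import struct

# Indicators quoted in Axel Pettinger's reply.
REPORTED_DROPPER_MD5 = "286b884697dffd5a535295dcf5a4c6ea"
REPORTED_C2_HOST = b"hk.zxy0.com"

# Assumed dropper shape: <object ... codebase="something.exe" ...>
OBJECT_CODEBASE_RE = re.compile(
    rb'<object\b[^>]*?\bcodebase\s*=\s*["\']?([^"\'\s>]+\.exe)', re.IGNORECASE)


def find_codebase_targets(html: bytes) -> list[str]:
    """Return every .exe referenced from an <object codebase=...> attribute."""
    return [m.decode("ascii", "replace") for m in OBJECT_CODEBASE_RE.findall(html)]


def pe_section_names(pe: bytes) -> list[str]:
    """Walk the PE section table and return the section names; [] if not a PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections sits
    # 2 bytes in, SizeOfOptionalHeader 16 bytes in, within the 20-byte header.
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(n_sections):
        off = table + 40 * i          # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(pe):
            break
        names.append(pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(pe: bytes) -> bool:
    """UPX renames sections to UPX0/UPX1 and leaves a 'UPX!' marker in the file."""
    return any(n.startswith("UPX") for n in pe_section_names(pe)) or b"UPX!" in pe


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage(html: bytes, exe: bytes) -> dict:
    """Summarise what a responder would want to know about the pair of files."""
    digest = md5_hex(exe)
    return {
        "codebase_targets": find_codebase_targets(html),
        "exe_md5": digest,
        "matches_reported_md5": digest == REPORTED_DROPPER_MD5,
        "upx_packed": is_upx_packed(exe),
        "c2_host_in_binary": REPORTED_C2_HOST in exe,
    }


# --- constructed sample inputs (fabricated, not the real mindjail files) ---

SAMPLE_HTML = (b'<html><body>\n'
               b'<object codebase="javax.sun.base.exe"></object>\n'
               b'</body></html>\n')


def build_fake_upx_pe() -> bytes:
    """Minimal PE-shaped blob with UPX section names; it is not executable."""
    opt_size = 0xE0
    section_names = (b"UPX0", b"UPX1", b".rsrc")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names),
                           0, 0, 0, opt_size, 0x10F)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    body = b"UPX!" + bytes(16) + REPORTED_C2_HOST + b"\0"
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_size) + sections + body


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML, build_fake_upx_pe()).items():
        print(f"{key}: {value}")
```

On the constructed sample the MD5 naturally does not match the reported hash; against a real copy of the zip the matches_reported_md5 field is the one to watch, and a section walk beats a bare "UPX!" string search because a packer can strip the marker while the section names still give it away.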


Re: possible new irc worm Jun 28 2003 11:18PM
Chris Ess (azarin tokimi net)
Re: possible new irc worm Jun 28 2003 04:00AM
rewt eghetto ca (1 replies)
Re: possible new irc worm Jun 28 2003 05:52AM
Chris Ess (azarin tokimi net) (1 replies)
Re: possible new irc worm Jun 28 2003 07:10PM
Paolo Monti (paolo monti effetime it)
Re: possible new irc worm Jun 28 2003 03:54AM
Becky (kismet magelair com)