[en] Reveton now goes via hacked websites and malicious redirection to malekal

After the shutdown of Reveton's malvertising:

We can see a sharp drop in the RogueKiller statistics: http://www.sur-la-toile.com/RogueKiller/stats.php

Looks like they are trying another way to get traffic, using a hacked website.



Detection of the JavaScript that performed the redirection: https://www.virustotal.com/fr/file/698c75f36574bf5e32c2d0788016f36d3f7c759a907fae99dc079594eebcb22c/analysis/1376466037/

AntiVir JS/Blacole.EB.46 20130814
Avast JS:Decode-AZW [Trj] 20130814
Kaspersky HEUR:Trojan.Script.Generic 20130813
McAfee JS/Blacole-Redirect.ai 20130814
Microsoft Trojan:Win32/Quidvetis.A 20130814
NANO-Antivirus Trojan.Script.Iframe.bopaxv 20130814
TrendMicro HEUR_HTJS.HDJSFN 20130814


I'm not sure they will get the high traffic they had in the past.
Malvertising is really good for that. Also, antivirus products are probably a bit better at catching hacked websites than malvertising.
We'll see.

Sample: http://malwaredb.malekal.com/index.php?hash=ad50cdb0d887db63ccf0b1189551c12c


EDIT August 13

Today, I got strange requests with strange referers on my website:


Those pages are built to redirect to my website:


On some of them, we can find the redirection to the Reveton Exploit Kit:

After the Joe Job, this is probably another try to get my website blacklisted.
So here are some referers that may be useful for security researchers and antivirus guys: http://pjjoint.malekal.com/files.php?read=20130813_x5g1015l9p10
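One way to spot this kind of referer burst in your own access logs, as an added example that is not part of the original post: it parses Apache combined-format lines (the sample lines are constructed, not the author's real referers; the host redirector.example is a placeholder) and flags external referer hosts that send several distinct client IPs within a short window, which is how redirector pages look from the receiving side.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" format: IP ident user [time] "request" status size "referer" "UA"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp, referer_host) or None if the line is not combined-format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = urlsplit(m.group("ref")).hostname if m.group("ref") not in ("", "-") else None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), host

def suspicious_referers(lines, own_hosts, min_hits=3, min_ips=3, window_s=3600):
    """Flag external referer hosts that send many distinct client IPs to us within a short
    window (redirector pages, not an organic link). Returns {host: (hits, distinct_ips)}."""
    by_host = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, host = parsed
        if host is None or host.lower() in own_hosts:
            continue  # direct visits and our own pages are not referer spam
        by_host[host.lower()].append((ts, ip))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        ips = {ip for _, ip in events}
        if len(events) >= min_hits and len(ips) >= min_ips and span <= window_s:
            flagged[host] = (len(events), len(ips))
    return flagged

# Constructed sample log (not from the post): a burst from one unknown host, one organic search hit, one direct visit, one internal click.
SAMPLE_LOG = [
    '203.0.113.10 - - [13/Aug/2013:10:01:02 +0200] "GET / HTTP/1.1" 200 5120 "http://redirector.example/a.html" "Mozilla/5.0"',
    '203.0.113.11 - - [13/Aug/2013:10:03:40 +0200] "GET / HTTP/1.1" 200 5120 "http://redirector.example/b.html" "Mozilla/5.0"',
    '203.0.113.12 - - [13/Aug/2013:10:09:15 +0200] "GET / HTTP/1.1" 200 5120 "http://Redirector.example/c.html" "Mozilla/5.0"',
    '203.0.113.20 - - [13/Aug/2013:10:10:00 +0200] "GET /tutoriels/ HTTP/1.1" 200 8000 "https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.21 - - [13/Aug/2013:10:11:00 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.22 - - [13/Aug/2013:10:12:00 +0200] "GET /forum/ HTTP/1.1" 200 9000 "http://www.malekal.com/" "Mozilla/5.0"',
]

def demo():
    return suspicious_referers(SAMPLE_LOG, {"malekal.com", "www.malekal.com"})
```

Feed it your real access log lines and your own hostnames; the flagged hosts are the ones worth fetching in a sandbox to confirm they carry the redirector.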

EDIT August 15

The JavaScript redirector has been updated:

https://www.virustotal.com/fr/file/6bebc27b90d0df1dfdcb8cf1644dedb5f88a3e9e81f1c9780574cdd552f64c55/analysis/1376575199/

http://malwaredb.malekal.com/index.php?hash=d6a36d8ecb77d7dd1491dcdc6fc0efe0

The old one has risen to 12 detections on VT: https://www.virustotal.com/fr/file/28de21839e7b2455869812b2f127206255b477799370e8eb827378d6508c92a4/analysis/1376575802/

EDIT August 20

After a new spam email campaign, the redirections to my website are back.


I noticed two different JavaScripts. The first: https://www.virustotal.com/fr/file/841d71213fbd431d65115a20633b2706093abf6a8811da983d69acef2baf0265/analysis/

SHA256: 841d71213fbd431d65115a20633b2706093abf6a8811da983d69acef2baf0265
File name: bla.js
Detection ratio: 4 / 46
Analysis date: 2013-08-19 22:03:31 UTC (9 hours, 25 minutes ago)

GData Script.Packed.IFrame.E 20130819
Ikarus Trojan.JS.BlacoleRef 20130819
Kaspersky HEUR:Trojan.Script.Generic 20130819
NANO-Antivirus Trojan.Script.Iframe.bopaxv 20130819


The second: https://www.virustotal.com/fr/file/73106114748bda8436c70b8ebc03ab2bf9e68f8329fc21f4bd65d98093e697b8/analysis/1376982689/

SHA256: 73106114748bda8436c70b8ebc03ab2bf9e68f8329fc21f4bd65d98093e697b8
File name: bla.js
Detection ratio: 5 / 46
Analysis date: 2013-08-20 07:11:29 UTC (0 minutes ago)

AntiVir JS/BlacoleRef.DD.40 20130820
Fortinet JS/Redirector.BOZ!tr 20130820
Microsoft Trojan:JS/BlacoleRef.DD 20130820
Sophos Troj/Iframe-JH 20130820
TrendMicro HEUR_HTJS.HDJSFN 20130820


The first time, you get the exploit kit leading to the Reveton dropper.
Then, if you hit the same URL again from the same IP, you get my website:


Current list: http://pjjoint.malekal.com/files.php?read=20130820_o15h15v6d5g9

Yeah Avast!

