[en] Nrgbot via trafficholder malvertising

Just found this from TrafficHolder:
http://www.freeadultsporn.com/ (80.82.70.234)
http://www.freeadultsporn.com/%28%20European%20Hot%20Babes.com%20%29%20Most%20sexiest%20babes%20from%20all%20over%20the%20Europe%20and%20whole%20wide%20world_files/style.css
http://www.freeadultsporn.com/%28%20European%20Hot%20Babes.com%20%29%20Most%20sexiest%20babes%20from%20all%20over%20the%20Europe%20and%20whole%20wide%20world_files/whv2_001.js
This redirects to an exploit kit:
http://stereoagreement.biz:1781/prazdnik/dremin/buttons.php?cars=8
http://stereoagreement.biz:1781/prazdnik/dremin/EQRMvW.jar
http://stereoagreement.biz:1781/prazdnik/dremin/MakYhMvs.jar
http://stereoagreement.biz:1781/prazdnik/dremin/gsibl.class
http://stereoagreement.biz:1781/prazdnik/dremin/gsibl/class.class

The domain FREEADULTSPORN.COM is new, so this is probably malvertising:

Domain Name: FREEADULTSPORN.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.ANONY-ONES.COM
Name Server: NS2.ANONY-ONES.COM
Status: clientTransferProhibited
Updated Date: 27-aug-2013
Creation Date: 27-aug-2013
Expiration Date: 27-aug-2014

In the memory strings of the binary we can find a URL, so this is a Trojan.Downloader:

The malware is an NrgBot (not very common from malvertising); it connects to u.placo.us (27.54.210.21) on port 9380.
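To illustrate the detection side, here is an added example (not from the original post) in Python that runs the indicators above over constructed proxy and firewall log lines: it flags the exploit-kit requests (the known host, or any non-standard port serving .jar/.class files), recovers the site that referred the victim, and matches the C2 endpoint u.placo.us / 27.54.210.21 on port 9380. The log formats and client addresses are assumptions.

```python
import re

# Indicators copied from the writeup above; the log lines below are constructed samples.
EK_HOST = "stereoagreement.biz"
C2_ENDPOINTS = {("u.placo.us", 9380), ("27.54.210.21", 9380)}

# Constructed proxy log: "client method url referer" (referer is "-" when absent)
PROXY_LOG = """\
10.0.0.5 GET http://www.freeadultsporn.com/ -
10.0.0.5 GET http://stereoagreement.biz:1781/prazdnik/dremin/buttons.php?cars=8 http://www.freeadultsporn.com/
10.0.0.5 GET http://stereoagreement.biz:1781/prazdnik/dremin/EQRMvW.jar http://stereoagreement.biz:1781/prazdnik/dremin/buttons.php?cars=8
10.0.0.7 GET http://example.org/index.html -
"""

# Constructed firewall log: "client dst_host_or_ip dst_port"
FW_LOG = """\
10.0.0.5 27.54.210.21 9380
10.0.0.7 93.184.216.34 443
"""

URL_RE = re.compile(r"^https?://([^/:?]+)(?::(\d+))?(/[^?\s]*)?")

def flag_exploit_kit_requests(log):
    """Flag requests to the known EK host, or to any non-standard port that serves Java payloads."""
    hits = []
    for line in log.splitlines():
        client, _method, url, referer = line.split(" ", 3)
        m = URL_RE.match(url)
        if not m:
            continue
        host, port, path = m.group(1), m.group(2), m.group(3) or "/"
        non_std_port = port is not None and port not in ("80", "443")
        java_payload = path.lower().endswith((".jar", ".class"))
        if host == EK_HOST or (non_std_port and java_payload):
            hits.append({"client": client, "host": host, "path": path, "referer": referer})
    return hits

def entry_sites(hits):
    """Referers that are not the EK itself point at the site that redirected the victim."""
    return sorted({h["referer"] for h in hits if h["referer"] != "-" and EK_HOST not in h["referer"]})

def flag_c2_connections(log):
    """Match outbound connections against the bot's known C2 host/IP and port."""
    hits = []
    for line in log.splitlines():
        client, dst, port = line.split()
        if (dst, int(port)) in C2_ENDPOINTS:
            hits.append({"client": client, "dst": dst, "port": int(port)})
    return hits
```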


Domain ID:D7595330-AFIN
Domain Name:PLACO.IN
Created On:27-Aug-2013 09:19:29 UTC
Last Updated On:28-Aug-2013 10:29:44 UTC
Expiration Date:27-Aug-2014 09:19:29 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:WIQ_29524138
Registrant Name:Mike J Perez
Registrant Organization:-
Registrant Street1:12 86391 Stadtbergen
Registrant Street2:
Registrant Street3:
Registrant City:Beds
Registrant State/Province:Dobeles Apripkis
Registrant Postal Code:76491
Registrant Country:LV
Registrant Phone:+371.754907346
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:[email protected]

A Google search for [email protected] returns some hacked forums.

Anyway, the detections for in-the-wild stuff are very good:

http://malwaredb.malekal.com/index.php?hash=c4a4e560e6144a2517aa954d267b961f

http://malwaredb.malekal.com/index.php?hash=ce2e9daa72f468fa82d954b2895c4734

This article is licensed under Creative Commons BY-NC-SA.
You may share and modify this article, provided that you credit the site and the license, use the same license if you modify the work, and do not use it commercially.
