| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Mar 2007 21:32:22 +0100 From: Nicolas RUFF <nicolas.ruff@...il.com> To: Securityfocus <bugtraq@...urityfocus.com> Cc: Reversemode <advisories@...ersemode.com>, Thierry Zoller <Thierry@...ler.lu>, ge@...uxbox.org Subject: Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god.. > Among other things (password stealer), this BHO has backdoor and > "botnet" capabilities, implementing several remote commands: > + upload > + run > + update > ... Yeah, I love the KILLWINANDREBOOT command, which will basically delete NTLDR and NTDETECT.COM before rebooting Windows ... > Watch out for unexpected http traffic containing > commandack.php,mailwab.php.. Embedded URLs are : http://58.65.234.73/~mjakson http://58.65.234.73/~mjakson/mail.php http://58.65.234.73/~mjakson/newuser.php http://58.65.234.73/~mjakson/commandack.php http://58.65.234.73/~mjakson/mailwab.php http://58.65.234.73/~mjakson/command.php http://58.65.234.73/~mjakson/upload.php You can also easily guess the following URL : http://58.65.234.73/~mjakson/admin.php Best course of action for sysadmins would be to block at least this IP. The site seems to be hosted in a server farm near Hong Kong. On March, 14th at 20:00 GMT the site was still up and running. Very nice piece of malware indeed ... Regards, - Nicolas RUFF
Powered by blists - more mailing lists