Discussion in 'malware problems & news' started by ronjor, Apr 2, 2013.
Wow, this is really bad. It looks like all of the work that the attackers used to not get caught is paying off. It's smart to not try to infect every single site visitor. Using IP addresses and other criteria to decide who to hit and who to leave alone makes tracking this much harder.
Software vulnerabilities are bad enough. Suspected but unknown vulnerabilities are much worse.
Finally got around to a site with q.php lit on it - it's the Blackhole exploit kit, for anyone interested in knowing what the payload is. Second attempt at the site failed to deliver it, as described in the article. Apparently there's additional code operating it on the server side, which is why it isn't showing up in the HTML coming from Apache ...
No worries playing with bad stuff on this end, so was curious as to what it was.
Oh... really? I don't see anything new... So, even if website A gets infected with the exploit code/some other code and redirects to B to the actual payload/exploit code + payload, if access to B is not allowed, then nothing will happen.
That's my current approach, when browsing.
Example: Unless Wilderssecurity itself becomes compromised to the point of hosting the actual payload, my browser session won't allow any other communication other than to www.wilderssecurity.com and its respective IP address.
The same for my other profiles, including the general browser profile, in which only a small number of websites/domains are allowed to be connected to.
This without resorting to other means of securing a user, which are also a possibility.
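The per-profile allowlist the post above describes, as an added example (not code from this thread or from any product the posters use): each browser profile gets the set of domains, and optionally the site's own IP literal, it may contact; a page on an allowed host that redirects to a second host for the exploit kit landing page is stopped at the redirect. The IP addresses and the second-hop host below are constructed placeholders, and the subdomain handling and the stop-at-first-deny chain walk are design choices of this example, not something the post specifies.

```python
"""Per-profile outbound connection allowlist (added example, not from the thread).

Constructed values: 192.0.2.10 stands in for the allowed site's address and
198.51.100.7 / cdn.example.net for the second-hop host; none are real.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Profile:
    name: str
    hosts: set[str] = field(default_factory=set)      # allowed domain names
    addresses: set[str] = field(default_factory=set)  # allowed IP literals
    allow_subdomains: bool = False                    # www.example.com for example.com


def host_allowed(host: str, profile: Profile) -> bool:
    """True if this host may be contacted under the profile's allowlist."""
    host = host.lower().rstrip(".")
    # A bare IP literal in the URL only passes if it is the site's own address.
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
        return str(addr) in profile.addresses
    except ValueError:
        pass  # not an IP literal, fall through to the name checks
    allowed = {h.lower().rstrip(".") for h in profile.hosts}
    if host in allowed:
        return True
    if profile.allow_subdomains:
        return any(host.endswith("." + h) for h in allowed)
    return False


def decide(url: str, profile: Profile) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for a single outbound request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "deny", f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname
    if not host:
        return "deny", "no host in URL"
    if host_allowed(host, profile):
        return "allow", f"{host} is allowed for profile {profile.name!r}"
    return "deny", f"{host} is not allowed for profile {profile.name!r}"


def follow_chain(urls: list[str], profile: Profile) -> list[tuple[str, str, str]]:
    """Walk a redirect chain (site A -> site B) and stop at the first denied hop.

    Returns (url, verdict, reason) per hop evaluated; later hops are never
    reached, which is exactly the property the post relies on.
    """
    trail = []
    for url in urls:
        verdict, reason = decide(url, profile)
        trail.append((url, verdict, reason))
        if verdict == "deny":
            break
    return trail


# Profile for the site discussed in the thread; the address is a placeholder.
WILDERS = Profile(
    name="wilders",
    hosts={"wilderssecurity.com"},
    addresses={"192.0.2.10"},
    allow_subdomains=True,
)

# Constructed chain: the allowed site, then a redirect to a second-hop host.
SAMPLE_CHAIN = [
    "https://www.wilderssecurity.com/showthread.php?t=349807",
    "http://198.51.100.7/q.php",
    "https://cdn.example.net/q.php",
]

if __name__ == "__main__":
    for url, verdict, reason in follow_chain(SAMPLE_CHAIN, WILDERS):
        print(f"{verdict:5} {url}  ({reason})")
```

The check is only as good as the poster's stated assumption: if the allowed site itself is compromised to the point of hosting the payload, a host-based allowlist cannot tell the difference, which is why the post pairs it with other controls.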
Apache binaries replaced by stealth malicious ones:
Here is an update on this issue; full read here: http://www.computerworld.com/s/arti...ech_39_malware_undertakes_ransomware_campaign
Yes, it's here, thanks: https://www.wilderssecurity.com/showthread.php?t=349807