Horrible horrible malware site

Discussion in 'Spyware' started by scott, Nov 11, 2005.

  1. scott

    scott Guest

    Want a big load of undetectable malware loaded on your computer? Go here
    with IE:
    http://american-redbud-tree.jerome.semibay.com/

    If you go there with Firefox on Windows it goes to a different site, and
    if you go to it with FF on a Linux machine it comes up with a 404.

    Had a customer get into this and what it put on her computer was not
    detectable by NOD32, MSAS, Spybot, etc... It is using something that
    hides the files and registry entries from the windows API. Not ADS...
     
    scott, Nov 11, 2005
    #1
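The behaviour scott describes (one page for IE, a redirect for Firefox on Windows, a 404 for Firefox on Linux) is browser- and OS-based cloaking keyed on the User-Agent header. The script below is an added example, not part of the thread: it fetches a URL once per assumed User-Agent string, records the final URL, status and a body hash, and flags any divergence between clients. The User-Agent strings and the constructed SAMPLE dict are illustrative; run live probes only from an isolated analysis host.

```python
"""
Probe a URL with several browser User-Agent strings and report whether the
server serves different content to different clients (User-Agent cloaking).
Added example; the UA strings and SAMPLE results are constructed.
"""
import hashlib
import urllib.error
import urllib.request

# Constructed: one User-Agent per client mentioned in the post.
USER_AGENTS = {
    "ie6-win": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "firefox-win": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) "
                   "Gecko/20050915 Firefox/1.0.7",
    "firefox-lin": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) "
                   "Gecko/20050920 Firefox/1.0.7",
}


def probe(url, user_agent, timeout=10):
    """Fetch url once with the given User-Agent, following redirects.
    Returns the final URL, HTTP status and SHA-256 of the body; an HTTP
    error (e.g. 404) is recorded rather than raised so it can be compared."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
            return {"final_url": resp.geturl(), "status": resp.status,
                    "digest": hashlib.sha256(body).hexdigest()}
    except urllib.error.HTTPError as err:
        return {"final_url": err.geturl(), "status": err.code,
                "digest": hashlib.sha256(err.read()).hexdigest()}


def probe_all(url):
    """Live probe of one URL with every configured User-Agent (network)."""
    return {label: probe(url, ua) for label, ua in USER_AGENTS.items()}


def cloaking_report(results):
    """results: {client_label: probe dict}. Returns (is_cloaked, reasons),
    where reasons lists each client pair whose final URL, status or body
    differs. Pure function, so it can be tested on recorded results."""
    reasons = []
    labels = sorted(results)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            for key in ("final_url", "status", "digest"):
                if results[a][key] != results[b][key]:
                    reasons.append(f"{a} vs {b}: {key} differs "
                                   f"({results[a][key]!r} != {results[b][key]!r})")
    return (len(reasons) > 0, reasons)


# Constructed sample mirroring the post: IE gets the page, Firefox on Windows
# is redirected elsewhere, Firefox on Linux gets a 404.
SAMPLE = {
    "ie6-win": {"final_url": "http://example.invalid/", "status": 200, "digest": "a" * 64},
    "firefox-win": {"final_url": "http://other.example.invalid/", "status": 200, "digest": "b" * 64},
    "firefox-lin": {"final_url": "http://example.invalid/", "status": 404, "digest": "c" * 64},
}

if __name__ == "__main__":
    cloaked, why = cloaking_report(SAMPLE)
    print("cloaked" if cloaked else "consistent")
    for line in why:
        print(" ", line)
```

The comparison is deliberately separated from the fetch so recorded results (from a sandbox, a proxy log, or a colleague's capture) can be compared without touching the site again. A body hash is a blunt instrument against pages with rotating ad content; for those, compare the set of script URLs instead.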

  2. From: "scott" <>

    | Want a big load of undetectable malware loaded on your computer? Go here
    | with IE:
    | http://american-redbud-tree.jerome.semibay.com/
    |
    | If you go there with Firefox on Windows it goes to a different site, and
    | if you go to it with FF on a Linux machine it comes up with a 404.
    |
    | Had a customer get into this and what it put on her computer was not
    | detectable by NOD32, MSAS, Spybot, etc... It is using something that
    | hides the files and registry entries from the windows API. Not ADS...


    I guess you missed reading the FAQ -- http://shplink.com/misc/FAQ.htm

    7. Are there any posting restrictions, rules or guidelines?
    < snip >

    "Also, unless requested, do not post the URL where you suspect you obtained your adware /
    spyware / malware / parasite infection. Instead, alter the URL in some way so as to make it
    human-readable but NOT clickable, such as "h**p://www.removethis.example.c*m". Why?
    Unsuspecting or inexperienced lurkers might just click on the URL and get unwittingly
    hijacked. Note that this request applies only to suspect URLs, and is not meant to
    discourage the posting of information about possibly rogue web sites. Please DO tell us
    about them; just do so safely."

    In the future, please obfuscate the URL of malicious web sites !


    The following was noted with McAfee v7.1E, Engine 5000, DAT v4626:
    D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\free_access[1].cab\FREE_ACCESS[1].CAB Adware-RBlast.dll
     
    David H. Lipman, Nov 11, 2005
    #2
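The FAQ David quotes asks only that a suspect URL be made non-clickable; the exact alteration is left to the poster. The helper below is an added example, not from the thread or the FAQ: it defangs a URL in the hXXp:// and [.] style commonly used on malware lists (an assumed convention; the FAQ's own h**p / c*m variant is one of the forms the refang side accepts) and reverses the common obfuscations so a defanged URL from a post can be fed back to a tool.

```python
"""
Defang / refang suspect URLs so they can be posted without being clickable.
Added example; the hXXp:// and [.] convention is an assumption, not the FAQ's.
"""
import re

_URL = re.compile(r"^(https?)(://)([^/?#]+)(.*)$", re.IGNORECASE)


def defang(url):
    """http://host.tld/path -> hXXp://host[.]tld/path. Only the scheme and
    the host are altered; the path is left alone so it stays readable."""
    m = _URL.match(url)
    if not m:
        # Bare hostname or unknown scheme: just break the dots.
        return url.replace(".", "[.]")
    scheme, sep, host, rest = m.groups()
    scheme = scheme[0] + "XX" + scheme[3:]  # http -> hXXp, https -> hXXps
    return scheme + sep + host.replace(".", "[.]") + rest


def refang(text):
    """Undo the usual obfuscations: hXXp / h**p schemes, and [.] (.) {.}
    or ' dot ' in place of a period. Works on a whole line of text."""
    out = re.sub(r"\bh(?:xx|\*\*)p(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    out = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", ".", out)
    return out


if __name__ == "__main__":
    sample = "http://american-redbud-tree.jerome.semibay.com/script/hui.js"
    print(defang(sample))
    print(refang(defang(sample)) == sample)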

  3. Dustin Cook

    Dustin Cook Guest

    I wasn't able to duplicate it here using IE6... I'll try it later from
    a VMware image.
    What OS is your customer using? I would like to acquire the malware
    executables for possible inclusion in the next pattern release of
    BugHunter. Thanks for the URL.

    Regards,
    Dustin Cook
    http://bughunter.atspace.org
     
    Dustin Cook, Nov 11, 2005
    #3
  4. Beauregard T. Shagnasty

    Note X's.
    Perhaps ActiveX?
    Yes, please do! <lol>

    Whatever is at the cited URL appears to be called by the JavaScript. I
    do not do JS, but if anyone wants to analyze it:
    hXXp://american-redbud-tree.jerome.semibay.com/script/hui.js
     
    Beauregard T. Shagnasty, Nov 11, 2005
    #4
  5. From: "Beauregard T. Shagnasty" <>


    |
    | Yes, please do! <lol>
    |
    | Whatever is at the cited URL appears to be called by the JavaScript. I
    | do not do JS, but if anyone wants to analyze it:
    | hXXp://american-redbud-tree.jerome.semibay.com/script/hui.js
    |

    D'oh !

    I just realized I failed to obfuscate the URL in my reply !

    { Damn ! }
     
    David H. Lipman, Nov 11, 2005
    #5
  6. J-Walker

    J-Walker Guest

    I get a 404 as well using SlimBrowser w/Java permissions set to High.
     
    J-Walker, Nov 11, 2005
    #6
  7. 1

    1 Guest

    Error 404 is a server side HTTP 1.0/1.1 error.
     
    1, Nov 17, 2005
    #7
  8. Andy Walker

    Andy Walker Guest

    I can't find any DNS listing for that site or for semibay.com. It
    looks like the domain has been killed.

    Registration info (the last part indicates this domain has been
    suspended):

    Registration Service Provided By: ESTDOMAINS
    Contact: +372.55647646
    Website: http://www.estdomains.com

    Domain Name: SEMIBAY.COM

    Registrant:
    Dutch Clicks Gmbh
    Mrs. Sara Lijiendar ()
    se Lunter 12/103
    Gaaga
    ,7928BW
    NL
    Tel. +31.890125592

    Creation Date: 30-Oct-2005
    Expiration Date: 30-Oct-2006

    Domain servers in listed order:
    ns2.l00phost.com
    ns1.l00phost.com


    Administrative Contact:
    Dutch Clicks Gmbh
    Mrs. Sara Lijiendar ()
    se Lunter 12/103
    Gaaga
    ,7928BW
    NL
    Tel. +31.890125592

    Technical Contact:
    Dutch Clicks Gmbh
    Mrs. Sara Lijiendar ()
    se Lunter 12/103
    Gaaga
    ,7928BW
    NL
    Tel. +31.890125592

    Billing Contact:
    Dutch Clicks Gmbh
    Mrs. Sara Lijiendar ()
    se Lunter 12/103
    Gaaga
    ,7928BW
    NL
    Tel. +31.890125592

    Status:SUSPENDED
    Note: This Domain Name is Suspended. In this status the domain
    name is InActive and will not function.
     
    Andy Walker, Nov 17, 2005
    #8
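Andy's check (no DNS answer, and a registrar record whose Status line says the name is suspended) is the standard way to confirm a malware host has been taken down. The script below is an added example, not from the thread: it parses the registrar record he pasted (reproduced here with the repeated contact blocks trimmed) for the registrar, dates, nameservers and status, and separately tries a live DNS lookup. The parser is written against this registrar's layout, including its "Status:" line with no space after the colon, and the clientHold status it also recognises is an assumption based on EPP status names, not something on the page.

```python
"""
Confirm a suspect domain is dead: parse the registrar record for its status
and nameservers, then try to resolve the name. Added example; the record
below is the one posted above, trimmed to the fields that matter.
"""
import re
import socket

WHOIS_SAMPLE = """\
Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com

Domain Name: SEMIBAY.COM

Registrant:
Dutch Clicks Gmbh
Mrs. Sara Lijiendar ()
se Lunter 12/103
Gaaga
,7928BW
NL
Tel. +31.890125592

Creation Date: 30-Oct-2005
Expiration Date: 30-Oct-2006

Domain servers in listed order:
ns2.l00phost.com
ns1.l00phost.com

Status:SUSPENDED
Note: This Domain Name is Suspended. In this status the domain
name is InActive and will not function.
"""

# One regex per scalar field; "Status:" has no space after the colon here.
FIELDS = {
    "registrar": r"^Registration Service Provided By:\s*(.+?)\s*$",
    "domain": r"^Domain Name:\s*(\S+)",
    "created": r"^Creation Date:\s*(\S+)",
    "expires": r"^Expiration Date:\s*(\S+)",
    "status": r"^Status:\s*(.+?)\s*$",
}


def parse_whois(text):
    """Extract the fields in FIELDS plus the nameserver list that follows the
    'Domain servers' heading (terminated by a blank line)."""
    rec = {"nameservers": []}
    in_ns = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_ns = False
            continue
        if in_ns:
            rec["nameservers"].append(line.lower())
            continue
        if line.lower().startswith("domain servers"):
            in_ns = True
            continue
        for key, pattern in FIELDS.items():
            m = re.match(pattern, line, re.IGNORECASE)
            if m:
                rec[key] = m.group(1)
                break
    if "domain" in rec:
        rec["domain"] = rec["domain"].lower()
    if "status" in rec:
        rec["status"] = rec["status"].upper()
    return rec


def is_suspended(rec):
    """True when the registrar has put the name in a non-functioning state.
    SUSPENDED is what this registrar prints; clientHold is the EPP status
    other registrars use for the same thing (assumption, see lead-in)."""
    status = rec.get("status", "").replace(" ", "")
    return "SUSPENDED" in status or "CLIENTHOLD" in status


def resolves(hostname):
    """Live DNS check: first A record, or None if the name does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    rec = parse_whois(WHOIS_SAMPLE)
    print(rec)
    print("suspended:", is_suspended(rec))
    print("resolves to:", resolves(rec["domain"]))
```

A suspended registration and a nameserver pair on a throwaway host are both worth recording: the same registrant and nameservers tend to reappear under new names, so the parsed record is more useful as a pivot than the dead hostname itself.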
