New Chinese exploit pack
| New Chinese exploit pack | |
|---|---|
| Botnet | |
| Malware | |
| Botnet/malware group | |
| Exploit kits | KaiXin |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / 2012-08-02 |
| Editor/Conference | Kahu security blog |
| Link | http://www.kahusecurity.com/2012/new-chinese-exploit-pack/ |
| Author | Darryl |
| Type | Blogpost |
Abstract

“A Korean news site was recently observed distributing malware. I thought it would be an opportune time to test out my program that attempts to locate malicious scripts on a website. Here’s an excerpt from the results.

Looking at the screenshot above from the bottom up, we see some suspicious content from an IP address. That page gets called by an infected “popupmenu.js” file, and that file gets referenced on the main news page. Good, we know now where to start looking! By the way, the “ad.html” page that gets iframed has an “entropy” value of about 68%, which is rather high (see top of the screenshot). This suggests the page has obfuscated JavaScript.”
Bibtex

```bibtex
@misc{2012BFR458,
  editor       = {Kahu security blog},
  author       = {Darryl},
  title        = {New Chinese exploit pack},
  day          = {02},
  month        = aug,
  year         = {2012},
  howpublished = {\url{http://www.kahusecurity.com/2012/new-chinese-exploit-pack/}},
}
```