Qai.jar malware (CVE-2010-1885)

NotBuyingIt
Posts: 3202
Joined: Fri Mar 11, 2011 6:21 pm

Qai.jar malware (CVE-2010-1885)

Post by NotBuyingIt » Wed Mar 21, 2012 9:15 pm

A well-known spam expert is reporting an aggressively promoted malware exploit which uses multiple sites together. Deceptive web pages planted on dozens of sites load a set of JavaScripts which in turn attempt to load a malicious webpage. Several variations were detected yesterday and today.

This set of scripts
hXXp://50.57.29.172/hVg3GFAo/js.js
hXXp://finantariauto.ro/5ZqETXNE/js.js
hXXp://ipecturkey.com/E2UNfoGY/js.js
hXXp://oompa.de/VTwQKwDD/js.js
attempts to load
hXXp://209.59.217.193/showthread.php?t=d7ad916d1c0396ff
that leads to malware at
hXXp://209.59.217.193/q.php?f=ba33
hXXp://209.59.217.193/content/Qai.jar

This set of scripts
hXXp://216.205.49.67/CD5s3Ne3/js.js
hXXp://activetours.pttk.pl/Eaz0Mz8g/js.js
hXXp://copymax.gr/jbbaaFCK/js.js
hXXp://offvip.com/TtMQy1sw/js.js
hXXp://solocyberday.com/oDYibUuh/js.js
attempts to load
hXXp://slickicus.com/showthread.php?t=8d80b8c3f87a9538
that leads to malware at
hXXp://slickicus.com/q.php?f=db757
hXXp://slickicus.com/content/Qai.jar

This set of scripts
hXXp://officefurnituremart.com/sT1SFMyf/js.js
hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
hXXp://qqprints.com.my/37ErBpvj/js.js
hXXp://romanjewelers.com/mnbCaEYY/js.js
hXXp://samx.zzl.org/crF5iYsT/js.js
attempts to load
hXXp://slicksphere.com/showthread.php?t=d7ad916d1c0396ff
but the domain slicksphere.com has been suspended

Here are some of the deceptive URLs that have been reported earlier today

hXXp://02f40c1.netsolhost.com/jXh3opQk/index.html
hXXp://02f40c1.netsolhost.com/pVXky4P3/index.html
hXXp://184.164.129.5/H0PL9q26/index.html
hXXp://3eras.com/0X98aHUS/index.html
hXXp://5seis.com.ar/jXh3opQk/index.html
hXXp://91.93.110.150/JYjJE2q2/index.html
hXXp://acriancafeliz.org.br/vyEryYcH/index.html
hXXp://advanced-web-hosting-solutions.com/H0PL9q26/index.html
hXXp://advancedcopier.net/tMYwdbsB/index.html
hXXp://aerospacend.com/0X98aHUS/index.html
hXXp://autolorentzos.gr/46iU2yx2/index.html
hXXp://autolorentzos.gr/k4H1CSBf/index.html
hXXp://autouniversal.ro/tMYwdbsB/index.html
hXXp://bestdeal.com.vn/H0PL9q26/index.html
hXXp://binhanphat.vn/pVXky4P3/index.html
hXXp://chinchunhoo.com/tp3G2sKH/index.html
hXXp://criadero-duancos.com.ar/jXh3opQk/index.html
hXXp://dhtics.webou.net/8pe5eCMZ/index.html
hXXp://dhtics.webou.net/N7hwdmet/index.html
hXXp://dhtics.webou.net/vyEryYcH/index.html
hXXp://fundoohairstyles.com/0X98aHUS/index.html
hXXp://getstrength.com/pVXky4P3/index.html
hXXp://glamourspa.com.vn/H0PL9q26/index.html
hXXp://goksen.com.tr/H0PL9q26/index.html
hXXp://goksen.com.tr/JYjJE2q2/index.html
hXXp://goksen.com.tr/tp3G2sKH/index.html
hXXp://hajashaza.hu/JYjJE2q2/index.html
hXXp://hajashaza.hu/pVXky4P3/index.html
hXXp://hajashaza.hu/W9x9Xomw/index.html
hXXp://hellenic-antiaging-academy.gr/k4H1CSBf/index.html
hXXp://hidroprojekt-consult.hr/W9x9Xomw/index.html
hXXp://hippocrafts.com/46iU2yx2/index.html
hXXp://hippocrafts.com/8pe5eCMZ/index.html
hXXp://hippocrafts.com/svaVeSkm/index.html
hXXp://hyperbeesmedia.com/svaVeSkm/index.html
hXXp://ibafo.com.br/LTWJaNR9/index.html
hXXp://ibafo.com.br/N7hwdmet/index.html
hXXp://inour.biz/JYjJE2q2/index.html
hXXp://inour.biz/pVXky4P3/index.html
hXXp://isravilon1.com/tMYwdbsB/index.html
hXXp://junglecreativestudio.gr/k4H1CSBf/index.html
hXXp://jurjev.com/8pe5eCMZ/index.html
hXXp://koala.unas.cz/N7hwdmet/index.html
hXXp://kolling.com.my/LTWJaNR9/index.html
hXXp://kongo.co.hu/N7hwdmet/index.html
hXXp://kongo.co.hu/svaVeSkm/index.html
hXXp://kongo.co.hu/tMYwdbsB/index.html
hXXp://laflcargo.com/vyEryYcH/index.html
hXXp://laleyurtseven.com/8pe5eCMZ/index.html
hXXp://laleyurtseven.com/tMYwdbsB/index.html
hXXp://ledsociety.com/7ik7M03n/index.html
hXXp://ledsociety.com/tp3G2sKH/index.html
hXXp://leikar.net/vyEryYcH/index.html
hXXp://linemenu.com/8pe5eCMZ/index.html
hXXp://linemenu.com/svaVeSkm/index.html
hXXp://littlelordspreschool.com/0X98aHUS/index.html
hXXp://lsquarednetworks.com/7ik7M03n/index.html
hXXp://lsquarednetworks.com/tp3G2sKH/index.html
hXXp://mage.ibraggiotti.com/0X98aHUS/index.html
hXXp://mage.ibraggiotti.com/W9x9Xomw/index.html
hXXp://magneticlodestone.com/46iU2yx2/index.html
hXXp://magneticlodestone.com/tMYwdbsB/index.html
hXXp://maxiesolutions.com/svaVeSkm/index.html
hXXp://mayerdobrasil.com.br/W9x9Xomw/index.html
hXXp://mcms.xs2theworld.com/LTWJaNR9/index.html
hXXp://mcms.xs2theworld.com/vyEryYcH/index.html
hXXp://metrofincaraiz.com/0X98aHUS/index.html
hXXp://minds.com.pk/8pe5eCMZ/index.html
hXXp://mishelart.com/tp3G2sKH/index.html
hXXp://mixtle.com/tMYwdbsB/index.html
hXXp://mkultura.lt/7ik7M03n/index.html
hXXp://musicalchemylab.lh.pl/46iU2yx2/index.html
hXXp://myghanaonline.com/N7hwdmet/index.html
hXXp://notebooktamiri.gen.tr/vyEryYcH/index.html
hXXp://objebi.com/xBu5dukk/index.html
hXXp://olla-de-felix-buenos-aires.com/Qyuv8XX1/index.html
hXXp://olla-de-felix-buenos-aires.com/xBu5dukk/index.html
hXXp://oneblr.com/a65oSoKL/index.html
hXXp://optimizacija-seo.com/a65oSoKL/index.html
hXXp://overhill.comicgenesis.com/xBu5dukk/index.html
hXXp://paperbuzz.net/3BvC2cTf/index.html
hXXp://party-chat.hu/a65oSoKL/index.html
hXXp://party-chat.hu/xBu5dukk/index.html
hXXp://povilasc.ipower.com/tp3G2sKH/index.html
hXXp://pp.premiumpage.pl/vyEryYcH/index.html
hXXp://Privatesandbox.com/qVsVjYfe/index.html
hXXp://prodmovie.com/xBu5dukk/index.html
hXXp://psytrip.com.br/LTWJaNR9/index.html
hXXp://public.smartbe.be/0X98aHUS/index.html
hXXp://rajtr.com/7ik7M03n/index.html
hXXp://realestatebootcamp.ca/LTWJaNR9/index.html
hXXp://redencionsofro.com.ar/3BvC2cTf/index.html
hXXp://revivalgospelministries.org/LTWJaNR9/index.html
hXXp://riwex.hu/3BvC2cTf/index.html
hXXp://sarahyong.com/CzEjfCRK/index.html
hXXp://sereflikochisarzob.org/LTWJaNR9/index.html
hXXp://sezam.home.pl/CzEjfCRK/index.html
hXXp://silentstartupwebsite.com/CzEjfCRK/index.html
hXXp://silentstartupwebsite.com/xBu5dukk/index.html
hXXp://siranmuftulugu.gov.tr/46iU2yx2/index.html
hXXp://sisrs.org/tMYwdbsB/index.html
hXXp://sixdimensions.co.id/xBu5dukk/index.html
hXXp://softwarepark-galati.ro/xBu5dukk/index.html
hXXp://swcc.marknetdev.com/LTWJaNR9/index.html
hXXp://sxs-bwn.org/vyEryYcH/index.html
hXXp://techleadsolution.com/QnXBRiWS/index.html
hXXp://tehranmaltbeer.com/30VtVqEf/index.html
hXXp://tempo-www.defisduchott.com/CzEjfCRK/index.html
hXXp://themainmall.com/svaVeSkm/index.html
hXXp://transcamila.com/tMYwdbsB/index.html
hXXp://upedagogica.edu.bo/N7hwdmet/index.html
hXXp://www.tesan.com.tr/vyEryYcH/index.html

Some other reported URLs return HTTP 404 ("Not Found") or their domains have been suspended, so I suspect efforts are underway to combat the malware campaign.
Data that is stored in the cloud may become lost in the fog.

NotBuyingIt
Posts: 3202
Joined: Fri Mar 11, 2011 6:21 pm

RE: Qai.jar malware (CVE-2010-1885)

Post by NotBuyingIt » Thu Mar 22, 2012 1:56 am

Other people are also reporting virtually the same exploit which is also running on other sites.

This set of scripts
hXXp://50.57.29.172/hVg3GFAo/js.js
hXXp://oompa.de/VTwQKwDD/js.js
attempts to load
hXXp://matormaster.com/showthread.php?t=d7ad916d1c0396ff
that leads to malware at
hXXp://matormaster.com/q.php?f=ba33e
hXXp://matormaster.com/content/Qai.jar

This set of scripts
hXXp://officefurnituremart.com/sT1SFMyf/js.js
hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
hXXp://romanjewelers.com/mnbCaEYY/js.js
hXXp://samx.zzl.org/crF5iYsT/js.js
attempts to load
hXXp://slickcurve.com/showthread.php?t=d7ad916d1c0396ff
that leads to malware at
hXXp://slickcurve.com/q.php?f=ba33
hXXp://slickcurve.com/content/Qai.jar
Here are some of the deceptive URLs that have been reported within the past few hours

hXXp://clubrepublique.com/LTWJaNR9/index.html
hXXp://gfclock.com/tMYwdbsB/index.html
hXXp://maxiesolutions.com/N7hwdmet/index.html
hXXp://orangesoft.co.uk/xBu5dukk/index.html
hXXp://palm-schools.com/xBu5dukk/index.html
hXXp://paperbuzz.net/xBu5dukk/index.html
hXXp://parfum-mester.hu/a65oSoKL/index.html
hXXp://parfum-sziget.hu/a65oSoKL/index.html
hXXp://party-chat.hu/3BvC2cTf/index.html
hXXp://photo-howto.com/a65oSoKL/index.html
hXXp://popi-indonesia.org/Qyuv8XX1/index.html
hXXp://probatik.com/3BvC2cTf/index.html
hXXp://psytrip.com.br/8pe5eCMZ/index.html
hXXp://riwex.hu/30VtVqEf/index.html
hXXp://riwex.hu/a65oSoKL/index.html
hXXp://saturnosistemas.com/xBu5dukk/index.html
hXXp://sezam.home.pl/a65oSoKL/index.html
hXXp://silentstartupwebsite.com/a65oSoKL/index.html
hXXp://sinarled.com/CzEjfCRK/index.html
hXXp://sreesaiproperty.com/CzEjfCRK/index.html
hXXp://szomaliaiegyesulet.hu/30VtVqEf/index.html
hXXp://tamanbungaku.com/a65oSoKL/index.html
hXXp://tanyaeco.co.za/30VtVqEf/index.html
hXXp://terangkecil.com/3BvC2cTf/index.html
hXXp://thechange180.com/a65oSoKL/index.html

c۞g
Posts: 10927
Joined: Mon Jan 05, 2009 4:02 am

RE: Qai.jar malware (CVE-2010-1885)

Post by c۞g » Thu Mar 22, 2012 3:48 am

Qai.jar - 17.07 KB
VT 0/43
contents:

ua.class - 1.04 KB
cons.class - 4.27 KB
cr.class - 2.3 KB
G.class - 3.35 KB
ub.class - 15.63 KB
uc.class - 389 Byte
sys.class - 313 Byte


Results in 404 Not Found:

matormaster.com/content/Qai.jar
matormaster.com/q.php?f=ba33e


50.57.29.172/hVg3GFAo/js.js
oompa.de/VTwQKwDD/js.js
officefurnituremart.com/sT1SFMyf/js.js
orvosokafrikaert.hu/Bsz1CQg0/js.js
romanjewelers.com/mnbCaEYY/js.js
samx.zzl.org/crF5iYsT/js.js

results with: document.location='http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff';


slickcurve.com resides on IP 173.255.195.167; hXXp://173.255.195.167/showthread.php?t=d7ad916d1c0396ff results in the same malware install.

50.57.29.172
173.255.195.167


oompa.de
officefurnituremart.com
orvosokafrikaert.hu
romanjewelers.com
samx.zzl.org
slickcurve.com
∞ Opto, ergo sum
_https://en.wikipedia.org/wiki/And_You_and_I


NotBuyingIt
Posts: 3202
Joined: Fri Mar 11, 2011 6:21 pm

RE: Qai.jar malware (CVE-2010-1885)

Post by NotBuyingIt » Thu Mar 22, 2012 3:44 pm

Spam email, transmitted via IP 82.127.14.217 (abo.wanadoo.fr), fraudulently claims to be a LinkedIn notice. IP 82.127.14.217 may be blacklisted. The email contains a deceptive URL to a webpage at

hXXp://butelii-acetilena.ro/59N0J8h1/index.html

which attempts to load JavaScript from two sources

hXXp://interspeedy.com.br/zjSxmkDM/js.js
hXXp://limbongan.com/37hcGs54/js.js

The scripts, in turn, attempt to redirect to a malicious web page at

hXXp://bluecellular.com/showthread.php?t=977334ca118fcb8c

that leads to malware at

hXXp://bluecellular.com/content/Qai.jar
hXXp://bluecellular.com/q.php?f=2e457

The email contains two more suspicious URLs which are either fakes or already have been disabled (HTTP 404):
hXXp://inepalhotels.com/y7id9XXo/index.html
hXXp://cgwood.net/U6PcaTcQ/index.html

[Edit: more]
Other malicious scripts that redirect to bluecellular.com are at

hXXp://muttonheadcollective.com/XvLBzokA/js.js
hXXp://auto-escolas.com/TfFQ7r6J/js.js
hXXp://rgexcel.com/CPD4MoEs/js.js
hXXp://turkwebalan.com/oUvuQ0b7/js.js
hXXp://vita-shop.hu/dSSjc0ag/js.js
hXXp://wilbrahamweddings.co.uk/qsTCVQXM/js.js
hXXp://www.bestcar.ee/0AfKWVDW/js.js
hXXp://www.unimoveis.net/jW57W6aZ/js.js

NotBuyingIt
Posts: 3202
Joined: Fri Mar 11, 2011 6:21 pm

RE: Qai.jar malware (CVE-2010-1885)

Post by NotBuyingIt » Thu Mar 22, 2012 5:42 pm

bluecellular.com has been suspended; its domain registrar has set its status to clientHold. The malware exploit is now using the newly registered browncellular.com instead.

hXXp://174.133.92.122/MgGsg1Pp/js.js
hXXp://myparacord.com/cxW8X8xp/js.js
hXXp://prace.kupbilet.com/VTDeZmRF/js.js
hXXp://smapit.com/TaTj4D3f/js.js
hXXp://thebestguide1.com/arKwG4pE/js.js
hXXp://www.aeceventos.com.br/zEQSTHfq/js.js
hXXp://www.extrhema.com.br/cVspcegd/js.js
hXXp://www.industriacaxiense.com.br/HLAeMSAd/js.js
hXXp://www.inkontro.com/CXxLMToy/js.js
hXXp://www.inkontro.it/9e85Bru8/js.js
hXXp://www.teodo-tivat.com/osJYHU6u/js.js
hXXp://mrsmakeit.com/9jrgDjED/js.js

attempt to redirect to a malicious web page at

hXXp://browncellular.com/showthread.php?t=d7ad916d1c0396ff

that leads to malware at

hXXp://browncellular.com/content/Qai.jar
hXXp://browncellular.com/content/ap2.php?f=7245d

NotBuyingIt
Posts: 3202
Joined: Fri Mar 11, 2011 6:21 pm

RE: Qai.jar malware (CVE-2010-1885)

Post by NotBuyingIt » Thu Mar 22, 2012 8:41 pm

Deceptive URLs at

hXXp://espacoquatro.com.br/3qZfYFbh/index.html
hXXp://sauschamber.com/sgc1MBef/index.html

load scripts from some or all of the following sources

hXXp://skueez.com/jKtfRnuL/js.js
hXXp://nhb.prosixsoftron.in/cJHrkMSb/js.js
hXXp://boemelparty.be/vnB4GozT/js.js
hXXp://www.alpine-turkey.com/YfTXsaR5/js.js
hXXp://sas.hg.pl/Th5Da66c/js.js
hXXp://www.vinhthanh.com.vn/8cACpVEr/js.js

that attempt to redirect to a malicious web page at

hXXp://cyancellular.com/showthread.php?t=d44175c6da768b70

that, in turn, leads to malware at

hXXp://cyancellular.com/content/Qai.jar
hXXp://cyancellular.com/q.php?f=44c23

Acknowledgement: I saw most of the URLs listed in this comment in the current malwaredomainlist.com report.

NotBuyingIt
Posts: 3202
Joined: Fri Mar 11, 2011 6:21 pm

RE: Qai.jar malware (CVE-2010-1885)

Post by NotBuyingIt » Thu Mar 22, 2012 9:48 pm

A deceptive URL at

hXXp://www.kozmodisk.net/enzfjWNu/index.html

loads scripts from all of the following sources

hXXp://auto-escolas.com/TfFQ7r6J/js.js
hXXp://muttonheadcollective.com/XvLBzokA/js.js
hXXp://rgexcel.com/CPD4MoEs/js.js
hXXp://turkwebalan.com/oUvuQ0b7/js.js
hXXp://vita-shop.hu/dSSjc0ag/js.js
hXXp://wilbrahamweddings.co.uk/qsTCVQXM/js.js
hXXp://www.bestcar.ee/0AfKWVDW/js.js
hXXp://www.unimoveis.net/jW57W6aZ/js.js

that attempt to redirect to a malicious web page at

hXXp://purplecellular.org/showthread.php?t=d7ad916d1c0396ff

that leads to a suspicious file at

hXXp://purplecellular.org/content/Qai.jar

NotBuyingIt
Posts: 3202
Joined: Fri Mar 11, 2011 6:21 pm

RE: Qai.jar malware (CVE-2010-1885)

Post by NotBuyingIt » Thu Mar 22, 2012 10:55 pm

Currently, many of the malware exploit's intermediary JavaScript files, including these

hXXp://thebestguide1.com/arKwG4pE/js.js
hXXp://www.extrhema.com.br/cVspcegd/js.js
hXXp://mrsmakeit.com/9jrgDjED/js.js

redirect to a malicious webpage at

hXXp://whitecellular.org/showthread.php?t=d7ad916d1c0396ff

which leads to the suspicious file

hXXp://whitecellular.org/content/Qai.jar

MarkGiles
Posts: 1951
Joined: Wed Mar 30, 2011 2:40 am

RE: Qai.jar malware (CVE-2010-1885)

Post by MarkGiles » Fri Mar 23, 2012 4:51 am

From just the last 2 days, here is a list of 151 hijacked hosts found in spam. Each has an 8-random-character string in the URL. They are sequenced from most frequent (127 hits) to least frequent (1 hit).

futurisima.com.ar
iips.edu.in
industriadaformatura.com.br
grimper.awardspace.com
gri.or.id
escoladailha.com.br
gardenmoveis.com.br
odontofamily.com.br
gerindra.or.id
giftformom.trei.ro
ttest.co.za
oscardelaolla.com.co
tubogas.com.br
peridot.com.vn
ogrodzeniamirko.home.pl
whiteoak.co.za
tatuielegante.com.br
sillinho.bplaced.net
andif.com.br
damhofer.com
planetafitnessltda.com.br
manczyl.webd.pl
spyder.snowpeak.com.tw
positivacomunicacao.com.br
newsletter.lavorosalute.it
test1991.mebyre.com
nafti.edu.gh
testeaza.trei.ro
lirahost.com.br
twilightbefore.bplaced.net
maxtone.nazwa.pl
dentalimplants123.com
seniordatinggroup.co.uk
corporateuniversity.com.br
mirrorfelder.cnh.at
sbemrj.org.br
cpm.borec.cz
istorie.usm.md
revistatempo.com.br
radicalatm.com.ar
intecone.com.br
elisaviscontinetwork.com
aluguechacaras.com.br
ayvitour.com.ua
chusto.lviv.ua
scsuprema.com.br
eventakustik.de
eurowire.it
aashirwad.com.hk
fitratder.org
mail2.direct.ee
balihai1.tempsite.ws
wp10647654.wp274.webpack.hosteurope.de
visualdesenvolvimento.com.br
ufmi.com.my
rlinux.moderna.com.br
rajniti.co.in
videos.newmotion.at
thebeautiq.com.au
suitesdojo.com.br
sospiscinaspr.com.br
romero12.mserwis.pl
revistalabarra.com.co
laseresp.com.mx
s373104026.online.de
municipioderawson.gob.ar
rmraguapura.com.br
afrohealing.co.za
smileshop.com.au
praxedysadesivos.com.br
hassansaeed.99k.org
ocgcoaching.co.il
rygy.com.br
micmusz.webd.pl
lulu.com.co
izaz.com.br
hoegie.be
marcusxl.blink.pl
z8mm.com.br
gfpesquisas.com.br
kadinmuhendisler.org
redleafapartments.co.in
saofranciscodocorumbau.com.br
oguzhanguzel.av.tr
nackageinvestmentgroup.com.au
newsite.itsgroup.it
barcuta.ro
artdelivery.it
witer.home.pl
v1.globaltransit.net
promocaolilicaetigor.com.br
portal365.freehosting.com
wproduct.99k.org
ssttice.bplaced.net
autoreinigung.at
tiborita.altervista.org
support.imatone.fr
scarletcourier.50webs.com
pm.weexcel.in
personnalis.com.br
prakash.clanteam.com
lawsystem.com.br
zegluga.lh.pl
cityofsutton.org
travian1000x.zzl.org
quickphoto.com.br
ftp.zimmerrestaurante.com.br
ftp.vilasek.com
ismailgunes.web.tr
gastrocomplexeu.pl
bizsizanayasaolmaz.org
wordpressitalia.altervista.org
vivaleboutique.com.br
ucscad.com.br
snowpeak.com.tw
monochromatic.art.pl
imobiliariacruzeirors.com.br
wahbischool.com
kemerburgazfutbolokulu.com
gruppoenter.eu
dimac.com.ar
cbac.com
voip.valorizaweb.com.br
vinicolaperini.com.br
travian250x.zzl.org
travelodubai.co.uk
topkids.com.br
tony.web.id
styling.krakow.pl
ssios.com.pk
snakeprotex.com.au
siwy010.webd.pl
shop.madamegrillet.it
seicommat.hospedagemdesites.ws
s391025613.onlinehome.fr
recantopaulista.com.br
radioresgateonline.com.br
pzas.nazwa.pl
proweb1.bplaced.net
piratrilhas.com.br
patentmall.com.my
pasandola.nixiweb.com
osteologia.org.ar
nortonmini.com.ar
metropolis.com.br
mcms.xs2theworld.com
mariotta.com.br
loja.weissblumenn.com.br
ftp.dariocandela.altervista.org
eminenceorganics.com.my
curicica.com.br

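The first post describes the chain as a deceptive index.html that loads one or more js.js files, which redirect to a showthread.php page, which serves Qai.jar; the post above notes that every hijacked host carries an 8-random-character string in its path. The following is an added example, not code posted by anyone in this thread, that turns those reported URL shapes into a stage tagger and runs it over a few constructed proxy-log lines. The log format (timestamp, client, URL) and every hostname ending in .example are assumptions made for the example; the path tokens, the t= value and the f= values are ones reported above.

```python
"""Stage tagging for the multi-hop redirect chain described in this thread.

Added example for the thread, not code posted by anyone in it. URL shapes are
taken from the indicators reported above: landing pages at /<8 chars>/index.html,
loader scripts at /<8 chars>/js.js, a redirector at /showthread.php?t=<16 hex>,
and the payload at /content/Qai.jar beside q.php?f=<hex> or content/ap2.php?f=<hex>.
The proxy log format and the .example hostnames are constructed for the example.
"""
import re
from urllib.parse import urlparse, parse_qs

# Path-only stages of the chain, as reported in the thread.
PATH_STAGES = [
    ("landing", re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")),
    ("loader",  re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")),
    ("payload", re.compile(r"^/content/Qai\.jar$")),
]
HEX16 = re.compile(r"[0-9a-f]{16}")
HEX_SHORT = re.compile(r"[0-9a-f]{4,5}")
CHAIN = ["landing", "loader", "redirector", "payload"]

# Constructed proxy log: "<timestamp> <client> <url>". Hosts are placeholders;
# path tokens and query values are ones reported in the thread.
SAMPLE_LOG = """\
2012-03-22T10:00:01Z 10.0.0.5 http://compromised-a.example/jXh3opQk/index.html
2012-03-22T10:00:02Z 10.0.0.5 http://compromised-b.example/hVg3GFAo/js.js
2012-03-22T10:00:02Z 10.0.0.5 http://compromised-c.example/VTwQKwDD/js.js
2012-03-22T10:00:03Z 10.0.0.5 http://redirector.example/showthread.php?t=d7ad916d1c0396ff
2012-03-22T10:00:04Z 10.0.0.5 http://redirector.example/content/Qai.jar
2012-03-22T10:00:05Z 10.0.0.5 http://redirector.example/q.php?f=ba33
2012-03-22T10:01:00Z 10.0.0.9 http://forum.example/showthread.php?t=12345
2012-03-22T10:01:01Z 10.0.0.9 http://news.example/abcdefgh/index.html
"""


def classify_url(url):
    """Return the chain stage a single URL matches, or None.

    Defanged hXXp:// URLs (the thread's convention) are accepted as-is.
    """
    parts = urlparse(url.replace("hXXp://", "http://", 1))
    query = parse_qs(parts.query)
    t_value = query.get("t", [""])[0]
    f_value = query.get("f", [""])[0]
    # The redirector's t= is 16 hex digits, unlike a real forum's numeric thread id.
    if parts.path.endswith("/showthread.php") and HEX16.fullmatch(t_value):
        return "redirector"
    # q.php?f=<hex> and content/ap2.php?f=<hex> both sit beside Qai.jar in the thread.
    if parts.path.endswith(("/q.php", "/content/ap2.php")) and HEX_SHORT.fullmatch(f_value):
        return "dropper"
    for stage, pattern in PATH_STAGES:
        if pattern.match(parts.path):
            return stage
    return None


def hosts_by_stage(urls):
    """Group the hosts of matching URLs by stage, for per-stage blocklists."""
    grouped = {}
    for url in urls:
        stage = classify_url(url)
        if stage:
            host = urlparse(url.replace("hXXp://", "http://", 1)).hostname
            grouped.setdefault(stage, set()).add(host)
    return {stage: sorted(hosts) for stage, hosts in grouped.items()}


LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)$")


def _in_order(stages, required):
    """True if `required` appears as an ordered subsequence of `stages`."""
    remaining = iter(stages)
    return all(any(seen == want for seen in remaining) for want in required)


def find_chains(log_lines):
    """Return {client: [(stage, url), ...]} for clients that walked the full chain.

    A lone /<8 chars>/index.html hit is weak evidence (any site may use such
    paths); landing -> loader -> redirector -> payload in order marks an exposure.
    """
    per_client = {}
    for line in log_lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        stage = classify_url(match["url"])
        if stage:
            per_client.setdefault(match["client"], []).append((stage, match["url"]))
    return {client: hits for client, hits in per_client.items()
            if _in_order([stage for stage, _ in hits], CHAIN)}


if __name__ == "__main__":
    for client, hits in find_chains(SAMPLE_LOG.splitlines()).items():
        print(client)
        for stage, url in hits:
            print(f"  {stage:10} {url}")
```

Run against the constructed log, only 10.0.0.5 is reported: 10.0.0.9 hit a legitimate-looking showthread.php with a numeric thread id and a single 8-character index.html path, neither of which completes the sequence. Grouping hosts per stage matters because the thread shows the same loader scripts being repointed to freshly registered redirector domains every few hours, so the compromised loader hosts are a more stable indicator than any one redirector.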

NotBuyingIt
Posts: 3202
Joined: Fri Mar 11, 2011 6:21 pm

RE: Qai.jar malware (CVE-2010-1885)

Post by NotBuyingIt » Fri Mar 23, 2012 5:33 am

hXXp://www.aiopgiovani.it/FoSxV9z1/index.html

loads scripts from all of the following sources

hXXp://www.bestcar.ee/0AfKWVDW/js.js
hXXp://turkwebalan.com/oUvuQ0b7/js.js
hXXp://www.unimoveis.net/jW57W6aZ/js.js
hXXp://muttonheadcollective.com/XvLBzokA/js.js

which redirect to a malicious webpage at

hXXp://azurecellular.com/showthread.php?t=d7ad916d1c0396ff

which leads to the suspicious file

hXXp://azurecellular.com/content/Qai.jar

Many of the scam sites hosting Qai.jar may be divided into two groups, based upon their creation date.

Creation Date: 13-mar-2012
slickcurve.com (clientHold)
slickicus.com (clientHold)
slickidian.com (clientHold)
slicksphere.com (clientHold)
slickvard.com (IP 74.91.120.189)

Creation Date: 22-mar-2012
azurecellular.com (IP 209.59.217.78)
bluecellular.com (clientHold)
browncellular.com (IP 174.140.168.207)
cyancellular.com (clientHold)
purplecellular.org (CLIENT HOLD)
whitecellular.org (CLIENT HOLD)
