The malicious code in these pages is a kind of encryption using a conversion of Unicode numbers into characters:
So the code in teesplanet.com/dwindle.php
simply does a redirection:
As for, smokecloud9.com/brutal.php:
Targeted sites are yourdrugquality.ru & medicaltableteshop.ru (scam sites).
PS: to get the code safely for study, it is better to use wget online.
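Added example, not code from this thread or from either site: a small static decoder in JavaScript for the "numbers into characters" trick described above, so the redirect target can be read without running the script. The SAMPLE is constructed for illustration (it is not the real dwindle.php or brutal.php code), and the function names (analyze, deobfuscate, extractIndicators) and the example.invalid host are this example's own assumptions.

```javascript
// Added example, not the code from the forum post or from teesplanet.com /
// smokecloud9.com. Statically decodes String.fromCharCode(...), unescape("..."),
// \xXX, \uXXXX and &#NN; obfuscation and reports URLs and redirect sinks.

// Constructed sample: "window.location=" as char codes, the URL percent-escaped,
// the two halves concatenated and fed to eval().
const SAMPLE =
  "var s=String.fromCharCode(119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,61)" +
  '+unescape("%22http%3A%2F%2Fexample.invalid%2Flanding.php%22%3B");eval(s);';

// Turn %XX and %uXXXX escapes back into characters (what the old unescape() did).
function percentDecode(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Replace String.fromCharCode(n1,n2,...) with the equivalent quoted literal.
function decodeFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, list) =>
    JSON.stringify(list.split(",").map((n) => String.fromCharCode(parseInt(n, 10))).join("")));
}

// Replace unescape("..")-style wrappers and bare \xXX, \uXXXX, &#NN; escapes.
function decodeEscapes(src) {
  const out = src.replace(
    /(?:unescape|decodeURIComponent|decodeURI)\(\s*(["'])((?:(?!\1).)*)\1\s*\)/g,
    (_, q, body) => JSON.stringify(percentDecode(body)),
  );
  return out.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|&#(\d+);/g, (m, hx, u, dec) => {
    const code = hx !== undefined ? parseInt(hx, 16) : u !== undefined ? parseInt(u, 16) : parseInt(dec, 10);
    const ch = String.fromCharCode(code);
    return /["'\\]/.test(ch) ? m : ch; // keep quotes/backslashes escaped so literals stay valid
  });
}

// Merge "a"+"b" into "ab" so a target split across pieces reads as one string.
function joinLiterals(src) {
  return src.replace(/"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/g, (_, a, b) => `"${a}${b}"`);
}

// Apply the decoders until the text stops changing (bounded, for layered encoding).
function deobfuscate(src) {
  let cur = src;
  for (let i = 0; i < 8; i++) {
    const next = joinLiterals(decodeEscapes(decodeFromCharCode(cur)));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Parse every double-quoted literal back to its raw text (JSON escapes match JS here).
function stringLiterals(src) {
  const found = [];
  for (const m of src.matchAll(/"((?:[^"\\]|\\.)*)"/g)) {
    try { found.push(JSON.parse(m[0])); } catch { found.push(m[1]); }
  }
  return found;
}

// Redirect / execution sinks worth flagging in a decoded script.
const SINKS = [
  ["eval", /\beval\s*\(/],
  ["location-assignment", /\blocation(?:\.href|\.replace|\.assign)?\s*[=(]/],
  ["meta-refresh", /http-equiv\s*=\s*["']?refresh/i],
  ["document.write", /\bdocument\.write(?:ln)?\s*\(/],
];

// Report the URLs and sinks visible in the decoded source and its string literals.
function extractIndicators(decoded) {
  const haystack = [decoded, ...stringLiterals(decoded)].join("\n");
  const urls = [...new Set(haystack.match(/https?:\/\/[^\s"'<>)\\]+/g) || [])];
  const sinks = SINKS.filter(([, re]) => re.test(haystack)).map(([name]) => name);
  return { urls, sinks };
}

function analyze(src) {
  const decoded = deobfuscate(src);
  return { decoded, ...extractIndicators(decoded) };
}

console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```

Run it on a file fetched out-of-band (wget, as the post suggests) instead of in a browser; the decoder never evaluates the script, it only rewrites the encoded pieces into readable literals and lists the hosts and sinks it finds. Layered or non-decimal encodings beyond the patterns listed above would need extra decoders.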
Very well, those two redirecting pages may not be destructive at this moment:
teesplanet.com/dwindle.php > local security > Trojan-Downloader.JS.Redirector.a
smokecloud9.com/brutal.php > local security > Trojan-Downloader.JS.Redirector.a
Sample AV report:
> Detected object (file) was deleted.
The redirecting pages have irrelevant names clearly intended to be re-usable for any purpose. In fact, the longstanding redirectors are at least as valuable as the temporary disposable targets which the "encryption" is intended to shield from the light of day. I would not be surprised to find that these targets are only advertised via these redirectors.
Like A440, I have received several of these "poison pen" letters. Normal spam from rogue pharmacies plainly states that they offer cheap drugs, to appeal to recipients who want cheap drugs. To effectively sell a tangible product, whether it is drugs or cars, there is negative appeal in an irrelevant phish mail in the guise of a brand name social media vendor with a message waiting for you, especially when the pretense is so obviously shabby as if someone is playing this like a game, or more likely "farming" these redirectors from a common control center, and testing whether the farm will work successfully as a future social engineering attack.
Average users must (should) rely on security vendors' analyses because they do not have technical and/or physical resources to sacrifice either to malware or to the dirty targets. Because I don't have the physical resources, I have followed a few of these links which were cited only for phishing, etc., by multiple vendors, and cited for malware by none. In some of these cases, my local security has reacted by detecting, neutralizing, and quarantining automatically downloaded objects it identified as malware, as above. Thus my warning.
Some of these redirectors behave differently based on how they are approached. BitDefender and others report malware while Sucuri reports no content, RedirectDetective reports a 404, etc., and other odd combinations. So perhaps malicious code is dynamically added when a live browser seems to be present. Getting the code safely may not get all of the code. I normally do not have time to analyze these detections to an atomic level, especially when there are so many.
This spam campaign has a recognizable signature, and it seems wholly unsuited to hawking happy pills, but ideally suited to spreading malware among social media addicts. Already this campaign appears to be sitting on the fence. Thus my decision to actually post my warning here.