Monday, September 20, 2010

Decoding html viruses followup

The last post was getting too long so it was time to start a new one.

Now the subject line says "contract for sports complex" and going through some of the previous decoding steps and feeding it into jsunpack leads us to a complicated scenario that the CyberCrime & Doing Time blog goes into here.

The browser visits a hostile site

It tells me that x.html is
info: [meta refresh]
info: [iframe]

which just looks like your basic "Can we sell you some cheap pills?" SpamRx, or in this case a porn site. BUT! You get this free surprise inside an iframe (that's an HTML thingy).

The sports complex one I went through decoded to (I've removed the opening angle bracket to keep the browser from trying to interpret it and changed http to h.ttp):

PLEASE WAITING.... 4 SECONDS meta h.ttp-equiv="refresh" content="4;url=h.ttp://" /> iframe width="0" height="0" src="h.ttp://"> /iframe>

So while you are seeing your browser is getting something else entirely.
jsunpack tells me it contains a file called 3.wav, which I find pretty strange, but on further examination it's part of the xxxvideo porn site so it's more smoke.
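To make the "what you see versus what your browser fetches" split concrete, here is an added example (not from the original post or from jsunpack): a small scanner that separates the visible text from the meta-refresh redirect and the zero-size iframe in the decoded attachment above. The sample HTML is constructed to match that decoded snippet, and the URLs in it are placeholders.

```python
# Added example, not the post's own code. Scans HTML for the two tricks the
# decoded attachment used: a <meta http-equiv="refresh"> redirect and a 0x0
# <iframe>, while also recording the text a user would actually see.
from html.parser import HTMLParser


class RedirectIframeScanner(HTMLParser):
    """Collect visible text, meta-refresh redirects and hidden iframes."""

    def __init__(self):
        super().__init__()
        self.visible = []    # text the user sees while the page loads
        self.findings = []   # (kind, target, extra) tuples the browser acts on

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # html.parser lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "4;url=http://..."; split delay from target
            delay, _, url = a.get("content", "").partition(";")
            url = url.strip()
            if url.lower().startswith("url="):
                url = url[4:].strip()
            self.findings.append(("meta-refresh", url, delay.strip()))
        elif tag == "iframe":
            w, h = a.get("width", "").strip(), a.get("height", "").strip()
            # a 0x0 iframe renders nothing but its src is still fetched
            kind = "hidden-iframe" if "0" in (w, h) else "iframe"
            self.findings.append((kind, a.get("src", ""), f"{w}x{h}"))

    def handle_data(self, data):
        if data.strip():
            self.visible.append(data.strip())


def scan_html(html):
    """Return (visible_text_list, findings_list) for an HTML string."""
    p = RedirectIframeScanner()
    p.feed(html)
    p.close()
    return p.visible, p.findings


# Constructed sample modelled on the decoded attachment; placeholder URLs.
SAMPLE = (
    "PLEASE WAITING.... 4 SECONDS"
    '<meta http-equiv="refresh" content="4;url=http://decoy.example/" />'
    '<iframe width="0" height="0" src="http://payload.example/x.html"></iframe>'
)

if __name__ == "__main__":
    seen, fetched = scan_html(SAMPLE)
    print("user sees:", seen)
    for kind, target, extra in fetched:
        print(f"browser fetches: {kind} {target} ({extra})")
```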

What I need is more info about:

A quick google of shows one link and it was created by yours truly when I did the above jsunpack run.

So I finally finished my local install of the text-only browser "Lynx" running on a Linux system only to find out the site is gratefully down.

However, the domain name is owned by someone:
Whois Server:
Referral URL:
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-sep-2010
Creation Date: 13-sep-2010

Expiration Date: 13-sep-2011

And the contact info is hidden by the registrant Moniker:

Registrar: MONIKER

Registrant [3157846]:
Dennis Nanni
6310 Rock Creek Rd
Tullahoma TN 37388 US

This domain was just registered a week ago, but still isn't really functional or was and is no longer.

So I still don't know what they're up to, but it's getting harder and harder to find out just what it is, though I have a feeling that if the site answered then jsunpack would have more to say about it.
