Glazunov / Sibhost Exploit Kit

— 2/13 Update

More recent examples have changed slightly.

Paste of gate

http://awfok43.tobykeithsilovethisbarandgrill.org/tsgmydgysams19m93a5jpl4xeacgsvpl > Gate
http://awfok43.tobykeithsilovethisbarandgrill.org/deployJava.js
http://awfok43.tobykeithsilovethisbarandgrill.org/tsgmydgysams19m93a5jpl4xeacgsvpl.jar > 404
http://awfok43.tobykeithsilovethisbarandgrill.org/tsgmydgysams19m93a5jpl4xeacgsvpl.pdf > PDF 2010-0188 (WEPAWET)
http://awfok43.tobykeithsilovethisbarandgrill.org/tsgmydgysams19m93a5jpl4xeacgsvpl.pdf?s=2 > Encoded Locker EXE (VT – Decoded)

See more examples of Glazunov / Sibhost on UrlQuery

— 11/27/12

HTTP Request Method = GET
HTTP URI Strings =

/g00db4by4YoUn0W
/b3s7b4by4YoUn0W
"\/[a-zA-Z0-9]{32}\?s=1&m=2"
"\/[a-zA-Z0-9]{32}\?s=1"
"\/[a-zA-Z0-9]{32}\.pdf\?p=1" > PDF 2010-0188
"\/[a-zA-Z0-9]{32}\.pdf\?p=1&s=2" > RogueAV EXE disguised as .DAT
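The URI strings above, together with the 32-character .jar / .pdf / .pdf?s=2 paths from the 2/13 update at the top of the post, can be run as a detection pass over proxy logs to pull out the full gate-to-payload chain per client. This is an added example, not code from the original post: the log lines and the .invalid hostnames are constructed, the log format is a hypothetical "timestamp client method url status" layout, and the stage labels are my reading of the post's annotations.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Regexes adapted from the post's 11/27/12 URI strings and its 2/13 update.
# More specific patterns are listed first so a query string is never
# swallowed by the bare 32-character path rule at the end.
TOKEN = r"[a-zA-Z0-9]{32}"
RULES = [
    (r"^/(?:g00db4by4YoUn0W|b3s7b4by4YoUn0W)$", "gate (older)"),
    (r"^/deployJava\.js$", "deployJava.js"),
    (r"^/" + TOKEN + r"\?s=1&m=2$", "s=1&m=2 request"),
    (r"^/" + TOKEN + r"\?s=1$", "s=1 request"),
    (r"^/" + TOKEN + r"\.pdf\?p=1&s=2$", "RogueAV EXE disguised as .DAT"),
    (r"^/" + TOKEN + r"\.pdf\?p=1$", "PDF CVE-2010-0188"),
    (r"^/" + TOKEN + r"\.pdf\?s=2$", "encoded Locker EXE"),
    (r"^/" + TOKEN + r"\.pdf$", "PDF CVE-2010-0188"),
    (r"^/" + TOKEN + r"\.jar$", "JAR request"),
    (r"^/" + TOKEN + r"$", "gate (2/13 style)"),
]
COMPILED = [(re.compile(p), label) for p, label in RULES]

# Constructed sample log: "timestamp client method url status" (hypothetical format).
SAMPLE_LOG = """\
1358000001.000 10.0.0.5 GET http://gate-host.invalid/tsgmydgysams19m93a5jpl4xeacgsvpl 200
1358000002.000 10.0.0.5 GET http://gate-host.invalid/deployJava.js 200
1358000003.000 10.0.0.5 GET http://gate-host.invalid/tsgmydgysams19m93a5jpl4xeacgsvpl.jar 404
1358000004.000 10.0.0.5 GET http://gate-host.invalid/tsgmydgysams19m93a5jpl4xeacgsvpl.pdf 200
1358000005.000 10.0.0.5 GET http://gate-host.invalid/tsgmydgysams19m93a5jpl4xeacgsvpl.pdf?s=2 200
1358000006.000 10.0.0.7 GET http://other-host.invalid/b3s7b4by4YoUn0W 200
1358000007.000 10.0.0.7 GET http://other-host.invalid/aB3dE6gH9jK2mN5pQ8sT1vW4yZ7bC0eF.pdf?p=1&s=2 200
1358000008.000 10.0.0.9 GET http://benign.invalid/index.html 200
1358000009.000 10.0.0.9 GET http://benign.invalid/static/abcdefghijklmnopqrstuvwxyz012345.png 200
"""


def classify_uri(uri):
    """Return the stage label for a request path (plus query), or None."""
    for rx, label in COMPILED:
        if rx.search(uri):
            return label
    return None


def scan_log(text):
    """Return (client, host, uri, label) for every GET whose URI matches a rule."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "GET":  # the post's traffic is all GET
            continue
        u = urlsplit(parts[3])
        uri = u.path + ("?" + u.query if u.query else "")
        label = classify_uri(uri)
        if label:
            hits.append((parts[1], u.hostname, uri, label))
    return hits


def chains_by_client(hits):
    """Group matched stages per client, in log order, to show the infection chain."""
    chains = defaultdict(list)
    for client, _host, _uri, label in hits:
        chains[client].append(label)
    return dict(chains)


if __name__ == "__main__":
    matched = scan_log(SAMPLE_LOG)
    for client, stages in chains_by_client(matched).items():
        print(client, "->", " | ".join(stages))
```

Only a client that has both a gate hit and a follow-on .pdf or .jar request is worth escalating; a lone 32-character path with no exploit or payload stage behind it is weaker evidence, which is why the chain view is grouped per client rather than alerting on single lines. The 32-character token is also anchored to the start of the path, so ordinary static assets that happen to contain a 32-character name deeper in the path do not match.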

See examples on UrlQuery.net

References:

Sibhost / Glazunov on Malwaredomainlist.com
