Slight changes in Crimeboss URIs

Main information on Crimeboss can be found here.

Chain looked like this…

http:// www.theowlmag .com/album-reviews/album-review-open-by-rhye/ >> Compromised Site
http:// bebicasal. >> continue if java enabled
http:// bebicasal >> 302
http:// derneuntekontinent. de/cgi/index.php?x=s >> continue if java enabled
http:// derneuntekontinent .de/cgi/index.php?x=s&gmllaid=754933428&no=0 >> GATE
http:// derneuntekontinent. de/cgi/index.php?action=stats_access
http:// derneuntekontinent .de/cgi/index.php?action=stats_javaon
http:// .uk/.te/amor1.jar >> 2012-4681
http:// www.backstop >> 2013-0422
http:// .uk/.te/jmx.jar?r=1061858 >> 2013-0422
http:// broodenzoets .nl/plugin/Plugin.cpl > EXE
http:// zelinares .com .br/x4.gif > EXE
http:// derneuntekontinent .de/cgi/index.php?action=stats_loaded&k=j
http:// .br/Site/js/tabs/mago/05/Instal.jpg > EXE
http:// fotoprimavera .com .br/Site/js/tabs/mago/civic/Instal.xml

The EXEs are particularly interesting as they aren’t encoded, but are served under faked names (.cpl, .gif, .jpg) along with matching faked content types. They’re downloaded by Java though, so the Java user agent is there.

This should be pretty easy to see with snort and may catch some other things too… > user_agent = *Mozilla*Java/1.* > look for MZ / MZP header at the start of the response body

Without the user-agent condition you’ll have a fair amount of FPs, fun stuff.
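The same two-part check, as an added example that is not part of the original post, expressed as a small Python detector run over reconstructed HTTP transactions instead of a snort rule. It assumes reconstructed transactions with the user agent, the declared Content-Type and the first bytes of the body; the URLs and body bytes below are constructed samples, not the traffic from the chain above. It gates on the Java user agent first, then looks for the MZ / MZP header, and additionally reports when the declared Content-Type (image/gif, text/plain, …) does not match the executable it carries:

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Java's built-in HTTP client announces itself with a User-Agent such as
# "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_07"; this regex is the post's
# "*Mozilla*Java/1.*" glob.
JAVA_UA = re.compile(r"Mozilla.*Java/1\.")

# Every Windows PE image begins with the DOS stub signature "MZ". Binaries
# from some Borland/Delphi toolchains begin with "MZP", which the "MZ"
# prefix test also catches, so one check covers both headers from the post.
PE_MAGIC = b"MZ"

# Content-Types under which a PE payload is NOT a surprise; anything else
# (image/gif, text/plain, text/xml, ...) paired with an MZ body is a disguised EXE.
EXPECTED_EXE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}


@dataclass
class HttpTransaction:
    url: str
    user_agent: str
    content_type: str
    body: bytes  # the first few bytes of the response body are enough


def is_pe_body(body: bytes) -> bool:
    """True if the response body starts with a PE header (MZ / MZP)."""
    return body.startswith(PE_MAGIC)


def java_fetched(tx: HttpTransaction) -> bool:
    """True if the request came from Java's HTTP client."""
    return bool(JAVA_UA.search(tx.user_agent))


def verdict(tx: HttpTransaction) -> Optional[str]:
    """Return an alert reason, or None when the transaction is unremarkable.

    The user-agent gate is what keeps this from firing on every ordinary
    EXE download in the capture (the FPs the post warns about).
    """
    if not is_pe_body(tx.body):
        return None
    if not java_fetched(tx):
        return None  # browser or installer download, not the Java client
    declared = tx.content_type.split(";")[0].strip().lower()
    if declared in EXPECTED_EXE_TYPES:
        return "java-client-fetched-executable"
    return f"java-client-fetched-executable-disguised-as-{declared}"


def scan(transactions: List[HttpTransaction]) -> List[Tuple[str, str]]:
    """Run verdict() over a list of transactions and return (url, reason) hits."""
    hits = []
    for tx in transactions:
        reason = verdict(tx)
        if reason:
            hits.append((tx.url, reason))
    return hits


# Constructed sample traffic (not a real capture). Body bytes are just enough
# of each file format to drive the magic check; hostnames are placeholders.
JAVA_AGENT = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_07"
BROWSER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"

SAMPLE = [
    # EXE served as a GIF to the Java client -> alert
    HttpTransaction("http://payload.example.invalid/x4.gif", JAVA_AGENT,
                    "image/gif", b"MZ\x90\x00\x03\x00\x00\x00"),
    # EXE with a Control Panel extension, MZP header and a text type -> alert
    HttpTransaction("http://payload.example.invalid/plugin/Plugin.cpl", JAVA_AGENT,
                    "text/plain", b"MZP\x00\x02\x00\x00\x00"),
    # genuine JAR fetched by Java (zip magic) -> no alert
    HttpTransaction("http://payload.example.invalid/jmx.jar", JAVA_AGENT,
                    "application/java-archive", b"PK\x03\x04\x14\x00"),
    # real GIF fetched by Java -> no alert
    HttpTransaction("http://cdn.example.invalid/logo.gif", JAVA_AGENT,
                    "image/gif", b"GIF89a\x10\x00"),
    # ordinary browser download of an installer: MZ without the Java UA -> no alert
    HttpTransaction("http://vendor.example.invalid/setup.exe", BROWSER_AGENT,
                    "application/octet-stream", b"MZ\x90\x00\x03\x00"),
]

if __name__ == "__main__":
    for url, reason in scan(SAMPLE):
        print(f"ALERT {reason}: {url}")
```

Dropping the `java_fetched` gate turns the last sample (a plain browser download of an installer) into a hit, which is exactly the false-positive class the post describes; the Content-Type mismatch is kept as extra context in the reason rather than as a second gate, so a Java-fetched EXE with an honest Content-Type still alerts.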
