Subject: You have just received an ecard.
Body: Check out the original Crazy Cat Card. It is too funny for words.
http://75.4.70.217/
Subject: Check out your ecard.
Body: Click here to view your laughing kitty card online. http://74.138.11.91/
Subject: You've got a greeting just for you!
Body: Please click here to view your Crazy Kitty Card Online.
http://99.162.220.182/
Here's a screenshot of the page:
After looking at the source and downloading the Flash animation (the cat), I used Flare to extract any scripts. I found the the original file came from http://www.superlaugh.com/1/catnip.swf Both files were the same size but MD5's did not match.
movie 'catnip.swf' {
// flash 4, total frames: 127, frame rate: 12 fps, 360x450 px
frame 1 {
ifFrameLoaded (4) {
gotoAndPlay(3);
}
}
frame 2 {
gotoAndPlay(1);
}
movieClip 5 {
}
button 7 {
on (release) {
getURL('http://www.superlaugh.com', '_top');
}
}
movieClip 14 {
}
frame 125 {
gotoAndPlay(3);
}
}
The links on the page all go to SuperLaugh.exe which was caught by 70% of scan engines on Virus Total. Obfuscated Javascript was found at the bottom just like some previous versions. It looked to be the same exploits that have been being used on and off since I first started looking into Storm about a month or two ago.
Also, all the images, including the kitty Flash file, were sourced from the "/img" directory but it did not allow browsing of directories.
No comments:
Post a Comment