Jun 28, 11:17 am (UTC-7)   |   by Roberto Tayag (Threats Analyst)

We have received reports of a kit being hosted on a Web site which, when accessed, redirects users to a malicious site. The said malicious site has different exploits that are used to ultimately download malicious files. We have in our hands eight files from this kit. Below are bits of information about the files:

  • n404-0 is an obfuscated script. This is probably just a test script for the author because it just displays in a message box the deobfuscated or unencrypted contents of the file n404-1.
  • n404-1 attempts to download the file vers.php, which is in reality a Win32 executable file detected by Trend Micro as TROJ_MURLO.AW. This downloaded Trojan is executed as ieupdate3r.exe and downloads more files, both confirmed malicious and possibly malicious, including files detected as TROJ_SPAMBOT.B, TROJ_AGENT.USE, TROJ_WOPLA.DX, and Possible_NUCRP-3.
  • n404-2 is similar to n404-1, but uses a different approach. It also downloads TROJ_MURLO.AW.
  • n404-3 is a Setsplice exploit detected as EXPL_SSLICE.GEN. This file also attempts to download TROJ_MURLO.AW.
  • n404-4 is a file we do not currently detect as malicious. However, according to our logs, it is related to the MS06-006 vulnerability (Windows Media Player plug-in with non-IE browsers). This one also tries to download TROJ_MURLO.AW.
  • n404-5 looks like a possible Phel variant, but it seems to be currently doing no harm. This one can probably be edited depending on the attacker’s specification, probably for selling later in the game. This is also possible because this file is not being launched by version.php.
  • n404-6 is detected as EXPL_TXTRANGE.A.
  • n404-7 is detected as EXPL_IFRAMEBO.A. This one still points to vers.php (TROJ_MURLO.AW).

All the exploits above can be found within the site. However, only n404-1, n404-2, n404-3, and n404-7 are directly launched when a user is redirected to the malicious site.
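One way a defender can hunt for the chain described above in web proxy logs, as an added example that is not part of the original post: it flags clients that requested any of the kit's exploit pages (n404-0 through n404-7) or the vers.php/version.php payload URL, and reports those that hit both. The log format, hostnames, addresses and timestamps are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample proxy log (not from the original post): timestamp, client, URL, status.
SAMPLE_LOG = """\
2007-06-28T10:01:02 10.0.0.5 http://benign.example/index.html 200
2007-06-28T10:01:05 10.0.0.5 http://redirector.example/go 302
2007-06-28T10:01:06 10.0.0.5 http://kit.example/n404-1 200
2007-06-28T10:01:06 10.0.0.5 http://kit.example/n404-3 200
2007-06-28T10:01:07 10.0.0.5 http://kit.example/vers.php 200
2007-06-28T10:03:44 10.0.0.9 http://benign.example/n404.jpg 200
2007-06-28T10:04:00 10.0.0.9 http://kit.example/version.php?x=1 200
"""

# Filenames named in the write-up: the kit's exploit pages and the payload they fetch.
EXPLOIT_PAGE = re.compile(r"/n404-[0-7]$")
PAYLOAD_PAGE = re.compile(r"/(vers|version)\.php$")


@dataclass
class Finding:
    client: str
    exploit_pages: list = field(default_factory=list)
    payload_hits: list = field(default_factory=list)

    @property
    def full_chain(self) -> bool:
        # Exploit page followed by the payload URL from the same client.
        return bool(self.exploit_pages) and bool(self.payload_hits)


def scan(log_text: str) -> dict:
    """Return {client: Finding} for every client that touched a kit indicator."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the hunt
        _ts, client, url, _status = parts
        path = urlparse(url).path  # query string is ignored on purpose
        f = findings.setdefault(client, Finding(client))
        if EXPLOIT_PAGE.search(path):
            f.exploit_pages.append(path)
        elif PAYLOAD_PAGE.search(path):
            f.payload_hits.append(path)
    return {c: f for c, f in findings.items() if f.exploit_pages or f.payload_hits}


if __name__ == "__main__":
    for client, f in scan(SAMPLE_LOG).items():
        print(client, "full chain" if f.full_chain else "partial", f.exploit_pages, f.payload_hits)
```

A client that only fetched version.php, as 10.0.0.9 does here, is reported as partial so an analyst can look for the missing stage in other telemetry.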






One Response to “The 404 story”

  1. Postmasters Vs Spammers » Dentro de una botnet Says:

    [...] By searching for matching patterns in the received messages (specific headers and their values), some of the IPs of this botnet were extracted and, with the cooperation of the ISPs that unknowingly hosted them, it was established that Trojan.Srizbi was the name of the malware installed on the computers the spam came from. It had been introduced onto them by means of the web-based exploit kit called n404. [...]



© Copyright 2009 Trend Micro Inc. All rights reserved.