Andrew Farmer wrote: > All files are available on request, if anyone's interested in doing > some further analysis of their own. > That was fun :) hi andrew, the main page try to load three different expoits: - a variant of Java/ClassLoader (the applet) - Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) - MoBB #18: WebViewFolderIcon setSlice all these are http 1.1 download exec shellcodes pointed to some exe files on nownames.org and the0count.com http://www.now[REMOVEME]names.org/welded/get_exe.php http://www.the[REMOVEME]0count.com/serv.exe http://www.now[REMOVEME]names.org/images/funny.php so nothing new, just a botnet gang read the attachment for extended notes regards, Francesco 'ascii' Ongaro http://www.ush.it
Attachment:
findings.txt.bz2
Description: application/bzip
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/