Zscalerのブログ

Zscalerの最新ブログ情報を受信

購読する
Now “ce.ms” Free Domains Are Being Used To Host Malicious Code
Security Research

Now “ce.ms” Free Domains Are Being Used To Host Malicious Code

image
THREATLABZ
October 27, 2011 - 2 分で読了
A few months back, I posted a blog on “co.tv” domains being used by attackers to host malicious code . We had identified number of different domains being used to carry out attacks using heavily obfuscated JavaScript. Now it appears that attackers are leveraging free “.ce.ms” domains. Likewise, we have identified a number of .ce.ms domains exploiting various known client side vulnerabilities. Here are a few of the URL’s being used:
 

hxxp://27glshegbslijels.ce.ms/main.php?page=66c6ce3c7bc4b20c
hxxp://hhhjjjjj111111.ce.ms/main.php?page=423b262d0a1a9f70
hxxp://00000000000000.ce.ms/main.php?page=423b262d0a1a9f70
hxxp://24sjegohmjosee.ce.ms/main.php?page=66c6ce3c7bc4b20c
hxxp://44444444444444444.ce.ms/main.php?page=423b262d0a1a9f70

The aforementioned domains suggest that random domain names are being registered to host these attacks. Once visited, the victim will be presented with obfuscated JavaScript code, formatted in such way to evade IDS, IPS and antivirus solutions. The numbers in the arrays used by the scripts are intentionally spread across separate lines. This way the size of HTML file becomes huge and the total code spans 29K lines. Here is the snapshot of the first part of the malicious code:Image

Look at the array variable. As can be seen, the numbers used in the array are spread over separate lines. Here is the last part of the script:


Image

 

Once the above code is decoded, it turns out be related to the Blackhole exploit kit which exploits a variety of known client side vulnerabilities. Here is a small screenshot of the decoded script:

 

ImageAttackers keep registering different random domains to spread their attacks, often targeting free registration services. Due to obfuscation used by the attackers, security solutions relying on regular expressions designed to match known patterns can often be evaded due to the code being spread of over numerous lines.
 
Stay safe!!!
Umesh
form submtited
お読みいただきありがとうございました

このブログは役に立ちましたか?

免責事項:このブログは、Zscalerが情報提供のみを目的として作成したものであり、「現状のまま」提供されています。記載された内容の正確性、完全性、信頼性については一切保証されません。Zscalerは、ブログ内の情報の誤りや欠如、またはその情報に基づいて行われるいかなる行為に関して一切の責任を負いません。また、ブログ内でリンクされているサードパーティーのWebサイトおよびリソースは、利便性のみを目的として提供されており、その内容や運用についても一切の責任を負いません。すべての内容は予告なく変更される場合があります。このブログにアクセスすることで、これらの条件に同意し、情報の確認および使用は自己責任で行うことを理解したものとみなされます。

Zscalerの最新ブログ情報を受信

このフォームを送信することで、Zscalerのプライバシー ポリシーに同意したものとみなされます。