Fileden is hacked again - serving up malware (manual.pdf)


Virus Guy

For those that want to download some malware, fileden.com is hacked
again - I just downloaded another copy of manual.pdf. I'll be
submitting it to VT shortly...
 
Virus said:
For those that want to download some malware, fileden.com is hacked
again - I just downloaded another copy of manual.pdf. I'll be
submitting it to VT shortly...

Ok, I just submitted it, and VT had never seen it before, and NO av
program detected the file as a threat.

So congratulations are in order to the coders - they got this one right!

Can anyone grab the plugin that fileden is trying to push? I'm not sure
how to do that without compromising my browser.
 
From: "Virus Guy" <[email protected]>


| Ok, I just submitted it, and VT had never seen it before, and NO av
| program detected the file as a threat.

| So congratulations are in order to the coders - they got this one right!

| Can anyone grab the plugin that fileden is trying to push? I'm not sure
| how to do that without compromising my browser.

Can you please upload the PDF to; http://www.uploadmalware.com/
 
From: "Virus Guy" <[email protected]>


| Dave, try this URL:

| hxxp://www.fileden.com/upload_old.php

Exploits of; CVE-2010-0886 & CVE-2010-1885 noted

Payload; 12sa.cz.cc/k.php?f=21&e=5 { one shot download }

http://www.virustotal.com/file-scan...07c7c44ea21bb500328f295051fcb27b04-1300327409

AVG 10.0.0.1190 2011.03.16 Downloader.Small
BitDefender 7.2 2011.03.17 Gen:Variant.Kazy.15907
CAT-QuickHeal 11.00 2011.03.16 (Suspicious) - DNAScan
GData 21 2011.03.17 Gen:Variant.Kazy.15907
NOD32 5961 2011.03.17 a variant of Win32/Kryptik.LRR
Panda 10.0.3.5 2011.03.16 Suspicious file
Prevx 3.0 2011.03.17 Medium Risk Malware Downloader
Sophos 4.63.0 2011.03.17 Mal/FakeAV-IS
VIPRE 8728 2011.03.17 FraudTool.Win32.FakeAV.a (v)
 
David H. Lipman said:
Payload; 12sa.cz.cc/k.php?f=21&e=5 { one shot download }

I get the file "contacts.exe".

But it must be the same file - same VT scan.

Any ideas why the .PDF file wasn't flagged as malicious?

Are you able to capture the browser plugin being offered?
 
From: "Virus Guy" <[email protected]>


| Any comments on the fact that it wasn't detected by any AV package at
| VT?

I haven't had enough time to analyze it but off hand it looks like the same kind of
malicious PDF as the prior one and it is a case that there is enough difference between the
two that there is just NO signature NO heuristic for this particular kind of PDF
exploitation vector.
 
From: "Ant" <[email protected]>


| It is; same type of encoding, same set of exploits and still the
| shellcode downloads the exe to an invalid filename. Apparently this
| works so I'm at a loss to explain it. I still haven't seen any
| evidence of code injection at fileden.com and following the Payload
| URL still gets 0 bytes.

| Even the other one had only a couple of detections. This type of
| malicious PDF coding has been around since at least December last year
| so it really is time the AVs caught up. Of course, it's not sensible
| to rely on AV products to protect you from such things - your system/
| browser/PDF reader should be securely configured anyway.

Thanx for the corroboration and elaboration.
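A small triage check in the spirit of Ant's point above, added here as an example and not code from the thread or any of its posters: it inflates a PDF's Flate-encoded streams and resolves #xx name escapes before looking for the keywords such a document exposes, which is exactly what a raw byte signature scan never gets to see. The indicator list is a starting point chosen for this illustration, and the sample PDF bytes are constructed, not the thread's manual.pdf.

```python
import re
import zlib

# Keywords a malicious PDF of the kind discussed in this thread exposes
# once its streams are decoded: embedded JavaScript, automatic actions,
# external launches, and the hcp:// handler abused by CVE-2010-1885.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/URI", b"hcp://")

STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\nendstream", re.DOTALL)
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_names(data: bytes) -> bytes:
    """Resolve PDF name escapes so /J#61vaScript matches /JavaScript."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the raw file plus every stream body that inflates as zlib."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded (or damaged): leave it alone
    return b"\n".join(parts)


def scan_pdf(data: bytes, decode: bool = True) -> dict:
    """Count indicator hits; decode=False checks only the raw bytes."""
    view = unescape_names(inflate_streams(data) if decode else data)
    return {k.decode(): view.count(k) for k in INDICATORS if k in view}


# Constructed sample, not the thread's manual.pdf: the action dictionary
# sits inside a Flate-encoded stream and one name is #-escaped, so a
# raw byte scan sees only the /OpenAction reference in the catalog.
HIDDEN = b"<< /S /J#61vaScript /JS (var v = 1;) >> (hcp://placeholder)"
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /Filter /FlateDecode >>\nstream\n" + zlib.compress(HIDDEN)
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print("raw bytes only:", scan_pdf(SAMPLE_PDF, decode=False))
    print("streams inflated:", scan_pdf(SAMPLE_PDF))
```

Real samples also use other filters (ASCIIHex, ASCII85, LZW) and filter chains, so a production triage tool needs each decoder in turn before the keyword pass.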
 