[unisog] vml (and mdac?) exploited web sites

power less absolutelynopower at gmail.com
Sat Feb 3 22:55:32 GMT 2007

Thanks, I'll check it out.
BTW for people who are curious about the highly publicized dolphin exploit,
and wonder if someone is going to find one of your web sites hosting such
things, SANS put out the info.

"A similar (identical?) exploit is served by the following domains. At
this point, the best defense (after patching) is to block these
domains and monitor DNS requests for them. Infected machines will try
to call home to them.

w1c.cn, dv521.com, www.natmags.co.uk, bc0.cn, 137wg.com,

dv521.com was the domain used in the dolphinstadium.com defacement.
Thanks to the cooperation from Xin-Net, the domain is no longer
resolving. But there is always a chance that it will come back.
Searching in Google shows really a lot of web sites hosting suspicious
looking urls.
See the following example already known to be bad. I wonder how many times
people ever intentionally put a link to a javascript program where that
program resides at some location "far away"? A program that could crawl web
sites and point out such cases would seem useful, wouldn't it? The webmaster
could decide if they had anything like that on the web site intentionally.

snippet from Google search: (With some extra X's)

- Podcasts: Subscribe To <script src="htXtp://dv521.Xcom/3.js ...
CDC Centers for Disease Control and Prevention Health Marketing site.
www2a.cdc.gov/podcasts/subscribe.asp?t=a&cI - 17k - - Similar pages
<script src="htXtp://dv521.Xcom/3.js"></script>

On 2/3/07, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> power less wrote:
> > I was curious as to what people should search for if they wanted to
> > know if vml (and mdac?) exploits had made it onto any web pages
> > in their neighborhood. That would be a worthy cause, wouldn't it,
> > checking web pages for badness? I don't suppose there is a free utility
> > that does that?
> >
> > Dreaming out loud: the ideal would be a module that could detect
> > potentially malicious content in supplied html and it could be used as
> > plugin in web browsers and as a plugin in some kind of web spider
> > program or other uses.
> There are folk working on so called client honeypots that walk the web
> looking for malicious sites.  Google on "client honeypot" for details.
> Russell
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
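
The check wished for in the message above (point out script includes that load from a host "far away" so the webmaster can decide whether they are intentional), combined with the quoted advice to watch for the listed domains, sketched as an added example that is not part of the original post or any tool it mentions. The function names, the sample site and the sample markup are constructed for illustration; the watchlist entries are the domains named in the quoted advisory.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Domains named in the advisory quoted in the message above.
WATCHLIST = {"w1c.cn", "dv521.com", "www.natmags.co.uk", "bc0.cn", "137wg.com"}


class ScriptSrcCollector(HTMLParser):  # collects src of every <script> tag
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def on_watchlist(host, watchlist=WATCHLIST):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def audit_page(page_url, html):
    """Return (script_url, host, verdict) for each off-site script include."""
    site = urlsplit(page_url).hostname
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        full = urljoin(page_url, src)  # resolves relative and //host forms
        host = urlsplit(full).hostname
        if not host or host == site:
            continue  # same-site script, nothing to report
        verdict = "watchlist" if on_watchlist(host) else "review"
        findings.append((full, host, verdict))
    return findings

# Constructed sample page (hypothetical site and markup).
SAMPLE_URL = "http://www.example.edu/podcasts/subscribe.asp"
SAMPLE_HTML = """<script src="/js/menu.js"></script>
<script src="//stats.example.net/counter.js"></script>
<SCRIPT SRC="http://dv521.com/3.js"></SCRIPT>"""

if __name__ == "__main__":
    for url, host, verdict in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{verdict:9} {host:20} {url}")
```

A "review" verdict only means the script is served from another host and needs a human decision; it is not a finding of compromise.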