Better Business Bureau Complaint

BBB complaint

Through encoded JavaScript, the victim is eventually redirected to a Phoenix Exploit Kit at hxxp://

The Phoenix controller is configured to drop a PDF exploit for CVE-2010-0188 from hxxp:// This PDF had the following properties.

Name: auxqfudmbuiwg4.pdf
Size: 13,223 bytes
MD5: 9963aab22f61a8dd4118638c1f64181c

The PDF exploits CVE-2010-0188 and was detected by 27 of 42 AV vendors on VirusTotal.

A successful exploit redirects the victim to ebayfordummies[.]su:8080/navigator/frf3.php?i=15 and installs Pony Loader on the victim machine. This Pony Loader had the following properties:

File: dsarcubqinhsjqkugsbm.exe
MD5: fb967688f434ef239a718dede24269b5
Size: 93,736 bytes
Digital Signature: ADt82UxX8ndawrW
Certificate Validity: 04/06/2012 to 01/01/2040

This Phoenix kit is hosted on a fast-flux infrastructure at the following IP addresses:

This Pony Loader posts to a C&C at /pony/gate.php, hosted at IP address It then downloads two identical Gameover Zeus payloads from the following URLs:

1. /6md3zev5/hQj.exe
2. /DGUhkavQ/SkxZGut.exe

Gameover is installed as %APPDATA%\Avnaza\bixuak.exe

MD5: ba0f0a33956dfc96a1126a108eb4e47e
Size: 275,496 bytes
Signature: This file is digitally signed by ‘ADt82UxX8ndawrW’
Certificate Validity: 04/06/2012 to 01/01/2040
Timestamp: 2010:10:29 22:03:29+02:00

During analysis, the Gameover Zeus variant's dropzone was identified at Webinjects were pulled from the IP at The Gameover variant had a botid “mf222a7” and cid “5555”.
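As an added example (not part of the original write-up), a small Python check that applies the indicators above to proxy-log lines and groups the matched infection-chain stages per client. The log lines, client addresses and payload hosts in the sample are constructed, since the page does not give the IPs; the URL paths and MD5s are the ones listed above.

```python
import re
from collections import defaultdict

# Indicators taken from the write-up (URL paths and hashes only; the page
# does not give the hosting IPs, so matching is by host/path, not address).
INDICATORS = {
    "phoenix_redirect": re.compile(r"ebayfordummies\.su:8080/navigator/frf3\.php$"),
    "pony_gate_post":   re.compile(r"/pony/gate\.php$"),
    "gameover_payload": re.compile(r"/(6md3zev5/hQj|DGUhkavQ/SkxZGut)\.exe$"),
}
KNOWN_MD5 = {
    "9963aab22f61a8dd4118638c1f64181c": "Phoenix PDF exploit (CVE-2010-0188)",
    "fb967688f434ef239a718dede24269b5": "Pony Loader",
    "ba0f0a33956dfc96a1126a108eb4e47e": "Gameover Zeus",
}

# Constructed proxy log (hypothetical clients and payload hosts):
# "<client> <method> <url> <status>" per line.
SAMPLE_LOG = """\
10.0.0.5 GET http://ebayfordummies.su:8080/navigator/frf3.php?i=15 200
10.0.0.5 POST http://198.51.100.7/pony/gate.php 200
10.0.0.5 GET http://203.0.113.9/6md3zev5/hQj.exe 200
10.0.0.5 GET http://203.0.113.9/DGUhkavQ/SkxZGut.exe 200
10.0.0.6 GET http://example.com/index.html 200
"""

def classify_url(method, url):
    """Return the chain stage a request matches, or None."""
    path = url.split("?", 1)[0]          # drop the query string before matching
    for stage, pattern in INDICATORS.items():
        if pattern.search(path):
            # Pony check-ins are POSTs; a bare GET to the gate is not a check-in
            if stage == "pony_gate_post" and method != "POST":
                return None
            return stage
    return None

def hosts_with_chain(log_text):
    """Map each client to the sorted set of stages seen; several stages = high confidence."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        client, method, url, _status = line.split()
        stage = classify_url(method, url)
        if stage:
            stages[client].add(stage)
    return {client: sorted(seen) for client, seen in stages.items()}

def label_hash(md5):
    """Name the sample a known MD5 belongs to, or None if it is not from this chain."""
    return KNOWN_MD5.get(md5.lower())
```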
