ADP Security Management Update

We analyzed the following malicious URL, which was used in ADP-themed spam on June 28/29 2012:


ADP Security Update

The spam sample we analyzed was sent from – a known Cutwail spambot.

This malicious page contained 4 JavaScript includes, as shown below:

<script type="text/javascript" src="hxxp://"></script>
<script type="text/javascript" src="hxxp://"></script>
<script type="text/javascript" src="hxxp://"></script>

Eventually these malicious scripts redirect the victim to a Blackhole exploit kit at

This Blackhole exploit kit was hosting at least 14 different malicious payloads. The detected malware payloads, identified by MD5 hash, included the following:


All of these binaries appear, upon initial inspection, to be Pony downloaders.
The Pony downloader posts to its dropzone at hxxp:// and also downloads 3 identical Gameover Zeus binaries from the following locations:

1. hxxp://
2. hxxp://
3. hxxp://
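The post-infection behaviour described above (an executable download from the exploit kit, then a POST to a host the victim had not contacted before, then further executable fetches) is a pattern a defender can hunt for in proxy logs. The script below is an added example, not code from the original post; the log lines, host names, log format and the five-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not from the original post). One event per line:
# timestamp client method url content-type
SAMPLE_LOG = """\
2012-06-28T09:00:00 10.0.0.5 GET http://landing.example/adp-update.html text/html
2012-06-28T09:00:01 10.0.0.5 GET http://js1.example/a.js application/javascript
2012-06-28T09:00:01 10.0.0.5 GET http://js2.example/b.js application/javascript
2012-06-28T09:00:01 10.0.0.5 GET http://js3.example/c.js application/javascript
2012-06-28T09:00:03 10.0.0.5 GET http://ek.example/index.php text/html
2012-06-28T09:00:05 10.0.0.5 GET http://ek.example/w.php?f=1 application/x-msdownload
2012-06-28T09:00:09 10.0.0.5 POST http://drop.example/collect text/html
2012-06-28T09:00:10 10.0.0.5 GET http://h1.example/goz.exe application/x-msdownload
2012-06-28T09:00:11 10.0.0.5 GET http://h2.example/goz.exe application/x-msdownload
2012-06-28T09:00:12 10.0.0.5 GET http://h3.example/goz.exe application/x-msdownload
2012-06-28T09:05:00 10.0.0.7 GET http://intranet.example/index.html text/html
2012-06-28T09:05:02 10.0.0.7 POST http://intranet.example/login text/html
"""

EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(minutes=5)  # assumed: chain completes within 5 minutes

def parse(log_text):
    """Parse the constructed format into (time, client, method, url, host, ctype)."""
    events = []
    for line in log_text.splitlines():
        ts, client, method, url, ctype = line.split()
        host = url.split("/")[2]
        events.append((datetime.fromisoformat(ts), client, method, url, host, ctype))
    return events

def find_downloader_chains(log_text):
    """Flag clients showing: exe download -> POST to a never-seen host -> more exe downloads."""
    by_client = defaultdict(list)
    for ev in parse(log_text):
        by_client[ev[1]].append(ev)
    hits = []
    for client, evs in by_client.items():
        evs.sort()
        for i, (t0, _, m0, url0, _, ct0) in enumerate(evs):
            if m0 != "GET" or ct0 not in EXE_TYPES:
                continue
            seen = {e[4] for e in evs[:i + 1]}  # hosts contacted up to the payload download
            for j in range(i + 1, len(evs)):
                tj, _, mj, urlj, hostj, _ = evs[j]
                if tj - t0 > WINDOW:
                    break
                if mj == "POST" and hostj not in seen:
                    followups = [e[3] for e in evs[j + 1:] if e[5] in EXE_TYPES and e[0] - t0 <= WINDOW]
                    if followups:
                        hits.append({"client": client, "payload": url0, "dropzone": urlj, "followups": followups})
                    break
    return hits
```

The benign client 10.0.0.7 also issues a POST, but with no preceding executable download it is not flagged.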

