said by mysec:
Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure to configure your file types to "Prompt for Download" or "Always Ask".
Great write-up!
I was particularly interested in this drive-by:
[Adobe Reader 6.0 from your computer wants to
connect to plathost.ru [18.104.22.168], port 80]
as that location has come to my attention on several occasions.
It appears to be hosting 3 domains: »whois.domaintools.com/22.214.171.124
1. Nevervhudo.ru »whois.domaintools.com/nevervhudo.ru
2. Socksps.ru »whois.domaintools.com/Socksps.ru
3. Stopgam.cn »whois.domaintools.com/Stopgam.cn
Due to the name, Socksps.ru aroused some curiosity; however, the main page only offers a login:
If one can overcome that restriction, an account holder can purchase the use of compromised machines around the globe as a secure proxy:
This may be where some of the compromised victim machines are leveraged for additional income:
The master list of available for rent machines is several pages long:
You can sort the available hijacked machines by country, and then buy access, daily or monthly, to mask your true origin for any nefarious purpose:
Note the banner ad for a "carding Conference" at cashing.cc:
This may be where the compromised extracted financial data ends up for sale:
It appears that the only way to obtain a login account in order to use the services of Socksps.ru is to contact ICQ 431278403
Or you can respond directly to his promotion on forum.zloy.org, a cybercriminals' one-stop shop for carding, hacking exploits, money transfers, banking, etc.
His translated ad posting on forum.zloy.org for Socksps.ru services is here:
The main zloy.org page is translated here: