MGD
Premium, MVM
join:2002-07-31
kudos:9
reply to mysec

Re: foxnews.com infected?

said by mysec:

....
Note that this is an Acrobat Reader exploit, not a browser exploit. The browser just loads the PDF file. This exploit works in all browsers. Be sure and configure your file types to Prompt for Download, or "Always Ask"
..
----
rich
Great write-up!

I was particularly interested in this drive-by:

quote:
[Adobe Reader 6.0 from your computer wants to
connect to plathost.ru [78.109.25.217], port 80]

as that location has come to my attention on several occasions.

IP 78.109.25.217

appears to be hosting 3 domains: »whois.domaintools.com/78.109.25.217

1. Nevervhudo.ru »whois.domaintools.com/nevervhudo.ru

2. Socksps.ru »whois.domaintools.com/Socksps.ru

3. Stopgam.cn »whois.domaintools.com/Stopgam.cn

Due to the name, Socksps.ru aroused some curiosity; however, the main page only offers a login:




If one can overcome that restriction, an account holder can purchase the use of compromised machines around the globe to use as a secure proxy:




This may be where some of the compromised victim machines are leveraged for additional income:

The master list of machines available for rent is several pages long:




You can sort the available hijacked machines by country, and then buy access, daily or monthly, to mask your true origin for any nefarious purpose:

USA:




UK:




Iran:




Note the banner ad for "carding Conference" at cashing.cc:

This may be where the compromised extracted financial data ends up for sale:




It appears that the only way to obtain a login account in order to use the services of Socksps.ru is to contact ICQ 431278403.

Or you can respond directly to his promotion on forum.zloy.org, a cybercriminals' one-stop shop for carding, hacking exploits, money transfers, banking, etc.

His translated ad posting on forum.zloy.org for Socksps.ru services is here:



The main zloy.org page is translated here:



MGD