Sponsored by..

Tuesday 26 August 2008

Asprox: beyry.ru, iopoe.ru, jetp6.ru, nucop.ru, port04.ru and vj64.ru

There's been a slight shift in the characteristics of the current Asprox attack. The javascript called is now script.js rather than ngg.js or js.js, and this goes to a redirect script currently pointing at /cgi-bin/index.cgi?lle on the local domain.

Active domains in this new attack seem to be as follows, new ones are in bold.
  • beyry.ru
  • cb3f.ru
  • cnld.ru
  • iopc4.ru
  • iopoe.ru
  • jetp6.ru
  • loopk.ru
  • netr2.ru
  • okcd.ru
  • nucop.ru
  • port04.ru
  • ueur3.ru
  • vj64.ru
Check your logs or block these domains. Most business outside of Russia and neighbouring countries could probably block the entire .ru TLD with minimal impact. Look also for the CGI sript (/cgi-bin/index.cgi?lle) to find potentially infected client PCs.

No comments: