Wednesday 26 March 2014

Something evil on

There's some sort of evil at work here, but I can't quite replicate it.. however I would recommend that you put a block in for (Network Operations Center, US).

The infection chain I have spotted here starts with a typical compromised website, in this case:


A quick look at the URLquery report shows a general alert, but no smoking gun..

Is there some trickery at work here? Yes, there's a telltale sign in the HTTP Transactions graph:

Right at the end you can see a redirect to google.no..

This is a telltale sign that some malware is redirecting the URLquery probe to Google to protect itself. Usually it means that the probe doesn't have the right user agent or referrer string, or perhaps its IP is blocked by the bad guys.
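The decoy redirect described above can be picked out of a probe's HTTP transaction log automatically. The following is an added example (not from the original post or from URLquery) that walks an ordered list of transactions and flags the first redirect whose target is a Google search domain, reporting which hop issued it and which third-party hosts were contacted before it; the transaction tuples and host names are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: (request_url, status, Location header or None), in the order
# a sandbox probe would record them. Hostnames are placeholders, not real IoCs.
SAMPLE_TRANSACTIONS = [
    ("http://compromised-site.example/index.php", 200, None),
    ("http://compromised-site.example/js/jquery.js", 200, None),
    ("http://second-hop.example/counter.php?id=7", 302, "http://payload.example/landing"),
    ("http://payload.example/landing", 302, "http://www.google.no/"),
    ("http://www.google.no/", 200, None),
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_google_host(host):
    """True for google.<tld> and google.<co|com>.<tld>, with or without a www. prefix."""
    labels = host.split(".")
    if len(labels) >= 2 and labels[-2] == "google":
        return True
    return len(labels) >= 3 and labels[-3] == "google" and labels[-2] in ("co", "com")


def find_decoy_redirect(transactions):
    """Return (redirecting_host, third_party_hosts) for the first redirect to Google.

    third_party_hosts are the hosts contacted before the decoy redirect, excluding the
    first host in the log (the site the probe was sent to). Returns None if no such
    redirect is present.
    """
    seen_hosts = []
    for url, status, location in transactions:
        host = host_of(url)
        if host and host not in seen_hosts:
            seen_hosts.append(host)
        if status in REDIRECT_STATUSES and location and is_google_host(host_of(location)):
            return host, seen_hosts[1:]
    return None


if __name__ == "__main__":
    print(find_decoy_redirect(SAMPLE_TRANSACTIONS))
```

A hit does not prove the hops are malicious on its own, but it singles out the hosts worth pulling from the incident logs, as the post goes on to do.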

However, I can look at the log files of the incident and I see that the next step is a jump to another compromised site:


This then jumps to the presumed payload site at:


What is the payload... errr.. I don't know. The incident logs come up with a generic detection and my query-fu isn't working today. You'll just have to trust me that it's going to be malicious.

The following malicious subdomains are also active on

The simplest thing to do to protect yourself against this particular threat is to use the following blocklist:


Jeremy said...

Smoking gun at the following URL Query report I just submitted for the same IP.


Conrad Longmore said...

@Jeremy.. nice!

Also spotted as Angler EK here: https://twitter.com/malekal_morte/status/448852977764143104

Unknown said...

I was able to identify a payload for anyone interested originating from http://bkbr[dot]beuqnyrtz[dot]com/beq9klfi06.

MobileOptionPack.com (MZ header) - 8c3230a7f5543547ddb3addd35ea1e9105be2986f1aedb4b20ef17d73f16488c


It was located in the AppData\Roaming\MobileOptionPack\ folder. I can't verify this is always the folder/filename.

The MZ file had a modified timestamp.

Hope this helps.