// #MalwareMustDie!!
// Cool Exploit Kit infectors
// components downloaded log..
// via shell + fetch @ FreeBSD (UNIX rocks!)
// @unixfreaxjp

/malware]$ date
Mon Jan 14 21:14:07 JST 2013

--19:52:00--  h00p://50f31ac55ce66.hypnotherapyaz.com/news/tentative.jar
           => `tentative.jar.1'
Resolving 50f31ac55ce66.hypnotherapyaz.com... seconds 0.00, 64.120.190.183
Caching 50f31ac55ce66.hypnotherapyaz.com => 64.120.190.183
Connecting to 50f31ac55ce66.hypnotherapyaz.com|64.120.190.183|:80... seconds 0.00, connected.
GET /news/tentative.jar HTTP/1.0
Referer: h00p://50f31ac55ce66.hypnotherapyaz.com/news/Guilt.phtm
User-Agent: MalwareMustDie Draining Your Cool EK
Host: 50f31ac55ce66.hypnotherapyaz.com
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Mon, 14 Jan 2013 10:52:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.16
:
200 OK
Length: unspecified [text/html]

19:52:03 (338.29 KB/s) - `tentative.jar' saved [24]

--19:55:23--  h00p://50f31ac55ce66.hypnotherapyaz.com/news/Shore_Rightly2.pdf
           => `Shore_Rightly2.pdf'
Resolving 50f31ac55ce66.hypnotherapyaz.com... seconds 0.00, 64.120.190.183
Caching 50f31ac55ce66.hypnotherapyaz.com => 64.120.190.183
Connecting to 50f31ac55ce66.hypnotherapyaz.com|64.120.190.183|:80... seconds 0.00, connected.
---request begin---
GET /news/Shore_Rightly2.pdf HTTP/1.0
Referer: h00p://50f31ac55ce66.hypnotherapyaz.com/news/Guilt.phtm
User-Agent: MalwareMustDie Draining Your Cool EK
Host: 50f31ac55ce66.hypnotherapyaz.com
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Mon, 14 Jan 2013 10:55:24 GMT
Content-Type: application/pdf
Content-Length: 20190
Connection: keep-alive
X-Powered-By: PHP/5.3.16
ETag: "c120d4e2a0483c37298a923b9c73e9d3"
Last-Modified: Mon, 14 Jan 2013 10:55:24 GMT
Accept-Ranges: bytes
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 20,190 (20K) [application/pdf]

19:55:25 (51.64 KB/s) - `Shore_Rightly2.pdf' saved [20190/20190]

--19:57:24--  h00p://50f31ac55ce66.hypnotherapyaz.com/news/live1.pdf
           => `live1.pdf'
Resolving 50f31ac55ce66.hypnotherapyaz.com... seconds 0.00, 64.120.190.183
Caching 50f31ac55ce66.hypnotherapyaz.com => 64.120.190.183
Connecting to 50f31ac55ce66.hypnotherapyaz.com|64.120.190.183|:80... seconds 0.00, connected.
:
GET /news/live1.pdf HTTP/1.0
Referer: h00p://50f31ac55ce66.hypnotherapyaz.com/news/Guilt.phtm
User-Agent: MalwareMustDie Draining Your Cool EK
Host: 50f31ac55ce66.hypnotherapyaz.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Mon, 14 Jan 2013 10:57:25 GMT
Content-Type: application/pdf
Content-Length: 9660
Connection: keep-alive
X-Powered-By: PHP/5.3.16
ETag: "dc7e16b16843aeb59553fbfe774e3247"
Last-Modified: Mon, 14 Jan 2013 10:57:25 GMT
Accept-Ranges: bytes
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 9,660 (9.4K) [application/pdf]

19:57:26 (32.43 KB/s) - `live1.pdf' saved [9660/9660]

--19:59:37--  h00p://50f31ac55ce66.hypnotherapyaz.com/news/INDUSTRIAL1.SWF
           => `INDUSTRIAL1.SWF'
Resolving 50f31ac55ce66.hypnotherapyaz.com... seconds 0.00, 64.120.190.183
Caching 50f31ac55ce66.hypnotherapyaz.com => 64.120.190.183
Connecting to 50f31ac55ce66.hypnotherapyaz.com|64.120.190.183|:80... seconds 0.00, connected.
:
GET /news/INDUSTRIAL1.SWF HTTP/1.0
Referer: h00p://50f31ac55ce66.hypnotherapyaz.com/news/Guilt.phtm
User-Agent: MalwareMustDie Draining Your Cool EK
Host: 50f31ac55ce66.hypnotherapyaz.com
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Mon, 14 Jan 2013 10:59:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.16
:
200 OK
Length: unspecified [text/html]

19:59:38 (81.36 MB/s) - `INDUSTRIAL1.SWF' saved [7245]

--- #MalwareMustDie!
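Two of the four fetches in the log above did not return the component the filename promises: the .jar came back as 24 bytes of text/html and the .SWF as 7245 bytes of text/html, while both PDFs arrived as application/pdf with a Content-Length that matches the bytes saved. An exploit-kit gate that is not satisfied with the request, or a URL that has already been consumed, commonly answers with a stub page instead of the payload, so checking extension against Content-Type and declared against saved size belongs in any review of a fetch log like this one. The following is an added example, not part of the original log or of MalwareMustDie's tooling: a parser for wget's verbose output that flags those three conditions. The regexes and the EXPECTED_MIME table are my assumptions; SAMPLE_LOG is a constructed, trimmed copy of three entries from the log above.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample: three of the four fetches from the log above, trimmed to the
# lines the parser needs (the "h00p" defanging is kept exactly as the log has it).
SAMPLE_LOG = """\
--19:52:00--  h00p://50f31ac55ce66.hypnotherapyaz.com/news/tentative.jar
           => `tentative.jar'
Connecting to 50f31ac55ce66.hypnotherapyaz.com|64.120.190.183|:80... seconds 0.00, connected.
GET /news/tentative.jar HTTP/1.0
Referer: h00p://50f31ac55ce66.hypnotherapyaz.com/news/Guilt.phtm
User-Agent: MalwareMustDie Draining Your Cool EK
HTTP/1.1 200 OK
Server: nginx/1.2.6
Content-Type: text/html
Length: unspecified [text/html]
19:52:03 (338.29 KB/s) - `tentative.jar' saved [24]
--19:55:23--  h00p://50f31ac55ce66.hypnotherapyaz.com/news/Shore_Rightly2.pdf
           => `Shore_Rightly2.pdf'
Connecting to 50f31ac55ce66.hypnotherapyaz.com|64.120.190.183|:80... seconds 0.00, connected.
GET /news/Shore_Rightly2.pdf HTTP/1.0
HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Length: 20190
ETag: "c120d4e2a0483c37298a923b9c73e9d3"
19:55:25 (51.64 KB/s) - `Shore_Rightly2.pdf' saved [20190/20190]
--19:59:37--  h00p://50f31ac55ce66.hypnotherapyaz.com/news/INDUSTRIAL1.SWF
           => `INDUSTRIAL1.SWF'
Connecting to 50f31ac55ce66.hypnotherapyaz.com|64.120.190.183|:80... seconds 0.00, connected.
GET /news/INDUSTRIAL1.SWF HTTP/1.0
HTTP/1.1 200 OK
Content-Type: text/html
19:59:38 (81.36 MB/s) - `INDUSTRIAL1.SWF' saved [7245]
"""

START = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")          # "--HH:MM:SS--  <url>"
CONNECT = re.compile(r"^Connecting to .*\|([\d.]+)\|:(\d+)")  # resolved ip and port
HEADER = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*)$")        # request/response header
SAVED = re.compile(r"saved \[(\d+)(?:/(\d+))?\]")             # "saved [got/declared]"

# Assumed: what a real download of each component type should be served as.
EXPECTED_MIME = {
    ".jar": {"application/java-archive", "application/x-java-archive", "application/octet-stream"},
    ".pdf": {"application/pdf"},
    ".swf": {"application/x-shockwave-flash"},
}


def _path(url):
    # urlsplit is happiest with a real scheme; undo the h00p defanging just for parsing
    return urlsplit(url.replace("h00p://", "http://", 1)).path


def parse_wget_log(text):
    """Split wget -d/-S output into one dict per fetch: url, ip, port, headers, saved, declared."""
    entries, cur = [], None
    for line in text.splitlines():
        if (m := START.match(line)):
            cur = {"url": m.group(1), "ip": None, "port": None, "headers": {},
                   "saved": None, "declared": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := CONNECT.match(line)):
            cur["ip"], cur["port"] = m.group(1), int(m.group(2))
        elif (m := SAVED.search(line)):
            cur["saved"] = int(m.group(1))
            cur["declared"] = int(m.group(2)) if m.group(2) else None
        elif (m := HEADER.match(line)):
            # request and response headers share one map; only the response's
            # Content-Type / Content-Length are consulted below
            cur["headers"][m.group(1).lower()] = m.group(2).strip()
    return entries


def check_entry(e):
    """Return the reasons this fetch does not look like a real payload download."""
    findings = []
    ext = os.path.splitext(_path(e["url"]))[1].lower()
    ctype = e["headers"].get("content-type", "").split(";")[0].strip().lower()
    expected = EXPECTED_MIME.get(ext)
    if expected and ctype and ctype not in expected:
        findings.append(f"mime-mismatch: {ext} served as {ctype}")
    if e["saved"] is not None and e["saved"] < 100:
        findings.append(f"stub-body: only {e['saved']} bytes")
    declared = e["declared"]
    if declared is None and "content-length" in e["headers"]:
        declared = int(e["headers"]["content-length"])
    if declared is not None and e["saved"] is not None and e["saved"] != declared:
        findings.append(f"truncated: {e['saved']}/{declared} bytes")
    return findings


def audit(text):
    """Map each fetched path to its findings; an empty list means the fetch looks clean."""
    return {_path(e["url"]): check_entry(e) for e in parse_wget_log(text)}


if __name__ == "__main__":
    for path, findings in audit(SAMPLE_LOG).items():
        print(path, "->", findings or "ok")
```

Run against the sample, the two PDF-style entries pass and the .jar and .SWF entries are reported as served with the wrong type; a flagged fetch should be repeated with the Referer and User-Agent a victim browser would send before concluding the component is gone.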