MySpace Flux malware

2007-06-27, 03:40

- http://isc.sans.org/diary.html?storyid=3060
Last Updated: 2007-06-26 22:44:49 UTC ...(Version: 2)
"...A number of MySpace profiles include drive by exploits. The exploits will install a version of "flux bot", a very popular proxy network bot.
FluxBot (aka "Fast-Flux") is typically used to hide phishing and malware delivery sites behind complex ever changing networks of proxy servers... The actual exploit/malware is served via an existing flux network... once it's all set and done, you will be a proud new member of the flux net and soon you will find your system to participate in phishing and similar endeavours.
Couple IPs that may be worthwhile to block:
AS13767 |
AS15083 |
AS25761 |
AS25761 | ..."


2007-06-29, 14:12

MySpace Phish/Drive-by attack vector propagating Fast Flux network growth
- http://isc.sans.org/diary.html?storyid=3060
Last Updated: 2007-06-29 01:13:26 UTC ~ "Two primary infection vectors have been observed providing us with unique insight into the life cycle involved in propagating a fast flux service network. The attack vectors include:
* Compromised MySpace Member profiles redirecting to phishing sites...
* SWF Flash image malicious redirection to Phishing and drive-by browser exploit attempt.
All Flash redirects were observed redirecting browsers... The successful compromise of a Windows host via this exploit content results in the download of a malicious downloader stub executable (session.exe) that is then responsible for attempting to download additional malicious components necessary for integration of new compromised hosts into a fast flux service network..."
(More detail at the URL above.)

- http://preview.tinyurl.com/yvq6bv
June 28, 2007 (InfoWorld) - "...Two components comprise the attack. It attempts to install malicious botnet software on victims' computers, and it uses these infected computers to try to steal MySpace credentials in a phishing attack. Computers that are compromised by the attack become infected with malicious botnet software known as "flux bot," which makes them unwitting participants in the phishing scam. After the malicious Web site attempts to install the flux bot code, it then presents victims with a fake MySpace.com login page, which tries to extract their MySpace.com user name and password... Because MySpace.com allows users to install their own HTML code and is visited by such a large number of technically unsophisticated users, it has become an attractive target for these types of attacks..."


2007-07-11, 13:29

- http://www.theregister.com/2007/07/11/fast_flux_botnet/page2.html
11 July 2007 - "...By design, fast-flux bot nets last much longer and, just by their ability to outlive IRC-based bot nets, will likely soon make up the majority of attack networks on the Internet..."

> http://en.wikipedia.org/wiki/Fast_flux
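
Added example (not part of the thread or of any quoted source): a detection sketch for the fast-flux behaviour described above, where one hostname is served from an ever-changing set of proxy hosts. It summarises passive-DNS answers per name and flags names that rotate across many addresses and many networks on short TTLs. The thresholds, function names and all sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Illustrative thresholds (assumptions; tune against your own resolver logs).
MAX_TTL = 300   # flux A records are republished with short TTLs
MIN_IPS = 5     # distinct addresses returned for one name in the window
MIN_ASNS = 3    # flux proxies sit on unrelated networks

# Constructed passive-DNS rows: (epoch_seconds, qname, a_record, ttl, origin_asn).
# Reserved .example names, documentation address ranges, private-use ASNs.
OBSERVATIONS = [
    (0,    "login.flux.example", "192.0.2.10",    120, 64512),
    (180,  "login.flux.example", "198.51.100.7",  120, 64513),
    (360,  "login.flux.example", "203.0.113.44",  180, 64514),
    (540,  "login.flux.example", "192.0.2.93",    120, 64512),
    (720,  "login.flux.example", "198.51.100.61", 120, 64515),
    (900,  "login.flux.example", "203.0.113.5",   120, 64514),
    # Single-network pool: many addresses and short TTLs, but one ASN.
    (0,    "static.cdn.example", "192.0.2.200",   60,  64600),
    (60,   "static.cdn.example", "192.0.2.201",   60,  64600),
    (120,  "static.cdn.example", "192.0.2.202",   60,  64600),
    (180,  "static.cdn.example", "192.0.2.203",   60,  64600),
    (240,  "static.cdn.example", "192.0.2.204",   60,  64600),
    # Ordinary site: one address, long TTL.
    (0,    "www.stable.example", "198.51.100.80", 86400, 64700),
    (1800, "www.stable.example", "198.51.100.80", 86400, 64700),
]

def summarise(observations, window=3600):
    """Per name: distinct IPs, distinct ASNs and largest TTL within the window."""
    first_seen = {}
    stats = defaultdict(lambda: {"ips": set(), "asns": set(), "max_ttl": 0})
    for ts, name, ip, ttl, asn in sorted(observations):
        if ts - first_seen.setdefault(name, ts) > window:
            continue  # outside the observation window for this name
        entry = stats[name]
        entry["ips"].add(ip)
        entry["asns"].add(asn)
        entry["max_ttl"] = max(entry["max_ttl"], ttl)
    return stats

def flag_fast_flux(observations, window=3600):
    """Names whose answers rotate over many hosts and networks on short TTLs."""
    return sorted(
        name for name, s in summarise(observations, window).items()
        if s["max_ttl"] <= MAX_TTL
        and len(s["ips"]) >= MIN_IPS
        and len(s["asns"]) >= MIN_ASNS
    )
```

Requiring network diversity in addition to address count and TTL is what keeps the single-network pool in the sample data from being flagged alongside the flux name.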