
SANS ISC: yl18.net part II - SANS Internet Storm Center


yl18.net part II

As handlers we tend to have a tiny stubborn streak. No really, we do; just ask our respective partners, they'll confirm it. So in the fine tradition of "I wonder what else is going on", I dug a little bit further.

The more I looked, the more familiar it seemed. Remember the Super Bowl infection back in February? Mass defacement using SQL injection, downloading a file (although almost everything does that nowadays), a script named #.js, etc. It all sounded a bit the same. So was there a link?

Seems there might be at that. There are various sites that will let you look up which other sites are, or were, hosted on a particular IP address. Looking up the address that yl18.net points at shows that the other web sites hosted on the same server as yl18.net are:

  • 137wg.com
  • Worldofwarcraftn.com
  • Zj5173.com

A quick Google search will show you that 137wg.com and Zj5173.com were used in the Super Bowl defacements. The warcraft site might be legitimate, but so far it is three against one on the server.

When you look at the title of the site 137wg.com you will find a reference to the newasp.com.cn domain (remember ANI?).

Following the yellow brick road on yl18.net, you end up adding to the counter hosted in the cnzz.com domain, strangely familiar from both the Super Bowl and ANI issues earlier this year. So it would seem that there may be a link.

The good news so far is that the executable being downloaded seems to be detected by most AV products. The sad news is that when I checked the other day the number of infected sites was about 30K, and it is now about 52K.

If you use URL blockers in your organisation, then you may want to block the four domains; your users will be protected for at least the next little while.
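The co-hosting pivot described above (find the other sites on the same IP, count how many are already tied to a known campaign, then decide what to block) is easy to script once you have the lookup results in hand. The following is an added example, not code from the diary or from the ISC: the domain-to-IP records, the known-bad membership and the 192.0.2.0/24 addresses are constructed placeholders standing in for a real reverse-IP or passive-DNS lookup, and the blocklist format is a plain one-domain-per-line list rather than any particular product's syntax.

```python
"""
Co-hosting pivot: group domains by the IP they resolve to, score the
cluster around a seed domain against domains already tied to a known
campaign, and emit a blocklist for a URL filter.

Added example, not code from the ISC diary. The resolution records, the
known-bad list and the 192.0.2.0/24 addresses are constructed
placeholders, not live lookup results.
"""
from collections import defaultdict


# Constructed stand-in for the output of a reverse-IP / passive-DNS lookup:
# domain -> IPv4 address it resolved to. 192.0.2.x is documentation space.
RESOLUTIONS = {
    "yl18.net": "192.0.2.10",
    "137wg.com": "192.0.2.10",
    "Worldofwarcraftn.com": "192.0.2.10",
    "Zj5173.com": "192.0.2.10",
    "example.org": "192.0.2.20",
}

# Domains the diary ties to the earlier Super Bowl defacements (constructed
# list for the example; keep this to what your own evidence supports).
KNOWN_BAD = {"137wg.com", "zj5173.com"}


def normalize(domain):
    """DNS names are case-insensitive; compare them in one canonical form."""
    return domain.strip().rstrip(".").lower()


def by_ip(resolutions):
    """Invert domain -> IP into IP -> set of normalized domains."""
    groups = defaultdict(set)
    for domain, ip in resolutions.items():
        groups[ip].add(normalize(domain))
    return groups


def cohosted(resolutions, seed):
    """Domains sharing the seed's IP, seed included. Empty if seed is unknown."""
    seed = normalize(seed)
    for domains in by_ip(resolutions).values():
        if seed in domains:
            return set(domains)
    return set()


def score_cluster(resolutions, seed, known_bad):
    """Split the seed's co-hosted neighbours into known-bad and unverified.

    Returns (bad, unverified) as sorted lists; the seed itself is excluded
    from both, since it is the thing under investigation.
    """
    seed = normalize(seed)
    bad_set = {normalize(d) for d in known_bad}
    neighbours = cohosted(resolutions, seed) - {seed}
    bad = sorted(d for d in neighbours if d in bad_set)
    unverified = sorted(d for d in neighbours if d not in bad_set)
    return bad, unverified


def blocklist(resolutions, seed, known_bad):
    """Seed plus every co-hosted domain already tied to the campaign.

    Unverified neighbours are deliberately left out: a shared IP alone is
    weak evidence, and blocking a possibly legitimate site on it is a
    decision for an analyst, not for the script.
    """
    bad, _ = score_cluster(resolutions, seed, known_bad)
    return sorted({normalize(seed), *bad})


if __name__ == "__main__":
    seed = "yl18.net"
    bad, unverified = score_cluster(RESOLUTIONS, seed, KNOWN_BAD)
    print(f"co-hosted with {seed}: {sorted(cohosted(RESOLUTIONS, seed))}")
    print(f"known-bad neighbours: {bad}")
    print(f"unverified neighbours (review manually): {unverified}")
    print("blocklist entries:")
    for d in blocklist(RESOLUTIONS, seed, KNOWN_BAD):
        print(f"  {d}")
```

With the constructed records this reproduces the diary's "three against one": the seed plus two known-bad neighbours against one unverified site. The unverified neighbour is reported separately rather than blocked, which keeps the script from turning a hosting coincidence into an outage for a legitimate site.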

Cheers

Mark  H - Shearwater

