tsnse.cn/i.js

This script, injected via SQL injection, loads an iframe pointing at http://www.gomne.cn/yh.htm

yh.htm carries the same exploits as the page in the previous post, most likely from the same kit.

The exploits download a malicious executable from http://www.at820.cn/wins.exe [VT results]

CWSandbox analysis of wins.exe shows a further download, the rootkit http://www.at820.cn/ie.exe [VT results]

Note that all three domains (tsnse.cn, www.gomne.cn and www.at820.cn) resolve to the same IP address, 120.50.35.138.
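As an added example (not part of the original post), here is a small defender-side check that scans a page for remote script/iframe includes, flags those on the hosts listed above, and clusters the remaining hosts by resolved IP so that anything sharing the 120.50.35.138 address is surfaced too. The sample HTML and the `RESOLVE` lookup table are constructed stand-ins for a real page and real DNS answers.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicator list taken from the post above.
KNOWN_BAD_HOSTS = {"tsnse.cn", "www.gomne.cn", "www.at820.cn"}

# Constructed stand-in for DNS lookups; the post reports all three hosts on one IP.
RESOLVE = {
    "tsnse.cn": "120.50.35.138",
    "www.gomne.cn": "120.50.35.138",
    "www.at820.cn": "120.50.35.138",
    "www.example.com": "192.0.2.10",  # benign control host, constructed
}

# Constructed sample page carrying the injected include plus a hidden iframe.
SAMPLE_HTML = """
<html><body><h1>Shop</h1>
<script src="http://tsnse.cn/i.js"></script>
<iframe src="http://www.gomne.cn/yh.htm" width="0" height="0"></iframe>
<script src="http://www.example.com/app.js"></script>
</body></html>
"""

TAG_RE = re.compile(r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def external_includes(html):
    """Return (tag, host, url) for every script/iframe that loads from a remote host."""
    out = []
    for tag, url in TAG_RE.findall(html):
        host = urlparse(url).hostname
        if host:
            out.append((tag.lower(), host.lower(), url))
    return out

def flag_includes(html, resolve=RESOLVE):
    """Flag includes on a known-bad host, and cluster every host by IP so that
    hosts sharing an address with a known-bad one are surfaced as well."""
    bad_ips = {resolve[h] for h in KNOWN_BAD_HOSTS if h in resolve}
    hits, by_ip = [], defaultdict(set)
    for tag, host, url in external_includes(html):
        ip = resolve.get(host)
        by_ip[ip].add(host)
        if host in KNOWN_BAD_HOSTS or ip in bad_ips:
            hits.append((tag, host, ip))
    return hits, dict(by_ip)

if __name__ == "__main__":
    for tag, host, ip in flag_includes(SAMPLE_HTML)[0]:
        print(f"suspicious {tag} include from {host} ({ip})")
```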
