Sweet Orange on ginblossoms[.]net leads to Fareit with a side of Fake AV


The injected iframe :

ginblossoms-net-iframe(rockcenter.law.stanford.edu also appears to be compromised and used to spread pharmajunk)

Landing page: avbhrewsw.sytes[.]net:9101/image/press.php?delicious=82
A copy pasted here for your review: [pastebin]

.jar: avbhrewsw.sytes[.]net:9101/image/WhKZF.jar

Encoded binary: gbdfcqhdzk.sytes[.]net:9101 /adclick.php?soma=338&django=4&power=550&premiere=171&soft=154&skin=388&page=675&flash=618&info=324&browse=891518899

Fareit ‘s POST checkin and additional binary download using fake user agent Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)



Also observed requests using fake user agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

  • twinkcam[.]net/images/s.php?id=214
  • cinnamyn[.]com/images/s.php?id=214

(Gin Blossoms and colleagues at Rackspace have been notified to help get the site cleaned up)