When bad people/bots attack

In some of our logs, we come across some of the more interesting things people try to jam into our forms. The examples below have some, well, interesting aspects to them.


<a href= http://6.exefiles.cn/adduserexe-resource-kit.html &rt;adduser.exe resource kit</a&rt;
[url=http://6.exefiles.cn/adduserexe-resource-kit.html]adduser.exe resource kit[/url] <a href= http://7.microsoft-security.cn/ntfrsexe.html &rt;ntfrs.exe</a&rt;
[url=http://7.microsoft-security.cn/ntfrsexe.html]ntfrs.exe[/url] <a href= http://7.exefiles.cn/jammerexe.html &rt;jammer.exe</a&rt;
[url=http://7.exefiles.cn/jammerexe.html]jammer.exe[/url]
<a href= http://7.exefiles.cn/piv-pivbrowardschoolscom-pivexe.html &rt;piv piv.browardschools.com piv.exe</a&rt;
[url=http://7.exefiles.cn/piv-pivbrowardschoolscom-pivexe.html]piv piv.browardschools.com piv.exe[/url] <a href= http://10.antyspyware.cn/spdbvexe.html &rt;spdbv.exe</a&rt;
[url=http://10.antyspyware.cn/spdbvexe.html]spdbv.exe[/url] <a href= http://5.exefiles.cn/regenv32-has-caused-an-error-in-regenv32exe.html &rt;regenv32 has caused an error in regenv32.exe</a&rt;
[url=http://5.exefiles.cn/regenv32-has-caused-an-error-in-regenv32exe.html]regenv32 has caused an error in regenv32.exe[/url] <a href= http://9.antyspyware.cn/age-of-empires-2-crackexe.html &rt;age of empires 2 crack.exe</a&rt;
[url=http://9.antyspyware.cn/age-of-empires-2-crackexe.html]age of empires 2 crack.exe[/url] <a href= http://3.microsoft-security.cn/g2a_customerexe.html &rt;g2a_customer.exe</a&rt;
[url=http://3.microsoft-security.cn/g2a_customerexe.html]g2a_customer.exe[/url] <a href= http://9.exefiles.cn/qsliceexe.html &rt;qslice.exe</a&rt;
[url=http://9.exefiles.cn/qsliceexe.html]qslice.exe[/url] <a href= http://9.antyspyware.cn/wewb32exe.html &rt;wewb32.exe</a&rt;
[url=http://9.antyspyware.cn/wewb32exe.html]wewb32.exe[/url]

First: if you have a Windows machine, UNDER NO CIRCUMSTANCES WHATSOEVER SHOULD YOU CUT AND PASTE ANY OF THESE LINKS, OR VISIT THEM FOR ANY REASON. If you fail to heed this free advice, you may lose control of your machine.

Second: Hmmm ….

What things do we notice about this attack (from our log)?

Well there is the TLD, and the misspelled domains, and …

… the attempt to inject binary executables into the run stream, assuming that we are running a Microsoft templated system.
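One way to turn those observations into a check on incoming form submissions, as an added example that is not code from the original post: the scorer below looks for the traits visible in the payload (the same link emitted as both an HTML anchor and a BBCode tag, the malformed `&rt;` entity, executable names in the link text, many links in one field, and links to a watchlist of TLDs). The hostnames in the sample are placeholders under the reserved `.example` domain, and the watched-TLD set is a site policy assumption rather than anything the post prescribes.

```python
import re
from urllib.parse import urlparse

# Patterns modelled on the payload quoted above: HTML anchors closed with the
# malformed entity "&rt;", BBCode [url=...] tags, and link text naming .exe files.
HTML_ANCHOR = re.compile(
    r"<a\s+href=\s*[\"']?(https?://\S+?)[\"']?\s*(?:&rt;|&gt;|>)", re.IGNORECASE
)
BBCODE_URL = re.compile(r"\[url=([^\]\s]+)\]", re.IGNORECASE)
EXE_NAME = re.compile(r"\b[\w.-]+\.exe\b", re.IGNORECASE)
BROKEN_ENTITY = re.compile(r"&rt;")

# Policy assumption (not from the post): TLDs that are unusual for this site's
# legitimate users and therefore add to the score when links point there.
WATCHED_TLDS = {"cn"}


def extract_urls(text: str) -> list[str]:
    """Return every URL found in HTML anchors or BBCode tags, in order."""
    return HTML_ANCHOR.findall(text) + BBCODE_URL.findall(text)


def tld_of(host: str) -> str:
    """Last DNS label of a hostname, lower-cased ('' if there is no dot)."""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def score_submission(text: str, watched_tlds: set[str] = WATCHED_TLDS) -> dict:
    """Score one form field for the link-spam pattern described in the post.

    Returns the numeric score, a verdict, the reasons that contributed, and the
    distinct hosts seen, so a reviewer can see why a submission was flagged.
    """
    html_urls = set(HTML_ANCHOR.findall(text))
    bb_urls = set(BBCODE_URL.findall(text))
    urls = extract_urls(text)
    hosts = sorted({urlparse(u).hostname or "" for u in urls})
    exes = sorted({m.lower() for m in EXE_NAME.findall(text)})
    reasons = []
    score = 0

    # Many links in a single field is the first sign of a link-drop.
    if len(urls) >= 5:
        score += 2
        reasons.append(f"{len(urls)} links in one field")

    # The same URL emitted as HTML *and* BBCode means the bot is shotgunning
    # markup formats to hit whichever one the target renders.
    if html_urls & bb_urls:
        score += 3
        reasons.append("same URL as both HTML anchor and BBCode tag")

    if BROKEN_ENTITY.search(text):
        score += 2
        reasons.append("malformed '&rt;' entity")

    if exes:
        score += 2
        reasons.append("executable names in link text: " + ", ".join(exes))

    watched = sorted(h for h in hosts if tld_of(h) in watched_tlds)
    if watched:
        score += 1
        reasons.append("links to watched TLDs: " + ", ".join(watched))

    return {"score": score, "spam": score >= 5, "reasons": reasons, "hosts": hosts}


# Constructed samples (not real log data); hosts use the reserved .example domain.
SPAM_SAMPLE = (
    "<a href= http://1.exefiles.example/adduserexe.html &rt;adduser.exe</a&rt; "
    "[url=http://1.exefiles.example/adduserexe.html]adduser.exe[/url] "
    "<a href= http://2.exefiles.example/ntfrsexe.html &rt;ntfrs.exe</a&rt; "
    "[url=http://2.exefiles.example/ntfrsexe.html]ntfrs.exe[/url] "
    "<a href= http://3.exefiles.example/jammerexe.html &rt;jammer.exe</a&rt; "
    "[url=http://3.exefiles.example/jammerexe.html]jammer.exe[/url]"
)
HAM_SAMPLE = "Thanks for the write-up; the related post at https://example.org/post helped too."

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        result = score_submission(sample)
        print(label, result["score"], result["spam"], result["reasons"])
```

The scorer reports reasons rather than a bare verdict so a moderator can tune the weights against real traffic; the watched-TLD rule is deliberately the weakest signal, since a TLD alone says little, while the paired HTML/BBCode markup and the broken entity are strong bot fingerprints.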

Any security folks that want the info from the attempted injection, contact me offline.
