« Using Honeypots to Sniff and Snuff out Botnets, part 2 | Main | Barbarians Inside the Cyber Gates »

2009.01.12

A weekend warrior web exploit?

While examining some events from the past couple weeks, I noticed an interesting anomaly - there was a specific grouping of exploits that only occurred on the weekend!

A couple of us in the research team kicked a few ideas around, and the best hypothesis we could come up with was that most people monitoring IDS systems tend to look at the most recent events first, and hence might never investigate the "older" events.  This makes sense from a "most bang for your buck" standpoint in that sometimes system IPs fluctuate due to DHCP leases, guest users are on your network one day and gone another, and because in general you deal with today's problem and not yesterday's.

I hunted around on a few of our "friendly" customers (those who let us look at their events for research purposes) to see how big a sample I could get to confirm this was indeed occurring.  Below I'll show you three of our appliances where the anomaly can be seen very clearly. 

Just a quick note If you're new to FireEye: We don't use any sort of blacklist to detect these URLs - we simply fingerprint the end host using techniques similar to p0f, and spin up a Virtual Machine that matches its profile.  We then load inside the appropriate browser (from a massive front-end cache) whatever the client actually saw, and then we watch the host VM for malicious changes.  These changes could be something like a DLL altered, a Windows service created, a registry key deleted, etc.  We then declare the object bad and initiate the proper blocking actions.  Because there is not a human driving our browser, none of the changes we detect are user initiated, and hence we have a 0% false positive rate.

Below I'll show screen shots from three devices (the middle two are from the same) that I found had the most obvious pattern, and after that I'll break down the data from a slightly larger set of our customers' detections.

(as always, don't try punching these URLs into your browser as you'll probably get infected)

Exploit1_new

Exploit2_new

Exploit3_new

Exploit4_new

Below is a larger set of data from the handful of appliances I can access, and you can see a pretty obvious trend with shockingly few outliers.  This is definitely one of the more interesting evasion techniques I've seen in use in the wild.  It appears that the exploit servers are reachable from Friday (who works on Fridays?) until about Monday morning. 

(Saturday) 2008-09-27 14:20:57.673 76.74.239.143/wqweqo/
(Saturday) 2008-09-27 14:30:33.707 76.74.154.110/wqweqo/
(Sunday) 2008-09-28 00:58:46.813 76.74.154.110/oaoa1010/co
(Sunday) 2008-09-28 02:18:44.841 76.74.154.110/oaoa1010/co
(Saturday) 2008-10-11 13:30:12.768 76.74.239.143/wqi1wqe4a/c
(Saturday) 2008-10-11 14:29:31.436 76.74.239.143/wqi1wqe4a/c
(Saturday) 2008-10-11 17:45:51.272 76.74.239.143/wqi1wqe4a/c
(Saturday) 2008-10-11 19:28:01.417 76.74.239.143/wqi1wqe4a/c
(Saturday) 2008-10-11 20:03:39.154 76.74.239.143/wqi1wqe4a/c
(Saturday) 2008-10-11 20:31:37.308 76.74.239.143/wqi1wqe4a/c
(Saturday) 2008-10-11 21:04:36.911 76.74.239.143/wqi1wqe4a/c
(Saturday) 2008-10-11 21:23:51.904 76.74.239.143/wqi1wqe4a/c
(Sunday) 2008-10-12 18:41:24.853 76.74.239.45/o0qcqwqio/co
(Sunday) 2008-10-12 18:46:17.653 76.74.239.45/o0qcqwqio/co
(Sunday) 2008-10-12 21:51:53.178 76.74.239.45/o0qcqwqio/co
(Sunday) 2008-10-12 22:28:56.872 76.74.239.45/1weioraoaqx2
(Sunday) 2008-10-12 23:00:37.564 76.74.239.45/o0qcqwqio/co
(Monday) 2008-10-13 02:09:03.218 76.74.239.143/wqi1wqe4a/c
(Monday) 2008-10-13 02:17:07.514 76.74.239.143/wqi1wqe4a/c
(Thursday) 2008-10-16 03:28:39.637 76.74.239.45/rweew1ewiuwe
(Friday) 2008-10-17 01:03:01.938 76.74.239.45/rweew1ewiuwe
(Saturday) 2008-10-18 14:27:37.368 76.74.239.45/rweew1ewiuwe
(Saturday) 2008-10-18 15:19:38.067 76.74.239.143/rweew1ewiuw
(Saturday) 2008-10-18 15:32:22.688 76.74.239.143/rweew1ewiuw
(Saturday) 2008-10-18 18:30:57.89 76.74.239.143/rweew1ewiuw
(Saturday) 2008-10-18 19:42:46.134 76.74.154.110/rweew1ewiuw
(Saturday) 2008-10-18 20:23:38.839 76.74.239.143/rweew1ewiuw
(Saturday) 2008-10-18 20:44:46.298 76.74.239.143/werwue0weri
(Saturday) 2008-10-18 21:29:33.252 76.74.239.143/rweew1ewiuw
(Saturday) 2008-10-18 22:51:48.44 76.74.154.110/rweew1ewiuw
(Saturday) 2008-10-18 23:19:38.418 76.74.239.143/rweew1ewiuw
(Sunday) 2008-10-19 13:26:48.14 76.74.239.143/zqeoriaqoiw
(Sunday) 2008-10-19 18:21:50.214 76.74.239.143/zqeoriaqoiw
(Sunday) 2008-10-19 20:40:41.643 76.74.239.143/eioraaioaqp
(Tuesday) 2008-10-21 00:45:11.004 76.74.239.45/oqweioqwieoq
(Tuesday) 2008-10-21 01:05:58.953 76.74.239.45/oqweioqwieoq
(Tuesday) 2008-10-21 03:08:05.633 76.74.239.45/oqweioqwieoq
(Friday) 2008-10-24 03:20:37.546 76.74.239.143/werweoioiew
(Saturday) 2008-10-25 13:26:50.666 76.74.239.143/zxciozxioer
(Saturday) 2008-10-25 14:13:24.453 76.74.239.143/zxciozxioer
(Saturday) 2008-10-25 14:52:26.283 76.74.239.45/zxciozxioeri
(Saturday) 2008-10-25 19:39:39.448 76.74.154.110/zxciozxioer
(Saturday) 2008-10-25 20:46:11.783 76.74.154.110/zxciozxioer
(Saturday) 2008-10-25 20:58:20.91 76.74.154.110/zxciozxioer
(Saturday) 2008-10-25 21:09:58.632 76.74.239.45/zxciozxioeri
(Saturday) 2008-10-25 21:33:42.667 76.74.154.110/zxciozxioer
(Sunday) 2008-10-26 00:30:45.609 76.74.239.45/zxciozxioeri
(Sunday) 2008-10-26 13:49:24.369 76.74.154.110/xwoiuioxwue
(Sunday) 2008-10-26 14:24:42.328 76.74.239.45/zxciozxioeri
(Sunday) 2008-10-26 14:56:46.40 76.74.239.45/zxciozxioeri
(Sunday) 2008-10-26 15:55:30.114 76.74.239.143/zxciozxioer
(Sunday) 2008-10-26 21:01:17.006 76.74.239.143/zxciozxioer
(Sunday) 2008-10-26 22:42:07.709 76.74.239.143/zxciozxioer
(Sunday) 2008-10-26 22:47:53.892 76.74.239.143/zxciozxioer
(Sunday) 2008-10-26 23:00:36.032 76.74.239.143/zxciozxioer
(Sunday) 2008-10-26 23:24:55.292 76.74.239.143/zxciozxioer
(Monday) 2008-10-27 00:49:50.054 76.74.239.45/zxciozxioeri
(Monday) 2008-10-27 03:29:03.154 76.74.239.45/zxciozxioeri
(Monday) 2008-10-27 04:15:11.204 76.74.239.143/zxciozxioer
(Thursday) 2008-10-30 02:49:18.761 76.74.239.143/weroqwesaou
(Thursday) 2008-10-30 03:28:36.044 76.74.239.45/weroqwesaoui
(Thursday) 2008-10-30 03:34:46.931 76.74.154.110/weroqwesaou
(Thursday) 2008-10-30 05:22:31.861 76.74.154.110/weroqwesaou
(Friday) 2008-10-31 00:50:09.282 76.74.239.143/erwuy4uwqeo
(Saturday) 2008-11-01 14:23:54.682 76.74.154.110/weruoiq/cou
(Saturday) 2008-11-01 15:45:17.192 76.74.154.110/weruoiq/cou
(Saturday) 2008-11-01 16:14:59.938 76.74.154.110/weruoiq/cou
(Saturday) 2008-11-01 16:56:54.934 76.74.239.143/weruoiq/cou
(Friday) 2008-11-07 03:50:29.032 76.74.239.143/weruoiq/cou
(Friday) 2008-11-07 04:23:04.382 76.74.239.143/weruoiq/cou
(Friday) 2008-11-07 06:45:07.725 76.74.239.143/weruoiq/cou
(Saturday) 2008-11-08 15:05:17.321 76.74.239.143/weruoiq/cou
(Saturday) 2008-11-08 16:01:15.609 76.74.239.143/weruoiq/cou
(Saturday) 2008-11-08 17:12:15.481 76.74.239.143/weruoiq/cou
(Saturday) 2008-11-08 17:16:36.326 76.74.239.143/weruoiq/cou
(Saturday) 2008-11-08 17:28:59.741 76.74.239.143/weruoiq/cou
(Saturday) 2008-11-08 18:48:43.138 76.74.239.45/weruoiq/coun
(Saturday) 2008-11-08 19:05:37.917 76.74.239.143/weruoiq/cou
(Sunday) 2008-11-09 14:34:05.45 76.74.239.143/weruoiq/cou
(Sunday) 2008-11-09 14:53:21.64 76.74.239.143/weruoiq/cou
(Sunday) 2008-11-09 15:34:05.373 76.74.239.143/weruoiq/cou
(Sunday) 2008-11-09 19:10:49.585 76.74.239.143/weruoiq/cou
(Wednesday) 2008-11-12 01:23:58.496 76.74.239.143/weruoiq/cou
(Wednesday) 2008-11-12 01:37:32.269 76.74.239.143/weruoiq/cou
(Thursday) 2008-11-13 03:58:28.745 76.74.239.143/weruoiq/cou
(Thursday) 2008-11-13 04:15:28.527 76.74.239.143/weruoiq/cou
(Friday) 2008-11-14 02:36:29.826 76.74.239.143/weruoiq/cou
(Friday) 2008-11-14 03:47:03.104 76.74.239.143/weruoiq/cou
(Friday) 2008-11-14 07:25:05.175 76.74.239.143/weruoiq/cou
(Saturday) 2008-11-15 14:08:57.94 76.74.239.143/weruoiq/cou
(Saturday) 2008-11-15 16:46:26.686 76.74.239.143/weruoiq/cou
(Saturday) 2008-11-15 18:50:02.54 76.74.154.110/weruoiq/cou
(Saturday) 2008-11-15 20:17:13.336 76.74.239.143/weruoiq/cou
(Sunday) 2008-11-16 00:39:16.892 76.74.239.143/weroqpqpqow
(Sunday) 2008-11-16 07:11:57.511 76.74.154.110/weruoiq/cou
(Sunday) 2008-11-16 16:07:49.254 76.74.239.143/weruoiq/cou
(Sunday) 2008-11-16 16:25:17.90 76.74.239.143/weruoiq/cou
(Sunday) 2008-11-16 17:20:53.613 76.74.239.143/weruoiq/cou
(Sunday) 2008-11-16 21:55:10.348 76.74.239.143/weruoiq/cou
(Monday) 2008-11-17 00:39:45.013 76.74.154.110/weruoiq/cou
(Sunday) 2008-12-21 23:51:58.678 76.74.239.143/doewiruweo/
(Monday) 2008-12-22 00:05:21.097 76.74.239.143/doewiruweo/
(Monday) 2008-12-22 01:49:25.35 76.74.239.143/doewiruweo/
(Monday) 2008-12-22 02:11:58.426 76.74.154.110/doewiruweo/
(Monday) 2008-12-22 02:14:29.785 76.74.154.110/doewiruweo/
(Monday) 2008-12-22 02:59:24.721 76.74.239.143/doewiruweo/
(Monday) 2008-12-22 03:25:09.185 76.74.239.45/doewiruweo/c
(Monday) 2008-12-22 03:58:08.662 76.74.239.143/doewiruweo/
(Monday) 2008-12-22 04:07:40.181 76.74.154.110/doewiruweo/
(Monday) 2008-12-22 05:00:20.957 76.74.154.110/doewiruweo/
(Monday) 2008-12-22 05:54:12.135 76.74.154.110/doewiruweo/
(Monday) 2008-12-22 07:03:37.655 76.74.154.110/doewiruweo/
(Monday) 2008-12-22 07:39:18.155 76.74.239.143/doewiruweo/
(Wednesday) 2008-12-24 05:49:29.785 76.74.239.45/doewiruweo/c
(Wednesday) 2008-12-24 07:55:17.728 76.74.154.110/doewiruweo/
(Friday) 2008-12-26 01:57:36.086 76.74.239.143/dqweoiruweo
(Friday) 2008-12-26 02:20:34.11 76.74.239.45/dqweoiruweoi
(Friday) 2008-12-26 02:52:10.997 76.74.239.45/dqweoiruweoi
(Friday) 2008-12-26 07:57:39.996 76.74.239.143/dqweoiruweo
(Saturday) 2008-12-27 16:17:27.945 76.74.239.45/dqweoiruweoi
(Saturday) 2008-12-27 16:27:26.856 76.74.239.45/dqweoiruweoi
(Saturday) 2008-12-27 16:53:12.521 76.74.239.45/dqweoiruweoi
(Saturday) 2008-12-27 17:01:16.519 76.74.239.45/dqweoiruweoi
(Saturday) 2008-12-27 17:45:48.793 76.74.239.143/dqweoiruweo
(Saturday) 2008-12-27 17:52:40.499 76.74.239.143/dqweoiruweo
(Saturday) 2008-12-27 18:04:55.995 76.74.239.45/dqweoiruweoi
(Saturday) 2008-12-27 18:28:51.772 76.74.154.110/dqweoiruweo
(Saturday) 2008-12-27 19:08:48.447 76.74.239.45/dqweoiruweoi
(Saturday) 2008-12-27 21:01:50.595 76.74.239.143/dqweoiruweo
(Saturday) 2008-12-27 21:10:06.055 76.74.239.143/dqweoiruweo
(Saturday) 2008-12-27 21:22:19.105 76.74.239.143/dqweoiruweo
(Saturday) 2008-12-27 22:16:43.26 76.74.239.143/dqweoiruweo
(Saturday) 2008-12-27 22:40:48.978 76.74.239.143/dqweoiruweo
(Sunday) 2008-12-28 00:40:57.336 76.74.239.45/dqweoiruweoi
(Sunday) 2008-12-28 03:46:38.189 76.74.154.110/dqweoiruweo
(Sunday) 2008-12-28 03:58:11.958 76.74.239.143/dqweoiruweo
(Sunday) 2008-12-28 07:06:43.592 76.74.239.143/dqweoiruweo
(Sunday) 2008-12-28 16:28:46.26 76.74.239.143/dqweoiruweo
(Sunday) 2008-12-28 16:55:17.97 76.74.239.143/dqweoiruweo
(Sunday) 2008-12-28 17:25:09.96 76.74.154.110/dqweoiruweo
(Sunday) 2008-12-28 17:30:39.923 76.74.239.45/dqweoiruweoi
(Sunday) 2008-12-28 18:37:36.423 76.74.239.143/dqweoiruweo
(Sunday) 2008-12-28 20:20:43.128 76.74.239.143/dqweoiruweo
(Sunday) 2008-12-28 20:28:04.067 76.74.239.143/dqweoiruweo
(Sunday) 2008-12-28 20:49:28.995 76.74.239.45/dqweoiruweoi
(Sunday) 2008-12-28 21:00:24.819 76.74.154.110/dqweoiruweo
(Sunday) 2008-12-28 23:15:12.281 76.74.239.143/dqweoiruweo
(Sunday) 2008-12-28 23:45:13.823 76.74.154.110/dqweoiruweo
(Monday) 2008-12-29 00:40:40.184 76.74.154.110/dqweoiruweo
(Monday) 2008-12-29 01:22:45.735 76.74.239.143/dqweoiruweo
(Monday) 2008-12-29 02:13:45.236 76.74.239.45/dqweoiruweoi
(Monday) 2008-12-29 04:24:41.825 76.74.239.45/dqweoiruweoi
(Monday) 2008-12-29 04:34:36.774 76.74.154.110/dqweoiruweo
(Monday) 2008-12-29 04:48:07.242 76.74.239.143/dqwawoeiuo/
(Monday) 2008-12-29 04:58:32.309 76.74.239.143/dqwawoeiuo/
(Monday) 2008-12-29 05:43:08.981 76.74.239.45/dqweoiruweoi
(Saturday) 2009-01-03 15:29:29.245 76.74.154.110/dqweoiruweo
(Saturday) 2009-01-03 16:07:12.436 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-03 16:09:58.588 76.74.239.45/wroiweurewio
(Saturday) 2009-01-03 16:12:44.31 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-03 16:14:55.383 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-03 16:20:04.347 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-03 16:20:15.628 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-03 16:24:57.546 76.74.239.45/dqwdioewu/co
(Saturday) 2009-01-03 17:42:00.689 76.74.239.45/dqwdioewu/co
(Saturday) 2009-01-03 18:25:50.06 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-03 18:50:29.641 76.74.239.143/wroiweurewi
(Saturday) 2009-01-03 19:09:47.742 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-03 19:14:31.554 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-03 19:33:41.343 76.74.239.45/dqwdioewu/co
(Saturday) 2009-01-03 20:34:11.516 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-03 21:20:29.259 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-03 21:33:24.17 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-03 23:19:16.231 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-03 23:50:54.036 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 00:01:06.765 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 00:15:56.188 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 01:17:06.587 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 01:17:48.301 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 01:30:54.235 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 02:01:21.556 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 02:06:14.414 76.74.239.45/wroiweurewio
(Sunday) 2009-01-04 03:39:51.623 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 03:47:07.429 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 04:00:03.999 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 04:04:13.548 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 04:42:34.663 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 05:19:29.699 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 06:03:30.02 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 06:06:36.937 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 06:37:20.365 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 06:37:43.806 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 06:41:55.564 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 06:44:05.907 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 06:46:38.773 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 07:08:30.085 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 07:51:24.967 76.74.154.110/wroiweurewi
(Sunday) 2009-01-04 15:03:04.338 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 15:13:27.853 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 16:02:40.934 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 16:39:52.555 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 16:44:23.339 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 16:55:11.251 76.74.239.143/wroiweurewi
(Sunday) 2009-01-04 17:07:38.305 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 17:20:40.558 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 17:33:18.692 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 17:36:41.747 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 17:39:38.885 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 17:46:13.267 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 17:50:21.922 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 18:12:35.356 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 18:26:27.867 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 18:31:48.838 76.74.239.45/wroiweurewio
(Sunday) 2009-01-04 19:06:18.037 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-04 19:14:30.579 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 19:23:24.155 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 19:35:33.16 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-04 20:42:26.815 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 20:43:25.458 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 21:18:11.552 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 21:39:13.916 76.74.154.110/wroiweurewi
(Sunday) 2009-01-04 21:42:18.422 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 21:49:48.699 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 21:52:40.33 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 22:24:21.775 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-04 23:10:44.59 76.74.239.45/dqwdioewu/co
(Monday) 2009-01-05 06:01:41.928 76.74.239.143/dqwdioewu/c
(Monday) 2009-01-05 06:50:57.608 76.74.154.110/dqwdioewu/c
(Monday) 2009-01-05 07:41:45.503 76.74.239.45/dqwdioewu/co
(Monday) 2009-01-05 07:56:45.516 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-10 15:07:11.183 76.74.239.143/wroiweurewi
(Saturday) 2009-01-10 15:08:47.963 76.74.239.45/dqwdioewu/co
(Saturday) 2009-01-10 15:20:20.457 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-10 15:49:25.841 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-10 15:54:34.732 76.74.239.45/dqwdioewu/co
(Saturday) 2009-01-10 16:07:02.372 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-10 16:15:50.129 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-10 16:18:23.973 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-10 17:46:01.541 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-10 17:50:33.426 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-10 17:55:36.096 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-10 18:22:18.546 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-10 19:15:22.045 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-10 19:58:00.684 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-10 20:13:12.956 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-10 20:41:00.051 76.74.154.110/dqwdioewu/c
(Saturday) 2009-01-10 20:49:05.16 76.74.239.143/dqwdioewu/c
(Saturday) 2009-01-10 22:52:04.254 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 00:13:23.004 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 01:19:05.703 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 01:47:02.346 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-11 02:53:45.366 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 05:09:04.961 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-11 05:17:28.871 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 05:20:22.901 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 05:57:14.783 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-11 06:52:28.156 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 07:12:07.014 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-11 15:44:11.833 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-11 16:10:05.205 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 16:19:59.123 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-11 17:33:20.144 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-11 17:43:14.385 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-11 18:25:11.942 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-11 19:11:09.862 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 19:32:47.218 76.74.239.45/dqwdioewu/co
(Sunday) 2009-01-11 20:02:13.653 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 20:38:25.218 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-11 21:35:28.027 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 21:37:42.081 76.74.154.110/dqwdioewu/c
(Sunday) 2009-01-11 21:40:03.734 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 23:27:38.12 76.74.239.143/dqwdioewu/c
(Sunday) 2009-01-11 23:53:59.657 76.74.154.110/dqwdioewu/c
(Monday) 2009-01-12 00:47:31.575 76.74.239.143/dqwdioewu/c
(Monday) 2009-01-12 04:00:51.666 76.74.239.45/dqwdioewu/co
(Monday) 2009-01-12 05:11:56.126 76.74.239.143/dqwdioewu/c
(Monday) 2009-01-12 06:25:02.435 76.74.154.110/dqwdioewu/c
(Monday) 2009-01-12 06:36:46.471 76.74.239.143/dqwdioewu/c
(Monday) 2009-01-12 06:55:26.633 76.74.154.110/dqwdioewu/c
(Monday) 2009-01-12 07:02:53.37 76.74.239.143/wroiweurewi
(Monday) 2009-01-12 07:13:57.316 76.74.154.110/dqwdioewu/c
(Monday) 2009-01-12 07:15:03.082 76.74.239.45/dqwdioewu/co
(Monday) 2009-01-12 07:28:45.294 76.74.239.143/wroiweurewi
(Monday) 2009-01-12 07:36:27.021 76.74.154.110/dqwdioewu/c
(Monday) 2009-01-12 07:36:52.517 76.74.239.143/dqwdioewu/c
(Monday) 2009-01-12 07:37:04.573 76.74.239.45/dqwdioewu/co
(Monday) 2009-01-12 07:42:14.292 76.74.154.110/dqwdioewu/c

As always, if you'd like any of the actual exploit data (in .pcap form), simply email the research team.

Alex "Who's got my 3/6/09 Hampton?" Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research [ @ ] fireeye.com

FE Malware Researcher on 2009.01.12 in Exploit Research |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d835018afd53ef010536cb6c2b970c

Listed below are links to weblogs that reference A weekend warrior web exploit?:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.