Malware hosted on 3322.org AGAIN! - SANS Internet Storm Center

Malware hosted on 3322.org AGAIN!
If you google for l61.3322.org you will find LOTS of “script” links to: http://l61DOT3322DOTorg/eDOTjs. That first letter is an L not a 1. Be careful that java script attempts to exploit vulnerabilities in some browsers. Fellow Handler BojanZ stated this about that malicious piece of java: “The attached JS file calls other JS files (from various servers). At least one of them tries to exploit an old vulnerability (MS06-014 - Microsoft Data Access Components (MDAC)). Other JS files redirect the browser to different sites: http://www.777seo.com/seo.php?username=happygold http://www.ovosearch.com/advertising/?ref=happygold http://kikclick.com/portal/?ref=happygold (these are click through affiliate web sites)” 3322.org has hosted malware several times in the past including a element of the zero day word exploit that was reported in 05-2005 http://isc.sans.org/diary.html?storyid=1348 It was also used as the ftp download site for a SAV based worm 12-2005. https://isc.sans.org/diary.html?storyid=1945 Thanks Bryan and Evan for bringing this to our attention. I recommend you monitor your IDS, firewall and other logs for access to l61DOT3322DOTORG if you see any access you should check the systems that accessed it for malware. You may decide to block that site within your enterprise. Many enterprise and educational networks did block 3322.org during the word zero day exploit in 2005.	donald 206 Posts Aug 15th 2007
Thread locked Subscribe	Aug 15th 2007 1 decade ago