funsec mailing list archives
INJ3CT0R.COM
From: Jon Kibler <Jon.Kibler () aset com>
Date: Wed, 04 Nov 2009 09:10:49 -0500
This is an analysis I wrote for Security Focus' Pen Test mailing list. I thought it would be of interest here...

All,

Starting yesterday afternoon, I had a bunch of people begin to ask me about inj3ct0r.com. Google it and you find:

1) "milw0rm.com is dead, inj3ct0r.com is born!"
2) "New BuGTraCk project ( Exploits database ) inj3ct0r.com"

Two red flags right off the bat. (A Bugtrack project? Get real!)

Asking several well connected folks in the industry, only one had ever heard of the site and his opinion was exactly the same as mine: evil site. Any legitimate effort to distribute exploits for defensive purposes would require being known in the industry and being trusted by your peers before there could be a reasonable expectation of site contributions. This is a BIG RED FLAG to have an unknown person taking on such a task.

If you visit the site, it just looks bogus. It has the appearance of a sloppy and incomplete wget of milw0rm, with some editing to make links work and to provide some replacement scripts. The site just looks completely bogus. Another set of big red flags!

Checking inj3ct0r.com's registration record:
----------
whois -h whois.PublicDomainRegistry.com inj3ct0r.com
Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registration Service Provided By: RU@HOSTING
Contact: +7.38526996373

Domain Name: INJ3CT0R.COM

Registrant:
    milw0rm now at inj3ct0r.com
    str0ke aka r00t0ro0t3r      (e-c-h-0 () mail ru)
    Burdenko 43
    inj3ct0r
    Adana,123000
    TR
    Tel. +7.4953216549

Creation Date: 13-Dec-2008
Expiration Date: 13-Dec-2013

Domain servers in listed order:
    ns.secondary.net.ua
    wateam.org.ua

Administrative Contact:
    inj3ct0r
    str0ke aka r00t0ro0t3r      (e-c-h-0 () mail ru)
    Burdenko 43
    inj3ct0r
    Adana,123000
    TR
    Tel. +7.4953216549

Technical Contact:
    inj3ct0r
    str0ke aka r00t0ro0t3r      (e-c-h-0 () mail ru)
    Burdenko 43
    inj3ct0r
    Adana,123000
    TR
    Tel. +7.4953216549

Billing Contact:
    inj3ct0r
    str0ke aka r00t0ro0t3r      (e-c-h-0 () mail ru)
    Burdenko 43
    inj3ct0r
    Adana,123000
    TR
    Tel. +7.4953216549

Status:ACTIVE
----------

Okay, how many red flags do we see here?

1) Claims to be owned by str0ke.
2) Has a .ru email address.
3) Has a claimed TR address (.ru + TR has been a past RBN clue).
4) Is trying to associate itself with milw0rm.

And those are just the red flags that I see without doing any more research!

Next, where is the site hosted?
----------
$ host www.inj3ct0r.com
www.inj3ct0r.com is an alias for inj3ct0r.com.
inj3ct0r.com has address 77.120.101.8
$ wip 77.120.101.8
checking whois.arin.net...
checking whois.ripe.net...
inetnum:        77.120.101.0 - 77.120.101.255
netname:        VOLIA-DC
descr:          Volia DC colocation #6
remarks:        Send spam reports to: abuse () dc volia com
country:        UA
admin-c:        VDCA-RIPE
tech-c:         VDCT-RIPE
status:         ASSIGNED PA
mnt-by:         VOLIA-DC-MNT
source:         RIPE # Filtered

person:         Volia DC Admin contact
address:        Ukraine, Kiev
phone:          +38 044 2852716
abuse-mailbox:  abuse () dc volia com
nic-hdl:        VDCA-RIPE
mnt-by:         VOLIA-DC-MNT
source:         RIPE # Filtered
----------

Hosted in Kiev, UA. Not a good sign.

Everything about the site looks and smells suspect. As it is said... "If it looks like a duck, and it quacks like a duck, then it is probably a duck."

In my professional opinion, everything about this site is "wrong." I would strongly recommend avoiding it. It just looks too bogus and it is trying too hard to appear legitimate, but no one knows who is behind it. Never trust a site handing out exploits if you don't know who is providing the exploits!

So what could be the purpose of this site? These are only some hypotheses and speculations... no hard evidence to date to back up my thoughts:

1) The site could be phishing for new 0-day exploits that could be used in targeted or widespread attacks by criminal organizations.
2) The site could be modifying known exploits, adding back doors (if you are a script kiddie, are you going to check the embedded shell code?) that hand over compromised boxes to some botnet.
3) A means of infecting systems that visit the site. (No sign of that at this time.)
4) Other?

Bottom line: My recommendation is to avoid this site like the plague.

Also, don't count milw0rm as dead yet. Str0ke had a lot of friends. Let's wait and see if anyone picks up his site and runs with it.

Jon

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler () aset com
e: Jon.R.Kibler () gmail com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
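The registration checks the post runs by hand, written up as a small script (an added example, not code from the post or the funsec list): it parses the registrar whois excerpt quoted above and reports the same internal inconsistencies. The three-entry calling-code table, the 365-day age threshold and the 2009-11-04 assessment date (the post's date) are assumptions made here.

```python
import re
from datetime import datetime

# Registrar whois excerpt as quoted in the post; the archive rewrites '@' in
# addresses as ' () '. Embedded as sample input, not fetched live.
WHOIS_RECORD = """\
Registrant:
    milw0rm now at inj3ct0r.com
    str0ke aka r00t0ro0t3r      (e-c-h-0 () mail ru)
    Burdenko 43
    Adana,123000
    TR
    Tel. +7.4953216549
Creation Date: 13-Dec-2008
Domain servers in listed order:
    ns.secondary.net.ua
    wateam.org.ua
"""

# Minimal ITU calling-code table (assumed) for the countries in the record.
CALLING_CODE = {"TR": "90", "RU": "7", "UA": "380"}

def parse_whois(text):
    """Extract the fields the red-flag checks need; tolerates archive obfuscation."""
    m = re.search(r"\((\S+) \(\) ([^)]+)\)", text)          # "(user () host tld)"
    email = m.group(1) + "@" + ".".join(m.group(2).split()) if m else ""
    reg = re.search(r"Registrant:(.*?)Creation Date", text, re.S).group(1)
    country = re.findall(r"^\s*([A-Z]{2})\s*$", reg, re.M)[-1]
    phone_cc = re.search(r"Tel\.\s*\+(\d+)\.", reg).group(1)
    created = datetime.strptime(
        re.search(r"Creation Date:\s*(\S+)", text).group(1), "%d-%b-%Y").date()
    ns = re.findall(r"^\s+(\S+\.\S+)\s*$", text.split("listed order:")[1], re.M)
    return {"email": email, "country": country, "phone_cc": phone_cc,
            "created": created, "nameservers": ns}

def red_flags(rec, as_of):
    """Return human-readable inconsistencies between the record's own fields."""
    flags, cc = [], rec["country"]
    email_tld = rec["email"].rsplit(".", 1)[-1].upper()
    if len(email_tld) == 2 and email_tld != cc:        # ccTLD mailbox vs. stated country
        flags.append(f"registrant email TLD .{email_tld.lower()} vs country {cc}")
    if CALLING_CODE.get(cc) != rec["phone_cc"]:        # phone prefix vs. stated country
        flags.append(f"phone +{rec['phone_cc']} is not {cc}'s +{CALLING_CODE.get(cc)}")
    age_days = (as_of - rec["created"]).days
    if age_days < 365:                                 # young domain, no track record
        flags.append(f"domain only {age_days} days old at assessment")
    foreign = [n for n in rec["nameservers"] if n.rsplit(".", 1)[-1].upper() != cc]
    if foreign:                                        # nameservers under other ccTLDs
        flags.append("nameservers under other ccTLDs: " + ", ".join(foreign))
    return flags
```

Run against the record above with an assessment date of 2009-11-04, all four checks fire, matching the post's own list of red flags.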