This German site (in-vogue.de) is hosting malware:
Upon execution you might see fireworks (if you are running Process Explorer):
This is poorly written malware, although whoever wrote it made sure it would run after a reboot:
After execution, the malware downloads an additional component from in-vogue.de/Scripts/update.exe (VirusTotal detection: 4 of 42 engines).
Also noticeable are constant pings to 18.104.22.168 (Russian IP).
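As an added example (not code from the original post), the script below checks constructed firewall/proxy log lines for the two indicators just mentioned and, going one step further, for the regular-interval "constant pings" pattern regardless of destination; the log format, internal hosts and timing are assumed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators quoted in the post; treat them as historical, not necessarily live.
BAD_IPS = {"18.104.22.168"}
BAD_URLS = {"in-vogue.de/Scripts/update.exe"}
# Constructed sample log lines, not a real capture (203.0.113.9 is benign filler).
SAMPLE_LOG = """\
2011-02-01T10:00:00 proxy src=10.0.0.5 url=in-vogue.de/Scripts/update.exe
2011-02-01T10:00:05 fw src=10.0.0.5 dst=18.104.22.168 proto=icmp
2011-02-01T10:00:35 fw src=10.0.0.5 dst=18.104.22.168 proto=icmp
2011-02-01T10:01:05 fw src=10.0.0.5 dst=18.104.22.168 proto=icmp
2011-02-01T10:01:35 fw src=10.0.0.5 dst=18.104.22.168 proto=icmp
2011-02-01T10:00:12 fw src=10.0.0.7 dst=203.0.113.9 proto=tcp
2011-02-01T10:03:40 fw src=10.0.0.7 dst=203.0.113.9 proto=tcp
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>proxy|fw) src=(?P<src>\S+)"
                     r"(?: dst=(?P<dst>\S+))?(?: url=(?P<url>\S+))?")

def parse(log):
    """Parse the constructed log format into dicts with datetime timestamps."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events

def ioc_hits(events):
    """Direct matches against the post's two indicators (payload URL, C2 IP)."""
    return ([(e["src"], "C2 " + e["dst"]) for e in events if e["dst"] in BAD_IPS] +
            [(e["src"], "payload " + e["url"]) for e in events if e["url"] in BAD_URLS])

def beacon_candidates(events, min_gaps=3, max_jitter=0.1):
    """Flag src->dst pairs with near-constant inter-arrival times ('constant pings')."""
    times = defaultdict(list)
    for e in events:
        if e["dst"]:
            times[(e["src"], e["dst"])].append(e["ts"])
    found = []
    for pair, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(gaps) >= min_gaps:          # too few samples: no verdict
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                found.append((pair, mean))
    return found
```

The jitter threshold is deliberately loose; real beacons often add random sleep, so tune `max_jitter` against your own baseline before alerting on it.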
The IP leads us to AS41947 known as WEBALTA-AS OAO Webalta.
This ISP is very well known for having all sorts of badness (spam, bots, phishing, exploits).
Google’s Safe Browsing report highlights that “32695 site(s) we tested on this network over the past 90 days, 1905 site(s) served content that resulted in malicious software.”
If you remember, the Wikileaks website was hosted on this Russian Blackhat ISP back in December 2010.
Webalta is enjoying a good run so far but is closely watched by the security community. It will be shut down eventually, but most likely will give birth to another blackhat or bullet-proof ISP.