Home page logo
/

pen-test logo Penetration Testing mailing list archives

Brief Analysis of inj3ct0r.com
From: Jon Kibler <Jon.Kibler () aset com>
Date: Wed, 04 Nov 2009 09:07:39 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Starting yesterday afternoon, I had a bunch of people begin to ask me about
inj3ct0r.com. Google it and you find:

1) "milw0rm.com is dead, inj3ct0r.com is born!"
2) "New BuGTraCk project ( Exploits database ) inj3ct0r.com"

Two red flags right off the bat. (A Bugtrack project? Get real!)


Asking several well connected folks in the industry, only one had ever heard of
the site and his opinion was exactly the same as mine: evil site. Any legitimate
effort to distribute exploits for defensive purposes would require being known
in the industry and being trusted by your peers before there could be a
reasonable expectation of site contributions. This is a BIG RED FLAG to have an
unknown person taking on such a task.

If you visit the site, it just looks bogus. It has the appearance of a sloppy
and incomplete wget of milw0rm, with some editing to make links work and to
provide some replacement scripts. The site just looks completely bogus. Another
set of big red flags!


Checking inj3ct0r.com's registration record:
- ----------
        whois -h whois.PublicDomainRegistry.com inj3ct0r.com
        Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A
PUBLICDOMAINREGISTRY.COM
        Registration Service Provided By: RU () HOSTING
        Contact: +7.38526996373

        Domain Name: INJ3CT0R.COM

        Registrant:
            milw0rm now at inj3ct0r.com
            str0ke aka r00t0ro0t3r        (e-c-h-0 () mail ru)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Creation Date: 13-Dec-2008
        Expiration Date: 13-Dec-2013

        Domain servers in listed order:
            ns.secondary.net.ua
            wateam.org.ua


        Administrative Contact:
            inj3ct0r
            str0ke aka r00t0ro0t3r        (e-c-h-0 () mail ru)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Technical Contact:
            inj3ct0r
            str0ke aka r00t0ro0t3r        (e-c-h-0 () mail ru)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Billing Contact:
            inj3ct0r
            str0ke aka r00t0ro0t3r        (e-c-h-0 () mail ru)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Status:ACTIVE
- ----------

Okay, how many red flags to we see here?

1) Clams to be owned by str0ke.
2) Has a .ru email address.
3) Has a claimed TR address (.ru + TR has been a past RBN clue).
4) Is trying to associate itself with milw0rm.

And those are just the red flags that I see without doing any more research!


Next, where is the site hosted?

- ----------
        $ host www.inj3ct0r.com
        www.inj3ct0r.com is an alias for inj3ct0r.com.
        inj3ct0r.com has address 77.120.101.8

        $ wip 77.120.101.8
        checking whois.arin.net...
        checking whois.ripe.net...

        inetnum:        77.120.101.0 - 77.120.101.255
        netname:        VOLIA-DC
        descr:          Volia DC colocation #6
        remarks:        Send spam reports to: abuse () dc volia com
        country:        UA
        admin-c:        VDCA-RIPE
        tech-c:         VDCT-RIPE
        status:         ASSIGNED PA
        mnt-by:         VOLIA-DC-MNT
        source:         RIPE # Filtered

        person:         Volia DC Admin contact
        address:        Ukraine, Kiev
        phone:          +38 044 2852716
        abuse-mailbox:  abuse () dc volia com
        nic-hdl:        VDCA-RIPE
        mnt-by:         VOLIA-DC-MNT
        source:         RIPE # Filtered
- ----------

Hosted in Kiev, UA. Not a good sign.


Everything about the site looks and smells suspect.

As it is said...
   "If it looks like a duck, and
    it quacks like a duck, then
    it is probably a duck."

In my professional opinion, everything about this site is "wrong." I would
strongly recommend avoiding it. It just looks too bogus and it is trying too
hard to appear legitimate, but no one knows who is behind it.

Never trust a site handing out exploits if you don't know who is providing the
exploits!

So what could be the purpose of this site? These are only some hypothesis and
speculations... no hard evidence to date to back up my thoughts:

1) The site could be phishing for new 0-day exploits that could be used in
targeted or wide spread attacks by criminal organizations.

2) The site could be modifying know exploits, adding back doors (if you are a
script kiddie, are you going to check the embedded shell code?) that had over
compromised boxes to some botnet.

3) A means of infecting systems that visit the site. (No sign of that at this time.)

4) Other?


Bottom line: My recommendation is to avoid this site like the plague.

Also, don't count milw0rm as dead yet. Str0ke had a lot of friends. Let's wait
and see if anyone picks up his site and runs with it.

Jon
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler () aset com
e: Jon.R.Kibler () gmail com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrxiqsACgkQUVxQRc85QlNl4ACdFTyCPjmn8/GyLOgqhh0HuLSO
XC0AnijJsGAfIY/sPkJEqWi7LkvFVjsE
=Cpy5
-----END PGP SIGNATURE-----




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]