Nothing too exciting here, just another example of poor webserver security practices. Glamour-shop(dot)com promises “high quality gifts”.
Instead, it hits you with a WMF exploit which then does all sorts of nasties.
http://glamour-shop(dot)com/backdoor/ – gives you the WMF exploit.
http://glamour-shop(dot)com/down.txt – It apparently pulls the downloaders from here.
And the cache of treasure (don’t run these — bad stuff):
http://glamour-shop(dot)com/stats/bin/bin.exe
http://glamour-shop(dot)com/stats/bin/bin2.exe
http://glamour-shop(dot)com/stats/bin/bin3.exe
http://glamour-shop(dot)com/stats/bin/bin4.exe
http://glamour-shop(dot)com/stats/bin/bin5.exe
Discovered through a pop-up: Our researcher discovered this site from a porn site ad that popped up during research. He followed the link and got hit at the main URL with the WMF exploit.
This site was advertised through a
Thanks to Jarrett Levine in Sunbelt Spyware Research.
Alex Eckelberry