I was looking at some images on Google and browsing this particular site when I noticed an unusual URL request. I did some investigating and found that the request was to a malicious URL: hXXp://hzebw.portrelay.com/jentrate.php

Please note that when I tried automated analysis of the site, using the same referrers and several different scanners, the returned page didn't include jentrate.php. You may also want to see the urlQuery results. Maybe there is a time limit between intervals? Or maybe it's because I'm using a newer version of Firefox?

Basically, like any exploit, the cursor starts flashing and a PDF file is automatically downloaded without any user confirmation. You can only guess what happens next: the downloaded file is immediately run. I didn't want to fiddle with the outcome of running this PDF and terminated it upon execution, but if you want to check it out, the VirusTotal results and the download link are below.

Download the PDF (Password: infected): http://db.tt/GAcOjZhx
VirusTotal (6/45) as of 2013-01-24 01:32:17 UTC
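Before running a dropped PDF like the one above, a practitioner would normally triage it statically. The following Python script is an added example and is not the author's code or any of the tools linked on this page; it counts the PDF name objects that drive-by documents depend on (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile), inflates FlateDecode streams so that keywords tucked into compressed object streams are seen, and resolves #xx name escapes such as /Ja#76aScript. The document it builds when run without arguments is constructed for the demonstration and has nothing to do with the sample from the download link; pass a file path to scan a real file.

```python
import re
import sys
import zlib
from typing import Dict, List

# PDF name objects worth counting before opening an unknown document.
# Drive-by PDFs of this era almost always chain /OpenAction (or /AA) to a
# /JavaScript action; /Launch and /EmbeddedFile are other delivery routes.
SUSPICIOUS_KEYWORDS = [
    "/OpenAction",    # action executed when the document is opened
    "/AA",            # "additional actions", another auto-trigger
    "/JavaScript",    # JavaScript action dictionary
    "/JS",            # the script text or stream itself
    "/Launch",        # run an external program or document
    "/EmbeddedFile",  # file attachment (often a dropped executable)
    "/AcroForm",      # forms, which can also carry scripts
    "/ObjStm",        # object streams: compressed objects that hide keywords
]

_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
_NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def inflate_streams(data: bytes) -> bytes:
    """Replace every zlib-compressed stream body with its inflated content.

    Streams that are not zlib data (images, or filters this heuristic does
    not handle) are left exactly as they were.
    """
    def _repl(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return _STREAM_RE.sub(_repl, data)


def decode_name_escapes(data: bytes) -> bytes:
    """Resolve #hh escapes in name objects, so /Ja#76aScript reads /JavaScript.

    Applied to the whole buffer as a heuristic; binary stream data that
    happens to contain '#xx' is altered too, which is harmless for counting.
    """
    return _NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(pdf_bytes: bytes, inflate: bool = True,
                   decode_names: bool = True) -> Dict[str, int]:
    """Count each suspicious name in the (optionally normalised) PDF."""
    text = inflate_streams(pdf_bytes) if inflate else pdf_bytes
    if decode_names:
        text = decode_name_escapes(text)
    counts: Dict[str, int] = {}
    for kw in SUSPICIOUS_KEYWORDS:
        # A name ends at whitespace or a delimiter, so /JS must not match /JSX.
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        counts[kw] = len(re.findall(pattern, text))
    return counts


def triage(pdf_bytes: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    c = count_keywords(pdf_bytes)
    findings: List[str] = []
    if c["/OpenAction"] or c["/AA"]:
        findings.append("auto-action on open")
    if c["/JavaScript"] or c["/JS"]:
        findings.append("embedded JavaScript")
    if c["/Launch"]:
        findings.append("launch action")
    if c["/EmbeddedFile"]:
        findings.append("embedded file")
    return findings


def build_sample_pdf() -> bytes:
    """Constructed test document (NOT the sample from the post).

    The catalog's /OpenAction points at object 5, which lives inside a
    Flate-compressed object stream and spells its action type /Ja#76aScript,
    so `strings file.pdf | grep JavaScript` finds nothing.
    """
    inner = b"<< /S /Ja#76aScript /JS (app.alert('constructed sample')) >>"
    objstm_data = b"5 0 " + inner          # offset table: object 5 at offset 0
    compressed = zlib.compress(objstm_data)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\n"
        b"stream\n" % len(compressed) + compressed + b"\nendstream",
    ]
    out = b"%PDF-1.5\n"
    for num, obj in enumerate(objects, start=1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for name, n in count_keywords(data).items():
        print(f"{name:<14} {n}")
    print("findings:", triage(data) or "none")
```

On the constructed document a raw keyword count reports no /JavaScript at all; only after inflating the object stream and decoding the #76 escape does the action appear, which is why a plain grep or `strings` pass is not a sufficient check before opening a dropped file.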

Moving along, let's look for more information about jentrate.php. A search on Google reveals that this jentrate.php can be traced back to January 15th and 16th of 2013, so it is very new. The Jsunpack results show us a somewhat familiar buffer overflow script. We also have an analysis on Minotaur and a similar threat on urlQuery. Interesting, no?

Finally, I sent the malicious URL I encountered to urlQuery and was greeted with what I expected. A search on CleanMX reveals many entries for this site. Apparently the domain is also associated with a “jokevity.jar”. Have a look at the Wepawet scan.

For those who wish to dig deeper into the subject, I strongly encourage you to.
~!Donovan