Nine-Ball followup now with video! Part 1
A reader was gracious enough to share some information with me on the events surrounding the compromise of a website of his. The site was compromised via stolen FTP credentials, a technique recently employed by major Internet threats such as Gumblar and Nine-Ball. This will be a two part post.
Let's take a look at what happens to the victim webserver after it gets compromised, and at the malware involved. To make this post more interesting I've decided to deliver my analysis via video! Rather than the standard nerve-grating rock music that people tend to add to videos like this, I have opted for my genre of choice, electronic. I've included VirusTotal results, domains involved, etc. at the end of the post.
Sit back, relax and enjoy the ride.
Domains / URLs involved:
71speed.info
xbx.tw/in.cgi?6
xbx.tw/in.cgi?3
zyejanag.cn/rf/
fvuligir.cn/s/in.cgi?11
84.244.138.58/ts/in.cgi?chtr&5f9d90
esli.tw/load.php?e=1
esli.tw/2/index.php
esli.tw/show.php?s=18f8bc6e98
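If you administer a site that was hit the same way, the first practical question is which files the attacker touched with the stolen FTP login. The script below is an added example written for this page, not the author's tooling: it walks a web root and flags any file that references one of the hosts listed above, plus any 1x1 or zero-size iframe, a generic drive-by injection pattern that is an assumption here rather than something taken from this incident. The two sample pages it scans are constructed for the demo.

```python
"""Scan a web root for references to the IOC domains listed in this post.

Added example for this page, not the original author's code.  The sample
injected page below is constructed for the demo; the real injection used
in this incident is not reproduced here.
"""
import os
import re
import tempfile

# Hosts from the post's domain / URL list.
IOC_DOMAINS = [
    "71speed.info",
    "xbx.tw",
    "zyejanag.cn",
    "fvuligir.cn",
    "84.244.138.58",
    "esli.tw",
]

# Escape the dots so "xbx.tw" does not also match "xbxatw".
IOC_RE = re.compile(
    "(?:" + "|".join(re.escape(d) for d in IOC_DOMAINS) + ")",
    re.IGNORECASE,
)

# Generic sign of an injected hidden iframe: width or height of 0 or 1.
# Assumption for illustration, not a pattern taken from the post.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?\s*[01]\b[^>]*>",
    re.IGNORECASE,
)

SCAN_EXTS = {".html", ".htm", ".php", ".js", ".shtml"}


def scan_text(text):
    """Return a list of (kind, match) findings for one file's content."""
    findings = []
    for m in IOC_RE.finditer(text):
        findings.append(("ioc_domain", m.group(0).lower()))
    for m in HIDDEN_IFRAME_RE.finditer(text):
        findings.append(("hidden_iframe", m.group(0)))
    return findings


def scan_webroot(root):
    """Walk a web root; return {relative_path: findings} for files that hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings = scan_text(fh.read())
            except OSError:
                continue
            if findings:
                hits[os.path.relpath(path, root)] = findings
    return hits


# Constructed samples: one clean page, one with an injected hidden iframe
# pointing at a host from the IOC list.
CLEAN_PAGE = "<html><body><p>Welcome to my site.</p></body></html>\n"
INJECTED_PAGE = (
    "<html><body><p>Welcome to my site.</p>\n"
    '<iframe src="http://xbx.tw/in.cgi?6" width=1 height=1 '
    'style="visibility:hidden"></iframe>\n'
    "</body></html>\n"
)


def demo():
    """Build a throwaway web root with the two sample files and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write(CLEAN_PAGE)
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "blog", "post.html"), "w") as fh:
        fh.write(INJECTED_PAGE)
    return scan_webroot(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for kind, match in findings:
            print("  ", kind, match)
```

Run it against a copy of the web root, not the live tree, and treat a hit as a reason to diff the file against a known-good backup rather than just deleting the iframe: the same FTP session usually also dropped or modified other files. Rotating the FTP credentials and checking the FTP transfer log for the source IP closes the actual entry point.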
Exploits Used:
MDAC -- MS06-014
Adobe Acrobat -- CVE-2008-2992 & CVE-2009-0927
Adobe Flash Player (not sure which one)
Microsoft DirectShow & Office Web Components zero days
Microsoft Snapshot Viewer MS08-041
Payload 1 (VirusTotal, ThreatExpert) -- SilentBanker -- banking trojan
Payload 2 (VirusTotal, ThreatExpert) -- Tedroo -- spambot
