Malware Domain List
Malware Related => Malicious Domains => Topic started by: eoin.miller on November 09, 2009, 05:50:44 pm
-
Site is hosting some nasty stuff.
http://www.redirectcounter1.com/lborzp2.exe (you have to check in before you are able to DL).
Pulled the binary from the pcaps and only 4/41 triggered on VirusTotal:
http://www.virustotal.com/analisis/ea8c35f562103284c582220d32b076e83bb6d0acd0ec79342c017c7bc219adc1-1257433073
ThreatExpert Report:
http://www.threatexpert.com/report.aspx?md5=c23e0f9dd1e61dd54e1814bd225bbd0f
-
Check in ?
-
Yeah, it looks like you have to have checked in to another URL prior to DL'ing (or have a referrer):
http://91.212.127.226/check - Listed in MalwareURL.com
http://91.212.127.227/check - Listed in MalwareURL.com
http://193.169.12.50/check - Listed in MalwareURL.com
http://193.169.12.53/check - NOT listed anywhere currently
If you try to go to the URL for the exe posted previously, it won't let you pull it and spits back this error:
The encoded file /var/www/user/data/www/redirectcounter1.com/load.php is not permissioned for xxx.xxx.xxx.xxx
This is just more Internet Antivirus Pro; we have found it to be pushed by malicious PDFs, and 193.169.12.0/23 seems to be quite suspect.
-
Thanks for the explanation.
-
Interesting...
Fragus exploit pack at:
redirectcounter1.com/news.php
Trojan Alureon (TDSS):
193.169.12.51/trt.exe
193.169.12.53/trt.exe
http://www.virustotal.com/analisis/c1c1980b2e25dabf215db976efd879a91517dd9151467960e300cc173181b755-1257818989 - 17/40 (42.50%)
-
Or you can just remove the www:
www.redirectcounter1.com/load.php
will give "The encoded file /var/www/user/data/www/redirectcounter1.com/load.php is not permissioned for xxx.xxx.xxx.xx",
but redirectcounter1.com/load.php
will not.