Malware Domain List

Malware Related => Malicious Domains => Topic started by: pktguy on November 29, 2011, 07:13:10 pm

Title: More Blackhole Kits
Post by: pktguy on November 29, 2011, 07:13:10 pm

Blackhole serving Zbot

http://y00.sg.tf/2move.php -> http://y00.sg.tf/w.php?f=21&e=10

http://urlquery.net/report.php?id=9954
http://www.virustotal.com/file-scan/report.html?id=2471c69cf5bf154dab1eece4ab24c2648a642e338116e8b4f7f2e53a175986d6-1322571965

Title: Re: More Blackhole Kits
Post by: pktguy on November 29, 2011, 07:27:02 pm

Blackhole serving Cridex

http://bqredret.ru/w.php?f=16&e=3

http://www.virustotal.com/file-scan/report.html?id=d5f68298b81da0d42bbd4cfd517c3610de41c3db53acfbe1ce19c2e41cfc86b9-1322593499

Title: Re: More Blackhole Kits
Post by: pktguy on November 29, 2011, 07:40:51 pm

Blackhole serving unknown malware

http://ucleaned.info/w.php?f=19&e=10

http://www.virustotal.com/file-scan/report.html?id=2d4a6198e070c62649a5cde90c24650edcb0f2b808d414a59c2103f5916c23d8-1322594712

Title: Re: More Blackhole Kits
Post by: pktguy on November 29, 2011, 08:36:51 pm

Blackhole serving fake AV

http://lajhkvnwkqgjkasgoiqrht.c0m.li/w.php?f=17&e=6

http://www.virustotal.com/file-scan/report.html?id=2b259ddbe7b1c8758f129fdc040679653e9b292f8b14240b4b10e2974b5a546c-1322598458

Title: Re: More Blackhole Kits
Post by: pktguy on November 30, 2011, 05:40:12 pm

Blackhole serving fake AV

http://webfaterx.345.pl/w.php?f=28&e=1

http://www.virustotal.com/file-scan/report.html?id=8ce92dd7b1135466df9865d9be1495d95dc4d3d385d5a5711b52335443634d55-1322674139

Title: Re: More Blackhole Kits
Post by: pktguy on December 01, 2011, 05:36:09 pm

Blackhole serving downloader

http://dadrekemufre.in/main.php?page=5c0e7ec144104f94

http://dadrekemufre.in/w.php?f=19&e=0

http://www.virustotal.com/file-scan/report.html?id=2d8a1d452d13acc9e886c2aecf05118826631fdc0335957225e8817522e9dbfe-1322759698

Title: Re: More Blackhole Kits
Post by: pktguy on December 01, 2011, 07:29:22 pm

Blackhole serving downloader

http://ling.luhousing.net/main.php?page=d7e7761fb8451227

http://ling.luhousing.net/w.php?f=94&e=0

http://www.virustotal.com/file-scan/report.html?id=7836fc87f2b67d072d209f480d30cd811134ea7ab80fe7f3f542ca93ffda10f8-1322767169

Title: Re: More Blackhole Kits
Post by: pktguy on December 02, 2011, 10:21:54 pm

Blackhole serving Zero Access
http://trucande.co.cc/main.php?page=9065b71917ffec11
http://trucande.co.cc/w.php?f=18&e=0
http://www.virustotal.com/file-scan/report.html?id=e0ac41f0956561d84994f887dfa1d117b271843dce8f41b7abc5a598d5189a9c-1322841911

Blackhole serving Fake AV
http://caress.the09clinic.net/main.php?page=8ccf35d22df4bc2b
http://caress.the09clinic.net/w.php?f=76&e=0
http://www.virustotal.com/file-scan/report.html?id=fe1b7efdc883c6572134f3df6c13075e962c51116aeaf2f8b975fb90b10eaea8-1322850209

Title: Re: More Blackhole Kits
Post by: handball10 on December 05, 2011, 04:21:14 pm

Blackhole serving Downloader:

xttp://facebook-images.net/main.php

--> http://urlquery.net/report.php?id=10527 (http://urlquery.net/report.php?id=10527)

xttp://facebook-images.net/w.php?f=17&e=2

--> http://www.virustotal.com/file-scan/report.html?id=b8d822eaa147a2b9fabf05627d6800f1a4be5a30d2fc5639edd024047d3eb9e0-1323101395 (http://www.virustotal.com/file-scan/report.html?id=b8d822eaa147a2b9fabf05627d6800f1a4be5a30d2fc5639edd024047d3eb9e0-1323101395)

Title: Re: More Blackhole Kits
Post by: pktguy on December 05, 2011, 05:39:01 pm

Blackhole serving Trojan (likely Cridex)
http://smeliykot.ru/main.php?page=13cdcb8e92b33438
http://smeliykot.ru/w.php?f=17&e=0 HTTP/1.1
http://www.virustotal.com/file-scan/report.html?id=3b8355ace43f7b829277f292999afaafa6b372925c503ea3eefdf5588c605837-1323105531

Blackhole serving ZeroAccess
http://autoinsurancebicentennial.co.cc/main.php?page=9065b71917ffec11
http://autoinsurancebicentennial.co.cc//w.php?f=18&e=0

on same IP
http://autoinsurancebloom.co.cc/main.php?page=9065b71917ffec11
http://autoinsurancecalendaryear.co.cc/main.php?page=0d5ae1fd4dfc5ed6
http://www.virustotal.com/file-scan/report.html?id=94fca69a7c14110f82eafc6700e321b747b001102e921211881a6edd3c64c30a-1323105828

Title: Re: More Blackhole Kits
Post by: pktguy on December 06, 2011, 09:34:27 pm

Blackhole landing

http://kamaaz.in/main.php?page=13cdcb8e92b33438
http://urlquery.net/report.php?id=10740

http://188.247.232.182/main.php?page=70446792e08f4937
http://urlquery.net/report.php?id=10741

Title: Re: More Blackhole Kits
Post by: pktguy on December 08, 2011, 06:06:03 pm

Blackhole serving zero access
http://loplollo.co.cc/main.php?page=0d5ae1fd4dfc5ed6 <- active
http://loplollo.co.cc/w.php?f=19&e=0
http://www.virustotal.com/file-scan/report.html?id=2c143f047e6bc4b98f9efb1209ccb59e49e99111d704ec8e4f04eb44648f6b6f-1323366513

Blackhole serving trojan
http://coredret.ru/main.php?page=1e83fd4c01303f20
http://coredret.ru//w.php?f=16&e=0
http://www.virustotal.com/file-scan/report.html?id=d94cfd18f0cd4154a655072abc8b77605d0a2a2e0870faf32a3da8a1b5e56e98-1323359347

Title: Re: More Blackhole Kits
Post by: pktguy on December 08, 2011, 10:07:47 pm

Blackhole landing
eebmwqtj.servepics.com/main.php?page=322543253660156f
http://urlquery.net/report.php?id=11072

oredasw.cz.cc/main.php?page=95a18305ef2c2d0e
http://urlquery.net/report.php?id=11080

Title: Re: More Blackhole Kits
Post by: pktguy on December 12, 2011, 03:19:54 pm

Blackhole landing


noghered.info/main.php?page=657114e2319417e6
http://urlquery.net/report.php?id=11413

poptrera.co.cc/main.php?page=0d5ae1fd4dfc5ed6
http://urlquery.net/report.php?id=11416

postdafbes.co.cc/main.php?page=9065b71917ffec11
http://urlquery.net/report.php?id=11418

Title: Re: More Blackhole Kits
Post by: pktguy on December 13, 2011, 04:26:41 pm

Blackhole landing

hands.satisfiedwithmyplot.com/main.php?page=3e96fd0795f87f6c
http://urlquery.net/report.php?id=11616

popsebes.co.cc/main.php?page=0d5ae1fd4dfc5ed6
http://urlquery.net/report.php?id=11643

Title: Re: More Blackhole Kits
Post by: pktguy on December 15, 2011, 09:19:33 pm

Blackhole landing

boorendas.c0m.li/main.php?page=70446792e08f4937
http://urlquery.net/report.php?id=12076

toplinedirect4u.com/main.php?page=9697ea645d06945b
http://urlquery.net/report.php?id=12077

Title: Re: More Blackhole Kits
Post by: pktguy on January 03, 2012, 03:19:02 pm

Blackhole landing

parolessmklozzv.info/main.php?page=9b34131ac7cac573

http://urlquery.net/report.php?id=14357

Title: Re: More Blackhole Kits
Post by: pktguy on January 09, 2012, 07:40:30 pm

Blackhole landing

pe30.glx.nl/main.php?page=691bdc57bceadabf

http://urlquery.net/report.php?id=15333
http://wepawet.iseclab.org/view.php?hash=6da0ca02bb8496078732eead1ebf4b91&t=1326137875&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on January 12, 2012, 03:21:40 pm

Blackhole landing

coxnamelocal.com/dumpsql/main.php?page=48b19601f8013ca5

http://wepawet.iseclab.org/view.php?hash=2b90ba3fed7598e2afcd38a96ac32a67&t=1326381343&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on January 12, 2012, 10:19:59 pm

Blackhole landing

eurotomo.info/jkasdh98768sa9hdjkashdi6iyhikusadhi68/main.php?page=07962f409a0bbb09

http://wepawet.iseclab.org/view.php?hash=911012b0cec9c96b512cfc4002e004bf&t=1326405206&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on January 17, 2012, 09:08:17 pm

Blackhole Landing

jjjjjjjjnnnnhhhhhhhh.nl.ai/main.php?page=e9c8657855ca6126

http://wepawet.iseclab.org/view.php?hash=a7fb5137b618ccb9c90d4b9b98f3b643&t=1326834212&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on January 18, 2012, 07:20:24 pm

Blackhole landing

u333.in/main.php?page=3f4c2f48987fb197

http://wepawet.iseclab.org/view.php?hash=a390dd90ac5007c2e53fad3d7f1529c8&t=1326914042&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on January 18, 2012, 10:39:37 pm

Blackhole landing

gggggghhhhhhhhh.nl.ai/main.php?page=3831657f7eea6b07

http://wepawet.iseclab.org/view.php?hash=7af39187d146da95bbf5ac59f17567b3&t=1326926287&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on January 19, 2012, 07:07:32 pm

Blackhole landings

sssssssss222222222.nl.ai/main.php?page=8790bb3deeb48533
http://wepawet.iseclab.org/view.php?hash=b905efcf579598ed84f523e9cf2b7fb8&t=1326985670&type=js

pe58.glx.nl/main.php?page=691bdc57bceadabf
http://wepawet.iseclab.org/view.php?hash=12dcf128e1e88a829b2b2a7f0d60fc3f&t=1326999844&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on January 19, 2012, 10:19:11 pm

Blackhole landing

tekspani.info/jkasdh98768sa9hdjkashdi6iyhikusadhi68/main.php?page=bc6c781dd38ea2ce

http://wepawet.iseclab.org/view.php?hash=e386033b239048dd74e4dd9eb4d7c4a2&t=1327011430&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on January 23, 2012, 03:50:09 pm

acjfdfef.co.cc/main.php?page=0d5ae1fd4dfc5ed6
http://wepawet.iseclab.org/view.php?hash=b04f973e8063afeae65a9f2c5f903056&t=1327333512&type=js

fsfsfsdfsssssssssssssss.uni.me/main.php?page=43a3824339b73b31
http://wepawet.iseclab.org/view.php?hash=da463a6c27780e5bae6e6a181a9e5749&t=1327333605&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on January 23, 2012, 06:49:25 pm

acjfdcdh.co.cc/main.php?page=38b16bc50912741c
http://wepawet.iseclab.org/view.php?hash=c0de85f2b466ecb1c5502829d87e57e8&t=1327344333&type=js

coirkdfmfhaysixkos.nl.ai/main.php?page=e447ddb2c962749a
http://wepawet.iseclab.org/view.php?hash=48cb773ad75885680aa7ec1afc5f7ddf&t=1327344368&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on January 24, 2012, 08:39:09 pm

musth.in/info/main.php?page=80119cda9dabaed0
http://wepawet.iseclab.org/view.php?hash=49901fcce10fb5e9f1c38e8b7b50699e&t=1327437156&type=js

ffffffffggggggglllllll.uni.me/main.php?page=bb6227d3a4bb9474
http://wepawet.iseclab.org/view.php?hash=4b63be2754c06ebb80623073ee6ff4c9&t=1327437370&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on February 02, 2012, 07:38:03 pm

oliffkreyg.com/vbforum.php?page=f068f027fa35073f
http://wepawet.iseclab.org/view.php?hash=56fc5e5f1fb1d1178ce111b6f9f0c51a&t=1328194936&type=js

nicesextubes.co/main.php?page=d8a857dd74ea601d
http://wepawet.iseclab.org/view.php?hash=3818bd0615da200b74aa2573add34dd5&t=1328211191&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on February 14, 2012, 10:12:03 pm

hell.coupleswinning.com/main.php?page=f13f1407738b5bb1
http://wepawet.iseclab.org/view.php?hash=bfcbb5892d46279e70b5ad94f091afc8&t=1329257360&type=js

pixell.eu.tc/main.php?page=38b16bc50912741c
http://wepawet.iseclab.org/view.php?hash=f0898c409ef2f1415910283922a553a8&t=1329254830&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on February 16, 2012, 06:46:08 pm

s08.trafficmeter.in/pGen.php?cID=e128d49632580799
http://wepawet.iseclab.org/view.php?hash=53260713da95fe46016bd9d042f3758f&t=1329408459&type=js

trackingimposibru.uni.me/content/fdp2.php?f=33
http://wepawet.iseclab.org/view.php?hash=952bd984478aceec2877107f41bf62aa&t=1329414274&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on February 20, 2012, 07:28:45 pm

wggggfgd.co.cc/main.php?page=38b16bc50912741c
http://wepawet.iseclab.org/view.php?hash=efb3df618d64775aa9d3d1983e4a1fa6&t=1329752972&type=js

wklkljjl.co.cc/main.php?page=9065b71917ffec11
http://wepawet.iseclab.org/view.php?hash=c6797a5727595a18ba6db0a426aef5d4&t=1329766005&type=js

grow.ecologysportsnow.com/main.php?page=2110f08b632fef97
http://wepawet.iseclab.org/view.php?hash=7a6dcf08dd1072e137d5ad2873d5a7a1&t=1329765855&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on February 21, 2012, 09:15:08 pm

pulling jav.jar

zp-okna.in/main.php?page=37f8823448dd9e3a
http://wepawet.iseclab.org/view.php?hash=21ef67625c0cf0587efe0ca9e3aad32c&t=1329858730&type=js

item.reddawndigital.net/main.php?page=4c8b25108c8e6bcf
http://wepawet.iseclab.org/view.php?hash=57ffd221c9e7a250600528365cee983b&t=1329858560&type=js

zozizoz.epac.to/main.php?page=09a3b73246e05a43
http://wepawet.iseclab.org/view.php?hash=50a234d7a16e3b24dcd2dbff505104ca&t=1329858676&type=js

Title: Re: More Blackhole Kits
Post by: SysAdMini on February 21, 2012, 10:35:53 pm

Quote from: pktguy on February 21, 2012, 09:15:08 pm

pulling jav.jar

zp-okna.in/main.php?page=37f8823448dd9e3a
http://wepawet.iseclab.org/view.php?hash=21ef67625c0cf0587efe0ca9e3aad32c&t=1329858730&type=js

item.reddawndigital.net/main.php?page=4c8b25108c8e6bcf
http://wepawet.iseclab.org/view.php?hash=57ffd221c9e7a250600528365cee983b&t=1329858560&type=js

zozizoz.epac.to/main.php?page=09a3b73246e05a43
http://wepawet.iseclab.org/view.php?hash=50a234d7a16e3b24dcd2dbff505104ca&t=1329858676&type=js

Wepawet is now able to decode those Blackhole kits correctly. Thanks to Marco Cova.

http://wepawet.iseclab.org/view.php?hash=21ef67625c0cf0587efe0ca9e3aad32c&t=1329863341&type=js
http://wepawet.iseclab.org/view.php?hash=57ffd221c9e7a250600528365cee983b&t=1329863358&type=js
http://wepawet.iseclab.org/view.php?hash=50a234d7a16e3b24dcd2dbff505104ca&t=1329863381&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on February 23, 2012, 09:25:19 pm

Wepawet is still having trouble with these

iron.onlineadvocacy.me/main.php?page=4c8b25108c8e6bcf
http://wepawet.iseclab.org/view.php?hash=cce7db80bb4fd7b7cb61722093adf711&t=1330019596&type=js

yahooreturn.com/main.php?page=d74fc241f9c44e5c
http://wepawet.iseclab.org/view.php?hash=9568f7cd13d03d6e575c33f07ee11456&t=1330019835&type=js

Title: Re: More Blackhole Kits
Post by: mercutio on February 24, 2012, 12:59:30 am

Quote from: pktguy on February 23, 2012, 09:25:19 pm

Wepawet is still having trouble with these

iron.onlineadvocacy.me/main.php?page=4c8b25108c8e6bcf
http://wepawet.iseclab.org/view.php?hash=cce7db80bb4fd7b7cb61722093adf711&t=1330019596&type=js

yahooreturn.com/main.php?page=d74fc241f9c44e5c
http://wepawet.iseclab.org/view.php?hash=9568f7cd13d03d6e575c33f07ee11456&t=1330019835&type=js

It turns out they're serving a (slightly) different code. One of the versions of the code they send does not work in IE, where it causes a parsing exception (but it does work as expected in FF); this causes the analysis you linked to to fail to show the full chain of pages and exploits.

Here are two re-analysis that succeeded (it just happened that the servers were giving out a different version of the code that does work in IE):
http://wepawet.cs.ucsb.edu/view.php?hash=9568f7cd13d03d6e575c33f07ee11456&t=1330041812&type=js
http://wepawet.iseclab.org/view.php?hash=cce7db80bb4fd7b7cb61722093adf711&t=1330041690&type=js

Thanks!

Title: Re: More Blackhole Kits
Post by: michajp on February 27, 2012, 10:14:23 am

Fake IRS spam email, containing following link:

Code: [Select]

hxxp://iibm.in/acpatna/wp-content/uploads/fgallery/rep.html
Contains obfuscated iframer, VT-result:
https://www.virustotal.com/file/565dc176b664e1a8431789f13bcca2be1bf52846b5579c54867f77ee37af5ad5/analysis/

Blackhole at:

Code: [Select]

hxxp://110hobart.com/main.php?page=25e3203444ce0d83
----------


File: script-blackhole-2012-02-27.19-12.txt
Time: 2012-02-27 10:11:25 UTC
VT Result: 0 / 43

MD5:  5db425668150db05716864d62b65d2a5
First seen by VT:  2012-02-27 10:11:25 UTC ( 1 minute ago )
----------

https://www.virustotal.com/file/60d9e4133e982be2fc451cb10dea4ff22b583d86634876f4948048a97de65c91/analysis/1330337485/

Title: Re: More Blackhole Kits
Post by: michajp on February 27, 2012, 03:07:23 pm

Quote from: michajp on February 27, 2012, 10:14:23 am

Fake IRS spam email, containing following link:

Code: [Select]

hxxp://iibm.in/acpatna/wp-content/uploads/fgallery/rep.html
Two more:

Code: [Select]

hxxp://willitscharter.org/wp-wcs/wp-content/uploads/fgallery/rep.html
hxxp://ultimateadvehicles.com/wp-content/uploads/fgallery/rep.html

Title: Re: More Blackhole Kits
Post by: pktguy on February 28, 2012, 03:34:08 pm

Serving what looks like Cridex

twistedtarts.net/main.php?page=f231b7d2647c237a
http://wepawet.iseclab.org/view.php?hash=45f9c9216818812939ab78071e9c9f54&t=1330442417&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on February 28, 2012, 06:34:53 pm

roiuy.eu.tc/main.php?page=38b16bc50912741c
http://wepawet.iseclab.org/view.php?hash=8798c871bee9efd3f1cfcdd0a4dd90f1&t=1330450562&type=js

pollypeach.com/search.php?page=977334ca118fcb8c
http://wepawet.iseclab.org/view.php?hash=02462082f0ce0a6c6d7f276be7ef6a3e&t=1330453907&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on March 01, 2012, 10:29:33 pm

acjaiidcf.co.cc/main.php?page=38b16bc50912741c
http://wepawet.iseclab.org/view.php?hash=c030768f4e9bd0d0163d6cbc171a2810&t=1330636170&type=js

itemaccesta.info/jkasdh98768sa9hdjkashdi6iyhikusadhi68/main.php?page=360dd2a552386c78
http://wepawet.iseclab.org/view.php?hash=804217277041dde7ee47e2807f95f227&t=1330640881&type=js

Title: Re: More Blackhole Kits
Post by: pktguy on March 08, 2012, 04:50:46 pm

axserv145.info/main.php?page=2a0d7d7b60c68664
http://wepawet.iseclab.org/view.php?hash=9156dc0a76424fc4fd07ac09d03465cc&t=1331220078&type=js

aceabjjfi.co.cc/main.php?page=38b16bc50912741c
http://wepawet.iseclab.org/view.php?hash=0c0d51c79c66ab39e9b9091d987b6c5a&t=1331224503&type=js