Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on February 19, 2010, 10:29:33 pm

Title: FakeAV -,,
Post by: eoin.miller on February 19, 2010, 10:29:33 pm
VirusTotal Results: FakeAlert

Found on:

These sites and others are leveraging for JavaScript... all seem to be in the Netherlands, domain.

Title: Re: FakeAV -,,
Post by: eoin.miller on February 22, 2010, 04:52:16 pm
More IPs serving up the same stuff:

GET is always for randomized PHP filenames (examples):

1_16a16d.php, 7_780c4b.php, 5_5de2e4.php, 2_252934.php, 3_36ae8d.php, b_bf3f87.php, 0_004a13.php, 2_2a27b8.php, 8_8249dd.php, a_ae50bc.php, e_e2395d.php, e_e43e4d.php, e_ec4f67.php, 1_1af700.php, 8_82255d.php, e_e35625.php, 7_77e376.php, f_f57329.php, 0_04a6ff.php, 2_2503e1.php, 9_95f7f8.php, 3_3ea213.php, a_aa91a9.php, f_ff0c38.php, 2_2e348c.php, 3_321ed0.php, 6_682f42.php, 8_8f118b.php, 9_916d30.php, b_bd2241.php, c_c08284.php, d_dc8120.php, e_efe822.php, f_fe6f6c.php, f_ff6a9f.php, 3_373564.php, 4_4787ec.php, 5_5ceba7.php, c_c9fa27.php, d_d2d46e.php, d_dd1918.php, f_f57a78.php, 0_064307.php, 0_0e3b3f.php, 0_0e3f4b.php, 2_2e2e69.php, 2_2ee665.php, 4_483d69.php, 4_4cd684.php, 5_50ebe9.php, 6_6096a6.php, 6_62f78f.php, 7_72e715.php, 7_78f558.php, 9_985ca2.php, 9_994c5c.php, d_d8d213.php, e_e1813d.php, e_eddb7c.php, f_fcc9cf.php

Always returns back attachment named install.exe:

Code:
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/octet-stream
Content-Length: 1045504
Content-Disposition: attachment; filename="install.exe"
Content-Transfer-Encoding: binary
Connection: close
Date: Thu, 18 Feb 2010 21:09:40 GMT
Server: lighttpd/1.4.22
MZP@!L!This program cannot be run in DOS mode.
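
A detection sketch for the indicators in the post above, added here as an example and not written by the poster or by Malware Domain List. The filename regex is inferred from the listed examples (one hex digit, an underscore, then six hex digits that start with the same digit); the host names, the sample transactions and the function names `classify` and `triage` are assumptions.

```python
import re
from email.parser import Parser
from urllib.parse import urlsplit

# Inferred from the post's examples: 1_16a16d.php, b_bf3f87.php, f_ff6a9f.php ...
# The digit before "_" repeats as the first of the six hex digits after it.
NAME_RE = re.compile(r"([0-9a-f])_\1[0-9a-f]{5}\.php")
EXE_RE = re.compile(r'filename\s*=\s*"?[^";]+\.exe\b', re.I)

def classify(url, raw_response, body_prefix=b""):
    """Return which of the post's indicators one HTTP transaction matches."""
    hits = []
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    if NAME_RE.fullmatch(name):
        hits.append("randomized-php-name")
    # Drop the status line, then parse the remaining header block.
    _status, _, header_text = raw_response.partition("\n")
    headers = Parser().parsestr(header_text, headersonly=True)
    ctype = (headers.get("Content-Type") or "").split(";")[0].strip().lower()
    dispo = headers.get("Content-Disposition") or ""
    # A .php request answered with a binary attachment named *.exe.
    if ctype == "application/octet-stream" and EXE_RE.search(dispo):
        hits.append("exe-attachment")
    # "MZ" is the DOS/PE executable magic seen at the start of the body.
    if body_prefix[:2] == b"MZ":
        hits.append("pe-magic")
    return hits

def triage(transactions):
    """Map each URL with at least one indicator to its list of hits."""
    out = {}
    for url, resp, body in transactions:
        hits = classify(url, resp, body)
        if hits:
            out[url] = hits
    return out

# Constructed sample data: headers copied from the post, hosts are placeholders.
POST_RESPONSE = ("HTTP/1.1 200 OK\n"
                 "Content-Type: application/octet-stream\n"
                 'Content-Disposition: attachment; filename="install.exe"\n'
                 "Server: lighttpd/1.4.22\n\n")
SAMPLE = [
    ("http://host-a.example/1_16a16d.php", POST_RESPONSE, b"MZP"),
    ("http://host-b.example/1_26a16d.php", POST_RESPONSE, b"MZP"),  # prefix mismatch
    ("http://host-c.example/index.php",
     "HTTP/1.1 200 OK\nContent-Type: text/html\n\n", b"<html>"),
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE).items():
        print(url, hits)
```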