Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on June 11, 2010, 06:02:10 pm

Title: iamcome.in
Post by: eoin.miller on June 11, 2010, 06:02:10 pm
Seeing infected hosts reaching out to:
http://d.iamcome.in/u.txt

That returns a URL of an EXE which trips 29/41 on VirusTotal:
http://d.iamcome.in/ma.exe
Report: http://www.virustotal.com/analisis/ed8d7ddb7e865d0e0151490ae811f80bf968078e6542b6be25e55a5e86f6011c-1276258210
Title: Re: iamcome.in
Post by: eoin.miller on June 11, 2010, 06:23:52 pm
Looks like this is related to the massive SQL injection attack against IIS, similar to the robint.us domain check-in that has been ongoing. Infected sites will toss you over to the following URL, which is a drive-by:

http://2677.in/yahoo.js

Looks like it is exploiting flash player, which is causing the download of the loader here:

http://2677.in/log.exe
Report: http://www.virustotal.com/analisis/85344c5db45eb5bba6702091afdefe634387038d9c7f7704d5e8648507b9482e-1276270061
Title: Re: iamcome.in
Post by: eoin.miller on June 11, 2010, 06:33:09 pm
The iframes:
http://2677.in/cnzz.html
http://2677.in/ie.html

Flash:
http://2677.in/anhey.swf
Report 2/41: http://www.virustotal.com/analisis/725f0cc85e34151e7e6af81a4f221b47a6825944cbaf68a4b5daf4023e5143e4-1276280998

Symantec classifies this flash file as a trojan? wepawet claims it to be benign.

Also pulls a script from the site below for tracking purposes; the guy's handle is dnf666 (how charming):
http://s11.cnzz.com/stat.php?id=1990191&web_id=1990191
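The posts above lay out a multi-stage chain: an injected script on a compromised IIS site (yahoo.js), the iframes and the Flash file on 2677.in, the loader (log.exe), then the check-in to d.iamcome.in/u.txt for the URL of the final payload (ma.exe). Because the SWF stage trips only 2/41 engines, the useful detection is not the file but the sequence of URLs a single client fetches. The script below is an added example written for this page, not code from the thread or from Malware Domain List: it walks a small set of constructed proxy log lines in a squid-style format (an assumption; real logs will need their own regex), tags each request with the stage it plays in the chain using only the URLs quoted in the posts, and gives a per-client verdict of clean, exposed (touched the drive-by but no binary fetched) or infected (loader or payload retrieved). The client addresses and the www.example.com site are invented for the sample.

```python
"""Correlate the 2677.in / d.iamcome.in drive-by chain across proxy logs.

Added example; indicator URLs come from the MDL thread above, the log
lines and client addresses are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators from the thread, keyed by the role each URL plays in the chain.
# The cnzz tracker is matched on scheme+host+path only, so its query string
# (id=..., web_id=...) is ignored during lookup.
STAGES = {
    "http://2677.in/yahoo.js": "injected-script",
    "http://2677.in/cnzz.html": "iframe",
    "http://2677.in/ie.html": "iframe",
    "http://2677.in/anhey.swf": "flash-exploit",
    "http://2677.in/log.exe": "loader",
    "http://d.iamcome.in/u.txt": "payload-config",
    "http://d.iamcome.in/ma.exe": "payload",
    "http://s11.cnzz.com/stat.php": "tracking",
}

# Stages that mean a binary actually reached the client.
BINARY_STAGES = {"loader", "payload"}

# Constructed sample log (squid-like access log format, assumed):
#   client - - [timestamp] "METHOD url HTTP/x.y" status
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jun/2010:17:55:01 +0000] "GET http://www.example.com/news.asp HTTP/1.1" 200
10.0.0.5 - - [11/Jun/2010:17:55:02 +0000] "GET http://2677.in/yahoo.js HTTP/1.1" 200
10.0.0.5 - - [11/Jun/2010:17:55:02 +0000] "GET http://2677.in/ie.html HTTP/1.1" 200
10.0.0.5 - - [11/Jun/2010:17:55:03 +0000] "GET http://2677.in/anhey.swf HTTP/1.1" 200
10.0.0.5 - - [11/Jun/2010:17:55:04 +0000] "GET http://2677.in/log.exe HTTP/1.1" 200
10.0.0.5 - - [11/Jun/2010:17:55:09 +0000] "GET http://d.iamcome.in/u.txt HTTP/1.1" 200
10.0.0.5 - - [11/Jun/2010:17:55:10 +0000] "GET http://d.iamcome.in/ma.exe HTTP/1.1" 200
10.0.0.7 - - [11/Jun/2010:17:58:41 +0000] "GET http://2677.in/yahoo.js HTTP/1.1" 200
10.0.0.7 - - [11/Jun/2010:17:58:41 +0000] "GET http://s11.cnzz.com/stat.php?id=1990191&web_id=1990191 HTTP/1.1" 200
10.0.0.9 - - [11/Jun/2010:18:01:00 +0000] "GET http://www.example.com/ HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST) (?P<url>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (client, url) for a log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("client"), m.group("url")


def classify(url):
    """Map a request URL to a chain stage, or None if it is not an indicator.

    Host is lower-cased and the query string dropped so that tracker hits
    with varying parameters still match.
    """
    parts = urlsplit(url)
    key = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return STAGES.get(key)


def correlate(log_text):
    """Group indicator hits per client, preserving log order.

    Returns {client: [(stage, url), ...]}; clients with no hits get an
    empty list so they can still be reported as clean.
    """
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, url = parsed
        hits.setdefault(client, [])
        stage = classify(url)
        if stage is not None:
            hits[client].append((stage, url))
    return hits


def verdict(chain):
    """Decide what a client's chain of hits means.

    infected: a loader or payload binary was fetched
    exposed:  the client touched the drive-by but no binary was seen
    clean:    no indicator hits at all
    """
    stages = {stage for stage, _ in chain}
    if stages & BINARY_STAGES:
        return "infected"
    if stages:
        return "exposed"
    return "clean"


def report(log_text):
    """Return {client: verdict} for every client seen in the log."""
    return {client: verdict(chain) for client, chain in correlate(log_text).items()}


if __name__ == "__main__":
    for client, chain in correlate(SAMPLE_LOG).items():
        print(client, verdict(chain), " -> ".join(stage for stage, _ in chain))
```

Run it and the sample shows 10.0.0.5 walking the full chain (injected script, iframe, Flash, loader, config, payload) and coming out infected, 10.0.0.7 pulling only the script and the cnzz tracker, which makes it exposed rather than infected, and 10.0.0.9 clean. On real logs, the ordering of stages per client is the thing to inspect: a u.txt fetch with no preceding 2677.in traffic points at a different delivery vector than the one described in this thread.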