Author Topic: 195.88.191.46  (Read 43484 times)

0 Members and 1 Guest are viewing this topic.

September 06, 2009, 02:03:24 pm
Read 43484 times

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
directs to exploits:

Code: [Select]
kvumurij.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
Wepawet

The site below doesn't seems to work so I will check later if this domain redirects to a new one.

The urls was:

Code: [Select]
ssesodoq.cn/uin/
ssesodoq.cn/uin/whichGoodS.pdf
ssesodoq.cn/uin/searchMakeChunk.swf
ssesodoq.cn/uin/update.php?id=5
ssesodoq.cn/uin/update.php?id=6
Wepawet

also work:
Code: [Select]
ssesodoq.cn/uin/update.exe

VirusTotal - 8/41 (19.51%)
Threat Expert

It connect to 91.207.4.250 (see threatexpert) and start spamming

Quote
GET spm/get_id.php
GET spm/page.php

Other on this IP:

http://www.malwareurl.com/listing.php?ip=195.88.191.46
http://www.malwaredomainlist.com/mdl.php?search=195.88.191.46&colsearch=All&quantity=50

Anything else?

http://www.bfk.de/bfk_dnslogger.html?query=195.88.191.46

September 06, 2009, 02:15:11 pm
Reply #1

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
same as below:

Code: [Select]
ns1.vvukufan.com/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
ns1.jagbibiv.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
ns2.jagbibiv.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot

http://wepawet.iseclab.org/view.php?hash=94f15cbfb2fffd42daa369ad1c85eda7&t=1252247278&type=js
http://wepawet.iseclab.org/view.php?hash=e08d6e782c77ed81f7aa041a0aeadbc0&t=1252247286&type=js
http://wepawet.iseclab.org/view.php?hash=879f28c20c7cef91aaade18e0777f45e&t=1252247298&type=js

September 06, 2009, 02:18:48 pm
Reply #2

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die Lösung für Ihr Spam-Problem
payload is not in sub-dir /uin but in root....

hxxp://ssesodoq.cn/update.exe

-- gerhard

September 07, 2009, 08:41:57 am
Reply #3

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
Interesting - another MD5

Code: [Select]
kvumurij.cn/update.exe
Wepawet
MD5: 455575b550ae3c6c3d39b44ac5e501c8

Code: [Select]
kvumurij.cn/2cv/update.exe
Wepawet
MD5: 230eb4adb27b2697e2076f34a73cab13

the exploit kit with urls:

Code: [Select]
kvumurij.cn/2cv/
kvumurij.cn/2cv/dontLayoutDont.pdf
kvumurij.cn/2cv/wordA.swf
kvumurij.cn/2cv/update.php
kvumurij.cn/2cv/update.exe
kvumurij.cn/2cv/admin.php
Wepawet
VirusTotal - 4/41 (9.76%)

AVG: Packed.Monder
Kaspersky: Packed.Win32.Krap.x
Microsoft: Spammer:Win32/Tedroo.AA
Rising: Unknown Win32 Virus

September 07, 2009, 08:53:37 am
Reply #4

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
the ThreatExpert report also show a connection to 91.207.6.242

The following GET requests were made:
Quote
spm/get_id.php
spm/page.php?id=231828&tick=231828&ver=112&smtp=ok&task=0

Threat Expert

September 07, 2009, 10:09:19 am
Reply #5

Serg

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 132
Under Packed.Win32.Krap.x kaspersky means Email-Worm.Win32.Joleee

September 07, 2009, 10:19:14 am
Reply #6

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Under Packed.Win32.Krap.x kaspersky means Email-Worm.Win32.Joleee

I always use the identifier "Tedroo" for this spamming trojan. Many av vendors like Microsoft, Sophos, Bitdefender or Ikarus use this identifier.

Ruining the bad guy's day

September 12, 2009, 06:10:04 am
Reply #7

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
trojan:
Code: [Select]
mcanavib.cn/update.exe
pbigupaz.cn/update.exe
tbegicoz.cn/update.exe
wpupadop.cn/update.exe

redirects to exploits:
Code: [Select]
mcanavib.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
pbigupaz.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
tbegicoz.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
wpupadop.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot

September 12, 2009, 10:27:13 am
Reply #8

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
Redirects to exploits:
Code: [Select]
sexygallets.com/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&antibot_hash=2990857606&ur=1&HTTP_REFERER=

September 13, 2009, 12:35:57 am
Reply #9

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
Exploits:
Code: [Select]
nfovidab.cn/a1/
nfovidab.cn/a1/index_files/x1079.js
nfovidab.cn/stat1/index.php
nfovidab.cn/stat1/overEverIsnt.pdf
nfovidab.cn/stat1/anComes.swf
Wepawet

Trojan Tedroo / Packed Krap:
Code: [Select]
nfovidab.cn/update.exe
VirusTotal - 31/41 (75.61%)
ThreatExpert

Trojan Dropper:
Code: [Select]
nfovidab.cn/stat1/update.php
nfovidab.cn/stat1/update.exe
VirusTotal - 5/41 (12.2%)

September 13, 2009, 09:32:41 pm
Reply #10

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
Redirects to exploits:

Code: [Select]
xguxerob.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot

http://wepawet.iseclab.org/view.php?hash=f17c505f84eaebe97f3a5bc1a9fd3359&t=1252877484&type=js

September 14, 2009, 01:05:02 pm
Reply #11

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
Exploits:
Code: [Select]
http://kzayopoq.cn/dj/
http://kzayopoq.cn/stat1/
http://kzayopoq.cn/stat2
http://kzayopoq.cn/2cv/
http://kzayopoq.cn/de/
http://kzayopoq.cn/rur/

http://kpizuyuw.cn/dj/
http://kpizuyuw.cn/stat1/
http://kpizuyuw.cn/stat2/
http://kpizuyuw.cn/2cv/
http://kpizuyuw.cn/de/
http://kpizuyuw.cn/rur/

Trojan:
Code: [Select]
http://kzayopoq.cn/update.exe
http://kzayopoq.cn/dj/update.exe
http://kzayopoq.cn/stat1/update.exe
http://kzayopoq.cn/stat2/update.exe
http://kzayopoq.cn/2cv/update.exe
http://kzayopoq.cn/de/update.exe
http://kzayopoq.cn/s/update.exe
http://kzayopoq.cn/rur/update.exe

http://kpizuyuw.cn/update.exe
http://kpizuyuw.cn/dj/update.exe
http://kpizuyuw.cn/stat1/update.exe
http://kpizuyuw.cn/stat2/update.exe
http://kpizuyuw.cn/2cv/update.exe
http://kpizuyuw.cn/de/update.exe
http://kpizuyuw.cn/s/update.exe
http://kpizuyuw.cn/rur/update.exe

September 14, 2009, 01:06:10 pm
Reply #12

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
optional control panel (Liberty Exploit Toolkit)
Code: [Select]
http://kpizuyuw.cn/dj/admin.php
http://kzayopoq.cn/dj/admin.php

September 14, 2009, 01:14:03 pm
Reply #13

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
optional control panel (Liberty Exploit Toolkit)
Code: [Select]
http://kpizuyuw.cn/dj/admin.php
http://kzayopoq.cn/dj/admin.php

user,pass works as well and there are alot of referers to check.
Ruining the bad guy's day

September 14, 2009, 01:16:13 pm
Reply #14

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
Seems to be always the same pwd.

For the URLs below the update.exe at the root doesn't seems to work.