Malware Domain List

Malware Related => Malicious Domains => Zlkon.lv => Topic started by: SysAdMini on April 05, 2009, 07:45:15 pm

Title: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 05, 2009, 07:45:15 pm
redirect to exploits
Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: CkreM on April 06, 2009, 04:35:59 pm
All redirect to the exploit stated below:


Wepawet couldn't analyze this exploit and stated that the index.php response is empty (http://wepawet.iseclab.org/view.php?hash=0427b7627c9938608b886b095702247a&t=1239032970&type=js)
Was able to d/l the PDF and sent it only.
Anyway, it downloads a trojan in the end in the same domain:
Code:
litehitscar.cn/index.php
http://wepawet.iseclab.org/view.php?hash=4ad4419f482403c543365cad5e60269a&type=js

BTW, the domain with the trojan resolves to 94.247.3.151 for me...
Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: CkreM on April 06, 2009, 07:09:06 pm
Did all the domains with the redirections resolve as 94.247.3.151 for you? (as stated on MDL)

Because for me they are all 94.247.3.150, also checked on centralops, etc...
Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 06, 2009, 07:37:17 pm
Quote from: CkreM on April 06, 2009, 07:09:06 pm
Did all the domains with the redirections resolve as 94.247.3.151 for you? (as stated on MDL)

Because for me they are all 94.247.3.150, also checked on centralops, etc...

My mistake. It is another disadvantage of adding URLs manually. One mistake and then copy and paste.
Fixed.
Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 07, 2009, 03:41:30 pm
another redirector to litehitscar.cn
Code:
superbetfair.cn/in.cgi?income43
Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 08, 2009, 12:32:39 pm
redirects to hyperliteautoservices.cn
Code:
cheapslotplay.cn/in.cgi?income48
mixante.cn/in.cgi?income52
Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 10, 2009, 12:07:07 pm
There is a panel at those sites at /user/panel.

For example:
Code:
www.mediahomenamemartvideo.cn/user/panel
Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: Malware-Web-Threats on April 17, 2009, 09:21:59 am
two others on this IP

redirects to liteautogreatest[.]cn

Code:
hxxp://cutlot.cn/in.cgi?income
hxxp://lotmachinesguide.cn/in.cgi?income

Wepawet (http://wepawet.iseclab.org/view.php?hash=20142646ae8f7bfe737f067a3b9727b4&t=1239958979&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=40131580bd98592c013be3d33aa926b1&t=1239959058&type=js)
Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 21, 2009, 05:53:33 pm
redirects to liteautogreatest[.]cn
Code:
http://betworldwager.cn/in.cgi?income69
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=da48bf59c24906de305cab2c634176ec&t=1240304816
Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 25, 2009, 05:45:39 am
Code:
hxxp://litegreatestdirect.cn/in.cgi?income72
http://wepawet.iseclab.org/view.php?hash=df885fec22550614e9258bc5369ff0cb&t=1240618935&type=js
Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 27, 2009, 06:58:42 pm
Code:
superlitecarbest.cn/in.cgi?income74
redirects to exploits at litevehiclemall[.]cn 94.247.3.151