Malware Domain List

Malware Related => Malicious Domains => Topic started by: SysAdMini on May 18, 2009, 09:04:53 am

Title: martuz.cn -(95.129.145.58)
Post by: SysAdMini on May 18, 2009, 09:04:53 am
gumblar.cn has a successor:

martuz.cn

martuz.cn/vid/?id=0

downloads a PDF exploit

martuz.cn/vid/?id=2
http://www.virustotal.com/analisis/71dcf146b308af42b4e7d51142c7bd90 3/40
BitDefender   7.2   2009.05.18   Exploit.PDF-JS.Gen
Sunbelt   3.2.1858.2   2009.05.17   Exploit.PDF-JS.Gen (v)
Symantec   1.4.4.12   2009.05.18   Bloodhound.PDF.7
http://wepawet.cs.ucsb.edu/view.php?hash=6830abddd7a716b2b4f8a93cfabc01dd&type=js

and a Flash exploit

martuz.cn/vid/?id=3
http://www.virustotal.com/analisis/6a529be0a99a47aec0af841b371ecb03 0/40

payload is a badly detected trojan

martuz.cn/vid/?id=10&
http://www.virustotal.com/analisis/26ccc949ec81029591bbb6c33476a9de 6/40
AntiVir   7.9.0.168   2009.05.18   HEUR/Crypted.E
eSafe   7.0.17.0   2009.05.17   Suspicious File
Prevx   3.0   2009.05.18   Medium Risk Malware
Rising   21.30.01.00   2009.05.18   Trojan.Spy.Win32.Delf.dpt
Symantec   1.4.4.12   2009.05.18   Backdoor.Trojan
TrendMicro   8.950.0.1092   2009.05.18   PAK_Generic.001
http://www.threatexpert.com/report.aspx?md5=2131112053ed144c46277b9024bcf39f

Title: Re: martuz.cn -(95.129.145.58)
Post by: SysAdMini on May 18, 2009, 09:46:05 am
Martuz .cn - New Incarnation of the Gumblar Exploit. So What’s New?
http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/

gumblar.cn switches to martuz.cn (95.129.145.58 - netname: NET-VENTREX)
http://hphosts.blogspot.com/2009/05/gumblarcn-switches-to-martuzcn.html

martuz.cn injection attack
http://www.dynamoo.com/blog/2009/05/martuzcn-injection-attack.html
Title: Re: martuz.cn -(95.129.145.58)
Post by: Malware-Web-Threats on May 18, 2009, 09:27:08 pm
Found the exploit that came with this domain

http://img134.imageshack.us/img134/9507/exploits.jpg
Title: Re: martuz.cn -(95.129.145.58)
Post by: SysAdMini on May 19, 2009, 09:11:27 pm
martuz.cn doesn't resolve any longer.
Let's see what comes next.

http://blog.scansafe.com/journal/2009/5/19/gumblar-up-another-7-martuzcn-is-down.html
Title: Re: martuz.cn -(95.129.145.58)
Post by: Malware-Web-Threats on May 19, 2009, 10:33:11 pm
Two hours ago:
http://wepawet.iseclab.org/view.php?hash=13e9dafef418b538fdb1b34144a269ec&t=1242764583&type=js

updated with new scripts:
http://wepawet.iseclab.org/view.php?hash=9944fbc2873a20af8963a3eda934ae79&t=1242771345&type=js

190.1.246.170
exe:
hxxp://ruisjop.com/liloadercdi.php?id=3536002
Wepawet (http://wepawet.iseclab.org/view.php?hash=211ddcd57256b0e6952277941bdf51cc&t=1242771964&type=js)
VirusTotal (http://www.virustotal.com/analisis/961849023d1bae7eef11567f4e1db26f) - 38/39 (97.44%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1bd05e5cd2527183465acdd8c339c06c8&call=first)

hxxp://ruisjop.com/p1d2f3.php?id=3536002
Wepawet (http://wepawet.iseclab.org/view.php?hash=4111910fe3b0ada2380df004e0c7cb99&t=1242772051&type=js) (link)
Wepawet (http://wepawet.iseclab.org/view.php?hash=48428ef0674f5b5bec9e6f5ea35621ba&type=js) (pdf)
VirusTotal (http://www.virustotal.com/analisis/45002387adbca927c78ce90143c4c413) - 14/40 (35%)

ThreatExpert (http://www.threatexpert.com/report.aspx?md5=3a03a20bfefe3fdd01659d47d2ed76c8)

Quote
From ANUBIS:1033 to 99.49.23.215:80 - [peskostruikaz[.]com] 
Request: GET /auq.php?d2aff5=1972515&id=14671282555627 
Response: 200 "OK" 
From ANUBIS:1035 to 72.167.131.174:80 - [johnsonbodyshop[.]com] 
Request: GET /images/logo.gif?d4c599=1992031&id=14671282555627 
Response: 200 "OK" 

Quote
hxxp://peskostruikaz.com/auq.php?211ffb=310125&id=4111362546981
hxxp://johnsonbodyshop.com/images/logo.gif?2d35a7=423265&id=4111362546981
hxxp://shopatforgetmenot.com/images/mainlogo.gif?2d6c57=425265&id=4111362546981
hxxp://corporateshelters.com/images/logo.gif?2da377=427281&id=4111362546981
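Added example, not code from the post above or from any of the tools it links: the Anubis trace shows the infected machine calling several compromised sites with the same shape of request, one random six-hex-character parameter carrying a number plus a constant numeric id=, e.g. /auq.php?d2aff5=1972515&id=14671282555627 and /images/logo.gif?d4c599=1992031&id=14671282555627. The script below applies that shape to proxy log lines and groups hits by id, so one infected client shows up as one cluster of hosts. The log format and the log lines are constructed for the example (hosts taken from the thread, client addresses and timestamps made up); the six-hex-character rule is an assumption drawn from the URLs quoted here, not a published signature.

```python
"""Flag Gumblar/Martuz-style beacon URLs in a proxy log and cluster them by id."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumption taken from the URLs quoted in the thread: the "random" parameter
# name is six lowercase hex characters (d2aff5, d4c599, 211ffb, 2d35a7, ...).
_HEX_PARAM = re.compile(r"^[0-9a-f]{6}$")

# Constructed log, not a real capture: "<time> <client> <method> <url> <status>".
# The beacon hosts and query strings are the ones quoted from Anubis above;
# the example.com lines are benign lookalikes that must not match.
SAMPLE_LOG = """\
2009-05-19T20:33:11Z 10.0.0.7 GET http://peskostruikaz.com/auq.php?211ffb=310125&id=4111362546981 200
2009-05-19T20:33:12Z 10.0.0.7 GET http://johnsonbodyshop.com/images/logo.gif?2d35a7=423265&id=4111362546981 200
2009-05-19T20:33:12Z 10.0.0.7 GET http://www.example.com/images/logo.gif?v=3 200
2009-05-19T20:33:13Z 10.0.0.7 GET http://shopatforgetmenot.com/images/mainlogo.gif?2d6c57=425265&id=4111362546981 200
2009-05-19T20:33:13Z 10.0.0.9 GET http://www.example.com/search.php?q=gumblar&id=42 200
2009-05-19T20:33:14Z 10.0.0.7 GET http://corporateshelters.com/images/logo.gif?2da377=427281&id=4111362546981 200
"""


def classify_beacon(url):
    """Return (host, hex_param, beacon_id) if url has the beacon shape, else None.

    Shape: exactly two query parameters, one named by six hex characters with
    a purely numeric value, and one named id= with a purely numeric value.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) != 2:
        return None
    hex_param = beacon_id = None
    for key, value in params:
        if key == "id" and value.isdigit():
            beacon_id = value
        elif _HEX_PARAM.match(key) and value.isdigit():
            hex_param = key
    if hex_param is None or beacon_id is None:
        return None
    return parts.hostname, hex_param, beacon_id


def find_beacons(log_text):
    """Map each beacon id to a sorted list of (client, host) pairs that used it.

    Grouping by id is the useful part: the id stays constant across all the
    compromised sites one infected client talks to, so a single id with many
    hosts is one infection, not many.
    """
    clusters = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the sweep
        hit = classify_beacon(fields[3])
        if hit is not None:
            host, _hex_param, beacon_id = hit
            clusters[beacon_id].add((fields[1], host))
    return {beacon_id: sorted(pairs) for beacon_id, pairs in clusters.items()}


if __name__ == "__main__":
    for beacon_id, pairs in find_beacons(SAMPLE_LOG).items():
        print(f"id={beacon_id}:")
        for client, host in pairs:
            print(f"  {client} -> {host}")
```

Run it against your own proxy or web server logs by replacing SAMPLE_LOG with the file contents and adjusting the field index for the URL. The hex-parameter rule will also fire on a legitimate site that happens to use a six-hex-character query key, so treat a hit as a pivot (look at what else that client fetched, and whether the id repeats across hosts) rather than as a verdict on its own.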
Title: Re: martuz.cn -(95.129.145.58)
Post by: SysAdMini on May 20, 2009, 09:23:38 pm
Automatic removal of Gumblar/Martuz trojan
http://www.danielansari.com/wordpress/2009/05/automatic-removal-of-gumblarmartuz-trojan/
Title: Re: martuz.cn -(95.129.145.58)
Post by: boston on May 21, 2009, 02:36:22 pm
A fix tool:
http://jpshortstuff.247fixes.com/beta/DaonolFix.exe

btw:
Could anyone explain what the function of this c:\_.e file is?
thanks a lot.
Title: Re: martuz.cn -(95.129.145.58)
Post by: MysteryFCM on May 21, 2009, 07:11:20 pm
Quote
Could anyone explain what the function of this c:\_.e file is?

Not without a sample ....

/edit

Thanks to a friend (;)), it has been determined previously that _.exe is a backdoor trojan.
Title: Re: martuz.cn -(95.129.145.58)
Post by: SysAdMini on May 21, 2009, 07:33:39 pm
Gumblar - An Analysis and History
http://securitylabs.websense.com/content/Blogs/3401.aspx

Title: Re: martuz.cn -(95.129.145.58)
Post by: SysAdMini on May 21, 2009, 07:36:08 pm
Inside the Massive Gumblar Attack
http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/
Title: Re: martuz.cn -(95.129.145.58)
Post by: SysAdMini on May 22, 2009, 03:48:08 pm
Attached you will find the Joebox analysis report of the executable.