Author Topic: Mr Clean's dirt  (Read 130641 times)


March 28, 2009, 03:38:47 pm

Mr Clean

Code: [Select]
http://download.av-best.info/install.php?campaign=mmb_3593020743&country=en&counter=0&campaign=mmb_3593020743&landid=4
Referer: http://scanner.av-best.info/scan.php?campaign=mmb_3593020743&landid=4


Downloads a file called AntiVirusInstaller.exe

http://www.virustotal.com/analisis/7a63e24b4f5b13ea8f13c4ddeeb467f2
http://www.threatexpert.com/report.aspx?md5=8d7463acc24e8bcb5c569d0ad2a23dba

March 30, 2009, 12:42:29 pm
Reply #1

Mr Clean

Code: [Select]
http://dwnld.promotion-offer.com/secure/d3176d39144e0a6fc93c2a7d3f0b4471/49d0bb49/srm/srm_free_setup.exe

http://www.virustotal.com/analisis/7a0fe250cb4f063ccb32089f240842f6

March 30, 2009, 07:31:18 pm
Reply #2

Mr Clean

It all starts here:
Code: [Select]
GET: http://pnfzetnax.nethttp://pnfzetnax.net/est/ HTTP/1.1"

Referrer: http://media2.mediafileshost.com/images/5516_562850_7444899_250_300.swf?clickTAG=http%3A//12.47.196.61/ct.jsp%3Fp%3D112801%26appid%3D32255%2"


SRC: GET /est/ HTTP/1.1
SRC: Accept: */*
SRC: Accept-Language: en-us
SRC: UA-CPU: x86
SRC: Accept-Encoding: gzip, deflate
SRC: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
SRC: Host: pnfzetnax.net
SRC: Connection: Keep-Alive
SRC:
SRC:
DST: HTTP/1.1 302 Found
DST: Server: nginx/0.6.32
DST: Date: Mon, 30 Mar 2009 19:13:38 GMT
DST: Content-Type: text/html
DST: Transfer-Encoding: chunked
DST: Connection: close
DST: Set-Cookie: SL_25_0000=_1_; domain=webstatsmaster.com; path=/; expires=Tue, 31-Mar-2009 19:13:18 GMT
DST: Location: http://67.215.246.138/aff56.php

to download this nice pdf:

Code: [Select]
http://67.215.246.138/a9/pdf.php?u=i_7_0

http://www.virustotal.com/analisis/9e90711ccbb0a0d013a02094d5773fca
http://wepawet.iseclab.org/view.php?hash=7bff4ce3676fc2e12093b0791c1d0c9e&t=1238220458&type=js

immediately followed by this goodie:

Code: [Select]
http://67.215.246.138/a9/aff_9.exe?u=i_7_0&spl=p1

http://www.virustotal.com/analisis/030c906429c51e38b75bda1f15eee8f8
http://www.threatexpert.com/report.aspx?md5=264c543ac609726837815a398f1ea8df



March 31, 2009, 12:11:37 am
Reply #4

MysteryFCM

Nice one, cheers :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 31, 2009, 01:12:03 pm
Reply #5

Mr Clean

Nice one, cheers :)

thanks.

I like what you guys/gals have going here.

More dirt, without a doubt, is on its way.

March 31, 2009, 03:09:45 pm
Reply #6

Mr Clean

This domain isn't unknown, but here's more evidence of its bad behaviour

Code: [Select]
http://i1match361.biz/file/2440/f8ae8aedaf494548b681dedb37dd3d5f/0.exe.bak

http://www.virustotal.com/analisis/ddbc6d82836afea549062340220fed9c

March 31, 2009, 03:45:33 pm
Reply #7

Mr Clean


March 31, 2009, 03:50:33 pm
Reply #8

Mr Clean

Code: [Select]
http://ultracleaner.biz/download.php?affid=02935

downloads install.exe

http://www.virustotal.com/analisis/de2069149077bdac0ddb6ebb497d4e64
http://www.threatexpert.com/report.aspx?md5=319d046a673a0f50652b9e2884233dd6

BTW, there is an important lesson here: NEVER EVER trust DNS PTR records. The PTR record says it's google.com

Code: [Select]
$ dig ultracleaner.biz +short
84.16.227.222
$ dig -x 84.16.227.222 +short
84-16-227-222.google.com.
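
The point above is why a PTR name should only be believed when the forward lookup agrees with it (forward-confirmed reverse DNS). The following is an added example, not code from this thread or from hpHosts; it uses a constructed in-memory lookup table in place of a real resolver so it runs offline, and the answer for the google.com PTR name is an assumption, not a recorded lookup. A real resolver function with the same signature can be passed in instead.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed DNS data standing in for a resolver so the check runs offline.
# Only the IP and its PTR name are taken from the post; everything else is made up.
FAKE_DNS: Dict[str, List[str]] = {
    # PTR records, keyed by the in-addr.arpa name
    "222.227.16.84.in-addr.arpa.": ["84-16-227-222.google.com."],
    "7.100.51.198.in-addr.arpa.": ["mail.example.net."],
    # A records for the PTR names above
    "84-16-227-222.google.com.": [],        # assumption: the claimed name does not resolve back
    "mail.example.net.": ["198.51.100.7"],  # constructed honest host: forward matches reverse
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Resolver stand-in: return records for name, [] meaning no data / NXDOMAIN."""
    return FAKE_DNS.get(name, [])


def fcrdns(ip: str, resolve: Callable[[str, str], List[str]] = fake_resolve) -> dict:
    """Forward-confirmed reverse DNS check for one IPv4/IPv6 address.

    1. Fetch the PTR names for the address.
    2. Resolve each PTR name forward (A records).
    3. A PTR name is confirmed only if its forward answers include the original IP.
    Whoever controls the reverse zone can put any name in the PTR record, so an
    unconfirmed name tells you nothing about who actually runs the host.
    """
    addr = ipaddress.ip_address(ip)
    ptr_names = resolve(addr.reverse_pointer + ".", "PTR")
    confirmed, unconfirmed = [], []
    for name in ptr_names:
        forward = resolve(name, "A")
        (confirmed if ip in forward else unconfirmed).append(name)
    return {"ip": ip, "ptr": ptr_names, "confirmed": confirmed, "unconfirmed": unconfirmed}


if __name__ == "__main__":
    for host in ("84.16.227.222", "198.51.100.7"):
        r = fcrdns(host)
        verdict = "confirmed" if r["confirmed"] else "UNCONFIRMED, PTR claims %s" % r["ptr"]
        print(host, verdict)
```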

March 31, 2009, 09:07:33 pm
Reply #9

SysAdMini

Ruining the bad guy's day


March 31, 2009, 09:16:51 pm
Reply #11

Mr Clean


March 31, 2009, 10:06:02 pm
Reply #12

Mr Clean


March 31, 2009, 10:44:09 pm
Reply #13

SysAdMini

Code: [Select]
http://kol-development.com/viewtubesoftware.40019.exe

Code: [Select]
frg-softwares.com/viewtubesoftware.40019.exe
Ruining the bad guy's day

March 31, 2009, 11:17:52 pm
Reply #14

Mr Clean

Code: [Select]
http://kol-development.com/viewtubesoftware.40019.exe

Code: [Select]
frg-softwares.com/viewtubesoftware.40019.exe