Author Topic: Rogue - Fake AV  (Read 113075 times)


September 20, 2009, 01:23:18 pm
Reply #120

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
Some new registrations for malware domains:


A few of them are online, except winfixscanner*.com (personal antivirus), for which we must wait for the IP(s).

September 20, 2009, 01:24:38 pm
Reply #121

Malware-Web-Threats

For domains with fastscan, searchprotection, protectzone, etc. the payload is:

Quote
/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXGHodjSbmNel2ZwmV%2BSk2WaU9bYxKWspXOWh9esb2VraWtmbG6XYZSMlJNq

September 25, 2009, 03:22:10 am
Reply #122

Malware-Web-Threats

New registrations for fake AV domains :o


September 25, 2009, 04:48:37 am
Reply #123

Malware-Web-Threats

Fake AV redirectors:


Rogue smartprotector:
scan.securedwebsafesurf.com/smrtprt_3/6/40014/
scan.securedwebsafesurf.com/download/smrtprt/install.php

September 26, 2009, 12:54:18 pm
Reply #124

Malware-Web-Threats

They all redirect to bigbuckclub.cn to serve a fake AV, "1mytotalscan.com".

Also used in the redirection: "third-eye-blind.com/?pid=252&sid=634302".


http://wepawet.iseclab.org/view.php?hash=e21f1121a038a29694c5d481cc4ad096&t=1253969687&type=js

September 26, 2009, 01:08:46 pm
Reply #125

Malware-Web-Threats

More personal fake AV scareware, aka Alpha Antivirus - renamed a few days ago.

New registrations:
browserspywarecheck.com
my-computer-check24.com
my-computer-scan43.com
my-computer-check15.com
my-computer-check03.com

Online:

Redirectors:
makkahintro.com/?pid=71&sid=f3b6e0
greece-tours.cn/go.php?id=2004&key=ff0057594&p=1

Payment page:
statickingdom.com/buy.php
online-soft-payments.com/buy.php
secure.online-soft-payments.com/buy.php
secure.personalpurchuaseweb.com/buy.php?

Alpha antivirus?
nkdf.org/uploads/software/alpha-antivirus.html
http://wepawet.iseclab.org/view.php?hash=346161bbe6a489a018cf536f4cfe32fd&t=1253838508&type=js

September 28, 2009, 05:34:05 am
Reply #126

Malware-Web-Threats

All redirect to fake AV:

payload: /1/index.php

78.159.122.151


84.16.247.13

89.149.236.145

September 28, 2009, 05:57:06 am
Reply #127

Malware-Web-Threats

A nice name server:

http://www.malwareurl.com/ns_listing.php?ns=ns1.nmsrv24.cn

Complete list:

September 28, 2009, 07:46:32 am
Reply #128

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam filter, anti-spam, virus protection - CLEAN MX Managed Anti-Spam Service is the solution for your spam problem
All located in Germany! Kleyer Street is one of the biggest datacenters, directly connected to DE-CIX...
lft -ANTE 89.149.236.145

Tracing _______________________________________________________________!_______.

TTL  LFT trace to 89.149.236.145.internetserviceteam.com (89.149.236.145):80/tcp
 1   [AS15968] [RIPE-C3/NETPILOTGMBH-DE] gwy34.netpilot.net (62.67.240.17) 0.5/1.0ms
 2   [AS15968] [RIPE-C3/NETPILOTGMBH-DE] l3gate1.netpilot.net (62.67.194.62) 1.0/1.7ms
 3   [AS3356] [RIPE-NCC-212/UK-LVLT-990218] gi-6-3.car1.Munich1.Level3.net (212.162.1.65) 2.8/2.2ms
 4   [AS3356] [LVLT-ORG-4-8] ae-4-4.ebr1.Frankfurt1.Level3.net (4.69.134.2) 7.9/8.1ms
 5   [AS3356] [LVLT-ORG-4-8] ae-91-91.csw4.Frankfurt1.Level3.net (4.69.140.14) 9.0/8.9ms
 6   * [AS3356] [LVLT-ORG-4-8] ae-4-99.edge5.Frankfurt1.Level3.net (4.68.23.205) 7.9ms
 7   [AS3356] [RIPE-CBLK3/BBNPLANET-INTL] 195.16.160.46 9.3/30.3ms
**   [firewall] the next gateway may statefully inspect packets
 8   [AS28753] [89-RIPE/NETDIRECT-NET] 89-149-218-178.internetserviceteam.com (89.149.218.178) 13.1/8.5ms
 9   [AS28753] [89-RIPE/GIBIBITS-LTD-966647] [target] 89.149.236.145.internetserviceteam.com (89.149.236.145):80 11.4/9.3/*/*/*ms

LFT's trace took 3.53 seconds.  Resolution required 12.58 seconds.

inetnum:        89.149.236.0 - 89.149.236.255
netname:        GIBIBITS-LTD-966647
descr:          Gibibits-Limited
country:        CN
admin-c:        KB1643-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:         Konstantin Begidzhanov
address:        UL. Jovana Tomasevicha 23
address:        Bar
address:        Montenegro
phone:          +381 69 649426
fax-no:         +381 69 649 426
abuse-mailbox:  support@gibibits.com
nic-hdl:        KB1643-RIPE
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

person:       Simon Roehl
address:      netdirekt e. K.
address:      Kleyer Strasse 79 /Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
nic-hdl:      SR614-RIPE
mnt-by:       NETDIRECT-MNT
source:       RIPE # Filtered

% Information related to '89.149.192.0/18AS28753'

route:          89.149.192.0/18
descr:          netdirect Frankfurt, DE
origin:         AS28753
org:            ORG-nA8-RIPE
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

organisation:   ORG-nA8-RIPE
org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
admin-c:        SR614-RIPE
admin-c:        WW200-RIPE
mnt-ref:        NETDIRECT-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered


October 01, 2009, 03:25:15 pm
Reply #129

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
New campaign.

www.adtcp.ru/ads.js
Don't click on the search results!!

http://www.google.com/#hl=en&q=script+src%3Dwww.adtcp.ru&start=10&sa=N&fp=1&cad=b
Ruining the bad guy's day

October 01, 2009, 04:11:31 pm
Reply #130

SysAdMini

Just found on Gary Warner's blog:

Six Million? or is it 188 Million? Compromised Webpages
http://garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html

Quote
Last night we received word that the ASProx SQL injection attack was back in full swing. After several months of no activity, this botnet is back to its old tricks of attacking the vulnerable ASP pages on IIS servers, trying to add a malicious JavaScript link to legitimate webpages by manipulating the underlying Microsoft SQL servers.

The main site which is hosting the malicious code right now is "ads-t.ru". Sites which have been hacked by this attack tool will contain a tag which leads to the page "ads-t.ru/ads.js". A quick Google search for this string will currently reveal more than 6.5 Million webpages which have had this code injected.

The Javascript causes an IFRAME to be loaded which causes the following file to be loaded:
adtcp.ru/ad/index.php
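A defender-side check built from two chains described in this thread: the fake AV redirector, landing, fake scan and payload URL shapes in Malware-Web-Threats' posts above, and the Asprox script-tag injection in the quoted blog post. This is an added example, not code from the thread or from any tool it mentions; the HTML page and proxy log lines are constructed, and only the hostnames and path shapes are taken from the posts.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Script hosts named in the Asprox write-up quoted above and in SysAdMini's post.
ASPROX_SCRIPT_HOSTS = {"ads-t.ru", "adtcp.ru", "www.adtcp.ru"}

# Crude <script src=...> extractor. The injected tag is appended to page
# content as plain text, so a regex over the raw HTML is enough here.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*?\ssrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)

# URL shapes of the fake AV chain as posted in this thread:
# (label, path regex, query keys the request must carry).
FAKE_AV_RULES = [
    ("redirector-gophp", re.compile(r"^/go\.php$"), {"id", "key", "p"}),
    ("redirector-pidsid", re.compile(r"^/$"), {"pid", "sid"}),
    ("landing", re.compile(r"^/1/(index\.php)?$"), set()),
    ("fake-scan", re.compile(r"^/scan1/$"), {"pid", "engine"}),
    ("payload", re.compile(
        r"^/(download/Soft_\d+|load/Alpha-Scan-[0-9a-f]+_\d+)\.exe$"), set()),
    ("asprox-iframe", re.compile(r"^/ad/index\.php$"), set()),
]


def _split(url: str):
    """urlsplit that also accepts scheme-less and protocol-relative URLs."""
    if url.startswith("//"):
        url = "http:" + url
    elif "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def find_injected_scripts(html: str) -> List[str]:
    """Return script src URLs on the page that point at the Asprox hosts."""
    return [src for src in SCRIPT_SRC_RE.findall(html)
            if (_split(src).hostname or "").lower() in ASPROX_SCRIPT_HOSTS]


def classify_url(url: str) -> Optional[str]:
    """Map a requested URL to a stage of the chain, or None if nothing matches."""
    parts = _split(url)
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    for label, path_re, needed in FAKE_AV_RULES:
        if path_re.match(parts.path) and needed <= keys:
            return label
    return None


def scan_proxy_log(lines) -> List[Tuple[str, str, str]]:
    """Return (client, url, stage) for each request matching a chain stage.

    Line shape assumed for this example: '<timestamp> <client> <url>'.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        stage = classify_url(fields[2])
        if stage:
            hits.append((fields[1], fields[2], stage))
    return hits


# Constructed sample inputs (not captured data): a page with an appended script
# tag, and a proxy log in which one client walks the whole redirector ->
# landing -> fake scan -> payload chain while another hits the Asprox IFRAME.
SAMPLE_HTML = (
    "<html><body><h1>Products</h1>\n"
    "<table><tr><td>Widget</td><td>9.99</td></tr></table>\n"
    '<script src="http://www.example.org/site.js"></script>\n'
    "</body></html><script src=http://ads-t.ru/ads.js></script>"
)

SAMPLE_LOG = [
    "2009-09-26T12:54:18 10.0.0.7 http://thefinaldestination.cn/go.php?id=2004&key=ff0057594&p=1",
    "2009-09-26T12:54:19 10.0.0.7 http://bigbuckclub.cn/1/index.php",
    "2009-09-26T12:54:23 10.0.0.7 http://1mytotalscan.com/scan1/?pid=71&engine=CONSTRUCTED",
    "2009-09-26T12:54:40 10.0.0.7 http://1mytotalscan.com/download/Soft_21.exe",
    "2009-09-26T12:55:01 10.0.0.9 http://example.org/index.html",
    "2009-10-01T15:25:15 10.0.0.12 http://adtcp.ru/ad/index.php",
]

if __name__ == "__main__":
    for src in find_injected_scripts(SAMPLE_HTML):
        print("injected script:", src)
    for client, url, stage in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {stage:<18} {url}")
```

A single client hitting several stages in sequence, as 10.0.0.7 does in the sample, is the signal worth alerting on; a lone landing-page hit may just be a crawler.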

October 01, 2009, 07:00:02 pm
Reply #131

RS-232

  • Special Access
  • Sr. Member

  • Offline
  • *

  • 165
Some more info about the recent Asprox attacks...
http://phil-secu.over-blog.net/article-36697187.html
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

October 01, 2009, 07:18:39 pm
Reply #132

SysAdMini

Some more info about the recent Asprox attacks...
http://phil-secu.over-blog.net/article-36697187.html

The article mentions the low detection rate of the pdf exploit.
This is the current status:
https://www.virustotal.com/analisis/697993b5e5e7d882aa66a8ccef66363b22439bcf770513c2800c6de136c2a164-1254424431
McAfee   5758   2009.10.01   Exploit-PDF.q.gen!stream
McAfee+Artemis   5758   2009.10.01   Exploit-PDF.q.gen!stream
Sophos   4.45.0   2009.10.01   Troj/PDFJs-DJ
Sunbelt   3.2.1858.2   2009.10.01   Exploit.PDF-JS.Gen (v)

October 01, 2009, 07:33:28 pm
Reply #133

SysAdMini

TE report of the PDF payload:
http://www.threatexpert.com/report.aspx?md5=a44f0a660223e92d3119d49e5fce20ef

VT 6/41
http://www.virustotal.com/analisis/7d01a99514d5c2b6c5f8c81b0aa8c697b869c87d7f0f66797d6f2319c07d67cf-1254425485
AntiVir   7.9.1.27   2009.10.01   TR/FraudPack.ams
F-Secure   8.0.14470.0   2009.10.01   Suspicious:W32/Malware!Gemini
McAfee+Artemis   5758   2009.10.01   Artemis!A44F0A660223
McAfee-GW-Edition   6.8.5   2009.10.01   Trojan.FraudPack.ams
Microsoft   1.5101   2009.10.01   VirTool:Win32/Obfuscator.FI
Rising   21.49.22.00   2009.09.30   Packer.Win32.UnkPacker.a

October 02, 2009, 09:24:32 am
Reply #134

RS-232

...based on the TE reports above, some of them already added - you're faster than me...  ;)

Result: 12/41 (29.27%)
http://www.virustotal.com/analisis/4487fbec24ab08491e1e5272ed6079ab82dd081ecbcf1915cc805499214978fb-1254474418

Quote
hxxp://linkertagubert.com/apw1f1Vj0K3F0vdR4Ew7Xl -> already listed...
hxxp://okavanubares.com/apw1f1Vj0K3F0vdR4Ew7Xl -> already listed...
hxxp://buleropihertan.com/apw1f1Vj0K3F0vdR4Ew7Xl -> already listed...
hxxp://konitorsabure.com/apw1f1Vj0K3F0vdR4Ew7Xl
hxxp://ofaderhabewuit.com/apw1f1Vj0K3F0vdR4Ew7Xl
hxxp://uvgaderbotario.com/apw1f1Vj0K3F0vdR4Ew7Xl

linkertagubert.com   69.10.61.243
okavanubares.com     69.10.61.244
buleropihertan.com   69.10.61.245

linkertagubert.com   74.86.145.48
okavanubares.com     74.86.145.49
buleropihertan.com   74.86.145.50

ofaderhabewuit.com   66.79.179.44
konitorsabure.com    66.79.179.45
uvgaderbotario.com   66.79.179.46

A "lonesome" one of the same...69.10.40.163:
Quote
hxxp://dabertugaburav.com/apw1f1Vj0K3F0vdR4Ew7Xl

Quote
hxxp://ertonaferdogalo.com/apw1f1Vj0K3F0vdR4Ew7Xl -> 204.12.226.67 (and/or) 204.27.58.230...
hxxp://ertugasedumil.com/apw1f1Vj0K3F0vdR4Ew7Xl    -> 204.12.226.68 (and/or) 204.27.58.231...
hxxp://ertunagertos.com/apw1f1Vj0K3F0vdR4Ew7Xl      -> 204.27.58.232