Author Topic: Attention !! Malwaredomainlist(s).com distributes Rogue AV  (Read 18936 times)

0 Members and 1 Guest are viewing this topic.

August 01, 2009, 09:59:06 pm
Read 18936 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
Some of our visitors has just sent me note about a new Rogue Antivirus site.

This site uses the domain name malwaredomainlists.com.
Notice the s at the end of the name !!

The entry point to this crap is url
Code: [Select]
malwaredomainlists.com/block.php
Don't mix it up with our site.
Ruining the bad guy's day

August 02, 2009, 02:25:07 am
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1689
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 02, 2009, 03:57:02 am
Reply #2

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Mal-Aware

August 03, 2009, 06:50:28 am
Reply #3

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
Ruining the bad guy's day

August 04, 2009, 05:14:30 pm
Reply #4

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1689
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
MalwareURL has a fan now too, hehe;

malwareurlblock.com

Kudos to Anthony for the heads up.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 04, 2009, 05:39:52 pm
Reply #5

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
MalwareURL has a fan now too, hehe;

malwareurlblock.com

Kudos to Anthony for the heads up.

Looks exactly like the issue we had.

Code: [Select]
malwareurlblock.com/block.php
Also hosted in Germany - coincidence ?

The ip address is also known for malware.

http://www.malwaredomainlist.com/mdl.php?search=83.133.123.113&colsearch=All&quantity=50

The ip address were the MDL fake was hosted a fews ago, was also a known Fake AV host.

http://www.malwaredomainlist.com/mdl.php?search=78.47.91.153&colsearch=All&quantity=50&inactive=on

Looks like some kind of revenge.
Ruining the bad guy's day

August 05, 2009, 09:32:49 am
Reply #6

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
One more:

Code: [Select]
explorersecurityhelper.com/block.php
Ruining the bad guy's day

August 05, 2009, 04:17:26 pm
Reply #7

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die Lösung für Ihr Spam-Problem
here is this piece of code as evidence:

-- gerhard
Code: [Select]
start tracing target: 83.133.123.113 ()

Tracing __________________________________________________________________________!____.

TTL  LFT trace to t1010.greatnet.de (83.133.123.113):80/tcp
 1   [AS15968] [RIPE-C3/NETPILOTGMBH-DE] gwy.netpilot.net (62.67.240.1) 0.6/1.5ms
 2   [AS15968] [RIPE-C3/NETPILOTGMBH-DE] gwy34.netpilot.net (62.67.240.17) 1.0/0.8ms
 3   [AS15968] [RIPE-C3/NETPILOTGMBH-DE] l3gate1.netpilot.net (62.67.194.62) 1.5/1.9ms
 4   [AS3356] [RIPE-NCC-212/UK-LVLT-990218] gi-6-3.car1.Munich1.Level3.net (212.162.1.65) 2.5/125.5ms
 5   [AS3356] [LVLT-ORG-4-8] ae-4-4.ebr1.Frankfurt1.Level3.net (4.69.134.2) 8.4/8.9ms
 6   [AS3356] [LVLT-ORG-4-8] ae-81-81.csw3.Frankfurt1.Level3.net (4.69.140.10) 19.2/19.3ms
 7   [AS3356] [LVLT-ORG-4-8] ae-3-89.edge6.Frankfurt1.Level3.net (4.68.23.142) 8.3/8.7ms
 8   [AS3356] [RIPE-CBLK3/BBNPLANET-INTL] LAMBDANET.edge6.Frankfurt1.Level3.net (195.16.161.6) 9.2/10.3ms
 9   [AS13237] [217-RIPE/EU-LAMBDANET-CORE-DE-P2P-2] MUC-1-eth000.de.lambdanet.net (217.71.96.166) 15.4/16.0ms
**   [firewall] the next gateway may statefully inspect packets
10   [AS13237] [217-RIPE/LNC-DE-CUSTOMERLINKS3] GRE-0-pos1337.de.lambdanet.net (217.71.107.50) 16.4/16.3ms
11   [AS13237] [83-RIPE/LNCDE-GREATNET-NEWMEDIA] [target] t1010.greatnet.de (83.133.123.113):80 16.4/17.0/*/*/*ms

LFT's trace took 3.75 seconds.  Resolution required 12.09 seconds.



end tracing target 83.133.123.113
start whois lasthop for (83.133.123.113)

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '83.133.96.0 - 83.133.127.255'

inetnum:        83.133.96.0 - 83.133.127.255
netname:        LNCDE-GREATNET-NEWMEDIA
descr:          Greatnet New Media.
country:        DE
admin-c:        FL1331-RIPE
tech-c:         FL1331-RIPE
status:         ASSIGNED PA
mnt-by:         LNC-MNT
mnt-lower:      LNC-MNT
source:         RIPE # Filtered

person:         Frazzetta Lindner
address:        Greatnet New Media
address:        Brentenstrasse 4a
address:        D-83734 Hausham
address:        Germany
phone:          +49 1805 47328638
fax-no:         +49 1805 444894696
nic-hdl:        FL1331-RIPE
abuse-mailbox:  abuse@greatnet.de
mnt-by:         LNC-MNT
source:         RIPE # Filtered

% Information related to '83.133.0.0/16AS13237'

route:          83.133.0.0/16
descr:          Lambdanet Operations - German region
origin:         AS13237
mnt-by:         LNC-MNT
source:         RIPE # Filtered




end whois lasthop for (83.133.123.113)
start list of email contacts:

abuse@greatnet.de


end list of email contacts:
start transcript of session:

DEBUG output created by Wget 1.10.2 on linux-gnu.

--18:19:10--  http://explorersecurityhelper.com/block.php
           => `/tmp/BARv4HToC'
Connecting to 62.67.194.52:3128... connected.
Created socket 19.
Releasing 0x0808f138 (new refcount 0).
Deleting unused 0x0808f138.

---request begin---
GET http://explorersecurityhelper.com/block.php HTTP/1.0
Pragma: no-cache
User-Agent: Mozilla/5.0 (compatible; en-US)
Accept: */*
Host: explorersecurityhelper.com

---request end---
Proxy request sent, awaiting response...
---response begin---
HTTP/1.0 200 OK
Date: Wed, 05 Aug 2009 16:19:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Content-Length: 2629
Content-Type: text/html
X-Cache: MISS from dbserver.op.netpilot.net
X-Cache-Lookup: MISS from dbserver.op.netpilot.net:23128
Proxy-Connection: close

---response end---

  HTTP/1.0 200 OK
  Date: Wed, 05 Aug 2009 16:19:10 GMT
  Server: Apache
  X-Powered-By: PHP/5.2.8
  Content-Length: 2629
  Content-Type: text/html
  X-Cache: MISS from dbserver.op.netpilot.net
  X-Cache-Lookup: MISS from dbserver.op.netpilot.net:23128
  Proxy-Connection: close
Length: ignored [text/html]

    0K ..                                                        3.76 MB/s

Closed fd 19
18:19:10 (3.76 MB/s) - `/tmp/BARv4HToC' saved [2629]



end transcript of session
start of offending raw content:

<html xmlns="http://www.w3.org/1999/xhtml" class="blacklist">
  <head>
    <link rel="stylesheet" href="img/style.css" type="text/css" media="all"/>
  <title>Warning! Visiting this site may harm your computer!</title></head>
<body>
  <table width="645" border="0" align="center" cellpadding="0" cellspacing="0" style="margin-top:60px;
font-size:11px;">
    <tr>
      <td width="18"><img src="img/001.gif" width="19" height="19"></td>
      <td width="620" bgcolor="#772222"  style=" border-top:#808080 solid 1px;">&nbsp;</td>
      <td width="18" align="right"><img src="img/002.gif" width="19" height="19"></td>
    </tr>
    <tr>
      <td width="18" bgcolor="#772222"  style=" border-left:#808080 solid 1px;">&nbsp;</td>
      <td width="620" bgcolor="#772222"><table width="100%" border="0" cellspacing="5" cellpadding="0">
        <tr>
          <td width="13%" valign="top" align="center"><img src="img/ico.gif" width="63" height="64"></td>
          <td width="87%" valign="top"><div style="font-size:17px; color:#ffffff; border-bottom:1px solid
#FFF;"><strong>Warning! Visiting this site may harm your computer!</strong>
          </div>
          <div style=" margin-top:18px; color:#FFF; font-size:12px;">
         
         
     
            <p>This web site probably contains malicious software program, which can cause damage to your computer or
perform actions without your permission. Your computer may be infected after visiting such web site.</p>
            <p>We recommend you to install (or activate) antivirus security software.</p>
            <p>I do realize that visiting this site can cause harm to my computer.</p>
            <table width="100%" border="0" cellspacing="0" cellpadding="0" style="margin-top:26px;">
              <tr>
                <td width="18%"><form action="" method="GET"><input type="submit" id="button" value="Continue
Unprotected"></form></td>
                <td width="4%">&nbsp;</td>
                <td width="78%"><form action="/1/" method="GET"><input type="hidden" value="" name="id"><input
type="submit" id="button2" value="Get security software"></form></td>
              </tr>
            </table>
          </div></td>
        </tr>
      </table></td>
      <td width="18" bgcolor="#772222"  style=" border-right:#808080 solid 1px;">&nbsp;</td>
    </tr>
    <tr>
      <td width="18"><img src="img/004.gif" width="19" height="19"></td>
      <td width="620" bgcolor="#772222"  style=" border-bottom:#808080 solid 1px;">&nbsp;</td>
      <td width="18" align="right"><img src="img/003.gif" width="19" height="19"></td>
    </tr>
  </table>


</body>
</html>

end of offending raw content

August 05, 2009, 05:00:26 pm
Reply #8

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
here is this piece of code as evidence:

I'm sorry, I don't understand. Please explain.
Ruining the bad guy's day

August 05, 2009, 06:13:06 pm
Reply #9

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die Lösung für Ihr Spam-Problem
hi

look into previous post code box...

content:

1st: trace from our site to them
2nd: whois informations for ip
3rd: wget transcript
4th: wget content of this piece of shit...

-- gerhard

August 05, 2009, 06:27:06 pm
Reply #10

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
hi

look into previous post code box...

content:

1st: trace from our site to them
2nd: whois informations for ip
3rd: wget transcript
4th: wget content of this piece of shit...

I don't see any relation to the rogue av discussed in this thread.
Ruining the bad guy's day

August 05, 2009, 06:35:40 pm
Reply #11

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die Lösung für Ihr Spam-Problem
i just wanted to document the content of "http://explorersecurityhelper.com/block.php" ...
nothing else...

-- gerhard

August 05, 2009, 06:42:54 pm
Reply #12

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
i just wanted to document the content of "http://explorersecurityhelper.com/block.php" ...
nothing else...

-- gerhard

Please don't feel offended. I just wanna understand it. To be honest : I still don't see it.
Ruining the bad guy's day

August 06, 2009, 09:08:01 am
Reply #13

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1689
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 06, 2009, 11:34:40 am
Reply #14

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3325
Ruining the bad guy's day