Author Topic: redirectcounter1.com

November 09, 2009, 05:50:44 pm

eoin.miller

Site is hosting some nasty stuff.
http://www.redirectcounter1.com/lborzp2.exe (you have to check in before you are able to DL).

Pulled the binary from the pcaps and only 4/41 triggered on virustotal:
http://www.virustotal.com/analisis/ea8c35f562103284c582220d32b076e83bb6d0acd0ec79342c017c7bc219adc1-1257433073

ThreatExpert Report:
http://www.threatexpert.com/report.aspx?md5=c23e0f9dd1e61dd54e1814bd225bbd0f


November 09, 2009, 08:38:21 pm
Reply #1

SysAdMini

Ruining the bad guy's day

November 09, 2009, 10:25:58 pm
Reply #2

eoin.miller

Yea, looks like you have to have checked in to another URL prior to DL'ing (or have referrer)

http://91.212.127.226/check - Listed in MalwareURL.com
http://91.212.127.227/check - Listed in MalwareURL.com
http://193.169.12.50/check - Listed in MalwareURL.com
http://193.169.12.53/check - NOT listed anywhere currently

If you try to go to the URL for the exe posted previously, it won't let you pull it and spits back this error:

Quote:
    The encoded file /var/www/user/data/www/redirectcounter1.com/load.php is not permissioned for xxx.xxx.xxx.xxx

This is just more Internet Antivirus Pro; we have found it to be pushed by malicious PDFs, and the 193.169.12.0/23 range seems to be quite suspect.

November 09, 2009, 10:34:04 pm
Reply #3

SysAdMini

Thanks for the explanation.

November 10, 2009, 02:25:36 am
Reply #4

Malware-Web-Threats

Interesting...

Fragus exploit pack at:

Code:
    redirectcounter1.com/news.php

Trojan Alureon (TDSS):

Code:
    193.169.12.51/trt.exe
    193.169.12.53/trt.exe

http://www.virustotal.com/analisis/c1c1980b2e25dabf215db976efd879a91517dd9151467960e300cc173181b755-1257818989 - 17/40 (42.50%)

November 10, 2009, 12:51:23 pm
Reply #5

CkreM

Or you can just remove the www.

Code:
    www.redirectcounter1.com/load.php

will give "The encoded file /var/www/user/data/www/redirectcounter1.com/load.php is not permissioned for xxx.xxx.xxx.xx", but

Code:
    redirectcounter1.com/load.php

will not.
Mal-Aware