Malware Domain List

Malware Related => Malicious Domains => Topic started by: Winston Smith on June 04, 2009, 05:21:14 pm

Title: Gumblar Drop sites grizimvozim.name and ShopVideoSchools.cn
Post by: Winston Smith on June 04, 2009, 05:21:14 pm
Systems began calling out to grizimvozim.name and ShopVideoSchools.cn after visiting Gumblar site 78.109.29.112.

hxxp://ShopVideoSchools.cn/v3/index.php and hxxp://grizimvozim.name/main.php were accessed at one-hour intervals following infection.

Title: Re: Gumblar Drop sites grizimvozim.name and ShopVideoSchools.cn
Post by: redwolfe_98 on June 05, 2009, 04:27:58 am
Interestingly, "grizimvozim.name" resolves to IP address 21.53.74.215:

21.0.0.0 - 21.255.255.255; DoD Network Information Center

I suppose that "DoD" is the U.S. "Department of Defense", especially considering that their contact information is "HOSTMASTER@nic.mil".

Title: Re: Gumblar Drop sites grizimvozim.name and ShopVideoSchools.cn
Post by: esh on June 08, 2009, 01:33:26 pm
I sent grizimvozim.name to bluecoat on 5/28 to be added to their malware category.

If you are seeing it, it is a botnet (well, you knew that much); they are utilizing grizimvozim.name subdomains (ww1, ww2, etc.) for their C&C.
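Added example, not part of any post in this thread: a small Python script that turns the two observations above (hourly callouts to the drop sites in the first post, and the ww1/ww2 subdomain C&C pattern in esh's reply) into detection logic over proxy logs. The domains and the 78.109.29.112 IP are the indicators from the thread; the log format (timestamp, client IP, host, path) and the log lines themselves are constructed for the example, and the hourly period, tolerance and minimum-hit thresholds are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the thread above.
IOC_DOMAINS = {"grizimvozim.name", "shopvideoschools.cn"}
IOC_IPS = {"78.109.29.112"}

# Constructed sample proxy log lines (timestamp, client, host, path); not real captures.
SAMPLE_LOG = """\
2009-06-04 09:02:11 10.1.1.20 78.109.29.112 /
2009-06-04 09:02:14 10.1.1.20 grizimvozim.name /main.php
2009-06-04 09:02:15 10.1.1.20 shopvideoschools.cn /v3/index.php
2009-06-04 09:30:00 10.1.1.20 www.example.com /index.html
2009-06-04 10:02:13 10.1.1.20 ww1.grizimvozim.name /main.php
2009-06-04 10:02:16 10.1.1.20 shopvideoschools.cn /v3/index.php
2009-06-04 11:02:12 10.1.1.20 ww2.grizimvozim.name /main.php
2009-06-04 11:02:17 10.1.1.20 shopvideoschools.cn /v3/index.php
2009-06-04 11:05:00 10.1.1.31 grizimvozim.name /main.php
2009-06-04 12:02:14 10.1.1.20 ww1.grizimvozim.name /main.php
"""

# Assumed log layout: "YYYY-MM-DD HH:MM:SS client host path".
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def ioc_domain_for(host):
    """Return the IOC a host matches, treating subdomains such as
    ww1.grizimvozim.name as hits on grizimvozim.name; None if no match."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host
    for domain in IOC_DOMAINS:
        # Suffix match with a leading dot so "notgrizimvozim.name" does not match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def ioc_hits(events):
    """Every (client, ioc) pair seen, with hit count; one-off visitors show up here too."""
    counts = defaultdict(int)
    for _ts, client, host, _path in events:
        ioc = ioc_domain_for(host)
        if ioc:
            counts[(client, ioc)] += 1
    return dict(counts)


def find_beacons(events, period=3600, tolerance=300, min_hits=3):
    """Report (client, ioc) pairs whose callouts recur at roughly `period` seconds.
    Thresholds are assumptions: a one-hour period with a five-minute tolerance,
    requiring at least three hits so a single visit is not flagged as beaconing."""
    times_by_key = defaultdict(list)
    for ts, client, host, _path in events:
        ioc = ioc_domain_for(host)
        if ioc:
            times_by_key[(client, ioc)].append(ts)
    beacons = {}
    for key, times in times_by_key.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            beacons[key] = gaps
    return beacons


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for key, n in sorted(ioc_hits(evts).items()):
        print("hit   ", key, "x%d" % n)
    for key, gaps in sorted(find_beacons(evts).items()):
        print("beacon", key, "intervals(s)=", gaps)
```

Run against the constructed log, the script reports 10.1.1.20 beaconing to both drop sites once an hour (the ww1/ww2 hosts fold into the grizimvozim.name indicator), while 10.1.1.31, which touched grizimvozim.name only once, appears in the hit list but not as a beacon. Matching on the registered domain rather than exact hostnames is what keeps the subdomain rotation esh describes from evading a plain blocklist lookup.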