Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on February 25, 2010, 05:23:40 pm

Title: aervrfhu.ru - Bredolab/Oficla Check In Site
Post by: eoin.miller on February 25, 2010, 05:23:40 pm
Seeing infected hosts reach back out to aervrfhu.ru to check in:

Code:
GET /kjflth/bb.php?v=200&id=833711035&b=5541074310&tm=52 HTTP/1.1
User-Agent: Opera\9.64
Host: aervrfhu.ru

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Feb 2010 14:23:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.11
Vary: Accept-Encoding,User-Agent
Content-Length: 37
[info]delay:45|upd:0|backurls:[/info]

This trips several Snort alerts. Additionally, this IP is listed in the MDL with other host names for running the YES exploit kit and Bredolab:

http://www.malwaredomainlist.com/mdl.php?search=193.104.94.45
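Added example (not code from the post or from MDL): a small Python detector run over constructed proxy log lines that flags the bb.php check-in pattern quoted above, plus a parser for the `[info]...[/info]` body the C&C returns. The log line layout and the client IPs are assumptions; the request, User-Agent and response body are copied from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not from the post): the first reproduces
# the quoted check-in request; the other two are benign look-alikes.
SAMPLE_LOG = [
    '2010-02-25T14:23:03Z 10.0.0.12 GET http://aervrfhu.ru/kjflth/bb.php?v=200&id=833711035&b=5541074310&tm=52 "Opera\\9.64"',
    '2010-02-25T14:23:05Z 10.0.0.13 GET http://example.org/index.html "Mozilla/5.0 (Windows NT 6.1)"',
    '2010-02-25T14:23:09Z 10.0.0.14 GET http://example.net/bb.php?page=2 "Opera/9.64"',
]
# Constructed copy of the body the post shows the C&C returning.
SAMPLE_RESPONSE = "[info]delay:45|upd:0|backurls:[/info]"

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')  # ts src method url "ua"
CHECKIN_PARAMS = {"v", "id", "b", "tm"}  # query keys seen in the quoted request
INFO_RE = re.compile(r"\[info\](.*?)\[/info\]", re.S)

def checkin_indicators(log_line):
    """Return the names of the check-in indicators a log line matches."""
    m = LOG_RE.match(log_line)
    if not m:
        return []
    url, ua = m.group(4), m.group(5)
    parts = urlsplit(url)
    hits = []
    if parts.path.endswith("/bb.php") and CHECKIN_PARAMS <= set(parse_qs(parts.query)):
        hits.append("bb.php with v/id/b/tm query")
    # A genuine Opera UA reads "Opera/9.64"; the bot sends "Opera\9.64" with a backslash.
    if "\\" in ua:
        hits.append("backslash in User-Agent")
    return hits

def find_checkins(lines, min_indicators=2):
    """Return the log lines matching at least min_indicators indicators."""
    return [ln for ln in lines if len(checkin_indicators(ln)) >= min_indicators]

def parse_checkin_response(body):
    """Parse the [info]key:value|...[/info] body into a dict; None if absent."""
    m = INFO_RE.search(body)
    if not m:
        return None
    fields = {}
    for part in m.group(1).split("|"):
        key, _, value = part.partition(":")
        if key:
            fields[key] = value
    return fields
```

Requiring two indicators keeps a lone `/bb.php` hit on an unrelated site from firing on its own.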
Title: Re: aervrfhu.ru - Bredolab/Oficla Check In Site
Post by: CkreM on February 25, 2010, 05:31:00 pm
This is Oficla C&C.

Currently downloading a file from:
Code:
sys.telesweet.net/forums/download/za.exe

http://www.virustotal.com/analisis/e3b4fa1f2686cced685ce0727276db24ba1ebba8cb88d6b357c80d577f37d6be-1267118926