Author Topic: drv32.data sites  (Read 4879 times)


May 03, 2008, 03:06:33 pm

steven (Shadowserver Foundation)
I saw at least one of the websites that hosts this malware was posted on here, so I thought I'd pull together a quick laundry list of related hosts/domains.



"drv32.data" is typically the same or a similar piece of malware that is generally grabbed to make sure the trojan is up-to-date.  The following URLs serve drv32.data:


Some longer paths to the same or similar files:

hxxp://ieantivirus.com/download.php -> hxxp://ieantiavdownload.com/ieav.exe = hxxp://ieantiavdownload.com/drv32.data
hxxp://files-secure.com/d.php -> hxxp://malwarebellagreement.com/mb.exe

These hosts are primarily spread out over these IPs:

78.129.158.225
78.129.166.25
78.129.166.35
89.149.227.195

There are some other related domains for the affiliate program such as:

stable2.com
ruler-cash.com
spy-partners.com

These things are spread in a number of ways.  Many of them involve a fake video codec error.  Others attempt to sell products or memberships to sites (music, pornography, etc.).

May 03, 2008, 04:09:54 pm
Reply #1

sowhat-x (Guest)
Thanks steven...and welcome on board!  :)

May 03, 2008, 11:11:43 pm
Reply #2

JohnC
Thanks Steven.

Sites hosted on 89.149.227.195



I think they belong to the people behind the IEDefender rogue, but I might be mistaken.

Previous IPs they have used (no longer alive):


Current IPs used:


May 04, 2008, 11:15:29 pm
Reply #3

steven (Shadowserver Foundation)
Thanks steven...and welcome on board!  :)

Thanks ;D