Author Topic: a2h7uploading.com Malware Site unknown functionality  (Read 3584 times)


July 30, 2009, 06:24:27 pm

Winston Smith

Saw a2h7uploading.com appearing on a number of Zeus infected machines, the string was usually something like:

hxxp://133007d90712.a2h7uploading.com/get.php?c=HXBIBLID&d=26606B673934206A616D37783C3F3F3C2026222A327A7A73476C737F21282E2A164311161403534E4C141A1D1C1E6D1705720B70750002060000037E7909097A05710306737D03727F796C28203B2B3D6D6761753D263733353034666C7B2B315D145A0006515341071A1C0E1E05075245571D000210041B17

hxxp://212907d90701.a2h7uploading.com/get.php

hxxp://062907d90730.a2h7uploading.com/get.php

Don't know if it's a drop site or Zeus call-home site, or if it is just a secondary infection, but WhoIs shows it was registered on 15-jul-2009.

Wepawet lists the site as suspicious.

July 30, 2009, 08:00:23 pm
Reply #1

SysAdMini

I don't know what it is, but you can use anything as a subdomain name.
The "d" parameter has to be valid. Modifying the subdomain or the "c" parameter doesn't change the response.
If "d" is invalid, then site returns 404. Other filenames than get.php redirect to uploading.com.
Ruining the bad guy's day

August 06, 2009, 07:00:18 pm
Reply #2

Winston Smith

That would make sense. Based on what you saw, I suspect the D parameter is a machine-specific identifier.

The C parameter is most likely the encrypted outbound data going back home.
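The observations in this thread (a throwaway subdomain under a2h7uploading.com, a fixed get.php path, a short "c" value and a long hex "d" value, with only "d" mattering to the server) translate directly into a detection rule for proxy logs. The script below is an added example, not code from the thread or from any of the posters. It keys the match on the registered domain and the get.php path rather than on the subdomain, because the reply above shows the subdomain can be anything, and it classifies each hit into the three response classes the reply describes (get.php with a hex "d", get.php without a valid "d", and any other filename). The log format, the client addresses and the timestamps are constructed for the example; the three URLs are the ones quoted in the first post with hxxp re-armed to http. The decoded "d" bytes are treated as opaque; nothing here assumes what they mean.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Registered domain from the thread. The subdomain is matched loosely ([^.]+)
# because the reply notes that any subdomain name is accepted by the server.
BASE_DOMAIN = "a2h7uploading.com"
HOST_RE = re.compile(r"^(?P<sub>[^.]+)\." + re.escape(BASE_DOMAIN) + r"$")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Constructed proxy log lines (hypothetical format: timestamp client method url status).
# The URLs are the three quoted in the first post, re-armed from hxxp to http.
SAMPLE_LOG = """\
2009-07-30T18:20:11Z 10.0.0.12 GET http://133007d90712.a2h7uploading.com/get.php?c=HXBIBLID&d=26606B673934206A616D37783C3F3F3C2026222A327A7A73476C737F21282E2A164311161403534E4C141A1D1C1E6D1705720B70750002060000037E7909097A05710306737D03727F796C28203B2B3D6D6761753D263733353034666C7B2B315D145A0006515341071A1C0E1E05075245571D000210041B17 200
2009-07-30T18:21:03Z 10.0.0.13 GET http://212907d90701.a2h7uploading.com/get.php 404
2009-07-30T18:22:45Z 10.0.0.14 GET http://www.example.com/index.html 200
2009-07-30T18:23:09Z 10.0.0.12 GET http://062907d90730.a2h7uploading.com/other.php 302
"""


def classify_url(url: str):
    """Return a dict describing a hit on the suspicious domain, or None for other hosts."""
    parts = urlsplit(url)
    m = HOST_RE.match(parts.hostname or "")
    if not m:
        return None
    qs = parse_qs(parts.query)
    c = qs.get("c", [None])[0]
    d = qs.get("d", [None])[0]
    d_is_hex = bool(d) and bool(HEX_RE.match(d))
    if parts.path != "/get.php":
        verdict = "other-path"      # reply: other filenames redirect to uploading.com
    elif d_is_hex:
        verdict = "get-with-d"      # the form the first post saw on infected hosts
    else:
        verdict = "get-without-d"   # reply: an invalid or missing d yields a 404
    return {
        "subdomain": m.group("sub"),
        "path": parts.path,
        "c": c,
        "d_is_hex": d_is_hex,
        # Decoded length only; the content is opaque to this detector.
        "d_len_bytes": len(bytes.fromhex(d)) if d_is_hex else 0,
        "verdict": verdict,
    }


def scan_log(text: str):
    """Run classify_url over every line of the constructed log format and collect hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, status = fields[:5]
        info = classify_url(url)
        if info:
            info.update(ts=ts, client=client, status=status)
            hits.append(info)
    return hits


def infected_clients(text: str):
    """Distinct client addresses that talked to the domain at all; any contact is worth triage."""
    return sorted({h["client"] for h in scan_log(text)})


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} {h['verdict']:14} sub={h['subdomain']} "
              f"c={h['c']} d_bytes={h['d_len_bytes']} status={h['status']}")
    print("clients to triage:", ", ".join(infected_clients(SAMPLE_LOG)))
```

Because the server ignores the subdomain, an allow- or block-list entry should cover the whole registered domain, and the verdict field is mainly useful for triage ordering: a "get-with-d" hit is a host that actually sent the server something it accepted, while the other two classes still show contact with the domain and belong on the same investigation list.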