Author Topic: aervrfhu.ru - Bredolab/Oficla Check In Site  (Read 4086 times)

February 25, 2010, 05:23:40 pm

eoin.miller

Seeing infected hosts reach back out to aervrfhu.ru to check in:

Code:
GET /kjflth/bb.php?v=200&id=833711035&b=5541074310&tm=52 HTTP/1.1
User-Agent: Opera\9.64
Host: aervrfhu.ru

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Feb 2010 14:23:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.11
Vary: Accept-Encoding,User-Agent
Content-Length: 37
[info]delay:45|upd:0|backurls:[/info]

This trips several Snort alerts. Additionally, this IP is listed in the MDL with other host names for running the YES exploit kit and Bredolab:

http://www.malwaredomainlist.com/mdl.php?search=193.104.94.45
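
A detection sketch for the check-in shown in the post above, added here as an example and not part of the original post or any existing Snort rule. It assumes the `bb.php` script name, the four numeric parameters and the `[info]...[/info]` wrapper generalise from this single capture; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed from the capture quoted in the post above.
SAMPLE_REQUEST = (
    "GET /kjflth/bb.php?v=200&id=833711035&b=5541074310&tm=52 HTTP/1.1\r\n"
    "User-Agent: Opera\\9.64\r\n"
    "Host: aervrfhu.ru\r\n\r\n"
)
SAMPLE_BODY = "[info]delay:45|upd:0|backurls:[/info]"

CHECKIN_PARAMS = ("v", "id", "b", "tm")   # parameter names seen in the capture
INFO_RE = re.compile(r"\[info\](.*?)\[/info\]", re.S)


def match_checkin(raw_request):
    """Return the check-in fields if the request has the shape seen in the capture, else None."""
    head = raw_request.replace("\r\n", "\n").partition("\n\n")[0]
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    query = parse_qs(url.query, keep_blank_values=True)
    # Assumption: the script name and the four numeric parameters are stable.
    if not url.path.endswith("/bb.php") or sorted(query) != sorted(CHECKIN_PARAMS):
        return None
    if not all(len(v) == 1 and v[0].isdigit() for v in query.values()):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    ua = headers.get("user-agent", "")
    fields = {k: query[k][0] for k in CHECKIN_PARAMS}
    fields["host"] = headers.get("host", "")
    # A backslash where a product token normally has "/" (Opera\9.64) is a second signal.
    fields["odd_user_agent"] = "\\" in ua
    return fields


def parse_info(body):
    """Split the [info]...[/info] reply into key/value pairs; None if the wrapper is absent."""
    m = INFO_RE.search(body)
    if m is None:
        return None
    pairs = (item.partition(":") for item in m.group(1).split("|") if item)
    return {key: value for key, _, value in pairs}
```

Matching on the request shape and the response wrapper rather than the host name keeps the check useful when the same traffic moves to another domain on that IP.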

February 25, 2010, 05:31:00 pm
Reply #1

CkreM

Mal-Aware