clickscompile and u.clickscompile

[Barry]

This seems to be rather recent:

http://clickscompile.com

and

http://u.clickscompile.com

I would be interested if someone has more information on these. I can offer the following meager stream information from a Wireshark pcap file:

GET /p/proxy/106 HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Host: u.clickscompile.com

Pragma: no-cache



HTTP/1.1 200 OK

Date: Thu, 22 Jul 2010 01:29:02 GMT

Server: Apache/2.2.8 (Unix) PHP/5.2.6

X-Powered-By: PHP/5.2.6

Connection: close

Content-Type: text/html



70,5,2,0,0

[Barry]

Raw pcap file attached, for those interested

[cr4shm0ney]

Hi Barry,

Do you know what malware if any is associated with this domain?

Thanks!

[Barry]

Hi Barry,

Do you know what malware if any is associated with this domain?

Thanks!

Hi, don't know if this helps, but anecdotely, each time the PC in question has connected to the site in the manner shown, a variant of what appears to be deepdive shows up on the PC as C:\program files\shared\lib.dll and has an addon in IE8 associated with it. I say "appears", because although norton detects it and fixes it, it is by "reputation" and not by "signature". Meaning, it recognizes the directory and file as being suspicous, but did not find anything wrong with the file itself. I do not yet know what's on the PC that causes it to connect to the site, but continue to try and find it. I would not be surprised if the mechanism was capable of loading other malware. As you can see though, it definitely connects to the clickscompile url. Also, I believe the clickscompile domain was recently registered in June of this year, so it is probably something new.

[cr4shm0ney]

I think you might have a typo in the domain, I believe you might be thinking of clickzcompile.com part of the Exedot trojan.

http://www.threatexpert.com/report.aspx?md5=225aef2b0e613c37837d8a519a7d3b14

[Barry]

Hi, I was going by this, but it might not be the best source:

http://www.tastereports.com/domain.html?domain=clickscompile.com

The malware on the PC does a DNS on clickscompile.com, then uses the obtained ip address to do the rest. Thanks for your input, it would be great to find out what this is

[Barry]

Found a little more that may or may not be of value for this site:

http://www.robtex.com/dns/u.clickscompile.com.html#shared

http://www.robtex.com/dns/u.clickscompile.com.html#blacklists

[cr4shm0ney]

I believe this is the ExeDot trojan dropper, I would advise blocking the following.

http://www.symantec.com/security_response/writeup.jsp?docid=2010-072114-4649-99&tabid=2

k.komplexad.com
*.clickscompile.com
*.uatoolbar.com
aditopia.com
clickscompile.com
feed.aditopia.com
u.clickzcompile.com
u.uatoolbar.com
uametrics.com