Author Topic: daily something......

March 22, 2009, 03:27:03 pm
Reply #195

XiTri

Code:
http://judns.net/jud/pdf.php?id=124
http://judns.net/jud/pdf.php?id=111
http://judns.net/jud/load.php?id=9747&spl=2

March 22, 2009, 03:34:31 pm
Reply #196

XiTri

The exe is pasted into a gif.

Code:
ppkok.cn/file/mm.gif
http://28.16868.org/long/logo.gif
http://28.16868.org/long/logo18.gif
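
A defender-side check for the trick mentioned in this post (an executable served under a .gif name, or appended after a real GIF), added here as an example and not code from the thread; the sample bytes are constructed stand-ins, not the files linked above.

```python
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def find_pe(data: bytes):
    """Return the offset of the first MZ header whose e_lfanew points at a
    valid 'PE\\0\\0' signature, or None if no embedded PE image is found."""
    start = 0
    while True:
        mz = data.find(b"MZ", start)
        if mz < 0 or mz + 0x40 > len(data):
            return None
        e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]  # DOS header field
        pe = mz + e_lfanew
        if 0 < e_lfanew < len(data) and data[pe:pe + 4] == b"PE\0\0":
            return mz
        start = mz + 1  # "MZ" inside pixel data is not a header: keep scanning


def classify(data: bytes) -> dict:
    """Say what a file served as .gif really contains:
    gif, pe (exe renamed to .gif), gif+pe (exe appended to a gif) or other."""
    is_gif = data[:6] in GIF_MAGICS
    pe_offset = find_pe(data)
    if pe_offset is None:
        kind = "gif" if is_gif else "other"
    elif pe_offset == 0:
        kind = "pe"
    else:
        kind = ("gif" if is_gif else "other") + "+pe"
    return {"kind": kind, "pe_offset": pe_offset}


def _fake_pe() -> bytes:
    """Constructed stand-in: a 64-byte DOS header plus a PE signature.
    It is not a runnable executable, only enough to exercise the checks."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


# Constructed samples (a 1x1 GIF header plus a terminator, no real image data).
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"
SAMPLE_EXE_RENAMED = _fake_pe()                # "logo.gif" that is really an exe
SAMPLE_EXE_APPENDED = SAMPLE_GIF + _fake_pe()  # exe pasted after a valid gif

if __name__ == "__main__":
    for name, blob in [("gif", SAMPLE_GIF), ("renamed", SAMPLE_EXE_RENAMED),
                       ("appended", SAMPLE_EXE_APPENDED)]:
        print(name, classify(blob))
```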

March 22, 2009, 04:01:19 pm
Reply #197

CkreM

Waledac
Code:
http://duklin.againstfear.com/news.exe
Mal-Aware

March 22, 2009, 07:24:33 pm
Reply #198

bobby

205.209.143.94/1122.htm
205.209.143.94/000f1.htm
205.209.143.94/000f2.htm

haola123123.com/7700.htm
haola123123.com/0081.htm

It seems that more domains are sharing the same files, as I got 1122.htm as a string in more than one executable, and all are requesting this file from another domain.

March 23, 2009, 07:54:50 am
Reply #199

sowhat-x

This one is quite a bit hilarious...
Quote
hxxp://ygy.ru/index.php

DL lists...
Quote
hxxp://b.wuc7.com/tt.txt
hxxp://l.sog369.com/list.txt
hxxp://www.iukjthgvg.cn/kankan.txt

Quote
hxxp://70.38.11.165/admin/cgi-bin/get_domain.php?type=download
hxxp://best-click-download.info/install.php ---> Spawns fake av executable...

Quote
hxxp://69.249.79.161/print.exe
-> Waledac variant:
http://www.virustotal.com/analisis/892cc1f2514f891fc20c81baa4ec1a2f

http://www.bfk.de/bfk_dnslogger_en.html?query=78.129.166.5#result
I especially enjoyed this one in particular...
Quote
hxxp://rbckc.com/redir=1566237.php

March 23, 2009, 12:30:37 pm
Reply #200

sparsha

Code:
http://dlmaldef09.com/maldef09/install.php?track_id=10284
http://getmaldef09.com/maldef09/setup.php?track_id=10284
http://84.16.247.29/maldef09/setup.php?track_id=10284

Now time to track the "Total Security Protection" rogue throwaway sites

Code:
http://transformercity.cn/soft.php?aid=0479&d=1&refer=9d9cbe78e
http://antivirusonlineproscanner.com/promo/1/freescan.php?nu=880479&back==jQx3Tz2NkMOMI=N

March 23, 2009, 01:06:55 pm
Reply #201

sowhat-x

Quote
hxxp://xprotect.us/index.php?affid=02935
hxxp://personal-antivirus.com//download/PersonalAntivirus.exe
hxxp://protectprivacy18.com/maldef09_2/4/10250
hxxp://www.secure-data-group.com/

Various crap hosted in the following IPs; I've only had a really quick look at them:
some of the domains were already spotted in the past, others seem to be temporarily "inactive" or so (yeah, sure...)
http://www.bfk.de/bfk_dnslogger_en.html?query=78.26.179.189#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.40#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.41#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.42#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.126#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.127#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.128#result

March 23, 2009, 01:14:06 pm
Reply #202

CkreM

Code:
http://www.photogalleryy.com/image.php
Redirects to:
Code:
http://66.29.31.3/~rivux/PIC2009-02-15-JPG.exe
Code:
http://89.149.254.237/redirect.php?type=0
redirects to:
Code:
http://cancelyourdreams.cn/Installer2.exe
There is malware there from 1 to 6:
Code:
http://hackdownload.cn/install/1.exe

Mal-Aware

March 23, 2009, 02:31:31 pm
Reply #203

sowhat-x

Quote
hxxp://anti-virus-2010-pro.info/install.php
hxxp://anti-virus-2010-pro-downloads.info/en/exe/install.exe
http://www.bfk.de/bfk_dnslogger_en.html?query=70.38.19.201#result
================================================

Now, if someone can explain to me what in the world the purpose of this one is...  ???
Quote
hxxp://www.anti-virus-1.net/
It loads a Kaspersky .jpg advertisement from here...
Quote
hxxp://www.vaginoplasty-1.net/AV.jpg
Which is an open dir as well...
Quote
hxxp://www.vaginoplasty-1.net/

March 23, 2009, 04:35:21 pm
Reply #204

CkreM

Waledac:

Code:
http://antiterrornetwork.com/run.exe
http://fearalert.com/run.exe
http://terrorfear.com/run.exe
http://antiterroris.com/run.exe
http://terroralertstatus.com/run.exe
http://chatloveonline.com/run.exe
http://lovecentralonline.com/run.exe
http://supersalesonline.com/run.exe
http://bestlifeblog.com/run.exe
http://mobilephotoblog.com/run.exe

I could sit for hours and get like 100 domains which host it ;D
Mal-Aware

March 23, 2009, 04:48:59 pm
Reply #205

sowhat-x

Quote
I could sit for hours and get like 100 domains which host it  ;D
Lol ;-)
On a side note, the ShadowServer people are maintaining a regularly updated list of Waledac domains...
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

March 23, 2009, 04:52:34 pm
Reply #206

CkreM

Good to know  :o

I was checking domains registered on the same IP with http://www.bfk.de/bfk_dnslogger_en.html
Mal-Aware

March 23, 2009, 07:03:30 pm
Reply #207

GmG

Rootkit TDss
Code:
http://plumpals.com/download/666c507271673d3d83b13d19/License.v.3.413.exe

OSX/RSPlug-F (user agent = Mac OS X)
Code:
http://plumpals.com/download/666c507271673d3d83b13d19/License.v.3.413.dmg
http://www.virustotal.com/it/analisis/438939832ba104f34907e919bc2ddac1

March 24, 2009, 05:23:55 am
Reply #208

sowhat-x

Waledac crap... current detection rates in VirusTotal at 6/39 (15.39%), here's a sample report:
http://www.virustotal.com/analisis/fb778f91c5a76e68eddbec3955c7dd44
Quote
hxxp://24.9.38.40/save.exe
hxxp://64.95.58.150/contact.exe
hxxp://64.95.58.153/news.exe
hxxp://67.223.10.108/save.exe
hxxp://69.242.22.235/main.exe
hxxp://69.14.54.169/save.exe
hxxp://69.14.99.11/contact.exe
hxxp://98.127.138.99/print.exe
hxxp://98.127.144.188/contact.exe
hxxp://99.190.177.125/run.exe

C&C servers...
Quote
hxxp://213.155.4.80/bm/controller.php?action=bot&entity_list=
hxxp://213.155.6.32/fine/controller.php?action=bot&entity_list=

Quote
hxxp://medievalmusic.by.ru/ -> Open dir...
More crap in the same IP, spamming/phishing etc...
http://www.bfk.de/bfk_dnslogger_en.html?query=87.242.78.57#result
http://www.robtex.com/ip/87.242.78.57.html

It also redirects strhq.cn that was spotted previously...
Quote
hxxp://medievalmusic.by.ru/mhstchk.php

March 24, 2009, 07:14:57 am
Reply #209

SysAdMini

Quote
It also redirects strhq.cn that was spotted previously...
Quote
hxxp://medievalmusic.by.ru/mhstchk.php

Have you seen this ?

Code:
<?php echo "<!--"."hello_my_little_friend._You_have_download_this_page_and_see_th"."is_source._We_do_not_delete_anything_only_upload_change_your_passwords_and_do_not_say_it_to_anybody"."-->"?>
Ruining the bad guy's day