Author Topic: daily something......  (Read 797411 times)

0 Members and 1 Guest are viewing this topic.

March 31, 2009, 11:31:12 am
Reply #240

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Code: [Select]
http://steer2.co.uk/im/172.exe
http://steer2.co.uk/im/88.exe
http://steer2.co.uk/im/adv.exe
http://steer2.co.uk/im/avscan.exe
http://steer2.co.uk/im/podmena.exe

already added some days ago.  ;)

http://www.malwaredomainlist.com/mdl.php?search=steer2.co.uk&colsearch=All&quantity=50
Ruining the bad guy's day

March 31, 2009, 01:00:55 pm
Reply #241

GmG

  • Special Members
  • Full Member

  • Offline
  • *

  • 92
Code: [Select]
http://steer2.co.uk/im/172.exe
http://steer2.co.uk/im/88.exe
http://steer2.co.uk/im/adv.exe
http://steer2.co.uk/im/avscan.exe
http://steer2.co.uk/im/podmena.exe

already added some days ago.  ;)

http://www.malwaredomainlist.com/mdl.php?search=steer2.co.uk&colsearch=All&quantity=50

Sorry  :'(

Rootkit TDSS
Code: [Select]
http://91.207.61.180/images/138/v3/file.exe

Code: [Select]
http://kxc-softwaresportal.com/promo.exe
http://updateserver.info/loads/traff.exe
http://updateserver.info/loads/instcash.exe
http://f-o-r.ms/xpre.tmp
http://f-o-r.ms/xrun.tmp

Mebroot
Code: [Select]
http://1681online.com/ld/dx/
http://wepawet.cs.ucsb.edu/view.php?hash=79ec6e02b38cad246c44c87dbeb4c2c6&t=1238508047&type=js

Rogue on googlecode like
http://sunbeltblog.blogspot.com/2009/03/google-code-site-used-as-malware.html

Code: [Select]
http://vlrm.googlecode.com/svn/trunk/
http://ultra-av.googlecode.com/svn/trunk/

Refpron
Code: [Select]
http://174.133.72.250/p1212/2.0/w.bin

Code: [Select]
http://mnnz.biz/ar/
http://mnnz.biz/ar/exe.php

March 31, 2009, 01:13:00 pm
Reply #242

sowhat-x

  • Guest

March 31, 2009, 01:14:48 pm
Reply #243

GmG

  • Special Members
  • Full Member

  • Offline
  • *

  • 92

March 31, 2009, 01:25:46 pm
Reply #244

sowhat-x

  • Guest
Lol,Bluetack is pretty much one of the best english-speaking malware hunting forums out there,
but it doesn't really get the attention that it should from the security community unfortunately...  :(

March 31, 2009, 02:01:44 pm
Reply #245

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

March 31, 2009, 03:35:44 pm
Reply #246

Mr Clean

  • Special Members
  • Hero Member

  • Offline
  • *

  • 331
Hi everyone, I'm a newbie here.  Just want to say hi!

I really like this site and I'm embarrassed that I didn't start to appreciate it sooner. 

Anyway, on a daily  basis I run across all sorts of crazy stuff and I'm sure you do too.   This bizarre little goodie just flashed on my screen so I thought I'd post it here to see what ya think.    ???

Code: [Select]
POST / HTTP/1.0
TagId: xxxxxxxxxxx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Host: search.namequery.com
Content-Length: 15
Pragma: no-cache
Via: 1.1 localhost:80 (squid)
Cache-Control: max-age=259200
Connection: keep-alive

~G.....p...o.\~HTTP/1.0 200 OK

Server: Microsoft-IIS/6.0
Content-Type: image/jpeg
Content-Length: 553
Connection: Close
TagId: xxxxxxxxxxx


~. ....MZ......................@...............................................!..L.!This program cannot be run in DOS mode.

Any insight would be appreciated   :)

The binary is attached.

March 31, 2009, 04:10:30 pm
Reply #247

sowhat-x

  • Guest
"binary3" unfortunately seems to be download-corrupted,ie.it's not a valid executable...
Did you grab it via a POST request?

March 31, 2009, 04:21:20 pm
Reply #248

Mr Clean

  • Special Members
  • Hero Member

  • Offline
  • *

  • 331
"binary3" unfortunately seems to be download-corrupted,ie.it's not a valid executable...
Did you grab it via a POST request?

No, I pulled it from a pcap.  Yeah, I noticed that it's broken.  The squid proxy likely killed it.     What I find bizarre is that it's a POST request, and the server responded by pushing down an apparent binary with a Content-Type: image/jpeg.   This isn't exactly normal behaviour.   Does anyone have anything on the domain "search.namequery.com"?

March 31, 2009, 04:36:03 pm
Reply #249

sowhat-x

  • Guest

March 31, 2009, 04:52:02 pm
Reply #250

Mr Clean

  • Special Members
  • Hero Member

  • Offline
  • *

  • 331
Google returns a few bad history records from what it seems...
http://www.bfk.de/bfk_dnslogger.html?query=209.53.113.223#result
http://www.google.com/search?q=209.53.113.223

Ok, this is generated by a program call "computrace" by absolute software.  It's laptop "lojack" software

March 31, 2009, 05:08:56 pm
Reply #251

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Zbot,domain on MDL but different path this time:

Code: [Select]
http://amnepofig.ru/test/config.bin
http://amnepofig.ru/test/loader.exe
Mal-Aware

April 01, 2009, 12:53:45 am
Reply #252

sowhat-x

  • Guest
Quote
hxxp://bublik.biz/in.cgi?2 // Newer domain hosted over at 88.198.48.247...

Redirects to ->
Quote
hxxp://cximnik.cn/img2/index.php // Already spotted in previous days...pdf exploits etc.
= = = = = = = = = = = = = = = = =

Quote
hxxp://basesrv3.net/update/main.exe
Result: 9/40 (22.5%):
http://www.virustotal.com/analisis/bc75d1265dcad80564f03cfb3cc1e1ae

April 01, 2009, 12:07:46 pm
Reply #253

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Mal-Aware

April 01, 2009, 12:14:47 pm
Reply #254

sowhat-x

  • Guest
Code: [Select]
hxxp://213.155.6.33/new/controller.php?action=bot&entity_list=One more c&c server in the same netblock,213.155.6.32 already spotted couple days ago...

Code: [Select]
hxxp://213.155.4.82/new/controller.php?action=bot&entity_list=C&C server,213.155.4.80 also spotted earlier in the same netblock...

For sparsha - as i know he has a special preference in fake AVs...  :)
Code: [Select]
hxxp://pornorawa.com
hxxp://sys-scan-1.biz
hxxp://sys-scanner-1.biz/download.php?page=
hxxp://www.system-protector.net/

Few more fake AVs...
Code: [Select]
hxxp://pcsolutionshelp.com/
hxxp://download.pcsolutionshelp.com/secure/fb4b4716a45f37c3694efcab0d41ee69/49d376e5/bestvirusremover2009.com/virusremover2009_setup_free_rezer_en.exe
hxxp://malwareremovingtool.com/
hxxp://download.malwareremovingtool.com/secure/ab3dc06cc30452c69f2a70caf88d36bb/49d376e5/AntiMalwareGF_Rezer.exe

Code: [Select]
hxxp://download.malwareremovingtool.com/  -> Open dir...have fun ;-)