Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on October 07, 2009, 05:27:11 pm

Title: clspring / clickspring
Post by: eoin.miller on October 07, 2009, 05:27:11 pm
Been seeing some clspring infections and haven't found these domains in any of the malware lists:

www.clickspring.net
nf.clickspring.net
cu.clickspring.net
pisces.clickspring.net
campaigns.outerinfo.com
legend.psdtools.com
66.150.193.xxx IP range
cu.outerinfo.com

Source (I know, I know, it's CA):
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=42280


Emergingthreats.net has some sigs for this stuff as well:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host\: www.bullseye-network.com"; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bullseye-Network.com; sid: 2001501; rev:6;)
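
As an added illustration (not code from the thread or from Emerging Threats), here is a small parser for the rule format quoted above together with a matcher that applies its content: string, honouring nocase and the usual \x and |hex| escapes, to raw HTTP request bytes. It makes a detail of that signature visible: the content: match is for the Host header www.bullseye-network.com, so it fires on that older domain but not on the clickspring.net or outerinfo.com hosts listed in the post, which would need a local rule of the same shape. The ET_RULE string is a constructed copy of the quoted signature trimmed to one reference:, the HTTP requests are constructed, and local_host_rule and its sid value are assumptions for the illustration, not an ET rule.

```python
import re

# Constructed copy of the Emerging Threats rule quoted above (sid 2001501), trimmed
# to one reference:. The Python escaping yields the literal  content:"Host\: www..."
ET_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; '
    'content:"Host\\: www.bullseye-network.com"; nocase; classtype: trojan-activity; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2001501; sid: 2001501; rev:6;)'
)

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


def split_options(body):
    """Split the rule body on ';' outside double quotes -> list of (keyword, value)."""
    opts, buf, in_quote, prev = [], [], False, ''

    def push(token):
        token = token.strip()
        if token:
            key, _, value = token.partition(':')
            opts.append((key.strip(), value.strip()))

    for ch in body:
        if ch == '"' and prev != '\\':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            push(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    push(''.join(buf))
    return opts


def parse_rule(rule):
    """Split a one-line Snort/Suricata rule into header fields plus its option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a recognised rule header')
    fields = ('action', 'proto', 'src', 'sport', 'direction', 'dst', 'dport')
    parsed = dict(zip(fields, m.groups()[:7]))
    parsed['options'] = split_options(m.group(8))
    return parsed


def unescape_content(text):
    """Turn a content: string into bytes: \\x escapes become x, |41 42| becomes hex bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            out += text[i + 1].encode()
            i += 2
        elif ch == '|':
            end = text.index('|', i + 1)
            out += bytes.fromhex(text[i + 1:end].replace(' ', ''))
            i = end + 1
        else:
            out += ch.encode()
            i += 1
    return bytes(out)


def content_patterns(options):
    """Return [(pattern_bytes, nocase)], pairing each content: with a following nocase."""
    patterns = []
    for key, value in options:
        if key == 'content':
            patterns.append([unescape_content(value.strip('"')), False])
        elif key == 'nocase' and patterns:
            patterns[-1][1] = True
    return [tuple(p) for p in patterns]


def rule_matches(rule, payload):
    """True when every content: pattern of the rule occurs in the raw request bytes."""
    for pattern, nocase in content_patterns(parse_rule(rule)['options']):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def local_host_rule(host, sid, msg):
    """Hypothetical helper: a local rule in the same shape as the ET one for another
    Host header. sid is the caller's choice (local rules use 1000000 and up)."""
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"%s"; '
            'flow:to_server,established; content:"Host\\: %s"; nocase; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (msg, host, sid))


# Constructed HTTP requests, not captures from the thread.
REQ_BULLSEYE = b'GET /report.php?id=1 HTTP/1.1\r\nHOST: WWW.BULLSEYE-NETWORK.COM\r\n\r\n'
REQ_OUTERINFO = b'GET /client_settings.bin HTTP/1.1\r\nHost: campaigns.outerinfo.com\r\n\r\n'

if __name__ == '__main__':
    print(rule_matches(ET_RULE, REQ_BULLSEYE))   # True: nocase Host match
    print(rule_matches(ET_RULE, REQ_OUTERINFO))  # False: the ET content is bullseye-network.com
    print(rule_matches(local_host_rule('campaigns.outerinfo.com', 1000001, 'LOCAL outerinfo'),
                       REQ_OUTERINFO))           # True
```

The matcher only evaluates content:/nocase; flow:, depth/offset and the other modifiers are parsed into the option list but ignored, which is enough to see which Host header a rule actually keys on.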


Title: Re: clspring / clickspring
Post by: SysAdMini on October 07, 2009, 06:33:17 pm
I don't think that those domains are involved in malicious activity. All look offline or parked.
The CA report is very old.

Title: Re: clspring / clickspring
Post by: eoin.miller on October 07, 2009, 08:01:28 pm
We are having machines successfully connect to hosts within the outerinfo.com domain. We played around with it a bit, and it is pulling down some bin files:

http://campaigns.outerinfo.com/client_settings.bin
http://campaigns.outerinfo.com/campaigns2_2.bin
http://campaigns.outerinfo.com/campaigns3_2.bin
http://campaigns.outerinfo.com/campaigns4_2.bin
http://campaigns.outerinfo.com/campaigns5_2.bin
http://campaigns.outerinfo.com/campaigns6_2.bin
http://campaigns.outerinfo.com/campaigns7_2.bin
http://campaigns.outerinfo.com/campaigns8_2.bin
http://campaigns.outerinfo.com/campaigns9_2.bin
http://campaigns.outerinfo.com/campaigns10_2.bin
http://campaigns.outerinfo.com/campaigns11_2.bin


campaigns.outerinfo.com resolves to 63.251.135.15
www.outerinfo.com resolves to 63.251.135.18


Also found this googling around:
http://fp.outerinfo.com/dispatcher.php

fp.outerinfo.com resolves to 63.251.135.24

ARIN:
ClickSpring LLC INAP-BSN-CLICKSPRING-0971 (NET-63-251-135-0-1)
                                  63.251.135.0 - 63.251.135.63

Of course nothing has reverse lookup. It looks like they may have moved IP space, but the old sigs are still firing off on the communications.

Also seeing clicklinks.net on 63.251.135.21 (appears they discontinued the use of this domain after it was found out):
http://www.bing.com/search?q=ip%3A63.251.135.21&go=&form=QBRE

duhiki.com, adparatus.com, marketprecision.com, thesearchassistant.com (broke), on 63.251.135.22:
http://www.bing.com/search?q=ip%3A63.251.135.22&go=&form=QBRE3
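
The post above works from two kinds of indicator: the domain names and the ARIN netblock they resolve into (63.251.135.0 to 63.251.135.63, which is 63.251.135.0/26). As an added example that is not from the thread, the script below applies both to resolver log lines: it flags names under the watchlisted domains and, independently, any name whose A answer lands in the block, which is how new names such as clicklinks.net or duhiki.com surface without being on the list yet. The log line format, the client addresses and the non-ClickSpring answers are constructed; the domains, netblock and the 63.251.135.x answers come from the post.

```python
import ipaddress
from collections import namedtuple

# Netblock from the ARIN record quoted above (ClickSpring LLC, NET-63-251-135-0-1).
RANGE_START, RANGE_END = '63.251.135.0', '63.251.135.63'
NETBLOCKS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address(RANGE_START), ipaddress.ip_address(RANGE_END)))  # [63.251.135.0/26]

# Registrable domains from the first post; subdomains (campaigns., fp., cu., ...) match too.
WATCH_DOMAINS = {'clickspring.net', 'outerinfo.com', 'psdtools.com'}

NETBLOCK_REASON = 'answer in 63.251.135.0/26'
Hit = namedtuple('Hit', 'client qname answer reasons')


def in_watched_domain(qname):
    name = qname.lower().rstrip('.')
    return any(name == d or name.endswith('.' + d) for d in WATCH_DOMAINS)


def in_netblock(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in NETBLOCKS)


def scan_dns_log(lines):
    """Flag A answers whose name is watchlisted or whose address falls in the netblock.
    Constructed line format: <timestamp> <client_ip> <qname> A <answer_ip>."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != 'A':
            continue
        _, client, qname, _, answer = parts
        reasons = []
        if in_watched_domain(qname):
            reasons.append('watchlisted domain')
        if in_netblock(answer):
            reasons.append(NETBLOCK_REASON)
        if reasons:
            hits.append(Hit(client, qname.lower(), answer, tuple(reasons)))
    return hits


def affected_clients(hits):
    """Internal addresses that resolved something suspicious, for follow-up."""
    return sorted({h.client for h in hits})


def new_names_in_netblock(hits):
    """Names that landed in the block but are not on the watchlist: candidates to add."""
    return sorted({h.qname for h in hits
                   if NETBLOCK_REASON in h.reasons and not in_watched_domain(h.qname)})


# Constructed resolver log. Clients are RFC 1918, the unrelated answers RFC 5737/3849;
# 63.251.135.200 is outside the /26 and must not be flagged.
SAMPLE_LOG = [
    '2009-10-07T19:55:01 10.0.0.21 campaigns.outerinfo.com A 63.251.135.15',
    '2009-10-07T19:55:03 10.0.0.21 www.example.com A 198.51.100.7',
    '2009-10-07T19:56:10 10.0.0.33 fp.outerinfo.com A 63.251.135.24',
    '2009-10-07T19:57:44 10.0.0.40 clicklinks.net A 63.251.135.21',
    '2009-10-07T19:57:45 10.0.0.40 www.duhiki.com A 63.251.135.22',
    '2009-10-07T19:58:00 10.0.0.40 mail.example.org A 63.251.135.200',
    '2009-10-07T19:58:02 10.0.0.50 www.clickspring.net AAAA 2001:db8::1',
]

if __name__ == '__main__':
    found = scan_dns_log(SAMPLE_LOG)
    for h in found:
        print(h.client, h.qname, h.answer, '; '.join(h.reasons))
    print('clients:', affected_clients(found))
    print('add to watchlist:', new_names_in_netblock(found))
```

Matching on the netblock is the more robust of the two checks here: as the post notes, the domains change while the address space stays, so a name-only list goes stale first.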
Title: Re: clspring / clickspring
Post by: eoin.miller on October 07, 2009, 08:29:05 pm
Coup de grâce:

http://www.outerinfo.com/OiUninstaller.exe
VirusTotal:
MD5:     c6f466ced488582ce66a05651f53206d
First received:    2008.09.18 11:36:48 UTC
Date:    2009.10.06 18:23:59 UTC [+1D]
Results:    32/41
Source:
http://www.virustotal.com/analisis/b860a3f4f63657bceffe5e3f3b043c088f7905b67672e07f09f0f62e60503a19-1254947224

Most classify as PurityScan/Yazzle.

ThreatExpert:
http://www.threatexpert.com/report.aspx?md5=c6f466ced488582ce66a05651f53206d

Anubis:
http://anubis.iseclab.org/?action=result&task_id=1f6ffb7e619bccd34e51f5abcd9621576&format=html

Title: Re: clspring / clickspring
Post by: SysAdMini on October 08, 2009, 06:58:55 pm
duhiki.com, adparatus.com, marketprecision.com, thesearchassistant.com (broke), on 63.251.135.22:
http://www.bing.com/search?q=ip%3A63.251.135.22&go=&form=QBRE3

Hmm,

http://www.duhiki.com/downloads/DuhikiSetup.exe
http://www.virustotal.com/de/analisis/e23c0e43439028fa7304ed45a9079585da9fd3838dd2bd0af4e2ec3e2bc947fc-1255027974 0/41

http://www.adparatus.com/AdparatusUninstaller.exe
http://www.virustotal.com/analisis/759bdc7d09cff81e02205cfbccce9da53d5499661037bae36a17a3f5181b7747-1255028023 0/41

And now? Is it malware or not?

Title: Re: clspring / clickspring
Post by: RS-232 on October 09, 2009, 01:22:22 am
...these are (more or less) "Potentially Unwanted" applications, adware at worst - wouldn't classify/blacklist them as malware...