Author Topic: Collection of malicious domains online  (Read 18845 times)


April 28, 2010, 02:46:09 am
Reply #15

ohmniscient

  • Full Member

  • Offline
  • ***

  • 46
    • Report-IT Anti-Malware/Phishing Group
INFECTED URLs:

#http://www.djrafaz.xpg.com.br/c99.txt
VT 30/41 - http://www.virustotal.com/analisis/720a2080f26c665bfb19d8a1739df04173be5789c03dd92ceac05855bb506aab-1265932023

#http://francanelli.sites.uol.com.br/svchosts.png
VT 6/41 - http://www.virustotal.com/analisis/749de44b725700e54a23b60e18264a803457ee2d49954d8b130aacfed2de21bd-1272419975

#http://francanelli.sites.uol.com.br/MSN.png
VT 16/40 - http://www.virustotal.com/analisis/91ad54556b8d958d95bb4394e93af7c672cc745c86d3bcf6a8e0d6e52c7b8309-1272420064

#http://francanelli.sites.uol.com.br/Explorer.png
VT 11/41 - http://www.virustotal.com/analisis/9aaa5c9b4454bd35fdf58511715ecea14b377b700cee13fb6e031fe4621faa4c-1272420609

#http://francanelli.sites.uol.com.br/ashservec.png
VT 10/41 - http://www.virustotal.com/analisis/59f827fa7e7680c0f62ff1e010510a4585766c211093b2dceccfdd5b9509e873-1272420771

#http://fotosgyn.pessoal.ws/pros.pi
VT 20/40 - http://www.virustotal.com/analisis/8a9e5946639b0faca4d0d15324a776dc67fbcc8daee7ed9e01665084ef02ec62-1272398782

#http://fotosgyn.pessoal.ws/proi.pi
VT 20/40 - http://www.virustotal.com/analisis/c0f2472ee98bf259508eb563d3a64d5deed3d88803f75b621f3aaf449c80209a-1272398783

#http://alf.inf.br/zcv.gif
VT 39/40 - http://www.virustotal.com/analisis/e76ae6b37435dadca881bafb68b5da85f2b70996448050c20bf3abbc0a92d23b-1272375057

#http://www.reportes201.com/inhouse/software/modulopc.exe
VT 11/39 - http://www.virustotal.com/analisis/1153d9bde37bcf3ddf98e5abd4d7a6e733f3d85fad4147bafee7e0a460df38b8-1272387384

#http://www.reportes201.com/inhouse/software/itautktb.rm
VT 11/40 - http://www.virustotal.com/analisis/bee9d74f4c07ac93cb1e1013ff99e4163c425557fe3bf0672ef84425a097d2bc-1272421248

#http://www.reportes201.com/inhouse/software/uq817alp192.rm
VT 13/40 - http://www.virustotal.com/analisis/abde0816a560d2e486aea7397ad0b1f560b250e51f869774fe37c13056d44f14-1272396812

#http://www.reportes201.com/inhouse/software/ipxzh7299.rm
VT 6/40 - http://www.virustotal.com/analisis/9a96b81e0381387cf96632bf41c8876fe3d9f871fff5408fa2f0b136684f6e52-1272311201

Report-IT Anti-Malware/Phishing Group: http://report-it.webs.com

April 28, 2010, 05:13:50 pm
Reply #16

ohmniscient
INFECTED URLs:

#http://www.kranenborg.info/knerf/kw/G1noticias.php?=g1.globo.com/Noticias/0,,5597,00.html redirects to
#http://www.elara-m.ru/js/G1globo.php redirects to
#http://www.kranenborg.info/knerf/kw/AdobeFlashPlayer.exe
VT 17/39 - http://www.virustotal.com/analisis/b582ea089fa9e25445eeb74aac79fde1e0da01876928a752c474fc5cc00a2503-1272456193

AdobeFlashPlayer.exe downloads:
#http://www.22bin.com.pl/plugins/system/k.exe
VT 20/40 - http://www.virustotal.com/analisis/cba3d9f7073be3ec7efa275097cb908b551c373033eaa52e53af63028b61ec5a-1272030117

#http://safety.corna.com/cz/tu.jpg
VT 2/40 - http://www.virustotal.com/analisis/5d0f8f76d01aae946087205577034a8e6d0a2ea2b05b2adc10752be6d1d4fbea-1272241298

April 29, 2010, 01:38:37 am
Reply #17

ohmniscient
1. TROJAN DOWNLOADER: http://www.threatexpert.com/report.aspx?md5=ca326e3dea72eaad30427b304596aa78
#http://www.xhostcoderx.hpg.com.br/ProcessR.jpg
#http://www.xhostcoderx.hpg.com.br/ProcessN.jpg
#http://www.xhostcoderx.hpg.com.br/ProcessU.jpg
#http://www.xhostcoderx.hpg.com.br/ProcessL.jpg
VT negative - malware developers are beginning to encrypt and/or fragment the malware samples downloaded by trojan downloaders so that their samples are not removed from the host.

2. TROJAN DOWNLOADER: http://www.threatexpert.com/report.aspx?md5=64948c7cb644d7e416aac1799ac6343d
#http://cpereira5775.hpg.com.br/winhelpens.jpg
VT 6/38 - http://www.virustotal.com/analisis/19cc0c3da6ec719004ed6e8eedd76613eeb5df01b4900a1f3e05262c4169fffc-1272499164
#http://parisfesta.hpg.com.br/winupdate.jpg
VT 18/39 - http://www.virustotal.com/analisis/6761e8653926914b45b5cd680f1b0e978e4a4a8ef1ffc311fe3ef47ba3ed4720-1272495923
#http://cpereira5775.hpg.com.br/winlogne.jpg
VT 7/38 - http://www.virustotal.com/analisis/a6d4739b9b1a9d2261fc658a70506220b556f8a5bf9bf382cff3a66eed3b4bd4-1272499157
#http://cpereira5775.hpg.com.br/msmsn.jpg
VT 19/38 - http://www.virustotal.com/analisis/d3f91dbe70b59adcb7d853e4eb3e76f94c932d8cbd2f38d7ae5674c99d6cb84b-1272499168

3.
#http://updatemania.info/setup86.exe
VT 9/41 - http://www.virustotal.com/analisis/5f2ceef57c7f1a8a898a070ea15f1c2c8c1480befbec476a7cb2ed604b77a572-1272506588

4. TROJAN DOWNLOADER: http://www.threatexpert.com/report.aspx?md5=ea4ee5b2fcddeb28a85579969ed06275
#http://www.estortetotal.hpg.com.br/rende/hj/ext/bfisica.jpg
VT 6/38 - http://www.virustotal.com/analisis/51d034cff991d25da1504ad19a76ba4e2434c805ac3a6e5747cffa85204c83ef-1272499137
#http://www.estortetotal.hpg.com.br/rende/hj/ext/waba.jpg
VT 21/39 - http://www.virustotal.com/analisis/a424fcb75b8ec8782d9ca4559b4950da2525b78e22f1b068ea132323a07f986e-1272499139
#http://www.estortetotal.hpg.com.br/rende/hj/ext/acaonet.jpg
VT 9/38 - http://www.virustotal.com/analisis/a285b826d034166bb6517bb5f19c1e52924e93770bebe1ce428a34deca0f3490-1272499147

5. TROJAN DOWNLOADER: http://www.threatexpert.com/report.aspx?md5=c8c2f1740aff62b739c71207e8b0ceed
#http://ajudasonline.info/images/oi/sb.dll
VT 4/39 - http://www.virustotal.com/analisis/3b5a27cbb7ca039c3d7ac9386cd038cae2f3853a9fecbdd64a680c6e7b903b81-1272493486

6.
#http://alf.inf.br/vxap.htm (javascript exploit)
VT 28/40 - http://www.virustotal.com/analisis/f789805ad85166efa39c4e8610c0f325d65fcd4fcc79d9290a28d20d863bd5af-1271853205
Wepawet analysis: http://wepawet.iseclab.org/view.php?hash=d595f2ce0b2acfb2209a57ece5bb2c2b&t=1272488092&type=js

April 29, 2010, 05:29:58 pm
Reply #18

ohmniscient

April 29, 2010, 10:52:33 pm
Reply #19

ohmniscient
INFECTED URLs:

1.
#http://migre.me/zHkM redirects to
#http://www.salveme.net/deposito.exe
VT 22/40 - http://www.virustotal.com/analisis/317905f4a213584429b413836e1b41fb22ef367552a55aa9d6d58124eaa8ee97-1272574285

which downloads:

2.
#http://www.salveme.net/vai/ws2_32.exe
VT 13/39 - http://www.virustotal.com/analisis/25018a9056b55b43afc7a0aecfd3f5f8d79a7b65d17ec9f29faeb1e398e1fd1b-1272489545

3.
#http://sydl.gov.cn/sm/2009-09/10/abrir-20EVO-0UH4829.exe
VT 19/40 - http://www.virustotal.com/analisis/54516b419db2481114840577ba3b638e567f052e9bca5cac814e62b4980c474d-1272576961

which downloads malware samples replicated across different web servers:

4.
#http://www.andremichells.com/images/ki.gif
#http://www.bigassgames.com/images/ki.gif
#http://adcampodecambui.com.br/erros/ki.gif
VT 4/39 - http://www.virustotal.com/analisis/17b4b8f41909c5a24298686a315508299c4f2fed6656e64e7331717a959863fc-1272591062

6.
#http://www.andremichells.com/images/5.gif
#http://www.bigassgames.com/images/5.gif
#http://adcampodecambui.com.br/erros/5.gif
VT 15/40 - http://www.virustotal.com/analisis/74fc269ef1c7246473668413100a0e87150b025cd9ed4606294501ce8c2ef5db-1272571855

7.
#http://www.andremichells.com/images/AZIP32.DLL
#http://www.bigassgames.com/images/AZIP32.DLL
#http://adcampodecambui.com.br/erros/AZIP32.DLL
VT 7/39 - http://www.virustotal.com/analisis/8ea073609c84210d3df8f75cc177558f6922dbf454ca617d02c81101e67b57b6-1270654680

8.
#http://www.andremichells.com/images/AUNZIP32.DLL
#http://www.bigassgames.com/images/AUNZIP32.DLL
#http://adcampodecambui.com.br/erros/AUNZIP32.DLL
VT 0/39 - http://www.virustotal.com/analisis/209c4cf427ba3bf80cdc742e6c5ff22df8ade6c5bb19eac55bb0d68fa81144f8-1272514274

9.
#http://www.andremichells.com/images/mv.gif
#http://www.bigassgames.com/images/mv.gif
#http://adcampodecambui.com.br/erros/mv.gif
VT 0/40 - http://www.virustotal.com/analisis/9b51a2e2a8a89849ae3d39fc35fe583c65d50c2f234cf1ca65fc10a02a142f5e-1272283105

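Every post in this thread uses the same compact format: a defanged URL (leading `#`), chain markers ("redirects to", "which downloads"), and a `VT detections/engines - <report URL>` line whose report path carries the sample's SHA-256 followed by a Unix scan timestamp; several host lines followed by one VT line mean the same file is mirrored on each host. The parser below is an added example, not code from the original thread or from the Report-IT group: it turns a post in that format into structured indicators and derives a host and hash blocklist from them. The excerpt it parses is constructed from lines of Reply #19 above; the field names, the rule that "which downloads" applies only to the next sample group, and the choice to ignore ThreatExpert lines are my assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed excerpt in the thread's posting format (lines taken from Reply #19
# above): URLs are defanged with a leading '#', chain steps are marked with
# "redirects to" / "which downloads", and each sample group ends with a
# "VT detections/engines - <report URL>" line whose report path embeds the
# SHA-256 and a Unix scan timestamp.
SAMPLE_POST = """\
INFECTED URLs:

1.
#http://migre.me/zHkM redirects to
#http://www.salveme.net/deposito.exe
VT 22/40 - http://www.virustotal.com/analisis/317905f4a213584429b413836e1b41fb22ef367552a55aa9d6d58124eaa8ee97-1272574285

which downloads:

2.
#http://www.salveme.net/vai/ws2_32.exe
VT 13/39 - http://www.virustotal.com/analisis/25018a9056b55b43afc7a0aecfd3f5f8d79a7b65d17ec9f29faeb1e398e1fd1b-1272489545

4.
#http://www.andremichells.com/images/ki.gif
#http://adcampodecambui.com.br/erros/ki.gif
VT 4/39 - http://www.virustotal.com/analisis/17b4b8f41909c5a24298686a315508299c4f2fed6656e64e7331717a959863fc-1272591062
"""

URL_RE = re.compile(r"^#(https?://\S+)(\s+redirects to)?$")
VT_RE = re.compile(
    r"^VT\s+(\d+)/(\d+)\s+-\s+\S*/analisis/([0-9a-fA-F]{64})-(\d{9,10})$")
VT_NEG_RE = re.compile(r"^VT\s+negative\b")       # sample seen, no VT report
DOWNLOADS_RE = re.compile(r"^which downloads\b")


def parse_post(text):
    """Parse one post into a list of indicator dicts (field names are mine).

    Each dict has url, host, redirect_from (URL that redirected here or None),
    downloaded_by (URL of the stage that fetched it or None) and, once a VT
    line closes the group, sha256, detections, engines and scanned_at (UTC).
    """
    indicators = []
    group = []            # sample URLs waiting for the VT line that closes them
    redirect_src = None   # set when the previous line ended in "redirects to"
    downloaded_by = None  # assumption: applies to the next sample group only
    last_sample = None    # last URL that received a hash

    def close_group():
        nonlocal group, downloaded_by, last_sample
        if group:
            last_sample = group[-1]["url"]
        group = []
        downloaded_by = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = URL_RE.match(line)
        if m:
            url, is_redirector = m.group(1), bool(m.group(2))
            ind = {
                "url": url,
                "host": urlparse(url).hostname,
                "redirect_from": redirect_src,
                "downloaded_by": downloaded_by,
                "sha256": None, "detections": None,
                "engines": None, "scanned_at": None,
            }
            indicators.append(ind)
            # A redirector carries no payload, so it takes no hash; the URL it
            # points at (the next line) does.
            if not is_redirector:
                group.append(ind)
            redirect_src = url if is_redirector else None
            continue
        m = VT_RE.match(line)
        if m:
            det, eng, sha, ts = m.groups()
            when = datetime.fromtimestamp(int(ts), tz=timezone.utc).date().isoformat()
            for ind in group:   # mirrored hosts share one VT line and one hash
                ind.update(sha256=sha.lower(), detections=int(det),
                           engines=int(eng), scanned_at=when)
            close_group()
        elif VT_NEG_RE.match(line):
            close_group()       # hash unknown; the URLs stay as indicators
        elif DOWNLOADS_RE.match(line):
            downloaded_by = last_sample
    return indicators


def hosts(indicators):
    """Unique hosts, sorted: the minimum useful blocklist from a post."""
    return sorted({i["host"] for i in indicators if i["host"]})


def hashes(indicators):
    """Unique SHA-256 values, for hash blocking or retrospective hunting."""
    return sorted({i["sha256"] for i in indicators if i["sha256"]})


if __name__ == "__main__":
    found = parse_post(SAMPLE_POST)
    for ind in found:
        print(ind)
    print(hosts(found))
    print(hashes(found))
```

Two caveats when using the output: a low or zero ratio (the thread lists 0/39 and 0/40 samples) is not evidence of a clean file, only that no engine flagged it on that day, so keep the URL and hash as indicators regardless of the count; and the redirector entries (no hash) are worth blocking in their own right, since the same short-link or PHP redirector is typically reused for the next payload.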

April 30, 2010, 06:20:31 am
Reply #20

ohmniscient
INFECTED URLs:

These domains host replicated malware samples:

#http://www.andremichells.com/images/"sample-name"
#http://www.bigassgames.com/images/"sample-name"
#http://adcampodecambui.com.br/erros/"sample-name"
#http://www.aquirecosmeticos.com.br/ddd/"sample-name"
#http://acpbdf.com.br/images/"sample-name"

the samples are distributed under the following path pattern (same sample name on every host; each VT result is listed below the file it belongs to):

#http://adcampodecambui.com.br/erros/1.gif
VT 14/40 - http://www.virustotal.com/analisis/fbc8eb07cee5e8ebacdda7d6157934c93addca7b01a1948af8e24d4ceae9cc86-1272603544
#http://adcampodecambui.com.br/erros/5.gif
VT 15/40 - http://www.virustotal.com/analisis/74fc269ef1c7246473668413100a0e87150b025cd9ed4606294501ce8c2ef5db-1272571855
#http://adcampodecambui.com.br/erros/atual.gif
VT 7/41 - http://www.virustotal.com/analisis/d4fdedbe5891a13bd83b9d90f39a951ffa2f144df0b5d0ed613f7a107e6da1ad-1272603747
#http://adcampodecambui.com.br/erros/atual5.gif
VT 8/41 - http://www.virustotal.com/analisis/d4fdedbe5891a13bd83b9d90f39a951ffa2f144df0b5d0ed613f7a107e6da1ad-1272603784
#http://adcampodecambui.com.br/erros/c99.txt
VT 0/40 - http://www.virustotal.com/analisis/836f84248190ba00bbf0102f74931d07e9f0b0f6858437c984b05ef4170de526-1272603903
#http://adcampodecambui.com.br/erros/imagem.gif
VT 7/38 - http://www.virustotal.com/analisis/6485271fe48f7be4cb49735c60fa4cf2ff52f235e2b24bfba22df6ea75fda1d7-1272540526
#http://adcampodecambui.com.br/erros/ki.gif
VT 4/39 - http://www.virustotal.com/analisis/17b4b8f41909c5a24298686a315508299c4f2fed6656e64e7331717a959863fc-1272591062
#http://adcampodecambui.com.br/erros/kill.gif
VT 4/41 - http://www.virustotal.com/analisis/1661737f6e56c80cc57dcdf92368f789aa53bf49ff77cb181314fb72a364949d-1272604025
#http://adcampodecambui.com.br/erros/mv.gif
VT 0/40 - http://www.virustotal.com/analisis/9b51a2e2a8a89849ae3d39fc35fe583c65d50c2f234cf1ca65fc10a02a142f5e-1272283105
#http://adcampodecambui.com.br/erros/t1.gif
VT 0/41 - http://www.virustotal.com/analisis/0053ead0cb0e630bfcf8462732e732cf3b230c344bc48afc1e5a020aa7b1d179-1272604265
#http://adcampodecambui.com.br/erros/AZIP32.DLL
VT 7/39 - http://www.virustotal.com/analisis/8ea073609c84210d3df8f75cc177558f6922dbf454ca617d02c81101e67b57b6-1270654680
#http://adcampodecambui.com.br/erros/AUNZIP32.DLL
VT 0/39 - http://www.virustotal.com/analisis/209c4cf427ba3bf80cdc742e6c5ff22df8ade6c5bb19eac55bb0d68fa81144f8-1272514274


May 02, 2010, 11:04:39 am
Reply #22

ohmniscient
INFECTED URLs:

#http://path.to/a2f6/ redirects to
#http://emailserver1.megabyet.net/index1.php
VT 17/40 - http://www.virustotal.com/analisis/23b3adc50ba5cb67faa7c20b62d1225fe23d0ca03b871ea381e0bae1a9265f77-1272755968

#http://www.2010diaenoite.org/protecao/index.php redirects to
#http://www.protecaodiaenoite2010.org/cadastro/2010/modulodeprotecao.exe
VT 10/40 - http://www.virustotal.com/analisis/9033823ee1c605fd421791d7e04d63a188b3b9111b5d09e2a2570c3e9e35db30-1272827512

May 03, 2010, 04:15:09 am
Reply #23

ohmniscient
INFECTED URLs - MALWARE REPLICATION PART 2:

#http://videohouseal.kit.net/videos.wma.zip
or
#http://windowslive-videos.kit.net/nf22iyNrxQwpps.zip
VT 26/40 - http://www.virustotal.com/analisis/5d10c83cda56c0c4ad3ab499d0c2124181edef971cf551a27c43076ede449a6c-1272805008
TROJAN DOWNLOADER: http://www.threatexpert.com/report.aspx?md5=fe39e1329233f7cd4adf2512afdb2cf5

and

#http://www.videosyoutub.kit.net/Chifrudo=MUUUUU.zip
VT 21/39 - http://www.virustotal.com/analisis/68ebfe9107bebf87bab7028bf12dd7d4befc7e81891e2cce85df201d48b8852c-1270866137
TROJAN DOWNLOADER: http://www.threatexpert.com/report.aspx?md5=20c6cd3d25e38dfefdc8721e04f4b173

Both malware samples download an encrypted file (images.zip) from any one of the 17 sources below:

#http://www.asturmed.org/index_archivos/images.zip
#http://www.cerradao.kit.net/images.zip
#http://www.jpx-arq.com/staff/images.zip
#http://www.windowslive-videos.kit.net/images.zip
#http://www.cartao_natal.kit.net/images.zip
#http://www.sovips.kit.net/images.zip
#http://catolicanet.net/images/images.zip
#http://www.vidrocampos.kit.net/images.zip
#http://www.escvisao.kit.net/images.zip
#http://www.mchapuleta.kit.net/images.zip
#http://dynamicsport.com.br/js/images.zip
#http://www.rajkotchamber.com/images/images.zip
#http://www.pronauti.com/loja/includes/modules/images.zip
#http://carlos-gaspa.com/images.zip
#http://www.naminhacasa.kit.net/images.zip
#http://www.globo-bbb10.kit.net/images.zip
#http://www.porta-retratos.kit.net/images.zip

#http://www.aquirecosmeticos.com.br/ddd/rem.zip
VT 5/40 - http://www.virustotal.com/analisis/7fbb2c6888b2639ebd68d3d980afff4057a633b99423dd46a974d46ab013dadb-1272815015

May 04, 2010, 01:10:12 am
Reply #24

ohmniscient

May 04, 2010, 10:37:51 pm
Reply #25

ohmniscient
INFECTED URLs:

1.
#http://www.dgiz.de/dateien/cache/Boleto_Uol.php redirects to
#http://www.dgiz.de/bilder/Play/Boleto-7898734_Uol_html.exe
VT 7/41 - http://www.virustotal.com/analisis/480c602df447abca09cee3ac2ec15cfbadba7be5b38a9e93286725cc540f707c-1273007811

2.
#http://www.dgiz.de/dateien/cache/PagSeguro/BoletoCompra.php redirects to
#http://www.dgiz.de/bilder/Play/Boleto_Pagseguro_html.exe
VT 13/41 - http://www.virustotal.com/analisis/d95cc9cc3181f51fad3a98658d0eefec3ccf875132836403f5d00386cfd67092-1272991753

it downloads an encrypted malware sample:
#http://legacy.comercial.ws/desertor.swf

3.
#http://www.essencialservicos.net/baixar/ redirects to
#http://www.essencialservicos.net/asner39493548mnknkjaer/
VT 29/41 - http://www.virustotal.com/analisis/edbd278544c6b61f8f7320752625a638cbb5470be4a967907e585394d2f064b2-1272982255


May 05, 2010, 10:50:46 pm
Reply #26

ohmniscient
INFECTED URLs:

#http://www.skinfocus.com.hk/sys/images/items/Bradesco.com.br/?AtualizacaoBradesco003414-2010 redirects to
#http://www.pacificlanguage.com/item/Bradesco.com.br/AtualizacaoBradesco003414-2010.exe
VT 7/41 - http://www.virustotal.com/analisis/c27646936f519338b5b796aedc458dab1333515f107ce00dcdc7edf392830bb3-1273089732

#http://www.skinfocus.com.hk/sys/images/items/Correios.com.br/TELEGRAMA/ redirects to
#http://www.pacificlanguage.com/item/Correios.com.br/TELEGRAMA/Telegrama398471920.exe
VT 9/41 - http://www.virustotal.com/analisis/d311019be85d8fe903de07e34686691407554917e32024a004c0d94af8e830b6-1273072011

which downloads:

#http://www.mammothlakespd.org/images/page002.JPG
VT 12/41 - http://www.virustotal.com/analisis/2d5ae3bfb3cff59ba8a2d1b6fb0a6370981ce9026052b299fbf3d898ccad672c-1273096977
#http://www.hudsonterracenyc.com/images/page1.JPG
VT 13/41 - http://www.virustotal.com/analisis/62b025d412591e0760a3948289b6e9d5be7517e749cd6a54ba45e45fbd34d34b-1273077194
#http://www.hudsonterracenyc.com/images/page2.JPG
VT 13/40 - http://www.virustotal.com/analisis/be558be289c9551f7a97b674cb7f3eedfec44bdff835fe2e589928e5e637f462-1273077268

Bonus - Hacking the malware developer server
try out: telnet://number11231.freehostia.com:21
user sdadsf51
pass 4244531


May 20, 2010, 07:32:01 pm
Reply #28

ohmniscient
INFECTED URLs:

Trojans

1.
#http://path.to/fce5e18/?babycards.com redirects to
#http://xxxxz.justfree.com/index.php

2.
#http://dwg98.internetdsl.tpnet.pl/images/DSC0204201001.asp redirects to
#http://83.103.44.141/ROBOVIDEO.IT/images/DSC0204201001.scr

3.
#http://www.guaciarabar.com.br/imagens/.../download.php?ARQUIVO  
#http://64.50.201.98/aspnet_client/system_web/1_1_4322/arquivo.exe