Author Topic: daily something......  (Read 809169 times)

0 Members and 3 Guests are viewing this topic.

April 07, 2009, 08:24:37 pm
Reply #285

CM_MWR

  • Special Members
  • Hero Member

  • Offline
  • *

  • 319
Forget where these dingleberries fell from... ???

174.133.72.250/p0324/2.0/td.bin?bb021908657356
174.133.73.178/p0324/2.0/d.bin?bb021908154292
75.125.239.42/p0324/2.0/so.bin?bb021908350659
dglcxlcfmk.net/bbsuper0.php
dglcxlcfmk.net/bbsuper1.php
dglcxlcfmk.net/bbsuper2.php
dglcxlcfmk.net/bbsuper3.php
dglcxlcfmk.net/uniq.php?id=1693466186&p=0
zief.pl/wr.exe
install.8800.org/files/5.exe
install.8800.org/files/adx.exe
install.8800.org/files/ipk.exe
install.8800.org/files/zha.exe
stanishev.com/1/nfr.exe
stanishev.com/1/pp.06.exe
xz.wanggui.com/mem322.exe

April 07, 2009, 08:28:08 pm
Reply #286

Mr Clean

  • Special Members
  • Hero Member

  • Offline
  • *

  • 331
Oh,the .pdf file itself you meant?I'll check it tomorrow,my mind isn't working properly at the moment,plus i'm not in front of a vm...i need to sleep.
Last one for tonight - exploring the rest of this ip,is..."left as an excercise for the reader:D
http://www.bfk.de/bfk_dnslogger.html?query=220.196.59.17#result
Quote
hxxp://xdwlnbqsdsph5pc8rz81.cn/s_t.php



nifty!
sets up an ftp and AT jobs to run every 15 minutes, etal

http://wepawet.iseclab.org/view.php?hash=19d22d89420a09c6d59b1d032f19de94&t=1239135714&type=js

Code: [Select]
ftp> open 122.224.9.221
Connected to 122.224.9.221.
220 www.host.com FTP server (Version 6.00LS) ready.
500 AUTH GSSAPI: command not understood.
500 AUTH KERBEROS_V4: command not understood.
KERBEROS_V4 rejected as an authentication type
Name (122.224.9.221:sandbox): qqq
331 Password required for qqq.
Password:
230 User qqq logged in, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get calc.exe
local: calc.exe remote: calc.exe
227 Entering Passive Mode (122,224,9,221,202,67)
150 Opening BINARY mode data connection for 'calc.exe' (245248 bytes).
226 Transfer complete.
245248 bytes received in 2.7 seconds (89 Kbytes/s)
ftp> quit
221 Goodbye.
$ mv calc.exe oddyoy.exe

http://www.malwaredomainlist.com/mdl.php?search=122.224.9&colsearch=All&quantity=50

http://www.virustotal.com/analisis/b80457dd723351fa2a2ff176bcfe8e8b

http://anubis.iseclab.org/?action=result&task_id=141ccbbd213e2be145dd0d57fc0a2d48e

Code: [Select]
http://13-2005-search.com/new1.php

<A HREF=http://xxxhardpornteenxxx.com
><BR><BR><BR><BR><BR><BR><BR><BR><BR><CENTER><FONT SIZE=+6>ENTER</FONT></A>

$ dig 13-2005-search.com +short
220.196.59.1


Busy little network
http://www.malwaredomainlist.com/mdl.php?search=220.196.59&colsearch=All&quantity=50


April 08, 2009, 03:38:05 am
Reply #287

mercutio

  • Special Members
  • Full Member

  • Offline
  • *

  • 52
Regarding the PDF at hxxp://sh-hostz9.net/1/index.php, they must have something wrong in their scripts:
Code: [Select]
?>?>?><b>FPDF error:</b> Some data has already been output, can't send PDF file

April 08, 2009, 08:21:32 am
Reply #288

sowhat-x

  • Guest
The rest from the same ip mentioned yesterday...pretty easy task:
Quote
hxxp://dihbgbwqryuolfbebgme.cn/s_t.php
hxxp://dcz9ubei212vp3nrca5i.cn/s_t.php
hxxp://znchygdrmelzejjvofji.cn/s_t.php
hxxp://virevpcklvlrxjcqxtij.cn/s_t.php
hxxp://xbfnyukgdoqrjrsfmcdm.cn/s_t.php
hxxp://qjiv7qj4irh2f1o2v8sm.cn/s_t.php
hxxp://1zs0ewvqcget52rl1z1n.cn/s_t.php
hxxp://lufwhtelkadvrtaukqjo.cn/s_t.php
hxxp://ddvrrflabpqcuoaexpwp.cn/s_t.php
hxxp://lmempodfzrqqkteyupar.cn/s_t.php
hxxp://zjjrrhhuokjxgmulisxs.cn/s_t.php
hxxp://tckeblkiumuhysrwqlev.cn/s_t.php
hxxp://egntxselsaossawilurx.cn/s_t.php
hxxp://hsyzpbavkojdqclhnoqz.cn/s_t.php
==================
Quote
hxxp://msvcp70.biz/e514.gif
hxxp://msvcp70.biz/e536.gif
hxxp://msvcp70.biz/e509.gif

Quote
hxxp://msvcp50.biz/e514.gif
hxxp://msvcp50.biz/e536.gif
hxxp://msvcp50.biz/e509.gif

Quote
hxxp://yourguardon.com/
Iframes to goshak.biz listed earlier...
==================
Quote
Code: [Select]

ftp> open 122.224.9.221
Connected to 122.224.9.221.
............

Here's the rest of domains there...  :)
http://www.bfk.de/bfk_dnslogger.html?query=122.224.9.221#result
Quote
hxxp://wllvvkjknh.cn/md/index.php
hxxp://woqyymmptn.cn/md/index.php
hxxp://ozimzikjun.cn/md/index.php
hxxp://zusojbktvo.cn/md/index.php
hxxp://enjnzdfmts.cn/md/index.php
hxxp://fxlbubmkfs.cn/md/index.php
hxxp://pxciiruurw.cn/md/index.php

As for the one not listed above,miss-office-2009.com namely...
seems we've got a pretty hardcore spammer here,so...let's vote for him ;-)
http://www.google.com/search?q=miss-office-2009.com

April 08, 2009, 10:53:00 am
Reply #289

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Regarding the PDF at hxxp://sh-hostz9.net/1/index.php, they must have something wrong in their scripts:
Code: [Select]
?>?>?><b>FPDF error:</b> Some data has already been output, can't send PDF file


yeaa that what i was talking about,kept getting this error though in the end it did redirect me to the other iframe there at vparivatel.php
Mal-Aware

April 08, 2009, 11:30:55 am
Reply #290

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

April 08, 2009, 11:39:35 am
Reply #291

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

April 09, 2009, 01:19:05 am
Reply #292

sowhat-x

  • Guest
TDSS variant:
http://www.virustotal.com/analisis/f24fe6a2671b58376efafef6b068254c
Quote
hxxp://traffbox.com/in.cgi?6
hxxp://goscandata.com/?uid=12404
hxxp://scan7live.com/?uid=12404
hxxp://scan7live.com/download/install.php

Koobface variant:
http://www.virustotal.com/analisis/0d66a352aa6c6f7579fae43a1aba4c15
Quote
hxxp://traffbox.com/in.cgi?3
hxxp://hqviewworldmy1.com/view/1/1222/1/2
hxxp://hqviewworldmy1.com/download/1/1222/1/2
hxxp://hqviewworldmy1.com/software/c2fb59fa16/12221/1/2.exe

Notice that traffbox.com above redirects either to tdss or koobface,depending on parameters passed...

Now,same type Koobface variant as above,different hash though:
http://www.virustotal.com/analisis/2104a7d2b8c8a3fd2f84128d90c84fe9
Quote
hxxp://hqviewworldmy1.com/software/c2fb59fa16/10005/1/Setup.exe
========================
Quote
hxxp://welovesandi.com/?cmpid=
hxxp://crustat.com/ts/in.cgi?gen&se=oth&ur=1&hxxp_REFERER=wel-cmpid%3D
hxxp://www.scanspywareonline.com/online-scan.html?ewmid=231&pwebmid=gen&rejurl=hxxp://pnfzetnax.net/asw/gen/
hxxp://pnfzetnax.net/asw/gen/
hxxp://truconv.com/?a=125&s=gen-asw
hxxp://top-name.cn/in.cgi?default&a=ks125&s=gen-asw
hxxp://total-virusprotection.com/xpprot/7/?a=ks125&s=gen-asw&z=
hxxp://setup.total-virusprotection.com/secure/b4b8fee44a494ff05f405da47d3dd5b3/49dd5a25/setupfiles/totalvirusprotections.exe
--->
Quote
hxxp://setup.total-virusprotection.com/ -> Open dir... ;-)
--->
The executables there... (md5 dupes not listed)
Quote
hxxp://setup.total-virusprotection.com/total-malwareprotection.com/1.0.11.0/updatexpvps.exe
hxxp://setup.total-virusprotection.com/setupfiles/totalvirusprotectionp.exe.1
hxxp://setup.total-virusprotection.com/setupfiles/totalvirusprotectionp.exe
hxxp://setup.total-virusprotection.com/secure/b4b8fee44a494ff05f405da47d3dd5b3/49dd5a25/setupfiles/totalvirusprotections.exe

Play around with crustat.com's parameters above,it generates numerous nifty links...
========================
Plus another open dir with fake AVs...have fun:
Quote
hxxp://download.pcantimalwaresolution.com/

Quote
hxxp://offer-provider.com/srm/adv/142/
hxxp://dwnld.offer-provider.com/secure/940907dc34c7bed5e75f1e517b2b3a42/49dd612d/srm/srm_free_setup.exe

Quote
hxxp://infracleaner.in/download.php?affid=02935

Quote
hxxp://onlinebrandsecurity.com/download.php?affid=17503

April 09, 2009, 12:36:07 pm
Reply #293

sowhat-x

  • Guest
Direct link to the executable in dwnld.offer-provider.com above,seems to have changed since yesterday...
Quote
hxxp://dwnld.offer-provider.com/secure/85f2be819efd8db13b4fab89c8a1d2db/49dde7f1/srm/srm_free_setup.exe

Plus,it's open dir,for the time being...
Quote
hxxp://dwnld.offer-provider.com/

36 unique .exes there - here are the md5 checksums...
Code: [Select]
0651b7a4652b62c9bb74493c7440063d
2a5e21896b3043558a44f578a3b4cfea
2f590df32718d03c1c2a8fbeec715cac
2f7a9243cf4179157e382c39b1b8d1ef
31111c18393fcc7a08f7992aedc750ec
3228f756e74b05325beec3c6beeb2dea
3345b80c425dc6affe139ace94fee877
347271c8d9dc43d19b6c96708da08546
4795a9ae8a745c954f7a49944b8383a8
5a9087a4ef2dbf7f9e5a98226e94d8ff
5fb2e122b013aaf49f53502fd137e868
6737ff1d0c98962b515875283458095d
6890de6ce038b5d591aa14533a55292e
75b367bd2754b7dabfe2d1fd9bed789f
7a0051905effe054878aff73e4d01625
84f37f3f8f5434b8e6dad753bea717e9
8cfa3151df73debd3cb9b1bde978239c
9523d691f47fb8eb2457d2dbb3baed29
991c4f16c2f6fdb1712fccb573f6bfaa
9a8ecb72c0ca39145e0a6913f029abad
9b584cad38175a050bcd50805b12417e
a40e8cb47af24ef91023d4c078ad77ac
af862463f039fdc8b53e06406de73e67
b1705495d54f8c8f2f283c4886efb081
bb734c355149c3eed3389d309ea13fb1
c3328da0fa70305efeca816d735fca01
c3ef149dcfc5b3ca9da2578921de0007
c4a362df8a92650f6af41de9c733019a
c96bab9c4c7838b5eab3462e34ad8ec1
d7edd052b5363c57777addb72e8ae47c
d889b0e868832fd4ee7ba868656a6827
d9195a978f8cf2ba213471f4d3f484c3
dd18136c665be386bd02476e523df04e
e9cfd70907cf607b6fe7e92557989e20
f0afe3b1d0d4536cede447ea59053071
feed65765e05fcf542ff797147a88f8f

Here they are archived in .7z format ...78mb approximately:
http://www.megaupload.com/?d=Y33LVTZH

April 09, 2009, 06:20:17 pm
Reply #294

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Rogue:
Code: [Select]
scanner.rapid-antivir-2009.com/35/?advid=1694&ref=0&p=1000000000
soft-traffic.com

Redirect to rogue:
Code: [Select]
rd-point.net/go.php?id=1188
Exploit/trojan:
Code: [Select]
http://projectns.biz/sploits/pdf.php?id=2http://wepawet.iseclab.org/view.php?hash=46aa9abb1ac32cdd3134f0230694fc1b&t=1239188557&type=js

Exploit/trojan:
Code: [Select]
vas4k.cn/pabl/http://wepawet.iseclab.org/view.php?hash=f39bbd62bab727dc7c075547dd3df249&t=1239191102&type=js

trojan:
Code: [Select]
http://secondgate.ru/77/load.php?id=2http://www.virustotal.com/analisis/4c5fd3e65565e2b33c68c855a58de0ca

trojan:
Code: [Select]
http://bankitrade.com/exp/l.php?b=2&s=djdakhttp://www.virustotal.com/analisis/7070fe304677bbda85dfd8a6970ab46f
Mal-Aware

April 10, 2009, 01:24:35 pm
Reply #295

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

April 10, 2009, 02:43:58 pm
Reply #296

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

April 10, 2009, 03:00:06 pm
Reply #297

sowhat-x

  • Guest
C&C server:
Quote
hxxp://moneystyle.com.cn/bmngr/controller.php?action=bot&entity_list=

Quote
hxxp://www.new-mrcash.net/images/x_01.jpg
Seems like a failed attempt at using Thinstall to me,anyway...
http://anubis.iseclab.org/?action=result&task_id=13ee47e6969787c64dd38f52f3e9842ee&format=html
http://www.virustotal.com/analisis/34a6262329fda4fb398c57de90201a7a

Quote
hxxp://www.new-mrcash.net/images/win_04.jpg
http://www.virustotal.com/analisis/b188a358f58d5b8a0074f81fc79a0f25

April 10, 2009, 04:16:08 pm
Reply #298

GmG

  • Special Members
  • Full Member

  • Offline
  • *

  • 92
Exploit
Code: [Select]
http://67.215.246.139/a12/index.php
http://67.215.246.140/a12/index.php
http://67.215.246.141/a12/index.php
http://67.215.246.142/a12/index.php

April 10, 2009, 04:25:03 pm
Reply #299

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Exploit
Code: [Select]
http://67.215.246.139/a12/index.php
http://67.215.246.140/a12/index.php
http://67.215.246.141/a12/index.php
http://67.215.246.142/a12/index.php


all lead to

trojan Hiloti
Code: [Select]
67.215.246.138/a12/aff_12.exe?u=i_7_0&spl=4http://virscan.org/report/e01f5e00ab1a5916117edaf06bdfd4f1.html 4/37
Ruining the bad guy's day