Author Topic: daily something......

April 25, 2009, 05:01:16 am
Reply #345

sparsha

Code:

http://antivir-scan-pro-best.com/11041/3/
http://files.load-archive-av-pro.com/normal/setup_11041_3_1.exe
http://int.sysproreport1.com/stat.php?func=installrun&id=11041&landing=-1&lang=EN&sub=1&notstat=1
http://dl.super-top-scan-pro.com/get/?pin=11041&lnd=-1&type=main

http://files.get-fails-load-av.com/release/setup.exe
http://dl.scan-anti-spy-4free.com/get/?pin=0&lnd=-1&type=scanner


April 25, 2009, 09:33:12 am
Reply #346

SysAdMini

Ruining the bad guy's day

April 26, 2009, 07:03:19 am
Reply #347

CkreM

Exploit/trojan:
Code:
wtopcompany.ru/cms/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=3f1acb074a6e8c6b03da890c06e1c4db&t=1240555768&type=js

Fake AV scan:
Code:
tubeontvgl.com/scan/?id=262

What's downloaded from there:
Code:
uploadmoviez.com/codec.exe
http://www.virustotal.com/analisis/3a09d83950707cd8c0f4c23d913c0129

Same files on the same ip:
Code:
youngsters.ru/codec.exe
pc-codec-pack.com/codec.exe
suckitnow1.net/codec.exe
velzevuladmin.com/codec.exe
Mal-Aware

April 26, 2009, 09:03:18 am
Reply #348

CkreM

Rogue:
Code:
Snobelium.com
Diastolea.com
cussermono.com
Mal-Aware

April 26, 2009, 10:24:31 am
Reply #349

SysAdMini

Rogue:
Code:
Snobelium.com
Diastolea.com
cussermono.com

They look like templates for future fake AVs. There is no additional content other than the page itself.
Ruining the bad guy's day

April 27, 2009, 04:19:36 am
Reply #350

CkreM

Rogue:
Code:
Snobelium.com
Diastolea.com
cussermono.com

They look like templates for future fake AVs. There is no additional content other than the page itself.

Yeah, I noticed that.
Will have content in the future, probably..


seem like irc bot/backdoor:
Code:
77.75.105.221/e-card/e-card.gif.exe
http://www.virustotal.com/analisis/335638c7877b9d21eabb7f5e12881fe9
Mal-Aware

April 27, 2009, 11:28:05 am
Reply #351

RS-232

For the fun of it...
Quote
hxxp://youarelucky.biz/SmartDownload.exe
http://www.virustotal.com/analisis/786657fbd9af08fef0cb1745bce68fa5
hxxp://200.122.168.229/dl/goldvipclub/TrackDownload.dll?DID=991392
http://www.virustotal.com/analisis/5d97aab77fba7ca6ab7ecf6728034a15
hxxp://200.122.168.229/dl/goldvipclub/
http://www.virustotal.com/analisis/aef4b913ccfbe8918e83a8ed48870ddd
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

April 27, 2009, 03:16:41 pm
Reply #352

XiTri

This:
Code:
http://neono.biz/myy/index.php

And this:
Code:
http://tipojud.com/quq/1/loads.php?id=68

April 27, 2009, 10:06:49 pm
Reply #353

Malware-Web-Threats

exploits:
Code:
hxxp://210.240.61.68/fish/GV14.htm
Wepawet

trojan:
Code:
hxxp://www.spps.hlc.edu.tw/fish/1.exe
VirusTotal - 17/40 (42.5%)
Anubis

April 28, 2009, 02:17:16 am
Reply #354

michajp

'Greeting cards' (IRC bot/backdoor):

Code:
hxxp://greetings.3utilities.com/logs/greetings.exe
hxxp://66.83.239.226/E-Greetings.exe

April 28, 2009, 03:51:19 am
Reply #355

CkreM

Fake AV:
Code:
fullsecurityaction.com
Anytoplikedsite.com
yourpcshield.com
totalvirushield.com
myfirstsecurityscan.com
stopspyware.org

Exploit/trojan
Code:
78.47.132.221/l3/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=6f5cdfe1c1aeb5cd68a034c3c2984dc8&t=1240889755&type=js

Seems like koobface
Code:
70.254.41.230/setup.exe
http://www.virustotal.com/analisis/9dfc0bc4f3e5ea13ae76859d939a8fd8
Mal-Aware

April 28, 2009, 07:36:57 am
Reply #356

RS-232

Quote
hxxp://verringo.cn/bmngr2/controller.php?action=bot&entity_list=
From the same ip:
Quote
hxxp://www.downloads-123.com/dyyhhj1g/3j2khf32/aap.exe
http://www.virustotal.com/analisis/85d89df7d1f11b6178ba112551a4c248
hxxp://downloads-123.com/guard.exe
http://www.virustotal.com/analisis/1e3f57b7808d6e154dcea62a6e53d2f0
Result: 1/40 (2.5%)

Quote
hxxp://91.207.61.12/stata/controller.php?action=bot&entity_list=
From the same ip:
Quote
hxxp://tomohappy.com/forum/data.php?id=500
hxxp://tomohappy.com/forum/data.php?id=5xx   // where xx is whatever numeric value...
http://www.virustotal.com/analisis/97eb93b986035c20b613677ba6235136
Result: 13/40 (32.50%)

Quote
hxxp://goooodbill.cn/unig/load.php
http://www.virustotal.com/analisis/5b838bbb5899ae16758851bf33d7521c
Result: 15/40 (37.5%)

Quote
hxxp://myspyfiles.cn/qazwsx/index.php
Injection - redirects to the already listed rutraff.cn:
http://www.google.com/search?hl=en&q=myspyfiles.cn&btnG=Google+Search

Quote
hxxp://xcount.cc/ads/in.cgi?13
hxxp://weh8dnb.com/cp/index.php
hxxp://weh8dnb.com/cp/load.php
http://www.virustotal.com/analisis/143e40ce67aa7846b7a06ac080c6bb34
Result: 4/40 (10%)
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

April 28, 2009, 09:10:29 am
Reply #357

SysAdMini

Code:
sorwwwros.cn/life/t.php

Code:
sorwwwros.cn/life/fdoc.pdf
http://www.virustotal.com/analisis/7e2777e6031abc9c55597bd880ad2f25 6/40
MD5...: 9de067ace8636a8a788a3925533e9660
http://wepawet.cs.ucsb.edu/view.php?hash=9de067ace8636a8a788a3925533e9660&type=js

Code:
sorwwwros.cn/life/fdem.swf
http://www.virustotal.com/analisis/75ff201372b07627b2e00defa0739510 0/40
MD5...: c7c0f03b8a7fec6b163c501bcb4d8500

payload
Code:
sorwwwros.cn/life/l.php?b=4&s=PDF
http://www.virustotal.com/analisis/0b67d1b488abcb478155d20ec2708633 17/40
MD5...: 84909a9d6cdc7c50cfd9da181232df7a
Ruining the bad guy's day

April 28, 2009, 10:38:14 am
Reply #358

RS-232

The...usual suspects:
Quote
hxxp://rxtraffclicks.com/download/1/1000/5
http://www.virustotal.com/analisis/4e670f047ca735c1e65f8e8aa458ca1f
Result: 15/40 (37.5%)

Quote
hxxp://pornosbest.com/movies/movie1.wmv.exe
http://www.virustotal.com/analisis/64bb880feb8b31a351c2809dc8549dde
Result: 12/40 (30%)
====================
These ones are currently being injected into unsuspecting sites... for now, they all lead to (already listed) litevehiclemall.cn...
Quote
hxxp://betbigwager.cn/in.cgi?income61
hxxp://hotslotpot.cn/in.cgi?income65
hxxp://litecartop.cn/in.cgi?income70
hxxp://lotultimatebet.cn/in.cgi?income60

http://www.robtex.com/ip/213.163.91.93.html
http://www.bfk.de/bfk_dnslogger.html?query=213.163.91.93#result
And...
http://www.robtex.com/ip/213.182.197.23.html
http://www.bfk.de/bfk_dnslogger.html?query=213.182.197.23#result

Another one which is being injected...
Quote
hxxp://nyoflak.com/?click=3C5DCB
According to Wepawet,it also leads to "openstats.info":
http://wepawet.cs.ucsb.edu/view.php?hash=b8ace1842982cb47ee7a390120812436&t=1240920333&type=js
But someone didn't want to blacklist openstats.info a few days earlier when I had mentioned it...   ;D  ;)

Yet one more:
Quote
hxxp://nipkelo.net/?click=5A158BD

The story in short - with even more domains to be blocked etc etc...
http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/

Quote
hxxp://simple-faq.cc/stat.js
hxxp://a-stone.biz/xZfmG3YK1/
hxxp://a-stone.biz/xZfmG3YK1/flash.php?id=1647&spl=14
hxxp://a-stone.biz/xZfmG3YK1/load.php?id=1647
http://www.virustotal.com/analisis/b9495d617e3535b2420d19e25ce1b57f
Result: 16/40 (40%)

Now, what I've found rather interesting... is what happens when querying a-stone.biz directly, via Wepawet... and without the simple-faq.cc referrer:
http://wepawet.cs.ucsb.edu/view.php?hash=5a514c44b04f33c1834083a2a05e1432&t=1240934612&type=js
Code:
Redirects
From
http://a-stone.biz/xZfmG3YK1/
To
http://grabberz.com
It's a small world out there...   ;)
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw
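The posts in this thread share indicators in one loose format: hxxp:// defanged URLs, a VirusTotal report link, a "Result: n/40" line under it, reference links to Robtex or Wepawet, and bare "domain/file" lists. Below is an added example, not code from the thread or from MalwareURL, of turning a post in that format into blocklist-ready indicators: refanged URLs, domains, bare IPs and per-hash detection counts. The sample text is constructed from lines in the posts above plus one [.]-defanged https URL added to show the other common defanging; the reference-site list, regexes and function names are my own assumptions.

```python
"""Turn a forum-style IOC post into blocklist-ready indicators.

Added example (not code from the thread or from MalwareURL).  The [.]
defanging handled here is a common convention, not one used in the posts.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Scheme-bearing URL, defanged (hxxp) or not.  The [^\s<>"'] class keeps a
# bracketed [.] inside the match so refang() can undo it.
URL_RE = re.compile(r"\bh[xt]{2}ps?://[^\s<>\"']+", re.IGNORECASE)
# A line that is only "domain" or "domain/path" with no scheme, as in the
# "Same files on the same ip" lists above.
BARE_RE = re.compile(
    r"^(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?P<path>/\S*)?$",
    re.IGNORECASE,
)
VT_RE = re.compile(r"virustotal\.com/(?:analisis|file)/([0-9a-f]{32,64})", re.IGNORECASE)
RESULT_RE = re.compile(r"Result:\s*(\d+)/(\d+)")
# Analysis and lookup services posters link for reference; never indicators.
# Assumed list; extend it for your own feeds.
REFERENCE_HOSTS = ("virustotal.com", "wepawet.cs.ucsb.edu", "wepawet.iseclab.org",
                   "robtex.com", "bfk.de", "google.com", "youtube.com",
                   "unmaskparasites.com")

# Constructed sample: lines taken from posts in this thread, plus one
# [.]-defanged https URL added to exercise that form.
SAMPLE_POST = """\
hxxp://rxtraffclicks.com/download/1/1000/5
http://www.virustotal.com/analisis/4e670f047ca735c1e65f8e8aa458ca1f
Result: 15/40 (37.5%)
hxxp://77.92.158.122/webmail/inc/web/index.php
hxxp://77.92.158.122/webmail/inc/web/include/two.pdf
http://www.robtex.com/ip/213.163.91.93.html
hxxps://betbigwager[.]cn/in.cgi?income61
youngsters.ru/codec.exe
Snobelium.com
"""


def refang(url):
    """hxxp -> http, hxxps -> https, [.] -> ."""
    url = re.sub(r"^h[xt]{2}p", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def is_reference_site(host):
    """True for the host itself or any subdomain of a reference site."""
    return any(host == h or host.endswith("." + h) for h in REFERENCE_HOSTS)


def extract_indicators(text):
    """Return {'urls': [...], 'hosts': [...], 'ips': [...], 'reports': {hash: (hits, total)}}.

    First-appearance order is kept and duplicates dropped, so the output can
    go straight into a blocklist diff.
    """
    urls, hosts, ips, reports = [], [], [], {}
    last_hash = None

    def record(url, host):
        host = host.lower()
        if url and url not in urls:
            urls.append(url)
        try:
            ipaddress.ip_address(host)
            bucket = ips
        except ValueError:
            bucket = hosts
        if host not in bucket:
            bucket.append(host)

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = VT_RE.search(line)
        if m:
            # A report link; the next "Result:" line belongs to this hash.
            last_hash = m.group(1).lower()
            reports.setdefault(last_hash, None)
            continue
        m = RESULT_RE.search(line)
        if m and last_hash:
            reports[last_hash] = (int(m.group(1)), int(m.group(2)))
            continue
        found = URL_RE.findall(line)
        if found:
            for raw in found:
                url = refang(raw)
                host = urlsplit(url).hostname
                if host and not is_reference_site(host):
                    record(url, host)
            continue
        m = BARE_RE.match(line)
        if m:
            host = m.group("host")
            url = "http://" + host + m.group("path") if m.group("path") else None
            record(url, host)
    return {"urls": urls, "hosts": hosts, "ips": ips, "reports": reports}


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_POST).items():
        print(key, value)
```

The "Result:" line is attached to the most recent VirusTotal hash rather than to the URL, since posters sometimes list two URLs before one report; hosts are split from IPs so the IP bucket can go to a firewall list and the domain bucket to DNS blocking.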

April 29, 2009, 08:49:20 am
Reply #359

RS-232

Another lameness which is being injected to sites out there...
Quote
hxxp://77.92.158.122/webmail/inc/web/index.php
Quote
hxxp://77.92.158.122/webmail/inc/web/include/two.pdf
http://www.virustotal.com/analisis/29e7ee82e1302ef9559db58b41527755
Result: 14/40 (35%)
Quote
hxxp://77.92.158.122/webmail/inc/ -> Open dir...
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw