daily something......

[SysAdMini]

Code: [Select]

http://steer2.co.uk/im/172.exe
http://steer2.co.uk/im/88.exe
http://steer2.co.uk/im/adv.exe
http://steer2.co.uk/im/avscan.exe
http://steer2.co.uk/im/podmena.exe


already added some days ago. 

http://www.malwaredomainlist.com/mdl.php?search=steer2.co.uk&colsearch=All&quantity=50

[GmG]

Code: [Select]

http://steer2.co.uk/im/172.exe
http://steer2.co.uk/im/88.exe
http://steer2.co.uk/im/adv.exe
http://steer2.co.uk/im/avscan.exe
http://steer2.co.uk/im/podmena.exe


already added some days ago. 

http://www.malwaredomainlist.com/mdl.php?search=steer2.co.uk&colsearch=All&quantity=50

Sorry 

Rootkit TDSS

Code: [Select]

http://91.207.61.180/images/138/v3/file.exe


Code: [Select]

http://kxc-softwaresportal.com/promo.exe
http://updateserver.info/loads/traff.exe
http://updateserver.info/loads/instcash.exe
http://f-o-r.ms/xpre.tmp
http://f-o-r.ms/xrun.tmp

Mebroot

Code: [Select]

http://1681online.com/ld/dx/
http://wepawet.cs.ucsb.edu/view.php?hash=79ec6e02b38cad246c44c87dbeb4c2c6&t=1238508047&type=js

Rogue on googlecode like
http://sunbeltblog.blogspot.com/2009/03/google-code-site-used-as-malware.html

Code: [Select]

http://vlrm.googlecode.com/svn/trunk/
http://ultra-av.googlecode.com/svn/trunk/

Refpron

Code: [Select]

http://174.133.72.250/p1212/2.0/w.bin


Code: [Select]

http://mnnz.biz/ar/
http://mnnz.biz/ar/exe.php


[sowhat-x]

f-o-r.ms -> seems we've got a jackpot here,heh...
http://www.bfk.de/bfk_dnslogger.html?query=85.17.162.100#result

[GmG]

f-o-r.ms -> seems we've got a jackpot here,heh...
http://www.bfk.de/bfk_dnslogger.html?query=85.17.162.100#result

Malicious Advertising, xrun.exe - xpre.exe and friends
http://www.bluetack.co.uk/forums/index.php?showtopic=18462
 

[sowhat-x]

Lol,Bluetack is pretty much one of the best english-speaking malware hunting forums out there,
but it doesn't really get the attention that it should from the security community unfortunately... 

[SysAdMini]

f-o-r.ms -> seems we've got a jackpot here,heh...
http://www.bfk.de/bfk_dnslogger.html?query=85.17.162.100#result

Malicious Advertising, xrun.exe - xpre.exe and friends
http://www.bluetack.co.uk/forums/index.php?showtopic=18462
 

Ok, Marcel Heler and friends. Well known.

[Mr Clean]

Hi everyone, I'm a newbie here.  Just want to say hi!

I really like this site and I'm embarrassed that I didn't start to appreciate it sooner. 

Anyway, on a daily  basis I run across all sorts of crazy stuff and I'm sure you do too.   This bizarre little goodie just flashed on my screen so I thought I'd post it here to see what ya think.   

Code: [Select]

POST / HTTP/1.0
TagId: xxxxxxxxxxx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Host: search.namequery.com
Content-Length: 15
Pragma: no-cache
Via: 1.1 localhost:80 (squid)
Cache-Control: max-age=259200
Connection: keep-alive

~G.....p...o.\~HTTP/1.0 200 OK

Server: Microsoft-IIS/6.0
Content-Type: image/jpeg
Content-Length: 553
Connection: Close
TagId: xxxxxxxxxxx


~. ....MZ......................@...............................................!..L.!This program cannot be run in DOS mode.

Any insight would be appreciated   

The binary is attached.

[sowhat-x]

"binary3" unfortunately seems to be download-corrupted,ie.it's not a valid executable...
Did you grab it via a POST request?

[Mr Clean]

"binary3" unfortunately seems to be download-corrupted,ie.it's not a valid executable...
Did you grab it via a POST request?

No, I pulled it from a pcap.  Yeah, I noticed that it's broken.  The squid proxy likely killed it.     What I find bizarre is that it's a POST request, and the server responded by pushing down an apparent binary with a Content-Type: image/jpeg.   This isn't exactly normal behaviour.   Does anyone have anything on the domain "search.namequery.com"?

[sowhat-x]

Google returns a few bad history records from what it seems...
http://www.bfk.de/bfk_dnslogger.html?query=209.53.113.223#result
http://www.google.com/search?q=209.53.113.223

[Mr Clean]

Google returns a few bad history records from what it seems...
http://www.bfk.de/bfk_dnslogger.html?query=209.53.113.223#result
http://www.google.com/search?q=209.53.113.223

Ok, this is generated by a program call "computrace" by absolute software.  It's laptop "lojack" software

[CkreM]

Zbot,domain on MDL but different path this time:

Code: [Select]

http://amnepofig.ru/test/config.bin
http://amnepofig.ru/test/loader.exe

[sowhat-x]

hxxp://bublik.biz/in.cgi?2 // Newer domain hosted over at 88.198.48.247...

Redirects to ->

hxxp://cximnik.cn/img2/index.php // Already spotted in previous days...pdf exploits etc.

= = = = = = = = = = = = = = = = =

hxxp://basesrv3.net/update/main.exe

Result: 9/40 (22.5%):
http://www.virustotal.com/analisis/bc75d1265dcad80564f03cfb3cc1e1ae

[CkreM]

Exploit/Trojan:

Code: [Select]

murka-best.com/include/spl.phphttp://wepawet.iseclab.org/view.php?hash=f6e9a5645ca288e481b17453d05491d0&t=1238524847&type=js

Trojan:

Code: [Select]

luks5.cn/unique/1.exehttp://www.virustotal.com/analisis/9cec63d35bafded6092bee37132e6e0a

[sowhat-x]

Code: [Select]

hxxp://213.155.6.33/new/controller.php?action=bot&entity_list=One more c&c server in the same netblock,213.155.6.32 already spotted couple days ago...

Code: [Select]

hxxp://213.155.4.82/new/controller.php?action=bot&entity_list=C&C server,213.155.4.80 also spotted earlier in the same netblock...

For sparsha - as i know he has a special preference in fake AVs... 

Code: [Select]

hxxp://pornorawa.com
hxxp://sys-scan-1.biz
hxxp://sys-scanner-1.biz/download.php?page=
hxxp://www.system-protector.net/
Few more fake AVs...

Code: [Select]

hxxp://pcsolutionshelp.com/
hxxp://download.pcsolutionshelp.com/secure/fb4b4716a45f37c3694efcab0d41ee69/49d376e5/bestvirusremover2009.com/virusremover2009_setup_free_rezer_en.exe
hxxp://malwareremovingtool.com/
hxxp://download.malwareremovingtool.com/secure/ab3dc06cc30452c69f2a70caf88d36bb/49d376e5/AntiMalwareGF_Rezer.exe

Code: [Select]

hxxp://download.malwareremovingtool.com/  -> Open dir...have fun ;-)