Malware Domain List

Malware Related => Malicious Domains => Topic started by: Winston Smith on July 30, 2009, 06:24:27 pm

Title: a2h7uploading.com Malware Site unknown functionality
Post by: Winston Smith on July 30, 2009, 06:24:27 pm
Saw a2h7uploading.com appearing on a number of Zeus infected machines, the string was usually something like:

hxxp://133007d90712.a2h7uploading.com/get.php?c=HXBIBLID&d=26606B673934206A616D37783C3F3F3C2026222A327A7A73476C737F21282E2A164311161403534E4C141A1D1C1E6D1705720B70750002060000037E7909097A05710306737D03727F796C28203B2B3D6D6761753D263733353034666C7B2B315D145A0006515341071A1C0E1E05075245571D000210041B17

hxxp://212907d90701.a2h7uploading.com/get.php

hxxp://062907d90730.a2h7uploading.com/get.php

Don't know if it's a drop site or Zeus call home site, or if it is just a secondary infection, but WhoIs shows it was registered on 15-jul-2009

Wepawet lists the site as suspicious.
Title: Re: a2h7uploading.com Malware Site unknown functionality
Post by: SysAdMini on July 30, 2009, 08:00:23 pm
I don't know what it is, but you can use anything as a subdomain name.
The "d" parameter has to be valid. Modifying the subdomain or the "c" parameter doesn't change the response.
If "d" is invalid, then the site returns 404. Other filenames than get.php redirect to uploading.com.
Title: Re: a2h7uploading.com Malware Site unknown functionality
Post by: Winston Smith on August 06, 2009, 07:00:18 pm
That would make sense. Based on what you saw, I suspect the D parameter is a machine specific identifier.

The C parameter is most likely the encrypted outbound data going back home.
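As an added example that is not part of this thread: a small Python scanner a defender could run over web proxy logs to flag requests matching the pattern described above (any subdomain of a2h7uploading.com, /get.php, hex "d" parameter). The log format and the sample lines are constructed for the example, not taken from the posts.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy-log lines (hypothetical format: "<timestamp> <client-ip> <method> <url> <status>").
# The hex 'd' value below is a made-up short sample, not the one from the thread.
SAMPLE_LOG = """\
2009-07-30T18:01:02Z 10.0.0.5 GET http://133007d90712.a2h7uploading.com/get.php?c=HXBIBLID&d=26606B673934 200
2009-07-30T18:01:09Z 10.0.0.7 GET http://www.example.com/index.html 200
2009-07-30T18:02:15Z 10.0.0.5 GET http://212907d90701.a2h7uploading.com/get.php 404
2009-07-30T18:03:40Z 10.0.0.9 GET http://a2h7uploading.com/other.php?d=ZZ 302
"""

WATCH_DOMAIN = "a2h7uploading.com"          # domain reported in the thread
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")       # 'd' was observed as a long hex string

def classify(url):
    """Return a reason string if the URL touches the watched domain, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host != WATCH_DOMAIN and not host.endswith("." + WATCH_DOMAIN):
        return None
    # Subdomain label is arbitrary per SysAdMini's test; keep it only for reporting.
    sub = host[: -len(WATCH_DOMAIN)].rstrip(".") or "-"
    d = parse_qs(p.query).get("d", [None])[0]
    if p.path == "/get.php" and d and HEX_RE.match(d) and len(d) % 2 == 0:
        return f"get.php with even-length hex 'd' (len {len(d)}), subdomain={sub}"
    return f"other request to {WATCH_DOMAIN} (path={p.path}, subdomain={sub})"

def scan(log_text):
    """Parse each log line and collect (timestamp, client, status, reason) for matches."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                      # skip malformed lines rather than crash
        ts, client, _method, url, status = parts[:5]
        reason = classify(url)
        if reason:
            hits.append((ts, client, status, reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Requests to the domain without a valid hex "d" (the 404 case from the thread) are still reported, since a host contacting the domain at all is the useful signal for triage.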