Topic: Gumblar Drop sites grizimvozim.name and ShopVideoSchools.cn (Read 4469 times)
June 04, 2009, 05:21:14 pm
Winston Smith
Gumblar Drop sites grizimvozim.name and ShopVideoSchools.cn
Systems began calling out to grizimvozim.name and ShopVideoSchools.cn after visiting Gumblar site 78.109.29.112.
hxxp://ShopVideoSchools.cn/v3/index.php and hxxp://grizimvozim.name/main.php were accessed at one-hour intervals following infection.
June 05, 2009, 04:27:58 am
Reply #1
redwolfe_98
Re: Gumblar Drop sites grizimvozim.name and ShopVideoSchools.cn
Interestingly, "grizimvozim.name" resolves to IP address 21.53.74.215:
21.0.0.0 - 21.255.255.255; DoD Network Information Center
I suppose that "DoD" is U.S. "Department of Defense", especially considering that their contact information is "HOSTMASTER@nic.mil".
June 08, 2009, 01:33:26 pm
Reply #2
esh
Re: Gumblar Drop sites grizimvozim.name and ShopVideoSchools.cn
I sent grizimvozim.name to Bluecoat on 5/28 to be added to their malware category.
If you are seeing it, it is a botnet (well, you knew that much); they are utilizing grizimvozim.name subdomains (ww1, ww2, etc.) for their C&C.
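
An added example, not part of the original posts: one way to look in proxy logs for the behaviour reported in this thread, namely callouts to the two domains (and their subdomains) at one-hour intervals. The log format, client addresses, tolerance and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Domains named in the thread; subdomains (ww1, ww2, ...) are matched as well.
WATCHED = ("grizimvozim.name", "shopvideoschools.cn")

# Constructed proxy log lines (assumed format: timestamp client host path).
SAMPLE_LOG = """\
2009-06-04T17:21:14 10.0.0.5 grizimvozim.name /main.php
2009-06-04T17:21:20 10.0.0.5 ShopVideoSchools.cn /v3/index.php
2009-06-04T17:40:02 10.0.0.9 example.org /index.html
2009-06-04T18:21:16 10.0.0.5 ww1.grizimvozim.name /main.php
2009-06-04T18:21:25 10.0.0.5 shopvideoschools.cn /v3/index.php
2009-06-04T19:21:13 10.0.0.5 ww2.grizimvozim.name /main.php
2009-06-04T19:05:00 10.0.0.7 grizimvozim.name /main.php
"""

def watched_parent(host, watched=WATCHED):
    """Return the watched domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in watched:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_hourly_callouts(log_text, interval=3600, tolerance=300, min_hits=3):
    """Map (client, watched domain) -> hit count where every gap is ~interval seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        stamp, client, host, _path = fields
        domain = watched_parent(host)
        if domain:
            hits[(client, domain)].append(datetime.fromisoformat(stamp))
    flagged = {}
    for key, times in hits.items():
        times.sort()  # log lines may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - interval) <= tolerance for g in gaps):
            flagged[key] = len(times)
    return flagged

if __name__ == "__main__":
    print(find_hourly_callouts(SAMPLE_LOG))
```

A single request to either domain is already worth investigating; the interval check only separates the repeating callout pattern from one-off visits.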