Author Topic: New Zeus server  (Read 345747 times)


January 22, 2010, 04:43:57 pm
Reply #60

SysAdMini

Downloads trojan Zbot and other malware.
The malware config servers:


Code:
hxxp://klitar.cn/cp/l/28/088f1f3a888617973b88c21a23f907d5/f8fdf0601bcc3453b8b4d90fce622406
hxxp://klitar.cn/cp/l/11/d38bb79c97509e07111c3dea6d92cb58/efc66d8f9d32309cfe56382f69c95e6e
hxxp://klitar.cn/cp/l/19/c95535db0ebc2d416bbefcacd3345420/f1a64914c01f584549056805acc61736
hxxp://klitar.cn/cp/l/20/299c49cc5225165610cd08227e9d5562/af73d9596a9a6363ffd5d968628f7a9c
hxxp://klitar.cn/cp/l/2/e99eb3a724872da6cff5f99b87ade5de/6ab84adb1bcb02622c89af526a2a2fe8
hxxp://klitar.cn/cp/l/12/e2b3be27fddbce37ba168e5bb9d7b484/47ce9e84a768603f9de7c1325386d39b
IP 193.104.110.89
AS50073
Administrative Email: gamegalenty@mail.ru
Registrant Name: googlegoogle

I don't find any Zbot.  ???
Ruining the bad guy's day

January 22, 2010, 05:59:42 pm
Reply #61

jackberri


Quote from SysAdMini: I don't find any Zbot.  ???

Code:
hxxp://klitar.cn/cp/l/28/088f1f3a888617973b88c21a23f907d5/f8fdf0601bcc3453b8b4d90fce622406
downloads 1.exe ====> md5sum 0e2a961da9504c243a8605e3325d246e
http://www.virustotal.com/analisis/3077da26818ed411d55d29708de40b4ce10c15a94804e7253a60ec634ce701bc-1264146214
http://www.threatexpert.com/report.aspx?md5=0e2a961da9504c243a8605e3325d246e
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12054933&cs=5D45E0548CAF1906FEB502CA393D2E22

Code:
hxxp://klitar.cn/cp/l/11/d38bb79c97509e07111c3dea6d92cb58/efc66d8f9d32309cfe56382f69c95e6e
downloads 1.exe ====> md5sum efc66d8f9d32309cfe56382f69c95e6e
http://www.virustotal.com/analisis/a8b2b227383cec0f74966b5796130b535caf563873e99406e546107ff1d10812-1264164713
http://www.threatexpert.com/report.aspx?md5=efc66d8f9d32309cfe56382f69c95e6e
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=53536503&cs=8F1334C420884380CF9B8986A6E7770C

Code:
hxxp://klitar.cn/cp/l/19/c95535db0ebc2d416bbefcacd3345420/f1a64914c01f584549056805acc61736
downloads 1.exe ====> md5sum f1a64914c01f584549056805acc61736
http://www.virustotal.com/analisis/510f22b8ab8e26bbba57c069c4c828a5914a69bdfa79759c3b55fdf84493aac7-1264112515
http://www.threatexpert.com/report.aspx?md5=f1a64914c01f584549056805acc61736
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12054935&cs=689759CBCBA3ED5C1AF9E5AAC0B4AFD6

Code:
hxxp://klitar.cn/cp/l/20/299c49cc5225165610cd08227e9d5562/af73d9596a9a6363ffd5d968628f7a9c
downloads 1.exe ====> md5sum af73d9596a9a6363ffd5d968628f7a9c
http://www.virustotal.com/analisis/c41d106d812ddd638d884ecfad511f538ade219a75e6040fd2a0fe1c40f48ebf-1264136631
http://www.threatexpert.com/report.aspx?md5=af73d9596a9a6363ffd5d968628f7a9c
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=53279518&cs=FCEC6FF1EAD0F6210D125D351881629F

Code:
hxxp://klitar.cn/cp/l/2/e99eb3a724872da6cff5f99b87ade5de/6ab84adb1bcb02622c89af526a2a2fe8
downloads 1.exe ====> md5sum 6ab84adb1bcb02622c89af526a2a2fe8
http://www.virustotal.com/analisis/88b9fd77e5dad8f827a170ffee412f97306ed8202f3619b75ab4b7585382ac1b-1264170738
http://www.threatexpert.com/report.aspx?md5=6ab84adb1bcb02622c89af526a2a2fe8
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=53539007&cs=40ADC24C6CA30B8C6B74165843738B84

Code:
hxxp://klitar.cn/cp/l/12/e2b3be27fddbce37ba168e5bb9d7b484/47ce9e84a768603f9de7c1325386d39b
downloads 1.exe ====> md5sum 47ce9e84a768603f9de7c1325386d39b
http://www.virustotal.com/analisis/9d22b7762aac30ba9885a4d06e6ee0bb881653fe22119c9624bd49dd7c982d5c-1264033266
http://www.threatexpert.com/report.aspx?md5=47ce9e84a768603f9de7c1325386d39b
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12055006&cs=99A744B6D2E52EC02178F552105E628F

January 22, 2010, 06:06:15 pm
Reply #62

SysAdMini

Thanks. Ok, now I see which one it is. But I don't get the Zbot sample.
Download returns 0 bytes.
Ruining the bad guy's day

January 22, 2010, 06:17:06 pm
Reply #63

jackberri

Quote from SysAdMini: Thanks. Ok, now I see which one it is. But I don't get the Zbot sample. Download returns 0 bytes.

Code:
hxxp://klitar.cn/cp/l/20/299c49cc5225165610cd08227e9d5562/af73d9596a9a6363ffd5d968628f7a9c
now downloads the binary, but only randomly.

January 22, 2010, 09:18:46 pm
Reply #64

jackberri

Code:
hxxp://secline333.net
IP 195.78.108.70
AS49544

Created: 2010-01-06
Registrant Contact: HardSoft, inc
hilarykneber@yahoo.com

config url:
Code:
hxxp://secline333.net/files/saw.nrg

January 22, 2010, 09:58:00 pm
Reply #65

jackberri

Code:
hxxp://tttbbbttt.zapto.org
IP 95.31.234.3
AS8402

Registrant Name: Domain Operations No-IP.com
Registrant email: domains@no-ip.com

config url:
Code:
hxxp://tttbbbttt.zapto.org/zv/config.bin
dropzone:
Code:
hxxp://tttbbbttt.zapto.org/zv/gate.php

January 23, 2010, 09:05:53 am
Reply #66

jackberri

Code:
hxxp://windowsserverinfo.com
IP 109.95.114.194
AS50369

Status: DELEGATED

Creation Date: 11-jan-2010
Updated Date: 21-jan-2010

Registrant ID: VX9UXHD-RU
Registrant Name: Vera V Zaytseva
Registrant Organization: Vera V Zaytseva

Contact E-mail: taffy@blogbuddy.ru

config url:
Code:
hxxp://windowsserverinfo.com/rock.bin
trojan:
Code:
hxxp://windowsserverinfo.com/respunka.exe
dropzone:
Code:
hxxp://windowsserverinfo.com/lartunka.php

January 23, 2010, 11:37:53 am
Reply #67

jackberri

Code:
hxxp://dafaroff.freehostia.com
IP 66.40.52.185
AS11388

Administrative Contact:
Whois Privacy Protection Service, Inc.

Contact E-mail: nfqlrftxvf@whoisprivacyprotect.com

config url:
Code:
hxxp://dafaroff.freehostia.com/php/config.bin
dropzone:
Code:
hxxp://dafaroff.freehostia.com/php/gate.php

January 23, 2010, 01:24:03 pm
Reply #68

jackberri

Code:
hxxp://dnsserverbackupzones.com
IP 109.95.114.196
AS50369

Creation Date: 03-dec-2009
Updated Date: 03-dec-2009

Administrative Contact: Mikhail Vorobiev

Contact E-mail: bombs@maillife.ru

config url:
Code:
hxxp://dnsserverbackupzones.com/5vnty85y8yt.bin
trojan:
Code:
hxxp://dnsserverbackupzones.com/nerbertop.exe
dropzone:
Code:
hxxp://dnsserverbackupzones.com/oleaumt.php

"Mikhail Vorobiev" owns about 149 other domains.

See Heuristics Analysis:
http://www.threatexpert.com/report.aspx?md5=de23202b75977830770c4f6ac90d0f4c

January 23, 2010, 02:41:28 pm
Reply #69

jackberri

Coming soon:

Code:
hxxp://nm.fcrazy.com/doit.phpload/zs_update.exe
(bl.fcrazy.eu/hhf/info.bin)

Code:
hxxp://nm.fcrazy.com
IP 59.53.91.102
AS4134

Registration Service Provided By: ZONEREG.RU

Creation Date: 20-Jan-2010

Registrant: Frost Alex
dj.psyimported@gmail.com

January 24, 2010, 01:52:53 pm
Reply #70

jackberri

Code:
hxxp://bandbmlc.it
IP: 94.75.228.36
Reverse: hosted-by.leaseweb.com
AS16265

Registrant
Name: MARIA LUIGIA CRIVELLA

config url:
Code:
hxxp://bandbmlc.it/includes/you.zip

January 24, 2010, 05:34:49 pm
Reply #71

jackberri

New files for

Code:
hxxp://193.104.27.11
AS12604

Kamushnoy Vladimir Vasulyovich
vla.kam@citygameru.cn

config url:
Code:
hxxp://193.104.27.11/gig.cnf
trojan:
Code:
hxxp://193.104.27.11/gig.exe
dropzone:
Code:
hxxp://193.104.27.11/gogo.php

January 24, 2010, 05:35:58 pm
Reply #72

jackberri

New files for

Code:
hxxp://mybackuper.info
IP 193.104.106.61
AS34305

Domain Name: MYBACKUPER.INFO
Created On: 05-Jan-2010 17:25:46 UTC

Registrant ID: DI_10788102
Registrant Name: Polev Igor Aleksandrovich
Registrant Email: formyfirst@gmail.com

config url:
Code:
hxxp://mybackuper.info/ext/profi.bin
dropzone:
Code:
hxxp://mybackuper.info/ext/s.php

January 24, 2010, 05:56:37 pm
Reply #73

jackberri

New trojan for

Code:
hxxp://115.100.250.81
Code:
hxxp://115.100.250.81/us/directwin.exe
md5sum ===> 039a10002e6e8ffd5d78e0d2a7360a4e

January 24, 2010, 08:58:24 pm
Reply #74

jackberri

Code:
hxxp://www.bumagajet.net
IP: 72.167.95.90
IP Location: United States - Arizona - Scottsdale - Godaddy.com Inc

Reverse: ip-72-167-95-90.ip.secureserver.net

AS26496

Date Registered: 2010-1-19
Date Modified: 2010-1-19

Registrant: STEVE PARK
lanenoeliatzg@gmail.com

config url:
Code:
hxxp://www.bumagajet.net/webstatics/binder.bin