Author Topic: clickscompile and u.clickscompile  (Read 5349 times)


July 22, 2010, 02:35:44 pm

Barry

This seems to be rather recent:

http://clickscompile.com

and

http://u.clickscompile.com

I would be interested if someone has more information on these. I can offer the following meager stream information from a Wireshark pcap file:

Quote
GET /p/proxy/106 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: u.clickscompile.com
Pragma: no-cache

HTTP/1.1 200 OK
Date: Thu, 22 Jul 2010 01:29:02 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html

70,5,2,0,0


July 22, 2010, 02:50:38 pm
Reply #1

Barry

Raw pcap file attached, for those interested.

July 26, 2010, 07:24:51 pm
Reply #2

cr4shm0ney

Hi Barry,

Do you know what malware if any is associated with this domain?

Thanks!

July 27, 2010, 04:02:20 pm
Reply #3

Barry

Quote
Hi Barry,

Do you know what malware if any is associated with this domain?

Thanks!

Hi, don't know if this helps, but anecdotally, each time the PC in question has connected to the site in the manner shown, a variant of what appears to be deepdive shows up on the PC as C:\program files\shared\lib.dll and has an add-on in IE8 associated with it. I say "appears", because although Norton detects it and fixes it, it is by "reputation" and not by "signature". Meaning, it recognizes the directory and file as being suspicious, but did not find anything wrong with the file itself. I do not yet know what's on the PC that causes it to connect to the site, but continue to try and find it. I would not be surprised if the mechanism was capable of loading other malware. As you can see though, it definitely connects to the clickscompile URL. Also, I believe the clickscompile domain was recently registered in June of this year, so it is probably something new.

July 27, 2010, 07:42:13 pm
Reply #4

cr4shm0ney

I think you might have a typo in the domain; I believe you might be thinking of clickzcompile.com, part of the Exedot trojan.

http://www.threatexpert.com/report.aspx?md5=225aef2b0e613c37837d8a519a7d3b14

July 27, 2010, 08:15:43 pm
Reply #5

Barry

Hi, I was going by this, but it might not be the best source:

http://www.tastereports.com/domain.html?domain=clickscompile.com

The malware on the PC does a DNS lookup on clickscompile.com, then uses the obtained IP address to do the rest. Thanks for your input, it would be great to find out what this is :)

August 19, 2010, 02:01:03 pm
Reply #6

Barry

Found a little more that may or may not be of value for this site:

http://www.robtex.com/dns/u.clickscompile.com.html#shared

http://www.robtex.com/dns/u.clickscompile.com.html#blacklists


August 19, 2010, 03:03:35 pm
Reply #7

cr4shm0ney

I believe this is the ExeDot trojan dropper; I would advise blocking the following.

http://www.symantec.com/security_response/writeup.jsp?docid=2010-072114-4649-99&tabid=2

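A small detector in the spirit of the blocking advice above, added here as an example and not code from the thread or from any vendor: it matches DNS query names and proxy Host names against a wildcard blocklist built from the domains named in this thread, run over constructed log lines. The log formats, source IPs, timestamps and the blocklist entries are assumptions constructed for the example.

```python
import re
from typing import Iterable

# Blocklist constructed from the domains named in this thread (not a vendor feed).
# A leading "*." entry matches any subdomain but not the apex name itself.
BLOCKLIST = {"clickscompile.com", "*.clickscompile.com",
             "clickzcompile.com", "*.clickzcompile.com"}

def host_matches(host: str, patterns: Iterable[str]) -> bool:
    """True if host (case-insensitive, trailing dot stripped) hits a pattern."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if host.endswith(pat[1:]):   # suffix such as ".clickscompile.com"
                return True
        elif host == pat:
            return True
    return False

# Constructed sample log lines: a squid-style proxy access log and a BIND-style
# DNS query log. The first line of each reproduces the thread's observed traffic.
PROXY_LOG = """\
1279762142.000 10.0.0.5 TCP_MISS/200 312 GET http://u.clickscompile.com/p/proxy/106 - DIRECT/198.51.100.7 text/html
1279762150.000 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/203.0.113.9 text/html
"""
DNS_LOG = """\
22-Jul-2010 01:29:01 client 10.0.0.5#51234: query: clickscompile.com IN A
22-Jul-2010 01:29:05 client 10.0.0.9#51235: query: mail.example.org IN MX
"""

# Assumed field layouts for the two constructed formats above.
PROXY_RE = re.compile(r"^\S+ (?P<src>\S+) \S+ \d+ \S+ https?://(?P<host>[^/:\s]+)")
DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<host>\S+) IN")

def find_hits(log: str, pattern: re.Pattern, blocklist=BLOCKLIST) -> list[tuple[str, str]]:
    """Return (source_ip, host) pairs for every log line whose host hits the blocklist."""
    hits = []
    for line in log.splitlines():
        m = pattern.search(line)
        if m and host_matches(m["host"], blocklist):
            hits.append((m["src"], m["host"]))
    return hits

if __name__ == "__main__":
    print("proxy hits:", find_hits(PROXY_LOG, PROXY_RE))
    print("dns hits:  ", find_hits(DNS_LOG, DNS_RE))
```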