hs.2-107.zlkon.lv (94.247.2.107)

[Mr Clean]

Code: [Select]

hxxp://clipan.net/download/4f3334764e513d3df0c9d80d/Playboy.The.Mansion.Gold.Edition..exe

$ dig clipan.net +short
94.247.2.107

$ dig -x 94.247.2.107 +short
hs.2-107.zlkon.lv.

http://www.virustotal.com/analisis/266475edf5ef3cf171e605f1fbbf2cff
http://anubis.iseclab.org/?action=result&task_id=1810e467179cb12a42dc3e6c489742f0b

[sowhat-x]

...noticed the "Registry Values Modified" ? Cernel Network Ltd.,heh...

Code: [Select]

HKLM\​SYSTEM\​CurrentControlSet\​Services\​Tcpip\​Parameters\​
DhcpNameServer  85.255.112.215,85.255.112.94

Code: [Select]

HKLM\​SYSTEM\​CurrentControlSet\​Services\​Tcpip\​Parameters\​
NameServer      85.255.112.215,85.255.112.94

Code: [Select]

HKLM\​SYSTEM\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Interfaces\​{B2B51064-BBF5-4528-B62B-E6D62A782874}
DhcpNameServer  85.255.112.215,85.255.112.94

Code: [Select]

HKLM\​SYSTEM\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Interfaces\​{B2B51064-BBF5-4528-B62B-E6D62A782874}
NameServer      85.255.112.215,85.255.112.94

[SysAdMini]

...noticed the "Registry Values Modified" ? Cernel Network Ltd.,heh...

Aha, DNSChanger !

[sowhat-x]

Yeap...   
As described in full detail over at FireEye's blog:
http://blog.fireeye.com/research/2009/02/bad-actors-part-3-internet-pathcernel.html

[SysAdMini]

Code: [Select]

http://clipan.net/download/5a45475a35673d3de0ebc52f/FlashPlayer.exe
http://ingclip.com/download/5a45475a35673d3de0ebc52f/FlashPlayer.exe
Micha told me that you can use any file name for those DNSChangers.
As long as the number inside the url is valid then you can use whatyoulikename.exe.

[SysAdMini]

Code: [Select]

bulkso.com/download/6271737536513d3d6d8f85ef/mediaplayer.exehttp://www.virustotal.com/analisis/b96399b7b37b72dac880731f5ca9a521 15/40

[MarcusB]

OSX DNSChanger

hxxp://geodawn.com/download/3933657064413d3d7de86a0f/CodecUpdate.v1.19.dmg
hxxp://pligeo.com/download/3933657064413d3d7de86a0f/CodecUpdate.v1.19.dmg