Author Topic: Attention !! Malwaredomainlist(s).com distributes Rogue AV  (Read 41656 times)

August 01, 2009, 09:59:06 pm

SysAdMini
Some of our visitors have just sent me a note about a new Rogue Antivirus site.

This site uses the domain name malwaredomainlists.com.
Notice the s at the end of the name !!

The entry point to this crap is the URL
Code:
malwaredomainlists.com/block.php
Don't mix it up with our site.
Ruining the bad guy's day

August 02, 2009, 02:25:07 am
Reply #1

MysteryFCM
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 02, 2009, 03:57:02 am
Reply #2

CkreM
Mal-Aware

August 03, 2009, 06:50:28 am
Reply #3

SysAdMini

August 04, 2009, 05:14:30 pm
Reply #4

MysteryFCM
MalwareURL has a fan now too, hehe;

malwareurlblock.com

Kudos to Anthony for the heads up.

August 04, 2009, 05:39:52 pm
Reply #5

SysAdMini
Quote from: MysteryFCM on August 04, 2009, 05:14:30 pm
MalwareURL has a fan now too, hehe;

malwareurlblock.com

Kudos to Anthony for the heads up.

Looks exactly like the issue we had.

Code:
malwareurlblock.com/block.php
Also hosted in Germany - coincidence?

The IP address is also known for malware.

http://www.malwaredomainlist.com/mdl.php?search=83.133.123.113&colsearch=All&quantity=50

The IP address where the MDL fake was hosted a few days ago was also a known Fake AV host.

http://www.malwaredomainlist.com/mdl.php?search=78.47.91.153&colsearch=All&quantity=50&inactive=on

Looks like some kind of revenge.
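The look-alike names in this thread fall into two patterns: a one-character edit of the real label (malwaredomainlists.com with the extra s) and the real label with an extra token glued on (malwareurlblock.com). The unrelated explorersecurityhelper.com matches neither. The Python below is an added example and not code from this forum or from MDL/MalwareURL; it classifies candidate domains against a short list of protected brands using optimal-string-alignment distance plus an affix rule. malwareurl.com as MalwareURL's own domain and the AFFIXES set are assumptions, and the domain split takes only the last two labels, which is enough for the .com names here (a real deployment would use the Public Suffix List).

```python
"""Look-alike domain classifier for the typosquats discussed in this thread.

Added example: malwareurl.com as MalwareURL's domain and the AFFIXES set are
assumptions; split_domain() takes the last two labels, which is enough for the
.com names here (use the Public Suffix List in production).
"""
from typing import List, Optional, Tuple

# Brand domains to protect (malwaredomainlist.com is this forum's own site;
# malwareurl.com is assumed to be MalwareURL's).
PROTECTED = ["malwaredomainlist.com", "malwareurl.com"]

# Tokens scammers glue onto a brand label (assumed list, extend as needed).
AFFIXES = {"block", "blocker", "list", "lists", "secure", "security",
           "helper", "scan", "scanner", "av", "antivirus"}


def split_domain(domain: str) -> Tuple[str, str]:
    """'www.example.com' -> ('example', 'com')."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2], labels[-1]


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance:
    one insertion, deletion, substitution or adjacent transposition costs 1.
    A distance of 1 catches the added 's' in malwaredomainlists.com."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(domain: str, protected: List[str] = PROTECTED,
             affixes=AFFIXES) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_brand).

    verdict: 'legitimate'  exact match with a protected domain
             'tld-swap'    same label under another TLD
             'typo'        one edit away from a protected label
             'brand+affix' protected label plus an affix token
             'no-match'    nothing to do with the protected brands
    """
    label, tld = split_domain(domain)
    for brand in protected:
        blabel, btld = split_domain(brand)
        if label == blabel:
            return ("legitimate" if tld == btld else "tld-swap"), brand
        if osa_distance(label, blabel) <= 1:
            return "typo", brand
        if label.startswith(blabel) and label[len(blabel):] in affixes:
            return "brand+affix", brand
        if label.endswith(blabel) and label[:-len(blabel)] in affixes:
            return "brand+affix", brand
    return "no-match", None


if __name__ == "__main__":
    # The names from this thread plus one constructed TLD swap.
    for d in ["malwaredomainlist.com", "malwaredomainlists.com",
              "malwareurlblock.com", "explorersecurityhelper.com",
              "malwaredomainlist.net"]:
        print(f"{d:32} {classify(d)}")
```

The affix rule is deliberately a separate test from the edit distance: "malwareurlblock" is five edits from "malwareurl", so a distance threshold loose enough to catch it would also flag half the dictionary, whereas a fixed vocabulary of security-flavoured tokens stays precise.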

August 05, 2009, 09:32:49 am
Reply #6

SysAdMini
One more:

Code:
explorersecurityhelper.com/block.php

August 05, 2009, 04:17:26 pm
Reply #7

cleanmx
Here is this piece of code as evidence:

-- gerhard
Code:
start tracing target: 83.133.123.113 ()

Tracing __________________________________________________________________________!____.

TTL  LFT trace to t1010.greatnet.de (83.133.123.113):80/tcp
 1   [AS15968] [RIPE-C3/NETPILOTGMBH-DE] gwy.netpilot.net (62.67.240.1) 0.6/1.5ms
 2   [AS15968] [RIPE-C3/NETPILOTGMBH-DE] gwy34.netpilot.net (62.67.240.17) 1.0/0.8ms
 3   [AS15968] [RIPE-C3/NETPILOTGMBH-DE] l3gate1.netpilot.net (62.67.194.62) 1.5/1.9ms
 4   [AS3356] [RIPE-NCC-212/UK-LVLT-990218] gi-6-3.car1.Munich1.Level3.net (212.162.1.65) 2.5/125.5ms
 5   [AS3356] [LVLT-ORG-4-8] ae-4-4.ebr1.Frankfurt1.Level3.net (4.69.134.2) 8.4/8.9ms
 6   [AS3356] [LVLT-ORG-4-8] ae-81-81.csw3.Frankfurt1.Level3.net (4.69.140.10) 19.2/19.3ms
 7   [AS3356] [LVLT-ORG-4-8] ae-3-89.edge6.Frankfurt1.Level3.net (4.68.23.142) 8.3/8.7ms
 8   [AS3356] [RIPE-CBLK3/BBNPLANET-INTL] LAMBDANET.edge6.Frankfurt1.Level3.net (195.16.161.6) 9.2/10.3ms
 9   [AS13237] [217-RIPE/EU-LAMBDANET-CORE-DE-P2P-2] MUC-1-eth000.de.lambdanet.net (217.71.96.166) 15.4/16.0ms
**   [firewall] the next gateway may statefully inspect packets
10   [AS13237] [217-RIPE/LNC-DE-CUSTOMERLINKS3] GRE-0-pos1337.de.lambdanet.net (217.71.107.50) 16.4/16.3ms
11   [AS13237] [83-RIPE/LNCDE-GREATNET-NEWMEDIA] [target] t1010.greatnet.de (83.133.123.113):80 16.4/17.0/*/*/*ms

LFT's trace took 3.75 seconds.  Resolution required 12.09 seconds.



end tracing target 83.133.123.113
start whois lasthop for (83.133.123.113)

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '83.133.96.0 - 83.133.127.255'

inetnum:        83.133.96.0 - 83.133.127.255
netname:        LNCDE-GREATNET-NEWMEDIA
descr:          Greatnet New Media.
country:        DE
admin-c:        FL1331-RIPE
tech-c:         FL1331-RIPE
status:         ASSIGNED PA
mnt-by:         LNC-MNT
mnt-lower:      LNC-MNT
source:         RIPE # Filtered

person:         Frazzetta Lindner
address:        Greatnet New Media
address:        Brentenstrasse 4a
address:        D-83734 Hausham
address:        Germany
phone:          +49 1805 47328638
fax-no:         +49 1805 444894696
nic-hdl:        FL1331-RIPE
abuse-mailbox:  abuse@greatnet.de
mnt-by:         LNC-MNT
source:         RIPE # Filtered

% Information related to '83.133.0.0/16AS13237'

route:          83.133.0.0/16
descr:          Lambdanet Operations - German region
origin:         AS13237
mnt-by:         LNC-MNT
source:         RIPE # Filtered




end whois lasthop for (83.133.123.113)
start list of email contacts:

abuse@greatnet.de


end list of email contacts:
start transcript of session:

DEBUG output created by Wget 1.10.2 on linux-gnu.

--18:19:10--  http://explorersecurityhelper.com/block.php
           => `/tmp/BARv4HToC'
Connecting to 62.67.194.52:3128... connected.
Created socket 19.
Releasing 0x0808f138 (new refcount 0).
Deleting unused 0x0808f138.

---request begin---
GET http://explorersecurityhelper.com/block.php HTTP/1.0
Pragma: no-cache
User-Agent: Mozilla/5.0 (compatible; en-US)
Accept: */*
Host: explorersecurityhelper.com

---request end---
Proxy request sent, awaiting response...
---response begin---
HTTP/1.0 200 OK
Date: Wed, 05 Aug 2009 16:19:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Content-Length: 2629
Content-Type: text/html
X-Cache: MISS from dbserver.op.netpilot.net
X-Cache-Lookup: MISS from dbserver.op.netpilot.net:23128
Proxy-Connection: close

---response end---

  HTTP/1.0 200 OK
  Date: Wed, 05 Aug 2009 16:19:10 GMT
  Server: Apache
  X-Powered-By: PHP/5.2.8
  Content-Length: 2629
  Content-Type: text/html
  X-Cache: MISS from dbserver.op.netpilot.net
  X-Cache-Lookup: MISS from dbserver.op.netpilot.net:23128
  Proxy-Connection: close
Length: ignored [text/html]

    0K ..                                                        3.76 MB/s

Closed fd 19
18:19:10 (3.76 MB/s) - `/tmp/BARv4HToC' saved [2629]



end transcript of session
start of offending raw content:

<html xmlns="http://www.w3.org/1999/xhtml" class="blacklist">
  <head>
    <link rel="stylesheet" href="img/style.css" type="text/css" media="all"/>
  <title>Warning! Visiting this site may harm your computer!</title></head>
<body>
  <table width="645" border="0" align="center" cellpadding="0" cellspacing="0" style="margin-top:60px; font-size:11px;">
    <tr>
      <td width="18"><img src="img/001.gif" width="19" height="19"></td>
      <td width="620" bgcolor="#772222"  style=" border-top:#808080 solid 1px;">&nbsp;</td>
      <td width="18" align="right"><img src="img/002.gif" width="19" height="19"></td>
    </tr>
    <tr>
      <td width="18" bgcolor="#772222"  style=" border-left:#808080 solid 1px;">&nbsp;</td>
      <td width="620" bgcolor="#772222"><table width="100%" border="0" cellspacing="5" cellpadding="0">
        <tr>
          <td width="13%" valign="top" align="center"><img src="img/ico.gif" width="63" height="64"></td>
          <td width="87%" valign="top"><div style="font-size:17px; color:#ffffff; border-bottom:1px solid #FFF;"><strong>Warning! Visiting this site may harm your computer!</strong>
          </div>
          <div style=" margin-top:18px; color:#FFF; font-size:12px;">
         
         
     
            <p>This web site probably contains malicious software program, which can cause damage to your computer or perform actions without your permission. Your computer may be infected after visiting such web site.</p>
            <p>We recommend you to install (or activate) antivirus security software.</p>
            <p>I do realize that visiting this site can cause harm to my computer.</p>
            <table width="100%" border="0" cellspacing="0" cellpadding="0" style="margin-top:26px;">
              <tr>
                <td width="18%"><form action="" method="GET"><input type="submit" id="button" value="Continue Unprotected"></form></td>
                <td width="4%">&nbsp;</td>
                <td width="78%"><form action="/1/" method="GET"><input type="hidden" value="" name="id"><input type="submit" id="button2" value="Get security software"></form></td>
              </tr>
            </table>
          </div></td>
        </tr>
      </table></td>
      <td width="18" bgcolor="#772222"  style=" border-right:#808080 solid 1px;">&nbsp;</td>
    </tr>
    <tr>
      <td width="18"><img src="img/004.gif" width="19" height="19"></td>
      <td width="620" bgcolor="#772222"  style=" border-bottom:#808080 solid 1px;">&nbsp;</td>
      <td width="18" align="right"><img src="img/003.gif" width="19" height="19"></td>
    </tr>
  </table>


</body>
</html>

end of offending raw content
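The captured page above is a generic interstitial template rather than anything specific to one domain: a scare title, a "Continue Unprotected" button that just reloads the page, and a "Get security software" form that sends a hidden id to /1/ on the same host. That makes the template itself a better detection handle than the ever-changing domain. The Python below is an added example, not cleanmx's or MDL's tooling; CAPTURED is a trimmed excerpt of the HTML shown in this post, BENIGN is a constructed warning page that shares only the title wording, and the feature names and the two-feature threshold are choices of this example.

```python
"""Fingerprint the rogue-AV 'block.php' interstitial captured in this thread.

Added example. CAPTURED is a trimmed excerpt of the HTML fetched from
explorersecurityhelper.com/block.php above; BENIGN is a constructed page that
shares only the scare wording, to show the threshold does not fire on it.
"""
from html.parser import HTMLParser
from typing import Dict, List


class BlockPageParser(HTMLParser):
    """Collect the <title> text and, per <form>, its action and <input> attributes."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.forms: List[Dict] = []  # [{'action': str, 'inputs': [attr dicts]}]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms.append({"action": (a.get("action") or "").strip(), "inputs": []})
        elif tag == "input" and self.forms:
            # Valueless attributes come back as None; normalise to "".
            self.forms[-1]["inputs"].append({k: (v or "") for k, v in a.items()})

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def fingerprint(html: str) -> List[str]:
    """Return the template features found in html, in document order."""
    p = BlockPageParser()
    p.feed(html)
    hits = []
    if "may harm your computer" in p.title.lower():
        hits.append("scare-title")
    for f in p.forms:
        submits = [i.get("value", "").lower() for i in f["inputs"] if i.get("type") == "submit"]
        if any("continue unprotected" in v for v in submits):
            hits.append("continue-unprotected-button")
        hidden_id = any(i.get("type") == "hidden" and i.get("name") == "id" for i in f["inputs"])
        if hidden_id and any("get security software" in v for v in submits):
            hits.append("get-software-form:" + (f["action"] or "(self)"))
    return hits


def is_rogue_block_page(html: str) -> bool:
    """Two independent features required, so a legitimate warning page that
    happens to reuse the scare sentence does not trigger on its own."""
    return len(fingerprint(html)) >= 2


# Trimmed excerpt of the capture posted above (layout tables removed).
CAPTURED = """<html><head><title>Warning! Visiting this site may harm your computer!</title></head>
<body>
<form action="" method="GET"><input type="submit" id="button" value="Continue Unprotected"></form>
<form action="/1/" method="GET"><input type="hidden" value="" name="id"><input type="submit" id="button2" value="Get security software"></form>
</body></html>"""

# Constructed benign page: same scare wording, no rogue-AV call to action.
BENIGN = """<html><head><title>Warning: this site may harm your computer</title></head>
<body><p>Our web filter blocked this page.</p>
<form action="/back" method="GET"><input type="submit" value="Go back"></form></body></html>"""


if __name__ == "__main__":
    for name, page in [("captured", CAPTURED), ("benign", BENIGN)]:
        print(name, fingerprint(page), is_rogue_block_page(page))
```

The "get-software-form" hit carries the form action, so when the same template turns up on the next domain the relative /1/ landing path can be pivoted on just like the /block.php entry point was in this thread.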

August 05, 2009, 05:00:26 pm
Reply #8

SysAdMini
Quote from: cleanmx on August 05, 2009, 04:17:26 pm
Here is this piece of code as evidence:

I'm sorry, I don't understand. Please explain.

August 05, 2009, 06:13:06 pm
Reply #9

cleanmx
hi

look into previous post code box...

content:

1st: trace from our site to them
2nd: whois information for the IP
3rd: wget transcript
4th: wget content of this piece of shit...

-- gerhard

August 05, 2009, 06:27:06 pm
Reply #10

SysAdMini
Quote from: cleanmx on August 05, 2009, 06:13:06 pm
hi

look into previous post code box...

content:

1st: trace from our site to them
2nd: whois information for the IP
3rd: wget transcript
4th: wget content of this piece of shit...

I don't see any relation to the rogue av discussed in this thread.

August 05, 2009, 06:35:40 pm
Reply #11

cleanmx
I just wanted to document the content of "http://explorersecurityhelper.com/block.php" ...
nothing else...

-- gerhard

August 05, 2009, 06:42:54 pm
Reply #12

SysAdMini
Quote from: cleanmx on August 05, 2009, 06:35:40 pm
I just wanted to document the content of "http://explorersecurityhelper.com/block.php" ...
nothing else...

-- gerhard

Please don't feel offended. I just wanna understand it. To be honest: I still don't see it.

August 06, 2009, 09:08:01 am
Reply #13

MysteryFCM

August 06, 2009, 11:34:40 am
Reply #14

SysAdMini