daily something......

[XiTri]

Code: [Select]

http://judns.net/jud/pdf.php?id=124
http://judns.net/jud/pdf.php?id=111
http://judns.net/jud/load.php?id=9747&spl=2


[XiTri]

exe it is pasted to gif

Code: [Select]

ppkok.cn/file/mm.gif
http://28.16868.org/long/logo.gif
http://28.16868.org/long/logo18.gif


[CkreM]

Waledac

Code: [Select]

http://duklin.againstfear.com/news.exe

[bobby]

205.209.143.94/1122.htm
205.209.143.94/000f1.htm
205.209.143.94/000f2.htm

haola123123.com/7700.htm
haola123123.com/0081.htm

It seems that more domains are sharing the same files, as I got 1122.htm as a string in more than one executable, and all are requesting this file from other domain.

[sowhat-x]

This one is quite a bit hilarious...

hxxp://ygy.ru/index.php

DL lists...

hxxp://b.wuc7.com/tt.txt
hxxp://l.sog369.com/list.txt
hxxp://www.iukjthgvg.cn/kankan.txt

hxxp://70.38.11.165/admin/cgi-bin/get_domain.php?type=download
hxxp://best-click-download.info/install.php ---> Spawns fake av executable...

hxxp://69.249.79.161/print.exe

-> Waledac variant:
http://www.virustotal.com/analisis/892cc1f2514f891fc20c81baa4ec1a2f

http://www.bfk.de/bfk_dnslogger_en.html?query=78.129.166.5#result
I especially enjoyed this one in particular...

hxxp://rbckc.com/redir=1566237.php

[sparsha]

Code: [Select]

http://dlmaldef09.com/maldef09/install.php?track_id=10284
http://getmaldef09.com/maldef09/setup.php?track_id=10284
http://84.16.247.29/maldef09/setup.php?track_id=10284

Now time to track the "Total Security Protection" rogue throwaway sites

Code: [Select]

http://transformercity.cn/soft.php?aid=0479&d=1&refer=9d9cbe78e
http://antivirusonlineproscanner.com/promo/1/freescan.php?nu=880479&back==jQx3Tz2NkMOMI=N

[sowhat-x]

hxxp://xprotect.us/index.php?affid=02935
hxxp://personal-antivirus.com//download/PersonalAntivirus.exe
hxxp://protectprivacy18.com/maldef09_2/4/10250
hxxp://www.secure-data-group.com/

Various crap hosted in the following ips,i've only had a really quick look at them:
some domains out of them were already spotted in the past,others seem to be temporary "inactive" or so (yeah,sure...)
http://www.bfk.de/bfk_dnslogger_en.html?query=78.26.179.189#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.40#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.41#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.42#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.126#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.127#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.128#result

[CkreM]

Code: [Select]

http://www.photogalleryy.com/image.phpRedirects to:

Code: [Select]

http://66.29.31.3/~rivux/PIC2009-02-15-JPG.exe

Code: [Select]

http://89.149.254.237/redirect.php?type=0redirect to:

Code: [Select]

http://cancelyourdreams.cn/Installer2.exe
there is malware there from 1-6:

Code: [Select]

http://hackdownload.cn/install/1.exe

[sowhat-x]

hxxp://anti-virus-2010-pro.info/install.php
hxxp://anti-virus-2010-pro-downloads.info/en/exe/install.exe

http://www.bfk.de/bfk_dnslogger_en.html?query=70.38.19.201#result
================================================

Now,if someone can explain me what in the world is the purpose of this one... 

hxxp://www.anti-virus-1.net/

It loads a Kaspersky .jpg advertisement from here...

hxxp://www.vaginoplasty-1.net/AV.jpg

Which is an open dir as well...

hxxp://www.vaginoplasty-1.net/

[CkreM]

Waledac:

Code: [Select]

http://antiterrornetwork.com/run.exe
http://fearalert.com/run.exe
http://terrorfear.com/run.exe
http://antiterroris.com/run.exe
http://terroralertstatus.com/run.exe
http://chatloveonline.com/run.exe
http://lovecentralonline.com/run.exe
http://supersalesonline.com/run.exe
http://bestlifeblog.com/run.exe
http://mobilephotoblog.com/run.exe

I could sit for hours and get like 100 of domains which host it

[sowhat-x]

I could sit for hours and get like 100 of domains which host it 

Lol ;-)
In a side-note,the ShadowServer people are mainting a regularly updated list of Waledac domains...
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

[CkreM]

good to know 

i was checking domains registered on the same IP with  http://www.bfk.de/bfk_dnslogger_en.html

[GmG]

Rootkit TDss

Code: [Select]

http://plumpals.com/download/666c507271673d3d83b13d19/License.v.3.413.exe

OSX/RSPlug-F  (user agent=Mac OS X)

Code: [Select]

http://plumpals.com/download/666c507271673d3d83b13d19/License.v.3.413.dmg
http://www.virustotal.com/it/analisis/438939832ba104f34907e919bc2ddac1

[sowhat-x]

Waledac crap...current detection rates in VirusTotal at 6/39 (15.39%),here's a sample report:
http://www.virustotal.com/analisis/fb778f91c5a76e68eddbec3955c7dd44

hxxp://24.9.38.40/save.exe
hxxp://64.95.58.150/contact.exe
hxxp://64.95.58.153/news.exe
hxxp://67.223.10.108/save.exe
hxxp://69.242.22.235/main.exe
hxxp://69.14.54.169/save.exe
hxxp://69.14.99.11/contact.exe
hxxp://98.127.138.99/print.exe
hxxp://98.127.144.188/contact.exe
hxxp://99.190.177.125/run.exe

C&C servers...

hxxp://213.155.4.80/bm/controller.php?action=bot&entity_list=
hxxp://213.155.6.32/fine/controller.php?action=bot&entity_list=

hxxp://medievalmusic.by.ru/ -> Open dir...

More crap in the same ip,spamming/phishing etc...
http://www.bfk.de/bfk_dnslogger_en.html?query=87.242.78.57#result
http://www.robtex.com/ip/87.242.78.57.html

It also redirects strhq.cn that was spotted previously...

hxxp://medievalmusic.by.ru/mhstchk.php

[SysAdMini]

It also redirects strhq.cn that was spotted previously...

hxxp://medievalmusic.by.ru/mhstchk.php

Have you seen this ?

Code: [Select]

<?php echo "<!--"."hello_my_little_friend._You_have_download_this_page_and_see_th" . "is_source._We_do_not_delete_anything_only_upload_change_your_passwords_and_do_not_say_it_to_anybody"."-->"; ?>