daily something......

[CM_MWR]

Forget where these dingleberries fell from...

174.133.72.250/p0324/2.0/td.bin?bb021908657356
174.133.73.178/p0324/2.0/d.bin?bb021908154292
75.125.239.42/p0324/2.0/so.bin?bb021908350659
dglcxlcfmk.net/bbsuper0.php
dglcxlcfmk.net/bbsuper1.php
dglcxlcfmk.net/bbsuper2.php
dglcxlcfmk.net/bbsuper3.php
dglcxlcfmk.net/uniq.php?id=1693466186&p=0
zief.pl/wr.exe
install.8800.org/files/5.exe
install.8800.org/files/adx.exe
install.8800.org/files/ipk.exe
install.8800.org/files/zha.exe
stanishev.com/1/nfr.exe
stanishev.com/1/pp.06.exe
xz.wanggui.com/mem322.exe

[Mr Clean]

Oh,the .pdf file itself you meant?I'll check it tomorrow,my mind isn't working properly at the moment,plus i'm not in front of a vm...i need to sleep.
Last one for tonight - exploring the rest of this ip,is..."left as an excercise for the reader" 
http://www.bfk.de/bfk_dnslogger.html?query=220.196.59.17#result

hxxp://xdwlnbqsdsph5pc8rz81.cn/s_t.php

nifty!
sets up an ftp and AT jobs to run every 15 minutes, etal

http://wepawet.iseclab.org/view.php?hash=19d22d89420a09c6d59b1d032f19de94&t=1239135714&type=js

Code: [Select]

ftp> open 122.224.9.221
Connected to 122.224.9.221.
220 www.host.com FTP server (Version 6.00LS) ready.
500 AUTH GSSAPI: command not understood.
500 AUTH KERBEROS_V4: command not understood.
KERBEROS_V4 rejected as an authentication type
Name (122.224.9.221:sandbox): qqq
331 Password required for qqq.
Password:
230 User qqq logged in, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get calc.exe
local: calc.exe remote: calc.exe
227 Entering Passive Mode (122,224,9,221,202,67)
150 Opening BINARY mode data connection for 'calc.exe' (245248 bytes).
226 Transfer complete.
245248 bytes received in 2.7 seconds (89 Kbytes/s)
ftp> quit
221 Goodbye.
$ mv calc.exe oddyoy.exe

http://www.malwaredomainlist.com/mdl.php?search=122.224.9&colsearch=All&quantity=50

http://www.virustotal.com/analisis/b80457dd723351fa2a2ff176bcfe8e8b

http://anubis.iseclab.org/?action=result&task_id=141ccbbd213e2be145dd0d57fc0a2d48e

Code: [Select]

http://13-2005-search.com/new1.php

<A HREF=http://xxxhardpornteenxxx.com
><BR><BR><BR><BR><BR><BR><BR><BR><BR><CENTER><FONT SIZE=+6>ENTER</FONT></A>

$ dig 13-2005-search.com +short
220.196.59.1


Busy little network
http://www.malwaredomainlist.com/mdl.php?search=220.196.59&colsearch=All&quantity=50

[mercutio]

Regarding the PDF at hxxp://sh-hostz9.net/1/index.php, they must have something wrong in their scripts:

Code: [Select]

?>?>?><b>FPDF error:</b> Some data has already been output, can't send PDF file


[sowhat-x]

The rest from the same ip mentioned yesterday...pretty easy task:

hxxp://dihbgbwqryuolfbebgme.cn/s_t.php
hxxp://dcz9ubei212vp3nrca5i.cn/s_t.php
hxxp://znchygdrmelzejjvofji.cn/s_t.php
hxxp://virevpcklvlrxjcqxtij.cn/s_t.php
hxxp://xbfnyukgdoqrjrsfmcdm.cn/s_t.php
hxxp://qjiv7qj4irh2f1o2v8sm.cn/s_t.php
hxxp://1zs0ewvqcget52rl1z1n.cn/s_t.php
hxxp://lufwhtelkadvrtaukqjo.cn/s_t.php
hxxp://ddvrrflabpqcuoaexpwp.cn/s_t.php
hxxp://lmempodfzrqqkteyupar.cn/s_t.php
hxxp://zjjrrhhuokjxgmulisxs.cn/s_t.php
hxxp://tckeblkiumuhysrwqlev.cn/s_t.php
hxxp://egntxselsaossawilurx.cn/s_t.php
hxxp://hsyzpbavkojdqclhnoqz.cn/s_t.php

==================

hxxp://msvcp70.biz/e514.gif
hxxp://msvcp70.biz/e536.gif
hxxp://msvcp70.biz/e509.gif

hxxp://msvcp50.biz/e514.gif
hxxp://msvcp50.biz/e536.gif
hxxp://msvcp50.biz/e509.gif

hxxp://yourguardon.com/

Iframes to goshak.biz listed earlier...
==================

Code: [Select]


ftp> open 122.224.9.221
Connected to 122.224.9.221.
............

Here's the rest of domains there... 
http://www.bfk.de/bfk_dnslogger.html?query=122.224.9.221#result

hxxp://wllvvkjknh.cn/md/index.php
hxxp://woqyymmptn.cn/md/index.php
hxxp://ozimzikjun.cn/md/index.php
hxxp://zusojbktvo.cn/md/index.php
hxxp://enjnzdfmts.cn/md/index.php
hxxp://fxlbubmkfs.cn/md/index.php
hxxp://pxciiruurw.cn/md/index.php

As for the one not listed above,miss-office-2009.com namely...
seems we've got a pretty hardcore spammer here,so...let's vote for him ;-)
http://www.google.com/search?q=miss-office-2009.com

[CkreM]

Regarding the PDF at hxxp://sh-hostz9.net/1/index.php, they must have something wrong in their scripts:

Code: [Select]

?>?>?><b>FPDF error:</b> Some data has already been output, can't send PDF file


yeaa that what i was talking about,kept getting this error though in the end it did redirect me to the other iframe there at vparivatel.php

[SysAdMini]

exploits/trojan

Code: [Select]

www.besplatnoe-porno.info/downloads/index.phphttp://wepawet.cs.ucsb.edu/view.php?hash=937bb224a8eb2fd48d1d812a867c9623&t=1239190412&type=js
http://www.virustotal.com/analisis/99a1a9d2003b23212842cd22ee90c129 3/40

[SysAdMini]

exploits

Code: [Select]

m.winxyz.comhttp://wepawet.iseclab.org/view.php?hash=d66445fca10663d693af2f98cd2d398c&t=1239171377&type=js

Code: [Select]

http://winxyz.com/win/j.exehttp://www.virustotal.com/analisis/ce445dadf7062fd70787035dbca77edf 13/40

Code: [Select]

http://winzxm.com/win/u.exehttp://www.virustotal.com/analisis/e06dfabe4a1a7fabf065604678b24b9c 11/39

[sowhat-x]

TDSS variant:
http://www.virustotal.com/analisis/f24fe6a2671b58376efafef6b068254c

hxxp://traffbox.com/in.cgi?6
hxxp://goscandata.com/?uid=12404
hxxp://scan7live.com/?uid=12404
hxxp://scan7live.com/download/install.php

Koobface variant:
http://www.virustotal.com/analisis/0d66a352aa6c6f7579fae43a1aba4c15

hxxp://traffbox.com/in.cgi?3
hxxp://hqviewworldmy1.com/view/1/1222/1/2
hxxp://hqviewworldmy1.com/download/1/1222/1/2
hxxp://hqviewworldmy1.com/software/c2fb59fa16/12221/1/2.exe

Notice that traffbox.com above redirects either to tdss or koobface,depending on parameters passed...

Now,same type Koobface variant as above,different hash though:
http://www.virustotal.com/analisis/2104a7d2b8c8a3fd2f84128d90c84fe9

hxxp://hqviewworldmy1.com/software/c2fb59fa16/10005/1/Setup.exe

========================

hxxp://welovesandi.com/?cmpid=
hxxp://crustat.com/ts/in.cgi?gen&se=oth&ur=1&hxxp_REFERER=wel-cmpid%3D
hxxp://www.scanspywareonline.com/online-scan.html?ewmid=231&pwebmid=gen&rejurl=hxxp://pnfzetnax.net/asw/gen/
hxxp://pnfzetnax.net/asw/gen/
hxxp://truconv.com/?a=125&s=gen-asw
hxxp://top-name.cn/in.cgi?default&a=ks125&s=gen-asw
hxxp://total-virusprotection.com/xpprot/7/?a=ks125&s=gen-asw&z=
hxxp://setup.total-virusprotection.com/secure/b4b8fee44a494ff05f405da47d3dd5b3/49dd5a25/setupfiles/totalvirusprotections.exe

--->

hxxp://setup.total-virusprotection.com/ -> Open dir... ;-)

--->
The executables there... (md5 dupes not listed)

hxxp://setup.total-virusprotection.com/total-malwareprotection.com/1.0.11.0/updatexpvps.exe
hxxp://setup.total-virusprotection.com/setupfiles/totalvirusprotectionp.exe.1
hxxp://setup.total-virusprotection.com/setupfiles/totalvirusprotectionp.exe
hxxp://setup.total-virusprotection.com/secure/b4b8fee44a494ff05f405da47d3dd5b3/49dd5a25/setupfiles/totalvirusprotections.exe

Play around with crustat.com's parameters above,it generates numerous nifty links...
========================
Plus another open dir with fake AVs...have fun:

hxxp://download.pcantimalwaresolution.com/

hxxp://offer-provider.com/srm/adv/142/
hxxp://dwnld.offer-provider.com/secure/940907dc34c7bed5e75f1e517b2b3a42/49dd612d/srm/srm_free_setup.exe

hxxp://infracleaner.in/download.php?affid=02935

hxxp://onlinebrandsecurity.com/download.php?affid=17503

[sowhat-x]

Direct link to the executable in dwnld.offer-provider.com above,seems to have changed since yesterday...

hxxp://dwnld.offer-provider.com/secure/85f2be819efd8db13b4fab89c8a1d2db/49dde7f1/srm/srm_free_setup.exe

Plus,it's open dir,for the time being...

hxxp://dwnld.offer-provider.com/

36 unique .exes there - here are the md5 checksums...

Code: [Select]

0651b7a4652b62c9bb74493c7440063d
2a5e21896b3043558a44f578a3b4cfea
2f590df32718d03c1c2a8fbeec715cac
2f7a9243cf4179157e382c39b1b8d1ef
31111c18393fcc7a08f7992aedc750ec
3228f756e74b05325beec3c6beeb2dea
3345b80c425dc6affe139ace94fee877
347271c8d9dc43d19b6c96708da08546
4795a9ae8a745c954f7a49944b8383a8
5a9087a4ef2dbf7f9e5a98226e94d8ff
5fb2e122b013aaf49f53502fd137e868
6737ff1d0c98962b515875283458095d
6890de6ce038b5d591aa14533a55292e
75b367bd2754b7dabfe2d1fd9bed789f
7a0051905effe054878aff73e4d01625
84f37f3f8f5434b8e6dad753bea717e9
8cfa3151df73debd3cb9b1bde978239c
9523d691f47fb8eb2457d2dbb3baed29
991c4f16c2f6fdb1712fccb573f6bfaa
9a8ecb72c0ca39145e0a6913f029abad
9b584cad38175a050bcd50805b12417e
a40e8cb47af24ef91023d4c078ad77ac
af862463f039fdc8b53e06406de73e67
b1705495d54f8c8f2f283c4886efb081
bb734c355149c3eed3389d309ea13fb1
c3328da0fa70305efeca816d735fca01
c3ef149dcfc5b3ca9da2578921de0007
c4a362df8a92650f6af41de9c733019a
c96bab9c4c7838b5eab3462e34ad8ec1
d7edd052b5363c57777addb72e8ae47c
d889b0e868832fd4ee7ba868656a6827
d9195a978f8cf2ba213471f4d3f484c3
dd18136c665be386bd02476e523df04e
e9cfd70907cf607b6fe7e92557989e20
f0afe3b1d0d4536cede447ea59053071
feed65765e05fcf542ff797147a88f8f
Here they are archived in .7z format ...78mb approximately:
http://www.megaupload.com/?d=Y33LVTZH

[CkreM]

Rogue:

Code: [Select]

scanner.rapid-antivir-2009.com/35/?advid=1694&ref=0&p=1000000000
soft-traffic.com
Redirect to rogue:

Code: [Select]

rd-point.net/go.php?id=1188
Exploit/trojan:

Code: [Select]

http://projectns.biz/sploits/pdf.php?id=2http://wepawet.iseclab.org/view.php?hash=46aa9abb1ac32cdd3134f0230694fc1b&t=1239188557&type=js

Exploit/trojan:

Code: [Select]

vas4k.cn/pabl/http://wepawet.iseclab.org/view.php?hash=f39bbd62bab727dc7c075547dd3df249&t=1239191102&type=js

trojan:

Code: [Select]

http://secondgate.ru/77/load.php?id=2http://www.virustotal.com/analisis/4c5fd3e65565e2b33c68c855a58de0ca

trojan:

Code: [Select]

http://bankitrade.com/exp/l.php?b=2&s=djdakhttp://www.virustotal.com/analisis/7070fe304677bbda85dfd8a6970ab46f

[SysAdMini]

pdf/flash exploit

Code: [Select]

x.lousecn.cnhttp://wepawet.cs.ucsb.edu/view.php?hash=bc0b5c2d562ee175849da928de2727b4&t=1239369858&type=js

Code: [Select]

http://x.lousecn.cn/load.php?id=2http://virscan.org/report/b0abe06d8536b4abe35c6beb9079a5b6.html 4/37

[SysAdMini]

Code: [Select]

msn-gallery.us/f.jpghttp://virscan.org/report/6735f8decd6ffb129052f297220957c3.html 0/37

[sowhat-x]

C&C server:

hxxp://moneystyle.com.cn/bmngr/controller.php?action=bot&entity_list=

hxxp://www.new-mrcash.net/images/x_01.jpg

Seems like a failed attempt at using Thinstall to me,anyway...
http://anubis.iseclab.org/?action=result&task_id=13ee47e6969787c64dd38f52f3e9842ee&format=html
http://www.virustotal.com/analisis/34a6262329fda4fb398c57de90201a7a

hxxp://www.new-mrcash.net/images/win_04.jpg

http://www.virustotal.com/analisis/b188a358f58d5b8a0074f81fc79a0f25

[GmG]

Exploit

Code: [Select]

http://67.215.246.139/a12/index.php
http://67.215.246.140/a12/index.php
http://67.215.246.141/a12/index.php
http://67.215.246.142/a12/index.php


[SysAdMini]

Exploit

Code: [Select]

http://67.215.246.139/a12/index.php
http://67.215.246.140/a12/index.php
http://67.215.246.141/a12/index.php
http://67.215.246.142/a12/index.php


all lead to

trojan Hiloti

Code: [Select]

67.215.246.138/a12/aff_12.exe?u=i_7_0&spl=4http://virscan.org/report/e01f5e00ab1a5916117edaf06bdfd4f1.html 4/37