Malware Domain List

Malware Related => Malicious Domains => Topic started by: SysAdMini on May 22, 2009, 12:26:42 pm

Title: glondis.cn
Post by: SysAdMini on May 22, 2009, 12:26:42 pm
We should keep an eye on this domain.
I have found

Code: [Select]
glondis.cn/in.cgi?2
glondis.cn/in.cgi?3

in today's logs. They return an iframe
to
Code: [Select]
msnewqqer.com
and
Code: [Select]
msnerwqrt.com
Both domains are not registered at the moment, but I'm sure they will be.

glondis.cn was registered on May 14, and the registrant is an indicator for malware.

Whenever you see the addresses
Michell.Gregory2009 @yahoo.com / steven_lucas_2000@ yahoo.com
or any combination of the names "Michaell Gregory" and "Steven Lucas" for the registrant, you
probably have found malware.

http://www.malwaredomainlist.com/mdl.php?search=lucas&colsearch=Registrant&quantity=50&inactive=on
http://www.malwaredomainlist.com/mdl.php?search=Gregory2009&colsearch=Registrant&quantity=50&inactive=on

A compromised site which contains an obfuscated iframe to glondis.cn is, for example, bonsai.pl.
Look at the end of the page.
Code: [Select]
<script type="text/javascript">document.write('\u003c\u0069\u0066\.......</script></body>
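The injection on bonsai.pl is a `document.write()` whose argument is a JavaScript string built entirely from `\uXXXX` escapes (`\u003c\u0069\u0066` is simply `<if`, the start of `<iframe`). The following Python is an added example, not code from the thread or from Malware Domain List: it decodes such escaped `document.write()` strings in a page, pulls out any iframe targets, and flags the ones sized or styled to be invisible, so a defender scanning their own site's HTML can surface a hidden redirect. The sample page, its iframe and the `example.invalid` destination are constructed for the demo; only the escaping style comes from the post.

```python
import re

# Constructed sample: a page whose last script is a document.write() of a
# \uXXXX-escaped hidden iframe, the shape described in the thread. The target
# domain is a placeholder (example.invalid), not an indicator from the post.
_HIDDEN_IFRAME = (
    '<iframe src="http://example.invalid/in.cgi?2" width=1 height=1 '
    'style="visibility:hidden"></iframe>'
)


def to_unicode_escapes(text: str) -> str:
    """Encode every character as \\uXXXX (used only to build the sample page)."""
    return "".join(f"\\u{ord(c):04x}" for c in text)


SAMPLE_HTML = (
    "<html><body><p>ordinary page content</p>\n"
    '<script type="text/javascript">document.write(\''
    + to_unicode_escapes(_HIDDEN_IFRAME)
    + "');</script></body></html>"
)

# document.write('...') or document.write("..."), tolerating escaped quotes inside
_WRITE_RE = re.compile(r"document\.write\(\s*(['\"])((?:\\.|(?!\1).)*)\1\s*\)", re.S)
_IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)
_SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def decode_js_string(s: str) -> str:
    """Resolve \\uXXXX, \\xXX and the common backslash escapes of a JS string literal."""
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return s.replace("\\'", "'").replace('\\"', '"').replace("\\/", "/")


def is_hidden(iframe_tag: str) -> bool:
    """True if the iframe is sized 0/1 px or styled invisible."""
    tag = iframe_tag.lower()
    if re.search(r"(width|height)\s*=\s*['\"]?[01]\b", tag):
        return True
    compact = tag.replace(" ", "")
    return "display:none" in compact or "visibility:hidden" in compact


def find_injected_iframes(html: str) -> list:
    """Return iframes emitted via document.write(), with src, hidden and escaped flags."""
    results = []
    for m in _WRITE_RE.finditer(html):
        raw = m.group(2)
        decoded = decode_js_string(raw)
        for tag_m in _IFRAME_TAG_RE.finditer(decoded):
            tag = tag_m.group(0)
            src_m = _SRC_RE.search(tag)
            results.append({
                "src": src_m.group(1) if src_m else None,
                "hidden": is_hidden(tag),
                # an iframe that only exists after de-escaping is the classic injection sign
                "escaped": ("\\u" in raw) or ("\\x" in raw),
            })
    return results


if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_HTML):
        print(hit)
```

Run it over a saved copy of a page (`find_injected_iframes(open("index.html").read())`); any hit with `escaped` and `hidden` both true is worth comparing against the blocklist, since a legitimate widget rarely needs to hide its iframe behind character escapes.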
Title: Re: glondis.cn
Post by: Malware-Web-Threats on May 23, 2009, 07:02:28 pm
can see that megabot[.]cn was previously implicated
Wepawet (http://wepawet.iseclab.org/view.php?hash=81b8132f01a853d6813e5ef5b44e947f&t=1243011797&type=js)

followed by this exploit (also with an iframe)
Code: [Select]
hxxp://wc-host.in/mix/in.php
Wepawet fail

pdf exploit
Code: [Select]
hxxp://wc-host.in/mix/pdf.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=320fd15a566aef7320aaa96048a039a8&t=1243105566&type=js)
VirusTotal (http://www.virustotal.com/analisis/98137e7b8aed76d82961a2306a210b3286b19db6761602c02d2d222850fc7d74-1243104891) - 6/40 (15%)

trojan:
Code: [Select]
hxxp://wc-host.in/mix/load.php
VirusTotal (http://www.virustotal.com/analisis/1dbbfbcf8241a038041036fb2f8a2a1fa5b10955af07cb47f66fb05dc1e86a2d-1243105044) - 12/40 (30%)

The file has the Windows Media Player Icon
Title: Re: glondis.cn
Post by: SysAdMini on May 26, 2009, 10:22:41 pm
glondis.cn has a new destination

Luckysploit
Code: [Select]
http://poppka.net/pore/?7876256053563003de306eb5c094240d