Malware Domain List
Malware Related => Malicious Domains => Topic started by: eoin.miller on October 07, 2009, 05:27:11 pm
-
Been seeing some clspring infections and haven't found these domains in any of the malware lists:
www.clickspring.net
nf.clickspring.net
cu.clickspring.net
pisces.clickspring.net
campaigns.outerinfo.com
legend.psdtools.com
66.150.193.xxx IP range
cu.outerinfo.com
Source (I know I know, it's CA):
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=42280
Emergingthreats.net has some sigs for this stuff as well:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host\: www.bullseye-network.com"; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bullseye-Network.com; sid: 2001501; rev:6;)
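As an added example (not code from this thread and not Emerging Threats' own tooling): a small parser that pulls the content/nocase/sid options out of the ET rule above, emits rules of the same shape for the domains the post lists, and applies them to a few constructed HTTP requests. The 9000001+ SIDs are placeholders in the local-rules range, not real ET ids.

```python
import re
from typing import Dict, List

# The ET rule quoted in the post, trimmed to the options this check uses (same syntax).
ET_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
           '(msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; '
           'content:"Host\\: www.bullseye-network.com"; nocase; classtype: trojan-activity; sid: 2001501; rev:6;)')

# Domains from the opening post that have no ET signature; turned into equivalent rules below.
# SIDs 9000001+ are placeholders (assumed local-rules range), not real ET ids.
POST_DOMAINS = ["www.clickspring.net", "campaigns.outerinfo.com", "cu.outerinfo.com"]

def make_host_rule(sid: int, domain: str) -> str:
    """Emit a rule in the same shape as the ET one, matching the Host header for one domain."""
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
            f'(msg:"LOCAL Clickspring/Outerinfo host {domain}"; flow: to_server,established; '
            f'content:"Host\\: {domain}"; nocase; classtype: trojan-activity; sid: {sid}; rev:1;)')

def parse_rule(rule: str) -> Dict[str, object]:
    """Extract msg, sid, the content pattern (Snort backslash escapes unwrapped) and the nocase flag."""
    content = re.search(r'content:"((?:\\.|[^"\\])*)"', rule).group(1)
    return {
        "msg": re.search(r'msg:"([^"]*)"', rule).group(1),
        "sid": int(re.search(r'sid:\s*(\d+)', rule).group(1)),
        "content": re.sub(r'\\(.)', r'\1', content),
        "nocase": bool(re.search(r'\bnocase\s*;', rule)),
    }

def match_request(parsed: Dict[str, object], request: str) -> bool:
    """Apply the content match to a client-to-server HTTP request (the rule's flow:to_server)."""
    needle, hay = str(parsed["content"]), request
    if parsed["nocase"]:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

def scan(requests: List[str]) -> List[Dict[str, object]]:
    """Run the ET rule plus the generated domain rules over each request; return one hit per match."""
    rules = [parse_rule(ET_RULE)] + [parse_rule(make_host_rule(9000001 + i, d))
                                     for i, d in enumerate(POST_DOMAINS)]
    hits = []
    for req in requests:
        for r in rules:
            if match_request(r, req):
                hits.append({"sid": r["sid"], "msg": r["msg"]})
    return hits

# Constructed sample requests (not captured traffic); mixed case exercises the nocase option.
SAMPLE_REQUESTS = [
    "GET /client_settings.bin HTTP/1.1\r\nHost: CAMPAIGNS.outerinfo.com\r\n\r\n",
    "GET /report HTTP/1.1\r\nHost: www.Bullseye-Network.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]
```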
-
I don't think that those domains are involved in malicious activity. All look offline or parked.
The CA report is very old.
-
We are having machines successfully connect to hosts within the outerinfo.com domain. We played around with it a bit, and it is pulling down some bin files:
http://campaigns.outerinfo.com/client_settings.bin
http://campaigns.outerinfo.com/campaigns2_2.bin
http://campaigns.outerinfo.com/campaigns3_2.bin
http://campaigns.outerinfo.com/campaigns4_2.bin
http://campaigns.outerinfo.com/campaigns5_2.bin
http://campaigns.outerinfo.com/campaigns6_2.bin
http://campaigns.outerinfo.com/campaigns7_2.bin
http://campaigns.outerinfo.com/campaigns8_2.bin
http://campaigns.outerinfo.com/campaigns9_2.bin
http://campaigns.outerinfo.com/campaigns10_2.bin
http://campaigns.outerinfo.com/campaigns11_2.bin
campaigns.outerinfo.com resolves to 63.251.135.15
www.outerinfo.com resolves to 63.251.135.18
Also found this googling around:
http://fp.outerinfo.com/dispatcher.php
fp.outerinfo.com resolves to 63.251.135.24
ARIN:
ClickSpring LLC INAP-BSN-CLICKSPRING-0971 (NET-63-251-135-0-1)
63.251.135.0 - 63.251.135.63
Of course nothing has reverse lookup. It looks like they may have moved IP space, but the old sigs are still firing off on the communications.
Also seeing clicklinks.net on 63.251.135.21 (appears they discontinued the use of this domain after it was found out):
http://www.bing.com/search?q=ip%3A63.251.135.21&go=&form=QBRE
duhiki.com, adparatus.com, marketprecision.com, thesearchassistant.com (broke), on 63.251.135.22:
http://www.bing.com/search?q=ip%3A63.251.135.22&go=&form=QBRE3
-
Coup de grâce:
http://www.outerinfo.com/OiUninstaller.exe
VirusTotal:
MD5: c6f466ced488582ce66a05651f53206d
First received: 2008.09.18 11:36:48 UTC
Date: 2009.10.06 18:23:59 UTC [+1D]
Results: 32/41
Source:
http://www.virustotal.com/analisis/b860a3f4f63657bceffe5e3f3b043c088f7905b67672e07f09f0f62e60503a19-1254947224
Most classify as PurityScan/Yazzle.
ThreatExpert:
http://www.threatexpert.com/report.aspx?md5=c6f466ced488582ce66a05651f53206d
Anubis:
http://anubis.iseclab.org/?action=result&task_id=1f6ffb7e619bccd34e51f5abcd9621576&format=html
-
duhiki.com, adparatus.com, marketprecision.com, thesearchassistant.com (broke), on 63.251.135.22:
http://www.bing.com/search?q=ip%3A63.251.135.22&go=&form=QBRE3
Hmm,
http://www.duhiki.com/downloads/DuhikiSetup.exe
http://www.virustotal.com/de/analisis/e23c0e43439028fa7304ed45a9079585da9fd3838dd2bd0af4e2ec3e2bc947fc-1255027974 0/41
http://www.adparatus.com/AdparatusUninstaller.exe
http://www.virustotal.com/analisis/759bdc7d09cff81e02205cfbccce9da53d5499661037bae36a17a3f5181b7747-1255028023 0/41
And now? Is it malware or not?
-
...these are (more or less) "Potentially Unwanted" applications, adware at worst - wouldn't classify/blacklist them as malware...