Topic: glondis.cn


May 22, 2009, 12:26:42 pm

SysAdMini

We should keep an eye on this domain.
I have found

Code:
glondis.cn/in.cgi?2
glondis.cn/in.cgi?3

in today's logs. They return an iframe
to
Code:
msnewqqer.com
and
Code:
msnerwqrt.com
Both domains are not registered at the moment, but I'm sure they will be.

glondis.cn was registered on May 14 and the registrant is an indicator for malware.

Whenever you see the addresses
Michell.Gregory2009 @yahoo.com / steven_lucas_2000@ yahoo.com
or any combination of the names "Michaell Gregory" and "Steven Lucas" for the registrant, you
have probably found malware.

http://www.malwaredomainlist.com/mdl.php?search=lucas&colsearch=Registrant&quantity=50&inactive=on
http://www.malwaredomainlist.com/mdl.php?search=Gregory2009&colsearch=Registrant&quantity=50&inactive=on

A compromised site which contains an obfuscated iframe to glondis.cn is, for example, bonsai.pl.
Look at the end of the page.
Code:
<script type="text/javascript">document.write('\u003c\u0069\u0066\.......</script></body>
Ruining the bad guy's day
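The post above describes two things an analyst does by hand: spotting the `glondis.cn/in.cgi?N` redirector hits in web logs, and decoding the `\u003c\u0069\u0066...` (`document.write`-escaped) iframe injected into a compromised page to see where it points, plus the registrant-name indicator. The script below is an added example written for this page; it is not code from the original post or from malwaredomainlist.com. The log lines, the escaped iframe and the hostnames in it are constructed (the real bonsai.pl snippet is truncated on the page), and the registrant check uses only the names the post gives.

```python
"""Added example: automate the checks described in the post (constructed sample data)."""
import re
from urllib.parse import urlsplit

# --- 1. Find redirector ("in.cgi?N") hits for watched domains in web/proxy logs ---

# Constructed log lines in a Squid-like layout: timestamp, client IP, status, method, URL.
# These are NOT the poster's logs; glondis.cn is the domain named in the post.
SAMPLE_LOG = """\
1242997000.123 10.0.0.5 TCP_MISS/200 GET http://www.example-legit.invalid/index.html
1242997001.456 10.0.0.5 TCP_MISS/200 GET http://glondis.cn/in.cgi?2
1242997002.789 10.0.0.7 TCP_MISS/200 GET http://glondis.cn/in.cgi?3
1242997003.111 10.0.0.9 TCP_MISS/404 GET http://other.invalid/in.cgi?2
"""

# Path shape the post reports: /in.cgi?<digits>
TDS_PATH_RE = re.compile(r"^/in\.cgi\?\d+$")


def find_tds_hits(log_text: str, watch_domains: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, url) for requests to a watched domain with the in.cgi?N path."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        for tok in fields:
            if "://" not in tok:
                continue
            u = urlsplit(tok)
            host = (u.hostname or "").lower()
            path_q = u.path + ("?" + u.query if u.query else "")
            if host in watch_domains and TDS_PATH_RE.match(path_q):
                hits.append((fields[1], tok))  # fields[1] is the client IP in this layout
    return hits


# --- 2. Decode a \uXXXX-escaped document.write() and pull out the iframe target ---

def js_escape(s: str) -> str:
    """Escape every character as \\uXXXX, the way the obfuscated injection does."""
    return "".join(f"\\u{ord(c):04x}" for c in s)


# Constructed compromised page: hypothetical hidden iframe, hostname is a placeholder.
SAMPLE_HTML = (
    "<html><body><p>normal page content</p>\n"
    "<script type=\"text/javascript\">document.write('"
    + js_escape('<iframe src="http://example-bad.invalid/in.cgi?2" width="1" '
                'height="1" style="visibility:hidden"></iframe>')
    + "')</script></body></html>"
)

DOC_WRITE_RE = re.compile(r"document\.write\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def decode_js_string(s: str) -> str:
    """Turn JavaScript \\uXXXX / \\xXX escapes into the characters they encode."""
    # backslashreplace keeps any already-decoded non-ASCII text intact through the round trip.
    return s.encode("ascii", "backslashreplace").decode("unicode_escape")


def extract_iframe_targets(html: str) -> list[str]:
    """Decode each document.write('...') body and return every iframe src found in it."""
    targets = []
    for _quote, body in DOC_WRITE_RE.findall(html):
        decoded = decode_js_string(body)
        targets.extend(IFRAME_SRC_RE.findall(decoded))
    return targets


# --- 3. Registrant indicator from the post (names only; spellings as written there) ---

REGISTRANT_MARKERS = (
    ("mich", "gregory"),   # covers "Michell"/"Michaell Gregory" and Gregory2009
    ("steven", "lucas"),
)


def registrant_flagged(registrant: str) -> bool:
    """True when a WHOIS registrant string carries both halves of a known-bad name pair."""
    text = re.sub(r"[^a-z0-9]+", " ", registrant.lower())
    return any(a in text and b in text for a, b in REGISTRANT_MARKERS)


if __name__ == "__main__":
    for ip, url in find_tds_hits(SAMPLE_LOG, {"glondis.cn"}):
        print("TDS hit:", ip, url)
    for src in extract_iframe_targets(SAMPLE_HTML):
        print("hidden iframe ->", src)
    print("registrant flagged:", registrant_flagged("Michell.Gregory2009@yahoo.com"))
```

Run it against a saved copy of a suspect page and your own access logs; the regexes are deliberately narrow (only `in.cgi?N` paths, only `document.write` with a quoted string), so widen them if the campaign changes shape rather than relying on them as a general detector.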

May 23, 2009, 07:02:28 pm
Reply #1

Malware-Web-Threats

can see that megabot[.]cn was previously implicated
Wepawet

followed by this exploit (also with an iframe)
Code:
hxxp://wc-host.in/mix/in.php
Wepawet fail

pdf exploit
Code:
hxxp://wc-host.in/mix/pdf.php
Wepawet
VirusTotal - 6/40 (15%)

trojan:
Code:
hxxp://wc-host.in/mix/load.php
VirusTotal - 12/40 (30%)

The file has the Windows Media Player Icon

May 26, 2009, 10:22:41 pm
Reply #2

SysAdMini

glondis.cn has a new destination

Luckysploit
Code:
http://poppka.net/pore/?7876256053563003de306eb5c094240d
Ruining the bad guy's day