Malware Domain List

Malware Related => Malicious Domains => Zlkon.lv => Topic started by: SysAdMini on April 05, 2009, 07:45:15 pm

Title: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 05, 2009, 07:45:15 pm

redirect to exploits

Code: [Select]

namebuyline.cn/in.cgi?income
filmtypemedia.cn/in.cgi?income
yourfilmmovie.cn/in.cgi?income
homenameregistration.cn/in.cgi?income
nameashop.cn/in.cgi?income
mainnameshop.cn/in.cgi?income
namesupermart.cn/in.cgi?income
namebrandmart.cn/in.cgi?income
namebuypicture.cn/in.cgi?income31


Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: CkreM on April 06, 2009, 04:35:59 pm

All Redirect to exploit stated below:

Code: [Select]

lotante.cn/in.cgi?income
japanhostnet.com/in.cgi?income
lotbetworld.cn/in.cgi?income
namestorefilmlife.cn/in.cgi?income
internetnamestore.cn/in.cgi?income
coolnameshop.cn/in.cgi?income
dotcomnameshop.cn/in.cgi?income
playbetwager.cn/in.cgi?income
thelotbet.cn/in.cgi?income


wepawet couldnt analyze this exploit and stated that the index.php response is empty(http://wepawet.iseclab.org/view.php?hash=0427b7627c9938608b886b095702247a&t=1239032970&type=js)
was able to d/l the pdf and sent it only.
anyway it download a trojan in the end in the same domain:

Code: [Select]

litehitscar.cn/index.phphttp://wepawet.iseclab.org/view.php?hash=4ad4419f482403c543365cad5e60269a&type=js

btw the domain with the trojan resolves 94.247.3.151 for me...

Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: CkreM on April 06, 2009, 07:09:06 pm

did all the domains with the redirections resolved  as 94.247.3.151 for you?(as stated on MDL )

because for me they are all  94.247.3.150 ,also checked on centralops,etc...

Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 06, 2009, 07:37:17 pm

Quote from: CkreM on April 06, 2009, 07:09:06 pm

did all the domains with the redirections resolved  as 94.247.3.151 for you?(as stated on MDL )

because for me they are all  94.247.3.150 ,also checked on centralops,etc...

My mistake. Is is another disadvantage of adding urls manually. One mistake and then copy and paste.
Fixed.

Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 07, 2009, 03:41:30 pm

another redirector to litehitscar.cn

Code: [Select]

superbetfair.cn/in.cgi?income43

Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 08, 2009, 12:32:39 pm

redirects to hyperliteautoservices.cn

Code: [Select]

cheapslotplay.cn/in.cgi?income48
mixante.cn/in.cgi?income52

Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 10, 2009, 12:07:07 pm

There is a panel at those sites at /user/panel.

for example

Code: [Select]

www.mediahomenamemartvideo.cn/user/panel

Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: Malware-Web-Threats on April 17, 2009, 09:21:59 am

two others on this IP

redirects to liteautogreatest[.]cn

Code: [Select]

hxxp://cutlot.cn/in.cgi?income
hxxp://lotmachinesguide.cn/in.cgi?income

Wepawet (http://wepawet.iseclab.org/view.php?hash=20142646ae8f7bfe737f067a3b9727b4&t=1239958979&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=40131580bd98592c013be3d33aa926b1&t=1239959058&type=js)

Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 21, 2009, 05:53:33 pm

redirects to liteautogreatest[.]cn

Code: [Select]

http://betworldwager.cn/in.cgi?income69http://wepawet.cs.ucsb.edu/view.php?type=js&hash=da48bf59c24906de305cab2c634176ec&t=1240304816

Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 25, 2009, 05:45:39 am

Code: [Select]

hxxp://litegreatestdirect.cn/in.cgi?income72
http://wepawet.iseclab.org/view.php?hash=df885fec22550614e9258bc5369ff0cb&t=1240618935&type=js

Title: Re: hs.3-150.zlkon.lv -(94.247.3.150)
Post by: SysAdMini on April 27, 2009, 06:58:42 pm

Code: [Select]

superlitecarbest.cn/in.cgi?income74redirects to exploits at litevehiclemall[.]cn 94.247.3.151