Malware Domain List
Malware Related => Malicious Domains => Zlkon.lv => Topic started by: Mr Clean on April 08, 2009, 10:35:18 am
-
hxxp://clipan.net/download/4f3334764e513d3df0c9d80d/Playboy.The.Mansion.Gold.Edition..exe
$ dig clipan.net +short
94.247.2.107
$ dig -x 94.247.2.107 +short
hs.2-107.zlkon.lv.
http://www.virustotal.com/analisis/266475edf5ef3cf171e605f1fbbf2cff
http://anubis.iseclab.org/?action=result&task_id=1810e467179cb12a42dc3e6c489742f0b
-
...noticed the "Registry Values Modified"? Cernel Network Ltd., heh...
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
DhcpNameServer 85.255.112.215,85.255.112.94
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
NameServer 85.255.112.215,85.255.112.94
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}
DhcpNameServer 85.255.112.215,85.255.112.94
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}
NameServer 85.255.112.215,85.255.112.94
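The registry entries quoted above are the whole point of this sample: the dropper rewrites the Tcpip NameServer / DhcpNameServer values so every lookup on the box goes through the attacker's resolvers. The script below is an added example, not from this thread or from the Anubis report. It parses a dump in the same layout as the lines quoted above (a key path line followed by "ValueName data") and flags any resolver that falls inside a rogue range. The 85.255.112.0/20 range covers the two addresses seen here; the remaining ranges are the DNSChanger resolver blocks later published by the FBI/DCWG and are an assumption beyond what this thread shows. The sample dump is constructed, with one clean interface added for contrast.

```python
"""Flag DNSChanger-style resolver settings in a Windows registry dump.

Added example, not code from the MDL thread or the Anubis report.
Parses "Registry Values Modified" style lines and checks every
NameServer / DhcpNameServer value against rogue resolver ranges.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Rogue resolver ranges. 85.255.112.0/20 matches the addresses quoted in
# the thread; the other blocks are the published DNSChanger resolver
# ranges (FBI/DCWG list) and are an assumption beyond the page.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

DNS_VALUE_NAMES = {"NameServer", "DhcpNameServer"}

# Constructed sample in the layout the thread quotes. The first three
# entries repeat the values from the thread; the last interface (made-up
# GUID, RFC 1918 resolvers) is clean and should not be flagged.
SAMPLE_DUMP = """\
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\
DhcpNameServer 85.255.112.215,85.255.112.94
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\
NameServer 85.255.112.215,85.255.112.94
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{B2B51064-BBF5-4528-B62B-E6D62A782874}
DhcpNameServer 85.255.112.215,85.255.112.94
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{00000000-0000-0000-0000-000000000001}
NameServer 192.168.1.1 192.168.1.2
"""


def parse_dump(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (key_path, value_name, [server, ...]) for each DNS value.

    A line starting with "HK" sets the current key; any other line is
    "<ValueName> <data>". Windows stores resolver lists either comma- or
    space-separated, so both separators are accepted.
    """
    entries = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HK"):
            key = line
            continue
        name, _, data = line.partition(" ")
        if name not in DNS_VALUE_NAMES:
            continue
        servers = [s for s in re.split(r"[,\s]+", data) if s]
        entries.append((key, name, servers))
    return entries


def is_rogue(server: str) -> bool:
    """True if the server is an IPv4/IPv6 literal inside a rogue range."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal, nothing to match against
    return any(addr in net for net in ROGUE_RANGES)


def find_rogue_resolvers(text: str) -> Dict[str, List[str]]:
    """Map 'key\\ValueName' -> rogue resolvers found there.

    Clean values are omitted, so an empty dict means no hit.
    """
    hits: Dict[str, List[str]] = {}
    for key, name, servers in parse_dump(text):
        bad = [s for s in servers if is_rogue(s)]
        if bad:
            hits[key.rstrip("\\") + "\\" + name] = bad
    return hits


if __name__ == "__main__":
    for location, servers in find_rogue_resolvers(SAMPLE_DUMP).items():
        print(f"ROGUE  {location}: {', '.join(servers)}")
```

Two things worth keeping in mind when reading a hit list like this: a static NameServer value takes precedence over DhcpNameServer on Windows, so once the malware has written both, a DHCP renew does not put the machine back on legitimate resolvers; and the per-interface keys matter as much as the global Parameters key, because the stack reads the interface values first. Cleaning means clearing all four values, not just the one that is easiest to spot.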
-
...noticed the "Registry Values Modified"? Cernel Network Ltd., heh...
Aha, DNSChanger !
-
Yeap... ;)
As described in full detail over at FireEye's blog:
http://blog.fireeye.com/research/2009/02/bad-actors-part-3-internet-pathcernel.html
-
http://clipan.net/download/5a45475a35673d3de0ebc52f/FlashPlayer.exe
http://ingclip.com/download/5a45475a35673d3de0ebc52f/FlashPlayer.exe
Micha told me that you can use any file name for those DNSChangers.
As long as the number inside the URL is valid, you can use whatyoulikename.exe.
-
bulkso.com/download/6271737536513d3d6d8f85ef/mediaplayer.exe
http://www.virustotal.com/analisis/b96399b7b37b72dac880731f5ca9a521 15/40
-
OSX DNSChanger
hxxp://geodawn.com/download/3933657064413d3d7de86a0f/CodecUpdate.v1.19.dmg
hxxp://pligeo.com/download/3933657064413d3d7de86a0f/CodecUpdate.v1.19.dmg