Malware Domain List

Malware Related => Malicious Domains => Zlkon.lv => Topic started by: SysAdMini on March 26, 2009, 08:53:47 pm

Title: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on March 26, 2009, 08:53:47 pm

Code: [Select]

casinoslotbet.cnhttp://wepawet.cs.ucsb.edu/view.php?hash=493c0f16f6eae3ae74370a4a3991a16d&t=1238100714&type=js

Code: [Select]

http://casinoslotbet.cn/cache/readme.pdfhttp://www.virustotal.com/analisis/b8ce1bf1381b07f64abea800d8f6e5b0 0/40

Code: [Select]

lotbetsite.cn/load.php?id=4http://www.virustotal.com/analisis/5e311f31e33578c93e57f5e6504521cf 17/40

Title: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on March 26, 2009, 08:57:34 pm

Code: [Select]

freeonlinehostguide.com/index.phphttp://wepawet.cs.ucsb.edu/view.php?hash=5802a3beabd9368daf35ad1eb4a995b3&t=1238099033&type=js

pdf exploit

Code: [Select]

freeonlinehostguide.com/cache/readme.pdfhttp://www.virustotal.com/analisis/86230dd2010ead6e92ae6b93fdbc2be2 0/40

Code: [Select]

http://zzz.free.hostindianet.com/load.php?id=4http://www.virustotal.com/analisis/65bac13aaf82cffdd84cf63bf64f0dbe 6/40

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on March 26, 2009, 09:09:10 pm

Code: [Select]

liteautofinestsite.cn/load.php

Code: [Select]

hugetopnonfat.cn/load.php

Code: [Select]

sdfi.hostindianet.com/load.php

Code: [Select]

ghrgt.hostindianet.com/load.php

Code: [Select]

asdasdw.hostindianet.com/load.php

Code: [Select]

idiandemocratcy.hostindianet.com/load.php

Code: [Select]

zzz.hostindianet.com/load.php

Code: [Select]

zzzz.hostindianet.com/load.phphttp://www.virustotal.com/analisis/40bef383cf68d15f0971e58b9c81a99c

Code: [Select]

bigtopescorts.cn/load.php

Code: [Select]

educationbigtop.cn/load.php

Code: [Select]

asdasf.free.hostindianet.com/load.php

Code: [Select]

zzz.free.hostindianet.com/load.php

Code: [Select]

whois.hostindianet.com/load.php

Code: [Select]

turq.whois.hostindianet.com/load.php

Code: [Select]

default.whois.hostindianet.com/load.phphttp://www.virustotal.com/analisis/65bac13aaf82cffdd84cf63bf64f0dbe

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on March 26, 2009, 09:14:16 pm

Code: [Select]

lieliteautobody.cn

Code: [Select]

lieliteautobody.cn/cache/readme.pdfhttp://www.virustotal.com/de/analisis/144db09111bd43c5199f13382af3ca58

Code: [Select]

[code]lieliteautobody.cn/load.php[/code]
http://www.virustotal.com/de/analisis/40bef383cf68d15f0971e58b9c81a99c

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: MysteryFCM on March 26, 2009, 09:17:49 pm

http://hosts-file.net/pest.asp?show=94.247.3.

:)

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on March 26, 2009, 09:27:00 pm

Code: [Select]

greatbethere.cnhttp://wepawet.cs.ucsb.edu/view.php?hash=666f614786902fd2352c0039e9dd2d04&t=1238102754&type=js

pdf exploit

Code: [Select]

greatbethere.cn/cache/readme.pdfhttp://www.virustotal.com/analisis/f38170514d07f671b0f9345a0314525c 0/40

Code: [Select]

http://greatbethere.cn/load.php?id=4http://www.virustotal.com/analisis/893c4ed46d09f4d1c43ae40fbdef2bf8

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on March 26, 2009, 09:30:48 pm

Code: [Select]

freewebhostguide.comhttp://wepawet.cs.ucsb.edu/view.php?hash=d3b31aec68fbd623923819e6ab24827b&t=1238103048&type=js

Code: [Select]

freewebhostguide.com/cache/readme.pdfhttp://www.virustotal.com/analisis/144db09111bd43c5199f13382af3ca58

Code: [Select]

http://lieliteautobody.cn/load.php?id=4http://www.virustotal.com/analisis/40bef383cf68d15f0971e58b9c81a99c

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on March 26, 2009, 09:49:25 pm

Code: [Select]

sadcwed.hostindianet.comhttp://wepawet.cs.ucsb.edu/view.php?hash=a42855fe1642b8ae577b7ae9e0a19c3f&t=1238104181&type=js

Code: [Select]

sadcwed.hostindianet.com/cache/readme.pdfhttp://www.virustotal.com/de/analisis/144db09111bd43c5199f13382af3ca58

Code: [Select]

http://lieliteautobody.cn/load.php?id=4http://www.virustotal.com/analisis/40bef383cf68d15f0971e58b9c81a99c

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 01, 2009, 09:49:59 am

Code: [Select]

farm-en-12san.hostindianet.com/cache/readme.pdfhttp://www.virustotal.com/analisis/329ae964d886aac2adb3f267da4d6e92

Code: [Select]

farm-en-12san.hostindianet.com/load.php?id=4http://www.virustotal.com/analisis/fdcfb0c9fea4179acff041866423e61c

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: GmG on April 01, 2009, 11:57:29 am

Code: [Select]

http://mediahousenameshopfilm.cn/in.cgi?income28
http://liteautorepair.cn/index.php

http://wepawet.iseclab.org/view.php?hash=167120b68a639671373decc73a463dc2&t=1238586233&type=js

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: CkreM on April 01, 2009, 12:03:43 pm

Quote from: GmG on April 01, 2009, 11:57:29 am

Code: [Select]

http://mediahousenameshopfilm.cn/in.cgi?income28
http://liteautorepair.cn/index.php

http://wepawet.iseclab.org/view.php?hash=167120b68a639671373decc73a463dc2&t=1238586233&type=js

was just about to post 

Code: [Select]

http://liteautorepair.cn/index.php  ;D

anyway heres another one:

Code: [Select]

yournonfatbest.cnhttp://wepawet.iseclab.org/view.php?hash=e89d7bf9986d2d0c646386ce37a66711&t=1238583254&type=js

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: CkreM on April 01, 2009, 12:19:17 pm

Another one:

Code: [Select]

Freehostinternet.comhttp://wepawet.iseclab.org/view.php?hash=854bf32e548e595bce3d53e0097c1898&t=1238587969&type=js

leads to another trojan on the same IP:

Code: [Select]

http://daddybigtop.cn/load.php?id=4http://www.virustotal.com/analisis/7c2d54062f6bef2a15f888f6e70dd371

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 06, 2009, 10:21:09 am

Code: [Select]

litedownloadfinest.cnhttp://wepawet.cs.ucsb.edu/view.php?hash=233e11cebbf860a6b689cd27b0a0cd92&t=1239013312&type=js

Code: [Select]

cache/readme.pdfhttp://www.virustotal.com/analisis/b0185c9501864e90120edb5cd42e607e 9/38

Code: [Select]

litedownloadfinest.cn/load.php?id=0http://www.virustotal.com/analisis/4b25552e0659179a22fec8cc6208ad57 5/38

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 07, 2009, 10:26:25 pm

exploits/trojan

Code: [Select]

hyperliteautoservices.cn

Code: [Select]

hyperliteautoservices.cn/load.phphttp://www.virustotal.com/analisis/8327265e423bd2c7e19456119d389691 2/40

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 11, 2009, 01:10:23 pm

Code: [Select]

litebest.cn/cache/readme.pdfhttp://wepawet.cs.ucsb.edu/view.php?hash=ecddc1a64b8f7538b1435126ba21e4b8&type=js
http://www.virustotal.com/analisis/556b3c9fe600e11a89a8e4e5d5e81f54 11/40

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 14, 2009, 06:09:52 am

Story is related to hyperliteautoservices.cn

http://mnin.blogspot.com/2009/04/malware-forensics-how-ironic-can-it-get.html

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: Malware-Web-Threats on April 17, 2009, 04:47:05 am

Exploits:

Code: [Select]

hxxp://liteautogreatest.cn

Wepawet (http://wepawet.iseclab.org/view.php?hash=88dbec3ba9da0df0a5f94806ec303516&t=1239816944&type=js)

Code: [Select]

hxxp://liteautogreatest.cn/cache/readme.pdf

Wepawet for readme.pdf (http://wepawet.iseclab.org/view.php?hash=88dbec3ba9da0df0a5f94806ec303516&t=1239816944&type=js)
VirusTotal for readme.pdf (http://www.virustotal.com/analisis/1fd56bcd583e005d9478cd715fa74945) - 5/40 (12.5%)

Code: [Select]

hxxp://liteautogreatest.cn/cache/flash.swf

VirusTotal for flash.swf (http://www.virustotal.com/analisis/d53523199a75b38f03300473508594d8) - 4/39 (10.26%)

Code: [Select]

hxxp://liteautogreatest.cn/load.php?id=5

VirusTotal for load.exe (http://www.virustotal.com/analisis/6585b1eb0192e6e808c537c09c61d25d) - 12/40 (30%)
Anubis report for load.exe (http://anubis.iseclab.org/?action=result&task_id=19d052d8429d68d3409883523bde4b33d)

Botnet C&C: 78.109.29.112

Quote

78.109.29.112:80
Request: GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=1824245000&rnd=981633 
Response: 200 "OK" 

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 19, 2009, 05:51:13 pm

PDF/Flash exploits

Code: [Select]

liteupyourride.cn

Code: [Select]

liteupyourride.cn/cache/readme.pdfhttp://www.virustotal.com/analisis/46adc25de221146ea1a2458c97602518 6/40
http://wepawet.cs.ucsb.edu/view.php?hash=4925255f3716377f7fcb7c9bfb038795&t=1240163655&type=js

Code: [Select]

liteupyourride.cn/cache/flash.swfhttp://www.virustotal.com/analisis/470c291cdcc653d9fa59067bcd0e2549 0/40

readme.pdf redirects to

Code: [Select]

litehitscar.cn/load.php?id=5
flash.swf redirects to

Code: [Select]

autobestwestern.cn/load.php?id=7&0

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 19, 2009, 06:04:34 pm

Code: [Select]

liteupyourride.cn/load.php?id=0http://www.virustotal.com/analisis/84c843b670e272983c36df81d489b1c7 11/40

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 19, 2009, 06:49:09 pm

Code: [Select]

autobestwestern.cn/load.php?id=7&0
finditbig.cn/load.php?id=0
lotwageronline.cn/load.php?id=0
bestfindaloan.cn/load.php?id=0
casinobigtop.cn/load.php?id=0
findbigthinker.cn/load.php?id=0
nanotopdiscover.cn/load.php?id=0http://www.virustotal.com/analisis/07cbfa835cf93c2f866d7e7fa18eabf5 10/40

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 21, 2009, 06:07:44 pm

Code: [Select]

bigtopliteworld.cn/index.php

Code: [Select]

bigtopliteworld.cn/cache/readme.pdfhttp://www.virustotal.com/analisis/04849a3b94bd19e3744dad8c73fe1837 5/40

Code: [Select]

bigtopliteworld.cn/cache/flash.swfhttp://www.virustotal.com/analisis/e6aa538f7429685ebc57c229fcf60e12 0/40

payload

Code: [Select]

liteupyourride.cn/load.php?id=5http://www.virustotal.com/analisis/a7235085d030a368a2e252b2f349e88c 5/40

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 24, 2009, 12:24:26 pm

Code: [Select]

bigfirststopnonfat.cn/cache/readme.pdfhttp://www.virustotal.com/de/analisis/9df853e9e91da997d69ffa57cdfc1009 6/40

Code: [Select]

bigfirststopnonfat.cn/cache/flash.swfhttp://www.virustotal.com/de/analisis/1062ccad3b0ca5230aa812b1e2a0fe75 8/40

Code: [Select]

bigfirststopnonfat.cn/load.php?id=0http://www.virustotal.com/analisis/4addace3fd995166bd398c49f36730eb 4/40

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: CkreM on April 26, 2009, 06:51:42 am

Exploits/trojan:

Code: [Select]

liteautoexcellent.cn/cache/readme.pdfhttp://wepawet.iseclab.org/view.php?hash=a36d423bba260475c37ddb159934d3c7&t=1240725719&type=js
The downloaded trojan:

Code: [Select]

bigfindtopguide.cn/load.php?id=8http://www.virustotal.com/analisis/1d3885e6ca1855e868cff94a6470dba5

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: CkreM on April 27, 2009, 02:52:55 am

Exploits/trojan:

Code: [Select]

liteautomobileinsurance.cn/index.phphttp://wepawet.cs.ucsb.edu/view.php?hash=2e8bf3872891782a22bdf1ed93b49c5f&t=1240801054&type=js

Title: Re: hs.3-151.zlkon.lv -(94.247.3.151)
Post by: SysAdMini on April 27, 2009, 07:14:07 pm

Code: [Select]

litevehiclemall.cn
the usual readme.pdf /flash.swf combination of exploits

Code: [Select]

litevehiclemall.cn/cache/readme.pdfhttp://wepawet.cs.ucsb.edu/view.php?hash=b9963d36150f370f54c1ac1281d58805&t=1240858677&type=js
http://www.virustotal.com/analisis/a125d69e7fb2522c4c83d07516f1793d 6/40

Code: [Select]

litevehiclemall.cn/cache/flash.swfhttp://www.virustotal.com/analisis/d8aea9a028fce12370bcd373df28b170 2/40