Malware Domain List

Malware Related => Malicious Domains => Zlkon.lv => Topic started by: Mr Clean on April 08, 2009, 10:35:18 am

Title: hs.2-107.zlkon.lv (94.247.2.107)
Post by: Mr Clean on April 08, 2009, 10:35:18 am
Code:
hxxp://clipan.net/download/4f3334764e513d3df0c9d80d/Playboy.The.Mansion.Gold.Edition..exe

$ dig clipan.net +short
94.247.2.107

$ dig -x 94.247.2.107 +short
hs.2-107.zlkon.lv.

http://www.virustotal.com/analisis/266475edf5ef3cf171e605f1fbbf2cff
http://anubis.iseclab.org/?action=result&task_id=1810e467179cb12a42dc3e6c489742f0b

Title: Re: hs.2-107.zlkon.lv (94.247.2.107)
Post by: sowhat-x on April 08, 2009, 12:57:42 pm
...noticed the "Registry Values Modified"? Cernel Network Ltd., heh...

Code:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
DhcpNameServer  85.255.112.215,85.255.112.94
Code:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
NameServer      85.255.112.215,85.255.112.94
Code:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}
DhcpNameServer  85.255.112.215,85.255.112.94
Code:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}
NameServer      85.255.112.215,85.255.112.94
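An added defender-side check, not part of this thread: a PowerShell snippet that reads the same Tcpip\Parameters NameServer and DhcpNameServer values (global and per-interface) that the report above shows being rewritten, and flags any resolver that is not on an allow-list, with the two 85.255.112.x addresses from the report called out as known-bad. The allow-list entry is a placeholder.

```powershell
# Added example (not from the thread). Reads the DNS resolver values that the
# sandbox report above shows DNSChanger rewriting and reports anything unexpected.
$Expected = @('192.168.1.1')                       # placeholder: your real internal resolvers
$KnownBad = @('85.255.112.215', '85.255.112.94')   # the two servers seen in this thread

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Keys = @($Base)
# One subkey per network interface, each with its own NameServer/DhcpNameServer
$Keys += Get-ChildItem -Path "$Base\Interfaces" | ForEach-Object { $_.PSPath }

foreach ($Key in $Keys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($Name in 'NameServer', 'DhcpNameServer') {
        $Value = $Props.$Name
        if ([string]::IsNullOrWhiteSpace($Value)) { continue }
        # Both values hold a comma- or space-separated list of addresses
        foreach ($Server in ($Value -split '[, ]+' | Where-Object { $_ })) {
            $Status = if ($KnownBad -contains $Server) { 'KNOWN-BAD' } elseif ($Expected -contains $Server) { 'ok' } else { 'UNEXPECTED' }
            [pscustomobject]@{ Key = $Key; Value = $Name; Server = $Server; Status = $Status }
        }
    }
}
```

Any row marked KNOWN-BAD or UNEXPECTED is worth comparing against the DHCP lease and the resolvers the host should actually be using.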
Title: Re: hs.2-107.zlkon.lv (94.247.2.107)
Post by: SysAdMini on April 08, 2009, 01:00:18 pm
Quote
...noticed the "Registry Values Modified"? Cernel Network Ltd., heh...

Aha, DNSChanger !
Title: Re: hs.2-107.zlkon.lv (94.247.2.107)
Post by: sowhat-x on April 08, 2009, 01:02:21 pm
Yeap...   ;)
As described in full detail over at FireEye's blog:
http://blog.fireeye.com/research/2009/02/bad-actors-part-3-internet-pathcernel.html
Title: Re: hs.2-107.zlkon.lv (94.247.2.107)
Post by: SysAdMini on April 08, 2009, 03:17:12 pm
Code:
http://clipan.net/download/5a45475a35673d3de0ebc52f/FlashPlayer.exe
http://ingclip.com/download/5a45475a35673d3de0ebc52f/FlashPlayer.exe

Micha told me that you can use any file name for those DNSChangers.
As long as the number inside the URL is valid, you can use whatyoulikename.exe.

Title: Re: hs.2-107.zlkon.lv (94.247.2.107)
Post by: SysAdMini on April 15, 2009, 07:21:45 am
Code:
bulkso.com/download/6271737536513d3d6d8f85ef/mediaplayer.exe

http://www.virustotal.com/analisis/b96399b7b37b72dac880731f5ca9a521 15/40
Title: Re: hs.2-107.zlkon.lv (94.247.2.107)
Post by: MarcusB on April 18, 2009, 04:44:10 am
OSX DNSChanger
Quote
hxxp://geodawn.com/download/3933657064413d3d7de86a0f/CodecUpdate.v1.19.dmg
hxxp://pligeo.com/download/3933657064413d3d7de86a0f/CodecUpdate.v1.19.dmg