Oficla Trojan spreads through keygens and software cracks

Here is a new list of dangerous domains logged by internal honeypots and submitted by users. They are used to spread trojans, rogue security software and other malicious threats, and some of them still have a low detection rate as of today:

Rogue Security Software:


Trojan Distribution (Oficla/Renos):

gourlz.net / 178.63.3.138
thestockfiles.com / 69.10.36.218
vo2ov.com / 95.211.10.178
cvaohn.org / 209.123.181.48
mechadairysystems.com / 208.87.240.230
longsoft.org / 64.21.53.43
kenborden.com / 209.123.181.48
hotworldmedia.com / 69.10.36.218

Infected Websites:


The IP address 209.123.181.48 (AS8001 – NAC Net Access Corp) appears to have hosted, and still to host, a very high number of malicious domains, most of which distribute trojans disguised as keygens or cracks for popular commercial software:


Whois details for 209.123.181.48:

NetRange: 209.123.0.0 – 209.123.255.255
CIDR: 209.123.0.0/16
OriginAS: AS8001
NetName: NAC-NETBLK02
NetHandle: NET-209-123-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.NAC.NET
NameServer: NS1.NAC.NET
Comment: Additional Information Available via whois.nac.net
RegDate: 1997-08-06
Updated: 2007-09-18
Ref: http://whois.arin.net/rest/net/NET-209-123-0-0-1

OrgName: Net Access Corporation
OrgId: NAC
Address: 9 Wing Drive
City: Cedar Knolls
StateProv: NJ
PostalCode: 07927
Country: US
RegDate:
Updated: 2008-01-16
Ref: http://whois.arin.net/rest/org/NAC

OrgAbuseHandle: ABUSE156-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-800-638-6336
OrgAbuseEmail: XXXXX@nac.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE156-ARIN

The IP address 64.21.53.43 (AS8001 – NAC Net Access Corp) also appears to host malicious domains, in particular longsoft.org, which distributes trojans by promising keygens and cracks for software:

Trojan spreading in action:


Report: 2010-08-19 15:09:47 (GMT 1)
File Name: paragon.exe
File Size: 135168 bytes
File Type: Executable File (EXE)
MD5 Hash: f1d62efaea0986dd6b8ef1eee470e8dc
SHA1 Hash: 90f59e41ad56204390f58f34c61c4aea04538a31
Detections: 3 / 16 (19 %)
Status: INFECTED

Trojan Activity:

POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)

POST /logos/XXX
Host: devtempest.com (91.188.60.233)

POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)

POST /werber/34b520e6b47/217.gif HTTP/1.1
Host: mybubblebean.com (85.234.190.47)

POST /perce/XXX
Host: peribox.net (77.78.239.42)
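As an added example (not part of the original post), the following Python turns the beacon capture above into host/path indicators and runs them over a few constructed proxy log lines, separating an exact beacon match from mere contact with one of the C2 hosts. The proxy log format and its sample lines are assumptions; the beacons are copied from the capture.

```python
import re
from urllib.parse import urlsplit

# Beacons copied from the page's "Trojan Activity" capture; "XXX" is the page's redaction.
CAPTURE = """POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)
POST /logos/XXX
Host: devtempest.com (91.188.60.233)
POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)
POST /werber/34b520e6b47/217.gif HTTP/1.1
Host: mybubblebean.com (85.234.190.47)
POST /perce/XXX
Host: peribox.net (77.78.239.42)
"""

# Constructed proxy log (not from the page): "src method url dst".
PROXY_LOG = """10.0.0.5 POST http://duidrive.net/98ds7c98ds7c98ds7c98.php?ini=c2VyaWFs 64.20.63.58
10.0.0.7 GET http://example.com/index.html 93.184.216.34
10.0.0.5 POST http://devtempest.com/logos/9f1c.bin 91.188.60.233
10.0.0.9 GET http://duidrive.net/robots.txt 64.20.63.58
"""
REQ_RE = re.compile(r"^(POST|GET)\s+(\S+)")
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((\d+(?:\.\d+){3})\)")

def parse_capture(text):
    """Return de-duplicated (method, path_prefix, host, ip) tuples."""
    beacons, pending = {}, None
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            # "/logos/XXX" becomes the prefix "/logos/" once the redaction is dropped
            pending = (m.group(1), m.group(2).replace("XXX", ""))
        elif (m := HOST_RE.match(line)) and pending:
            beacons[pending + (m.group(1), m.group(2))] = None
            pending = None
    return list(beacons)  # dict keeps order and drops the repeated beacon

def match_proxy_log(log, beacons):
    """Flag (src, host, verdict): "beacon" = method+path match, "host-only" = other contact."""
    hits = []
    for line in log.splitlines():
        src, method, url, dst = line.split()
        u = urlsplit(url)
        target = u.path + ("?" + u.query if u.query else "")
        for meth, prefix, host, ip in beacons:
            if u.hostname != host and dst != ip:
                continue
            exact = method == meth and target.startswith(prefix)
            hits.append((src, u.hostname, "beacon" if exact else "host-only"))
            break
    return hits
```

A "host-only" hit is worth a look but not a verdict on its own; the "beacon" verdict is the POST pattern the sandbox run actually produced.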

64.21.53.43 (AS8001 – NAC Net Access Corp)


69.10.36.218 (AS19318 – NJIIX.net 110B Meadowlands Pkwy Secaucus)

mediaidentifier.com
movieregion.com
multimedianame.com
ns1.prominentupstairs.com
realplayerpro.com
yourreload.com

178.63.3.138 (AS24940 – Hetzner Online AG RZ)


208.87.240.230 (AS40676 – Proxy registration for downstream)


217.23.5.74 (AS49981 – WorldStream)

billgable.com
dlov.org
softwareshare.org
techrev.net

8.14.147.235 (AS26481 – BONDWEB Bondweb)


69.55.50.102 (AS23393 – ISPRIME , Inc.)


We will stop here for now, but the list is very long!