Oficla Trojan spreads through keygens and software cracks
Here is a new list of dangerous domains logged by our internal honeypots and submitted by users. They are used to spread trojans, rogue security software and other malicious threats, and some of them still have a low detection rate as of today:
Rogue Security Software:
Trojan Distribution (Oficla/Renos):
Infected Websites:
The IP address 209.123.181.48 (AS8001 – NAC Net Access Corp) appears to have hosted, and still hosts, a very large number of malicious domains, most of them used to distribute trojans disguised as keygens or cracks for popular commercial software:
Whois details for 209.123.181.48:
NetRange: 209.123.0.0 – 209.123.255.255
CIDR: 209.123.0.0/16
OriginAS: AS8001
NetName: NAC-NETBLK02
NetHandle: NET-209-123-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.NAC.NET
NameServer: NS1.NAC.NET
Comment: Additional Information Available via whois.nac.net
RegDate: 1997-08-06
Updated: 2007-09-18
Ref: http://whois.arin.net/rest/net/NET-209-123-0-0-1
OrgName: Net Access Corporation
OrgId: NAC
Address: 9 Wing Drive
City: Cedar Knolls
StateProv: NJ
PostalCode: 07927
Country: US
RegDate:
Updated: 2008-01-16
Ref: http://whois.arin.net/rest/org/NAC
OrgAbuseHandle: ABUSE156-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-800-638-6336
OrgAbuseEmail: XXXXX@nac.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE156-ARIN
The IP address 64.21.53.43 (AS8001 – NAC Net Access Corp) also appears to host malicious domains, in particular longsoft.org, which is used to distribute trojans by promising keygens and cracks for software:
Trojan spreading in action:

Report 2010-08-19 15:09:47 (GMT 1)
File Name paragon.exe
File Size 135168 bytes
File Type Executable File (EXE)
MD5 Hash f1d62efaea0986dd6b8ef1eee470e8dc
SHA1 Hash 90f59e41ad56204390f58f34c61c4aea04538a31
Detections 3 / 16 (19 %)
Status INFECTED
Trojan Activity:
POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)

POST /logos/XXX
Host: devtempest.com (91.188.60.233)

POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)

POST /werber/34b520e6b47/217.gif HTTP/1.1
Host: mybubblebean.com (85.234.190.47)

POST /perce/XXX
Host: peribox.net (77.78.239.42)
64.21.53.43 (AS8001 – NAC Net Access Corp)
69.10.36.218 (AS19318 – NJIIX.net 110B Meadowlands Pkwy Secaucus)
178.63.3.138 (AS24940 – Hetzner Online AG RZ)
208.87.240.230 (AS40676 – Proxy registration for downstream)
217.23.5.74 (AS49981 – WorldStream)
billgable.com
dlov.org
softwareshare.org
techrev.net
8.14.147.235 (AS26481 – BONDWEB Bondweb)
69.55.50.102 (AS23393 – ISPRIME , Inc.)
We will stop here for now, but the list is very long!