Wednesday, 2 January 2013

Malware sites to block 2/1/13 part II

Here's a bunch of malicious IPs and domains to block, mostly based on this in-depth research at the Malware Must Die! blog.

As far as I can see, the IPs in use (and the hosts these domains resolve to) are exclusively compromised consumer PCs dotted around the globe, rather than compromised or malicious web servers, so the ISPs are pretty irrelevant in this case. This type of infected host has a relatively short shelf-life, possibly just a few days, so you may or may not want to add the IPs to your blocklist; the domains are the more durable indicator.

IPs:
1.169.174.98
5.79.227.65
14.97.222.104
24.14.110.124
27.3.193.56
27.188.153.72
37.19.146.142
37.229.235.32
46.109.154.27
46.161.190.98
58.99.12.25
62.61.52.166
66.176.136.81
68.56.17.213
72.177.166.48
77.45.11.232
77.106.119.105
87.110.18.105
88.206.64.69
88.222.224.163
89.221.113.36
89.230.155.107
90.46.70.228
93.105.37.117
93.105.108.84
95.104.102.82
96.49.157.112
109.126.30.178
111.249.158.111
111.255.78.122
112.105.92.46
114.39.91.89
119.70.17.64
151.32.120.175
159.148.43.126
159.148.124.172
177.199.108.51
178.44.196.20
178.137.235.238
178.218.65.83
182.156.158.115
184.82.27.102
187.186.74.50
188.19.160.215
188.129.225.16
201.213.124.107
202.122.63.80
203.80.126.186

Domains:
ahtiagge.ru
ahumamit.portrelay.com
aiev.zempakiv.ru
akmaxook.ru
asd9ja.zempakiv.ru
axcakqif.ru
b44z9w.kugfulyw.ru
b4i.cesivpil.ru
bakuzbuq.ru
batycfac.ru
bmwlummanets.info
bmwlummanets.name
cimhuspi.ru
cucaklif.ru
cundimam.ru
cyd3e.cesivpil.ru
d0hltlwy.lafdamow.ru
ektizzab.ru
epx2i9ae.zempakiv.ru
eth9.lafdamow.ru
faxaersaerfq.cu.cc
gasosvaz.ru
gegwikaf.ru
gipwf7i.zempakiv.ru
gywquroz.ru
hikutcur.ru
hoardrygfa.cu.cc
ikbyznod.ru
isbegisy.ru
ixfocgaf.ru
jilvoqsi.ru
jureetse.ru
lafdamow.ru
larstor.com
lejbomor.ru
libsnetingwors.info
libsnetingwors.name
linsubby.ru
lofibvar.ru
lymurufa.ru
malstpribizz.name
morrisgens.name
newrect.com
nopepkaq.ru
norfikuf.ru
nosgazim.ru
nypmivhy.ru
odmurwal.ru
ogedlayc.ru
oqivynle.ru
panasrtydertf.cu.cc
pikkokih.ru
pocaertvadrtn.cu.cc
poqawertdert.cu.cc
posertvaeryz.cu.cc
powosjec.ru
qysriloh.ru
rehvuwib.ru
ropitym.ezua.com
rosacomi.ru
sepsiqbo.ru
sexcol.cu.cc
towmidar.ru
tyjkexax.ru
tyryfpix.ru
videoroliki.nut.cc
voxyqjyc.ru
worgukiw.ru
wufjajcy.ru
xoztyhto.ru
yficebnu.ru
ykyczeis.ru
zedwyzuc.ru
zempakiv.ru
zuzikkeg.ru
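Turning a list like the one above into something a firewall and resolver can use is mostly about two things: giving the IP entries an expiry to match the short shelf-life of infected consumer hosts, and blocking throwaway domains at the apex (so every random subdomain of zempakiv.ru or lafdamow.ru is covered) while blocking only the exact FQDN under shared dynamic-DNS zones such as cu.cc, where a wildcard would take out innocent names. The script below is an added example, not code from the original post or from Malware Must Die!; the ipset name, the seven-day timeout, the set of shared parent zones and the sample entries are the editor's assumptions. It emits ipset commands (with `timeout`) for the IPs and RPZ records (`CNAME .` returns NXDOMAIN) for the domains, and rejects malformed or non-global entries rather than silently blocking them.

```python
import ipaddress
import re

# Constructed sample input: a handful of the IPs and domains from the list
# above, plus two deliberately malformed entries to exercise validation.
SAMPLE_IPS = ["1.169.174.98", "5.79.227.65", "203.80.126.186", "300.1.1.1"]
SAMPLE_DOMAINS = [
    "aiev.zempakiv.ru", "asd9ja.zempakiv.ru", "zempakiv.ru",
    "b44z9w.kugfulyw.ru", "lafdamow.ru", "eth9.lafdamow.ru",
    "faxaersaerfq.cu.cc", "sexcol.cu.cc", "ropitym.ezua.com",
    "not a domain",
]

# Zones shared by many unrelated users (free / dynamic DNS providers).
# Blocking the parent would break innocent names, so only the exact FQDN
# is blocked under these. Assumption: this set is the editor's, chosen
# from the suffixes that appear in the list above, not a complete list.
SHARED_PARENTS = {"cu.cc", "nut.cc", "portrelay.com", "ezua.com"}

# Infected consumer hosts churn within days, so IP entries get a timeout
# rather than living in the set forever (assumed value: one week).
IP_TTL_SECONDS = 7 * 24 * 3600
SET_NAME = "malware_ips"  # assumed ipset name

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(name):
    return name.strip().lower().rstrip(".")


def valid_domain(name):
    labels = normalize(name).split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def apex_of(name):
    """Registrable domain (last two labels), or None when the parent is a
    shared zone and only the exact FQDN should be blocked."""
    labels = normalize(name).split(".")
    apex = ".".join(labels[-2:])
    return None if apex in SHARED_PARENTS else apex


def build_blocklist(ips, domains):
    """Return (ipset commands, RPZ records, rejected entries)."""
    ipset_cmds = [f"ipset create {SET_NAME} hash:ip timeout {IP_TTL_SECONDS} -exist"]
    rejected = []
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append(raw)
            continue
        if not addr.is_global:  # never block RFC 1918 / loopback by accident
            rejected.append(raw)
            continue
        ipset_cmds.append(f"ipset add {SET_NAME} {addr} timeout {IP_TTL_SECONDS} -exist")

    apexes, fqdns = set(), set()
    for raw in domains:
        if not valid_domain(raw):
            rejected.append(raw)
            continue
        apex = apex_of(raw)
        if apex is None:
            fqdns.add(normalize(raw))
        else:
            apexes.add(apex)

    # RPZ: "CNAME ." answers NXDOMAIN; the wildcard covers every subdomain,
    # which is what you want for throwaway .ru domains with random labels.
    rpz = []
    for apex in sorted(apexes):
        rpz.append(f"{apex} CNAME .")
        rpz.append(f"*.{apex} CNAME .")
    for fqdn in sorted(fqdns):
        rpz.append(f"{fqdn} CNAME .")
    return ipset_cmds, rpz, rejected


if __name__ == "__main__":
    cmds, rpz, bad = build_blocklist(SAMPLE_IPS, SAMPLE_DOMAINS)
    print("\n".join(cmds))
    print("\n".join(rpz))
    print("rejected:", bad)
```

The two-label apex heuristic is deliberately simple; if you feed it names under ccTLD second-level zones (co.uk and the like) you will want a public-suffix list instead of the small SHARED_PARENTS set.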



2 comments:

unixfreaxjp said...

Very good research and well explained, to the point.
The only way to nail the infection is via the DNS used by this bad actor, which we found ends up at a significant service only. In order to control these IP infectors, the bad guys need to fully control the NS of each new domain set, and that cannot be done instantly (setting new or changing DNS); we need to aim at the registration ID and contact ICANN to contact the registrant to shut it down. If this is coordinated well, the bad guys will cry hard.
#MalwareMustDie!!

unixfreaxjp said...

Hello Conrad,
You might be interested in this:

https://twitter.com/MalwareMustDie/status/286587621080182784

Had no time to blog, but might be useful for you.

verdicts:

1. InfoStealer
2. Steals certificates & uses them to encrypt/decrypt POST data
3. Connects to some SMTP servers for sending spam.

My analysis of the payload is in VT:
https://www.virustotal.com/file/b9c4b1ecaa15631735cd56ac3c70a2492b2ebc052aa1b3187178765e508e2678/analysis/

Missed: the SMTP servers connected to:
smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com
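The SMTP servers named in the comment above are legitimate public mail relays, so they cannot simply be blocked; what gives the infection away is a workstation speaking SMTP to anything other than the corporate relay. The detection below is an added example by the editor, not code from the post or the commenter. It assumes an internal workstation range (10.20.0.0/16), a corporate relay name (smtp.corp.example) and a flow-record shape of (src_ip, dst_host, dst_port), all invented for illustration, and rates a hit higher when the destination is one of the relays listed in the comment.

```python
import ipaddress

# Assumptions (editor's, not from the post): workstations live in
# 10.20.0.0/16 and may only hand mail to the corporate relay.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
CORP_RELAY = "smtp.corp.example"
MAIL_PORTS = {25, 465, 587}

# The public SMTP servers named in the comment above.
KNOWN_SPAM_RELAYS = {
    "smtp.compuserve.com", "mail.airmail.net", "smtp.directcon.net",
    "smtp.sbcglobal.yahoo.com", "smtp.mail.yahoo.com", "smtp.live.com",
}

# Constructed sample flow records: (src_ip, dst_host, dst_port).
SAMPLE_FLOWS = [
    ("10.20.3.14", "smtp.corp.example", 587),   # normal: workstation -> relay
    ("10.20.3.14", "smtp.live.com", 587),       # workstation -> public SMTP
    ("10.20.7.2", "203.0.113.9", 25),           # workstation -> unknown host on 25
    ("10.20.7.2", "www.example.com", 443),      # not mail, ignored
    ("10.30.0.5", "smtp.mail.yahoo.com", 25),   # not a workstation subnet, ignored
]


def egress_smtp_alerts(flows):
    """Return (src, dst, port, severity) for every workstation that talks
    SMTP to anything except the corporate relay."""
    alerts = []
    for src, dst, port in flows:
        if port not in MAIL_PORTS:
            continue
        if ipaddress.ip_address(src) not in WORKSTATION_NET:
            continue
        if dst == CORP_RELAY:
            continue
        # A known spam-relay destination matches the payload's behaviour
        # directly; any other SMTP egress from a workstation is still odd.
        severity = "high" if dst in KNOWN_SPAM_RELAYS else "medium"
        alerts.append((src, dst, port, severity))
    return alerts


if __name__ == "__main__":
    for alert in egress_smtp_alerts(SAMPLE_FLOWS):
        print("ALERT", *alert)
```

On a real network the same rule is better enforced than detected: deny outbound 25/465/587 from client subnets at the perimeter except to the relay, and log the denials.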