Thursday, 11 August 2011
The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.
Although the IP 126.96.36.199 is allocated to NetDirekt (now Leaseweb Germany), it belongs to part of a range suballocated to inferno.name of Serbia (apparently also known as v3Servers.net). Inferno featured recently in this blog with another similar malware attack, that time on 188.8.131.52. 184.108.40.206/4 seems to be full of (possibly fake) pharma sites.
A lot of other IP addresses associated with this company are implicated with forum spamming.
Just in case you want to block traffic to/from inferno.name (although there may well be legitimate sites and servers in these ranges) then I have identified the following IP ranges, although there may well be more:
As for 220.127.116.11, watch for traffic going to subdomains of reddingtaxcm.com, for example:
Tuesday, 2 August 2011
virtualmapping.org is hosted on 18.104.22.168 which is unsurprisingly enough in Romania, in a Cobalt IT SRL block suballocated to SC Coral IT Office SRL / xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire 22.214.171.124/14 range.. at the very least, block 126.96.36.199/24, 188.8.131.52/24 and 184.108.40.206/24 which are especially toxic.
After hitting virtualmapping.org, visitors are then redirected to one of the following sites on 220.127.116.11, hosted at Netdirekt in Frankfurt but actually allocated to a host called inferno.name (Sogreev Anton, Serbia). 18.104.22.168/24 is full of Russian porn sites, so probably a good thing to block in any case.
Some of the domains that are loading the malware are:
Basically, anything in the nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.
The payload is a nasty trojan according to various analysis tools (ThreatExpert, Comodo, Anubis). Detection rates are very low. The analysis tools might help you to clean up your PC if you have somehow become infected.
Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains, assistancebeside.com (22.214.171.124) and imagehut4.cn which was actually deleted last year, but was registered to the scumbags at Real Host Ltd.
There's quite a lot to block here, the highest priorities are:
I see no harm in blocking the following /24s:
And if you're not afraid to block really quite large address ranges: