Sponsored by..

Showing posts with label Waledac. Show all posts
Showing posts with label Waledac. Show all posts

Wednesday, 13 February 2013

Malware sites to block 13/2/13

These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse what exactly what it going on, but here is one example from [donotclick]merwiqca.ru/nothing.exe: URLquery, VirusTotal, Comodo CAMAS, ThreatExpert.

I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.. it is probably not an exhaustive list though.

afxeftof.ru
ahtiagge.ru
ajgijuap.ru
amxylkap.ru
apnifosa.ru
aqqajofi.ru
atxembef.ru
awetefid.ru
azvaebyn.ru
bakuzbuq.ru
bangurec.ru
bowbiluk.ru
bugfivin.ru
citpoloj.ru
copapjid.ru
didcufun.ru
dikojnah.ru
diqnawug.ru
diteqciq.ru
dubfoluc.ru
dohjapju.ru
dufyhive.ru
dyrzaqfu.ru
dyxketam.ru
ecrihgep.ru
egygumlo.ru
epejanhi.ru
ewenhugi.ru
fachejyp.ru
fawsilom.ru
fedvojvy.ru
fytfotlo.ru
gegwikaf.ru
guphumsa.ru
gybebeho.ru
gyvolnac.ru
gywquroz.ru
hikutcur.ru
ikbyznod.ru
ixfocgaf.ru
jiwviqpa.ru
jizugqux.ru
joljihuk.ru
junedles.ru
jureetse.ru
lafdamow.ru
linsubby.ru
linyaqor.ru
liwmiccu.ru
liwuwquh.ru
merwiqca.ru
narzoquc.ru
nozwyhvi.ru
nylzudwo.ru
nypmivhy.ru
nyzvelew.ru
ocbiccan.ru
ojvectyk.ru
ophirjih.ru
owideker.ru
papcybop.ru
pegkowoz.ru
picifcym.ru
pypwalve.ru
qiqwoxki.ru
qysmahku.ru
qysriloh.ru
rabpabyr.ru
racapsyq.ru
raguhloc.ru
rehvuwib.ru
rulwusyc.ru
secegbiw.ru
sedfibyr.ru
soduvnec.ru
solhusny.ru
sumjecyg.ru
syofzaim.ru
tijenric.ru
todqenym.ru
towmidar.ru
tubtihiv.ru
tunzovnu.ru
ugnyspyr.ru
vacrajak.ru
vehyfgor.ru
viackipa.ru
vibewpav.ru
voxyqjyc.ru
wowrizep.ru
xitydjeg.ru
xyjiekfe.ru
ypvudhek.ru
zazzeqan.ru
zehyqjol.ru
zempakiv.ru
zyqutfeb.ru
fpyyb.axcakqif.ru
gipwf7i.zempakiv.ru
gkca7nkr.tyryfpix.ru
boomsco.com
larstor.com
newrect.com

Monday, 20 April 2009

barefootsies.com: possible Joe Job.

The Waledac gang strike again with an uncharacteristic spam advertising a foot fetish site.

From: [redacted]
Sent: 19 April 2009 22:53
To: [redacted]
Subject: Free foot fetish pics

Amatuer, girl-girl feet tickling movies, and foot worship movies at http://barefootsies.com/
Spammers sending out links to porn sites is not exactly big news. Except in this case, the registrant and the hosting server is identical the the blizzardimagehosting.com spam run from a few days ago. What's more, the WHOIS details for barefootsies.com appear to be valid.

Studios, First Choice
1st Choice Studios
6741 Sprinkle Rd, Ste 293
Portage, Michigan 49002
United States
2694929957 Fax --

It turns out that this domain is for sale along with some others.

But, as the the blizzardimagehosting.com run, this doesn't exactly fit into the usual Waledac approach and it could well be a Joe Job attack.

Friday, 17 April 2009

Waledac: freeservesms.com

Waledac is pretty common these days, and it usually tries to point the victim to a fake video codec that is actually a trojan, often through a sensational "news" headline or the promise of nudity.

This particular pitch promises something quite different:
Do you want to test your partner or just to read somebody's SMS? This program is exactly what you need then!
It's so easy! You don't need to install it at the mobile phone of your partner.
Just download the program and you will able to read all SMS when you are online.
Be aware of everything! This is an extremely new service!


The download file is called smstrap.exe. So this magical piece of software can read someone else's SMS messages without having to install software on the phone, right? Wrong.. it's just another variant of the Waledac trojan (see the VirusTotal results, ThreatExpert prognosis).

In this case the domain in use is freeservesms.com although it is likely that there will be others. For the records, the WHOIS details are:

Domain Name : freeservesms.com

Registrant Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Administrative Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Technical Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Billing Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:

Status :
clientDeleteProhibited
clientTransferProhibited

Domain Name Server :
ns1.moneymedal.com
ns2.moneymedal.com
ns3.moneymedal.com
ns4.moneymedal.com
ns5.moneymedal.com
ns6.moneymedal.com

Registration Date :2009-4-13
Expiration Date : 2010-4-13
Added: downloadfreesms.com is punting the same malware.