Showing posts with label Zeus.

Sunday 23 March 2014

Malware sites to block 23/3/14 (P2P/Gameover Zeus)

These domains and IPs are associated with the Peer-to-peer / Gameover variant of Zeus as described in this blog post at MalwareMustDie. I recommend that you block the IPs and/or domains listed as they are all malicious:

50.116.4.71 (Linode, US) [also mentioned here, here and here]
178.79.178.243 (Linode, UK)
212.71.235.232 (Linode, UK)
23.239.140.156 (Root Level Technology, US)

50.116.4.71
aqllbfahiivcelzqcfmdmoqhwc.com
aulbbiwslxpvvphxnjij.biz
balodcmzlqtcjbhllfwcmmb.biz
batlrintscnbytinqsqgbyvs.info
bqpwkxwsaudhehjzpwsvowcobqk.com
dahzlwskgileyplljlhq.org
ddxwnbusvwtwtcfizdmskxso.biz
dgqzkzxsmzqggiwccattorwobfu.ru
duonxdivrwbahpxdpmbzdhm.org
dwsirwclqopforlqkjrdpncqkr.net
gefifqtwgydaivpjbubuaiwglsrg.org
gqvwwcgqnjrkteyqacrkthfmxk.org
kblfxnrltorstolxcgqugbyyl.com
li430-71.members.linode.com
lxpvyhnbbmvkkfpbayuomnaqzx.org
lzrrgfmeuucvtpzpvhxdaqcbyay.info
pvgrkzdcidybihtsqweqnbgztjb.com
pypfyinnfhyvxkujlfbmkbdq.com
qmrowchvdejfaauclrfqhx.org
rgvoxwhtamqwbuhdvonbnjhytuo.org
rsaspfpzmzrobonylxp.biz
tceeaaetvgcypqfysqctam.com
twdepffvwpxxnbqyhgmtcx.org
xaqfmfzxvoxglzofedmjskhatwsw.net
xfmheaqdepbyinkfjbnztemhmvkvk.com
xmjdjbucxwztqoojordmfmzfexc.com
xoxllplffmaknofjbjnkbdisw.com
xpjrvoddmfempuwbymwhejbt.com
yxmfpffqhdyfyydcmpnifusrckjrkby.biz

178.79.178.243
aefaeamofemugdieddphebijb.org
aemfyldumrlithbaayzhib.com
auldivpzxeahilvcyvckrzpbepv.com
bjnovqmbkfqodiqiuwsqst.biz
jnhqtodhhgakndacuvojizdm.org
krwklrffanjydbimvbmgadmfydei.info
qkdapcqinizsczxrwaelaimznfbqq.biz
qkljydlcikfqktsunraynji.org
swsmjuseadpmrozdljofpddx.biz
tltdhasweiuorolzqweydmtdjr.biz
towohjnpxozxqwvbyxgayvc.info
usrgwobmqsxmruscudtgvwuccqvgwg.biz
vclytzcizhtyplbkrmfayburc.org
vwojamfqcipjnbobeafelvqprjzgacu.org
wceydihqmjexgtkvtqkdeh.com
yhzpojvizpbiztkjdaxzib.org
zxjzaypibnjayfmpzpalkbaunzl.com

212.71.235.232
ambaorbynbjrxwdeumvqohiytp.com
amxgeaehmpirsczhtdebunsc.info
fuambuvktwcnfddadytzrccmrsg.info
gajbceobcpvnvjbxomrnfgqlcu.org
hapeysdqhpjntcwcmrpqtcu.biz
hayzscyddatgfeyvwxgcuxifcy.org
izsodajzhrsingdygyvsvcmzlhyx.com
ldmbcqwsfuhebqlrfqmjpjtbm.net
lnipjrijfamnxkgenzypusztpnxhi.org
mbdaaywcbikbnzdiaebnzgaph.biz
peucehqxsgmzhgujfsoeihmpvhiz.info
pnfxwvsgqvctqkypwghlbnbiz.biz
qwlamzprordqxcyltgbqxqctgkfq.biz
rougorsxgeeiaqqclrmnxcnbdig.com
swhyijskpdxkzdfqeqlduydaet.org
uzhoxeuukrgprcxwjbdymbir.info
wcrydrkgzhqoeunduhttayh.biz
wsauqohqevirkreaocyzh.info
yfamzskpcikveahhynrztfa.org
ytsgugkfgadtkpjhmxsmjlkrnv.com
yxmfpffqhdyfyydcmpnifusrckjrkby.biz

23.239.140.156
cedivwojozpjnmzphdmgscrkcqgq.info
dmeiljtpjfnrwolrucyppbqnjmn.biz
dqdycmfqbuxabufqhehejngapcy.biz
dtuwswgunvgayzpxolvclzaiw.com
hguvmrrgljldtkfcuuwmfhda.com
hqzdwauwkrvcpifdontobbat.org
hywkvojryttvwvkxccehmbadtcepz.biz
jnhqtodhhgakndacuvojizdm.org
lduemshmhceamlflrvoehrw.org
ltmbcqyheqjnrcuucwbipqsjnbe.biz
ojdqolcirkamyhursqozxin.com
pfceceprcxzhqstcyvodepzx.info
qcejrvgsydqpzzdixonvugysktk.com
qkfeutkgmfqxrwmbxgxcdymz.biz
tcvkwsbqnjhjobgyttklnfxo.com
udewxdqkxtwqwjvhvgbuzhx.org
vclytzcizhtyplbkrmfayburc.org
vxwdtkfjfqotkdaivkfqgaedx.biz
wslhrwfmwkhmozhambvwhuzpnb.net
xcvshidqgwotvfetvcydfajnof.com
zludaswlfrwphijtkknya.info

Thursday 8 August 2013

Citibank spam / Loan_08082013.exe

This fake Citibank spam comes with a malicious attachment:

Date:      Thu, 8 Aug 2013 13:09:04 -0500 [14:09:04 EDT]
From:      Erin_Gay [Erin_Gay@citibank.com]
Subject:      RE: Loan Approved

Your documents are ready , please sign them and email them back.

Thank you

Erin_Gay
Level III Account Management
817-835-6023 office
817-074-9181 cell Erin_Gay@citibank.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

The security of personal information about you is our priority. We protect this
information by maintaining physical, electronic, and procedural safeguards that meet
applicable law. We train our employees in the proper handling of personal information.
When we use other companies to provide services for us, we require them to protect the
confidentiality of personal information they receive.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

The attachment is in the format Loan.recipient-name.zip and contains the executable Loan_08082013.exe (note the date is encoded into the filename).

The initial file is just a trojan downloader. VirusTotal results are 10/45. The Malwr analysis gives some excellent details of what is going on, including attempted downloads from the following locations:
[donotclick]www.arki.com/ponyb/gate.php
[donotclick]ftp.miniaturesbykim.com/fzKU1Y.exe
[donotclick]www.gfchargers.org/iwa4s1.exe
[donotclick]ftp.jason-tooling.com/nhdx.exe
[donotclick]www.rachelcondry.com/nLiZVHtr.exe

This downloads a Zeus variant with a very low detection rate of 4/45. The Malwr analysis for this part shows some apparent peer-to-peer traffic (note some of these IPs are legitimate and belong to Google):
88.84.107.110
184.39.153.172
116.15.200.129
108.210.216.93
79.10.245.249
130.251.186.103
75.32.154.102
50.65.158.6
99.146.98.160
69.246.97.159
76.226.134.206
88.68.122.74
200.91.49.183
157.100.168.252
99.181.10.118
108.234.133.110
108.240.232.212
108.74.172.39
178.238.233.29
69.115.119.227
99.26.122.34
173.194.67.99
23.25.36.93
173.194.67.94
174.96.27.128
2.158.160.98
123.201.22.66
187.214.18.148
174.141.40.194
97.67.116.122
173.209.69.2
103.1.71.126
204.155.62.5
97.96.126.195
208.118.221.212
50.78.124.173

Friday 2 March 2012

Malware sites to block 2/3/12

The Spam Analysis blog has an excellent post analysing what is happening behind the scenes in the malware from some recent spam runs. I've taken their hard work and have broken out the domains and IP addresses that you may want to block.

Note that some of these sites may be legitimate hacked sites. Also, 66.96.160.133 is a parking IP, so there are several thousand other sites on the same address.

Domains:
almeconstruction.com
ampndesignclients.com
buddysbarbq.com
chovattuvt.com
curchamp.com
curcharge.com
curchart.com
ftp.intervene.com.br
impressiveclimate.com
indianwildlifetourism.com
mixestudio.com
pollypaw.com
pollypeaceful.com
ragsnipe.com
sadropped.com
splatstep.com
top59serv.ro
trucktumble.com
truckturtle.com
wonderfulwriggle.com

IPs and hosts:
50.2.7.120 (Infinitie, US)
64.150.166.137 (iPower, US)
66.96.160.133 (Endurance International, US) [parked]
66.232.108.46 (Kevin Shick, US)
74.207.245.244 (Linode, US)
78.47.211.154 (Hetzner, Germany)
85.9.26.253 (GTS, Romania)
112.78.2.141 (Online Data Services JSC, Vietnam)
173.213.90.237 (Serverhub, US)
173.213.90.238 (Serverhub, US)
174.123.39.34 (ThePlanet, US)
174.136.0.68 (Colo4, US)
184.173.192.173 (ThePlanet, US)
200.58.124.129 (Dattatec.com, Argentina)
200.98.197.68 (UOL, Brazil)
209.140.16.128 (Landis Holdings, US)
216.251.43.98 (InternetNamesForBusiness.com, US)

Plain IP list:
50.2.7.120
64.150.166.137
66.96.160.133
66.232.108.46
74.207.245.244
78.47.211.154
85.9.26.253
112.78.2.141
173.213.90.237
173.213.90.238
174.123.39.34
174.136.0.68
184.173.192.173
200.58.124.129
200.98.197.68
209.140.16.128
216.251.43.98
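The lists in this post come in two shapes: an annotated "IP (organisation, country) [note]" form and a plain IP form derived from it, while the 23/3/14 Gameover post above groups hostnames under the IP they resolve to. The script below is an added example (not the blog's own tooling) that turns both shapes into something a firewall or DNS sinkhole can consume. It parses the annotated lines with the `ipaddress` module, emits the deduplicated and numerically sorted plain list (optionally leaving out addresses flagged as parked, since the author notes that thousands of unrelated sites share such an IP), and for the grouped lists reports hostnames that appear under more than one IP. The sample inputs are short constructed excerpts of the lists on this page; the regex and the hosts-file output format are assumptions, not anything the author specifies.

```python
import ipaddress
import re

# Constructed sample: a subset of the annotated "IPs and hosts" lines from the 2/3/12 post,
# with one line duplicated on purpose to show deduplication.
ANNOTATED = """\
66.96.160.133 (Endurance International, US) [parked]
50.2.7.120 (Infinitie, US)
74.207.245.244 (Linode, US)
50.2.7.120 (Infinitie, US)
"""

# Constructed sample: a subset of the 23/3/14 post, where each block is an IP followed by
# the hostnames that resolve to it (one hostname deliberately listed under two IPs).
GROUPED = """\
50.116.4.71
aqllbfahiivcelzqcfmdmoqhwc.com
yxmfpffqhdyfyydcmpnifusrckjrkby.biz

212.71.235.232
ambaorbynbjrxwdeumvqohiytp.com
yxmfpffqhdyfyydcmpnifusrckjrkby.biz
"""

# Assumed line shape: "<ip> (<org, country>) [<note>]" with both brackets optional.
ANNOTATED_RE = re.compile(r"^(\S+)\s*(?:\(([^)]*)\))?\s*(?:\[([^\]]*)\])?\s*$")


def parse_annotated(text):
    """Turn annotated lines into dicts; blank lines and lines without a valid IP are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ANNOTATED_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an IP (for example a hostname) - ignore in this list
        entries.append({"ip": ip, "org": m.group(2) or "", "note": (m.group(3) or "").lower()})
    return entries


def plain_ip_list(entries, skip_parked=False):
    """Deduplicated IP strings in numeric order, optionally without parked addresses."""
    ips = {e["ip"] for e in entries if not (skip_parked and "parked" in e["note"])}
    return [str(ip) for ip in sorted(ips)]


def parse_grouped(text):
    """Map each IP header to the set of hostnames listed beneath it."""
    groups = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            current = str(ipaddress.ip_address(line))  # a new IP header starts a block
            groups.setdefault(current, set())
            continue
        except ValueError:
            pass
        if current is not None:
            groups[current].add(line.lower())
    return groups


def shared_domains(groups):
    """Hostnames that appear under more than one IP, with the IPs they were seen on."""
    seen = {}
    for ip, domains in groups.items():
        for d in domains:
            seen.setdefault(d, set()).add(ip)
    return {d: sorted(ips) for d, ips in seen.items() if len(ips) > 1}


def hosts_file_lines(groups):
    """Sinkhole-style hosts-file entries (assumed format), one per unique hostname."""
    domains = sorted(set().union(*groups.values())) if groups else []
    return [f"0.0.0.0 {d}" for d in domains]


if __name__ == "__main__":
    entries = parse_annotated(ANNOTATED)
    print("plain list:", plain_ip_list(entries))
    print("without parked:", plain_ip_list(entries, skip_parked=True))
    groups = parse_grouped(GROUPED)
    print("shared hostnames:", shared_domains(groups))
    print("\n".join(hosts_file_lines(groups)))
```

Keeping the parked address out of the plain list is a judgement call: blocking it stops this campaign's traffic but also every unrelated parked site on the same address, which is why the parser carries the note through rather than silently dropping or keeping the entry.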

Tuesday 25 October 2011

Some malware sites to block

These sites and IPs seem to be distributing some sort of Zeus variant. In this case users are being enticed to download a file called Fattura.zip (Italian for "invoice") which then contains an executable with the name Fattura.Doc_________________________________________________________________.exe (there are 65 underscores in the filename). That seems daft until you realise that all those underscores are designed to hide the .exe extension by making the filename so big that it is truncated.
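The underscore trick described above is easy to catch at the mail gateway once you look for it: the real extension is executable, a decoy document extension sits just before a long run of filler characters, and the whole name is far longer than a mail client will display. The checker below is an added example, not something from the blog; it scores an attachment name on those three signals and also walks the members of a zip archive so that Fattura.zip-style wrappers are inspected. The executable and decoy extension sets, the eight-character filler threshold and the 64-character display width are assumptions chosen for the example; the sample zip is constructed in memory with dummy bytes rather than taken from the real sample.

```python
import io
import re
import zipfile

# Assumed sets: extensions Windows runs directly, and document types used as decoys.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg"}

# Assumed threshold: eight or more consecutive underscores, spaces, dashes or dots.
PADDING_RE = re.compile(r"[_ \-\.]{8,}")
# A decoy extension directly before the filler, e.g. "Fattura.Doc_____" -> "doc".
DECOY_RE = re.compile(r"\.([a-z0-9]{2,4})[_ \-]*$")
MAX_DISPLAY = 64  # assumed width beyond which a client is likely to truncate the name


def inspect_filename(name):
    """Return a verdict dict for one attachment filename."""
    stem, sep, ext = name.rpartition(".")
    ext = ext.lower() if sep else ""
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
        padding = PADDING_RE.search(stem)
        if padding:
            findings.append(f"{len(padding.group())} filler characters before the real extension")
        decoy = DECOY_RE.search(stem.lower())
        if decoy and decoy.group(1) in DECOY_EXTS:
            findings.append(f"decoy document extension .{decoy.group(1)}")
        if len(name) > MAX_DISPLAY:
            findings.append(f"name longer than {MAX_DISPLAY} characters, likely truncated on display")
    return {"name": name, "suspicious": bool(findings), "findings": findings}


def inspect_zip_bytes(data):
    """Inspect every member name inside a zip archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [inspect_filename(member) for member in zf.namelist()]


def build_sample_zip():
    """Constructed archive mimicking the Fattura.zip layout; contents are dummy bytes."""
    hidden = "Fattura.Doc" + "_" * 65 + ".exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(hidden, b"not a real executable")
        zf.writestr("readme.txt", b"benign member for contrast")
    return buf.getvalue()


if __name__ == "__main__":
    for result in inspect_zip_bytes(build_sample_zip()):
        print(result["name"][:40] + ("..." if len(result["name"]) > 40 else ""))
        for f in result["findings"]:
            print("  -", f)
```

Reporting the individual findings rather than a single yes/no makes it easy to tune: a bare `.exe` attachment is already worth quarantining in most environments, while the decoy-plus-filler combination is a much stronger signal of deliberate deception.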

At the moment, the malware (MD5 09886612d542e1b354aeda6a16f9ccf5) is poorly detected (4/43 at VirusTotal). ThreatExpert's prognosis is here.

The back end is a bit more interesting and gives a large number of IPs and domains to block if you want to be proactive about stopping this sort of thing.

The back end servers are primarily:
41.189.229.65 (Djibouti Telecom)
60.19.30.131 (China Unicom)
60.19.30.135 (China Unicom)
67.40.211.116 (Qwest Communications, Seattle)
71.217.16.11 (Qwest Communications, Seattle)
82.210.157.9 (Aster, Poland)
113.161.87.176 (VietNam Post and Telecom Corporation)
195.214.238.241 (Interphone, Ukraine)
202.199.160.107 (Dongbei University of Finance and Economics, China)
218.24.113.3 (China Unicom)

Associated domains:

axeswizardepx.ru
bellicbridge.ru
bellicoreturbo.ru
blackofspogus.com
booksforbool.com
brentnallfg.com
dartzofmybpull.ru
digibeetlesop.ru
dontstop21523510.com
duffiduffid.ru
duklio.com
dzmeritelshop.ru
ebaliu.com
esperadooptic.ru
fabsnot.ru
fgrag3.com
financialactivson.com
financialpoet.com
fitle8.com
florianarray.ru
freakcan.ru
getinmo.net
gorycup.ru
hoperjulia.com
itchysauce.ru
jetsetflysystems.asia
koklip.com
krufop.com
linkmoduledso.com
lu4isa.com
lurofletzhen.com
microhousezez.com
musicframeit.com
n3ot6op.com
naughtywifepal.ru
onepet.ru
paperrain.net
papertulip.ru
pellicslotersa.ru
plasticinetec.ru
poczta.orgmasz.pl
popspostenkple.ru
recruitaimsfg.com
routerstructo.ru
rudeink.ru
runnystorm.ru
secondconcert.ru
sichererautoverkauf.net
simulatormage.ru
so47nop.com
softmarkets.ru
steelcinetecs.ru
t3a4ano.com
tamilworldinfo.net
tinpiano.com
tradesystemsy.com
vanilaprojectlive.com
weaktrash.ru
widuop.com