These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse exactly what is going on, but here is one example from [donotclick]merwiqca.ru/nothing.exe: URLquery, VirusTotal, Comodo CAMAS, ThreatExpert.
I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify. It is probably not an exhaustive list though.
afxeftof.ru
ahtiagge.ru
ajgijuap.ru
amxylkap.ru
apnifosa.ru
aqqajofi.ru
atxembef.ru
awetefid.ru
azvaebyn.ru
bakuzbuq.ru
bangurec.ru
bowbiluk.ru
bugfivin.ru
citpoloj.ru
copapjid.ru
didcufun.ru
dikojnah.ru
diqnawug.ru
diteqciq.ru
dubfoluc.ru
dohjapju.ru
dufyhive.ru
dyrzaqfu.ru
dyxketam.ru
ecrihgep.ru
egygumlo.ru
epejanhi.ru
ewenhugi.ru
fachejyp.ru
fawsilom.ru
fedvojvy.ru
fytfotlo.ru
gegwikaf.ru
guphumsa.ru
gybebeho.ru
gyvolnac.ru
gywquroz.ru
hikutcur.ru
ikbyznod.ru
ixfocgaf.ru
jiwviqpa.ru
jizugqux.ru
joljihuk.ru
junedles.ru
jureetse.ru
lafdamow.ru
linsubby.ru
linyaqor.ru
liwmiccu.ru
liwuwquh.ru
merwiqca.ru
narzoquc.ru
nozwyhvi.ru
nylzudwo.ru
nypmivhy.ru
nyzvelew.ru
ocbiccan.ru
ojvectyk.ru
ophirjih.ru
owideker.ru
papcybop.ru
pegkowoz.ru
picifcym.ru
pypwalve.ru
qiqwoxki.ru
qysmahku.ru
qysriloh.ru
rabpabyr.ru
racapsyq.ru
raguhloc.ru
rehvuwib.ru
rulwusyc.ru
secegbiw.ru
sedfibyr.ru
soduvnec.ru
solhusny.ru
sumjecyg.ru
syofzaim.ru
tijenric.ru
todqenym.ru
towmidar.ru
tubtihiv.ru
tunzovnu.ru
ugnyspyr.ru
vacrajak.ru
vehyfgor.ru
viackipa.ru
vibewpav.ru
voxyqjyc.ru
wowrizep.ru
xitydjeg.ru
xyjiekfe.ru
ypvudhek.ru
zazzeqan.ru
zehyqjol.ru
zempakiv.ru
zyqutfeb.ru
fpyyb.axcakqif.ru
gipwf7i.zempakiv.ru
gkca7nkr.tyryfpix.ru
boomsco.com
larstor.com
newrect.com
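As an added example (this is not code from the original post), here is one way to make a list like the one above operational: normalise it to registrable domains so that throw-away subdomains such as fpyyb.axcakqif.ru are covered by blocking axcakqif.ru as a whole, match it against Squid-style proxy log lines, and emit RPZ records that sink each domain and all of its subdomains. Only a handful of the listed domains are used here; the log lines are constructed for illustration, and the "two labels = registrable domain" shortcut is an assumption that holds for .ru and .com but not for suffixes like .co.uk.

```python
"""Match proxy log hostnames against the Waledac domain list above.

Added example, not part of the original post. Blocklist entries are copied
from the post; the log lines are constructed. Matching is done on the
registrable domain (last two labels, which is enough for .ru/.com here), so
gipwf7i.zempakiv.ru is caught by the zempakiv.ru entry.
"""
from urllib.parse import urlsplit

# Subset of the domains listed in the post; the full list works the same way.
RAW_BLOCKLIST = """
merwiqca.ru
zempakiv.ru
fpyyb.axcakqif.ru
gkca7nkr.tyryfpix.ru
boomsco.com
"""


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (foo.bar.ru -> bar.ru).

    Assumption: every entry sits under a single-label TLD (.ru, .com).
    Multi-part suffixes such as .co.uk would need a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_blocklist(raw: str) -> set[str]:
    """Normalise the posted list into a set of registrable domains."""
    domains = set()
    for line in raw.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            domains.add(registrable_domain(entry))
    return domains


def host_from_log_field(field: str) -> str:
    """Extract the hostname from a URL or a bare host[:port] field."""
    if "://" in field:
        return (urlsplit(field).hostname or "").lower()
    return field.split(":", 1)[0].lower()


def is_blocked(host: str, blocklist: set[str]) -> bool:
    """True if the host's registrable domain is on the list (suffix match, not substring)."""
    return registrable_domain(host) in blocklist


def scan_proxy_log(lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, url) for each access log line that hits the blocklist.

    Field layout follows Squid's native access.log:
    time elapsed client_ip code/status bytes METHOD url ...
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client_ip, url = parts[2], parts[6]
        if is_blocked(host_from_log_field(url), blocklist):
            hits.append((client_ip, url))
    return hits


def to_rpz_records(blocklist: set[str]) -> list[str]:
    """Emit response policy zone records; 'CNAME .' is the RPZ NXDOMAIN action."""
    records = []
    for domain in sorted(blocklist):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    return records


# Constructed Squid-style access log lines (not from the post).
SAMPLE_LOG = [
    "1360752001.123 412 10.0.0.5 TCP_MISS/200 98304 GET http://merwiqca.ru/nothing.exe - DIRECT/198.51.100.7 application/octet-stream",
    "1360752004.456 300 10.0.0.9 TCP_MISS/200 512 GET http://gipwf7i.zempakiv.ru/ - DIRECT/198.51.100.8 text/html",
    "1360752005.789 12 10.0.0.5 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    # Lookalike: a substring match on "zempakiv.ru" would wrongly flag this one.
    "1360752009.000 80 10.0.0.11 TCP_MISS/200 1024 GET http://zempakiv.ru.example.org/ - DIRECT/203.0.113.1 text/html",
]

if __name__ == "__main__":
    bl = build_blocklist(RAW_BLOCKLIST)
    for client, url in scan_proxy_log(SAMPLE_LOG, bl):
        print(f"HIT {client} -> {url}")
    print("\n".join(to_rpz_records(bl)))
```

The wildcard RPZ record matters here: the post's own list shows the botnet using random subdomains under its .ru domains, so a blocklist that only matches exact hostnames misses them.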
Wednesday, 13 February 2013
Malware sites to block 13/2/13
Labels: Evil Network, Malware, Viruses, Waledac
Monday, 20 April 2009
barefootsies.com: possible Joe Job.
Friday, 17 April 2009
Waledac: freeservesms.com
Waledac is pretty common these days, and it usually tries to point the victim to a fake video codec that is actually a trojan, often through a sensational "news" headline or the promise of nudity.
This particular pitch promises something quite different:
Do you want to test your partner or just to read somebody's SMS? This program is exactly what you need then!
It's so easy! You don't need to install it at the mobile phone of your partner.
Just download the program and you will able to read all SMS when you are online.
Be aware of everything! This is an extremely new service!
The download file is called smstrap.exe. So this magical piece of software can read someone else's SMS messages without having to install software on the phone, right? Wrong: it's just another variant of the Waledac trojan (see the VirusTotal results and ThreatExpert prognosis).
In this case the domain in use is freeservesms.com although it is likely that there will be others (added: downloadfreesms.com is punting the same malware). For the record, the WHOIS details are:
Domain Name : freeservesms.com
Registrant Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:
Administrative Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:
Technical Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:
Billing Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:
Status :
clientDeleteProhibited
clientTransferProhibited
Domain Name Server :
ns1.moneymedal.com
ns2.moneymedal.com
ns3.moneymedal.com
ns4.moneymedal.com
ns5.moneymedal.com
ns6.moneymedal.com
Registration Date : 2009-4-13
Expiration Date : 2010-4-13
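As an added example (not code from the original post), the WHOIS record above can be parsed to pull out the things an analyst would pivot on when looking for the "others" the post expects: the registrant e-mail and the nameserver apex (moneymedal.com), plus the domain's age on the day it was seen. The record text in the block is the one quoted above with the three identical contact blocks collapsed to one; the observation date is the post's date, and the 30-day "newly registered" threshold is the example's own choice.

```python
"""Triage the WHOIS record of a suspected malware domain.

Added example, not part of the original post. WHOIS_TEXT is the
freeservesms.com record quoted in the post (identical contact blocks
collapsed to one); SEEN_ON is the post's date. The record is parsed into
pivot points (registrant e-mail, nameserver apex) and the domain's age at
the time it was seen, since a domain registered days earlier and already
pushing an .exe is a strong signal on its own.
"""
import re
from datetime import date

WHOIS_TEXT = """
Domain Name : freeservesms.com
Registrant Contact Information :
SHANGGUANMING
GONGYUWUYEYOUXIANGONGSI
jongchangde@126.com
QIANJIN, 2005451
tel:
fax:
Status :
clientDeleteProhibited
clientTransferProhibited
Domain Name Server :
ns1.moneymedal.com
ns2.moneymedal.com
ns3.moneymedal.com
ns4.moneymedal.com
ns5.moneymedal.com
ns6.moneymedal.com
Registration Date :2009-4-13
Expiration Date : 2010-4-13
"""

SEEN_ON = date(2009, 4, 17)  # date of the post

FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SCALAR_FIELDS = {"domain name", "registration date", "expiration date"}


def parse_whois(text: str) -> dict:
    """Parse a flat registrar-style WHOIS dump into a small dict.

    A 'Key :' line with no value opens a section (empty tel:/fax: lines
    harmlessly do the same); bare lines under 'Domain Name Server' and
    'Status' are collected; e-mail addresses are harvested from contact blocks.
    """
    rec = {"nameservers": [], "status": [], "emails": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            if key in SCALAR_FIELDS:
                rec[key] = value
            elif value == "":
                section = key
            continue
        if section == "domain name server":
            rec["nameservers"].append(line.lower())
        elif section == "status":
            rec["status"].append(line)
        else:
            for email in EMAIL_RE.findall(line):
                rec["emails"].add(email.lower())
    return rec


def parse_whois_date(value: str) -> date:
    """Accept the unpadded YYYY-M-D form used in this record."""
    year, month, day = (int(part) for part in value.split("-"))
    return date(year, month, day)


def apex(hostname: str) -> str:
    """ns1.moneymedal.com -> moneymedal.com (assumes a single-label TLD)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def triage(rec: dict, seen_on: date, young_days: int = 30) -> dict:
    """Summarise the pivot points and how new the domain was when seen."""
    created = parse_whois_date(rec["registration date"])
    age_days = (seen_on - created).days
    return {
        "domain": rec["domain name"],
        "age_days": age_days,
        "newly_registered": age_days <= young_days,
        "pivot_emails": sorted(rec["emails"]),
        "pivot_ns_apex": sorted({apex(ns) for ns in rec["nameservers"]}),
    }


if __name__ == "__main__":
    result = triage(parse_whois(WHOIS_TEXT), SEEN_ON)
    for key, value in result.items():
        print(f"{key}: {value}")
```

For this record the domain was four days old when the post went up, and every nameserver sits under one apex, which is the natural next query (a reverse-nameserver or reverse-WHOIS lookup on moneymedal.com and the registrant e-mail) to enumerate sibling domains before they are used.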