MalwareMustDie

#MalwareMustDie! Kuluoz CnC list

Jul 8th, 2013
// #MalwareMustDie! Win32/Kuluoz.B CnC list..
// FakeAV spreader, spam campaign attachment (mostly zips)
// Within a week we made three takes (captures) of these CnC addresses
// The usually used port, 8080, is not written; other ports are noted in parentheses
// Blocking these IPs on ports 8080 or 993 is one way of mitigation
// For cleanup purposes, I will keep on adding these..

// Service signature (header)
// nginx proxies, e.g.:

Server: nginx/1.2.6
Date: Mon, 08 Jul 2013 07:56:51 GMT
Content-Type: text/html
Content-Length: 20
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding
Content-Encoding: gzip

// take one..


// take two..


// take three..


// CnC data from config (decrypted)
// CnC data extracted from spam config:

// Unique historical:

// up and alive PoC:

Nmap done: 19 IP addresses (18 hosts up) scanned in 3.87 seconds

// Scan the proxies in use on 8080:

Scanning 18 hosts [1 port/host]

// Scan port 993:


#MalwareMustDie!
$ date
Mon Jul 10 15:00:02 JST 2013