====================================================================
// #MalwareMustDie - Evidence of Malware Infector
// CoolExploit Malware Infector,
// Served IP ADDRESS 64.120.190.183
// Infector URL: h00p://64.120.190.183/news/FLAT.DHTI
// Connecting to 192.168.7.11:80... seconds 0.00, connected.
// Registrant leads to bob@bobfaith.com (LOL), a hacked domain;
// looks like some cyber criminal seriously wants to frame Bob Faith.
====================================================================

============================
INTERNET / DOMAINS / REGISTRANT
============================

// Infector domains used (with the typical CoolEK callback PseudoDomain)
50f2c40a75730.buyliftem.org           A  64.120.190.183
50f3308d0dc4d.mentalfocus.org         A  64.120.190.183
50f2d9ddf1471.azhypnotistbob.com      A  64.120.190.183
50f2afa39be68.azreptheatre.com        A  64.120.190.183
50f28a4b9a4fe.tempeazhomeloans.com    A  64.120.190.183
50f30534b0cb0.hypnoaz.com             A  64.120.190.183
50f34659158a0.mentalfocusaz.com       A  64.120.190.183
50f31ac55ce66.hypnotherapyaz.com      A  64.120.190.183

All of these lead to the CoolExploit Malware Infector at 64.120.190.183
via URL: h00p://64.120.190.183/news/FLAT.DHTI
Evidence: pic at https://twitter.com/kafeine/status/290607837250457600

// PoC: the current Pseudo Domain is resolving to 64.120.190.183
@unixfreaxjp /malware/checkdomains]$ date
Mon Jan 14 15:51:39 JST 2013
@unixfreaxjp /malware/checkdomains]$ dig 50f31ac55ce66.hypnotherapyaz.com

; <<>> DiG 9.8.1-P1 <<>> 50f31ac55ce66.hypnotherapyaz.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49149
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;50f31ac55ce66.hypnotherapyaz.com.      IN  A

;; ANSWER SECTION:
50f31ac55ce66.hypnotherapyaz.com. 1755  IN  A   64.120.190.183

;; AUTHORITY SECTION:
hypnotherapyaz.com.       3555  IN  NS  ns16.domaincontrol.com.
hypnotherapyaz.com.       3555  IN  NS  ns15.domaincontrol.com.

;; ADDITIONAL SECTION:
ns15.domaincontrol.com.   768   IN  A   216.69.185.8
ns16.domaincontrol.com.   3568  IN  A   208.109.255.8

;; Query time: 15 msec
;; SERVER: 202.238.95.24#53(202.238.95.24)
;; WHEN: Mon Jan 14 15:51:53 2013
;; MSG SIZE  rcvd: 150

============================
DNS SERVICE USED
============================
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM
Related DNS Service: NSxxx.DOMAINCONTROL.COM

============================
THE REGISTRANT BEHIND THIS
============================

// The below domains were registered to the same registrant contact:
// mentalfocus.org, azhypnotistbob.com, hypnoaz.com, mentalfocusaz.com, hypnotherapyaz.com

Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
bob@bobfaith.com

// must be a hacked domain (other hacked domains also used, see the PoC/Evidence part below)

// PoC/Evidence:

Domain ID:D164373631-LROR
Domain Name:MENTALFOCUS.ORG
Created On:12-Jan-2012 20:35:36 UTC
Last Updated On:13-Jan-2013 01:35:22 UTC
Expiration Date:12-Jan-2014 20:35:36 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:CR102662608
Registrant Name:Bob Faith
Registrant Organization:Bob Faith Entertainment
Registrant Street1:660 S Parkcrest
Registrant Street2:
Registrant Street3:
Registrant City:Mesa
Registrant State/Province:Arizona
Registrant Postal Code:85206
Registrant Country:US
Registrant Phone:+1.4808980023
Registrant Phone Ext.:
Registrant FAX:+1.4808980023
Registrant FAX Ext.:
Registrant Email:bob@bobfaith.com
Admin ID:CR102662610
Admin Name:Bob Faith
Admin Organization:Bob Faith Entertainment
Admin Street1:660 S Parkcrest
Admin Street2:
Admin Street3:
Admin City:Mesa
Admin State/Province:Arizona
Admin Postal Code:85206
Admin Country:US
Admin Phone:+1.4808980023
Admin Phone Ext.:
Admin FAX:+1.4808980023
Admin FAX Ext.:
Admin Email:bob@bobfaith.com

Domain Name: AZHYPNOTISTBOB.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: AZHYPNOTISTBOB.COM
Created on: 13-Jan-12
Expires on: 13-Jan-13
Last Updated on: 13-Jan-12

Registrant:
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States

Administrative Contact:
Faith, Bob  bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023  Fax -- (480) 898-0023

Technical Contact:
Faith, Bob  bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023  Fax -- (480) 898-0023

Domain servers in listed order:
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

Domain Name: HYPNOAZ.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-dec-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2015

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: HYPNOAZ.COM
Created on: 13-Jan-12
Expires on: 13-Jan-15
Last Updated on: 13-Dec-12

Registrant:
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States

Administrative Contact:
Faith, Bob  bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023  Fax -- (480) 898-0023

Technical Contact:
Faith, Bob  bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023  Fax -- (480) 898-0023

Domain servers in listed order:
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

Domain Name: MENTALFOCUSAZ.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-jan-2013
Creation Date: 12-jan-2012
Expiration Date: 12-jan-2014

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: MENTALFOCUSAZ.COM
Created on: 12-Jan-12
Expires on: 12-Jan-13
Last Updated on: 12-Jan-12

Registrant:
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States

Administrative Contact:
Faith, Bob  bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
+1.4808980023  Fax -- +1.4808980023

Technical Contact:
Faith, Bob  bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
+1.4808980023  Fax -- +1.4808980023

Domain servers in listed order:
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

Domain Name: HYPNOTHERAPYAZ.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: HYPNOTHERAPYAZ.COM
Created on: 13-Jan-12
Expires on: 13-Jan-13
Last Updated on: 13-Jan-12

Registrant:
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States

Administrative Contact:
Faith, Bob  bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023  Fax -- (480) 898-0023

Technical Contact:
Faith, Bob  bob@bobfaith.com
Bob Faith Entertainment
660 S Parkcrest
Mesa, Arizona 85206
United States
(480) 898-0023  Fax -- (480) 898-0023

Domain servers in listed order:
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

Domain ID:D164348967-LROR
Domain Name:BUYLIFTEM.ORG
Created On:10-Jan-2012 16:36:00 UTC
Last Updated On:11-Jan-2013 11:21:18 UTC
Expiration Date:10-Jan-2014 16:36:00 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:CR102449532
Registrant Name:Zoe Yeoman
Registrant Organization:Lift 'Em, LLC
Registrant Street1:Post Office Box 40283
Registrant Street2:
Registrant Street3:
Registrant City:Phoenix
Registrant State/Province:Arizona
Registrant Postal Code:85067
Registrant Country:US
Registrant Phone:+1.6022341200
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:zoeyeoman@hotmail.com
Admin ID:CR102449534
Admin Name:Zoe Yeoman
Admin Organization:Lift 'Em, LLC
Admin Street1:Post Office Box 40283
Admin Street2:
Admin Street3:
Admin City:Phoenix
Admin State/Province:Arizona
Admin Postal Code:85067
Admin Country:US
Admin Phone:+1.6022341200
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:zoeyeoman@hotmail.com

Domain Name: AZREPTHEATRE.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS51.DOMAINCONTROL.COM
Name Server: NS52.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 01-oct-2012
Creation Date: 30-sep-2010
Expiration Date: 30-sep-2014

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: AZREPTHEATRE.COM
Created on: 30-Sep-10
Expires on: 30-Sep-14
Last Updated on: 01-Oct-12

Registrant:
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States

Administrative Contact:
Private, Registration  AZREPTHEATRE.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
(480) 624-2599  Fax -- (480) 624-2598

Technical Contact:
Private, Registration  AZREPTHEATRE.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
(480) 624-2599  Fax -- (480) 624-2598

Domain servers in listed order:
NS51.DOMAINCONTROL.COM
NS52.DOMAINCONTROL.COM

Domain Name: TEMPEAZHOMELOANS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS15.DOMAINCONTROL.COM
Name Server: NS16.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 15-jan-2012
Creation Date: 15-jan-2012
Expiration Date: 15-jan-2014

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: TEMPEAZHOMELOANS.COM
Created on: 15-Jan-12
Expires on: 15-Jan-14
Last Updated on: 15-Jan-12

Registrant:
John Cabello
270 E. Pinion Way
Gilbert, Arizona 85234
United States

Administrative Contact:
Cabello, John  john@cabellohomeloans.com
270 E. Pinion Way
Gilbert, Arizona 85234
United States
(602) 326-5626

Technical Contact:
Cabello, John  john@cabellohomeloans.com
270 E. Pinion Way
Gilbert, Arizona 85234
United States
(602) 326-5626

Domain servers in listed order:
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

============================
ADDITIONAL: NETWORK / IP
============================

// Where it is hosted, and the abuse contact PIC
IP: 64.120.190.183
Reverse IP Pointer: 64-120-190-183.static.hostnoc.net

NetRange:       64.120.128.0 - 64.120.255.255
CIDR:           64.120.128.0/17
OriginAS:       AS21788
NetName:        HOSTNOC-5BLK
NetHandle:      NET-64-120-128-0-1
Parent:         NET-64-0-0-0-0
NetType:        Direct Allocation
RegDate:        2009-04-27
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-64-120-128-0-1

OrgName:        Network Operations Center Inc.
OrgId:          NOC
Address:        PO Box 591
City:           Scranton
StateProv:      PA
PostalCode:     18501-0591
Country:        US
RegDate:        2001-04-04
Updated:        2011-09-24
Comment:        Abuse Dept: abuse@hostnoc.net
Ref:            http://whois.arin.net/rest/org/NOC

OrgAbuseHandle: SMA4-ARIN
OrgAbuseName:   Arcus, S. Matthew
OrgAbusePhone:  +1-570-343-2200
OrgAbuseEmail:  nic@hostnoc.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/SMA4-ARIN

----
#MalwareMustDie!
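Added detection example (not part of the original MalwareMustDie evidence; the resolver log lines are constructed): it flags the 13-hex-label callback pseudo-domain pattern listed above, clusters the lookups by resolved IP so that one infector fronting several unrelated compromised parent domains stands out (as 64.120.190.183 does here), and lists the internal clients to triage. The `label_epoch` helper assumes the labels are PHP uniqid()-style, with the first 8 hex digits a Unix timestamp; that is an assumption of this example, not something the page states.

```python
import re
from collections import defaultdict

# Callback pseudo-domains of the kind listed on the page: a 13-character
# lowercase hex label prepended to a legitimate (compromised) domain.
PSEUDO_LABEL = re.compile(r"^[0-9a-f]{13}$")

# Constructed resolver-log sample (not a real capture); fields are
# "<utc-timestamp> <client> <qname> <rrtype> <answer>".
SAMPLE_LOG = """\
2013-01-14T06:51:53Z 10.0.0.5 50f31ac55ce66.hypnotherapyaz.com A 64.120.190.183
2013-01-14T06:52:10Z 10.0.0.7 50f2c40a75730.buyliftem.org A 64.120.190.183
2013-01-14T06:52:31Z 10.0.0.5 www.hypnotherapyaz.com A 203.0.113.10
2013-01-14T06:53:02Z 10.0.0.9 50f28a4b9a4fe.tempeazhomeloans.com A 64.120.190.183
2013-01-14T06:53:40Z 10.0.0.9 mail.example.net A 198.51.100.2
2013-01-14T06:54:05Z 10.0.0.7 abcdef0123456.example.org A 198.51.100.9
"""

def is_pseudo_domain(qname):
    """True when the leftmost label matches the 13-hex pseudo-domain pattern
    and a registrable parent domain (at least two labels) follows it."""
    label, _, parent = qname.partition(".")
    return bool(PSEUDO_LABEL.match(label)) and parent.count(".") >= 1

def label_epoch(label):
    """ASSUMPTION (not stated on the page): the labels look like PHP uniqid()
    output, whose first 8 hex digits are seconds since the Unix epoch."""
    return int(label[:8], 16)

def find_infector_clusters(log_text, min_domains=2):
    """Group pseudo-domain A answers by the IP they resolve to. One IP
    fronting pseudo-domains under several unrelated parents is the
    shared-infector signal; the parents are the sites to notify and the
    clients are the internal hosts to triage."""
    parents, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, qname, rrtype, answer = line.split()
        if rrtype != "A" or not is_pseudo_domain(qname):
            continue
        parents[answer].add(qname.split(".", 1)[1])
        clients[answer].add(client)
    return {ip: {"parents": sorted(p), "clients": sorted(clients[ip])}
            for ip, p in parents.items() if len(p) >= min_domains}

if __name__ == "__main__":
    for ip, info in find_infector_clusters(SAMPLE_LOG).items():
        print(ip, "fronts pseudo-domains under:", ", ".join(info["parents"]))
        print("  clients to triage:", ", ".join(info["clients"]))
```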