===================================================
#MalwareMustDie - Cool Exploit Kit Infectors Crusade
Research Data - Shared for the Blocking Purpose ONLY
Checked by : @unixfreaxjp
/malware]$ date
Tue Jan 15 19:48:40 JST 2013
===================================================

=================== 72.46.132.214 ===================
50f2e82b777c7.bobfaith.com/news/ARCHBISHOP/OPERATION.PHP5
50f2e0e1f35ef.azhypnotistbob.com/news/ARCHBISHOP/OPERATION.PHP5
50f2cb535212f.azhypno.com/news/ARCHBISHOP/OPERATION.PHP5
50f2e82b777c7.bobfaith.com/news/Sun_Relinquish.aspx
50f2e0e1f35ef.azhypnotistbob.com/news/Bible.phps

// with additional possibilities:
50f337d06c182.mentalfocus.org
50f3ec90cd3e0.sportsfocus.org
50f2a2c25a1f4.arizonareptheatre.com
50f2a86714d29.azreptheatre.com
50f289732df55.arizonarepertorytheatre.com
50f2b63491312.buyliftem.com
50f2cb535212f.azhypno.com
50f39fe3d7007.socialmediahypnotist.com
50f34d99e5ea9.quitsmokingaz.com
50f30c7628d58.hypnoaz.com
50f2f6b923593.healthhypnosisaz.com
50f2fdf67d0ad.healthhypnosisaz.com
50f33f178173a.mentalfocusaz.com
50f3294603c37.loseweightaz.com
50f322095740b.loseweightaz.com
50f3138673ee9.hypnotherapyaz.com
50f2bd7964ae8.buyliftem.net
50f282b40a901.bestbridalregistry.net

=================== 64.120.190.183 ===================
50f31ac55ce66.hypnotherapyaz.com/news/Guilt.phtm
50f2d9ddf1471.azhypnotistbob.com/news/Bible.phps
50f2d9ddf1471.azhypnotistbob.com/news/Guilt.phtm

=================== 46.165.209.218 ===================
geto.mysuperwelfare.net/contacts/Sale.Dilute.jsp
viagra.pharmacylegasy.com/contacts/electron_turn.php3
umyaovatet.dewaserto.com/public/Fury.phtm
goel.mysuperwelfare.net/contacts/Sale.Dilute.jsp
gula.mysuperhealthinfo.com/contacts/Sale.Dilute.jsp
cialis.pharma-services.com/contacts/economics.shtml
levitra.pharmaparty.com/contacts/economics.shtml
foru.superhealthye.com/contacts/Sale.Dilute.jsp
hope.mysuperhealthinfo.com/contacts/Sale.Dilute.jsp
scor.superhealthye.com/contacts/Sale.Dilute.jsp

// PoC of activated domains:
$ date
Tue Jan 15 18:18:24 JST 2013
$ bash check.sh
$ cat details.csv
geto.mysuperwelfare.net,46.165.209.218,
viagra.pharmacylegasy.com,46.165.209.218,
umyaovatet.dewaserto.com,46.165.209.218,
goel.mysuperwelfare.net,46.165.209.218,
gula.mysuperhealthinfo.com,46.165.209.218,
cialis.pharma-services.com,46.165.209.218,
levitra.pharmaparty.com,46.165.209.218,
foru.superhealthye.com,46.165.209.218,
hope.mysuperhealthinfo.com,46.165.209.218,
// the possibilities of this IP are huge... can't paste them here.. hundreds!

================ 46.28.71.85 ================
50ed011e85acc.bobbi-starr-tube.com/news/Budget_Focus.html 46.28.71.85
50ec62f02c992.ashlynn-brooke-tube.com/news/Violent/Lengthy.php5 46.28.71.85
50ec4d638626f.aria-giovanni-tube.com/news/Punch/Valuable.jsp 46.28.71.85
50eee51b7f359.createlivingwater.org/news/SLEEVE.PHP3 46.28.71.26
( still updating...)

================ 188.120.230.142 ================
50f233ebe3465.bridalregistry4adownpayment.net/news/ARCHBISHOP/OPERATION.PHP5 188.120.230.142
50f1de9962a55.barrynemet.com/news/STATEMENT.PRESENT.HTML 188.120.230.142
50f2500414440.ourdownpayment.biz/news/Bible.phps 188.120.230.142
( still updating...)

================ 193.150.0.202 ================
50f1f97a16de5.serenedentalaz.com/news/ARCHBISHOP/OPERATION.PHP5 193.150.0.202
50f257570ee2f.ourdownpayment.com/news/Bible.phps 193.150.0.202
50f066e4da692.virtueelectric.com/news/CONVENE.PHP4 193.150.0.201
( still updating...)

================ 173.237.198.25 ================
50f1a4b606e1f.allinonecontracting.biz/news/ARCHBISHOP/OPERATION.PHP5 173.237.198.25
50f17ac105471.airreducer1.com/news/ray.dhtml 173.237.198.25
50f1d0136ff36.allinonemaintenance.info/news/Bible.phps 173.237.198.25
( still updating...)

================ 178.63.150.225 ================
50ee9b85f0fbe.iswatertheanswer.com/news/wise.php4 178.63.150.225
50eebf5c6c4e0.antijesus.com/news/COMBINE.RETIRED.PHP 178.63.150.225
( still updating...)

================ 31.131.27.114 ================
50ec9a3dc6911.bbw-streaming.com/news/thermal_fellow.htm 31.131.27.114
50eda9734eecf.thewateruniversity.com/news/Connection.php5 31.131.27.114
( still updating...)

================ 184.82.27.130 ================
50ee3baab1dd6.pandorasantan.biz/news/COSTLY-PROCURE.PHTML 184.82.27.130
50edcab2d9c86.themarketdisruption.com/news/LINGER.CGI 184.82.27.130
( still updating...)

// some just popped up...
fiqaturhalwoaenu.myftp.org/read/offer-canvas.jsp 67.211.197.32
50ef0ba01bb78.educationandskills.com/news/CUTTING.CGI 185.10.211.11
drls.info/news/CUTTING.CGI 5.199.135.103
( still updating...)

-----
#MalwareMustDie
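The paste is shared for blocking, and the "PoC of activated domains" block shows a check.sh whose output (host,ip, per line in details.csv) confirms which hosts still resolve to the listed IP; the script itself is not on the page. The following is an added example, not #MalwareMustDie's code: it parses the list in the layout used above into (host, path, ip) records, builds a hosts-file sinkhole list plus the set of server IPs, and re-creates the details.csv check with an injected resolver so it runs offline (pass socket.gethostbyname for a live run). The 13-hex-character leading label on most hostnames (e.g. 50f2e82b777c7) decodes, on the assumption that it is PHP uniqid() output (8 hex digits of Unix seconds followed by 5 hex digits of microseconds), to a timestamp a few days before the paste date; that decoding is this example's inference, not a claim the paste makes. The SAMPLE text is a constructed excerpt of the list above.

```python
"""Added example (not part of the #MalwareMustDie paste): parse the IOC
list, decode the uniqid-like host prefixes, emit blocklists, and re-create
the details.csv resolution check with an injectable resolver."""
import re
from datetime import datetime, timezone

# Constructed excerpt in the paste's own layout: a header line per IP,
# then one URL per line, optionally followed by the resolving IP.
SAMPLE = """\
=================== 72.46.132.214 ===================
50f2e82b777c7.bobfaith.com/news/ARCHBISHOP/OPERATION.PHP5
50f2e0e1f35ef.azhypnotistbob.com/news/Bible.phps
================ 46.28.71.85 ================
50ed011e85acc.bobbi-starr-tube.com/news/Budget_Focus.html 46.28.71.85
50eee51b7f359.createlivingwater.org/news/SLEEVE.PHP3 46.28.71.26
( still updating...)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER_RE = re.compile(r"^=+\s*(" + IPV4 + r")\s*=+$")
ENTRY_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.-]+)(?P<path>/\S*)?(?:\s+(?P<ip>" + IPV4 + r"))?$")
UNIQID_RE = re.compile(r"^[0-9a-f]{13}\.")  # 13 lowercase hex chars then a dot


def parse_iocs(text):
    """Return a list of {host, path, ip}. The IP comes from the entry itself
    when present (later sections), otherwise from the enclosing header."""
    records, section_ip = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//") or line.startswith("("):
            continue  # comments and "( still updating...)" markers
        m = HEADER_RE.match(line)
        if m:
            section_ip = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and "." in m.group("host"):
            records.append({"host": m.group("host").lower(),
                            "path": m.group("path") or "",
                            "ip": m.group("ip") or section_ip})
    return records


def decode_prefix(host):
    """Assumption: the 13-hex leading label is PHP uniqid() output, i.e.
    8 hex digits of Unix seconds + 5 hex digits of microseconds. Returns the
    seconds part as a UTC datetime, or None if the host has no such label."""
    if not UNIQID_RE.match(host):
        return None
    return datetime.fromtimestamp(int(host[:8], 16), tz=timezone.utc)


def hosts_blocklist(records, sink="0.0.0.0"):
    """Deduplicated hosts-file lines sinkholing every listed hostname."""
    return sorted({f"{sink} {r['host']}" for r in records})


def ip_set(records):
    """The server IPs: blocking these is more robust than per-hostname
    entries, since the paste notes hundreds of hostnames per IP."""
    return sorted({r["ip"] for r in records if r["ip"]})


def check_resolution(records, resolve):
    """Re-creation of what the paste's check.sh appears to do: resolve each
    host and report whether it still points at the listed IP. `resolve` is
    injected (socket.gethostbyname for a live run) so this works offline."""
    results = []
    for r in records:
        try:
            actual = resolve(r["host"])
        except OSError:
            actual = None
        results.append((r["host"], r["ip"], actual, actual == r["ip"]))
    return results


def details_csv(results):
    """Lines in the layout of the paste's details.csv: host,ip, for each
    host that still resolves to its listed IP."""
    return [f"{host},{actual}," for host, _, actual, ok in results if ok]


if __name__ == "__main__":
    recs = parse_iocs(SAMPLE)
    for r in recs:
        print(r["host"], r["ip"], decode_prefix(r["host"]))
    print("\n".join(hosts_blocklist(recs)))
    print("IPs:", ", ".join(ip_set(recs)))
```

Note that the uniqid-style labels are unique per hostname, so a hosts-file entry only blocks the exact label seen; the IP set, or a resolver/proxy rule on the parent domain, covers the "additional possibilities" the paste says it cannot list in full.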