=========================================================
#MalwareMustDie! BLOCK THESE URLS AND 178.63.214.21 ASAP!!
@unixfreaxjp Thu Feb 7 04:37:01 2013

Blackhole "/closest/" version
Multiple landing pages, multiple payloads per landing page
At IP: 178.63.214.21 (Dynamic Addr)

---------------------------------------------------------------------------------
ASN   | Prefix        | ASName  | CN | Domain         | ISP of an IP Address
---------------------------------------------------------------------------------
24940 | 178.63.0.0/16 | HETZNER | DE | YOUR-SERVER.DE | JUST HOSTING

MO: the infector domain keeps changing, e.g.:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
44edkjhgc.mymom.info
4wjgiwgjw.mymom.info
4drguvub.mywww.biz
5uwdfhwui.mywww.biz
4tyuijhbnm.mywww.biz
5jijefijdjw.mywww.biz

===========================================================
1. http://178.63.214.21/closest/black_dragon.php
2. http://178.63.214.21/closest/984y3fh8u3hfu3jcihei.php
3. http://178.63.214.21/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
4. http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php
5. http://178.63.214.21/closest/98y7y432ufh49gj23sldkkqowpsskfnv.php
6. http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php

landing page1: http://178.63.214.21/closest/black_dragon.php --> Cridex (27/45)
jar1: https://www.virustotal.com/file/32023c224aa49ad4187f610e09cb65a1c99bc11ea11c944a39cf4ff2f1f4b5e8/analysis/1360240607/
jar2: https://www.virustotal.com/file/e22a7a11dfb2ac17de9f590f9a5f5f1f17afea5a46d9d61cef689bdd131df800/analysis/1360240617/
pdf1: https://www.virustotal.com/file/bf74ba6d5bf1ea4a16d6a11a2819667ede24baacfe7c04525a8f1baa643c911c/analysis/1360240743/
pdf2: https://www.virustotal.com/file/6357a00c86c9b36f15766e31c4c4f5cbb7385167fbfb766dd1188cb758c6c9c0/analysis/1360240751/
Payload: https://www.virustotal.com/file/7876ab47a6ef51ef87545a2634528cf0d887d62f97675c97d74175714fc975ae/analysis/1360238712/

landing page2: http://178.63.214.21/closest/984y3fh8u3hfu3jcihei.php --> Trojan Dropper DLL (run w/rundll32.exe)
pdf1: https://www.virustotal.com/file/f7c54a821afec66e89d598e767d93b86a09f2332f8245babbfdc0c7d2cef4a8d/analysis/1360243427/
pdf2: https://www.virustotal.com/file/5516d2525c0c5bf45625d1309d97a77df547a48d3517b5502e93c96c19158c80/analysis/1360243440/
jar1: https://www.virustotal.com/file/32023c224aa49ad4187f610e09cb65a1c99bc11ea11c944a39cf4ff2f1f4b5e8/analysis/
jar2: https://www.virustotal.com/file/e22a7a11dfb2ac17de9f590f9a5f5f1f17afea5a46d9d61cef689bdd131df800/analysis/
Payload: https://www.virustotal.com/file/38a4e42d8a1de1c666d3672173862eab246193e7ab800a58883a23a49bd5ef31/analysis/

The landing pages below are also loaded and weaponized:
^^^^^^^^^^^^^^^^^^^
http://178.63.214.21/closest/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php
http://178.63.214.21/closest/98y7y432ufh49gj23sldkkqowpsskfnv.php
http://178.63.214.21/closest/209tuj2dsljdglsgjwrigslgkjskga.php

----
#MalwareMustDie!! @unixfreaxjp
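Added example (not part of the original alert): a small Python matcher that turns the indicators above into a proxy-log check. It flags the hosting IP, any subdomain of the two infector parent domains (the subdomains rotate, so matching on the parent is what survives the MO described above), the Blackhole "/closest/" path, and the listed landing-page filenames. The indicator values are copied from the alert; the log format ("<epoch> <client_ip> <method> <url>") and the log lines are constructed for the example and are not real traffic.

```python
"""Match proxy-log URLs against the Blackhole '/closest/' indicators from this alert.

Indicators are copied from the alert; the log format and the sample lines are
constructed for this example (not real traffic).
"""
from urllib.parse import urlsplit

# Indicators from the alert
BAD_IP = "178.63.214.21"
BAD_PATH_PREFIX = "/closest/"                     # Blackhole path used on this host
BAD_PARENT_DOMAINS = {"mymom.info", "mywww.biz"}  # infector subdomains rotate under these
LANDING_PAGES = {
    "black_dragon.php",
    "984y3fh8u3hfu3jcihei.php",
    "98yf8913fjipgjialhg8239jgighnjh4i6k5o.php",
    "209tuj2dsljdglsgjwrigslgkjskga.php",
    "98y7y432ufh49gj23sldkkqowpsskfnv.php",
}


def matches_parent_domain(host, parents):
    """True if host equals one of the parent domains or is a subdomain of one.

    The check is label-based, so 'mymom.info.example.com' does NOT match:
    only suffixes that start at a label boundary are compared.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in parents for i in range(len(labels) - 1))


def classify_url(url):
    """Return the list of indicator names a URL matches (empty list = no match).

    Order is fixed: ip, domain, path, landing_page. The first two are strong
    indicators on their own; path and filename alone are weaker signals that
    are still reported so an analyst can triage them.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    hits = []
    if host == BAD_IP:
        hits.append("ip")
    if matches_parent_domain(host, BAD_PARENT_DOMAINS):
        hits.append("domain")
    if parts.path.startswith(BAD_PATH_PREFIX):
        hits.append("path")
    if filename in LANDING_PAGES:
        hits.append("landing_page")
    return hits


def scan_log(lines):
    """Scan '<epoch> <client_ip> <method> <url>' lines (assumed format) and return
    (client_ip, url, hits) for every line that matches at least one indicator."""
    results = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of aborting the whole scan
        client_ip, url = fields[1], fields[3]
        hits = classify_url(url)
        if hits:
            results.append((client_ip, url, hits))
    return results


# Constructed sample log lines for the example (not real traffic)
SAMPLE_LOG = [
    "1360212000 10.0.0.5 GET http://www.example.com/index.html",
    "1360212001 10.0.0.5 GET http://44edkjhgc.mymom.info/",
    "1360212002 10.0.0.5 GET http://178.63.214.21/closest/black_dragon.php",
    "1360212003 10.0.0.7 GET http://mywww.biz.example.com/closest/",
    "garbage line",
]

if __name__ == "__main__":
    for client_ip, url, hits in scan_log(SAMPLE_LOG):
        print(client_ip, url, ",".join(hits))
```

The fourth sample line is there on purpose: a host that merely contains "mywww.biz" as a prefix is not a subdomain of it and gets no domain hit, but its "/closest/" path is still reported as a weak signal. Feed real proxy logs through scan_log after adjusting the field positions to your log format.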