MalwareMustDie

Name.com LLC's hacked user's domains used to serve #Malware

Jan 11th, 2013
====================================================
#MalwareMustDie!
Registrar Name.com LLC's stolen/hacked users' domains
are used to serve an evil DNS malware infector
with base service IP:PORT 173.246.102.246:80
Serving Blackhole (exploit kit) landing pages & ransomware
@unixfreaxjp /malware]$ date
Fri Jan 11 20:18:19 JST 2013
====================================================
 
//Infector IP to block:
 
173.246.102.246
 
 
//Infector domains (note the "11." subdomain prefix on every hijacked domain):
 
11.livinghistorytheatre.ca
11.laptopvspc.com
11.sephoracouponscode.com
11.awarenesscreateschange.com
11.livinghistorytheatre.com
11.b2cviaggi.com
11.13dayz.com
11.lamarianella.info
11.lwin.ws
11.studiocitynorth.tv
11.scntv.tv
:
 
 
===========================
Malware infector activities
===========================
 
// Blackhole (exploit kit) landing pages:
 
http://11.lamarianella.info/read/engineering_best.php
 
http://11.studiocitynorth.tv/read/defined_regulations-frequently.php?eshx=1m:30:2v:1h:1k&fkil=1h:1l:1k:2v:32:2w:32:30:1f:1o&xkqsl=1i&lcmsip=juhkht&pszv=ldafumo
 
http://11.studiocitynorth.tv/read/defined_regulations-frequently.php?iakwxmo=1m:30:2v:1h:1k&mtall=1h:1l:1k:2v:32:2w:32:30:1f:1o&cwyop=1i&npjhxobh=xylrx&dwx=fgqc
 
http://11.studiocitynorth.tv/read/defined_regulations-frequently.php?ibpxx=1m:30:2v:1h:1k&khxl=1h:1l:1k:2v:32:2w:32:30:1f:1o&wutyjk=1i&rfmnwhj=havwt&zxzd=lxpghowa
 
http://11.studiocitynorth.tv/read/defined_regulations-frequently.php?wilfelbh=1m:30:2v:1h:1k&agr=1h:1l:1k:2v:32:2w:32:30:1f:1o&eokmsy=1i&zqkgp=ogwhwrwi&pfs=faz
 
 
// Payload malware trojans:
 
http://11.lamarianella.info/adobe/update_flash_player.exe //Ransomware
http://11.laptopvspc.com/adobe/update_flash_player.exe //Ransomware
http://11.b2cviaggi.com/adobe/update_flash_player.exe //Ransomware
http://11.13dayz.com/adobe/update_flash_player.exe //Zbot
http://11.duote.com.cn/papawnagshangyoulaingkdie.zip //Dropper
:
 
//URLQuery records:
http://urlquery.net/search.php?q=173.246.102.246&type=string&start=2012-12-27&end=2013-01-11&max=100
 
//Name resolution PoC (every infector host resolves to the same IP):
 
Resolving 11.lamarianella.info... seconds 0.00, 173.246.102.246
Caching 11.lamarianella.info => 173.246.102.246
Connecting to 11.lamarianella.info|173.246.102.246|:80
 
Resolving 11.studiocitynorth.tv... seconds 0.00, 173.246.102.246
Caching 11.studiocitynorth.tv => 173.246.102.246
Connecting to 11.studiocitynorth.tv|173.246.102.246|:80... seconds
 
Resolving 11.laptopvspc.com... seconds 0.00, 173.246.102.246
Caching 11.laptopvspc.com => 173.246.102.246
Connecting to 11.laptopvspc.com|173.246.102.246|:80
 
Resolving 11.b2cviaggi.com... seconds 0.00, 173.246.102.246
Caching 11.b2cviaggi.com => 173.246.102.246
Connecting to 11.b2cviaggi.com|173.246.102.246|:80
 
Resolving 11.13dayz.com... seconds 0.00, 173.246.102.246
Caching 11.13dayz.com => 173.246.102.246
Connecting to 11.13dayz.com|173.246.102.246|:80
 
 
// Random-subdomain EVIL DNS servers used, name pattern and registrar:
 
----------------------------------------------------
ns[a-z0-9]{4}\.name\.com Registrar: NAME.COM LLC
----------------------------------------------------
ns1fkl.name.com.
ns4bht.name.com.
ns3cfp.name.com.
ns2nsw.name.com.
----------------------------
 
Registrar: NAME.COM LLC
Server Name: NS1FKL.NAME.COM
IP Address: 108.168.138.47
Server Name: NS3CFP.NAME.COM
IP Address: 208.43.116.46
Server Name: NS4BHT.NAME.COM
IP Address: 184.72.223.255
Server Name: NS2NSW.NAME.COM
IP Address: 5.153.6.221
 
 
// PoC (dig output)
 
;; AUTHORITY SECTION:
lamarianella.info. 3600 IN NS ns4fmx.name.com.
lamarianella.info. 3600 IN NS ns2dhj.name.com.
lamarianella.info. 3600 IN NS ns3flt.name.com.
lamarianella.info. 3600 IN NS ns1kpv.name.com.
 
13dayz.com. 3600 IN NS ns1fkl.name.com.
13dayz.com. 3600 IN NS ns4bht.name.com.
13dayz.com. 3600 IN NS ns3cfp.name.com.
13dayz.com. 3600 IN NS ns2nsw.name.com.
 
studiocitynorth.tv. 3600 IN NS ns3cfp.name.com.
studiocitynorth.tv. 3600 IN NS ns4bht.name.com.
studiocitynorth.tv. 3600 IN NS ns2nsw.name.com.
studiocitynorth.tv. 3600 IN NS ns1fkl.name.com.
:
 
(etc etc ...)
 
;; ADDITIONAL SECTION:
ns1fkl.name.com. 453 IN A 108.168.138.47
ns2nsw.name.com. 453 IN A 5.153.6.221
ns3cfp.name.com. 1394 IN A 208.43.116.46
ns4bht.name.com. 2374 IN A 184.72.223.255
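An added example, not part of the original paste: a small Python IoC matcher that reads resolver output in the same shape as the name resolution PoC above plus dig NS records, and flags hosts resolving to 173.246.102.246, connections to that IP, and delegations matching the ns[a-z0-9]{4}.name.com pattern; it also classifies URLs by the "11." host prefix and the /read/*.php and /adobe/update_flash_player.exe paths listed above. The sample lines are constructed to mirror the paste; the path regexes are an assumption drawn from the URLs shown here, not a published signature.

```python
import re

# Indicators taken from the paste; the regexes around them are constructed.
INFECTOR_IP = "173.246.102.246"
EVIL_HOST = re.compile(r"^11\.[a-z0-9-]+(\.[a-z0-9-]+)+$")        # 11.<hijacked domain>
LANDING = re.compile(r"^/read/[a-z_-]+\.php$")                    # Blackhole landing page path
PAYLOAD = re.compile(r"^/adobe/update_flash_player\.exe$")        # dropped trojan path
NAMECOM_NS = re.compile(r"^ns[a-z0-9]{4}\.name\.com\.?$", re.I)   # pattern quoted in the paste
RESOLVE = re.compile(r"^Resolving (\S+?)\.\.\. seconds [\d.]+, (\d{1,3}(?:\.\d{1,3}){3})")
CONNECT = re.compile(r"^Connecting to (\S+?)\|(\d{1,3}(?:\.\d{1,3}){3})\|:(\d+)")
NS_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)")

def classify_url(url):
    """Return 'landing', 'payload' or 'other' from the 11.* host and the path."""
    m = re.match(r"^https?://([^/?#]+)([^?#]*)", url)
    if not m or not EVIL_HOST.match(m.group(1).lower()):
        return "other"
    path = m.group(2) or "/"
    if PAYLOAD.match(path):
        return "payload"
    if LANDING.match(path):
        return "landing"
    return "other"

def scan(lines):
    """Walk resolver output and dig NS records; return what hit the indicators."""
    hits = {"resolved": [], "connected": [], "namecom_ns": []}
    for line in lines:
        line = line.strip()
        if (m := RESOLVE.match(line)) and m.group(2) == INFECTOR_IP:
            hits["resolved"].append(m.group(1))
        elif (m := CONNECT.match(line)) and m.group(2) == INFECTOR_IP:
            hits["connected"].append(f"{m.group(1)}:{m.group(3)}")
        elif (m := NS_RR.match(line)) and NAMECOM_NS.match(m.group(2)):
            hits["namecom_ns"].append(m.group(1).rstrip("."))
    return hits

# Constructed sample: lines shaped like the paste, plus one clean host.
SAMPLE = [
    "Resolving 11.13dayz.com... seconds 0.00, 173.246.102.246",
    "Connecting to 11.13dayz.com|173.246.102.246|:80",
    "Resolving www.example.org... seconds 0.01, 192.0.2.10",
    "13dayz.com. 3600 IN NS ns1fkl.name.com.",
    "example.org. 3600 IN NS a.iana-servers.net.",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(classify_url("http://11.13dayz.com/adobe/update_flash_player.exe"))
```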
 
 
// IDs:
 
Domain ID:D36007326-LRMS
Domain Name:LAMARIANELLA.INFO
Created On:23-Dec-2010 14:39:09 UTC
Last Updated On:23-Dec-2012 22:22:07 UTC
Expiration Date:23-Dec-2013 14:39:09 UTC
Sponsoring Registrar:Name.com LLC (R279-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:ncr-257697-b88ed
Registrant Name:Luca Vignali
Registrant Organization:EasyAdmin web technologies di Luca Vignali
Registrant Street1:vie E. Fermi 8
Registrant Street2:
Registrant Street3:
Registrant City:Montemerano
Registrant State/Province:Grosseto
Registrant Postal Code:58014
Registrant Country:IT
Registrant Phone:+39.3392353115
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:web.easyadmin@gmail.com
 
Domain Name: 13dayz.com
Registrar: Name.com LLC
Expiration Date: 2013-11-25 16:27:23
Creation Date: 2012-11-25 16:27:23
 
Name Servers:
ns1fkl.name.com
ns2nsw.name.com
ns3cfp.name.com
ns4bht.name.com
 
REGISTRANT CONTACT INFO
Christopher Healy
Christopher Healy
60 Ruddington Drive
Apt 408
Toronto
ON
M2K 2J9
CA
Phone: +1.4168849466
Email Address: chrishealytv@gmail.com
 
 
Domain Name: studiocitynorth.tv
Registrar: Name.com LLC
Expiration Date: 2013-10-29 14:57:32
Creation Date: 2007-10-29 14:57:32
 
Name Servers:
ns1fkl.name.com
ns2nsw.name.com
ns3cfp.name.com
ns4bht.name.com
 
REGISTRANT CONTACT INFO
Whois Privacy Protection Service, Inc.
Whois Agent
PMB 368, 14150 NE 20th St - F1
Bellevue
WA
98007
US
Phone: +1.4252740657
Fax: +1.4259744730
Email Address: studiocitynorth.tv@protecteddomainservices.com
 
 
Domain Name: laptopvspc.com
Registrar: Name.com LLC
Expiration Date: 2013-04-08 08:50:28
Creation Date: 2012-04-08 08:50:28
 
Name Servers:
ns1dhq.name.com
ns2btz.name.com
ns3jwx.name.com
ns4jpz.name.com
 
REGISTRANT CONTACT INFO
ariyanto
ariyanto ,
dsn kelir rt/rw 04/01 desa jintung
kecamatan ayah kabupaten kebumen
kebumen
jawa tengah
54473
ID
Phone: +1.6285224790040
Email Address: ary_miraclepitu@yahoo.com
 
----
#MalwareMustDie!