MalwareMustDie

#MalwareMustDie - Loaded+Weaponized BHEK 2012 Dec 22 -1

Dec 21st, 2012
===============================================
#MalwareMustDie! Fri Dec 21 22:25:12 JST 2012
Updated: Sat Dec 22 23:59 JST 2012
Three Russian (.RU) malware-infector domains serving an exploit kit
===============================================

Domains: afjdoospf.ru, akionokao.ru, apendiksator.ru
Proxy: nginx/1.0.10 (port 8080)
Server: Apache/2.2.16 (Debian)
PHP/5.3.18-1~dotdeb.0
Exploit Kit: BlackHole EK v2.x

Active IPs & domains:

afjdoospf.ru     A  210.71.250.131
akionokao.ru     A  210.71.250.131
apendiksator.ru  A  210.71.250.131
bilainkos.ru     A  210.71.250.131

afjdoospf.ru     A  91.224.135.20
akionokao.ru     A  91.224.135.20
apendiksator.ru  A  91.224.135.20
bilainkos.ru     A  91.224.135.20

afjdoospf.ru     A  187.85.160.106
akionokao.ru     A  187.85.160.106
apendiksator.ru  A  187.85.160.106
bilainkos.ru     A  187.85.160.106

// Connection PoC:

--2012-12-21 22:07:45--
Resolving akionokao.ru (akionokao.ru)... 210.71.250.131, 91.224.135.20, 187.85.160.106
Caching akionokao.ru => 210.71.250.131 91.224.135.20 187.85.160.106
Connecting to akionokao.ru (akionokao.ru)|210.71.250.131|:8080... connected.

Caching apendiksator.ru => 210.71.250.131 91.224.135.20 187.85.160.106
Connecting to apendiksator.ru (apendiksator.ru)|210.71.250.131|:8080... connected.

Caching afjdoospf.ru => 210.71.250.131 91.224.135.20 187.85.160.106
Connecting to afjdoospf.ru (afjdoospf.ru)|210.71.250.131|:8080... connected.

Resolving bilainkos.ru (bilainkos.ru)... 210.71.250.131, 187.85.160.106, 91.224.135.20
Connecting to bilainkos.ru (bilainkos.ru)|210.71.250.131|:8080... connected.

// DNS servers used (ASN lookup of the nameserver IPs):
ASN   | Prefix         | ASName | CN | Domain       | ISP of IP address
------|----------------|--------|----|--------------|--------------------------------------------
57010 | 62.76.184.0/21 | CLODO  | RU | NIC.RU       | ROSNIIROS RUSSIAN INSTITUTE PUBLIC NETWORKS
45629 | 110.164.0.0/17 | JASTEL | TH | 3BB.CO.TH    | 3BB BROADBAND ISP THAILAND
37963 | 42.121.0.0/16  | ALIBAB | CN | ALIYUN.COM   | CNNIC-ALIBABA-CN-NET - ALIYUN COMPUTING
36937 | 41.168.0.0/16  | Neotel | ZA | NEOTELZA.NET | NEOTEL PTY LTD

// Evil NS listed for this infector group:

// WHOIS:
domain:  AKIONOKAO.RU
nserver: ns1.akionokao.ru. 62.76.186.24
nserver: ns2.akionokao.ru. 110.164.58.250
nserver: ns3.akionokao.ru. 42.121.116.38
nserver: ns4.akionokao.ru. 41.168.5.140
state:   REGISTERED, DELEGATED, UNVERIFIED
person:  Private Person

domain:  AFJDOOSPF.RU
nserver: ns1.afjdoospf.ru. 62.76.186.24
nserver: ns2.afjdoospf.ru. 110.164.58.250
nserver: ns3.afjdoospf.ru. 42.121.116.38
nserver: ns4.afjdoospf.ru. 41.168.5.140
state:   REGISTERED, DELEGATED, UNVERIFIED
person:  Private Person

domain:  APENDIKSATOR.RU
nserver: ns1.apendiksator.ru. 62.76.186.24
nserver: ns2.apendiksator.ru. 110.164.58.250
nserver: ns3.apendiksator.ru. 42.121.116.38
nserver: ns4.apendiksator.ru. 41.168.5.140
state:   REGISTERED, NOT DELEGATED, UNVERIFIED
person:  Private Person

domain:  BILAINKOS.RU  (NEW!)
nserver: ns1.bilainkos.ru. 62.76.186.24
nserver: ns2.bilainkos.ru. 110.164.58.250
nserver: ns3.bilainkos.ru. 42.121.116.38
nserver: ns4.bilainkos.ru. 41.168.5.140
state:   REGISTERED, DELEGATED, UNVERIFIED
person:  Private Person

// Shut these IPs / services down!
// #MalwareMustDie!