DhiaLite

Suspicious .pl short lived subdomains - Nov 15, 2013

Nov 15th, 2013
Thu, Nov 15 2013
#DhiaLite - A new set of suspicious, short-lived .pl subdomains has shifted from 109.236.83.184 and 109.236.83.185 and started resolving to 109.236.83.186 today; the shift is still ongoing.
Follow up to http://pastebin.com/s8ARXGd2
and
http://pastebin.com/hBS4u1cT

The subdomains will likely shift on to the next few contiguous IPs.

Traffic to these subdomains spikes, then they stop resolving.

Possibly used for a malvertising -> EK -> ransomware campaign similar to the one described in
http://www.malekal.com/2013/07/31/en-urausy-adultfriendzfinder-malvertising-banner/

Yet to be confirmed.

Possibly Sakura EK, based on suggestions from @MalwareSigs

Currently 130+ subdomains have resolved to this IP, and more are popping up.

These subdomains are registered under the Polish city 2LD:

pruszkow.pl

#Sample of subdomains on 109.236.83.186

znamo.taxidermy.pruszkow.pl
yz67.grippro.pruszkow.pl
youtu.musicvideoswiz.pruszkow.pl
yingb.ngs55.pruszkow.pl
xpres.grippro.pruszkow.pl
wools.cambridgeaudio.pruszkow.pl
wirec.modaskidka.pruszkow.pl
westl.seligaparaiba.pruszkow.pl
wella.modaskidka.pruszkow.pl
webte.citybeat.pruszkow.pl
webia.fadama.pruszkow.pl
vwt4f.wtfgang.pruszkow.pl
vrcep.fadama.pruszkow.pl
vidpi.cambridgeaudio.pruszkow.pl
venus.cambridgeaudio.pruszkow.pl
vecto.alnatura.pruszkow.pl
utpue.ngs55.pruszkow.pl
ultim.wtfgang.pruszkow.pl
tvsh2.seligaparaiba.pruszkow.pl
tvmah.seligaparaiba.pruszkow.pl
tusex.usefulbookmarks.pruszkow.pl
trues.citybeat.pruszkow.pl
trada.grippro.pruszkow.pl
topcl.bowl.pruszkow.pl
tntpa.alnatura.pruszkow.pl
tcmba.citybeat.pruszkow.pl
tbb.seligaparaiba.pruszkow.pl
swell.artgrafica.pruszkow.pl
subba.wtfgang.pruszkow.pl
sozia.cambridgeaudio.pruszkow.pl
skare.bowl.pruszkow.pl
sitem.alnatura.pruszkow.pl
sibit.alnatura.pruszkow.pl
shopm.musicvideoswiz.pruszkow.pl
shama.fadama.pruszkow.pl
sexcs.eroticsnap.pruszkow.pl
satur.seligaparaiba.pruszkow.pl
sarut.citybeat.pruszkow.pl
salir.cambridgeaudio.pruszkow.pl
saint.citybeat.pruszkow.pl
sagli.ngs55.pruszkow.pl
rugcm.modaskidka.pruszkow.pl
rsmit.seligaparaiba.pruszkow.pl
reser.musicvideoswiz.pruszkow.pl
remax.musicvideoswiz.pruszkow.pl
reall.wtfgang.pruszkow.pl
poire.citybeat.pruszkow.pl
pitch.usefulbookmarks.pruszkow.pl
penny.androiduipatterns.pruszkow.pl
patta.alnatura.pruszkow.pl
panel.fadama.pruszkow.pl
openp.modaskidka.pruszkow.pl
ocean.modaskidka.pruszkow.pl
numbe.eroticsnap.pruszkow.pl
nosso.grippro.pruszkow.pl
neomo.citybeat.pruszkow.pl
moibr.citybeat.pruszkow.pl
miste.musicvideoswiz.pruszkow.pl
meyda.bowl.pruszkow.pl
metro.seligaparaiba.pruszkow.pl
mende.eroticsnap.pruszkow.pl
matri.grippro.pruszkow.pl
mater.modaskidka.pruszkow.pl
manua.alnatura.pruszkow.pl
luxeb.cambridgeaudio.pruszkow.pl
ltmco.wtfgang.pruszkow.pl
lrcvi.usefulbookmarks.pruszkow.pl
losmi.alnatura.pruszkow.pl
loanw.bowl.pruszkow.pl
linea.citybeat.pruszkow.pl
lifes.modaskidka.pruszkow.pl
lexus.wtfgang.pruszkow.pl
lewis.fadama.pruszkow.pl
leigh.musicvideoswiz.pruszkow.pl
labor.musicvideoswiz.pruszkow.pl
ko.ngs55.pruszkow.pl
kolom.cambridgeaudio.pruszkow.pl
kkcom.musicvideoswiz.pruszkow.pl
ionwa.citybeat.pruszkow.pl
infox.wtfgang.pruszkow.pl
incom.usefulbookmarks.pruszkow.pl
immmc.fadama.pruszkow.pl
ihote.artgrafica.pruszkow.pl
igrac.usefulbookmarks.pruszkow.pl
igf.ngs55.pruszkow.pl
ideas.ngs55.pruszkow.pl
icepo.modaskidka.pruszkow.pl
huffi.seligaparaiba.pruszkow.pl
hostc.grippro.pruszkow.pl
homeb.bowl.pruszkow.pl
hitpi.grippro.pruszkow.pl
hedmo.alnatura.pruszkow.pl
hasto.bowl.pruszkow.pl
globa.grippro.pruszkow.pl
fueng.taxidermy.pruszkow.pl
fourc.grippro.pruszkow.pl
fmfor.bowl.pruszkow.pl
flyer.grippro.pruszkow.pl
flyde.musicvideoswiz.pruszkow.pl
findh.seligaparaiba.pruszkow.pl
ficou.bowl.pruszkow.pl
fanta.eroticsnap.pruszkow.pl
famil.grippro.pruszkow.pl
eroti.androiduipatterns.pruszkow.pl
embed.androiduipatterns.pruszkow.pl
educa.androiduipatterns.pruszkow.pl
dream.artgrafica.pruszkow.pl
dotne.usefulbookmarks.pruszkow.pl
dinne.grippro.pruszkow.pl
dialo.seligaparaiba.pruszkow.pl
destr.wtfgang.pruszkow.pl
confe.ngs55.pruszkow.pl
comid.artgrafica.pruszkow.pl
coins.ngs55.pruszkow.pl
clean.alnatura.pruszkow.pl
chetu.cambridgeaudio.pruszkow.pl
cbssi.seligaparaiba.pruszkow.pl
casin.alnatura.pruszkow.pl
cares.taxidermy.pruszkow.pl
cardm.bowl.pruszkow.pl
bycap.citybeat.pruszkow.pl
bunke.bowl.pruszkow.pl
brisy.modaskidka.pruszkow.pl
bbuss.cambridgeaudio.pruszkow.pl
bailk.bowl.pruszkow.pl
azvi.citybeat.pruszkow.pl
ausla.wtfgang.pruszkow.pl
asxcf.fadama.pruszkow.pl
askcm.eroticsnap.pruszkow.pl
apren.ngs55.pruszkow.pl
anime.androiduipatterns.pruszkow.pl
alwaj.wtfgang.pruszkow.pl
albat.bowl.pruszkow.pl
alau.wtfgang.pruszkow.pl
adams.musicvideoswiz.pruszkow.pl
actti.citybeat.pruszkow.pl

END
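As an added illustration, not part of the paste, the following Python turns the two observations above into detection logic a resolver-log reviewer could run: the structural shape of the listed names (short label, word-like label, then the pruszkow.pl 2LD) and the contiguous IP range the author expects the names to move into. The three IPs and the 2LD come from the paste; the /29 watch window, the passive-DNS line format and the sample records are assumptions constructed for this example.

```python
"""Flag short-lived *.pruszkow.pl names clustering on contiguous 109.236.83.x hosts."""
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the paste: the three IPs seen so far and the 2LD.
SEEN_IPS = {"109.236.83.184", "109.236.83.185", "109.236.83.186"}
SUSPECT_2LD = "pruszkow.pl"
# Assumption: a /29 (.184 through .191) covers "the next few contiguous IPs".
WATCH_NET = ipaddress.ip_network("109.236.83.184/29")

# Shape of the listed names: 2-5 char label, a word-like label, then the 2LD.
NAME_RE = re.compile(r"^[a-z0-9]{2,5}\.[a-z0-9-]+\." + re.escape(SUSPECT_2LD) + r"$")

# Constructed passive-DNS style records ("<epoch> <fqdn> A <ip>"); not real data.
SAMPLE_LINES = [
    "1384502400 znamo.taxidermy.pruszkow.pl A 109.236.83.186",
    "1384502401 yz67.grippro.pruszkow.pl A 109.236.83.186",
    "1384502402 wools.cambridgeaudio.pruszkow.pl A 109.236.83.186",
    "1384502403 www.pruszkow.pl A 192.0.2.20",            # ordinary host on the 2LD
    "1384502404 www.example.com A 192.0.2.10",            # unrelated traffic
    "1384502405 topcl.bowl.pruszkow.pl A 109.236.83.187",  # predicted next contiguous IP
    "1384502406 garbage line",                            # malformed, must be skipped
]


def is_suspect_name(fqdn):
    """True when the name has the short-label.word-label.pruszkow.pl shape."""
    return bool(NAME_RE.match(fqdn.lower().rstrip(".")))


def in_watch_range(ip):
    """True when the resolved address falls inside the assumed contiguous window."""
    try:
        return ipaddress.ip_address(ip) in WATCH_NET
    except ValueError:
        return False


def parse_line(line):
    """Return (epoch, fqdn, ip) for a well-formed A record line, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "A":
        return None
    return parts[0], parts[1].lower().rstrip("."), parts[3]


def summarise(lines):
    """Group resolved names by IP, keeping records that hit either indicator."""
    by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, name, ip = rec
        if is_suspect_name(name) or in_watch_range(ip):
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def flag(lines, min_names=2):
    """(ip, distinct_names, is_new_ip) for watch-range IPs hosting >= min_names names.

    is_new_ip marks an address not yet in SEEN_IPS, i.e. the predicted shift.
    """
    out = []
    for ip, names in summarise(lines).items():
        if in_watch_range(ip) and len(names) >= min_names:
            out.append((ip, len(names), ip not in SEEN_IPS))
    return sorted(out)


if __name__ == "__main__":
    for ip, count, new in flag(SAMPLE_LINES, min_names=1):
        print(f"{ip}: {count} suspect name(s){' [NEW IP]' if new else ''}")
```

With the threshold lowered to one name the checker reports 109.236.83.187 as a new address in the watch window, which is the early signal worth alerting on given the author's note that the names will likely shift to the next contiguous IPs; with the default threshold of two it reports only the .186 cluster.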