zBOT points to Russia

11 01 2011

One of our poor readers’ Windows 7.0 machines is dialing back to a site in the Russian Federation!

The process logs show the machine connecting to IP 194.63.144.81. We have flagged the site as a Trojan Zbot/ZeuS attack host.

The poor reader ran his favorite AV program, but it is not detecting anything.

Here is the solution: kill the machine and re-image!

Malware Site: 194.63.144.81

———————-< Snip>——————

Trace IP  194.63.144.81
15   190 ms   190 ms   190 ms  tele-1-gw.sth.runnet.ru [194.85.40.242]
16   190 ms   190 ms   190 ms  tele-1-gw.sth.runnet.ru [194.85.40.174]
17   190 ms   190 ms   190 ms  b57-1-gw.spb.runnet.ru [194.85.40.129]
18   190 ms   190 ms   190 ms  m9-1-gw.msk.runnet.ru [194.85.40.133]
19   190 ms   190 ms   190 ms  m9-2-gw.msk.runnet.ru [194.85.40.214]
20   213 ms   211 ms   212 ms  vline.msk.runnet.ru [194.190.254.218]
21   211 ms   212 ms   218 ms  109.196.132.14
22   271 ms   279 ms   265 ms  194.63.144.81

Host Info:

  • inetnum:    194.63.144.0 – 194.63.147.255
  • netname:    PROMIRANET
  • descr:    LLC Promiranetru
  • country:    RU (Russian Federation)

This IP is Blacklisted
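The post spots the infection from process logs showing a connection to the flagged IP. As an added example (not code from the original post), here is how a defender can run that check over connection output rather than by eye: it converts the whois inetnum range above into CIDR networks and flags any remote endpoint that hits either the listed IP or its netblock. The netstat text is a constructed sample in the shape of Windows `netstat -ano` output; the addresses in it other than the post’s are made up.

```python
import ipaddress
import re

# Constructed sample in the shape of Windows "netstat -ano" output (not from the post);
# the 194.63.x.x endpoints are the post's indicators, the rest are made-up filler.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49152     194.63.144.81:80       ESTABLISHED     2740
  TCP    192.168.1.20:49153     74.125.227.15:443      ESTABLISHED     1204
  TCP    192.168.1.20:49160     194.63.146.9:8080      SYN_SENT        2740
  UDP    0.0.0.0:5355           *:*                                    1020
"""

# Indicators from the post: the flagged host and the PROMIRANET inetnum it sits in.
BAD_IPS = {"194.63.144.81"}
BAD_RANGES = [("194.63.144.0", "194.63.147.255")]

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def ranges_to_networks(ranges):
    """Turn whois-style inetnum start/end pairs into CIDR networks."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets


def flag_connections(netstat_text, bad_ips=BAD_IPS, bad_ranges=BAD_RANGES):
    """Return every connection whose remote IP is blocklisted outright or lies in a blocklisted netblock."""
    nets = ranges_to_networks(bad_ranges)
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or unrecognised row
        proto, _local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # "*:*" listeners carry no remote address
        if str(ip) in bad_ips:
            reason = "blocklisted IP"
        elif any(ip in n for n in nets):
            reason = "blocklisted netblock"
        else:
            continue
        hits.append({"pid": int(pid), "proto": proto, "remote": f"{ip}:{port}",
                     "state": state or "-", "reason": reason})
    return hits


if __name__ == "__main__":
    for h in flag_connections(NETSTAT_SAMPLE):
        print(f"PID {h['pid']} {h['proto']} -> {h['remote']} ({h['state']}): {h['reason']}")
```

The PID column is the useful part: it ties the flagged connection to the process that owns it, which is what to capture (image path, parent, start time) before the box is re-imaged, since the AV found nothing to point at.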

Google shows us the malware host “tele-1-gw.sth.runnet.ru” alongside a few suspicious sites:
1. http://www.Pereplet.ru
2. hxxp://orwell.ru/a_life/lords100/russian/r_lbk
3. http://eyecenter.com.ua/doctor/virus/59.htm (search snippet: “9 tele-1-gw.sth.runnet.ru (194.85.40.174), 162.326 ms”)
4. http://www.Macvspc.ru (search snippet: read more at hxxp://www.macvspc.ru/macintosh-virus-free.html; indexed via bizinformatsiya.ru/www.macvspc.ru)
5. http://www.Softogen.ru (search snippet: “Kaspersky Virus Removal Tool 900722 10122010 Portable Rus”; indexed via bizinformatsiya.ru/www.softogen.ru)
6. http://www.Gfxstuff.ws (listed in a domain dump next to rmoms.net, stop-virus-070.com and granfondo.com.au)

Good Luck!





SpamBot Open for Business in China

8 12 2010

This morning one of our readers’ Hotmail accounts got hijacked and is sending out spam to the address book. The user tells us: “I am not sure of how it happened, and some of the contacts have received the message from my email.”

We looked under the hood and reviewed the embedded links. Our team identified the links as associated with spam bots, Trojans, fake anti-virus, and Z-BOT attacks that are straight out of China!

The malware is associated with 126.com, which is hosted in China and lights up the DNS entries like a Christmas tree!

See the Graph


<Copy of the Spam Message>

<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>
From:d111___x1e@hotmail.com

To: Alluserx@AOL1.com

Dear sir/Madam: Our company  is Large-sized China foreign trade companies. We sale cellphone, computer, TV, GPS,MP3 and Motorcycle and so on. We have our warehouse and shopping centers.  we have very good price and credit. We will ensure our product 100% eligible. Hoping we can have long-time cooperation.

please contact us: (www: zlgxfc.com  E-mail: zlgxfc @ 188.com)

<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

<Malware Found>

  • Trojan.DownLoader.Based
  • Trojan Zeus/ZBOT
  • Spam Bots
  • Fake Anti-Virus /Ransomware
  • Spyware

Malicious URL:zlgxfc.com

  • ip: 216.18.23.137

Malware Files Created:

  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\lightbox[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\layout[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\style[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\validation[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\contentslider[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\zlgxfc[1].htm

Malicious URL: 188.com

Malware Files Created:

  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\188index[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\188index[2].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\flashobject[1].js
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\flashobject[2].js
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\188[1].htm

Malicious DNS Traffic:

  • 188.com
  • 123.125.50.22  <— Spyware Found
  • 220.181.12.218
  • mimg.188.com
  • 218.107.55.85
  • 218.107.55.86
  • mailjs.163.com
  • 218.107.55.86
  • 218.107.55.85
  • vip.163.com
  • 123.125.50.199
  • Points to CNAME: mcache.idns.yeah.net
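The DNS list above mixes hostnames, IPs and a CNAME target (mcache.idns.yeah.net), which is exactly what makes such traffic awkward to match by hand: the name a client asked for is not the name that finally resolves. As an added example (not code from the original post), the script below walks a DNS query log, follows CNAME chains, and flags a query when any name in the chain is on the list (exact or as a subdomain of a listed parent, so a lookup under 188.com counts) or when it resolves to a listed IP. The log format is a constructed, simplified one (timestamp, client, record kind, name, type, value), not the output of any particular resolver, and static.188.com and www.example.org are made-up names used as filler.

```python
from collections import defaultdict

# Indicators from the post's "Malicious DNS Traffic" list.
BAD_DOMAINS = {"188.com", "mimg.188.com", "mailjs.163.com", "vip.163.com",
               "mcache.idns.yeah.net"}
BAD_IPS = {"123.125.50.22", "220.181.12.218", "218.107.55.85", "218.107.55.86",
           "123.125.50.199"}

# Constructed DNS log in a simplified format (not from the post or any real resolver):
#   <timestamp> <client> query <qtype> <name>
#   <timestamp> <client> answer <name> <rtype> <value>
DNS_LOG = """\
2010-12-08T09:12:01 10.0.0.15 query A mimg.188.com
2010-12-08T09:12:01 10.0.0.15 answer mimg.188.com CNAME mcache.idns.yeah.net
2010-12-08T09:12:01 10.0.0.15 answer mcache.idns.yeah.net A 123.125.50.22
2010-12-08T09:12:05 10.0.0.15 query A www.example.org
2010-12-08T09:12:05 10.0.0.15 answer www.example.org A 198.51.100.9
2010-12-08T09:13:10 10.0.0.22 query A mailjs.163.com
2010-12-08T09:13:10 10.0.0.22 answer mailjs.163.com A 218.107.55.86
2010-12-08T09:14:00 10.0.0.15 query A static.188.com
2010-12-08T09:14:00 10.0.0.15 answer static.188.com A 220.181.12.218
"""


def domain_matches(name, bad_domains):
    """Exact or parent-domain match: 'static.188.com' matches a listed '188.com'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def parse_log(text):
    """Split the log into queries, a CNAME map and A-record answers."""
    queries, cnames, a_records = [], {}, defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "query":
            queries.append((parts[0], parts[1], parts[4].lower()))
        elif len(parts) >= 6 and parts[2] == "answer":
            name, rtype, value = parts[3].lower(), parts[4].upper(), parts[5].lower()
            if rtype == "CNAME":
                cnames[name] = value
            elif rtype == "A":
                a_records[name].add(value)
    return queries, cnames, a_records


def resolve_chain(name, cnames, max_hops=10):
    """Follow CNAMEs from the queried name; stop on a loop or after max_hops."""
    chain = [name]
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = cnames[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def flag_dns(text, bad_domains=BAD_DOMAINS, bad_ips=BAD_IPS):
    """Return one record per query that touches a listed name or resolves to a listed IP."""
    queries, cnames, a_records = parse_log(text)
    hits = []
    for ts, client, qname in queries:
        chain = resolve_chain(qname, cnames)
        ips = set().union(*(a_records.get(n, set()) for n in chain))
        reasons = [f"{n} matches {hit}" for n in chain
                   if (hit := domain_matches(n, bad_domains))]
        reasons += [f"resolves to {ip}" for ip in sorted(ips & bad_ips)]
        if reasons:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "chain": chain, "ips": sorted(ips), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in flag_dns(DNS_LOG):
        print(h["ts"], h["client"], " -> ".join(h["chain"]), "|", "; ".join(h["reasons"]))
```

Matching on the parent domain as well as the exact name is a deliberate choice: the post’s own list has both 188.com and mimg.188.com, and a resolver log will show whichever label the malware picked that day. The loop guard in `resolve_chain` matters on real data, where a misconfigured or hostile zone can CNAME back onto itself.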

<Malware Activity>
# Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
# This Process sends MIME Email
# The Process is packed and/or encrypted using a software packing process
# The Process is polymorphic and can change its structure
# Looks at the contents of the autoexec.bat file
# Reads email address and phone book details
# Uses DNS to retrieve the IP address for web sites
# Visits web sites on your PC without you knowing
# Creates system tray popups, messages, errors and security warning

Host:    ChinaUnicom Hostmaster
nic-hdl:    CH1302-AP
e-mail:    XXXXX@chinaunicom.cn
address:    No.21,Jin-Rong Street
address:    Beijing,100140
address:    P.R.China
phone:    +86-10-66259940
fax-no:    +86-10-66259764
country:    CN

<IP 123.125.50.22  Host names sharing IP>

*.104.126.com
*.68.104.126.com
104.126.com
111.126.com
126.com
127.net
188.com
208.68.104.126.com
2274747474.yeah.net
22idns1.yeah.net
22idns2.yeah.net
22m227-137.yeah.net
22m227-138.yeah.net
22www.yeah.net
2yan.126.com
68.104.126.com
ahxczgq.126.com
bj126app91.126.com
ccxmqq.126.com
cheng307.126.com
ckbest.126.com
cncnnix.126.com
cnjax.126.com
dingliang.126.com
dodo521.126.com
eruson.yeah.net
feel8.126.com
foryousz.126.com
gao1978108.yeah.net
gm1866.126.com
guangweimanufactory.126.com
guoqing053051.126.com
honker43.126.com
iamtourist.126.com
ipad.vip.163.com
jeily.126.com
jinglongliu.126.com
jxl415424022.126.com
lizhb.126.com
lvjunkun.126.com
m5-141.126.com
m5-144.126.com
mail.netease.com
mail.netease.split.netease.com
mcache.mail.126.net
moveage2008.126.com
njweb.yeah.net
olympic08.126.com
stylesdrops.126.com
syhua3000.126.com
tangzhineng.yeah.net
vip.188.com
yaosoutv.com
yeah.net
yeetong.126.com
yootor.net
zhanglei8312.126.com
zhoujunan.126.com

Reference: Prevx.com and Robtex Graph





Pharma Site is Gushing Malware!

18 11 2010

We have a user who reported that his machine was dialing out to a malicious site, “174.132.129.254”. Our team has analyzed the 174.132.129.254 site, and it points to a backdoor Trojan site.

The site hxxp://174.132.129.254 is associated with the Pharma Spam Campaign and attacks. The malicious site performs quite a few malware queries when you connect to it.

The malware site is dishing out various families of malware that may include backdoors, fake anti-virus, Trojan Banker, Q-BOT (data stealer) and ZEUS/ZBOT!

These cyber criminals went all out and uploaded quite a few malware resources to these sites!

<Analyzed URL: hxxp://174.132.129.254 and it redirects to hxxp://174.132.129.30 historykillerpro.com>

Displays “History Killer Pro – Clean Windows, keep your privacy. – Microsoft Internet Explorer”

<Malware Found>

  • Backdoor.Cycbot [Symantec]
  • Backdoor-EXI [McAfee]
  • Backdoor:Win32/Cycbot.B [Microsoft]
  • Zbot/Zeus
  • Mal/Qbot-B
  • Trojan Banker
  • Fake Anti-virus

<Malware DNS Queries>

  • 88.212.196.104
  • 88.212.196.66
  • 88.212.196.69
  • 88.212.196.77
  • 88.212.196.101
  • 88.212.196.102
  • 88.212.196.103
  • 1048 to 83.96.225.142:443 <- Found Malware that includes – Illegal 3rd party exploits, including proxies, worms and Trojan exploits
  • author.brothersoft.com <– ZBOT Trojan Found on these sites!
  • 217.89.107.33
  • 217.89.107.18
  • counter.yadro.ru <– Site hosting the Trojan Zeus/ZBot; see the previous MS post on the Yadro.ru site!
  • secure.avangate.com <– Trojan Exploits
  • 83.96.225.142

<Malware Files Created>

  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\curvedbox-med2[1].jpg
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\date[1].js
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\windows7_compatible[1].png
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\styles2[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\pcdocpro[1].htm

<Domain Names Pointing to the IP: 174.132.129.254>

  • airappoint.com
  • ancient-treasure.info
  • atlasplanet.com
  • autismtypesinchildren.com
  • bassguitarcases.info
  • becomingafinancialplanner.net
  • burgas-bulgaria.info
  • cellery.info
  • christiandebtsolutionshelp.com
  • checkserverstatux.com
  • curesforyeastinfection.org
  • curesforheartburn.net
  • cureacneproblem.com
  • debtfreeplan.org
  • determinednewbie.com
  • diet4idiots.org
  • eatingdisorderstreatments.biz
  • fatandweightcontrol.com
  • fatloss-4idiot.info
  • insomniahomeremedy.net
  • mafiastrip.com
  • metropolitancocktails.com
  • mexicanfireopal.net
  • newdallasduplexes.com
  • people-isearch.info
  • parts.am
  • pcdocpro.com
  • piggybankstoporsches.com
  • rottweilertraining.net
  • rouletterobot.info
  • sourcekings.com
  • streaming-free.info
  • tattoostardesigns.com
  • titantutorials.com
  • toothwhitening-teethbleaching.com
  • whisperingmountain.com
  • worldmusictours.info
  • worldtour2009.info
  • worldtourdates.info
  • yourolddog.com

See the full Graph!

Remote Host    Port Number

  • 174.132.129.30   80
  • 188.72.230.232   80
  • 66.96.217.165    80
  • 69.167.188.239   80
  • 174.142.104.108  80
  • 174.36.237.98    80
  • 199.80.53.93     80
  • 208.93.142.95    80
  • 64.208.241.43    80
  • 64.208.241.67    80
  • 74.125.227.15    80
  • 76.13.234.33     80
  • 83.222.126.242   80
  • 88.212.196.102   80
  • 217.20.112.85    80
  • 217.73.200.219   80
  • 77.88.21.3       80
  • 78.159.121.197   80
  • 80.68.246.110    80
  • 81.19.66.238     80
  • 81.19.66.97      80
  • 82.116.41.78     80
  • 89.149.244.81    80

<Additional Malware Sites Associated with these Criminals>

  • laserhairremoval-information.com
  • meetthebabes.com
  • IP:174.132.129.254
  • pharmacysources.net
  • 174.132.130.26
  • ferrari-355.com
  • IP:174.132.129.253
  • showbitch.net
  • IP: 174.132.129.62
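The two lists above (domains pointing to 174.132.129.254, and the “additional sites” on neighbouring addresses 174.132.129.253, .62 and 174.132.130.26) are the result of pivoting from one bad IP to everything co-hosted with it and in the same netblock. As an added example (not code from the original post), the functions below perform that pivot over passive-DNS style records: list the domains on an IP, cluster domains by netblock, and expand a seed IP into co-hosted and same-block domains with the reason for each. The domain/IP pairs are a constructed sample; they reuse names and addresses from the post but the specific pairings (and benign.example) are assumed for illustration, not taken from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records (domain, A record). Names and addresses come
# from the post, but these pairings are assumed for illustration; benign.example is filler.
RECORDS = [
    ("pcdocpro.com", "174.132.129.254"),
    ("airappoint.com", "174.132.129.254"),
    ("historykillerpro.com", "174.132.129.30"),
    ("ferrari-355.com", "174.132.129.253"),
    ("showbitch.net", "174.132.129.62"),
    ("pharmacysources.net", "174.132.130.26"),
    ("benign.example", "198.51.100.7"),
]


def hosts_on_ip(records, ip):
    """Reverse lookup over the record set: every domain with an A record equal to ip."""
    return sorted({domain for domain, addr in records if addr == ip})


def cluster_by_netblock(records, prefixlen=24):
    """Group domains by the netblock their A record falls in (default /24)."""
    clusters = defaultdict(set)
    for domain, addr in records:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        clusters[str(net)].add(domain)
    return dict(clusters)


def expand_from_seeds(records, seed_ips, prefixlen=24):
    """Pivot from known-bad IPs: domains sharing a seed IP are 'shares IP';
    domains whose IP is merely in the same netblock are 'same netblock'.
    The netblock match is weaker evidence and is reported as such."""
    seeds = {ipaddress.ip_address(s) for s in seed_ips}
    seed_nets = {ipaddress.ip_network(f"{s}/{prefixlen}", strict=False) for s in seeds}
    found = {}
    for domain, addr in records:
        ip = ipaddress.ip_address(addr)
        if ip in seeds:
            found[domain] = "shares IP"          # strongest link, overrides a block match
        elif any(ip in net for net in seed_nets):
            found.setdefault(domain, "same netblock")
    return found


if __name__ == "__main__":
    print("on 174.132.129.254:", hosts_on_ip(RECORDS, "174.132.129.254"))
    for net, domains in sorted(cluster_by_netblock(RECORDS).items()):
        print(net, sorted(domains))
    for domain, why in sorted(expand_from_seeds(RECORDS, ["174.132.129.254"]).items()):
        print(f"{domain}: {why}")
```

Keep the two reasons separate when turning the output into blocks or alerts: sharing an exact IP with a known-bad host is strong, but a shared /24 at a hosting provider also sweeps in unrelated customers, so “same netblock” hits are leads to check, not indicators on their own.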

Reference: ThreatExpert