Thứ Sáu, 28 tháng 6, 2013

MalwareMustDie, NPO, during its research activities, is following the process of suspension malware bad domains as important milestones in malware fighting steps. is also publicly releasing some of suspension domains in the "Operation Tango Down" [What is TangoDown?] as a public announcement.

The current report is a fast and successful suspension process, as a good coordination between members who spotted, analyzed & reported the threat, to our PiCs in Tango Team (thank's to ‏@S with @CL for the hard work) and the related registrars who help us with the GREAT cooperation for the swift follows and banning further registration procedure process (blacklist) accordingly. We have a much better pace in suspending process (less than 18hrs), even right before weekend, as a good lead time reference for future cases.

Following is the report detail, with noted: is not aiming for the analysis details (we have a lot of similar case analysis in our blog already) but more to be a cybercrime-evidence purpose, with all of the materials posted are to be utilized for following legal process.

Verdict of Crime

We detected the very dangerous exploit kit landing page of malware infection via browser's vulnerability exploitation pointed to the below IP/NETWORK:

"80.78.247.114 / AS43146 Agava Ltd.(Russia  Federation)"
Initially caught in the act using Blackhole Exploit Kit the "/closest/" version operated under below URL:
"h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php
h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php
h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php
h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php
h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php
h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php
:"
Furthermore the activity also recorded in Virus total pDNS report:
URL: https://www.virustotal.com/en/ip-address/80.78.247.114/information/
"2013-06-28 18:30:12 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php
2013-06-28 18:26:43 h00p://detectedflights.org/closest/
2013-06-27 21:33:13 h00p://terminalspervasive.biz/
2013-06-27 19:52:24 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262
2013-06-27 19:08:09 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php
2013-06-27 16:37:32 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php
2013-06-27 15:38:34 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php
2013-06-27 15:33:21 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php
2013-06-26 19:28:27 h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php
2013-06-26 00:16:13 h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php
2013-06-25 22:15:47 h00p://platformvillains.in/closest/hospital-worker.php
2013-06-25 21:40:54 h00p://platformvillains.in/
2013-06-25 21:40:35 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php
"
And also monitored in the URLQuery:
URL: http://urlquery.net/search.php?q=80.78.247.114&type=string&start=2013-05-01&end=2013-06-29&max=400
"2013-06-28 21:20:51 1 /  0 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-28 16:05:21 0 / 0 h00p://detectedflights.org/closest/ [Russian Federation] 80.78.247.114
2013-06-28 11:20:30 1 / 0 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-28 11:19:03 1 / 0 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 23:33:26 0 / 2 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262 [Russian Federation] 80.78.247.114
2013-06-27 23:15:52 1 / 0 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 21:49:41 0 / 2 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262 [Russian Federation] 80.78.247.114
2013-06-27 20:40:27 2 / 13 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 19:43:31 2 / 6 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 19:39:28 2 / 21 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 19:26:24 2 / 15 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 18:49:18 2 / 14 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 15:10:13 2 / 11 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 15:01:50 2 / 9 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 14:53:14 2 / 14 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 14:11:13 2 / 49 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 14:05:27 2 / 54 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 13:08:19 2 / 26 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 10:35:34 2 / 7 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 09:50:03 2 / 7 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 07:08:47 2 / 47 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 01:58:39 2 / 26 h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 22:00:39 0 / 0 h00p://samenamedpremium.biz [Russian Federation] 80.78.247.114
2013-06-26 21:28:24 2 / 24 h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 20:50:53 0 / 2 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262 [Russian Federation] 80.78.247.114
2013-06-26 13:57:32 0 / 0 h00p://samenamedpremium.biz [Russian Federation] 80.78.247.114
2013-06-26 13:56:00 0 / 0 h00p://80.78.247.114 [Russian Federation] 80.78.247.114
2013-06-26 04:38:23 0 / 0 h00p://80.78.247.114 [Russian Federation] 80.78.247.114
2013-06-26 04:00:06 2 / 50 h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 03:08:24 2 / 24 h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 00:21:59 2 / 10 h00p://platformvillains.in/closest/hospital-worker.php [Russian Federation] 80.78.247.114
2013-06-25 23:52:36 2 / 14 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 23:44:57 2 / 23 h00p://platformvillains.in/closest/hospital-worker.php [Russian Federation] 80.78.247.114
2013-06-25 23:28:58 2 / 25 h00p://platformvillains.in/closest/hospital-worker.php [Russian Federation] 80.78.247.114
2013-06-25 22:00:33 2 / 7 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 21:29:13 2 / 9 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 21:27:52 1 / 0 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 18:14:20 2 / 11 h00p://appsandfundamentals.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 18:02:07 1 / 0 h00p://appsandfundamentals.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
"

Exploit Attack Evidence

Some snapshots of the exploit infector used:

is an evidence as per recorded in URLQuery records below:

"http://urlquery.net/report.php?id=3356618
http://urlquery.net/report.php?id=3356579
http://urlquery.net/report.php?id=3355901
http://urlquery.net/report.php?id=3352167
http://urlquery.net/report.php?id=3332078
:"

Tango Information

Dismantling detail is, although was spotted 150+ domains under various conditions registered by the same bad actor behind this scheme, we sorted to the 61 unique domains listed below which will be enough to put the related infection out of internet. Sorting was proceed by eliminating the double records, usage of sub-domains, not clearly related/in-verdicted domains. These domains is confirmed down by June 28th, 2013, 23:59(pm) GMT+9. The registrant's used individual ID/credentials is marked and spread to all registrars as blacklist for the further threat's blocking, and also passed to the regional authority for the further legal process.

The suspended malware related domain list is as per below:

"anotherfactory.biz
artificialwind.asia
automatedpersonal.biz
balloonmansards.biz
blissfullyshare.biz
builtinscrupulous.net
campgroundstexts.biz
challengingprobably.biz
cokelendino.biz
conceptuallynetra.biz
coveringtelex.org
crypticallyhits.biz
delacruse.biz
directorybasedvibration.biz
discontiguousnds.asia
enterprisespumpkin.biz
eulaschalk.biz
examplefeatures.biz
expressionssentrybay.biz
extensivemymagicjackcom.org
fingertipsync.biz
flagsreimagining.biz
forgotperson.biz
fourthdvst.org
garbleddesigns.net
hoodselectable.biz
hourswebdav.biz
humorannouncement.biz
illustrateredeemed.net
joliclouddestructive.net
klockspell.biz
laptophandextremely.biz
lookyouthful.biz
massacrehighesttiered.biz
mediumsizedacdsees.biz
metadataconverse.net
muckinghighres.net
normov.biz
ntjobs.biz
nutsprerelease.biz
obamanizererouting.biz
perdevicecategoryyoursphere.net
pkielements.biz
prohibitedhill.biz
ridspayback.asia
scriptedbecome.biz
smugmugextras.biz
snapfishletnarrator.biz
sparesaddressmanually.biz
specialtyinterpreted.biz
squirrelspremade.biz
staffsenjoyment.biz
subsystemgandhi.biz
subtractionipvcertified.biz
summarysomeplace.biz
technologiesblipping.biz
votingkasperskyequipped.biz
vsmounting.org
webcastingtyping.biz
webworkzoneibm.biz
withinstyrofoam.biz"

Public announcement by #MalwareMustDie.NPO.,All rights reserved.
Anti CyberCrime Research Group - malwaremustdie.org

0 nhận xét:

Đăng nhận xét