Mobile and print friendly view | Contagio Exchange - Contagio community malware dump

Wednesday, April 11, 2012

OSX Flashback URLs, Domains, etc


Dr.Web image
I have been tracking infections too and will be posting the domains I come across. I don't have the DGA script or list of domains to date, but even if I had, I think the best way to find them is via User Agent followed by the id:  I posting URLs and domains below and will add more soon.


Since it generates new domains every day, the full list would be much much longer but I will post those that I run across below in case it helps anyone. These below appear to be a variant of v.39/K



GET /statistics.html HTTP/1.1
Host: cuojshtbohnt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id: 1A698BE9-0211-5EB4-AFDC-644AA479D972) Gecko/20100101 Firefox/9.0.1


Ger requests, domains incl. Update - April 11, 2012 (UUIDs were slightly edited)


104 domains ( I think they are all sinkholed by now, if you check the IPs they are registered to, you will see only security firms and AV companies)




ET signature using User Agent (also in the previous posts)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I User-Agent"; flow:established,to_server; content:" WOW64|3b| rv|3a|9.0.1|3b| sv|3a|"; http_header; content:" id|3a|"; http_header; within:6; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; classtype:trojan-activity; sid:2014534; rev:3;)


4 comments:

  1. Again no AAAA records found
    Reputation checked thanks to:
    # Alienvault IP Reputation Database
    # reputation.alienvault.com

    cdqwwkndatvt.com
    cdqwwkndatvt.in
    cdqwwkndatvt.info
    cdqwwkndatvt.kz
    cdqwwkndatvt.net
    cuojshtbohnt.com
    91.233.244.102
    91.233.244.102 # C&C;Malicious Host;Malware Domain;Malware IP ,,26.1214008331,-80.1390991211
    cuojshtbohnt.kz
    stxeapbewbblp.com
    82.141.230.155
    stxeapbewbblp.in
    208.86.225.38
    stxeapbewbblp.info
    50.116.35.158
    vxvhwcixcxqxd.com
    91.233.244.102
    91.233.244.102 # C&C;Malicious Host;Malware Domain;Malware IP ,,26.1214008331,-80.1390991211
    vxvhwcixcxqxd.com
    91.233.244.102
    91.233.244.102 # C&C;Malicious Host;Malware Domain;Malware IP ,,26.1214008331,-80.1390991211
    vxvhwcixcxqxd.net
    74.207.249.7
    74.207.249.7 # C&C;Malicious Host;Malware IP;Malware Domain US,Absecon,39.4898986816,-74.4773025513
    vyqhdtnsfrie.com
    vyqhdtnsfrie.in
    vyqhdtnsfrie.info
    vyqhdtnsfrie.kz
    vyqhdtnsfrie.net
    xntppwufabzsr.com
    127.0.0.1
    cdqwwkndatvt.com
    cdqwwkndatvt.in
    cdqwwkndatvt.info
    cdqwwkndatvt.kz
    cdqwwkndatvt.net
    cuojshtbohnt.com
    91.233.244.102
    91.233.244.102 # C&C;Malicious Host;Malware Domain;Malware IP ,,26.1214008331,-80.1390991211
    cuojshtbohnt.kz
    stxeapbewbblp.com
    82.141.230.155
    stxeapbewbblp.in
    208.86.225.38
    stxeapbewbblp.info
    50.116.35.158
    vxvhwcixcxqxd.com
    91.233.244.102
    91.233.244.102 # C&C;Malicious Host;Malware Domain;Malware IP ,,26.1214008331,-80.1390991211
    vxvhwcixcxqxd.net
    74.207.249.7
    74.207.249.7 # C&C;Malicious Host;Malware IP;Malware Domain US,Absecon,39.4898986816,-74.4773025513
    vyqhdtnsfrie.com
    vyqhdtnsfrie.in
    vyqhdtnsfrie.info
    vyqhdtnsfrie.kz
    vyqhdtnsfrie.net
    xntppwufabzsr.com
    127.0.0.1

    ReplyDelete
  2. one domain i didn't see in either of these sets:
    sandra.prichaonica.com

    ReplyDelete
    Replies
    1. (Which I think has hits for all of those IPs)

      Delete
  3. And two style appears almost especially ergo infant insert identical pattern dongling circumstance grain

    joining collectively Pliage bag, in fact antiparasitage a is planned of genuine leather-

    based joining collectively of of all types and become,ergo carriers one other is in fact a extremely

    realistic PI cao printing design.

    ReplyDelete