contagio: OSX Flashback URLs, Domains, etc

Dr.Web image

I have been tracking infections too and will be posting the domains I come across. I don't have the DGA script or list of domains to date, but even if I had, I think the best way to find them is via User Agent followed by the id: I posting URLs and domains below and will add more soon.

Since it generates new domains every day, the full list would be much much longer but I will post those that I run across below in case it helps anyone. These below appear to be a variant of v.39/K

GET /statistics.html HTTP/1.1
Host: cuojshtbohnt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id: 1A698BE9-0211-5EB4-AFDC-644AA479D972) Gecko/20100101 Firefox/9.0.1

Ger requests, domains incl. Update - April 11, 2012 (UUIDs were slightly edited)

2012-Apr-10 12:38:08 10.64.113.110 -> 174.129.221.183 ip: 174.129.221.183 Host: iqkydbxjfodro.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:8F11945B-D60E-5B1D-8BEC-A61EA9FFA0C1) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:08 10.64.113.110 -> 174.129.221.183 ip: 174.129.221.183 Host: iqkydbxjfodro.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:8F11945B-D60E-5B1D-8BEC-A61EA9FFA0C1) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:08 10.64.113.110 -> 174.129.221.183 ip: 174.129.221.183 Host: iqkydbxjfodro.info User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:8F11945B-D60E-5B1D-8BEC-A61EA9FFA0C1) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:08 10.64.113.110 -> 174.129.221.183 ip: 174.129.221.183 Host: iqkydbxjfodro.in User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:8F11945B-D60E-5B1D-8BEC-A61EA9FFA0C1) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:08 10.64.113.110 -> 174.129.221.183 ip: 174.129.221.183 Host: iqkydbxjfodro.kz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:8F11945B-D60E-5B1D-8BEC-A61EA9FFA0C1) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: rfffnahfiywyd.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: rfffnahfiywyd.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: rfffnahfiywyd.info User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: rfffnahfiywyd.in User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: rfffnahfiywyd.kz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: cvsqsmuiaaiyh.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: cvsqsmuiaaiyh.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: cvsqsmuiaaiyh.info User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: cvsqsmuiaaiyh.in User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:4343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: cvsqsmuiaaiyh.kz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: scfoijdccqtmj.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: scfoijdccqtmj.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: scfoijdccqtmj.info User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: scfoijdccqtmj.in User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: scfoijdccqtmj.kz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 ip: 74.207.249.7 Host: vxvhwcixcxqxd.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9492C73D-9F16-583C-A9E3-440C8E1D037D) Gecko/20100101 Firefox/9.0.1 2012-Apr-09 15:24:55 10.64.113.160 -> 74.207.249.7 ip: 74.207.249.7 Host: cuojshtbohnt.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9B48F357-01F6-5E19-B561-7AC17A55125C) Gecko/20100101 Firefox/9.0.1 2012-Apr-09 15:25:52 10.64.21.184 -> 91.233.244.102 ip: 91.233.244.102 Host: vxvhwcixcxqxd.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:94B3C1C2-C81C-5E0A-9C1B-3A3C374E9927) Gecko/20100101 Firefox/9.0.1 10.64.154.200 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: pcjvhrwvrielyu.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:96CEF3D7-06B3-52D8-BF45-991D0D08CCBF) Gecko/20100101 Firefox/9.0.1 10.64.117.234 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: mmpqilsbon2u.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:950C52B0-6D0A-5CB9-BA7C-47D6E8EF82D3) Gecko/20100101 Firefox/9.0.1 10.64.114.38 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: hzxwhzifyjewe.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:90000000-0000-1000-8000-001EC2074A1E) Gecko/20100101 Firefox/9.0.1 10.64.113.213 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: ofeogazqbxmqft.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:9A8E2680-684E-594B-A698-148E3B2BBAB5) Gecko/20100101 Firefox/9.0.1 10.64.93.162 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: rjuhnumyhderuy.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:9EEA6D20-2B92-5DB7-BA0F-1A6F6946B764) Gecko/20100101 Firefox/9.0.1 10.64.100.58 >> 50.116.35.158 GET /index.html HTTP/1.1 Request URI: /index.html Host: prbktcowpvjmr.info User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:9A4764A8-0024-5A11-A240-589D18894A22) Gecko/20100101 Firefox/9.0.1 10.64.71.61 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: hnnthosfqmdj.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:91B5F479-9B9E-55D8-9E62-601E50672A83) Gecko/20100101 Firefox/9.0.1 10.64.26.144 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: udgdgdyerdo3kd.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:90217534-2343-546C-9A25-BB0B295A6874) Gecko/20100101 Firefox/9.0.1 10.64.24.197 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: iuydfiuwiugdge.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:985DAF48-B597-5026-8D8B-CC5CBA48EF2E) Gecko/20100101 Firefox/9.0.1

104 domains ( I think they are all sinkholed by now, if you check the IPs they are registered to, you will see only security firms and AV companies)

cvsqsmuiaaiyh.com cvsqsmuiaaiyh.in cvsqsmuiaaiyh.info cvsqsmuiaaiyh.kz cvsqsmuiaaiyh.net iqkydbxjfodro.com iqkydbxjfodro.in iqkydbxjfodro.info iqkydbxjfodro.kz iqkydbxjfodro.net rfffnahfiywyd.com rfffnahfiywyd.in rfffnahfiywyd.info rfffnahfiywyd.kz rfffnahfiywyd.net scfoijdccqtmj.com scfoijdccqtmj.in scfoijdccqtmj.info scfoijdccqtmj.kz scfoijdccqtmj.net vxvhwcixcxqxd.com vxvhwcixcxqxd.net aeddjjjsgnebr.com cdgssacqafewut.com cdqwwkndatvt.com cdqwwkndatvt.in cdqwwkndatvt.info cdqwwkndatvt.kz cdqwwkndatvt.net cfqwmwlmyuvln.com cfqwmwlmyuvln.info cuojshtbohnt.com cuojshtbohnt.info cuojshtbohnt.kz dppqqdmahihaly.com euxjnhxehfpeuy.com fhnqskxxwloxl.com fhnqskxxwloxl.in fhnqskxxwloxl.info glitjdgpamxjdlc.kz hnnthosfqmdj.com hxyyawuorwira.kz hxyyawuorwira.net hzxwhzifyjewe.com iceftkmbhrmhg.com iqkydbxjfodro.com iqkydbxjfodro.in iqkydbxjfodro.info iqkydbxjfodro.kz iqkydbxjfodro.net iuydfiuwiugdge.com juifltdlpjjva.com kksxjnvjqynfqa.com lpjwscxnwpqkaq.com lwpuwdovuvpgtf.com mi13hthdtwdfhet.com miecjlosmoliu.com miecjlosmoliu.in miecjlosmoliu.info mmpqilsbon2u.net moakzphcyysqst.com ocpyyfcaytqnpnw.kz ofeogazqbxmqft.com oyddmhuokhldd.com pcjvhrwvrielyu.com peclecgpwygqda.com prbktcowpvjmr.com prbktcowpvjmr.in prbktcowpvjmr.info prbktcowpvjmr.net prowchtogrrzq.com qfywnsimhpxbkdx.kz rfffnahfiywyd.com rfffnahfiywyd.info rfffnahfiywyd.net rjuhnumyhderuy.com scfoijdccqtmj.info shduddowhdgdu.com stxeapbewbblp.com stxeapbewbblp.in stxeapbewbblp.info tgnqheyqmfogmgt.kz tppuwrxvwbmoo.kz tygoiuoigwodd.com tygoiuoigwodd.kz tzvulcdovswll.com uaruftdirelaars.com uaruftdirelaars.kz udgdgdyerdo3kd.com vxvhwcixcxqxd.com vxvhwcixcxqxd.kz vxvhwcixcxqxd.net vyqhdtnsfrie.com vyqhdtnsfrie.in vyqhdtnsfrie.info vyqhdtnsfrie.kz vyqhdtnsfrie.net xlrlhcvcqoopk.com xlrlhcvcqoopk.kz xlrlhcvcqoopk.net xntppwufabzsr.com xsfuchkdrwfua.net zyxsjfocasugd.com

ET signature using User Agent (also in the previous posts)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I User-Agent"; flow:established,to_server; content:" WOW64|3b| rv|3a|9.0.1|3b| sv|3a|"; http_header; content:" id|3a|"; http_header; within:6; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; classtype:trojan-activity; sid:2014534; rev:3;)

4 comments:

ffranzApril 11, 2012 at 9:50 AM
Again no AAAA records found
Reputation checked thanks to:
# Alienvault IP Reputation Database
# reputation.alienvault.com

cdqwwkndatvt.com
cdqwwkndatvt.in
cdqwwkndatvt.info
cdqwwkndatvt.kz
cdqwwkndatvt.net
cuojshtbohnt.com
91.233.244.102
91.233.244.102 # C&C;Malicious Host;Malware Domain;Malware IP ,,26.1214008331,-80.1390991211
cuojshtbohnt.kz
stxeapbewbblp.com
82.141.230.155
stxeapbewbblp.in
208.86.225.38
stxeapbewbblp.info
50.116.35.158
vxvhwcixcxqxd.com
91.233.244.102
91.233.244.102 # C&C;Malicious Host;Malware Domain;Malware IP ,,26.1214008331,-80.1390991211
vxvhwcixcxqxd.com
91.233.244.102
91.233.244.102 # C&C;Malicious Host;Malware Domain;Malware IP ,,26.1214008331,-80.1390991211
vxvhwcixcxqxd.net
74.207.249.7
74.207.249.7 # C&C;Malicious Host;Malware IP;Malware Domain US,Absecon,39.4898986816,-74.4773025513
vyqhdtnsfrie.com
vyqhdtnsfrie.in
vyqhdtnsfrie.info
vyqhdtnsfrie.kz
vyqhdtnsfrie.net
xntppwufabzsr.com
127.0.0.1
cdqwwkndatvt.com
cdqwwkndatvt.in
cdqwwkndatvt.info
cdqwwkndatvt.kz
cdqwwkndatvt.net
cuojshtbohnt.com
91.233.244.102
91.233.244.102 # C&C;Malicious Host;Malware Domain;Malware IP ,,26.1214008331,-80.1390991211
cuojshtbohnt.kz
stxeapbewbblp.com
82.141.230.155
stxeapbewbblp.in
208.86.225.38
stxeapbewbblp.info
50.116.35.158
vxvhwcixcxqxd.com
91.233.244.102
91.233.244.102 # C&C;Malicious Host;Malware Domain;Malware IP ,,26.1214008331,-80.1390991211
vxvhwcixcxqxd.net
74.207.249.7
74.207.249.7 # C&C;Malicious Host;Malware IP;Malware Domain US,Absecon,39.4898986816,-74.4773025513
vyqhdtnsfrie.com
vyqhdtnsfrie.in
vyqhdtnsfrie.info
vyqhdtnsfrie.kz
vyqhdtnsfrie.net
xntppwufabzsr.com
127.0.0.1
hushedfeetApril 11, 2012 at 9:17 PM
one domain i didn't see in either of these sets:
sandra.prichaonica.com
Tera Gold CheapApril 16, 2012 at 3:36 AM
And two style appears almost especially ergo infant insert identical pattern dongling circumstance grain

joining collectively Pliage bag, in fact antiparasitage a is planned of genuine leather-

based joining collectively of of all types and become,ergo carriers one other is in fact a extremely

realistic PI cao printing design.

Pages

Wednesday, April 11, 2012

OSX Flashback URLs, Domains, etc

4 comments: