Wednesday, May 20, 2009

afcore - trying to analyze coreflood - part 0




Some network-related info:

The ThreatExpert analysis detected HTTP requests for the following URL:




Some notes:

At the time of writing the URL no longer appears to be active. A Google search suggests it has been active since 2008, and it shows up in several reports about other afcore variants.

Carrying out some tests using
the URL has been identified as a redirection, as shown below (note that the behavior is the same from a browser, from wget and from curl; the User-Agent is not important):

$ wget

=> `forum'
Connecting to||:80..
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://node3.border.znet/forum/ [following]
--xx:xx:xx-- http://node3.border.znet/forum/
=> `index.html'
Resolving node3.border.znet... failed: Unknown host.

Is node3.border.znet an "internal" coreflood node? Playing with the domain name and the TLD turned up the following: node3.border.znet obviously does not exist, but does exist. So what about ?

An HTTP GET request for redirects to the following web site:

The log of wget:

$ wget
=> `index.html'
Connecting to||:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: [following]
=> `'
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Cookie coming from attempted to set domain to
Length: unspecified [text/html]

[ <=> ] 81,810 53.44K/s

xx:xx:xx (53.34 KB/s) - `' saved [81810]
\search\registrar.php?

Is Coreflood related to financial stuff? Yes.
In the screenshot above we can see scam links about financial services.
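As an added example, not code from the original post, here is a small Python tracer that does what the two wget runs above do by hand: it follows the redirect chain one hop at a time without letting the client auto-follow, and it flags hosts that fail to resolve (as node3.border.znet did) and Set-Cookie headers that try to set a cookie for a domain other than the one that served the response (wget's "attempted to set domain to" warning). The hostnames, status codes and cookie in demo_chains() are constructed stand-ins for the URLs the post elides; live_fetch and live_resolve use only the standard library and can be pointed at a real URL from the command line.

```python
"""Trace an HTTP redirect chain hop by hop and flag analyst-relevant oddities.

Added example, not from the original post.  The hosts and responses in
demo_chains() are constructed; node3.border.znet is the only name taken
from the post itself.
"""
import http.client
import socket
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# A fetcher returns (status, headers, body) for ONE url and must not follow
# redirects.  Header keys are lowercase; values are lists so that repeated
# Set-Cookie headers are preserved.
Response = Tuple[int, Dict[str, List[str]], bytes]
Fetcher = Callable[[str], Response]
Resolver = Callable[[str], Optional[str]]

REDIRECT_CODES = (301, 302, 303, 307, 308)


def live_fetch(url: str, timeout: float = 10.0) -> Response:
    """Fetch one plain-http URL with http.client; never follows Location."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only plain http is handled in this example")
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": parts.netloc, "User-Agent": "Wget/1.11"})
    resp = conn.getresponse()
    headers: Dict[str, List[str]] = {}
    for key, value in resp.getheaders():
        headers.setdefault(key.lower(), []).append(value)
    body = resp.read()
    conn.close()
    return resp.status, headers, body


def live_resolve(host: str) -> Optional[str]:
    """Return an IPv4 address for host, or None when DNS fails (wget: Unknown host)."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def cookie_domain(set_cookie: str) -> Optional[str]:
    """Return the Domain= attribute of a Set-Cookie header (no leading dot), or None."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain":
            return value.strip().lstrip(".").lower()
    return None


def domain_matches(cookie_dom: str, host: str) -> bool:
    """RFC 6265 domain-match: host equals cookie_dom or is a subdomain of it."""
    host = host.lower()
    return host == cookie_dom or host.endswith("." + cookie_dom)


def trace_redirects(start_url: str, fetch: Fetcher, resolve: Resolver,
                    max_hops: int = 10) -> List[dict]:
    """Walk the chain from start_url; each hop records url, status, next location, flags."""
    hops: List[dict] = []
    url = start_url
    for _ in range(max_hops):
        host = urlsplit(url).hostname or ""
        hop = {"url": url, "status": None, "location": None, "flags": []}
        hops.append(hop)
        if resolve(host) is None:
            hop["flags"].append("unresolvable-host")  # stop here, like wget did
            break
        status, headers, _body = fetch(url)
        hop["status"] = status
        for set_cookie in headers.get("set-cookie", []):
            dom = cookie_domain(set_cookie)
            if dom and not domain_matches(dom, host):
                hop["flags"].append("foreign-cookie-domain")
        if status in REDIRECT_CODES and headers.get("location"):
            url = urljoin(url, headers["location"][0])  # Location may be relative
            hop["location"] = url
            continue
        break
    else:
        hops[-1]["flags"].append("too-many-hops")
    return hops


def demo_chains() -> Tuple[List[dict], List[dict]]:
    """Constructed offline stand-ins for the two wget runs in the post."""
    responses: Dict[str, Response] = {
        "http://first.example/forum": (301, {"location": ["http://node3.border.znet/forum/"]}, b""),
        "http://second.example/": (302, {"location": ["http://landing.example/"]}, b""),
        "http://landing.example/": (200, {"content-type": ["text/html"],
                                          "set-cookie": ["sid=abc; Domain=.tracker.example; Path=/"]},
                                    b"<html>parked</html>"),
    }
    resolvable = {"first.example", "second.example", "landing.example"}
    fetch: Fetcher = lambda u: responses[u]
    resolve: Resolver = lambda h: "192.0.2.1" if h in resolvable else None
    return (trace_redirects("http://first.example/forum", fetch, resolve),
            trace_redirects("http://second.example/", fetch, resolve))


if __name__ == "__main__":
    import json
    import sys
    chains = ([trace_redirects(sys.argv[1], live_fetch, live_resolve)]
              if len(sys.argv) > 1 else list(demo_chains()))
    for chain in chains:
        for hop in chain:
            print(json.dumps(hop))
```

Run it with no arguments to see the two constructed chains, or with a URL to trace a live one; the first chain stops at node3.border.znet with an "unresolvable-host" flag, the second ends in a 200 whose cookie is flagged as "foreign-cookie-domain". Keeping the fetcher free of automatic redirect handling is the point: a client that follows Location silently would have hidden both observations.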

Too many strange coincidences, but it may be a coincidence and nothing more.

Feedback is welcome.

