Wednesday, May 20, 2009

afcore - trying to analyze coreflood - part 0

md5: 9054ce104254794fb0511d18bbe40ef5

VirusTotal:
http://www.virustotal.com/reanalisis.html?caf6f942e79dcaea76c2792959d52768

ThreatExpert:
http://www.threatexpert.com/report.aspx?md5=9054ce104254794fb0511d18bbe40ef5


Some network-related info:

The ThreatExpert analysis detected HTTP requests to the following URL:
http://secure.termobite.ws/forum/f7810f/44513dd/7c2891f/4/22b332c


robtex / whois / netcraft: lookup output was attached as images and is not reproduced in this copy.


Some notes:

At the time of writing the URL no longer appears to be active. A Google search suggests it has been in use since 2008, and it shows up in several reports on other afcore variants.

Carrying out some tests against the URL, a redirection was identified, as shown below (the behaviour is the same for a browser, wget and curl; the User-Agent is not important):

$ wget http://secure.termobite.ws/forum/

--xx:xx:xx-- http://secure.termobite.ws/forum
=> `forum'
Resolving secure.termobite.ws... 209.85.100.7
Connecting to secure.termobite.ws|209.85.100.7|:80..
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://node3.border.znet/forum/ [following]
--xx:xx:xx-- http://node3.border.znet/forum/
=> `index.html'
Resolving node3.border.znet... failed: Unknown host.

Is node3.border.znet an "internal" Coreflood node? The lookup fails simply because .znet is not a real TLD, so the name can never resolve from the public DNS. Playing with the domain name and the TLD, this turned up: node3.border.znet obviously does not exist, but node3.borderz.net (the same string with the dot shifted one character to the right) does. So what about it?
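As an added example (not code from the original post), the following Python script automates the two checks made above: it parses a wget transcript like the one quoted into its redirect hops, and for any host that failed to resolve or ends in an unknown TLD it generates the dot-shift candidates of which node3.border.znet -> node3.borderz.net is one instance. The embedded transcript is a constructed copy of the log above, and the TLD set is a deliberately short assumption; a real tool would load the IANA root zone list and then try to resolve each candidate.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a copy of the wget transcript quoted on this page
# (timestamps blanked out as in the original).
SAMPLE_WGET_LOG = """\
--xx:xx:xx-- http://secure.termobite.ws/forum
=> `forum'
Resolving secure.termobite.ws... 209.85.100.7
Connecting to secure.termobite.ws|209.85.100.7|:80...
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://node3.border.znet/forum/ [following]
--xx:xx:xx-- http://node3.border.znet/forum/
=> `index.html'
Resolving node3.border.znet... failed: Unknown host.
"""

# Assumption: a short TLD list that is enough for this post. A real tool
# would load the IANA root zone list instead of hard-coding these.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "ws", "ru", "cn", "de", "uk"}


@dataclass
class Hop:
    """One request in a wget transcript."""
    url: str
    host: str
    ip: Optional[str] = None
    status: Optional[int] = None
    location: Optional[str] = None
    resolve_failed: bool = False


# Line shapes printed by wget 1.x while following redirects.
HOP_RE = re.compile(r"^--.+?--\s+(\S+)")
RESOLVE_RE = re.compile(r"^Resolving (\S+?)\.\.\. (.+)$")
STATUS_RE = re.compile(r"awaiting response\.\.\. (\d{3})")
LOCATION_RE = re.compile(r"^Location: (\S+)")


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL (no scheme, path or port)."""
    no_scheme = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    return no_scheme.split("/")[0].split(":")[0].lower()


def parse_wget_log(text: str) -> List[Hop]:
    """Split a wget transcript into the sequence of requests it made."""
    hops: List[Hop] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(url=m.group(1), host=host_of(m.group(1))))
            continue
        if not hops:
            continue  # banner lines before the first request
        cur = hops[-1]
        m = RESOLVE_RE.match(line)
        if m:
            if m.group(2).startswith("failed"):
                cur.resolve_failed = True
            else:
                cur.ip = m.group(2).split()[0].rstrip(",")  # first address only
            continue
        m = STATUS_RE.search(line)
        if m:
            cur.status = int(m.group(1))
            continue
        m = LOCATION_RE.match(line)
        if m:
            cur.location = m.group(1)
    return hops


def dot_shift_candidates(host: str, known_tlds=KNOWN_TLDS) -> List[str]:
    """Move each dot one character left or right and keep the variants whose
    last label is a known TLD, e.g. node3.border.znet -> node3.borderz.net."""
    labels = host.split(".")
    variants = []
    for i in range(len(labels) - 1):
        left, right = labels[i], labels[i + 1]
        if len(right) > 1:  # dot moves right: first char of `right` joins `left`
            variants.append(".".join(labels[:i] + [left + right[0], right[1:]] + labels[i + 2:]))
        if len(left) > 1:   # dot moves left: last char of `left` joins `right`
            variants.append(".".join(labels[:i] + [left[:-1], left[-1] + right] + labels[i + 2:]))
    return [v for v in variants if v.rsplit(".", 1)[-1] in known_tlds]


def analyze(text: str, known_tlds=KNOWN_TLDS) -> Tuple[List[Hop], List[Tuple[str, List[str]]]]:
    """Return the redirect chain plus, for each host that did not resolve or
    carries an unknown TLD, the plausible dot-shift alternatives."""
    hops = parse_wget_log(text)
    findings = []
    for hop in hops:
        if hop.resolve_failed or hop.host.rsplit(".", 1)[-1] not in known_tlds:
            findings.append((hop.host, dot_shift_candidates(hop.host, known_tlds)))
    return hops, findings


if __name__ == "__main__":
    chain, suspects = analyze(SAMPLE_WGET_LOG)
    for h in chain:
        print(f"{h.host:28} ip={h.ip} status={h.status} -> {h.location}")
    for host, cands in suspects:
        print(f"{host}: unresolvable, try {cands}")
```

The candidate list is only a starting point: each name it proposes still has to be resolved and fetched, and a hit on a parked or unrelated domain (as with borderz.net below) proves nothing by itself.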

An HTTP GET request to node3.borderz.net redirects to the following web site:
http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark

The log of wget:

$ wget node3.borderz.net
--xx:xx:xx-- http://node3.borderz.net/
=> `index.html'
Resolving node3.borderz.net... 82.98.86.177
Connecting to node3.borderz.net|82.98.86.177|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark [following]
--xx:xx:xx-- http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark
=> `registrar.php@domain=borderz.net&registrar=sedopark'
Resolving sedoparking.com... 82.98.86.180
Connecting to sedoparking.com|82.98.86.180|:80... connected.
HTTP request sent, awaiting response... 200 OK
Cookie coming from sedoparking.com attempted to set domain to borderz.net
Length: unspecified [text/html]

[ <=> ] 81,810 53.44K/s

xx:xx:xx (53.34 KB/s) - `registrar.php@domain=borderz.net&registrar=sedopark' saved [81810]

[screenshot of sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark, not reproduced in this copy]

Is Coreflood related to financial stuff? YES. In the screenshot above we can see scam links about financial services. Note that borderz.net is parked at Sedo (the 302 above), so the page shown is the parking service's advertisement page rather than content served by whoever registered the domain.

Too many strange coincidences, but it may be a coincidence and nothing more.

Feedback is welcome.
