Thursday, October 14, 2010

Some domains for the LICAT / Murofet / Trojan/ZBOT.B threat

Update (2 November): A deep and very interesting analysis from Trend Micro:

Update (15 October): ThreatExpert has released the domain name generation algorithm for MUROFET/Licat:

(14 October)
I have found some new domains involved in this threat as you can see in the following list:

A value of 333 for the “s” URL parameter downloads what is recognized as Trojan/ZBot.B (Symantec name), while a value of 111 stands for “get the Zeus 2.1 (as named by ZeusTracker) config file”. The drop zone is requested with the following syntax:


This malware seems to use a C&C domain name generation approach similar to the one used by Conficker. For example, the latest domain ( ) seems to have been registered for the 14 October 2010 malware activity, as reported by

The following Anubis binary analysis submission shows the behaviour of this malware:

and the ThreatExpert analysis with detection engine info:

The domains above seem to be hosted on the following IP address:

The following Robtex table makes it possible to retrieve other domains involved:

