Friday, July 30, 2010

strange .info TLD domains

Looking for something that might attract my attention I found the following URL:

9-4-1-0-1-4-1-1-1-0-.0-0-0-0-0-0-0-0-0-0-0-0-0-49-0-0-0-0-0-0-0-0-0-0-0-0-0.info

Although at first glance it may look like a nonsense URL, searching further I found this post on the Symantec Connect blog that says something about it:

http://www.symantec.com/connect/blogs/malware-infections

It seems that this kind of domain is related to an array of C&C domains. As always, with Robtex it is possible to find something more, as shown in the following screenshot:

Something can also be found in the MalwareURL DB at the following URL:

http://www.malwareurl.com/listing.php?domain=0-0-0-0-0-0-0-0-0-0-0-0-0-50-0-0-0-0-0-0-0-0-0-0-0-0-0.info

As shown, it seems that these domain types are linked with the VB.AAG Trojan. The malicious URL appears in the form .info/DATA, but at this time the HTTP response is the following:

I think it can reasonably be understood that this could be a system to make the detection of threats that use these domain types harder for antivirus and IDS/IPS; this naming convention also fits perfectly with JavaScript obfuscation.
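As an added example (not part of the original post), the following Python snippet shows one way a defender could flag query names of this style in DNS logs: it scores each DNS label by its hyphen count and by the share of very short hyphen-separated tokens, which is what both domains quoted in the post have in common. The log format and the thresholds are assumptions, and the last two log lines are constructed; the first two query names are the domains quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample DNS query log (hypothetical format: "<timestamp> <client> <qname>").
# The first two query names are the domains quoted in the post; the other two are constructed.
SAMPLE_DNS_LOG = """\
2010-07-30T10:01:02Z 10.0.0.5 9-4-1-0-1-4-1-1-1-0-.0-0-0-0-0-0-0-0-0-0-0-0-0-49-0-0-0-0-0-0-0-0-0-0-0-0-0.info
2010-07-30T10:01:05Z 10.0.0.5 a-b-c-d-e-f-g-h-i-j-k-l-m-n-o-p-q-r-s-t-u-v-w-x-y-z.info
2010-07-30T10:01:09Z 10.0.0.7 www.symantec.com
2010-07-30T10:01:12Z 10.0.0.9 my-company-site.info
"""

# Assumed thresholds: ordinary hostnames rarely have this many hyphens in one label,
# and almost never consist mostly of one- or two-character tokens.
HYPHEN_THRESHOLD = 8
SHORT_TOKEN_RATIO = 0.8

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def label_features(label: str) -> Tuple[int, float]:
    """Return (hyphen count, fraction of hyphen-separated tokens of length <= 2)."""
    tokens = label.split("-")
    hyphens = label.count("-")
    short = sum(1 for t in tokens if len(t) <= 2)
    return hyphens, short / len(tokens)


def is_suspicious_domain(domain: str) -> bool:
    """True if any label of the domain matches the hyphen-heavy, short-token pattern."""
    name = domain.rstrip(".").lower()
    for label in name.split("."):
        hyphens, short_ratio = label_features(label)
        if hyphens >= HYPHEN_THRESHOLD and short_ratio >= SHORT_TOKEN_RATIO:
            return True
    return False


def scan_dns_log(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose query name matches the heuristic."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        if is_suspicious_domain(m.group("qname")):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} suspicious qname: {hit['qname']}")
```

The heuristic is deliberately structural rather than a blocklist, so it also catches the letter-only variant in the update below the threshold of any single known indicator; tune the two constants against your own DNS baseline before using it for alerting, since a single long hyphenated label in a legitimate name would otherwise produce a false positive.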

Update (08/31/2010): Another one:

a-b-c-d-e-f-g-h-i-j-k-l-m-n-o-p-q-r-s-t-u-v-w-x-y-z.info

From Robtex:


Tuesday, July 27, 2010

Win32/Chymine.A

Reading something about this trojan, which uses CVE-2010-2568 as a spreading vector, I found that
the binary is located at hxxxp://205.209.171.119/bin.exe. The process tries to contact the following host:

imoges.dyndns.tv

From Robtex: