Friday, July 30, 2010

strange .info TLD domains

Looking for something that might attract my attention I found the following URL:

Although at first glance it may appear to be a nonsense URL, after googling further I found this message on the Symantec community blog, which says something about it:

It seems that this kind of domain is related to an array of C&C domains. As always, with Robtex it is possible to find something more, as shown in the following screenshot:

Something can also be found in the MalwareURL DB at the following URL:

As shown, it seems that these domain types are linked with the VB.AAG Trojan. The malicious URL appears in the form .info/DATA, but at this time the HTTP response is the following:

I think it can reasonably be understood that this could be a system to make detection harder for antivirus and IDS/IPS of threats that use these domain types; this naming convention also fits perfectly with JavaScript obfuscation.
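As an added example (not code from the original post), here is a small hunting script that looks for the behaviour described above in a web proxy log: many distinct .info hosts all requested with the same path /DATA by one client. The log lines are constructed, the Squid access.log field layout is an assumption, the .info hostnames are invented placeholders (not domains from the post), and the threshold of two distinct hosts per client is a tuning choice of mine:

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log in Squid access.log layout
# (timestamp elapsed client code/status bytes method url user hierarchy type).
# The .info hostnames are invented placeholders, not domains from the post.
SAMPLE_LOG = """\
1280400001.123 45 10.0.0.5 TCP_MISS/200 512 GET http://a1b2c3d4e5.info/DATA - DIRECT/192.0.2.10 text/html
1280400002.456 30 10.0.0.5 TCP_MISS/200 512 GET http://f6g7h8i9j0.info/DATA - DIRECT/192.0.2.11 text/html
1280400003.789 28 10.0.0.5 TCP_MISS/404 312 GET http://k1l2m3n4o5.info/DATA - NONE/- text/html
1280400004.012 20 10.0.0.7 TCP_HIT/200 4096 GET http://www.example.info/index.html - DIRECT/198.51.100.5 text/html
1280400005.345 22 10.0.0.7 TCP_MISS/200 1024 GET http://cdn.example.com/DATA - DIRECT/203.0.113.9 text/plain
1280400006.678 19 10.0.0.7 TCP_MISS/200 512 GET http://p6q7r8s9t0.info/DATA - DIRECT/192.0.2.12 text/html
"""

# Assumed Squid native log layout; adjust the pattern for other proxies.
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return (client, host, path, status) for one access.log line,
    or None if the line does not match the expected layout."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    return m.group("client"), host, parts.path, int(m.group("status"))


def is_suspect(host, path, tld=".info", marker="/DATA"):
    """The pattern from the post: a .info host fetched with path /DATA.
    The HTTP status is deliberately ignored: a 404 from a dead C&C domain
    still shows the client is infected and walking the domain array."""
    return host.endswith(tld) and path == marker


def find_domain_arrays(log_text, min_hosts=2):
    """Group suspect requests by client and return the clients that
    contacted at least `min_hosts` distinct suspect hosts (the 'array'
    behaviour). `min_hosts` is a tuning assumption, not a value from the post."""
    hosts_by_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, host, path, _status = rec
        if is_suspect(host, path):
            hosts_by_client[client].add(host)
    return {
        client: sorted(hosts)
        for client, hosts in hosts_by_client.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for client, hosts in find_domain_arrays(SAMPLE_LOG).items():
        print(f"{client} -> {len(hosts)} suspect .info/DATA hosts: {', '.join(hosts)}")
```

The status code is ignored on purpose: if the domains are rotated or taken down, the infected host keeps asking for them and a string of 404s on .info/DATA is as useful an indicator as a 200. The single-host hits (10.0.0.7 in the sample) are kept out of the default report to avoid flagging a legitimate .info site, but lowering `min_hosts` to 1 lists them too.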

Update (08/31/2010) Another one:

From Robtex:


Tuesday, July 27, 2010


Reading something about this trojan, which uses CVE-2010-2568 as its spreading vector, I found that
the binary is located at hxxxp:// The process tries to contact the following host:

From Robtex: