Wednesday, June 22, 2011

TDSS - SRVs list

I just found via Pastebin (http://pastebin.com/jWDhEfGB) a list of domains related to TDSS. The SRVs, according to this analysis (http://resources.infosecinstitute.com/tdss4-part-2/), are the C&C servers from which the bots receive commands. What sounds a bit strange is that the content of the paste above matches the syntax used in the rootkit's configuration file. Anyway, it is possible to count 2514 entries (or config files?). I simply sorted the domains reported, with the following result:

https://01n02n4cx00.cc/
https://01n02n4cx00.com/
https://01n20n4cx00.com/
https://0imh17agcla.com/
https://10n02n4cx00.com/
https://178.17.164.129/
https://178.17.164.92/
https://1il1il1il.com/
https://1l1i16b0.com/
https://34jh7alm94.asia
https://34jh7alm94.asia/
https://4gat16ag100.com/
https://4tag16ag100.com/
https://61.61.20.132/
https://61.61.20.135/
https://68.168.212.20/
https://68.168.212.21/
https://68b6b6b6.com/
https://69b69b6b96b.com/
https://7gaur15eb71.com/
https://7uagr15eb71.com/
https://86b6b6b6.com/
https://86b6b96b.com/
https://91.193.194.8/
https://91.212.226.67/
https://91.216.122.250/
https://9669b6b96b.com/
https://cap01tchaa.com
https://cap01tchaa.com/
https://cap0itchaa.com/
https://countri1l.com/
https://dg6a51ja813.com/
https://gd6a15ja813.com/
https://i0m71gmak01.com/
https://ikaturi11.com/
https://jna0-0akq8x.com/
https://ka18i7gah10.com/
https://kai817hag10.com/
https://kangojim1.com/
https://kangojjm1.com/
https://kur1k0nona.com/
https://l04undreyk.com/
https://li1i16b0.com/
https://lj1i16b0.com/
https://lkaturi71.com/
https://lkaturl11.com/
https://lkaturl71.com/
https://lo4undreyk.com/
https://n16fa53.com/
https://neywrika.in/
https://nichtadden.in/
https://nl6fa53.com/
https://nyewrika.in/
https://rukkeianno.com/
https://rukkeianno.in/
https://rukkieanno.in/
https://sh01cilewk.com/
https://sho1cilewk.com/
https://u101mnay2k.com/
https://u101mnuy2k.com/
https://xx87lhfda88.com/
https://zna61udha01.com/
https://zna81udha01.com/
https://zz87ihfda88.com/
https://zz87jhfda88.com/
https://zz87lhfda88.com/

Another interesting Google dork is "wsrv:=http://", which turns up another Pastebin link with a list of WSRV domains. The WSRVs are the handlers for the results of the search-provider activity on infected systems.
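Sorting the raw lines is a first pass, but the list above still carries near-duplicates (the same host with and without a trailing slash), mixes IP literals with domains, and contains many pairs that differ by only one or two characters (kangojim1 / kangojjm1, lkaturi71 / lkaturl71, 01n02n4cx00 / 01n20n4cx00). The following Python is an added example, not code from the original post or from the referenced analysis: it reduces URL lines of this shape to deduplicated host indicators, separates IPs from domains, and flags lookalike pairs by edit distance. The sample input is a constructed subset of the entries shown above, with a deliberate trailing-slash duplicate, so it runs offline; the same functions would work on the SRV and WSRV pastes.

```python
import ipaddress
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample in the same shape as the pasted list (a handful of the
# entries shown above, plus a deliberate trailing-slash duplicate), so the
# block runs offline without fetching anything.
SAMPLE_LINES = """\
https://01n02n4cx00.com/
https://01n20n4cx00.com/
https://178.17.164.129/
https://34jh7alm94.asia
https://34jh7alm94.asia/
https://kangojim1.com/
https://kangojjm1.com/
https://lkaturi71.com/
https://lkaturl71.com/
https://zz87lhfda88.com/
"""


def normalize_hosts(text):
    """Reduce each URL line to a lower-case host and drop exact repeats.
    'example.com' and 'example.com/' collapse to one indicator."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # urlsplit only finds a netloc when a scheme (or '//') is present.
        if "://" not in line:
            line = "//" + line
        host = urlsplit(line).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def split_ips_and_domains(hosts):
    """Separate IP literals (block at the network layer) from domains (DNS sinkhole)."""
    ips, domains = [], []
    for h in hosts:
        try:
            ipaddress.ip_address(h)
            ips.append(h)
        except ValueError:
            domains.append(h)
    return ips, domains


def edit_distance(a, b):
    """Plain Levenshtein distance; labels here are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_pairs(domains, max_distance=2):
    """Pairs of domains whose label (host minus the TLD) is within max_distance
    edits. Flags variants such as kangojim1 / kangojjm1 that a plain sort keeps
    apart, which is useful when deciding whether to block by pattern or by name."""
    pairs = []
    for a, b in combinations(domains, 2):
        la, lb = a.rsplit(".", 1)[0], b.rsplit(".", 1)[0]
        if edit_distance(la, lb) <= max_distance:
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    hosts = normalize_hosts(SAMPLE_LINES)
    ips, domains = split_ips_and_domains(hosts)
    print("unique hosts:", len(hosts))
    print("ip literals:", ips)
    print("domains:", domains)
    for a, b in lookalike_pairs(domains):
        print("lookalike:", a, "~", b)
```

The edit-distance threshold of 2 is an assumption for this list; it catches single substitutions and the transposed digit pair above, while keeping unrelated labels of similar length apart.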
