Comments on: Major Stealthy Malware Campaign – 711 Domains Taken Down http://www.martinsecurity.net/2009/12/08/major-stealthy-malware-campaign-711-domains-taken-down/ Viewing InfoSec from the trenches (formerly Real Security) Mon, 14 Dec 2009 07:06:01 +0000 hourly 1 http://wordpress.org/?v= By: Andrew from Vancouver http://www.martinsecurity.net/2009/12/08/major-stealthy-malware-campaign-711-domains-taken-down/comment-page-1/#comment-14142 Andrew from Vancouver Mon, 14 Dec 2009 07:06:01 +0000 http://www.martinsecurity.net/?p=427#comment-14142 The wgetdream.com is parked at GoDaddy after all, somehow. DNS cacheing, perhaps. The TLD servers return NXDOMAIN when queried. fk0.info and oy7.info are both registered with GoDaddy but have not been suspended. They are currently active. The wgetdream.com is parked at GoDaddy after all, somehow. DNS cacheing, perhaps. The TLD servers return NXDOMAIN when queried.

fk0.info and oy7.info are both registered with GoDaddy but have not been suspended. They are currently active.

]]> By: Andrew from Vancouver http://www.martinsecurity.net/2009/12/08/major-stealthy-malware-campaign-711-domains-taken-down/comment-page-1/#comment-14140 Andrew from Vancouver Mon, 14 Dec 2009 05:44:57 +0000 http://www.martinsecurity.net/?p=427#comment-14140 At least some of these are still active. Still active: hxxp://us.fk0.info/f/f.exe hxxp://us.oy7.info/f/1/cosplay.swf hxxp://goodfriend.wgreatdream.com/show.php The last update stamp in WHOIS for wgreatdream.com is December 7th 2009. There may have been several updates but the last result was certainly not GoDaddy suspending it. The .exe file above is a binary file but is not an executable. The .swf file is listed by Wepawet as malicious, but according to VirusTotal, only Microsoft detects it. http://wepawet.iseclab.org/view.php?hash=8e2a2167a9f34c1c0b9d7ac456aff807&type=swf http://www.virustotal.com/analisis/6804d14c311fc8a4b02a2b466b1e25fbd47a8cf87ae260e76972e486bcc72759-1260767519 At least some of these are still active. Still active:

hxxp://us.fk0.info/f/f.exe
hxxp://us.oy7.info/f/1/cosplay.swf
hxxp://goodfriend.wgreatdream.com/show.php

The last update stamp in WHOIS for wgreatdream.com is December 7th 2009. There may have been several updates but the last result was certainly not GoDaddy suspending it.

The .exe file above is a binary file but is not an executable. The .swf file is listed by Wepawet as malicious, but according to VirusTotal, only Microsoft detects it.

http://wepawet.iseclab.org/view.php?hash=8e2a2167a9f34c1c0b9d7ac456aff807&type=swf

http://www.virustotal.com/analisis/6804d14c311fc8a4b02a2b466b1e25fbd47a8cf87ae260e76972e486bcc72759-1260767519

]]>