Tuesday, April 28, 2009

Malicious URLs *28-April-09*

Malicious link

Level 0>http://www.izhangye.com/
Level 1>http://www.izhangye.com/data/js/config.js
Level 2>http://bbg2.cn
Level 1>http://www.izhangye.com/include/js/common.js
Level 2>http://www.yiwucnc.com/xixi/coimg/t.js
Level 3>http://www.yiwucnc.com/xixi/coimg/tt.htm
Level 3>http://xyq.nge68.cn/1/09/index.htm?48
Level 4>http://count7.51much.com/cnt.php?uid=ua-1-12128&style=text&text=网站统计
Level 4>http://xyq.nge68.cn/1/09/index2.htm
Level 5>http://xyq.nge68.cn/1/09/js.css 9 (o)
Level 6>http://xyq.nge68.cn/1/09/r8122121.htm
Level 7>http://xyq.nge68.cn/1/09/real1.css (o)
Level 7>http://xyq.nge68.cn/1/09/real.css (o)
Level 7>http://xyq.nge68.cn/1/09/turl.css (o)
Level 8>http://s11.uwb4.com/1/ex.exe
Level 6>http://xyq.nge68.cn/1/09/r8bf.htm
Level 6>http://xyq.nge68.cn/1/09/r8xxz.htm
Level 6>http://xyq.nge68.cn/1/09/r8ff.htm
Level 6>http://xyq.nge68.cn/1/09/r8vod.htm
Level 6>http://xyq.nge68.cn/1/09/r8fl.htm
Level 6>http://xyq.nge68.cn/1/09/r814.htm
Level 5>http://xyq.nge68.cn/1/09/ccqm.htm
Level 6>http://s11.uwb4.com/1/activex.exe (o)

Level 1>http://www.izhangye.com/include/js/prototype.js
Level 1>http://www.izhangye.com/include/js/time.js
Level 1>http://www.izhangye.com/data/js.php?id=1
Level 1>http://www.izhangye.com/data/js.php?id=13
Level 1>http://www.izhangye.com/images/product2007sp6-1.swf (o)
Level 1>http://www.izhangye.com/data/js.php?id=14
Level 1>http://www.izhangye.com/data/js.php?id=15
Level 1>http://www.izhangye.com/data/js.php?id=16
Level 1>http://www.izhangye.com/data/js.php?id=17
Level 1>http://www.izhangye.com/data/js.php?id=11
Level 1>http://www.izhangye.com/data/js.php?id=18
Level 1>http://www.izhangye.com/data/js.php?id=19
Level 1>http://www.izhangye.com/data/js.php?id=20
Level 1>http://www.izhangye.com/ad.htm
Level 1>http://s37.cnzz.com/stat.php?id=998801&web_id=998801
Level 1>http://www.izhangye.com/include/js/std_stranjf.js

Reference: http://bbs.kafan.cn/thread-470278-1-1.html

Sunday, April 26, 2009

Panda Security Quarterly Report (Jan-March 09)

Hi, if you want to know what is happening with security trends and threats for Q1 09, get the free report from Panda Security. This is another good report to read while having a snack during tea break.

Most significant malicious code for Q1:
Conficker
Waledac on Valentine's Day

2009 Q1 Trends:
Sality.AO
Social Networks
Conficker
USB VACCINE
and AMTSO

Free PDF link:
http://www.pandasecurity.com/img/enc/Quarterly_Report_PandaLabs_Q1_2009.pdf


Note:If you think the information benefit to you, click on advertisement column to support me in order pay for domain fees.

Malicious URLs * 27-April-09*

Malicious Link
The malicious host.jpg is actually a hosts file:
hxxp: //ohyes88.com/xin/host.jpg



hxxp: //ohyes88.com/xin/xx.txt

hxxp: //2009kabasiji.com/xiao/qq1.exe
...........
hxxp: //2009kabasiji.com/xiao/qq36.exe



Saturday, April 25, 2009

MS09-014: MSIE EMBED element race condition memory corruption

Someone from Skypher disclosed a PoC for MS09-014 on their website and posted it on Milw0rm too. They disclosed it a few days after Microsoft released its April Security Bulletins. The PoC source code can be obtained from http://www.milw0rm.com/exploits/8479 and you can get the full details from http://skypher.com/index.php/2009/04/19/ms09-014-embed-element-memory-corruption/ as well.






PDF exploits in wild

As promised, I will be posting some material related to PDF exploits. Lots of malicious websites host and manipulate PDF exploits. The malicious links were planted inside some legitimate websites, and users will have no doubts when surfing and opening a PDF file that pops up in the browser.

A few old PDF exploits were identified that target vulnerabilities in version 9.0 and earlier versions of the Adobe Reader application.

Below is one example of the obfuscated JavaScript code inside the PDF. It takes two more deobfuscation steps to get the final malicious link. Only a few security vendors were able to detect the malicious file when it was submitted to the well-known free scanning website VirusTotal.



I will continue posting on PDF exploits in the coming days. Stay tuned...



Friday, April 24, 2009

Malicious URLs * 24-April-09*


URLs:
Other domains that share the same IP address:



Preventing PDF exploits in Acrobat Reader

After a significant quantity of malicious PDF files were found in the last few weeks, I personally feel the need to share some steps to reduce the risk of loading malicious PDF files when surfing the internet. These steps are just a temporary solution while waiting for new detections from your antivirus company.

Steps:
- Disable JavaScript in Acrobat Reader if you are using Acrobat Reader

- Prevent browsers from displaying PDFs within the browser

- Check for and update to the latest Acrobat Reader or Acrobat version

After this, I will share some ways to deobfuscate and view the PDF JavaScript, so please stay tuned.

Using another PDF reader as an alternative is recommended. You may check the list on the PDFreaders website [http://pdfreaders.org/].


Wednesday, April 15, 2009

Microsoft Security Bulletin April 09 Announced

As usual, Microsoft released its Patch Tuesday updates yesterday. The new patches consist of five critical patches, two important patches and one moderate patch. WordPad and Office Text Converters are the uncommon targets this month.

MS09-009 Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557)
MS09-010 Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
MS09-011 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
MS09-012 Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
MS09-013 Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
MS09-014 Cumulative Security Update for Internet Explorer (963027)
MS09-015 Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
MS09-016 Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759)

Related reference:
http://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx
http://blogs.technet.com/msrc/archive/2009/04/14/april-2009-monthly-bulletin-release.aspx
http://blogs.technet.com/srd/archive/2009/04/14/prioritizing-the-deployment-of-the-april-security-bulletins.aspx
http://www.microsoft.com/security/portal/sir.aspx
http://download.microsoft.com/download/0/c/0/0c040c8f-2109-4760-a750-96443fd14ef2/Understanding%20Malware%20Research%20and%20Response%20at%20Microsoft.pdf
http://download.microsoft.com/download/a/b/e/abefdf1c-96bd-40d6-a138-e320b6b25bd3/understandingantimalwaretechnologies.pdf

Tuesday, April 14, 2009

Adult site contains malware drive-by downloads

One adult site, ranked at about 31K in Alexa, contains drive-by downloads of malicious files for a PDF exploit and an SWF exploit. The malicious website has a timeout detection mechanism, which made it harder for me to analyze the malicious file further after a period of time. Working through the multiple obfuscation layers to get the URL link is a tedious and time-consuming process.

From early analysis, the JS script on that adult website is suspected to have been altered and contains a malicious link after unescaping, hence the malicious site contains something like this. It uses the ActiveX objects AcroPDF.pdf and PDF.PdfCtrl to detect PDF support and the ActiveX object ShockwaveFlash.ShockwaveFlash.9 for Flash SWF detection.



Based on the code above, it shows links to download a malicious PDF file and a malicious SWF file. Once the PDF file is opened, the JavaScript contained inside the PDF points to the same malicious website, downloads another malicious file and injects it using shellcode.







The conclusion here: please get the latest updates for your PDF reader and Flash. And remember to switch to the latest Firefox browser with the NoScript plugin installed.

Monday, April 13, 2009

Malware related links - 13 April

Layer 1 - http://993iie.cn/s33d301/s01.htm
Layer 2 - http://993iie.cn/s33d301/new.html
Layer 2 - http://993iie.cn/a.js
Layer 3 - http://993iie.cn/s33d301/fx.htm
Layer 4 - http://993iie.cn/s33d301/mlink.html
Layer 3 - http://993iie.cn/14.htm
Layer 4 - http://993iie.cn/14.js
Layer 5 - http://lujiji.com/ms.css
Layer 3 - http://993iie.cn/as.htm
Layer 4 - http://lujiji.com/as.css
Layer 3 - http://993iie.cn/Bfyy.htm
Layer 4 - http://993iie.cn/bff.js
Layer 4 - http://993iie.cn/bf.js
Layer 3 - http://993iie.cn/lzz.htm
Layer 4 - http://993iie.cn/lzz.js
Layer 3 - http://993iie.cn/real10.htm
Layer 3 - http://993iie.cn/real11.htm
Layer 3 - http://993iie.cn/cx.htm
Layer 4 - http://993iie.cn/xmybrx.js
Layer 4 - http://993iie.cn/s1
Layer 3 - http://993iie.cn/wewew.js

Other domains that share the same IP address with 993iie.cn:
->heromu.cn
->qj3344.cn
->www1.1144mu.cn


Finally got the PDF_stream_inflater tool

When I was struggling and scratching my head over how to analyze malicious PDFs, I found a tool developed by bobby that solved my problem. PDF_streams_inflater is a tool for extracting and decompressing zlib-compressed streams from PDF documents. The tool is available for different platforms: Linux, Windows and Mac.

It is also available as a Python script:

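    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    # xxx_pdf.py
    # Binjo @ 2008-10-10 16:41:08
    #-------------------------------------------------------------------------------
    import sys
    import zlib

    def main():
        """Print the inflated contents of every FlateDecode stream in a PDF."""
        with open(sys.argv[1], 'rb') as fh:
            xx = fh.read()

        while True:
            pos = xx.find(b'FlateDecode')
            if pos == -1:
                break
            xx = xx[pos + len(b'FlateDecode'):]
            sop = xx.find(b'stream')
            if sop == -1:
                break
            # The data begins after the end-of-line that follows 'stream'
            # (either LF or CR LF).
            start = sop + len(b'stream')
            if xx[start:start + 2] == b'\r\n':
                start += 2
            elif xx[start:start + 1] == b'\n':
                start += 1
            end = xx.find(b'endstream', start)
            if end == -1:
                break
            yy = xx[start:end]
            try:
                # decompressobj ignores the end-of-line left before 'endstream'
                out = zlib.decompressobj().decompress(yy)
            except zlib.error as err:
                # Not plain zlib data (another filter in the chain, or damage)
                print("\n[skipped stream: %s]" % err)
                continue
            print("\nhoooooooooooooo \n%s" % out.decode('latin-1'))
    #-------------------------------------------------------------------------------
    if __name__ == '__main__':
        main()
    #-------------------------------------------------------------------------------
    # EOF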


Reference:
http://www.woodmann.com/forum/archive/index.php/t-12097.html

Tools:
(Win32) http://www.mc-antivirus-test.com/modules/PDdownloads/singlefile.php?cid=6&lid=25
(Mac) http://www.mc-antivirus-test.com/modules/PDdownloads/singlefile.php?cid=7&lid=27
(Linux) http://www.mc-antivirus-test.com/modules/PDdownloads/singlefile.php?cid=5&lid=26
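
The script above inflates streams but does not say which ones deserve a closer look. The following is an added example, not part of the original post or of the PDF_streams_inflater tool: it walks the indirect objects of a PDF, inflates each FlateDecode stream, records which object a /JS key points to, and flags streams whose inflated text contains calls typical of packed script. The hint list, the function names and the sample document are constructed for illustration; a /JS value given as a literal string is not handled.

```python
import re
import zlib

# One indirect object: "N G obj ... endobj" (re.S because bodies hold binary data).
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"(.*?)stream\r?\n(.*)endstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
# Assumption: a short, constructed list of calls typical of packed script.
HINTS = (b"eval(", b"unescape(", b"String.fromCharCode(")

def inflate(raw):
    """Return inflated bytes, or None when the data is not valid zlib."""
    try:
        # decompressobj stops at the end of the zlib data, so the
        # end-of-line in front of 'endstream' does not cause an error.
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return None

def triage(pdf):
    """Return one report dict per indirect object found in the raw PDF bytes."""
    reports = []
    for m in OBJ_RE.finditer(pdf):
        s = STREAM_RE.match(m.group(2))
        head = s.group(1) if s else m.group(2)   # dictionary part of the object
        ref = JS_REF_RE.search(head)
        rep = {"obj": int(m.group(1)), "status": "no-stream", "hints": [],
               "js_ref": int(ref.group(1)) if ref else None}
        if s and b"/FlateDecode" in head:
            data = inflate(s.group(2))
            rep["status"] = "corrupt" if data is None else "inflated"
            rep["hints"] = [h.decode() for h in HINTS if h in (data or b"")]
        elif s:
            rep["status"] = "not-flate"
        reports.append(rep)
    return reports

def script_objects(reports):
    """Object numbers to read first: targets of /JS keys and streams with hints."""
    targets = {r["js_ref"] for r in reports if r["js_ref"] is not None}
    return sorted(targets | {r["obj"] for r in reports if r["hints"]})

def build_sample():
    """Constructed, harmless test document (not a sample from the post)."""
    script = b"var u = unescape('%68%69'); eval('app.alert(u)');"
    def stream(num, payload):
        return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\n"
                b"stream\n%s\nendstream\nendobj\n" % (num, len(payload), payload))
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n",
        stream(2, zlib.compress(script)),
        b"3 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n",
        stream(4, zlib.compress(b"BT (hello) Tj ET")),
        stream(5, b"garbage, not zlib"),
    ])

if __name__ == "__main__":
    for rep in triage(build_sample()):
        print(rep)
```

On a real file, read the bytes with open(path, 'rb').read() and pass them to triage(); a "corrupt" status usually means another filter sits in front of FlateDecode.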

Thursday, April 2, 2009

Botnet for Pharmaceutical and Counterfeit Goods

Below are lists of botnets that are still active, defrauding users with their products and stealing users' confidential personal information.

