[nsp-sec] fake av on AS48841, AS36351, AS13237, AS39823, AS174, AS29073, AS24940
Brian Eckman
eckman at umn.edu
Thu Jun 11 16:46:08 EDT 2009
Rob Thomas wrote:
> ----------- nsp-security Confidential --------
>
> Hi, Niels.
>
> Thanks for the heads-up!
>
>> 91.212.65.125
>
> Also watch out for:
>
> timestamp | dns_name | ip
> --------------------- ------------------------------ ---------------
> 2009-05-06 07:04:02 | advanedpromalwarescanner.com | 91.212.65.125
> 2009-05-03 19:21:05 | brabusautomoto.cn | 91.212.65.125
> 2009-05-05 23:51:52 | updatescentralsystem.com | 91.212.65.125
> 2009-05-01 00:28:00 | worldofwarcry.cn | 91.212.65.125
>
> We have 17 samples in our malware menagerie that point to 91.212.65.125.
<snip>
For that matter, watch out for (all of) 91.212.65.0/24
nicevideo44.com 91.212.65.35 Koobface
rnw.kz 91.212.65.133 Trojan Dropper
molo.tw 91.212.65.133 Trojan Dropper
crd.tw 91.212.65.133 Trojan Dropper
bro.tw 91.212.65.133 Trojan Dropper
hd.youpornz.net 91.212.65.49 TDSS
trucount3001.com 91.212.65.29 Unidentified-Armadillo
suptullog.com 91.212.65.148 Unidentified Exploit
A couple samples I submitted to Virustotal from this network today led
to 3/40 and 2/40 detection.
http://www.virustotal.com/analisis/18c2b17568d9a0b30266c95005afb51c25beea099b09418b3f6cb922833adb6c-1244752160
(loader.exe from hXXp://trucount3001.com/cgi-bin/exe1.pl?676) seemed to
mess up Virustotal - only 19 scanners wound up scanning it.
More Fake AV @ 91.212.65.125:
antimalwareinternetproscanv3.com
anti-malware-internet-scanv3.com
bestantiviruscheck2.com
Zbot hosting in 91.212.65.0/24, courtesy of https://zeustracker.abuse.ch/
91.212.65.11
91.212.65.12
91.212.65.13
91.212.65.58
91.212.65.64
91.212.65.74
91.212.65.75
91.212.65.97
91.212.65.145
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
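The posts above amount to a watch list: one /24 block plus the domain names and resolved addresses that were observed in it. As an added example (not part of this thread and not anyone's own tooling), the script below checks resolver log lines against exactly those indicators, matching subdomains of the listed names as well as any answer that falls inside 91.212.65.0/24. The four-column log format and the sample lines are constructed for the demonstration; the indicators themselves are copied from the thread.

```python
import ipaddress
from typing import Dict, List

# Indicators from the thread: the /24 block and the domain names the posts list.
BLOCK = ipaddress.ip_network("91.212.65.0/24")
DOMAINS = frozenset({
    "advanedpromalwarescanner.com", "brabusautomoto.cn",
    "updatescentralsystem.com", "worldofwarcry.cn", "nicevideo44.com",
    "rnw.kz", "molo.tw", "crd.tw", "bro.tw", "hd.youpornz.net",
    "trucount3001.com", "suptullog.com",
    "antimalwareinternetproscanv3.com", "anti-malware-internet-scanv3.com",
    "bestantiviruscheck2.com",
})

# Constructed sample resolver log (timestamp client qname answer), not real data.
# Clients and non-listed hosts use documentation/private ranges only.
SAMPLE_LOG = """\
2009-06-11T16:01:02 10.0.0.5 www.example.org 93.184.216.34
2009-06-11T16:01:09 10.0.0.7 trucount3001.com 91.212.65.29
2009-06-11T16:02:30 10.0.0.9 cdn.nicevideo44.com 91.212.65.35
2009-06-11T16:03:11 10.0.0.5 updates.vendor.example 198.51.100.20
2009-06-11T16:04:45 10.0.0.8 some-other-host.example 91.212.65.200
2009-06-11T16:05:00 10.0.0.8 broken.example not-an-ip
"""


def matches_domain(qname: str) -> bool:
    """True if qname equals, or is a subdomain of, a listed domain.

    The trailing dot and case are normalised so 'mail.BRO.TW.' still matches
    'bro.tw', while 'notbro.tw' does not (suffix match requires a dot).
    """
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in DOMAINS)


def in_block(ip: str) -> bool:
    """True if the answer address falls inside the watched /24; unparsable -> False."""
    try:
        return ipaddress.ip_address(ip) in BLOCK
    except ValueError:
        return False


def scan(log_text: str) -> List[Dict]:
    """Return one hit per log line that touches a listed domain or the /24.

    Each hit records the line number, client, query name, answer and the
    reasons it fired, so a responder can see which indicator matched.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines rather than crash
            continue
        _ts, client, qname, answer = parts
        reasons = []
        if matches_domain(qname):
            reasons.append("listed domain")
        if in_block(answer):
            reasons.append("answer in 91.212.65.0/24")
        if reasons:
            hits.append({"line": lineno, "client": client, "qname": qname,
                         "answer": answer, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['qname']} "
              f"({hit['answer']}): {', '.join(hit['reasons'])}")
```

Matching on the answer address as well as the name is what makes the /24 rule useful: the fifth sample line resolves a name that is on no list, yet it still lands in the watched block, which is exactly the case the "watch out for (all of) 91.212.65.0/24" advice is meant to catch.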