MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

28.1.09

Danmec Bot, Fast-Flux networks and the recruitment of zombie PCs

Danmec, or Asprox, is the name of a trojan designed to recruit zombie machines while collecting confidential information from each of the victims it infects.

While the emergence of this trojan is not new, it now uses more complex strategies than those usually employed by other malicious code, including its own early variants, such as Fast-Flux techniques to evade detection by blocking programs and to infect as many computers as possible.

Currently, Fast-Flux networks are being massively and actively exploited by thousands of domains of Russian origin, reactivating the network created by the Danmec botnet.


Each of these domains hosts the following script, written in JavaScript and named script.js (MD5: ccec2c026a38ce139c16ae97065ccd91), which launches a Drive-by-Download:

The call made through the iframe tag points to a URL that is part of an active Fast-Flux network.

;google-analitycs.lijg.ru. IN A

;; ANSWER SECTION:
google-analitycs.lijg.ru. 600 IN A 68.119.39.129
google-analitycs.lijg.ru. 600 IN A 69.176.46.57
google-analitycs.lijg.ru. 600 IN A 71.12.89.233
google-analitycs.lijg.ru. 600 IN A 76.73.237.59
google-analitycs.lijg.ru. 600 IN A 97.104.40.246
google-analitycs.lijg.ru. 600 IN A 98.194.180.179
google-analitycs.lijg.ru. 600 IN A 146.57.249.100
google-analitycs.lijg.ru. 600 IN A 151.118.186.131
google-analitycs.lijg.ru. 600 IN A 165.166.236.74
google-analitycs.lijg.ru. 600 IN A 173.16.99.131
google-analitycs.lijg.ru. 600 IN A 173.17.180.79
google-analitycs.lijg.ru. 600 IN A 24.107.209.119
google-analitycs.lijg.ru. 600 IN A 24.170.188.201
google-analitycs.lijg.ru. 600 IN A 68.93.61.194

;; AUTHORITY SECTION:
lijg.ru. 339897 IN NS ns3.lijg.ru.
lijg.ru. 339897 IN NS ns2.lijg.ru.
lijg.ru. 339897 IN NS ns1.lijg.ru.
lijg.ru. 339897 IN NS ns5.lijg.ru.
lijg.ru. 339897 IN NS ns4.lijg.ru.

;; Query time: 263 msec
;; SERVER: 192.168.240.2#53(192.168.240.2)
;; WHEN: Sun Jan 25 20:31:57 2009
;; MSG SIZE rcvd: 356


Each of the domains mentioned above, in turn, forms a new Fast-Flux farm with its own group of mirror IP addresses.
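The dig answer above shows the three traits a defender can score without any external data: many A records for one name, a short TTL (600 seconds) and addresses scattered across unrelated networks. The following is an added example, not code from the original post, that applies those heuristics to a dig answer section; the sample records, the name and the thresholds are constructed assumptions for illustration.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed dig output with the same shape as the answer section in the post.
# The name and addresses are placeholders (RFC 2606 / RFC 5737), not real IoCs.
SAMPLE_FLUX = """\
;; ANSWER SECTION:
flux.example. 600 IN A 192.0.2.10
flux.example. 600 IN A 198.51.100.77
flux.example. 600 IN A 203.0.113.5
flux.example. 600 IN A 192.0.2.200
flux.example. 600 IN A 198.51.100.9
flux.example. 600 IN A 203.0.113.250
"""
# Constructed contrast case: a single long-lived address, as an ordinary host shows.
SAMPLE_STATIC = """\
;; ANSWER SECTION:
www.example. 86400 IN A 192.0.2.10
"""

# Matches one A record line: <name> <ttl> IN A <dotted-quad address>
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)


@dataclass
class FluxVerdict:
    records: int            # number of A records in the answer
    min_ttl: int            # shortest TTL seen (fast-flux keeps this small)
    distinct_networks: int  # number of different /16 prefixes the addresses fall in
    likely_fast_flux: bool


def assess(dig_output: str, max_ttl: int = 900, min_records: int = 5,
           min_networks: int = 3) -> FluxVerdict:
    """Score a dig answer section on record count, TTL and network spread.
    The thresholds are assumptions chosen for this example, not published values."""
    ttls, networks = [], set()
    for _name, ttl, ip in A_RECORD.findall(dig_output):
        ttls.append(int(ttl))
        # Collapse each address to its /16 so addresses in one provider count once.
        networks.add(ipaddress.ip_network(f"{ip}/16", strict=False))
    if not ttls:
        return FluxVerdict(0, 0, 0, False)
    verdict = (len(ttls) >= min_records and min(ttls) <= max_ttl
               and len(networks) >= min_networks)
    return FluxVerdict(len(ttls), min(ttls), len(networks), verdict)
```

Feeding the post's own answer section to assess() would flag it the same way: fourteen records, TTL 600 and addresses spread over many /16 networks.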

Fast-Flux is an advanced technique that, combined with others, is used for malicious purposes to propagate threats. This obliges us to remain cautious at all times.

Jorge Mieres
