betstarwager.cn/in.cgi?cocacola | Analysis |
bestlotron.cn/in.cgi?cocacola | Analysis |
denverfilmdigitalmedia.cn/in.cgi?cocacola | Analysis |
diettopseek.cn/in.cgi?cocacola | Analysis |
filmlifemusicsite.cn/in.cgi?cocacola | Analysis |
filmlifemusicsite.cn/ | Analysis |
filmtypemedia.cn/in.cgi?cocacola | Analysis |
litedownloadseek.cn/in.cgi?cocacola | Analysis |
litetopfindworld.cn/in.cgi?cocacola | Analysis |
litetoplocatesite.cn/in.cgi?cocacola | Analysis |
nanotopfind.cn/in.cgi?cocacola | Analysis |
promixgroup.cn/in.cgi?cocacola | Analysis |
yourliteseek.cn/in.cgi?cocacola | Analysis |
ghrgt.hostindianet.com/index.php | Analysis |
lieliteautobody.cn/load.php?id=4 [94.247.3.151] | Anubis - VirusTotal. Botnet C&C: 213.155.4.82. Anubis Family 1175580 |
ghrgt.hostindianet.com/cache/readme.pdf | Analysis |
zzzz.hostindianet.com/load.php?id=4 | Anubis - VirusTotal Botnet C&C: 213.155.4.80 78.109.30.224 |
Also cited on Dancho Danchev's blog here, in the series on iframed embassy websites (11 of them, including hostindianet[.]com).
hxxp://bigtopescorts.cn/in.cgi?id1000 (dead) | |
hxxp://cheapslotplay.cn/in.cgi?income48 | Redirect to exploit hxxp://hyperliteautoservices.cn/index.php (dead) but the trojan is still available on hyperliteautoservices.cn/load.php VirusTotal - Anubis |
hxxp://daddybigtop.cn | Loads trojan from hxxp://freeonlinehostguide.com/load.php (VirusTotal - Redirection Analysis - Anubis). Detection: Trojan-Downloader.Win32.Bredolab!IK, TR/Crypt.ZPACK.Gen, Trojan-Downloader.Win32.Bredolab, Trojan:Win32/Meredrop. Uses a stack overflow in Adobe Reader 8.1.2 (CVE-2008-2992) |
hxxp://educationbigtop.cn | VirusTotal Report (Bredolab) |
hxxp://freehostinternet.com | Loads trojan from hxxp://daddybigtop.cn/load.php (VirusTotal - Anubis). Detection: Trojan-Downloader.Win32.Bredolab. Connects to botnet: 213.155.6.33 |
hxxp://freeonlinehostguide.com/index.php | Loads trojan from hxxp://zzz.free.hostindianet.com/load.php?id=4 (VirusTotal - Javascript Analysis - Anubis). Detection: TR/Crypt.XPACK.Gen, Win32:Walpak, Win32/Kryptik.LI, Trojan.Waledac.Gen!Pac.8. It connects to a URL and drops the file "digiwet.dll". Botnet C&C: turokgame.cn [74.50.98.156], 94.247.2.95 and 78.109.30.224 |
hxxp://freewebhostguide.com | Symantec |
hxxp://greatbethere.cn | Loads trojan from hxxp://greatbethere.cn/load.php?id=4 (VirusTotal - Javascript Analysis - Anubis). Detection: TR/Crypt.XPACK.Gen, Win32:Walpak, Win32/Kryptik.LI, Trojan.Waledac.Gen!Pac.8. Uses a stack overflow in Adobe Reader 8.1.1 (CVE-2007-5659). It connects to a URL and drops the file "digiwet.dll". Botnet C&C: 213.155.6.32, 78.109.30.224 |
hxxp://hugetopnonfat.cn | dead |
hxxp://mediahomenamemartvideo.cn/in.cgi?income | Botnet C&C / redirects to exploit hxxp://hyperliteautoservices.cn/index.php (dead), but the trojan is still available on hyperliteautoservices.cn/load.php (VirusTotal - Redirection Analysis - Anubis) |
hxxp://hyperliteautoservices.cn | Redirects to exploit hxxp://hyperliteautoservices.cn/index.php, but the trojan is still available on hyperliteautoservices.cn/load.php (VirusTotal - Redirection Analysis - Anubis). Flash exploit is also live: Flash Analysis. Botnet C&C: 78.109.29.112 |
hxxp://lieliteautobody.cn (dead) | |
hxxp://liteautofinestsite.cn/load.php | Exploit not found, but the trojan is still there: hxxp://liteautofinestsite.cn/load.php |
hxxp://liteautogreatest.cn | Exploits hxxp://liteautogreatest.cn/cache/readme.pdf hxxp://liteautogreatest.cn/cache/flash.swf to load trojan on hxxp://liteautogreatest.cn/load.php VirusTotal - Redirection Analysis - Anubis Flash exploit is also live: Flash Analysis - VirusTotal Botnet C&C: 78.109.29.112 |
hxxp://liteautorepair.cn | Exploit to load trojan from zzzz.hostindianet.com/load.php?id=4 (VirusTotal - Redirection Analysis - Anubis). Detection: Trojan-Downloader.Win32.Bredolab. Botnet controller: 213.155.4.82 |
hxxp://litedownloadfinest.cn | Exploit to load trojan from zzzz.hostindianet.com/load.php?id=4 (VirusTotal - Redirection Analysis - Anubis). Detection: TrojanDownloader:Win32/Bredolab.B. Previous botnet controller: 78.109.29.112 |
hxxp://litehitscar.cn/index.php | Exploit to load trojan from hyperliteautoservices.cn/load.php?id=4 (VirusTotal - Redirection Analysis - Anubis). Detection: Trojan.Botnetlog.3. Botnets: 78.109.29.112, 78.109.30.224, 74.54.77.82 |
hxxp://lieliteautobody.cn/load.php | Exploit not found, but the trojan is still there: lieliteautobody.cn/load.php |
hxxp://liteupyourride.cn/ | Exploits hxxp://liteupyourride.cn/cache/readme.pdf and hxxp://liteupyourride.cn/cache/flash.swf to load trojan from hxxp://litehitscar.cn/load.php (VirusTotal - Anubis). PDF exploit is also live: PDF Analysis - VirusTotal. Botnet C&C: 78.109.29.112 |
hxxp://yournonfatbest.cn | Exploit to load trojan from farm-en-12san.hostindianet.com/load.php?id=4 (VirusTotal - Redirection Analysis - Anubis). Detection: TrojanDownloader:Win32/Bredolab.G. Botnets: 213.155.4.82, 78.109.30.224 |
hxxp://lotbetsite.cn | Exploit to load trojan from casinoslotbet.cn/load.php (Analysis - VirusTotal - Anubis - Flash Exploit Analysis). Detection: Trojan-Downloader.Win32.Bredolab. Botnet: 213.155.6.33 |
hxxp://hugetopnonfat.cn/in.cgi?id1000 | Javascript Analysis |
hxxp://PremiumNonfat.cn/all/ | dead |
hxxp://autobestwestern.cn/cache/readme.pdf | Exploit to load trojan from litehitscar.cn/load.php?id=5 (Analysis - VirusTotal - Anubis - Flash Exploit Analysis). Detection: TrojanDownloader:Win32/Bredolab.Q. Botnet: 78.109.29.112 |
hxxp://coolnameshop.cn/in.cgi?income | |
hxxp://cutlot.cn/in.cgi?income | Botnet C&C / Exploits to hxxp://liteautogreatest.cn/index.php (Analysis), then loads trojan located at hxxp://litehitscar.cn/load.php?id=5 (VirusTotal - Anubis). Botnets: 78.109.29.112, 78.109.30.224 |
hxxp://dotcomnameshop.cn | Botnet C&C |
hxxp://lotante.cn | Botnet C&C / Exploits to litehitscar.cn/index.php (Analysis), then loads trojan located at hyperliteautoservices.cn/load.php?id=4 (VirusTotal - Anubis). Botnets: 78.109.29.112, 78.109.30.224, 74.54.77.82 |
hxxp://lotbetworld.cn/in.cgi?income | Botnet C&C / Exploits to litehitscar.cn/index.php [94.247.3.151] (Analysis), then loads trojan located at hyperliteautoservices.cn/load.php?id=4 (VirusTotal - Anubis). Botnets: 78.109.29.112, 78.109.30.224, 74.54.77.82 |
hxxp://homenameregistration.cn | Botnet C&C / Exploits to 78.41.207.196/vertu/?t=5 (Analysis), then loads trojan located at 78.41.207.196 (Analysis) |
hxxp://hugetopnonfat.cn | Botnet C&C |
hxxp://dotcomnameshop.cn/in.cgi?income | Botnet C&C / Redirects to exploits hxxp://litehitscar.cn/index.php [94.247.3.151] (Redirection Analysis - Exploit analysis), then loads trojan located at hxxp://hyperliteautoservices.cn/load.php?id=4 (VirusTotal - Anubis). Botnets: 78.109.29.112, 78.109.30.224, 74.54.77.82 |
hxxp://japanhostnet.com/in.cgi?income | Botnet C&C / Redirects to exploits litehitscar.cn/index.php [94.247.3.151] (Redirection Analysis - Exploit analysis), then loads trojan located at hyperliteautoservices.cn/load.php?id=4 (VirusTotal - Anubis). Botnets: 78.109.29.112, 78.109.30.224, 74.54.77.82 |
hxxp://internetnamestore.cn/in.cgi?income18 | hyperliteautoservices.cn/index.php [94.247.3.151] Analysis |
hxxp://lotmachinesguide.cn/in.cgi?income | Redirects to exploits hxxp://liteautogreatest.cn/cache/readme.pdf and hxxp://liteautogreatest.cn/cache/flash.swf to load trojan from hxxp://liteautogreatest.cn/load.php (VirusTotal - Redirection Analysis - Anubis). Botnet C&C: 78.109.29.112 |
hxxp://mainnameshop.cn | Redirects to exploits sdfi.hostindianet.com/index.php (dead). Detection: Win32/Bredolab.B |
hxxp://mediahomenamemartvideo.cn | Botnet C&C down (TS v3.2) |
hxxp://mediahousenameshopfilm.cn | |
hxxp://nameashop.cn/in.cgi?income | On 2009-03-21 01:40:07 (Analysis): redirect to exploit on hxxp://sadcwed.hostindianet.com/index.php. On 2009-04-05 13:22:58 (Analysis): redirect to exploit on freeonlinehostguide.com/index.php (Analysis - VirusTotal - Anubis). Detection: Waledac, Kryptik.LI, Win32:Walpak, Trojan.Crypt.XPACK.Gen. It connects to a botnet and drops the file "digiwet.dll". Botnets: turokgame.cn [74.50.98.156], 94.247.2.95 and 78.109.30.224 |
hxxp://namebrandmart.cn/in.cgi?income18 | litehitscar.cn/load.php Analysis |
hxxp://namebuyline.cn | Analysis |
hxxp://namebuypicture.cn/in.cgi?income31 | Botnet C&C / redirects to exploit hyperliteautoservices.cn/index.php (dead), but the trojan is still available on hyperliteautoservices.cn/load.php (VirusTotal - Anubis - Analysis) |
hxxp://namesupermart.cn | Botnet C&C |
hxxp://namestorefilmlife.cn/in.cgi?income | Botnet C&C / Exploits to litehitscar.cn (Analysis), then loads trojan located at hyperliteautoservices.cn/load.php?id=4 (VirusTotal - Anubis) |
hxxp://perfectnamestore.cn/in.cgi?income8 | Redirects to exploit hyperliteautoservices.cn/index.php (dead), but the trojan is still available on hyperliteautoservices.cn/load.php (VirusTotal - Anubis) [94.247.3.151] |
hxxp://playbetwager.cn/in.cgi?income | freeonlinehostguide.com/index.php |
hxxp://superbetfair.cn/in.cgi?income | Botnet C&C / Exploits to litehitscar.cn (Analysis), then loads trojan located at hyperliteautoservices.cn/load.php?id=4 (VirusTotal - Anubis - Redirection Analysis). Detection: Trojan.Botnetlog.3 |
hxxp://thelotbet.cn | |
hxxp://yourfilmmovie.cn | Botnet C&C |
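The rows above mix defanged landing URLs (hxxp://, [.]), hosting IPs in square brackets and C&C IPs after a "Botnet"/"Botnets"/"Botnet controller" label, which makes them awkward to feed straight into a blocklist. The following script is an added example, not part of the original post: it parses rows in the page's own "url | notes |" layout into structured indicators, keeps C&C addresses apart from the IPs that merely host the exploit kit, and checks a log line against the result. The sample rows and the log line are constructed here for the example (they copy a few rows from the list above); the refang rules and the label regex are assumptions about this page's conventions, not a general IOC grammar.

```python
"""Turn the pipe-delimited IOC rows of this page into blocklists and a log check."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input in the page's own layout (rows copied from the list above).
SAMPLE_ROWS = """\
hxxp://cutlot.cn/in.cgi?income | Botnet C&C / Exploits to hxxp://liteautogreatest.cn/index.php then load trojan located hxxp://litehitscar.cn/load.php?id=5 Botnets: 78.109.29.112 - 78.109.30.224 |
hxxp://lotbetworld.cn/in.cgi?income | Exploits to litehitscar.cn/index.php [94.247.3.151] then load trojan located hyperliteautoservices.cn/load.php?id=4 Botnets: 78.109.29.112 - 78.109.30.224 74.54.77.82 |
hxxp://hugetopnonfat.cn | dead |
zzzz.hostindianet.com/load.php?id=4 | Botnet C&C: 213.155.4.80 78.109.30.224 |
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hosts on this page are .cn/.com names, optionally followed by a path (assumption for this page).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+(?:cn|com))(?:/[^\s|]*)?", re.I)
# C&C addresses follow one of the page's "Botnet..." labels; hosting IPs appear in [brackets].
CNC_RE = re.compile(r"(?:Botnets?(?: C&C| controller)?|Connects? to botnet):\s*(.*)$", re.I)


def refang(text):
    """Undo the page's defanging: hxxp:// -> http://, [.] -> ."""
    return text.replace("hxxp://", "http://").replace("[.]", ".")


def valid_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:  # e.g. an octet above 255 matched by the loose regex
        return False


@dataclass
class Indicator:
    landing: str                      # the refanged first column
    dead: bool                        # row marked "dead" by the author
    hosts: set = field(default_factory=set)
    cnc_ips: set = field(default_factory=set)   # IPs after a Botnet label
    hosting_ips: set = field(default_factory=set)  # every other IP in the row


def parse_row(row):
    """Parse one 'url | notes |' row; return None for empty or separator rows."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 2 or not cells[0]:
        return None
    landing = refang(cells[0])
    notes = refang(" ".join(cells[1:]))
    ind = Indicator(landing=landing, dead=bool(re.search(r"\bdead\b", notes, re.I)))
    for m in HOST_RE.finditer(landing + " " + notes):
        ind.hosts.add(m.group(1).lower())
    m = CNC_RE.search(notes)
    if m:
        ind.cnc_ips = {ip for ip in IPV4_RE.findall(m.group(1)) if valid_ip(ip)}
    ind.hosting_ips = {ip for ip in IPV4_RE.findall(notes) if valid_ip(ip)} - ind.cnc_ips
    return ind


def build_blocklists(text):
    """Aggregate all rows into deduplicated, sorted host and IP lists."""
    rows = [r for r in (parse_row(line) for line in text.splitlines()) if r]
    by_ip = ipaddress.ip_address
    return {
        "rows": rows,
        "hosts": sorted({h for r in rows for h in r.hosts}),
        "cnc_ips": sorted({ip for r in rows for ip in r.cnc_ips}, key=by_ip),
        "hosting_ips": sorted({ip for r in rows for ip in r.hosting_ips}, key=by_ip),
    }


def hits(log_line, lists):
    """Return the indicators from the lists that occur in one proxy/DNS log line."""
    tokens = {m.group(1).lower() for m in HOST_RE.finditer(log_line)}
    tokens |= set(IPV4_RE.findall(log_line))
    known = set(lists["hosts"]) | set(lists["cnc_ips"]) | set(lists["hosting_ips"])
    return tokens & known


if __name__ == "__main__":
    lists = build_blocklists(SAMPLE_ROWS)
    print("hosts:", lists["hosts"])
    print("C&C IPs:", lists["cnc_ips"])
    print("hosting IPs:", lists["hosting_ips"])
    # Constructed proxy log line for the check.
    print(hits("GET http://litehitscar.cn/index.php client=10.0.0.5 dst=78.109.29.112", lists))
```

Keeping the C&C set separate from the hosting set matters for response: the landing and exploit hosts in this list churn and die quickly (the author marks many rows "dead"), while the C&C addresses recur across rows, so they are the better candidates for an egress block or a detection rule.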