Archive for the ‘Malware’ Category

Koobface Blogspot Campaign Continues

The distribution of Koobface through Google Blogspot continues. Detailed information documented by Jorge Mieres of Pistus Malware Intelligence can be found here. The quick version: 39 domains using Google's Blogspot service redirect unsuspecting users to other domains, which then deliver Koobface using social engineering tactics.

The domains being used for delivery started showing up in early December and can be found here. A majority of the 350+ domains are hosted in the United States on GoDaddy's web hosting service. The rest are geographically dispersed around the globe across a variety of hosting providers, which helps the attackers ensure a slow takedown.

Fake DHL Spam Distributes Bredolab

Watch out for the fake DHL emails claiming your item wasn’t shipped.

e.g.

“Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services.”

The email contains the following attachment:

“DHL_Office_Get_Your_Parcel_NR.4957.zip”

The attachment is detected as TrojanDownloader:Win32/Bredolab.AB. Win32/Bredolab is a downloader that is able to download and execute arbitrary files from a remote host. Additional information can be found here. Currently this sample is detected by 27 out of 41 antivirus vendors.

List of Bredolab drop sites being used.

List of Zeus/Zbot Command and Control Servers

Over the past few months there have been a number of ongoing spam campaigns distributing Zeus/Zbot. You might have read about a few of them, or you may have fallen victim. A good source of information regarding the Zbot/Zeus spam campaigns can be found here.

When Zbot/Zeus is executed it drops a copy of itself in the system folder (C:\Windows\system32). It also modifies the registry so that it executes each time Windows starts. Examples of the registry keys that are added or modified can be found here.

The bot covertly injects additional fields into online banking websites, asking users to answer questions that the authentic website would never ask. The answers are then forwarded silently in the background to a remote database, with the victim never realizing what happened. The image below is a graphical representation of how this works.

Example of injected HTML


Zbot/Zeus sends information and receives instructions by contacting specific IPs that are hard-coded into the binary. In the samples I have seen, the following file names are used by Zbot/Zeus to phone home:

/rec.php
/ip.php
/config.bin
/cfg.bin
/cfg2.bin

Searching the malware database I maintain reveals a list of C&C servers geographically dispersed around the globe. The list of domains/IPs is rather large, so I consolidated it into a text file that can be found here. Converting the IP addresses to latitude and longitude generates the red dots on the map below, which represent the C&C servers.
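A defender-side check built from the two observations above: the phone-home paths listed and the fact that the C&C addresses are hard-coded IPs. This is an added example, not code from the blog; it scans Squid-style proxy log lines (constructed samples using RFC 5737 documentation addresses) and flags requests for those paths, rating a bare-IP host higher than a hostname because the latter is more likely to be a benign site with a generically named file.

```python
import re
from ipaddress import ip_address

# URI paths the post lists as used by Zbot/Zeus to phone home.
ZBOT_PATHS = {"/rec.php", "/ip.php", "/config.bin", "/cfg.bin", "/cfg2.bin"}

# Pull host (optionally with port) and path out of the first http(s) URL on
# the line; the query string is dropped so "/ip.php?x=1" still matches.
URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/[^\s?]*)?")


def is_bare_ip(host):
    """True when the URL host is a literal IP address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return (severity, host, path) for one proxy log line.

    severity is "high" for a phone-home path fetched from a bare IP (the
    hard-coded-IP behaviour described in the post), "medium" for the same
    path on a hostname (these names are generic enough to occur on benign
    sites), and None when the line is not of interest.
    """
    m = URL_RE.search(line)
    if not m:
        return None, None, None
    host, path = m.group(1), (m.group(2) or "/")
    if path.lower() not in ZBOT_PATHS:
        return None, host, path
    return ("high" if is_bare_ip(host) else "medium"), host, path


def scan(lines):
    """Scan an iterable of log lines and return the alerts as a list."""
    alerts = []
    for line in lines:
        severity, host, path = classify(line)
        if severity is not None:
            alerts.append((severity, host, path))
    return alerts


# Constructed Squid-style access log lines; the addresses are RFC 5737
# documentation ranges, not real C&C servers.
SAMPLE_LOG = """\
1259700001.123 45 10.0.0.7 TCP_MISS/200 1320 GET http://203.0.113.5/config.bin - DIRECT/203.0.113.5 application/octet-stream
1259700002.456 12 10.0.0.7 TCP_MISS/200 340 POST http://203.0.113.5/rec.php - DIRECT/203.0.113.5 text/html
1259700003.789 8 10.0.0.9 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/198.51.100.3 text/html
1259700004.012 9 10.0.0.9 TCP_MISS/200 220 GET http://stats.example.net/ip.php?x=1 - DIRECT/198.51.100.9 text/plain
""".splitlines()

if __name__ == "__main__":
    for severity, host, path in scan(SAMPLE_LOG):
        print(f"{severity:<6} {host} {path}")
```

Feeding a real access log through `scan()` line by line gives the same tuples; the `medium` hits are the ones to review against the C&C list before acting.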

An updated list of domains distributing Zeus/Zbot can be found at the following link:  malc0de.com Zbot Domains

Go Daddy Domains Serving Malware

Looking at the past 3 days of collected data, the popular web hosting company Go Daddy surfaced 36 times in connection with the distribution of malware. I have contacted [email protected], so hopefully these domains will be shut down shortly. In reality it's only a drop in the bucket, but every little bit helps.
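The drop-site and domain lists on this blog use one record per line in the form `YYYYMMDD:hxxp://url, IP`, with repeated records and the occasional hand-typed scheme such as `htxx://`. As an added example (not the blog's own tooling), the following parser collapses duplicates and groups records by hosting IP, which is how a per-provider count like the one above is produced; the sample records are constructed with documentation addresses and placeholder hosts.

```python
import re
from collections import defaultdict

# One record per line: YYYYMMDD:hxxp://host/path, IPv4. "hxxp" is the usual
# defanging of the scheme; "htxx" is a hand-typed variant that also appears.
RECORD_RE = re.compile(
    r"^(?P<date>\d{8}):\s*(?P<url>\S+),\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
SCHEME_RE = re.compile(r"^(?:hxxps?|htxx|https?)://", re.IGNORECASE)


def host_of(url):
    """Strip the (defanged) scheme and return the bare host, lower-cased."""
    return SCHEME_RE.sub("", url).split("/", 1)[0].lower()


def summarize(lines):
    """Collapse duplicate records and group the rest by hosting IP.

    Returns (summary, rejects): summary maps each IP to its distinct hosts,
    first/last sighting date and number of distinct records; rejects holds
    the lines that did not parse, so bad input is not silently dropped.
    """
    by_ip = defaultdict(lambda: {"hosts": set(), "first": None, "last": None, "hits": 0})
    seen = set()
    rejects = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            rejects.append(line)
            continue
        date, ip = m["date"], m["ip"]
        # Exact repeats (same date, URL and IP) count once; a trailing "/" is
        # not a different drop site.
        key = (date, m["url"].rstrip("/"), ip)
        if key in seen:
            continue
        seen.add(key)
        entry = by_ip[ip]
        entry["hosts"].add(host_of(m["url"]))
        entry["first"] = date if entry["first"] is None else min(entry["first"], date)
        entry["last"] = date if entry["last"] is None else max(entry["last"], date)
        entry["hits"] += 1
    summary = {ip: {**e, "hosts": sorted(e["hosts"])} for ip, e in by_ip.items()}
    return summary, rejects


# Constructed records in the blog's format; hosts and IPs are documentation
# placeholders, not the indicators from the post. Lines 1 and 2 are repeats.
SAMPLE = """\
20091201:hxxp://dropper-a.example, 192.0.2.10
20091201:hxxp://dropper-a.example, 192.0.2.10
20091202:hxxp://dropper-a.example/, 192.0.2.10
20091203:hxxp://dropper-b.example/.sys/?getexe=x.exe, 192.0.2.20
20091204:htxx://dropper-c.example/counter/e.php?x=pdf, 192.0.2.20
this line is garbage
""".splitlines()

if __name__ == "__main__":
    summary, rejects = summarize(SAMPLE)
    for ip, e in sorted(summary.items()):
        print(ip, e["hits"], e["first"], e["last"], ",".join(e["hosts"]))
    print("unparsed:", len(rejects))
```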

promed-net[dot]com acting as malware distribution point

The domain promed-net[dot]com, which is currently registered/hosted with Go-Daddy, has been acting as a malware distribution point for at least the past 30 days, serving malware such as Win32.Krap.ah and Trojan:Win32/Hiloti.genA. I've also seen this domain participating in several of the many ongoing Trojan Zeus/Zbot spam campaigns, the latest being fake CDC emails claiming you need to set up an H1N1 profile.

Example

“You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people”

If you happen to click the link, the notorious Trojan Zbot is installed on your system and then contacts promed-net[dot]com to install additional malware. One example can be seen in this ThreatExpert report. More information can be found here.
