Malc0de

Malc0de Database Update

JD — Tue, 23 Mar 2010 01:20:52 +0000

Initially malc0de.com was created to link domains that were serving the same executable. What I found out in a very short period of time is the binaries are updated so frequently that this becomes almost impossible. Storing the MD5 is still useful just not as useful as I originally thought. The only purpose malc0de.com is to store and keep track of domains that host malicious binaries.

I have recently made a few adjustments to the database which should speed up the queries. I have also linked the IP addresses to a good friend of mines newly created website www.malwaregroup.com. Think of it as a robtex for malware domains.

For example here we can find a domain hosting the Neosploit exploit pack. The domain is hosted on 75.125.212.58. By searching malwaregroup.com we can see domains hosted on the same IP that are named in a similar fashion and are most likely also hosting Neosploit or being staged.

The Command Structure of the Aurora Botnet

JD — Sun, 07 Mar 2010 04:56:16 +0000

A detailed write up describing the the command and control structure of the Aurora Botnet was recently released of by a security company called Damballa. The 31 page PDF which can be found here makes some interesting connections and is definitely worth reading.

Damballa’s findings concerning Operation Aurora can be summarized by the following:

 At the time the attack was first noticed by Google in December 2009, systems within at least 7 countries had already been affected. By the time Google made the public disclosure of the attack on January 12 2010, systems in over 22 countries had been affected and were attempting to contact the CnC servers – the top five countries being the United States, China, Germany, Taiwan and the United Kingdom.

 The Trojan.Hydraq malware, which has been previously identified as the primary malware used by the attackers, is actually a later staging of a series of malware used in the attacks which consisted of at least three different malware ‘families’. Two additional families of malware (and their evolutionary variants) have been identified, and they were deployed using fake antivirus infection messages tricking the victim into installing the malicious botnet agents.

 The attacks that eventually targeted Google can be traced back to July 2009, with what appears to be the first testing of the botnet by its criminal operators. The analysis identifies the various CnC testing, deployment, management and shutdown phases of the botnet CnC channels.

 The botnets used dozens of domains in diverse Dynamic DNS networks for CnC. Some of the botnets focused on victims outside of Google, suggesting that each set of domains might have been dedicated to a distinct class or vertical of victims.

 Some of the CnC domains appear to have been dormant for a period of time after they had infected a number of victim systems. This can occur after the botnet operator has updated the botnet malware with new (more powerful) variants or when the criminal operator sells/trades a segment of the botnet to another criminal operator.

 There were network artifacts that suggest that the botnet malware operating with the US-based victims’ networks made use of email services to extract the stolen data from the breached organizations.

 There is evidence that there were multiple criminal operators involved, and that the botnet operators were of an amateur level. The botnet has a simple command topology and makes extensive use of Dynamic DNS CnC techniques. The construction of the botnet would be classed as “old-school”, and is rarely used by professional botnet criminal operators today

Past 30 Days of Malicious Activity

JD — Tue, 23 Feb 2010 00:44:26 +0000

The past 30 days of data collected and stored in the malc0de database shows the United States is the top offender when it comes to domains hosting malware. The first graph represents how much malware was collected each day between 01/21/2010 – 02/21/2010. We can see a spike around Valentines days which can probably be attributed spam/malware taking advantage of the holiday. The dip on the 9th is likely related to something breaking so ignore that.

I thought it would also be interesting to create a graph based on which countries have hosted the most malware during the previous 30 days. I was a little surprised at the results seeing the United States at the top of the list with China coming in second place.

Keep in mind that this data only represents a tiny snapshot in the overall scheme of things and is specific to malware collected by malc0de.com.

Last but not least the list below represents the top ten binaries seen during the past 30 days.

Count – MD5
251 – 7981f884202bf9f50bb5cb9bf3adbeb1
200 – 105082712e5a14db357fb9432bc9ca22
198 – eeda586b324d69ebf6b537724ad122cb
178 – 1bf3bbfa188f1b8fd0ffc498be481d53
171 – eec01f6a39e56ae3efe0a9866ba09b33
125 – 9ec690317e2109169c371c81341ec3d3
82 – 4f4a22a1391fe11be2c9c9b77ded0949
75 – a1e96a96471e08dae17d0b9b6873d726
75 – a17a76e2f0f8343bbd4c49c9eaef83a3
67 – 1620ef6bb04e2ca548f3e7951f2a8a6f

The MD5′s above are all related to Trojan Koobface. If you are interested in tracking domains and IP’s contacted by or distributing Koobface click here for an updated list.

Zief.pl And Friends Distribute Trojan Virut

JD — Sun, 31 Jan 2010 15:49:43 +0000

Zief[dot]pl and a handful of other domains hosted on the same IP address (61.235.117.71) are currently attempting to distribute Trojan W32/Virut by using various client side exploits. The Trojan W32/Virut family is particularly nasty and consists of file infecting viruses that target and infect .EXE and .SCR files accessed on infected systems. Win32/Virut also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and run files on the infected computer.

Upon execution Win32/Virut will open a connection with one of the IRC servers over a non standard IRC port. This channel is used for communication allowing the attacker to control the machine or download additional malicious components onto the system.

One example:

Server: proxima.ircgalaxy.pl
Port: 65520
Channel: &virtu

What happened when Google visited this site?

Of the 42 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-01-30, and the last time suspicious content was found on this site was on 2010-01-30.Malicious software includes 738 exploit(s), 416 virus, 320 scripting exploit(s).

This site was hosted on 3 network(s) including AS4134 (China Telecom backbone), AS9394 (CRNET), AS38356 (TIMENET).

This campaign has been going on for more then 30 days from the same IP address hosted in China (big surprise).

inetnum: 61.235.117.0 – 61.235.117.255
netname: CRGdSzS
country: CN
descr: China Railcom Guangdong Shenzhen Subbranch
descr: Telecommunication Company
descr: Shenzhen City,Guangdong Province

All activity including timeframe, domains, md5s and IP’s can be found here.

**Update 02/27/2010**
A more detailed analysis of Trojan Virut can be found here. Thanks Nicolas Brulez for bringing this to my attention.

Fake UPS spam distributes Trojan Bredolab

JD — Wed, 13 Jan 2010 04:15:51 +0000

Early December I wrote about a fake DHL spam campaign which was found to be distributing Trojan Bredolab. The new spam campaign is very similar to the last but this time appears to be from UPS.

Example

Subject: UPS Tracking Number 5845190

“Hello!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service of America.

[attachment UPS_invoice_NR12944.zip"

VirusTotal results for the attachment can be found here. Domains known to be contacted by Trojan Bredolab listed below.

20091217:http://mmsfoundsystem.ru, 193.104.12.20
20091227:http://preflopp.com, 95.211.8.170
20100105:http://greatmoder.cn, 122.115.63.19
20100108:http://213.108.56.125, 213.108.56.125

BETA3 multi-format shellcode encoding tool

JD — Thu, 07 Jan 2010 01:31:41 +0000

BETA can convert raw binary shellcode into text that can be used in exploit source-code. It can convert raw binary data to a large number of encodings. It can also do the reverse: decode encoded data into binary from the same types of encodings. The official page where you can download it can be found here.

Koobface Blogspot Campaign Continues

JD — Tue, 22 Dec 2009 03:38:06 +0000

The distribution of Koobface through Google Blogspot continues. Detailed information documented by Jorge Mieres of Pistus Malware Intelligence can be found here. The quick version is 39 domains using Googles Blogspot service redirect unsuspecting users to other domains which deliver Koobface using social engineering tactics.

The domains being used for delivery starting showing up in early December and can be found here. A majority of the 350+ domains are being hosted in the United States using GoDaddys web hosting service.The domains are geographically dispersed around the globe using a variety of hosting providers which helps the attackers ensure a slow takedown.

Fake DHL Spam Distributes Bredolab

JD — Thu, 17 Dec 2009 20:20:09 +0000

Watch out for the fake DHL emails claiming your item wasn’t shipped.

e.g.

“Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services.”

The email contains the following attachment

“DHL_Office_Get_Your_Parcel_NR.4957.zip”

Which is detected as TrojanDownloader:Win32/Bredolab.AB. Win32/Bredolab is a downloader which is able to download and execute arbitrary files from a remote host. Additional information can be found here Currently this sample is detected by 27 out of 41 antivirus vendors.

List of Bredolab drop sites being used.

20091201:hxxp://greatmoder.cn, 125.65.110.46
20091201:hxxp://greatmoder.cn, 125.65.110.46
20091201:hxxp://statcount.cn, 218.93.205.228
20091201:hxxp://statcount.cn, 218.93.205.228
20091202:hxxp://greatmoder.cn, 125.65.110.46
20091202:hxxp://youaskedthedomain.cn, 91.213.126.93
20091203:hxxp://greatmoder.cn, 125.65.110.46
20091203:hxxp://youaskedthedomain.cn, 91.213.126.93
20091204:hxxp://greatmoder.cn, 125.65.110.46
20091204:hxxp://youaskedthedomain.cn, 91.213.126.93
20091205:hxxp://greatmoder.cn, 125.65.110.46
20091205:hxxp://youaskedthedomain.cn, 91.213.126.93
20091205:hxxp://youaskedthedomain.cn, 91.213.126.93
20091206:hxxp://91.213.126.93, 91.213.126.93
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://youaskedthedomain.cn, 91.213.126.93
20091206:hxxp://youaskedthedomain.cn, 91.213.126.93
20091207:hxxp://youaskedthedomain.cn, 91.213.126.93
20091207:hxxp://youaskedthedomain.cn, 91.213.126.93
20091207:hxxp://youaskedthedomain.cn, 91.213.126.93
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091208:hxxp://mmsfoundsystem.ru/, 193.104.12.20
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091217:hxxp://mmsfoundsystem.ru, 193.104.12.20

List of Zeus/Zbot Command and Control Servers

JD — Thu, 17 Dec 2009 04:26:14 +0000

Over the past few months there has been a number of ongoing spam campaigns that have been distributing Zeus/Zbot. You might have read about a few of them or you may have fallen victim. A good source of information regarding the zbot/zeus spam campaigns can be found here.

When Zbot/Zeus is executed it will drop a copy of itself in the system folder (c:/windows/system32). It also modifies the registry in order to execute each time Windows starts. Examples of which registry keys are added/modified can be found here

The bot uses covert methods of injecting additional fields into online Internet banking websites, asking users to answer questions that the authentic website would not ask. This information is then forwarded to a remote database silently in the background with the victim never realizing what happened. The image below is a graphical representation that gives you an idea how this works.

Example of injected HTML

Zbot/Zeus sends information and receives instructions by contacting specific IP’s that are hardcoded into the binary. From the samples I have seen the following file names are being used by zbot/zeus to phone home.

/rec.php
/ip.php
/config.bin
/cfg.bin
/cfg2.bin

Searching the malware database I maintain reveals a list of C&C servers geographically dispersed around the globe. The list of domains/IP’s is rather large so I just consolidated into a text file that can be found here. Converting the IP addresses to latitude and longitude generate the red dots on the map below which represent the C&C servers.

An updated list of domains distributing Zeus/Zbot can be found at the following link: malc0de.com Zbot Domains

Go Daddy Domains Serving Malware

JD — Wed, 02 Dec 2009 07:03:49 +0000

Looking at the past 3 days of data collected the popular web hosting company Go Daddy surfaced 36 times for being related to the distribution of malware. I have contacted abuse@godaddy.com so hopefully these domains will be shut down shortly. In reality its only a drop in the bucket but every little bit helps.

**Caution All Domains Below Are Malicious**

216.69.170.12, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://aaasublet.com/.sys/?getexe=fb.75.exe, 216.69.170.12
20091201:hxxp://aaasublet.com/.sys/?getexe=get.exe, 216.69.170.12
20091201:hxxp://aaasublet.com/.sys/?getexe=go.exe, 216.69.170.12
20091201:hxxp://aaasublet.com/.sys/?getexe=pp.12.exe, 216.69.170.12
20091201:hxxp://aaasublet.com/.sys/?getexe=v2prx.exe, 216.69.170.12
97.74.156.157, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://brooksinfotech.com/.sys/?getexe=fb.75.exe, 97.74.156.157
20091201:hxxp://brooksinfotech.com/.sys/?getexe=get.exe, 97.74.156.157
20091201:hxxp://brooksinfotech.com/.sys/?getexe=pp.12.exe, 97.74.156.157
20091201:hxxp://brooksinfotech.com/.sys/?getexe=v2prx.exe, 97.74.156.157
97.74.144.168, UNITED STATES, ARIZONA, GODADDY.COM INC
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091127:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091127:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091127:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
72.167.232.200, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://counterstrikefc.com/.sys/?getexe=fb.75.exe, 72.167.232.200
20091201:hxxp://counterstrikefc.com/.sys/?getexe=ff2ie.exe, 72.167.232.200
20091201:hxxp://counterstrikefc.com/.sys/?getexe=get.exe, 72.167.232.200
20091201:hxxp://counterstrikefc.com/.sys/?getexe=pp.12.exe, 72.167.232.200
20091201:hxxp://counterstrikefc.com/.sys/?getexe=v2prx.exe, 72.167.232.200
72.167.232.191, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://customizeyourstory.com/.sys/?getexe=fb.75.exe, 72.167.232.191
20091201:hxxp://customizeyourstory.com/.sys/?getexe=get.exe, 72.167.232.191
20091201:hxxp://customizeyourstory.com/.sys/?getexe=go.exe, 72.167.232.191
20091201:hxxp://customizeyourstory.com/.sys/?getexe=pp.12.exe, 72.167.232.191
20091201:hxxp://customizeyourstory.com/.sys/?getexe=v2prx.exe, 72.167.232.191
97.74.144.118, UNITED STATES, ARIZONA, GODADDY.COM INC
20091125:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091126:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091127:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=fb.75.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=get.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=pp.12.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=v2prx.exe, 97.74.144.118
20091201:hxxp://promed-net.com/css/absderce2.exe, 97.74.144.118
97.74.144.128, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://homemadesandwiches.com/.sys/?getexe=ff2ie.exe, 97.74.144.128
72.167.232.33, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://irentphotobooths.com/.sys/?getexe=fb.75.exe, 72.167.232.33
20091201:hxxp://irentphotobooths.com/.sys/?getexe=go.exe, 72.167.232.33
20091201:hxxp://irentphotobooths.com/.sys/?getexe=pp.12.exe, 72.167.232.33
20091201:hxxp://irentphotobooths.com/.sys/?getexe=v2prx.exe, 72.167.232.33
72.167.232.185, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://kickwithcolors.com/.sys/?getexe=fb.75.exe, 72.167.232.185
20091201:hxxp://kickwithcolors.com/.sys/?getexe=get.exe, 72.167.232.185
20091201:hxxp://kickwithcolors.com/.sys/?getexe=pp.12.exe, 72.167.232.185
20091201:hxxp://kickwithcolors.com/.sys/?getexe=v2prx.exe, 72.167.232.185
97.74.64.191, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://kronosagency.com/.sys/?getexe=fb.75.exe, 97.74.64.191
20091201:hxxp://kronosagency.com/.sys/?getexe=get.exe, 97.74.64.191
20091201:hxxp://kronosagency.com/.sys/?getexe=pp.12.exe, 97.74.64.191
20091201:hxxp://kronosagency.com/.sys/?getexe=v2prx.exe, 97.74.64.191
68.178.173.51, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://megabesucher.eu/.sys/?getexe=fb.75.exe, 68.178.173.51
20091201:hxxp://megabesucher.eu/.sys/?getexe=get.exe, 68.178.173.51
20091201:hxxp://megabesucher.eu/.sys/?getexe=go.exe, 68.178.173.51
20091201:hxxp://megabesucher.eu/.sys/?getexe=pp.12.exe, 68.178.173.51
20091201:hxxp://megabesucher.eu/.sys/?getexe=v2prx.exe, 68.178.173.51
97.74.144.197, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://missionoch.org/.sys/?getexe=fb.75.exe, 97.74.144.197
20091201:hxxp://missionoch.org/.sys/?getexe=get.exe, 97.74.144.197
20091201:hxxp://missionoch.org/.sys/?getexe=go.exe, 97.74.144.197
20091201:hxxp://missionoch.org/.sys/?getexe=pp.12.exe, 97.74.144.197
20091201:hxxp://missionoch.org/.sys/?getexe=tw.07.exe, 97.74.144.197
20091201:hxxp://missionoch.org/.sys/?getexe=v2prx.exe, 97.74.144.197
72.167.19.15, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://movehits.at/.sys/?getexe=fb.75.exe, 72.167.19.15
20091201:hxxp://movehits.at/.sys/?getexe=get.exe, 72.167.19.15
20091201:hxxp://movehits.at/.sys/?getexe=pp.12.exe, 72.167.19.15
20091201:hxxp://movehits.at/.sys/?getexe=v2prx.exe, 72.167.19.15
97.74.144.104, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://outtouch.org/.sys/?getexe=fb.75.exe, 97.74.144.104
20091201:hxxp://outtouch.org/.sys/?getexe=get.exe, 97.74.144.104
20091201:hxxp://outtouch.org/.sys/?getexe=go.exe, 97.74.144.104
20091201:hxxp://outtouch.org/.sys/?getexe=pp.12.exe, 97.74.144.104
20091201:hxxp://outtouch.org/.sys/?getexe=v2prx.exe, 97.74.144.104
97.74.211.187, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://patriotflag.org/.sys/?getexe=fb.75.exe, 97.74.211.187
20091201:hxxp://patriotflag.org/.sys/?getexe=get.exe, 97.74.211.187
20091201:hxxp://patriotflag.org/.sys/?getexe=go.exe, 97.74.211.187
20091201:hxxp://patriotflag.org/.sys/?getexe=pp.12.exe, 97.74.211.187
20091201:hxxp://patriotflag.org/.sys/?getexe=v2prx.exe, 97.74.211.187
72.167.232.74, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://peakgrouptravel.com/.sys/?getexe=fb.75.exe, 72.167.232.74
20091201:hxxp://peakgrouptravel.com/.sys/?getexe=get.exe, 72.167.232.74
20091201:hxxp://peakgrouptravel.com/.sys/?getexe=pp.12.exe, 72.167.232.74
20091201:hxxp://peakgrouptravel.com/.sys/?getexe=v2prx.exe, 72.167.232.74
72.167.232.186, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://pipelogicservices.com/.sys/?getexe=fb.75.exe, 72.167.232.186
20091201:hxxp://pipelogicservices.com/.sys/?getexe=go.exe, 72.167.232.186
20091201:hxxp://pipelogicservices.com/.sys/?getexe=pp.12.exe, 72.167.232.186
20091201:hxxp://pipelogicservices.com/.sys/?getexe=v2prx.exe, 72.167.232.186
97.74.144.118, UNITED STATES, ARIZONA, GODADDY.COM INC
20091125:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091126:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091127:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=fb.75.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=get.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=pp.12.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=v2prx.exe, 97.74.144.118
20091201:hxxp://promed-net.com/css/absderce2.exe, 97.74.144.118
97.74.144.88, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://robertomoran.com/.sys/?getexe=fb.75.exe, 97.74.144.88
20091201:hxxp://robertomoran.com/.sys/?getexe=get.exe, 97.74.144.88
20091201:hxxp://robertomoran.com/.sys/?getexe=pp.12.exe, 97.74.144.88
20091201:hxxp://robertomoran.com/.sys/?getexe=v2captcha.exe, 97.74.144.88
20091201:hxxp://robertomoran.com/.sys/?getexe=v2googlecheck.exe, 97.74.144.88
20091201:hxxp://robertomoran.com/.sys/?getexe=v2prx.exe, 97.74.144.88
97.74.50.246, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://runningguru.com/.sys/?getexe=fb.75.exe, 97.74.50.246
20091201:hxxp://runningguru.com/.sys/?getexe=get.exe, 97.74.50.246
20091201:hxxp://runningguru.com/.sys/?getexe=pp.12.exe, 97.74.50.246
20091201:hxxp://runningguru.com/.sys/?getexe=v2prx.exe, 97.74.50.246
72.167.232.177, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://ryanscarter.com/.sys/?getexe=fb.75.exe, 72.167.232.177
20091201:hxxp://ryanscarter.com/.sys/?getexe=get.exe, 72.167.232.177
20091201:hxxp://ryanscarter.com/.sys/?getexe=pp.12.exe, 72.167.232.177
20091201:hxxp://ryanscarter.com/.sys/?getexe=v2prx.exe, 72.167.232.177
97.74.144.91, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://speedysalesletter.com/.sys/?getexe=fb.75.exe, 97.74.144.91
20091201:hxxp://speedysalesletter.com/.sys/?getexe=get.exe, 97.74.144.91
20091201:hxxp://speedysalesletter.com/.sys/?getexe=pp.12.exe, 97.74.144.91
20091201:hxxp://speedysalesletter.com/.sys/?getexe=v2prx.exe, 97.74.144.91
72.167.232.171, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://str8upent.com/.sys/?getexe=fb.75.exe, 72.167.232.171
20091201:hxxp://str8upent.com/.sys/?getexe=get.exe, 72.167.232.171
20091201:hxxp://str8upent.com/.sys/?getexe=go.exe, 72.167.232.171
20091201:hxxp://str8upent.com/.sys/?getexe=pp.12.exe, 72.167.232.171
20091201:hxxp://str8upent.com/.sys/?getexe=v2prx.exe, 72.167.232.171
72.167.232.75, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://theraymondgallery.com/.sys/?getexe=fb.75.exe, 72.167.232.75
20091201:hxxp://theraymondgallery.com/.sys/?getexe=get.exe, 72.167.232.75
20091201:hxxp://theraymondgallery.com/.sys/?getexe=pp.12.exe, 72.167.232.75
20091201:hxxp://theraymondgallery.com/.sys/?getexe=v2prx.exe, 72.167.232.75
72.167.232.70, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://travelsigna.com/.sys/?getexe=fb.75.exe, 72.167.232.70
20091201:hxxp://travelsigna.com/.sys/?getexe=get.exe, 72.167.232.70
20091201:hxxp://travelsigna.com/.sys/?getexe=pp.12.exe, 72.167.232.70
20091201:hxxp://travelsigna.com/.sys/?getexe=v2prx.exe, 72.167.232.70
72.167.232.197, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://v-questtx.net/.sys/?getexe=fb.75.exe, 72.167.232.197
20091201:hxxp://v-questtx.net/.sys/?getexe=get.exe, 72.167.232.197
20091201:hxxp://v-questtx.net/.sys/?getexe=go.exe, 72.167.232.197
20091201:hxxp://v-questtx.net/.sys/?getexe=pp.12.exe, 72.167.232.197
20091201:hxxp://v-questtx.net/.sys/?getexe=v2prx.exe, 72.167.232.197
97.74.126.232, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.birdystudio.com/.sys/?getexe=fb.75.exe, 97.74.126.232
20091201:hxxp://www.birdystudio.com/.sys/?getexe=get.exe, 97.74.126.232
20091201:hxxp://www.birdystudio.com/.sys/?getexe=pp.12.exe, 97.74.126.232
20091201:hxxp://www.birdystudio.com/.sys/?getexe=v2prx.exe, 97.74.126.232
72.167.232.94, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.conference-professionals.com/.sys/?getexe=fb.75.exe, 72.167.232.94
20091201:hxxp://www.conference-professionals.com/.sys/?getexe=get.exe, 72.167.232.94
20091201:hxxp://www.conference-professionals.com/.sys/?getexe=pp.12.exe, 72.167.232.94
20091201:hxxp://www.conference-professionals.com/.sys/?getexe=v2prx.exe, 72.167.232.94
72.167.232.198, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.d-dmusic.com/.sys/?getexe=fb.75.exe, 72.167.232.198
20091201:hxxp://www.d-dmusic.com/.sys/?getexe=get.exe, 72.167.232.198
20091201:hxxp://www.d-dmusic.com/.sys/?getexe=go.exe, 72.167.232.198
20091201:hxxp://www.d-dmusic.com/.sys/?getexe=pp.12.exe, 72.167.232.198
20091201:hxxp://www.d-dmusic.com/.sys/?getexe=v2prx.exe, 72.167.232.198
97.74.127.146, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.emeraldsunarts.com/.sys/?getexe=fb.75.exe, 97.74.127.146
20091201:hxxp://www.emeraldsunarts.com/.sys/?getexe=get.exe, 97.74.127.146
20091201:hxxp://www.emeraldsunarts.com/.sys/?getexe=pp.12.exe, 97.74.127.146
20091201:hxxp://www.emeraldsunarts.com/.sys/?getexe=v2prx.exe, 97.74.127.146
72.167.232.210, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.fallsmediaproductions.com/.sys/?getexe=fb.75.exe, 72.167.232.210
20091201:hxxp://www.fallsmediaproductions.com/.sys/?getexe=get.exe, 72.167.232.210
20091201:hxxp://www.fallsmediaproductions.com/.sys/?getexe=pp.12.exe, 72.167.232.210
20091201:hxxp://www.fallsmediaproductions.com/.sys/?getexe=v2prx.exe, 72.167.232.210
72.167.232.118, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.integrastor.com/.sys/?getexe=fb.75.exe, 72.167.232.118
20091201:hxxp://www.integrastor.com/.sys/?getexe=get.exe, 72.167.232.118
20091201:hxxp://www.integrastor.com/.sys/?getexe=pp.12.exe, 72.167.232.118
20091201:hxxp://www.integrastor.com/.sys/?getexe=v2prx.exe, 72.167.232.118
97.74.141.128, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.onlinepcwizard.com/.sys/?getexe=fb.75.exe, 97.74.141.128
20091201:hxxp://www.onlinepcwizard.com/.sys/?getexe=go.exe, 97.74.141.128
20091201:hxxp://www.onlinepcwizard.com/.sys/?getexe=pp.12.exe, 97.74.141.128
20091201:hxxp://www.onlinepcwizard.com/.sys/?getexe=v2prx.exe, 97.74.141.128
72.167.232.86, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://yogaramatgan.com/.sys/?getexe=fb.75.exe, 72.167.232.86
20091201:hxxp://yogaramatgan.com/.sys/?getexe=get.exe, 72.167.232.86
20091201:hxxp://yogaramatgan.com/.sys/?getexe=pp.12.exe, 72.167.232.86
20091201:hxxp://yogaramatgan.com/.sys/?getexe=v2prx.exe, 72.167.232.86
97.74.144.168, UNITED STATES, ARIZONA, GODADDY.COM INC
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091127:htxx://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091127:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091127:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
72.167.232.205, UNITED STATES, ARIZONA, GODADDY.COM INC
20091126:hxxp://milantrezur.com/.sys/?getexe=pp.12.exe, 72.167.232.205
20091126:hxxp://milantrezur.com/.sys/?getexe=v2prx.exe, 72.167.232.205
20091129:hxxp://milantrezur.com/.sys/?getexe=pp.12.exe, 72.167.232.205
20091129:hxxp://milantrezur.com/.sys/?getexe=v2prx.exe, 72.167.232.205