Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks TNT.

    So people get pulled in by searching for some popular words like jacket on the search engines and when they click the link....BAM!

    I thought Google said recently it was going to block malicious sites.

    Maybe an email to the abuse department of each search engine would help?
    The way it is, the search engines are delivering irrelevant results.
    And worse, they are taking part in the distribution of malware!
     
    Last edited: Sep 3, 2006
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Maybe, but I wouldn't count on that. These people seem faster than the abuse department would ever be.
    For sure. And lots of that.
     
  3. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Updated PDF again.
     
  4. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    http://jodies.de/ipcalc
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I have noticed a new variant of this threat, scan results are interesting.
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Can you post them here? :D
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New domain: mufxggfi.com (for example hxxp://mufxggfi.com/page.php?55000... DO NOT VISIT if you're not sure about how well protected you are).

    So far:
    gromozon.com
    xearl.com
    mioctad.com
    td8eau9td.com
    cvoesdjd.com
    lah3bum9.com
    mufxggfi.com


    JavaScript loaders:
    js.gbeb.cc
    js.pceb.cc


    On a side note, it definitely seems they're getting rid of these last two "fixed" javascript loaders, preferring to include similar dynamic ones directly on the various domains/pages.
     
  9. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    mufxggfi.com
    195.225.177.148

    Same old IP range.
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yeah, the whole range should be blocked at the firewall. I can't think of a single reason why one would not want to firewall out the whole netcathost range.
     
  11. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    How do I calculate the mask to block 195.225.0.0 to 195.225.255.255?
     
  12. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    For these domains:
    gromozon.com
    xearl.com
    mioctad.com
    td8eau9td.com
    cvoesdjd.com
    lah3bum9.com


    This is the IP Range:
    195.225.176.0 - 195.225.179.255

    Depending on your firewall, Block:
    195.225.176.0/22
    OR:
    195.225.176.0/255.255.252.0
    OR:
    195.225.176.0 - 195.225.179.255

    I also added these:
    js.gbeb.cc
    js.pceb.cc


    This is the IP Range:
    85.255.112.0 - 85.255.127.255

    Depending on your firewall, Block:
    85.255.112.0/19
    OR:
    85.255.112.0/255.255.224.0
    OR:
    85.255.112.0 - 85.255.127.255
     
  13. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
  14. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    Could you please tell me what I include in my Zyxel router?

    Thx in advance.

    :)
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New domains: uv97vqm3.com, wlos.net. The first is on the same old netblock, but wlos.net is NOT!

    gromozon.com
    xearl.com
    mioctad.com
    td8eau9td.com
    cvoesdjd.com
    lah3bum9.com
    mufxggfi.com
    uv97vqm3.com
    wlos.net


    js.gbeb.cc
    js.pceb.cc
     
  16. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Code:
    <ip address/hostname>
    195.225.177.148
    uv97vqm3.com
    Host unreachable
    
    <net block>
    195.225.176.0 - 195.225.179.255
    
    <owner>
    NetcatHosting
    Ukraine
    * Abuse contacts: abuse@netcathost.com *
    
    <administrative contact>
    Vsevolod Stetsinsky
    01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
    phone: +38 050 6226676
    
    <technical contact>
    Vsevolod Stetsinsky
    01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
    phone: +38 050 6226676
    
    <additional data>
    NETCATHOST
    Source: whois.ripe.net
    
    *********************************************************
    
    <ip address/hostname>
    66.230.175.211
    wlos.net
    Host reachable, 300 ms. average
    
    <net block>
    66.230.175.0 - 66.230.175.255
    
    <owner>
    Phantographics LLC
    148 Clarence St
    Sydney
    NSW 2000
    Australia
    
    <technical contact>
    Balyukov, Dmitriy
    38-050-6226676
    netcat@easyxhost.com
    
    <name servers>
    NS1.EASYXHOST.COM
    NS2.EASYXHOST.COM
    
    <additional data>
    NCAT-2
    Created: 2004-06-04
    Updated: 2004-06-04
    Source: whois.arin.net
    
     
  17. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    :D They're playing a lot :D
     
  18. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Interesting blog on the Windows Encrypting File System (EFS) exploit
    hxxp://www.avertlabs.com/research/blog/?p=77
     
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New domain (on new netblock): xoboe.com (hxxp://xoboe.com/get_st.php?50007 - do not open if you don't know what you're doing!):

    Code:
    % Information related to '85.255.112.0 - 85.255.127.255'
    
    inetnum:        85.255.112.0 - 85.255.127.255
    netname:        inhoster
    descr:          Inhoster hosting company
    descr:          OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
    remarks:        -----------------------------------
    remarks:        Abuse notifications to: *****@inhoster.com
    remarks:        Network problems to: ***@inhoster.com
    remarks:        Peering requests to: *******@inhoster.com
    remarks:        -----------------------------------
    country:        UA
    org:            ORG-EST1-RIPE
    admin-c:        AK4026-RIPE
    tech-c:         AK4026-RIPE
    tech-c:         FWHS1-RIPE
    notify:         *******@bas-net.by
    notify:         *******@ydav.com
    status:         ASSIGNED PI
    mnt-by:         RIPE-NCC-HM-PI-MNT
    mnt-lower:      RIPE-NCC-HM-PI-MNT
    mnt-by:         RECIT-MNT
    mnt-routes:     RECIT-MNT
    mnt-domains:    RECIT-MNT
    mnt-by:         DAV-MNT
    mnt-routes:     DAV-MNT
    mnt-domains:    DAV-MNT
    changed:        *******@bas-net.by 20050916
    changed:        **********@ripe.net 20051026
    source:         RIPE
    
    organisation:   ORG-EST1-RIPE
    org-name:       INHOSTER
    org-type:       NON-REGISTRY
    remarks:        *************************************
    remarks:        * Abuse contacts: *****@inhoster.com *
    remarks:        *************************************
    address:        OOO Inhoster
    address:        Poltavskij Shliax 24, Xarkov,
    address:        61000, Ukraine
    phone:          +38 066 4633621
    e-mail:         *******@inhoster.com
    admin-c:        AK4026-RIPE
    tech-c:         AK4026-RIPE
    ref-nfy:        *******@ydav.com
    ref-nfy:        *******@inhoster.com
    mnt-ref:        DAV-MNT
    notify:         *******@ydav.com
    notify:         *******@inhoster.com
    mnt-by:         DAV-MNT
    changed:        *******@ydav.com 20050725
    source:         RIPE
    
    person:         Andrei Kislizin
    address:        OOO Inhoster,
    address:        ul.Antonova 5, Kiev,
    address:        03186, Ukraine
    phone:          +38 044 2404332
    nic-hdl:        AK4026-RIPE
    notify:         *******@inhoster.com
    notify:         *******@ydav.com
    changed:        *******@ydav.com 20050725
    source:         RIPE
    
    person:         Fast Web Hosting Support
    address:        01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 201.
    address:        UA
    phone:          +35 79 91 17 759
    e-mail:         *******@fwebhost.net
    nic-hdl:        FWHS1-RIPE
    changed:        *******@fwebhost.net 20060813
    source:         RIPE
    To block:

    gromozon.com
    xearl.com
    mioctad.com
    td8eau9td.com
    cvoesdjd.com
    lah3bum9.com
    mufxggfi.com
    uv97vqm3.com
    wlos.net
    xoboe.com


    js.gbeb.cc
    js.pceb.cc
     
  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Nothing seems to happen on that webpage, TNT (xoboe.com/get...). o_O I set NoScript to allow all JavaScript.
     
  21. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Use IE pykko, with Full Admin Rights and with Active Scripting and Active X enabled. :eek:
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    You need Active Scripting enabled in order to download files, but I would NOT advise having ActiveX enabled.

    Be warned: if you do, anything can and will be automatically installed on your computer, with potentially damaging consequences.

    I would also advise having your downloads set to prompt you beforehand. This is so that you are aware of them, and so that you can direct them into a new folder, such as one on your desktop, for quick and easy access and deletion if you so wish.
     
  23. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    With a default browser configuration, yes. But with some tweaking here and there, you'd be surprised at what you can do to prevent installation. ;)
     
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've tried with FF and of course sandboxed. :D What tweaks are you referring to, SirMalware?
     
  25. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New trojan executables are now loaded with different names: www.kpmoi.com, www.pictures.com (note that these are both executables loaded from the gromozon-related sites, not new domains). Detection of these on VirusTotal is pretty awful: only KAV, Antivir, Symantec and TheHacker recognized it.
     
    Last edited: Sep 24, 2006