Sunday, December 16, 2012

Unrecognized URL Pattern Involving Malware Binaries

In the interest of keeping FPs to a minimum, I'm including the mooo.com domain in the patterns, but pull it out if you want to test your own site for FPs. This appears to be designed to deliver malware binaries and at this point I do not have anything further to share. I would keep an eye out for this one and please feed back any info to @fknsec #teamwork.


Pattern type 1:
mooo\.com\/\w{2,8}\d{3}\_\d{4}\.php\?\w{4,10}\=

Pattern type 2 (appears to be only binaries):
mooo\.com\/\?\w{2,9}\=[a-zA-Z0-9]{16,}
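
As an added example (not code from the original post), here is a small Python scanner that applies both patterns to constructed proxy-log lines, accepts defanged hxxp:// URLs, and adds a relaxed variant of pattern 2 that is my own assumption: the query values are URL-encoded base64-like text, so an escape such as %2F or a + can land inside the first 16 characters and defeat the strict alphanumeric class. The log layout, host labels and values below are constructed for the demo.

```python
import re

# Regexes from the post. The dot in "mooo.com" is escaped in both so it is a
# literal (pattern 2 as written leaves it as a wildcard); the redundant
# backslashes before "_" and "=" are dropped, which does not change matching.
PATTERN_1 = re.compile(r"mooo\.com/\w{2,8}\d{3}_\d{4}\.php\?\w{4,10}=")
PATTERN_2 = re.compile(r"mooo\.com/\?\w{2,9}=[a-zA-Z0-9]{16,}")

# Relaxed variant of pattern 2 (my assumption, not the post's): the query value
# looks like URL-encoded base64, so "%", "+" and "/" may appear inside it.
PATTERN_2_RELAXED = re.compile(r"mooo\.com/\?\w{2,9}=[a-zA-Z0-9%+/]{16,}")


def classify(url, relaxed=False):
    """Return 'type1', 'type2' or None for one URL; defanged hxxp:// is accepted."""
    url = url.replace("hxxp", "http", 1)
    if PATTERN_1.search(url):
        return "type1"
    if (PATTERN_2_RELAXED if relaxed else PATTERN_2).search(url):
        return "type2"
    return None


def scan_log(lines, relaxed=False):
    """Return (timestamp, client, url, kind) for each matching proxy-log line.

    Assumed log layout (constructed): "<timestamp> <client-ip> <url>".
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the sweep
        kind = classify(parts[2], relaxed)
        if kind:
            hits.append((parts[0], parts[1], parts[2], kind))
    return hits


# Constructed sample log (synthetic host labels and values, not the post's data).
SAMPLE_LOG = [
    "2012-12-14T10:01:02Z 10.0.0.5 http://www2.aaaabbbbcc.mooo.com/abcd123_4567.php?wxyz=QUJDREVGR0hJSktM",
    "2012-12-14T10:01:03Z 10.0.0.5 http://www2.aaaabbbbcc.mooo.com/?q1w2e3=abcdefghijklmnop01",
    "2012-12-14T10:01:04Z 10.0.0.6 http://www2.aaaabbbbcc.mooo.com/?zz=ab%2Fcdefghijklmnopq",
    "2012-12-14T10:01:05Z 10.0.0.7 http://www.example.com/index.php?id=1234567890abcdef",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, relaxed=True):
        print(hit)
```

The third sample line is the case the strict pattern 2 misses: it only fires once the relaxed class is used, so decide which behaviour you want before deploying.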


Pattern type 1 examples:



Pattern Type 2: Binary (as per Exploit Shield)

