Thursday, December 27, 2012

Announce of Multiple Malware Domains Deactivation Progress - The "Operation Tango Down"

To all friends in Malware fighting area and all of the supporter and readers to our MalwareMustDie blog. We have a good news. Our fight against malwares leaps into a next brighter stage. Since all of posted malware cases in MalwareMustDie was not only analyzed, decoded, exposed its infectors layers to its CnC, but through the persistent dedication of our members, we also reported our cases to the authority accordingly and gain a good collaboration with them to receive a cooperation for deactivating of malware domains and its related CnC and infectors .

The established cooperation are well resulted. Herewith, from now on, we are releasing regular series of posts for the malware domains deactivation result upon cases we investigate and follow. The report will contain the list of blocked/suspended Domain Names, IPs, Malicious DNS servers, the bad actor's Registration ID, etc.

We called this operation as "Tango Down", managed by several project leaders. And here is the first official post of this series report.

In this report we'd like to announce two achievements we had during Christmas. The report will be continued in the second part with next detail on the currently on-going process of "Tango Down".

Here's the details:

1. Deactivation of severe .RU malware infector domains

Based on the posted analysis on below posted links (click the numbers to see details) [1] Analysis of Fake Facebook Notification redirect to BHEK & infecting Cridex Malware [2] Spam "You have been sent a file" + WordPress Redirector ... [3] ake Facebook Notification Leads to Cridex/PasswordStealer [4] "More" Spam to BHEK to Cridex; How they define, grab & send the credentials [5] Getting more "Personal" & Deeper into Cridex... [6] The Crime Still Goes On: Trojan Fareit Credential Stealer
We really appreciated the wonderful cooperation received from CERT-GIB - Computer Security Incident Response Team by Group-IB, the effort resulted to a successful deactivated below listed 32 infector domains, which are verdict-ed and proved its relation to the Blackhole Exploit Kit crime users who infect the victims using the Cridex Trojan to drop credentials stealer by using Trojan Fareit.:
genevaonline.ru
pelamutrika.ru  
aliamognoa.ru  
ahiontota.ru    
anifkailood.ru  
podarunoki.ru  
aseniakrol.ru  
publicatorian.ru
pitoniamason.ru
amnaosogo.ru    
aviaonlolsio.ru
dimarikanko.ru  
adanagenro.ru  
awoeionfpop.ru  
aofngppahgor.ru
aviaonlolsio.ru
ganalionomka.ru
publicatorian.ru
francese.ru
cinemaallon.ru
leberiasun.ru
somaliaonfloor.ru
panamechkis.ru  
apendiksator.ru
angelaonfl.ru
adanagenro.ru
antariktika.ru
aliamognoa.ru
apensiona.ru
anifkailood.ru
apolinaklsit.ru
sectantes-x.ru
Following the above achievement, we again thank you for the wonderful collaboration of CERT-GIB, with our front member @it4sec, the other cases posted as per below (click the number for details):
[1] On Daily Basis: DNS switch as anti-forensics feature in Malware
[2] VT Comment: FakeAV's (SUPERAntiSpyware.com) trojan downloader 
After being analyzed & proved as malware with PseudoRandom Domain/DGA callback to motherships which lead to a total 92 of .RU domains, the below list of domains was also successfully suspended, and I just confirmed its deactivation:
 opldkflyvlkywuec.ru
 bdprvpxdejpohqpt.ru
 ddkudnuklgiwtdyw.ru
 eefysywrvkgxuqdf.ru
 qphhsudsmeftdaht.ru
 yayfefhrwawquwcw.ru
 knauycqgsdhgbwjo.ru
 mouwwvcwwlilnxub.ru
 noqzuukouyfuyrmd.ru
 zatiscwwtipqlycd.ru
 rpckbgrziwbdrmhr.ru
 kzxrowftdocgyghs.ru
 ifrhgnqeeotnzrmz.ru
 xmwettbvtbhvrjuo.ru
 ymrhcvphevonympo.ru
 lavvckpordclbduy.ru
 sqwlonyduvpowdgy.ru
 febcbuyswmishvpl.ru
 hfveiooumeyrpchg.ru
 ifrhgnqeeotnzrmz.ru
 uqspvdwyltgcyhft.ru
 wzbdwenwshfzglwt.ru
 lccwpflcdjrdfjib.ru
 lccwpflcdjrdfjib.ru
 nvjgyermzsmynaeq.ru
 owekhoeuhmdiehrw.ru
 bkhyiqitpoxewhmt.ru
 iblpdiqdmmsbnuxb.ru
 ummxjwieppswcnrg.ru
 vmibswhnpqhqwyih.ru
 xndfbivuonkxfxrq.ru
 kbgsbqjugdqrgtdw.ru
 cldcrgtnuwvgnbfd.ru
 tykvyflnjhbnqpnr.ru
 gmokuosvnbkshdtd.ru
 imjosxuhbcdonrco.ru
 jnfrqmekhoevppvw.ru
 vygzhvfiuommkqfj.ru
 elxegvkalqvkyoxc.ru
 pwyloytoagndnrex.ru
 rxupwhkznihnxzqx.ru
 sxpskxdgoczvcjgp.ru
 flthmyjeuhdygshf.ru
 nbqypqrjiqxlfvdj.ru
 yrxysfyekjfooere.ru
 lfbovcaitdrjmkbe.ru
 mfwqdxgdpwiojrjp.ru
 ogrtlmpkqtwmweff.ru
 atsihkcljrqlzvku.ru
 fjgtmicxtlxynlpf.ru
 ifrhgnqeeotnzrmz.ru
 upmqpwyndzwzmmwy.ru
 vqhtwlshzzqsltcp.ru
 iekiyvsbtyozmmwy.ru
 ctolfpcqldrvxvml.ru
 hvuwhwqtoyidfrjg.ru
 gvztjrlasdnlbiei.ru
 uitjsdpvrfgfdhff.ru
 wiombejwxrddpkkx.ru
 jwqbrhwarzjrglbn.ru
 dujovshpvbxgrikw.ru
 pgmxykzlqomziebp.ru
 qhibjmjlnpyovmbn.ru
 shderldqiqdtdcmu.ru
 fufsbovwfzjumtle.ru
 fjgtmicxtlxynlpf.ru
 fqyyxagzkrpvxtki.ru
 rccjvgsgffokiwze.ru
 sdxkjaophbtufumx.ru
 tdsorylshsxjeawf.ru
 gqtcxunxhyujqjkf.ru
 oblcasnhxbbocpfj.ru
 bpnqmxkpxxgbdnby.ru
 cpittmwbqtjrjpql.ru
 dpewaddpoewiycnj.ru
 pchgijctfprxhnje.ru
 hrpgglxvqwjesffr.ru
 zfyafrjmmajqfvbh.ru
 lsbppxhgckolsnap.ru
 bhujzorkulhkpwob.ru
 eilqnjkoytyjuchn.ru
 qtmyeslmsoxkjbku.ru
 jrkjelzwleadyxsd.ru
 venrfhmthwpqlqge.ru
 ksgmckchdppqeicu.ru
 tmrtbcienxrbnsjc.ru
 xeeypppxswpquvrf.ru
 haqmuqqukywrcxfa.ru
 wejungvnykczyjam.ru
 fzsirujgdbvabrjm.ru
 eyxejlabqaytqmjx.ru
 rlvqmipovrqbmvqd.ru
These achievements was made by good collaboration between good guys and good communication with the people with the same strong willing to cleanup our beloved internet communication media from malwares, and ending up in a good result. We thank you very much to CERT-GIB for a tireless and wonderful work, to @it4sec his team and all of MalwareMustDie members involved to make this project runs & success.

The collaboration is continuing for the bigger portion of target for the near future. We will post the next result in the next series.

2. The shutdown of Malware Domains served by Malicious DNS

As per announced previously in the twitter, we exposed the other result of "Tango Down" operation, which aimed multiple infection of multiple scheme of malwares and exploit kit (mostly Blackhole Exploit Kits), which under lead by different member (@essachin).

The deactivated of the malware domains can be done through the collaboration between Domain Registrar related to the DNS service used for the malicious act. Previously we announced 140+ domains are suspended,


..but it looks like the list will be added by another NEW 120 domains shortly.
The current project's leader will post the analysis details in his blog which I will announce its link additionally here.
The latest result of this project is maintained here--->>[PASTEBIN]

(to be continued)

#MalwareMustDie!

No comments:

Post a Comment