The current suspension is the result of good coordination between the security researchers who spotted the threat, our PiC in charge (thanks to @essachin) and the related registrar, who helped carry out the suspension and banning procedure accordingly. We take the short lead time in following up this suspension as a good sign that more malware domains can be shut down in the future.
Here we go:
1. Suspension of 22 domains of Sweet Orange EK malware infector

OP Name: #OperationOrangeTart

Thank you for the cooperation of the related registrar!

The evidence/analysis related to the threat:
Sweet Orange EK infection analysis --> here
Verdict: [1] URLQuery --> here [2] URLQuery --> here [3] URLQuery --> here

Suspended domains: #MalwareMustDie!
widgetcolorq1.biz
widgetcolorq2.biz
widgetcolorq3.biz
widgetcolorq4.biz
widgetcolorq5.biz
widgetcolorq6.biz
widgetcolorq7.biz
widgetcolorq8.biz
widgetcolorq9.biz
widgetcolorq10.biz
familyteapie1.biz
familyteapie2.biz
familyteapie3.biz
familyteapie4.biz
familyteapie5.biz
familyteapie6.biz
familyteapie7.biz
familyteapie8.biz
familyteapie9.biz
familyteapie10.biz
bignigthbrotherinc.biz
visiowrongly.biz

The registrant record leads to the bad actor involved:
Registrant ID: DI_27001099
Registrant Name: Lukas Vilkos
Registrant Organization: N/A
Registrant Address1: Independence str 12, 22
Registrant City: Nederka
Registrant State/Province: Flevoland
Registrant Postal Code: 3313
Registrant Country: Netherlands
Registrant Country Code: NL
Registrant Phone Number: +31.33131451
Registrant Email: jokey00012@googlemail.com
*) This registrant is currently on the BAN list.

Related information:

#MalwareMustDie - @unixfreaxjp Just detected the first Sweet Orange EK infection in Japan twitter.com/unixfreaxjp/st… twitter.com/MalwareMustDie…
— Malware Crusaders (@MalwareMustDie) March 25, 2013

[Malware infection warning] #OCJP-100: Found Sweet Orange EK malware infection code on the homepage of the former Keifu High School, "www(.)eonet.ne(.)jp / 218.251.89.6" unixfreaxjp.blogspot.jp/2013/03/ocjp-1… #CleanUpPLS
— Hendrik ADRIAN (@unixfreaxjp) March 25, 2013

2. Suspension of 240+ domains of Sofos EK malware infector

OP Name: #OperationBurnAffectsuites

Thank you for the good cooperation from the related registrar!

The evidence/analysis related to the threat:
Verdict: [1] URLQuery --> here [2] URLQuery --> here [3] URLQuery --> here
[4] Good infection chain picture by @HkMalwares
[5] Infection in progress (landing page) PCAP --> here
[6] Jsunpack evidence of landing page --> here
[7] Landing page decoded --> here

To be banned. The bad actor's registrant data:

@essachin @malwaremustdie still down!!! #MalwareMustDie!!! twitter.com/alfr3d0x/statu…
— Don Alfredo (@alfr3d0x) March 25, 2013

Registrant ID: DI_26439309
Registrant Name: steal elaine
Registrant Organization: N/A
Registrant Address1: attributable 90
Registrant City: LosAngeles
Registrant Postal Code: 450963
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +466.5415358
Registrant Email: affectsuites@projectedtornadossmoked.com
*) More malicious domains under this registrant --> here

We issued suspension of the domains related to the current case; the suspension is already effective in DNS queries and the full suspension will be effective shortly.
Related Information:

@demon117 @malwaremustdie @set_abominae @kafeine Ran into an Interesting kit today. i.imgur.com/XIDR001.png
— Mike (@HkMalwares) March 26, 2013

@demon117 @hkmalwares @malwaremustdie @set_abominae SofosFO/Stamp EK @joelesler noticed increase move today.
— kafeine (@kafeine) March 26, 2013

@hkmalwares @demon117 @malwaremustdie @set_abominae @kafeine 240 domains registered -- investigation under progress. expect #TangoDown soon.
— sachin (@essachin) March 26, 2013

@malwaremustdie Similar SofosEK was observed at 37[.]139[.]51[.]141, yesterday. proprietary[.]clamqxor[.]biz/..../scribes.jar.
— Set Abominae (@Set_Abominae) March 26, 2013

#MalwareMustDie Infector #PoC SofosEK Landing Page at IP: 37.139.51.143 pastebin.com/raw.php?i=yY2Y… < for #TangoDown purpose
— Malware Crusaders (@MalwareMustDie) March 26, 2013