Tuesday, March 26, 2013

Announcement of Multiple Malware Domain Deactivations, March 2013 - The "Operation Tango Down"

We are announcing the suspension of 263 malware domains as the latest result of Operation Tango Down [What is TangoDown?], with the details below.

The current suspension is the result of good coordination between the security researchers who spotted the threat, our PiC in charge (thanks to @essachin) and the related registrar, who helped carry out the suspension and banning procedure accordingly. The good lead time we got in following up this suspension is a promising sign for shutting down more malware domains in the future.

Here we go:

1. Suspension of 22 domains of Sweet Orange EK malware infector
   OP Name: #OperationOrangeTart
   Thank you for the cooperation of the related registrar!

The evidence/analysis related to the threat:

Sweet Orange EK infection analysis --> here

Verdict:
[1] URLQuery --> here
[2] URLQuery --> here
[3] URLQuery --> here

Suspended domains:
The registrant data leads to the bad actor involved:
Registrant ID:             DI_27001099
Registrant Name:           Lukas Vilkos
Registrant Organization:   N/A
Registrant Address1:       Independence str 12, 22
Registrant City:           Nederka
Registrant State/Province: Flevoland
Registrant Postal Code:    3313
Registrant Country:        Netherlands
Registrant Country Code:   NL
Registrant Phone Number:   +31.33131451
Registrant Email:          jokey00012@googlemail.com
*) Is currently under the BAN list.

Related information:

2. Suspension of 240+ domains of Sofos EK malware infector
   OP Name: #OperationBurnAffectsuites
   Thank you for the good cooperation of the related registrar!

The evidence/analysis related to the threat:

Verdict:
[1] URLQuery --> here
[2] URLQuery --> here
[3] URLQuery --> here
[4] Good infection chain picture by @HkMalwares (image; click to enlarge)
[5] Infection in progress (landing page) PCAP --> here
[6] Jsunpack evidence of landing page --> here
[7] Landing page decoded --> here

To be banned. The bad actor's registrant data:
Registrant ID:            DI_26439309
Registrant Name:          steal elaine
Registrant Organization:  N/A
Registrant Address1:      attributable 90
Registrant City:          LosAngeles
Registrant Postal Code:   450963
Registrant Country:       United States
Registrant Country Code:  US
Registrant Phone Number:  +466.5415358
Registrant Email:         affectsuites@projectedtornadossmoked.com
*) More malicious domains under this registrant --> here

We issued the suspension of the domains related to the current case; it is already effective in DNS queries, and the full suspension will be effective shortly.
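As an added example (not part of the original post), a small Python helper a defender can use to verify that a suspension is actually effective in DNS, as stated above: each domain is classed as suspended (no longer resolves) or still resolving, so the ones that still answer can be followed up with the registrar. The `FAKE_DNS` table and the IP in it are constructed so the script runs offline; pass `live_resolver` to query real DNS.

```python
import socket
from typing import Callable, Dict, Iterable, List

# A resolver maps a domain name to an IPv4 address string and raises
# socket.gaierror when the name does not resolve (NXDOMAIN / SERVFAIL).
Resolver = Callable[[str], str]


def live_resolver(domain: str) -> str:
    """Query the system resolver (only used outside the offline demo)."""
    return socket.gethostbyname(domain)


def check_suspension(domains: Iterable[str],
                     resolve: Resolver = live_resolver) -> Dict[str, str]:
    """Classify each domain as 'suspended' (no longer resolves),
    'resolving:<ip>' (still answers) or 'error' (resolver failure)."""
    results: Dict[str, str] = {}
    for domain in domains:
        try:
            ip = resolve(domain)
        except socket.gaierror:
            results[domain] = "suspended"
        except OSError:
            results[domain] = "error"  # timeout or other resolver trouble
        else:
            results[domain] = f"resolving:{ip}"
    return results


def still_live(results: Dict[str, str]) -> List[str]:
    """Domains that still answer DNS and need follow-up with the registrar."""
    return sorted(d for d, s in results.items() if s.startswith("resolving"))


# Constructed offline stand-in for DNS: two domains from the Sweet Orange
# list are pretended to be fully suspended, one still resolves to a
# constructed address from the RFC 5737 documentation range.
FAKE_DNS = {"visiowrongly.biz": "198.51.100.23"}


def fake_resolver(domain: str) -> str:
    if domain in FAKE_DNS:
        return FAKE_DNS[domain]
    raise socket.gaierror(f"{domain}: NXDOMAIN (constructed)")


SAMPLE_DOMAINS = ["widgetcolorq1.biz", "familyteapie1.biz", "visiowrongly.biz"]

if __name__ == "__main__":
    report = check_suspension(SAMPLE_DOMAINS, resolve=fake_resolver)
    for domain, status in report.items():
        print(f"{domain:25} {status}")
    print("still live:", still_live(report))
```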
Related Information:
#MalwareMustDie!

8 comments:

  1. Freaking awesome work Brother, learning a lot by studying your work which will make me a better malware fighter #malwaremustdie

  2. We are all lifetime learners. Thank you for your support!

  3. Wonder, if any of them are registered by this guy?

    person: Thomas Dolezal
    address: Anastastasius Gruengasse 14/8
    address: A-1180 Vienna
    address: Austria
    e-mail: dolezal@webagentur.at
    phone: +43 1 4708278
    fax-no: +43 1 4708278
    nic-hdl: TD19-RIPE
    mnt-by: AS8447-PERSON
    changed: hostmaster@aon.at 20010928
    source: RIPE
    or
    [Tech-C]
    Type: PERSON
    Name: Thomas Dolezal
    Organisation: webagentur.at
    Address: Neustiftgasse 2
    Pcode: 2500
    City: Baden
    Country: AT
    Phone: +43.2252.259892
    Fax: +43.2252.25989244
    Email: support@webagentur.at
    Changed: 2005-09-09T18:02:34+02:00

    See http://support.clean-mx.de/clean-mx/viruses.php?netname=WEBAGENTUR-AT&sort=first%20desc&response=alive

    for all the Malware and Virus sites webagentur.at registered!

    They're hiding under several alibi addresses, Vienna, Baden or Graz. Let's hope, there might be an operation "Vienna Waltz" to get rid of them or at least most of their malware hosting sites?;-D

    1. We are following this lead. Keep in touch in email!

  4. I am really interested in getting involved deeper w/ #malwaremustdie and I am excellent at researching domains and tracing down leads.

    My background is Ex-MIL and a little late to the game where your skills are at, but I learn quick and my heart is in this. I am self taught and pick things up quickly so whatever you need let me know.

    Not sure how involved with hydrawall you are but need some better OPSEC as I was not looking for it and it was pretty much handed to me. Infiltrating hacker/malware groups is something I have done a lot of so the need for opsec is always tops with me.

    My email is ibashbotnets at gmail.com

  5. Thank you for all your wonderful work! I hope to join you soon in the quest against malware!

    1. Come and join us at your convenience! Remember: your daily work and daily errands are your first priority. An hour of your free time will be great for hinting at a new malicious infection to #MalwareMustDie!
