Thursday, July 25, 2013

Suspension announcement of 97 .RU domains (registered in REGGI.RU) used by Kelihos Crime Group to spread payload via Red Kit Exploit Pack

MalwareMustDie, NPO, as part of its research activities, follows the suspension of malicious domains as an important milestone in fighting malware, and also publicly releases some of the suspended domains under "Operation Tango Down" [What is TangoDown?] as a public announcement.

This time we are shutting down the 97 .RU domains used by the download servers for the Kelihos Trojan payload, which was distributed by the Red Kit Exploit Kit. We registered all of the detected payload URLs in URLQuery and, once all of the data had been registered, summarized the URLs used for infection by automation. We thank URLQuery for providing a good service that is helpful as evidence of crime for the further legal process. In this case we detected 150 infection URLs under 97 .RU domains; some of the URLs are served under subdomains. The use of DGA-like randomisation for the payload domains is the MO of this distribution.

The Kelihos Trojan was distributed mainly through servers in Eastern Europe (Ukraine, Latvia, Belarus, Russia) and Asia (Japan, Korea, Taiwan and Hong Kong) as the secondary layers, also using hacked machines scattered worldwide.

Verdict of Crime

The current report documents a successful suspension process, the result of good coordination between the MalwareMustDie members and supporters who helped spot, analyse & report the threat, our PiCs in Tango Team (thanks to @DL for the hard work during holiday time) and GroupIB, who performed excellent coordination of the suspension of the related domains with the Russian registrar (REGGI.RU). Overall, the communication and confirmation process took 4d+.

This wave of the Red Kit Exploit Kit campaign using Kelihos as payload was spotted infecting worldwide. With the help of our Japan team we have strong evidence of this infection effort, as published in Operation Clean-up Japan (OCJP) in case #113 here-->>[OCJP-013], on five domestic sites.

The infection payloads are shown in the real captured samples below:

RedKit Redirection PoC Snapshot:
[1] [2] [3] [4] [5]

Based on the payloads above, we sought out and collected all of the payload servers for this shutdown.

Tango Information

The payload URLs are in the long list below, which is followed by another long list of the 97 dismantled domains:

Infection URL data:

// #MalwareMustDie! Kelihos payload URL via RedKit EK Infection
// Reference: http://unixfreaxjp.blogspot.jp/2013/07/ocjp-113redkit-exploit-kitkelihosvia.html
// Detection range: July 1st, 2013 - July 16, 2013
// 

// grep rasta*


// grep userid*


---
#MalwareMustDie! $ date
Tue Jul 16 22:14:11 JST 2013
The domain list and the IPs that were up, as per the Fri Jul 19 20:01:00 JST 2013 status during the shutdown process:

Again, we thank all friends, entities and supporters for your great cooperation and advice. Analysing and spotting a threat is one thing, but the hardest part is to make the threat go down, and better yet to make the individuals responsible for the crime pay what they deserve.

MalwareMustDie will continue every effort to dismantle malware from the internet and to provide every piece of crime evidence found to the related authority. Your help and support on every investigation will be very appreciated.

Public announcement by #MalwareMustDie, NPO., 2013. All rights reserved.
Anti CyberCrime Research Group - malwaremustdie.org