Old Zeus domain still with malware?

See: http://www.dnsinspect.com/underddos.com/1415796469 (all OK)
ISSUE DETECTED     DEFINITION                      INFECTED URL
Website Malware    malware-entry-mwblacklisted35   htxp://underddos.com/
Website Malware    malware-entry-mwblacklisted35   htxps://www.reg.ru/domain/shop/lot/underddos.com
Suspicious domain detected. Details: http://sucuri.net/malware/malware-entry-mwblacklisted35
No risks: http://www.domxssscanner.com/scan?url=http%3A%2F%2Funderddos.com%2F
Given as benign: http://zulu.zscaler.com/submission/show/feb74fc2f7575a96b8b3014b306b372e-1415796548
IP badness history: https://www.virustotal.com/nl/ip-address/31.31.204.59/information/
Non-malign: http://jsunpack.jeek.org/?report=056be79579fc296c4fa5e0b134f6064b38637c9f

polonus

Oddly enough, not blocked? :o

Was this the really old network I had found way back when that Essexboy took a look into the Trojan itself?

Edit: Went hunting for the old post I alerted you to. It isn't the same domain; the thrills of that day are missed lol.

https://forum.avast.com/index.php?topic=137363.30

Edit 2: The site underddos.c0m is blocked, not the other one though.

Thanks for the comment, Michael,

Nice whenever we can see developments in a particular timeline perspective.
Migration patterns, parked domains, sinkholing in an ever-changing flow.
That is the nature of the ever-changing Interwebs, ;D

polonus

I went ahead and URLQueried it…

I found this ==> https://urlquery.net/report.php?id=1415691589766

Same ASN, different IP. The IDS alert is a strain of ZBot…

Probably working through Flash and Silverlight exploits.
So important for users to fully upgrade/update and patch their OS and the third-party software that matters.
Software Updater is an important part of the avast AV solution :wink:
http://stuffgate.com/95.163.18.102

polonus

Hi Michael,

And look at these scan results and the IDS alert: ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
for http://urlquery.net/report.php?id=1414072083762 when querying after “program/633_USB_Antivirus.htm”
Read here: http://www.symantec.com/connect/articles/windows-anti-debug-reference
HTTP Communication error: "There was an unexpected error when trying to retrieve the response…" -> http://sitecheck.sucuri.net/results/yahooservices29183.com
MyWOT negatives http://www.robtex.net/en/advisory/dns/com/yahooservices29183/
Taken down because “yahooservices29183,Not in namespace,”
A domain name with the Status of “CLIENT HOLD” or “REGISTRAR-HOLD” is expired.
Was blacklisted by Eset (partnered with Sucuri) and Norton Safe Web.

The investigation is resulting in: http://totalhash.com/analysis/81f1dcd7c39725c5bf762dd4edb276393b91a15d
Probably long down and no longer available for analysis as that specific malcreation.
By the way, avast did not have it initially: https://www.virustotal.com/nl/file/e46a1959bdd63d2653ccb04c82327c123db4ea156342b9764b6d9a0e0d0ed0ca/analysis/1414071827/
Detection was added later, so avast now flags it too:
https://www.virustotal.com/nl/file/e46a1959bdd63d2653ccb04c82327c123db4ea156342b9764b6d9a0e0d0ed0ca/analysis/ ;D

polonus
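What the "ET INFO EXE IsDebuggerPresent" alert keys on is an executable crossing the wire whose import table names that API. The script below is an added example for this thread (not code from polonus, urlquery, Emerging Threats or the Symantec article): it walks the import directory of a PE file and reports which of a handful of anti-debugging APIs it imports. The PE it parses is built in memory by build_sample_pe() as constructed test data with a single KERNEL32.dll import descriptor; it is not the sample behind the VirusTotal link and is never meant to execute.

```python
"""Flag anti-debugging imports by walking a PE file's import table."""
import struct

# A few of the Win32 APIs covered by the Symantec anti-debug reference.
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "OutputDebugStringA"}


def build_sample_pe(imports):
    """Constructed test data: a minimal 32-bit PE importing `imports` from KERNEL32.dll."""
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x200
    body = bytearray(40)                     # two IMAGE_IMPORT_DESCRIPTORs (real + terminator)
    oft_off = len(body)                      # OriginalFirstThunk array (name RVAs + 0)
    body += bytes(4 * (len(imports) + 1))
    ft_off = len(body)                       # FirstThunk array (the IAT), same layout
    body += bytes(4 * (len(imports) + 1))
    dll_off = len(body)
    body += b"KERNEL32.dll\0"
    name_rvas = []
    for name in imports:                     # IMAGE_IMPORT_BY_NAME: WORD hint + name + NUL
        if len(body) % 2:
            body += b"\0"
        name_rvas.append(sec_rva + len(body))
        body += struct.pack("<H", 0) + name.encode() + b"\0"
    for i, rva in enumerate(name_rvas):
        struct.pack_into("<I", body, oft_off + 4 * i, rva)
        struct.pack_into("<I", body, ft_off + 4 * i, rva)
    # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", body, 0, sec_rva + oft_off, 0, 0, sec_rva + dll_off, sec_rva + ft_off)
    body += bytes(sec_size - len(body))

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 40)         # DataDirectory[1] = imports
    sec = struct.pack("<8sIIIIIIHHI", b".idata", sec_size, sec_rva, sec_size,
                      sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return bytes(hdr) + bytes(sec_raw - len(hdr)) + bytes(body)


def rva_to_offset(rva, sections):
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} maps to no section")


def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll: [imported names]} from a PE's import directory (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw, rsize))
    result = {}
    if imp_rva == 0:
        return result
    desc = rva_to_offset(imp_rva, sections)
    thunk_fmt, thunk_len = ("<Q", 8) if pe32plus else ("<I", 4)
    ordinal_flag = 1 << (63 if pe32plus else 31)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                          # all-zero terminator
        names = result.setdefault(read_cstring(data, rva_to_offset(name_rva, sections)), [])
        thunk = rva_to_offset(oft or ft, sections)         # some linkers leave OFT empty
        while (entry := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            if entry & ordinal_flag:
                names.append(f"#{entry & 0xFFFF}")         # import by ordinal
            else:
                names.append(read_cstring(data, rva_to_offset(entry, sections) + 2))
            thunk += thunk_len
        desc += 20
    return result


def anti_debug_imports(data):
    """'dll!func' for every imported anti-debugging API, in sorted order."""
    return sorted(f"{dll}!{fn}" for dll, fns in parse_imports(data).items()
                  for fn in fns if fn in ANTI_DEBUG_APIS)


if __name__ == "__main__":
    sample = build_sample_pe(["IsDebuggerPresent", "GetTickCount", "CheckRemoteDebuggerPresent"])
    print(anti_debug_imports(sample))
```

Run against a real download, parse_imports(open(path, "rb").read()) gives the same view an IDS string match gets only indirectly; a hit on IsDebuggerPresent alone is weak evidence (plenty of legitimate software imports it, which is why the rule is classed "INFO"), so it is the combination with the other indicators in the urlquery report that matters.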

Hi Michael,

This IP is offline: https://zeustracker.abuse.ch/monitor.php?host=95.163.121.12 -> http://urlquery.net/report.php?id=1414072083762

polonus