------------------------------------------------------------------------
updated: 2011-07-01 (newer domains / IPs on top)
------------------------------------------------------------------------
Malware Domains/IP's hosting "r.cgi" malware: (infection step / redirection server)
------------------------------------------------------------------------
Malware hosting Domains/IP's: (infector)
protection1.therealityglove.com
95.168.177.142
------------------------------------------------------------------------
Malware Domains/IP's used for C2 traffic: (phone home of infected hosts)
------------------------------------------------------------------------
Suspicious traffic / possibly (likely) C2: http://dnupdates.cc/update.php?v=2 dnupdates.cc --> 80.87.199.17 --> AS8219
(EXPERT-TELECOM-AS "IC"Expert" Company Limited) --> http://www.robtex.com/ip/80.87.199.17.html --> shared domains:
------------------------------------------------------------------------