For general info about the Ponmocup malware / botnet please see:
http://www9.dyndns-server.com:8080/pub/botnet-links.html

------------------------------------------------------------------------
updated: 2011-10-22 (newer domains / IPs on top of each section)
------------------------------------------------------------------------

Malware domains / IPs hosting "r.cgi" malware:
(infection step / redirection server)

Thanks Jason for reporting these new domains:

germanattention.org
lewisentitled.com
philosophymercer.com
watchingsquare.com
luckyhosting.org
94.63.149.246

reportedtechniques.org
yespicture.org
62.212.74.226
84.16.234.150
94.63.149.246
94.63.149.247

allintercom.net
everybodynames.org
handsexual.com
interestingchapter.net
teethalong.org
77.79.11.98

argumenthistorical.org
formedtouch.com
thousandmilitary.com
78.159.118.142
77.79.11.98

earlyanswered.com
95.168.177.141

underbuild.net
formedtouch.com
travelmeant.net

allinoneprogmon.net
apartliberal.com
bonusforall.net
capitalinformer.com
checkforsec.com
costslaid.com
gamecomes.org
gtracking.org
herocopter.com
hybridenforum.com
iamprotectedfrom.net
indanetwall.net
infernomag.com
intronetech.com
jesusonlynet.org
luckyhosting.org
metromanias.com
protechere.com
reportedtechniques.org
severalcamp.com
sslabssys.com
trackallnet.com
trafficsources.org
trialworld.net
twiceseparate.com
twowayserf.com
virtualmapping.org
voictoall.com
68.178.232.100
84.16.234.150
84.16.234.151
85.17.132.193
85.17.132.194
85.17.136.121
85.17.136.122
85.17.139.68
85.17.19.210
95.168.173.202
95.168.173.236
95.168.177.103
95.168.177.141

------------------------------------------------------------------------

Malware hosting domains / IPs:
(infector)

sit4.therealityglove.com
press7.therealityglove.com
reasonable6.therealityglove.com
protection1.therealityglove.com
95.168.177.142

------------------------------------------------------------------------

Malware domains / IPs used for C2 traffic:
(phone home of infected hosts)

Thanks Jason for reporting these new domains:

msdmvdata.net
mastertraffic.org
postdone.com
truenetseach.com
bombastiknet.com
fundsufficient.org
94.75.201.35
94.75.201.34
70.105.249.131

assistancebeside.com
middlechrist.com
professoractions.com
teethalong.com
78.159.100.32

surfacechicago.net
96.126.106.156 (AS8001 NAC Net Access Corp, US)
78.159.100.32
imagehut4.cn (DNS lookup only)

vertumag.net
missingsync.net
masterproweb.net
typessubject.com
concetpwow.com
85.17.20.246
85.17.20.248
85.17.20.249
94.75.201.35
94.75.201.36
94.75.207.74
94.75.207.75

abccornet.com
imagesharehost.com
85.17.20.247
94.75.207.72
94.75.207.73
95.211.7.48

omniwebpro.org
94.75.201.35
85.17.139.239

rapidstream.biz
85.17.139.238

intermediacorp.org
85.17.188.195
94.75.201.36

amegatech.net
94.75.234.98
marksandco.net
94.75.234.98
inetspeedup.com
94.75.234.98
94.75.234.107

amegatech.net
inetspeedup.com
marksandco.net
174.36.82.151

mtuconnectwall.org

------------------------------------------------------------------------

Suspicious traffic / possibly (likely) C2:

http://dnupdates.cc/update.php?v=2

dnupdates.cc --> 80.87.199.17
--> AS8219 (EXPERT-TELECOM-AS "IC"Expert" Company Limited)
--> http://www.robtex.com/ip/80.87.199.17.html
--> shared domains:
assadral.cn
auto-virus-check.net
av-check.org
followme.name
freesoftware.us.to
mail.auto-virus-check.net
merdokshket.cn
mkrosoft.in
msessenciale.co.cc
peregrev.net
rapidhost.in
update-drivers.cc
videofacker.com
www.auto-virus-check.net
www.dnupdates.cc

------------------------------------------------------------------------
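The lists above are only useful once they are matched against proxy or DNS logs. The script below is an added example (not part of the original page or the botnet-links site) that does that for a representative subset of the indicators above, grouped by the role the list assigns them: r.cgi redirector, infector, C2 and the suspected dnupdates.cc traffic. It also flags the two URL paths the list singles out, /r.cgi and /update.php, even on an unlisted host. The Squid-style log lines are constructed for the example, not real captures; the decision to treat subdomains of a listed domain as hits is the example's own assumption, not something the list states.

```python
import ipaddress
import re

# Indicators copied from the sections above, grouped by role. This is a
# representative subset to keep the example short; paste in the full
# sections when running it for real.
IOC_SETS = {
    "redirector": {  # hosts serving r.cgi (infection step / redirection)
        "germanattention.org", "lewisentitled.com", "luckyhosting.org",
        "formedtouch.com", "94.63.149.246", "62.212.74.226",
    },
    "infector": {    # malware hosting
        "sit4.therealityglove.com", "press7.therealityglove.com",
        "reasonable6.therealityglove.com", "protection1.therealityglove.com",
        "95.168.177.142",
    },
    "c2": {          # phone-home traffic of infected hosts
        "msdmvdata.net", "mastertraffic.org", "postdone.com",
        "imagehut4.cn", "94.75.201.35", "85.17.20.246",
    },
    "suspected-c2": {  # the dnupdates.cc / update.php?v=2 traffic
        "dnupdates.cc", "80.87.199.17",
    },
}
IOC_INDEX = {ioc: category for category, iocs in IOC_SETS.items() for ioc in iocs}

# URL paths the list itself singles out.
SUSPICIOUS_PATHS = ("/r.cgi", "/update.php")

# A URL, bare hostname or dotted-quad IP anywhere in a log line, with an
# optional port and path.
TOKEN_RE = re.compile(
    r"(?:https?://)?\b((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})"
    r"(?::\d+)?(/[^\s\"']*)?",
    re.I,
)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lookup(host):
    """Return the IoC category for host, or None.

    IPs must match exactly. Hostnames match exactly or as a subdomain of a
    listed domain (an assumption of this example: the list does not say
    sibling subdomains are malicious, but for a redirector/C2 domain it is
    the conservative choice).
    """
    host = host.lower().rstrip(".")
    if is_ip(host):
        return IOC_INDEX.get(host)
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        category = IOC_INDEX.get(".".join(labels[i:]))
        if category:
            return category
    return None


def suspicious_path(path):
    """True for the r.cgi redirector and update.php check-in paths."""
    return path.split("?", 1)[0].lower().endswith(SUSPICIOUS_PATHS)


def scan(lines):
    """Return (line_no, host, category, path_flag) for every hit in the log.

    category is "unlisted" when only the path matched, so analysts can triage
    r.cgi requests to hosts that are not yet on the list.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        for m in TOKEN_RE.finditer(line):
            host, path = m.group(1), m.group(2) or ""
            category = lookup(host)
            flagged_path = suspicious_path(path)
            if category or flagged_path:
                hits.append((line_no, host.lower(), category or "unlisted", flagged_path))
    return hits


# Constructed Squid access.log lines (not real traffic): redirector hit,
# infector download, C2 check-in, the suspected C2 URL, a benign request, and
# an r.cgi request to a host that is not on the list.
SAMPLE_LOG = """\
1319270401.123   312 10.0.0.15 TCP_MISS/302 512 GET http://germanattention.org/r.cgi?id=1 - DIRECT/94.63.149.246 text/html
1319270402.456   880 10.0.0.15 TCP_MISS/200 40960 GET http://press7.therealityglove.com/ - DIRECT/95.168.177.142 application/octet-stream
1319270460.001   120 10.0.0.15 TCP_MISS/200 220 POST http://msdmvdata.net/ - DIRECT/94.75.201.35 text/html
1319270500.777    90 10.0.0.22 TCP_MISS/200 180 GET http://dnupdates.cc/update.php?v=2 - DIRECT/80.87.199.17 text/html
1319270600.000    40 10.0.0.22 TCP_HIT/200 1024 GET http://www.example.com/index.html - NONE/- text/html
1319270650.250   210 10.0.0.31 TCP_MISS/302 500 GET http://fastredirect.example/r.cgi?x=1 - DIRECT/203.0.113.9 text/html
""".splitlines()

if __name__ == "__main__":
    for line_no, host, category, path_flag in scan(SAMPLE_LOG):
        print("line %d: %s [%s]%s" % (line_no, host, category,
                                       " suspicious path" if path_flag else ""))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines. Because the list says newer indicators sit at the top of each section and the same IP recurs across sections, keep the category labels: a hit on an infector IP in a download with application/octet-stream is a very different triage priority from a DNS-only lookup of imagehut4.cn.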