For general info about the Ponmocup malware / botnet please see: http://www9.dyndns-server.com:8080/pub/botnet-links.html

Fetching the compromised site with a search-engine referer (wget session):

user@host:~$ wget -S -v --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 (.NET CLR 3.5.30729)" --referer="http://www.google.ch/search?q=camping+club&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a" http://www.camping-club.ch/ -O www.camping-club.ch
--2011-08-03 18:25:22--  http://www.camping-club.ch/
Resolving www.camping-club.ch... 2001:1b50::82:195:224:104, 82.195.224.104
Connecting to www.camping-club.ch|2001:1b50::82:195:224:104|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Wed, 03 Aug 2011 16:22:20 GMT
  Server: Apache
  Set-Cookie: xccgtswgokoe=1; path=/; domain=www.camping-club.ch; expires=Wed, 10-Aug-2011 16:22:20 GMT
  Location: http://everybodynames.org/cgi-bin/r.cgi?p=10003&i=0944a8c0&j=333&m=2dc242660d36f75b50c84fef1d630acc&h=www.camping-club.ch&u=/&q=&t=20110803182220
  Content-Length: 473
  Keep-Alive: timeout=2, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://everybodynames.org/cgi-bin/r.cgi?p=10003&i=0944a8c0&j=333&m=2dc242660d36f75b50c84fef1d630acc&h=www.camping-club.ch&u=/&q=&t=20110803182220 [following]
--2011-08-03 18:25:22--  http://everybodynames.org/cgi-bin/r.cgi?p=10003&i=0944a8c0&j=333&m=2dc242660d36f75b50c84fef1d630acc&h=www.camping-club.ch&u=/&q=&t=20110803182220
Resolving everybodynames.org... 94.63.149.247
Connecting to everybodynames.org|94.63.149.247|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Moved Temporarily
  Server: Apache/1.3.42
  Date: Wed, 03 Aug 2011 16:25:24 GMT
  Connection: close
  Location: http://rain5.therealityglove.com/se/3da19bea8f9c04b53ccc49cadc9ee5a3de7112a0a9436d929d8f379ae32820262ac9ba27d95fa2c237ee5e8f2774b67f4a193da6f463244bc3c6e8addbd0b37e9619a828269fca/75401c27/camping_club.com
Location: http://rain5.therealityglove.com/se/3da19bea8f9c04b53ccc49cadc9ee5a3de7112a0a9436d929d8f379ae32820262ac9ba27d95fa2c237ee5e8f2774b67f4a193da6f463244bc3c6e8addbd0b37e9619a828269fca/75401c27/camping_club.com [following]
--2011-08-03 18:25:22--  http://rain5.therealityglove.com/se/3da19bea8f9c04b53ccc49cadc9ee5a3de7112a0a9436d929d8f379ae32820262ac9ba27d95fa2c237ee5e8f2774b67f4a193da6f463244bc3c6e8addbd0b37e9619a828269fca/75401c27/camping_club.com
Resolving rain5.therealityglove.com... 95.168.177.142
Connecting to rain5.therealityglove.com|95.168.177.142|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: Apache/1.3.42
  Date: Wed, 03 Aug 2011 16:25:25 GMT
  Content-Type: application/x-msdownload
  Connection: close
  Expires: Mon, 26 Jul 1997 05:00:00 GMT
  Cache-Control: must-revalidate, post-check=0, pre-check=0
  Cache-Control: private
  Content-Disposition: attachment; filename="camping_club.com"
  Content-Length: 228787
  Content-Transfer-Encoding: binary
  Accept-Ranges: none
Length: 228787 (223K) [application/x-msdownload]
Saving to: "www.camping-club.ch"

100%[====================================================================================================================>] 228,787     1003K/s   in 0.2s

2011-08-03 18:25:23 (1003 KB/s) - "www.camping-club.ch" saved [228787/228787]

user@host:~$ mv www.camping-club.ch camping_club.com
user@host:~$ ls -l camping_club.com
-rw-r--r-- 1 user group 228787 Aug  3 18:25 camping_club.com
user@host:~$ md5sum camping_club.com
99f6fa46f277dd610fed5c12c5c2bb30  camping_club.com
user@host:~$ file camping_club.com
camping_club.com: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

VirusTotal report for the downloaded file:

https://www.virustotal.com/file-scan/report.html?id=9077dca5a4396e7cc114db46c37b06abf50214ffd2ff16f329b788c93f399121-1312405553
File name:       camping_club.com
Submission date: 2011-08-03 21:05:53 (UTC)
Result:          12/ 43 (27.9%)

Antivirus     Version          Last update   Result
AhnLab-V3     2011.08.03.04    2011.08.03    Trojan/Win32.Jorik
AntiVir       7.11.12.210      2011.08.03    TR/Dropper.Gen
AVG           10.0.0.1190      2011.08.03    Dropper.Generic4.UHL
BitDefender   7.2              2011.08.03    Gen:Trojan.Heur.RP.nmLfaWFxuAhi
Emsisoft      5.1.0.8          2011.08.03    Trojan.Win32.Jorik!IK
F-Secure      9.0.16440.0      2011.08.03    Gen:Trojan.Heur.RP.nmLfaWFxuAhi
GData         22               2011.08.03    Gen:Trojan.Heur.RP.nmLfaWFxuAhi
Ikarus        T3.1.1.104.0     2011.08.03    Trojan.Win32.Jorik
Jiangmin      13.0.900         2011.08.03    Trojan/Generic.hxys
Kaspersky     9.0.0.837        2011.08.03    HEUR:Trojan.Win32.Generic
NOD32         6348             2011.08.03    a variant of Win32/Injector.HZU
Norman        6.07.10          2011.08.03    W32/Obfuscated.L

----------------------------------------------------------
Live-HTTP-Headers Log:
----------------------------------------------------------

http://www.google.ch/url?sa=T&source=web&cd=1&ved=0CCEQFjAA&url=http%3A%2F%2Fwww.camping-club.ch%2F&ei=sG05Tp65D8Of-waerNXGAg

GET /url?sa=T&source=web&cd=1&ved=0CCEQFjAA&url=http%3A%2F%2Fwww.camping-club.ch%2F&ei=sG05Tp65D8Of-waerNXGAg HTTP/1.1
Host: www.google.ch
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 (.NET CLR 3.5.30729)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.ch/search?q=camping-club.ch&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a
Cookie: PREF=ID=ff5181ad23e56281:U=17641ac839e501d8:FF=0:TM=1286201491:LM=1312386044:S=h9edKJlYCk5vlI7J; NID=49=AbYc7AojJ9l4aoDLUOanfIXhp8zd3h4tFfzJXU80rf8rqjaSYB27JXj-3YDGuSRr6JpqAcau4MEE4Kq4MjI7KI4FZrb9a8i_FPyi-vnuz5zyLeIYeIsiK8go0pTvwKLN

HTTP/1.1 204 No Content
Date: Wed, 03 Aug 2011 15:48:05 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Server: gws
Content-Length: 0
X-XSS-Protection: 1; mode=block
----------------------------------------------------------

http://www.camping-club.ch/

GET / HTTP/1.1
Host: www.camping-club.ch
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.ch/search?q=camping-club.ch&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a

HTTP/1.1 302 Found
Date: Wed, 03 Aug 2011 15:45:03 GMT
Server: Apache
Set-Cookie: xccgtswgokoe=1; path=/; domain=www.camping-club.ch; expires=Wed, 10-Aug-2011 15:45:03 GMT
Location: http://everybodynames.org/cgi-bin/r.cgi?p=10003&i=0944a8c0&j=333&m=2dc242660d36f75b50c84fef1d630acc&h=www.camping-club.ch&u=/&q=&t=20110803174503
Content-Length: 473
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------

http://everybodynames.org/cgi-bin/r.cgi?p=10003&i=0944a8c0&j=333&m=2dc242660d36f75b50c84fef1d630acc&h=www.camping-club.ch&u=/&q=&t=20110803174503

GET /cgi-bin/r.cgi?p=10003&i=0944a8c0&j=333&m=2dc242660d36f75b50c84fef1d630acc&h=www.camping-club.ch&u=/&q=&t=20110803174503 HTTP/1.1
Host: everybodynames.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.ch/search?q=camping-club.ch&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a

HTTP/1.1 302 Moved Temporarily
Server: Apache/1.3.42
Date: Wed, 03 Aug 2011 15:48:07 GMT
Transfer-Encoding: chunked
Connection: close
Location: http://successful8.atdotcom.us/se/3da19bea8f9c04b53ccc49cadc9ee5a3de7112a0a9436d929d8f379ae32820262ac9ba27d95fa2c237ee5e8f2774b67f4a193da6f463244bc3c6e8addbd0b37e9619a828269fca/178def46/camping.com
----------------------------------------------------------

http://successful8.atdotcom.us/se/3da19bea8f9c04b53ccc49cadc9ee5a3de7112a0a9436d929d8f379ae32820262ac9ba27d95fa2c237ee5e8f2774b67f4a193da6f463244bc3c6e8addbd0b37e9619a828269fca/178def46/camping.com

GET /se/3da19bea8f9c04b53ccc49cadc9ee5a3de7112a0a9436d929d8f379ae32820262ac9ba27d95fa2c237ee5e8f2774b67f4a193da6f463244bc3c6e8addbd0b37e9619a828269fca/178def46/camping.com HTTP/1.1
Host: successful8.atdotcom.us
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.ch/search?q=camping-club.ch&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a

HTTP/1.1 200 OK
Server: Apache/1.3.42
Date: Wed, 03 Aug 2011 15:48:07 GMT
Content-Type: application/x-msdownload
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0, private
Content-Disposition: attachment; filename="camping.com"
Content-Length: 228792
Content-Transfer-Encoding: binary
Accept-Ranges: none
----------------------------------------------------------

Hosting of the final download server:

AS28753 LEASEWEB-DE Leaseweb Germany GmbH (previously netdirekt e. K.)
*.atdotcom.us
successful8.atdotcom.us 212.95.63.171