3322.org
Sunday, December 17. 2006
The Internet Storm Center recently ran an article about a botnet that uses the SAV remote exploit ("sav worm and its cc"). The botnet uses ftpd.3322.org to download the binary to the infected machines. 3322.org seems to be a rather gray domain; I saw it used a couple of times this year in different malware binaries. At least the following subdomains of 3322.org were used either for botnet C&C traffic or to download additional malware to compromised machines:
NameLess.3322.org
viviandan.go.3322.org
googlehk.3322.org
applehu.3322.org
cnjacks.3322.org
myth998.3322.org
yxrgaa.3322.org
a1860.3322.org
qinqin1.3322.org
shanben.3322.org
panguwy.3322.org
et47.3322.org
So watching your borders and taking a look at whether machines from within your network access these domains could be a good opportunity to detect infected machines...
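One way to do that check, as an added example that is not part of the original post: run resolver query logs through a small matcher for the subdomains listed above, and also flag any other name under 3322.org since the post treats the whole domain as gray. The BIND-style log format, the client IPs and the log lines are constructed here for illustration.

```python
import re
from collections import defaultdict

# The 3322.org hosts named in the post (plus the ftpd download host).
KNOWN_3322_HOSTS = {
    "nameless.3322.org", "viviandan.go.3322.org", "googlehk.3322.org",
    "applehu.3322.org", "cnjacks.3322.org", "myth998.3322.org",
    "yxrgaa.3322.org", "a1860.3322.org", "qinqin1.3322.org",
    "shanben.3322.org", "panguwy.3322.org", "et47.3322.org",
    "ftpd.3322.org",
}

# Assumed BIND-like query log line (constructed format):
# "<timestamp> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

def classify(name):
    """Return 'listed', 'other-3322', or None for a queried name."""
    n = name.rstrip(".").lower()          # normalise trailing dot and case
    if n in KNOWN_3322_HOSTS:
        return "listed"
    # Match the apex or a real subdomain only, so "not3322.org" is not a hit.
    if n == "3322.org" or n.endswith(".3322.org"):
        return "other-3322"
    return None

def find_suspect_hosts(log_lines):
    """Map each internal client IP to the 3322.org names it resolved."""
    hits = defaultdict(dict)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group("name"))
        if verdict:
            hits[m.group("src")][m.group("name").rstrip(".").lower()] = verdict
    return dict(hits)

# Constructed sample log: two internal clients touch 3322.org names, one does not.
SAMPLE_LOG = """\
17-Dec-2006 10:01:02.123 client 10.0.0.5#1234: query: www.example.com IN A
17-Dec-2006 10:01:03.456 client 10.0.0.5#1235: query: ftpd.3322.org IN A
17-Dec-2006 10:01:09.789 client 10.0.0.9#1236: query: et47.3322.org IN A
17-Dec-2006 10:01:10.000 client 10.0.0.9#1237: query: somethingelse.3322.org IN A
17-Dec-2006 10:01:11.000 client 10.0.0.7#1238: query: not3322.org IN A
""".splitlines()

if __name__ == "__main__":
    for src, names in find_suspect_hosts(SAMPLE_LOG).items():
        print(src, names)
```

The "other-3322" verdict is the one worth reviewing by hand, since 3322.org is a dynamic DNS provider and not every name under it is hostile.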