3322.org

The Internet Storm Center recently had an article about a botnet that uses the SAV remote exploit ("sav worm and its cc"). The botnet uses ftpd.3322.org to download the binary to the infected machines. 3322.org seems to be a rather gray domain; I saw it used a couple of times this year in different malware binaries. At least the following subdomains of 3322.org were used either for botnet C&C traffic or to download additional malware onto compromised machines:

So watching your borders and checking whether machines from within your network access these domains could be a good opportunity to detect infected machines...
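One way to run the check described above over DNS resolver logs, as an added example that is not part of the original post: the log lines below are constructed (the format is loosely modelled on a BIND query log), and the parent domain is the one named in the post. The match is label-aligned, so a lookalike such as "not3322.org" is not flagged, while any depth of subdomain under 3322.org is.

```python
import re
from collections import defaultdict

# Parent domain from the post; the observed C&C and download hosts hang off it.
WATCHED_SUFFIX = "3322.org"

# Constructed sample resolver log (not real traffic). One client queries two
# watched names, one uses mixed case and a trailing dot, one is a lookalike.
SAMPLE_DNS_LOG = """\
client 10.0.3.17#51234: query: ftpd.3322.org IN A + (10.0.0.53)
client 10.0.3.17#51240: query: www.example.com IN A + (10.0.0.53)
client 10.0.5.88#40011: query: GoogleHK.3322.org. IN A + (10.0.0.53)
client 10.0.7.2#33001: query: not3322.org IN A + (10.0.0.53)
client 10.0.3.17#51251: query: viviandan.go.3322.org IN A + (10.0.0.53)
"""

# Pull the source address and the queried name out of each line.
QUERY_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN"
)


def is_under_domain(name: str, suffix: str = WATCHED_SUFFIX) -> bool:
    """True if name is the watched domain or a subdomain of it.

    Normalises case and a trailing dot, then requires a label boundary, so
    'not3322.org' does not match while 'a.b.3322.org' does.
    """
    n = name.rstrip(".").lower()
    s = suffix.rstrip(".").lower()
    return n == s or n.endswith("." + s)


def find_suspect_hosts(log_text: str, suffix: str = WATCHED_SUFFIX) -> dict:
    """Map each internal source IP to the sorted watched names it resolved."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_under_domain(m.group("name"), suffix):
            hits[m.group("src")].add(m.group("name").rstrip(".").lower())
    return {src: sorted(names) for src, names in hits.items()}


if __name__ == "__main__":
    for src, names in find_suspect_hosts(SAMPLE_DNS_LOG).items():
        print(f"{src} queried: {', '.join(names)}")
```

Run it against your own resolver or proxy logs by swapping in the real file; any internal host that appears in the output is a candidate for a closer look.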

Comments


  1. digitician says:

    Some more for your list:


