Avast community forum
Avast WEBforum » Other » Viruses and worms
Topic: Is this a Dofoil botnet controller? (Read 3360 times)
polonus (Avast Überevangelist, malware fighter, Posts: 34065)
Is this a Dofoil botnet controller?
« on: August 02, 2012, 06:09:26 PM »
Found IP as Trojan downloader Dofoil.D / Trojan Ransom Dofoil botnet controller at 178.18.244.158 (inline dot de)
See:
http://urlquery.net/report.php?id=111646
htxp://gamingofthecentury.net/redeem.php
htxp://gamingofthecentury.net/steps.php
htxp://gamingofthecentury.net/beta.htm
htxp://gamingofthecentury.net
malicious link there:
http://fileice.net/gateway/mygate.php?id%E2%89%8845755479416869426d51553d
decodingLevel=0] found JavaScript
error: line:7: TypeError: /^\w+\:\/\/\/?[^\/]+/.exec(C) is null from fileice.net/js/LAB.min.js - (contact module handler code)
polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
polonus (Avast Überevangelist, malware fighter, Posts: 34065)
Re: Is this a Dofoil botnet controller?
« Reply #1 on: August 02, 2012, 11:01:35 PM »
Dofoil botnet: a central role is played by this bulletproof server, re:
http://www.mywot.com/en/scorecard/ecatel.net
Part of the botnet was brought down by authorities. Also see for servers:
http://www.malwareurl.com/ns_listing.php?ip=69.25.32.7
IDS rules for this botnet:
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Dofoil.L Checkin"; flow:to_server,established; uricontent:"/index.php?cmd="; uricontent:"&login="; uricontent:"&ver="; uricontent:"&bits="; reference:url,www.threatexpert.com/report.aspx?md5=47f2b8fcc2873f4dfd573b0e8a77aaa9; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDofoil.L&ThreatID=-2147317615; classtype:trojan-activity; sid:2013917; rev:4;)
* 1:21313 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound connection (botnet-cnc.rules)
* 1:21312 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound connectivity check (botnet-cnc.rules)
* 1:21311 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound connection (botnet-cnc.rules)
Here:
https://forums.clavister.com/securityportal/advisories/
https://forums.clavister.com/securityportal/advisories/idp70471.html
https://forums.clavister.com/securityportal/advisories/idp70470.html
https://forums.clavister.com/securityportal/advisories/idp70469.html
https://forums.clavister.com/securityportal/advisories/idp70468.html
See:
http://urlquery.net/report.php?id=106733
See:
http://urlquery.net/report.php?id=80886
polonus
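The ET rule quoted in the reply above fires only when all four uricontent strings (/index.php?cmd=, &login=, &ver=, &bits=) occur in one outbound request URI. The script below is an added example, not something posted in this thread or shipped by Emerging Threats or Snort: it pulls the uricontent options out of that rule text and applies the same all-must-match logic to a few constructed HTTP request log lines, so you can check what the signature would and would not catch before deploying it. The flow/direction and port checks of the real rule are left to the sensor, the reference: options are dropped from the embedded copy, and the log lines and source addresses are made up for the demonstration.

```python
"""Apply the uricontent checks of the ET Dofoil.L rule to HTTP request lines.

Added example, not from the forum post. Only the uricontent matching of
sid:2013917 is re-implemented (every non-negated uricontent string must be
present in the request URI, every negated one absent); flow:to_server and
the $HTTP_PORTS restriction are left to the IDS itself.
"""
import re

# The rule as quoted in the thread, with the reference: options removed.
ET_DOFOIL_L = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"ET TROJAN Win32/Dofoil.L Checkin"; flow:to_server,established; '
    'uricontent:"/index.php?cmd="; uricontent:"&login="; uricontent:"&ver="; '
    'uricontent:"&bits="; classtype:trojan-activity; sid:2013917; rev:4;)'
)


def parse_rule(rule: str) -> dict:
    """Extract msg, sid and the uricontent patterns (negated flag, text)."""
    opts = re.search(r'\((.*)\)\s*$', rule).group(1)
    return {
        "msg": re.search(r'msg:"([^"]*)"', opts).group(1),
        "sid": int(re.search(r'sid:(\d+)', opts).group(1)),
        # uricontent may carry a leading "!" meaning "must NOT be present".
        "uricontent": [(m.group(1) == "!", m.group(2))
                       for m in re.finditer(r'uricontent:\s*(!?)"([^"]*)"', opts)],
    }


def uri_matches(rule: dict, uri: str) -> bool:
    """True when every positive uricontent is in the URI and no negated one is."""
    return all((pat not in uri) if neg else (pat in uri)
               for neg, pat in rule["uricontent"])


# Constructed log format (assumption): "<client-ip> <METHOD> <uri> HTTP/x.y".
REQUEST_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) HTTP/')


def scan_log(rule: dict, lines) -> list:
    """Return (src, uri, sid) for every request line that satisfies the rule."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and uri_matches(rule, m.group("uri")):
            hits.append((m.group("src"), m.group("uri"), rule["sid"]))
    return hits


# Constructed sample lines (not captured traffic): one Dofoil-style check-in
# carrying all four parameters, one request with only two of them, and one
# unrelated fetch of a page named in the first post.
SAMPLE_LOG = [
    "10.0.0.12 GET /index.php?cmd=getload&login=abc123&ver=1.2&bits=32 HTTP/1.1",
    "10.0.0.13 GET /index.php?cmd=ping&login=xyz HTTP/1.1",
    "10.0.0.14 GET /steps.php HTTP/1.1",
]

if __name__ == "__main__":
    rule = parse_rule(ET_DOFOIL_L)
    for src, uri, sid in scan_log(rule, SAMPLE_LOG):
        print(f"{src} -> {rule['msg']} (sid:{sid}) {uri}")
```

Only the first sample line is reported; the second has cmd= and login= but lacks ver= and bits=, which is exactly why the rule lists all four: a single "/index.php?cmd=" would alert on plenty of legitimate PHP front controllers. Note that real Snort matches uricontent against the normalized URI, so encoded variants (%26login%3D) would need decoding before this check.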
Left123 (Avast Evangelist, Advanced Poster, Posts: 1048)
There Is No Patch For Human Stupidity. Proud Community Member&Helper.
Re: Is this a Dofoil botnet controller?
« Reply #2 on: August 02, 2012, 11:33:21 PM »
Hi Pol,
Can you give me an MD5 of a Ransomware variant they (used) to serve at this site? Can be anything but Ransomware!
Thanks in advance.
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus
polonus (Avast Überevangelist, malware fighter, Posts: 34065)
Re: Is this a Dofoil botnet controller?
« Reply #3 on: August 03, 2012, 12:01:51 AM »
Hi Left123,
Provided you with some MD5s in a PM. By the way, avast Web Shield protects us from this malware as JS:ScriptPE-inf[Trj].
polonus