Author Topic: Is this a Dofoil botnet controller?


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Is this a Dofoil botnet controller?
« on: August 02, 2012, 06:09:26 PM »
Found IP as Trojan downloader Dofoil.D / Trojan Ransom Dofoil botnet controller at 178.18.244.158 (inline dot de)
See: http://urlquery.net/report.php?id=111646
htxp://gamingofthecentury.net/redeem.php
htxp://gamingofthecentury.net/steps.php
htxp://gamingofthecentury.net/beta.htm
htxp://gamingofthecentury.net
malicious link there: http://fileice.net/gateway/mygate.php?id%E2%89%88 45755479416869426d51553d
decodingLevel=0] found JavaScript
     error: line:7: TypeError: /^\w+\:\/\/\/?[^\/]+/.exec(C) is null from  fileice.net/js/LAB.min.js  -  (contanct module handler code)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Is this a Dofoil botnet controller?
« Reply #1 on: August 02, 2012, 11:01:35 PM »
Dofoil botnet: a central role is played by this bulletproof server. Re: http://www.mywot.com/en/scorecard/ecatel.net
Part of the botnet was brought down by authorities. Also see for servers: http://www.malwareurl.com/ns_listing.php?ip=69.25.32.7
IDS rules for this botnet:
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Dofoil.L Checkin"; flow:to_server,established; uricontent:"/index.php?cmd="; uricontent:"&login="; uricontent:"&ver="; uricontent:"&bits="; reference:url,www.threatexpert.com/report.aspx?md5=47f2b8fcc2873f4dfd573b0e8a77aaa9; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDofoil.L&ThreatID=-2147317615; classtype:trojan-activity; sid:2013917; rev:4;)

 * 1:21313 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound connection (botnet-cnc.rules)
 * 1:21312 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound connectivity check (botnet-cnc.rules)
 * 1:21311 <-> ENABLED <-> BOTNET-CNC W32.Dofoil variant outbound connection (botnet-cnc.rules)
Here: https://forums.clavister.com/securityportal/advisories/
https://forums.clavister.com/securityportal/advisories/idp70471.html
https://forums.clavister.com/securityportal/advisories/idp70470.html
https://forums.clavister.com/securityportal/advisories/idp70469.html
https://forums.clavister.com/securityportal/advisories/idp70468.html
See: http://urlquery.net/report.php?id=106733
See: http://urlquery.net/report.php?id=80886

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
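As an added illustration of what the Emerging Threats rule above actually looks for (this is not code from the thread or from the ET project), the script below applies the rule's four uricontent checks to constructed proxy log lines and pulls the beacon parameters out of any line that matches, the way an analyst might enrich a check-in alert. The log format, the hosts and the parameter values are all made up for the example; only the four URI tokens and the sid come from the rule as posted.

```python
"""Emulate the ET Dofoil.L check-in signature (sid 2013917) over proxy log lines."""
import re
from urllib.parse import urlsplit, parse_qs

# The four uricontent matches from the posted rule; all must occur in the request URI.
REQUIRED_URI_TOKENS = ("/index.php?cmd=", "&login=", "&ver=", "&bits=")

# Constructed sample log lines (not real traffic): "src dst method url", outbound requests only,
# which corresponds to the rule's flow:to_server constraint.
SAMPLE_LOG = """\
10.0.0.5 198.51.100.7 GET http://example-c2.invalid/index.php?cmd=getload&login=abc123&ver=12&bits=32
10.0.0.6 198.51.100.9 GET http://example.invalid/index.php?cmd=search&q=test
10.0.0.7 198.51.100.7 POST http://example-c2.invalid/index.php?cmd=getload&login=def456&ver=11&bits=64
10.0.0.8 198.51.100.3 GET http://example.invalid/login?cmd=x&login=y
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")


def matches_dofoil_checkin(url):
    """Apply the rule's uricontent checks to one request URL.

    Snort's uricontent is evaluated against the normalized URI (path plus query),
    so the scheme and host are stripped before testing. Returns True only when
    every token from the rule is present.
    """
    parts = urlsplit(url)
    uri = parts.path
    if parts.query:
        uri += "?" + parts.query
    return all(tok in uri for tok in REQUIRED_URI_TOKENS)


def extract_checkin_fields(url):
    """Return the cmd/login/ver/bits query values for alert enrichment (None if absent)."""
    q = parse_qs(urlsplit(url).query)
    return {k: q.get(k, [None])[0] for k in ("cmd", "login", "ver", "bits")}


def scan_log(text):
    """Return one alert dict per log line that trips the check-in signature."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        src, dst, method, url = m.groups()
        if matches_dofoil_checkin(url):
            alert = {"src": src, "dst": dst, "method": method, "sid": 2013917}
            alert.update(extract_checkin_fields(url))
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Two of the four constructed lines fire: the ones carrying all of cmd, login, ver and bits on /index.php. The second line shares the path and the cmd parameter but lacks the rest, and the last line has the parameters but a different path, so neither matches, which is the point of the rule requiring all four tokens rather than any one of them.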

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Is this a Dofoil botnet controller?
« Reply #2 on: August 02, 2012, 11:33:21 PM »
Hi Pol,
Can you give me an MD5 of a Ransomware variant they (used) to serve at this site? Can be anything buy Ransomware!
Thanks in advance.
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Is this a Dofoil botnet controller?
« Reply #3 on: August 03, 2012, 12:01:51 AM »
Hi Left123,

Provided you with some MD5s in a PM. By the way, avast Web Shield protects us from this malware as JS:ScriptPE-inf[Trj].

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!