'[Emerging-Sigs] Traff dot Justcount dot net'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       emerging-sigs
Subject:    [Emerging-Sigs] Traff dot Justcount dot net
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2008-05-19 16:48:07
Message-ID: 4831AF47.9040007 () jonkmans ! com
[Download RAW message or body]

Interesting domain we've been tracking, justcount dot net. It seems to 
be used by trojans ranging from Tibs/Zhelatin/Nuwar to some general 
downlaoders and droppers. Usually the malware hits a url of one of the 
following variations:



traff.justcount.net 
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVpfC4yNC9iUUcDAAcKEwkcVBwTXF1f/count.htm \



traff.justcount.net 
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFxwCHQAaBwICHQUESgANDgkLGlxIAmgvNy8obGA1KTp3e2orOyw7bGJ1ITs_JmVofDo_PjEqDhVfBhxVVlY=/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVpfC4yNC9iUEcDAAcKEwkcVBwTXF1f/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVpfC4yNC9iUUcDAAcKEwkcVA8KCwEL/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVpfC4yNC9iUUcDAAcKEwkcVBwTXF1f/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVpfC4yNC9iUEcDAAcKEwkcVBwTXF1f/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVofC4yNC9iUUcDAAcKEwkcVA8TXF1f/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVofC4yNC9iUUcDAAcKEwkcVBwTXF1f/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVofC4yNC9iUEcDAAcKEwkcVBwTXF1f/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVpfC4yNC9iUUcDAAcKEwkcVA8KCwEL/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVofC4yNC9iUUcDAAcKEwkcVA8TXF1c/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrPC4jbGJ1MiA1PGVpfC4yNC9iUUcDAAcKEwkcVA8TXF1f/count.htm \



traff.justcount.net
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1bFx0CHQAdCQECHQYEDgdEDwgCDA0QDXF5cmUlM3tvJjwmJ2VrP4jbGJ1MiA1PGVofC4yNC9iUUcDAAcKEwkcVA8KCwEL/count.htm




There is a pattern apparently, but minor variations over nearly 500 
samples. Put up signature 2008232 using the base pattern 
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1b. Please let 
me know how this goes, or if anyone sees a more definitel pattern to the 
urls.



Matt
-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic