The Latest in IT Security

Very Good Malware Redirection

08 Aug 2012

Sucuri – If you look at our Labs malware dump for the last few days, you will find something odd in the names of the top domains distributing malware:

712 redirections http://moi-verygoods.ru/simmetry?6
154 redirections http://moiverygoods.ru/simmetry?6
135 redirections http://webverygoods.ru/simmetry?6
131 redirections http://moiverygoods.ru/simmetry?6
88 redirections http://24-verygoods.ru/in.cgi?9

Can you see the similarity? All of them have “very good” as part of the domain name. This is not something that started today: for the last few weeks we have been seeing many domains following the same pattern. This type of malware acts in the same way as the Blackmuscats, redirecting visitors of a hacked site to Fake AV via .htaccess redirections.

These are some other domains we are seeing:

215 http://verygood2010.ru/in.cgi?9
204 http://2011verygood.ru/in.cgi?10
192 http://2011-verygood.ru/in.cgi?10
165 http://verygoods-2011.ru/in.cgi?10
160 http://1-verygoods.ru/in.cgi?9
146 http://verygood24.ru/in.cgi?9
138 http://2012-verygoods.ru/in.cgi?11
131 http://verygoods2014.ru/in.cgi?11
129 http://verygoods-2011.ru/in.cgi?10
111 http://verygoods2010.ru/in.cgi?9
111 http://verygood-2014.ru/in.cgi?11
107 http://24-verygoods.ru/in.cgi?9
101 http://verygood-2010.ru/in.cgi?9
100 http://verygood2014.ru/in.cgi?11
92 http://verygoods-24.ru/in.cgi?9
82 http://2013-verygoods.ru/in.cgi?11
80 http://verygoods-2014.ru/in.cgi?11
76 http://verygoods2013.ru/in.cgi?11
75 http://verygood-24.ru/in.cgi?9
64 http://verygoods2013.ru/in.cgi?11
51 http://24-verygoods.ru/in.cgi?9
43 http://verygood2013.ru/in.cgi?11
42 http://verygoods24.ru/in.cgi?9
40 http://24-verygoods.ru/in.cgi?9
39 http://24-verygoods.ru/in.cgi?9
37 http://24-verygoods.ru/in.cgi?9
32 http://1verygoods.ru/in.cgi?9
31 http://verygood2014.ru/in.cgi?11
29 http://24verygood.ru/in.cgi?9
27 http://verygoods-2011.ru/in.cgi?10
25 http://verygood-content.ru/in.cgi?9
24 http://2013-verygoods.ru/in.cgi?11
24 http://2013-verygoods.ru/in.cgi?11

As for location, most of them are hosted on 212.71.10.220, alongside many other malicious domains. Another interesting correlation is that all of those domains were registered on July 18.
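The indicators above (a “verygood” naming scheme under .ru, the `/in.cgi?N` and `/simmetry?N` landing paths, and the shared hosting IP) are enough to build a simple detector. The following Python is an added example, not Sucuri's scanner code: it classifies a URL against that pattern, flags `RewriteRule` lines in an .htaccess file that redirect to such a URL, and tallies redirect targets from scanner output the way the Labs dump above does. The .htaccess contents, the scanner line format (`<timestamp> <site> -> <target>`) and the site names are constructed for the example; the domains and IP are the ones named in the post.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hosting IP named in the post; a secondary indicator when a scanner also
# records where the redirect target resolves.
KNOWN_BAD_IP = "212.71.10.220"

# Naming scheme visible in the post's dump: "verygood"/"verygoods", with an
# optional hyphen, somewhere in a .ru hostname.
VERYGOOD_NAME = re.compile(r"very-?goods?", re.I)

# Landing paths seen in the dump: /in.cgi?<n> and /simmetry?<n>
VERYGOOD_PATH = re.compile(r"^/(?:in\.cgi|simmetry)$", re.I)


def is_verygood_url(url: str) -> bool:
    """True when url matches the campaign: a 'verygood*' .ru host plus one of
    the two observed landing paths with a purely numeric query string."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return (
        host.endswith(".ru")
        and VERYGOOD_NAME.search(host) is not None
        and VERYGOOD_PATH.match(p.path) is not None
        and p.query.isdigit()
    )


# A RewriteRule whose substitution is an absolute URL (an external redirect).
REWRITE_TARGET = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)


def scan_htaccess(text: str) -> list:
    """Return the target URLs of RewriteRule lines that redirect to the campaign."""
    hits = []
    for line in text.splitlines():
        m = REWRITE_TARGET.match(line)
        if m and is_verygood_url(m.group(1)):
            hits.append(m.group(1))
    return hits


def tally_redirects(scan_output: str) -> Counter:
    """Count campaign redirect targets in scanner output lines of the
    (constructed) form '<timestamp> <scanned site> -> <redirect target>'."""
    counts = Counter()
    for line in scan_output.splitlines():
        if "->" not in line:
            continue
        target = line.rsplit("->", 1)[1].strip()
        if is_verygood_url(target):
            counts[target] += 1
    return counts


# Constructed sample .htaccess: one legitimate internal rewrite followed by a
# redirect to a domain listed in the post.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]
RewriteRule .* http://verygoods2013.ru/in.cgi?11 [R=302,L]
"""

# Constructed scanner output; timestamps and site names are placeholders.
SCAN_LINES = """\
2012-08-07T10:01:02 site-a.example -> http://moi-verygoods.ru/simmetry?6
2012-08-07T10:01:09 site-b.example -> http://24-verygoods.ru/in.cgi?9
2012-08-07T10:02:11 site-c.example -> http://moi-verygoods.ru/simmetry?6
2012-08-07T10:02:40 site-d.example -> http://www.google.com/
2012-08-07T10:03:05 site-e.example -> http://verygood-content.ru/in.cgi?9
"""

if __name__ == "__main__":
    print("htaccess hits:", scan_htaccess(SAMPLE_HTACCESS))
    for url, n in tally_redirects(SCAN_LINES).most_common():
        print(f"{n} redirections {url}")
```

The hostname test is deliberately loose (any .ru host containing “verygood”) because the campaign rotates prefixes and suffixes; requiring the observed landing path and numeric query keeps false positives down. When the campaign changes paths, `VERYGOOD_PATH` is the one line to update.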

domain: VERYGOOD2011.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2012.07.18
paid-till: 2013.07.18
free-date: 2013.08.18
source: TCI

As always, we will post more details when we have them.
