OSX Flashback URLs, Domains, etc ~ CookingFood.Org

Dr.Web image

I have been tracking infections too and will be posting the domains I come across. I don't have the DGA script or list of domains to date, but even if I had, I think the best way to find them is via User Agent followed by the id: I posting URLs and domains below and will add more soon.

Since it generates new domains every day, the full list would be much much longer but I will post those that I run across below in case it helps anyone. These below appear to be a variant of v.39/K

GET /statistics.html HTTP/1.1
Host: cuojshtbohnt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id: 1A698BE9-0211-5EB4-AFDC-644AA479D972) Gecko/20100101 Firefox/9.0.1

Ger requests, domains incl. Update - April 11, 2012 (UUIDs were slightly edited)

2012-Apr-10 12:38:08 10.64.113.110 -> 174.129.221.183 ip: 174.129.221.183 Host: iqkydbxjfodro.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:8F11945B-D60E-5B1D-8BEC-A61EA9FFA0C1) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:08 10.64.113.110 -> 174.129.221.183 ip: 174.129.221.183 Host: iqkydbxjfodro.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:8F11945B-D60E-5B1D-8BEC-A61EA9FFA0C1) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:08 10.64.113.110 -> 174.129.221.183 ip: 174.129.221.183 Host: iqkydbxjfodro.info User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:8F11945B-D60E-5B1D-8BEC-A61EA9FFA0C1) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:08 10.64.113.110 -> 174.129.221.183 ip: 174.129.221.183 Host: iqkydbxjfodro.in User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:8F11945B-D60E-5B1D-8BEC-A61EA9FFA0C1) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:08 10.64.113.110 -> 174.129.221.183 ip: 174.129.221.183 Host: iqkydbxjfodro.kz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:8F11945B-D60E-5B1D-8BEC-A61EA9FFA0C1) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: rfffnahfiywyd.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: rfffnahfiywyd.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: rfffnahfiywyd.info User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: rfffnahfiywyd.in User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: rfffnahfiywyd.kz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: cvsqsmuiaaiyh.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: cvsqsmuiaaiyh.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: cvsqsmuiaaiyh.info User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: cvsqsmuiaaiyh.in User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:4343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: cvsqsmuiaaiyh.kz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: scfoijdccqtmj.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: scfoijdccqtmj.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: scfoijdccqtmj.info User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: scfoijdccqtmj.in User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 2012-Apr-10 12:38:16 10.64.64.150 -> 174.129.221.183 ip: 174.129.221.183 Host: scfoijdccqtmj.kz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:4; id:8343DDB3-91DC-58F3-A69F-D8AAE9EC1A08) Gecko/20100101 Firefox/9.0.1 ip: 74.207.249.7 Host: vxvhwcixcxqxd.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9492C73D-9F16-583C-A9E3-440C8E1D037D) Gecko/20100101 Firefox/9.0.1 2012-Apr-09 15:24:55 10.64.113.160 -> 74.207.249.7 ip: 74.207.249.7 Host: cuojshtbohnt.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9B48F357-01F6-5E19-B561-7AC17A55125C) Gecko/20100101 Firefox/9.0.1 2012-Apr-09 15:25:52 10.64.21.184 -> 91.233.244.102 ip: 91.233.244.102 Host: vxvhwcixcxqxd.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:94B3C1C2-C81C-5E0A-9C1B-3A3C374E9927) Gecko/20100101 Firefox/9.0.1 10.64.154.200 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: pcjvhrwvrielyu.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:96CEF3D7-06B3-52D8-BF45-991D0D08CCBF) Gecko/20100101 Firefox/9.0.1 10.64.117.234 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: mmpqilsbon2u.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:950C52B0-6D0A-5CB9-BA7C-47D6E8EF82D3) Gecko/20100101 Firefox/9.0.1 10.64.114.38 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: hzxwhzifyjewe.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:90000000-0000-1000-8000-001EC2074A1E) Gecko/20100101 Firefox/9.0.1 10.64.113.213 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: ofeogazqbxmqft.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:9A8E2680-684E-594B-A698-148E3B2BBAB5) Gecko/20100101 Firefox/9.0.1 10.64.93.162 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: rjuhnumyhderuy.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:9EEA6D20-2B92-5DB7-BA0F-1A6F6946B764) Gecko/20100101 Firefox/9.0.1 10.64.100.58 >> 50.116.35.158 GET /index.html HTTP/1.1 Request URI: /index.html Host: prbktcowpvjmr.info User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:9A4764A8-0024-5A11-A240-589D18894A22) Gecko/20100101 Firefox/9.0.1 10.64.71.61 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: hnnthosfqmdj.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:91B5F479-9B9E-55D8-9E62-601E50672A83) Gecko/20100101 Firefox/9.0.1 10.64.26.144 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: udgdgdyerdo3kd.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:90217534-2343-546C-9A25-BB0B295A6874) Gecko/20100101 Firefox/9.0.1 10.64.24.197 >> 165.160.15.20 GET /index.html HTTP/1.1 Request URI: /index.html Host: iuydfiuwiugdge.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:5; id:985DAF48-B597-5026-8D8B-CC5CBA48EF2E) Gecko/20100101 Firefox/9.0.1

104 domains ( I think they are all sinkholed by now, if you check the IPs they are registered to, you will see only security firms and AV companies)

cvsqsmuiaaiyh.com cvsqsmuiaaiyh.in cvsqsmuiaaiyh.info cvsqsmuiaaiyh.kz cvsqsmuiaaiyh.net iqkydbxjfodro.com iqkydbxjfodro.in iqkydbxjfodro.info iqkydbxjfodro.kz iqkydbxjfodro.net rfffnahfiywyd.com rfffnahfiywyd.in rfffnahfiywyd.info rfffnahfiywyd.kz rfffnahfiywyd.net scfoijdccqtmj.com scfoijdccqtmj.in scfoijdccqtmj.info scfoijdccqtmj.kz scfoijdccqtmj.net vxvhwcixcxqxd.com vxvhwcixcxqxd.net aeddjjjsgnebr.com cdgssacqafewut.com cdqwwkndatvt.com cdqwwkndatvt.in cdqwwkndatvt.info cdqwwkndatvt.kz cdqwwkndatvt.net cfqwmwlmyuvln.com cfqwmwlmyuvln.info cuojshtbohnt.com cuojshtbohnt.info cuojshtbohnt.kz dppqqdmahihaly.com euxjnhxehfpeuy.com fhnqskxxwloxl.com fhnqskxxwloxl.in fhnqskxxwloxl.info glitjdgpamxjdlc.kz hnnthosfqmdj.com hxyyawuorwira.kz hxyyawuorwira.net hzxwhzifyjewe.com iceftkmbhrmhg.com iqkydbxjfodro.com iqkydbxjfodro.in iqkydbxjfodro.info iqkydbxjfodro.kz iqkydbxjfodro.net iuydfiuwiugdge.com juifltdlpjjva.com kksxjnvjqynfqa.com lpjwscxnwpqkaq.com lwpuwdovuvpgtf.com mi13hthdtwdfhet.com miecjlosmoliu.com miecjlosmoliu.in miecjlosmoliu.info mmpqilsbon2u.net moakzphcyysqst.com ocpyyfcaytqnpnw.kz ofeogazqbxmqft.com oyddmhuokhldd.com pcjvhrwvrielyu.com peclecgpwygqda.com prbktcowpvjmr.com prbktcowpvjmr.in prbktcowpvjmr.info prbktcowpvjmr.net prowchtogrrzq.com qfywnsimhpxbkdx.kz rfffnahfiywyd.com rfffnahfiywyd.info rfffnahfiywyd.net rjuhnumyhderuy.com scfoijdccqtmj.info shduddowhdgdu.com stxeapbewbblp.com stxeapbewbblp.in stxeapbewbblp.info tgnqheyqmfogmgt.kz tppuwrxvwbmoo.kz tygoiuoigwodd.com tygoiuoigwodd.kz tzvulcdovswll.com uaruftdirelaars.com uaruftdirelaars.kz udgdgdyerdo3kd.com vxvhwcixcxqxd.com vxvhwcixcxqxd.kz vxvhwcixcxqxd.net vyqhdtnsfrie.com vyqhdtnsfrie.in vyqhdtnsfrie.info vyqhdtnsfrie.kz vyqhdtnsfrie.net xlrlhcvcqoopk.com xlrlhcvcqoopk.kz xlrlhcvcqoopk.net xntppwufabzsr.com xsfuchkdrwfua.net zyxsjfocasugd.com

ET signature using User Agent (also in the previous posts)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I User-Agent"; flow:established,to_server; content:" WOW64|3b| rv|3a|9.0.1|3b| sv|3a|"; http_header; content:" id|3a|"; http_header; within:6; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; classtype:trojan-activity; sid:2014534; rev:3;)