[Emerging-Sigs] Traff dot Justcount dot net
Matt Jonkman
jonkman at jonkmans.com
Mon May 19 12:48:07 EDT 2008
Interesting domain we've been tracking, justcount dot net. It seems to
be used by trojans ranging from Tibs/Zhelatin/Nuwar to some general
downloaders and droppers. Usually the malware hits a url of one of the
following variations:
There is a pattern apparently, but minor variations over nearly 500
samples. Put up signature 2008232 using the base pattern
/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1b. Please let
me know how this goes, or if anyone sees a more definite pattern to the
urls.
Matt
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
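
For retro-hunting in stored proxy logs, the check below applies the base pattern quoted in the post to requested URLs. It is an added example, not part of the original message and not the content of signature 2008232. The log layout (`timestamp client method url`), the function names and the `CONSTRUCTEDTAIL` placeholder are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Base pattern quoted in the post; everything after it varies per sample.
BASE_PATTERN = "/t/d2hsdWF3OzJ0OHY5Oj0,cyJtIG8kaUVyam9zeHk9Tn5DSgIRAkxDUU1b"
DOMAIN = "justcount.net"

def classify(url):
    """Return 'base-pattern', 'domain-only' or None for one requested URL."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return None  # unparseable URL field
    # Match the domain itself or any subdomain, not look-alike suffixes.
    if host != DOMAIN and not host.endswith("." + DOMAIN):
        return None
    # Base64 is case-sensitive, so the path is compared exactly as logged.
    if parts.path.startswith(BASE_PATTERN):
        return "base-pattern"
    return "domain-only"  # same domain, different URL shape: review by hand

def hunt(log_lines):
    """Map client IP -> set of verdicts (assumed format: 'ts client method url')."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        verdict = classify(fields[3])
        if verdict:
            hits.setdefault(fields[1], set()).add(verdict)
    return hits

# Constructed sample log lines; CONSTRUCTEDTAIL stands in for the varying part.
SAMPLE_LOG = [
    "1211215687 10.0.0.5 GET http://traff.justcount.net"
    + BASE_PATTERN + "CONSTRUCTEDTAIL/count.htm",
    "1211215690 10.0.0.7 GET http://www.example.com/index.html",
    "1211215701 10.0.0.9 GET http://traff.justcount.net/other/path",
    "1211215702 10.0.0.8 GET http://notjustcount.net.example.org/t/x",
    "truncated line",
]

if __name__ == "__main__":
    for client, verdicts in sorted(hunt(SAMPLE_LOG).items()):
        print(client, sorted(verdicts))
```

Clients reported as `domain-only` contacted the domain with a URL that does not carry the base pattern, which is where a more definite pattern would have to be looked for.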