[Emerging-Sigs] Unknown(?) kit - mooo.com

frank at astralcomputing.net frank at astralcomputing.net
Sat Dec 15 10:06:40 HAST 2012


I am seeing a lot of information about mooo.com URLs lately (other domains
possible). Wanted to reach out to the group to see if anyone has seen
this. There was a lot of activity around "/newg/a.php?s=" URL from 12-06 to
12-10, then it looks like most of the mooo.com activity switched to this
thing.

There are two URL patterns I have seen so far:

Unknown: /\w{2,8}\d{3}\_\d{4}\.php\?\w{4,10}\=

Binary: mooo.com\/\?\w{2,9}\=[a-zA-Z0-9]{16,}
Without mooo.com, likely a large number of false positives.

No pcaps on this one :(

Here are some sample URLs

Group 1: Unsure

Group 2: Looks like this is a binary GET request (as per exploit shield)

http://www2.g8gbbckylo8.mooo.com/?smbvs0=l9DP2rCV352N18vHqK6kp22Z4....
http://www2.g8gbbckylo8.mooo.com/?98d9w0=XZvRnbSV352N18vHqK6kp21fr....
http://www2.v-iy381t22z638.mooo.com/?xf85sj=nMmlmbDP7pKP7pycbqlpab....
http://www2.v-iy381t22z638.mooo.com/?0aimsen=VMTW0bDK5ttT3uKXdWara....
http://www2.q70atmcdewvzt4.mooo.com/?q2fvyvvkr8=lZXT2rbb7tCYrdqbbZ....


-Frank Angiolelli
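Added example (not part of the post above): the two URL patterns from the post as Python regexes, applied to constructed sample URLs, with the "Binary" pattern also shown without its mooo.com anchor to illustrate the false-positive concern raised in the post. Hostnames and query values in the samples are invented; the refang helper and classify function are my additions.

```python
import re
from typing import Optional, Dict, List

# Patterns from the post, escaping tidied (same semantics). They are searched,
# not anchored, so they behave like a content match on the full request URL.
UNKNOWN_KIT_RE = re.compile(r"/\w{2,8}\d{3}_\d{4}\.php\?\w{4,10}=")
BINARY_RE = re.compile(r"mooo\.com/\?\w{2,9}=[a-zA-Z0-9]{16,}")
# The Binary pattern with the mooo.com host requirement dropped: this is the
# variant the post warns would produce many false positives.
BINARY_UNANCHORED_RE = re.compile(r"/\?\w{2,9}=[a-zA-Z0-9]{16,}")


def refang(url: str) -> str:
    """Turn a defanged 'hxxp://' URL back into 'http://' so patterns written
    for live traffic can be tested against samples shared in defanged form."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def classify(url: str) -> Optional[str]:
    """Return 'unknown-kit', 'binary', or None for a single URL."""
    url = refang(url)
    if UNKNOWN_KIT_RE.search(url):
        return "unknown-kit"
    if BINARY_RE.search(url):
        return "binary"
    return None


def classify_all(urls: List[str]) -> Dict[str, List[str]]:
    """Bucket URLs by verdict; unmatched URLs land under 'none'."""
    buckets: Dict[str, List[str]] = {"unknown-kit": [], "binary": [], "none": []}
    for u in urls:
        buckets[classify(u) or "none"].append(u)
    return buckets


# Constructed samples shaped like the two groups in the post (hosts invented).
SAMPLES = [
    "hxxp://www2.abcd1234wxyz.mooo.com/udhnj106_5613.php?qwer=AbCdEfGhIjKlMnOpQr",
    "http://www2.zzzz9999aaaa.mooo.com/?smbvs0=l9DP2rCV352N18vHqK6kp22Z4abc",
    # Benign-looking: long token on a non-mooo.com host; only the unanchored
    # variant of the Binary pattern hits it.
    "https://cdn.example.org/?token=AbCdEfGhIjKlMnOpQrStUv",
]

if __name__ == "__main__":
    for verdict, urls in classify_all(SAMPLES).items():
        print(verdict, urls)
    print("unanchored FP:", bool(BINARY_UNANCHORED_RE.search(SAMPLES[2])))
```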


