[Emerging-Sigs] Unknown(?) kit - mooo.com

Will Metcalf wmetcalf at emergingthreatspro.com
Sat Dec 15 19:48:22 HAST 2012


Would love to see pcaps if you have/can share them. :-)

Regards,

Will

On Dec 15, 2012, at 2:06 PM, frank at astralcomputing.net wrote:

> 
> I am seeing a lot of information about mooo.com URLs lately (other domains
> possible). Wanted to reach out to the group to see if anyone has seen
> this. There was a lot of activity around "/newg/a.php?s=" URL from 12-06 to
> 12-10, then it looks like most of the mooo.com activity switched to this
> thing.
> 
> There are two URL patterns I have seen so far:
> 
> Unknown: /\w{2,8}\d{3}\_\d{4}\.php\?\w{4,10}\=
> 
> Binary: mooo.com\/\?\w{2,9}\=[a-zA-Z0-9]{16,}
> Without mooo.com, likely a large number of false positives.
> 
> No pcaps on this one :(
> 
> Here are some sample URLs
> 
> Group 1: Unsure
> 2012-12-14 20:11:47
>    hxxp://www2.e77lzbgasyhun.mooo.com/udhnj106_5613.php?8tpb=XN/p2KKso9zwx9vOme7R2attqqGVi6eg0LeVj
> (...)
> 2012-12-14 20:11:30
>    hxxp://www2.e77lzbgasyhun.mooo.com/zkzd106_5613.php?qamk2=lczm4W/ao6fi39bUh+jizLKjp5KgkaLOm3Sfo
> (...)
> 2012-12-14 20:11:01
>    hxxp://www2.tf6qzs0witws-0.mooo.com/dxohf241_5874.php?zh2cgpfl=nt6gy92ty9rZ16mX79yUtJ6srqdToOPM
> (...)
> 2012-12-14 20:10:55
>    hxxp://www2.f32w14gqqvnfax.mooo.com/owxryn107_5613.php?l4uv0n=kKfX723h3aek4ppa3NrVs6OckquSpN7ab
> (...)
> 2012-12-14 20:10:10
>    hxxp://www2.id0hx24nz8.mooo.com/twp211_5613.php?wzapem=m+XV6aLa29ak0epYqdfedaywkqOL3dLIbZuek5bQ
> (...)
> 2012-12-14 20:10:03
>    hxxp://www2.q04leu6wmk.mooo.com/nnxybd231_5619.php?qzgoh7=leXP26Wa0p6h14vqn9uqoKeroJXYoNVtZ5LG1
> (...)
> 2012-12-14 20:09:25
>    hxxp://www2.r4qjwq40c4.mooo.com/uxm211_5613.php?te47u=mN6WobLaluLO6dWfVtid2KJpbaalWuHT265nVsSW1
> (...)
> 2012-12-14 20:08:35
>    hxxp://www2.i9cofxif5uz6i7.mooo.com/vigpkh241_5688.php?9dyzjo2pw=Xdfn3eTnb+jg4KPd3ozt0spyqrBuoV
> (...)
> 2012-12-14 20:07:56
>    hxxp://www2.r4qjwq40c4.mooo.com/taedi107_5613.php?11zq1=Vabf5ZWvq97N3eWtVtidlW6vp2KlWuHT265nVsS
> (...)
> 2012-12-14 20:07:45
>    hxxp://www2.poqjik8iv0.mooo.com/yhxvgz106_5613.php?09rrso=VJ/o1djjrdLq193bno/rmZR2p6ikopbf2s6mn
> (...)
> 2012-12-14 20:07:29
>    hxxp://www2.e77lzbgasyhun.mooo.com/bdj106_5613.php?cmlw7lm=h9jl7XTh2dWtnODniNzK17adq5+Wk9zgm6mg
> (...)
> 2012-12-14 20:06:23
>    hxxp://www2.i9cofxif5uz6i7.mooo.com/fdje106_5613.php?pae5=lNjIodF2zuXL3NeMqt7ec55toZSLpdKdoKKM2
> (...)
> 
> Group 2: Looks like this is a binary get request (as per exploit shield)
> 
> http://www2.g8gbbckylo8.mooo.com/?smbvs0=l9DP2rCV352N18vHqK6kp22Z4....
> http://www2.g8gbbckylo8.mooo.com/?98d9w0=XZvRnbSV352N18vHqK6kp21fr....
> http://www2.v-iy381t22z638.mooo.com/?xf85sj=nMmlmbDP7pKP7pycbqlpab....
> http://www2.v-iy381t22z638.mooo.com/?0aimsen=VMTW0bDK5ttT3uKXdWara....
> http://www2.q70atmcdewvzt4.mooo.com/?q2fvyvvkr8=lZXT2rbb7tCYrdqbbZ....
> 
> 
> -Frank Angiolelli
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
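Editor's note: the script below is an added example, not code from either poster or from Emerging Threats. It compiles Frank's two URL patterns verbatim, runs them over the sample URLs from the post, and checks the false-positive caveat he raises for the Group 2 pattern. The benign URLs, the classify/scan/mooo_hosts helper names and the query_param_name helper are constructed for the example. Running it also shows one thing the post does not: the fifth Group 2 sample has a ten-character parameter name (q2fvyvvkr8), so the posted \w{2,9} quantifier does not match it.

```python
import re

# Frank's patterns, copied as posted. Python's re treats \_ \= \/ as the
# literal characters, as PCRE does. Note the unescaped dot in "mooo.com"
# matches any character; it is kept as posted.
GROUP1_UNKNOWN = re.compile(r"/\w{2,8}\d{3}\_\d{4}\.php\?\w{4,10}\=")
GROUP2_BINARY = re.compile(r"mooo.com\/\?\w{2,9}\=[a-zA-Z0-9]{16,}")
# Group 2 with the host anchor dropped: the false-positive case from the post.
GROUP2_UNANCHORED = re.compile(r"\/\?\w{2,9}\=[a-zA-Z0-9]{16,}")

# Sample URLs from the post (defanged "hxxp" kept; trailing dots are the
# post's own truncation of the query value).
GROUP1_SAMPLES = [
    "hxxp://www2.e77lzbgasyhun.mooo.com/udhnj106_5613.php?8tpb=XN/p2KKso9zwx9vOme7R2attqqGVi6eg0LeVj",
    "hxxp://www2.e77lzbgasyhun.mooo.com/zkzd106_5613.php?qamk2=lczm4W/ao6fi39bUh+jizLKjp5KgkaLOm3Sfo",
    "hxxp://www2.tf6qzs0witws-0.mooo.com/dxohf241_5874.php?zh2cgpfl=nt6gy92ty9rZ16mX79yUtJ6srqdToOPM",
    "hxxp://www2.f32w14gqqvnfax.mooo.com/owxryn107_5613.php?l4uv0n=kKfX723h3aek4ppa3NrVs6OckquSpN7ab",
    "hxxp://www2.id0hx24nz8.mooo.com/twp211_5613.php?wzapem=m+XV6aLa29ak0epYqdfedaywkqOL3dLIbZuek5bQ",
    "hxxp://www2.q04leu6wmk.mooo.com/nnxybd231_5619.php?qzgoh7=leXP26Wa0p6h14vqn9uqoKeroJXYoNVtZ5LG1",
    "hxxp://www2.r4qjwq40c4.mooo.com/uxm211_5613.php?te47u=mN6WobLaluLO6dWfVtid2KJpbaalWuHT265nVsSW1",
    "hxxp://www2.i9cofxif5uz6i7.mooo.com/vigpkh241_5688.php?9dyzjo2pw=Xdfn3eTnb+jg4KPd3ozt0spyqrBuoV",
    "hxxp://www2.r4qjwq40c4.mooo.com/taedi107_5613.php?11zq1=Vabf5ZWvq97N3eWtVtidlW6vp2KlWuHT265nVsS",
    "hxxp://www2.poqjik8iv0.mooo.com/yhxvgz106_5613.php?09rrso=VJ/o1djjrdLq193bno/rmZR2p6ikopbf2s6mn",
    "hxxp://www2.e77lzbgasyhun.mooo.com/bdj106_5613.php?cmlw7lm=h9jl7XTh2dWtnODniNzK17adq5+Wk9zgm6mg",
    "hxxp://www2.i9cofxif5uz6i7.mooo.com/fdje106_5613.php?pae5=lNjIodF2zuXL3NeMqt7ec55toZSLpdKdoKKM2",
]
GROUP2_SAMPLES = [
    "http://www2.g8gbbckylo8.mooo.com/?smbvs0=l9DP2rCV352N18vHqK6kp22Z4....",
    "http://www2.g8gbbckylo8.mooo.com/?98d9w0=XZvRnbSV352N18vHqK6kp21fr....",
    "http://www2.v-iy381t22z638.mooo.com/?xf85sj=nMmlmbDP7pKP7pycbqlpab....",
    "http://www2.v-iy381t22z638.mooo.com/?0aimsen=VMTW0bDK5ttT3uKXdWara....",
    "http://www2.q70atmcdewvzt4.mooo.com/?q2fvyvvkr8=lZXT2rbb7tCYrdqbbZ....",
]

# Constructed benign URLs (not from the post) to exercise the FP caveat.
BENIGN_PHP = "http://www.example.com/news/story123_2012.php?article=42"
BENIGN_SESSION = "https://www.example.com/?session=3f4a9c1b2d8e7f6a5b4c"


def classify(url):
    """Return 'binary', 'unknown' or None for one URL, Group 2 checked first."""
    if GROUP2_BINARY.search(url):
        return "binary"
    if GROUP1_UNKNOWN.search(url):
        return "unknown"
    return None


def scan(urls):
    """Map every URL to its classification; feed it proxy-log URLs."""
    return {u: classify(u) for u in urls}


def query_param_name(url):
    """First query parameter name, for checking the \\w{2,9} / \\w{4,10} bounds."""
    m = re.search(r"\?(\w+)=", url)
    return m.group(1) if m else None


def mooo_hosts(urls):
    """Distinct *.mooo.com hostnames seen, for blocking or hunting."""
    hosts = set()
    for u in urls:
        m = re.search(r"://([^/]+\.mooo\.com)/", u)
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    for url, label in scan(GROUP1_SAMPLES + GROUP2_SAMPLES).items():
        print(label, url)
    print("hosts:", mooo_hosts(GROUP1_SAMPLES + GROUP2_SAMPLES))
    print("benign .php URL hits Group 1:", classify(BENIGN_PHP))
    print("benign session URL, unanchored Group 2:",
          bool(GROUP2_UNANCHORED.search(BENIGN_SESSION)))
```

The benign .php URL matches the Group 1 pattern as written, and the benign session URL matches Group 2 once the mooo.com anchor is removed, which is the false-positive risk the post warns about; both patterns want the host anchor (or an HTTP header match) if they are turned into IDS rules.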

