[Emerging-Sigs] Unknown(?) kit - mooo.com

frank at astralcomputing.net frank at astralcomputing.net
Sun Dec 16 03:30:28 HAST 2012


Unfortunately no pcaps. I will continue to try to capture it.

> Would love to see pcaps if you have/can share them. :-)
>
> Regards,
>
> Will
>
> On Dec 15, 2012, at 2:06 PM, frank at astralcomputing.net wrote:
>
>>
>> I am seeing a lot of information about mooo.com URLs lately (other
>> domains possible). Wanted to reach out to the group to see if anyone has
>> seen this. There was a lot of activity around the "/newg/a.php?s=" URL
>> from 12-06 to 12-10, then it looks like most of the mooo.com activity
>> switched to this thing.
>>
>> There are two URL patterns I have seen so far:
>>
>> Unknown: /\w{2,8}\d{3}\_\d{4}\.php\?\w{4,10}\=
>>
>> Binary: mooo.com\/\?\w{2,9}\=[a-zA-Z0-9]{16,}
>> Without mooo.com, likely a large number of false positives.
>>
>> No pcaps on this one :(
>>
>> Here are some sample URLs
>>
>> Group 1: Unsure
>>
>> Group 2: Looks like this is a binary get request (as per exploit shield)
>>
>> http://www2.g8gbbckylo8.mooo.com/?smbvs0=l9DP2rCV352N18vHqK6kp22Z4....
>> http://www2.g8gbbckylo8.mooo.com/?98d9w0=XZvRnbSV352N18vHqK6kp21fr....
>> http://www2.v-iy381t22z638.mooo.com/?xf85sj=nMmlmbDP7pKP7pycbqlpab....
>> http://www2.v-iy381t22z638.mooo.com/?0aimsen=VMTW0bDK5ttT3uKXdWara....
>> http://www2.q70atmcdewvzt4.mooo.com/?q2fvyvvkr8=lZXT2rbb7tCYrdqbbZ....
>>
>>
>> -Frank Angiolelli
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>> Current!
>
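As an added example (not part of the thread), here is a small Python check that runs the two patterns from the post over constructed URLs; the hostnames and values are invented to match the shapes described. It also includes a ten-character parameter name, which falls outside the binary pattern's \w{2,9} bound (the last Group 2 URL above has one), and a non-mooo.com URL to show the false positives the post warns about when the domain is dropped.

```python
import re
from typing import Optional

# The two patterns exactly as given in the post (the \_ and \= escapes are
# redundant but harmless in Python's re).
UNKNOWN_RE = re.compile(r"/\w{2,8}\d{3}\_\d{4}\.php\?\w{4,10}\=")
BINARY_RE = re.compile(r"mooo\.com\/\?\w{2,9}\=[a-zA-Z0-9]{16,}")
# The binary pattern with the domain dropped, to measure the false-positive
# cost the post mentions.
BINARY_NO_DOMAIN_RE = re.compile(r"\/\?\w{2,9}\=[a-zA-Z0-9]{16,}")


def classify(url: str) -> Optional[str]:
    """Return 'unknown', 'binary', or None for one URL (first pattern wins)."""
    if UNKNOWN_RE.search(url):
        return "unknown"
    if BINARY_RE.search(url):
        return "binary"
    return None


def false_positive_delta(urls) -> int:
    """Count URLs hit by the unanchored binary pattern but not the domain-bound one."""
    return sum(
        1 for u in urls
        if BINARY_NO_DOMAIN_RE.search(u) and not BINARY_RE.search(u)
    )


# Constructed sample URLs (not taken from the post); hostnames and values are made up.
SAMPLE_URLS = [
    "http://www2.abc123xyz.mooo.com/kxw106_5613.php?w9pq2=AAAAAAAAAAAAAAAAAAAA",  # group 1 shape
    "http://www2.abc123xyz.mooo.com/?smbv0=AbCdEf0123456789XYZ",                  # group 2 shape
    "http://www2.abc123xyz.mooo.com/?tenletters=AbCdEf0123456789XYZ",             # 10-char key, outside \w{2,9}
    "http://cdn.example.net/?token=0123456789abcdef0123",                          # benign; hit only without the domain
    "http://www.example.net/index.html",                                            # benign
]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify(u), u)
    print("extra hits without the domain anchor:", false_positive_delta(SAMPLE_URLS))
```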
