Saturday, July 11, 2009

Trojan-Downloader.Win32.FraudLoad

There's not a day I don't read a blog article about FraudLoad saying it "is a new infection", "is DNS.Changer", or other wrong information...

This malware is not new. I've been collecting DNS names since April 2009, and it had started months before. Here are some of them (forgive me for not listing 'em all, I was a little bored sometimes...)


The contacted hosts are also old, but they change much more slowly. At first the payload was a PE binary served under an image filename; later it changed to a real image with extra data appended (the encrypted PE placed after the picture data).

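Both delivery stages described above can be spotted without knowing anything about the encryption of the appended PE: either the "image" starts with an MZ header, or a structurally valid image carries bytes after its final chunk. The following checker is an added example written for this post, not code from the original article or from any tool it mentions; it handles PNG (walking the chunk list to IEND) and uses a constructed 1x1 PNG as sample input.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list up to IEND and return how many bytes follow it.
    Returns -1 if the data is not a structurally valid PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # chunk header + data + CRC
        if end > len(data):
            return -1
        pos = end
        if ctype == b"IEND":
            return len(data) - pos  # anything past IEND is appended data
    return -1


def classify(data: bytes) -> str:
    """Classify a file fetched under an image name, mirroring the two stages the post
    describes: a bare PE with an image filename, or an image with data appended."""
    if data[:2] == b"MZ":
        return "pe-disguised-as-image"
    trailing = png_trailing_bytes(data)
    if trailing == -1:
        return "not-png"
    if trailing > 0:
        return f"png-with-{trailing}-trailing-bytes"
    return "clean-png"


def make_png() -> bytes:
    """Build a minimal valid 1x1 greyscale PNG (constructed sample input)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


if __name__ == "__main__":
    # Constructed samples: a clean image, an image with 64 appended bytes, a PE header.
    for sample in (make_png(), make_png() + b"\x00" * 64, b"MZ\x90\x00" + b"\x00" * 60):
        print(classify(sample))
```

Trailing data after IEND is not proof of malice on its own (some tools append metadata), but combined with the hosts and URL patterns above it is a cheap triage signal.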

It is not a DNS.Changer infection (I can't remember the blog where I read this). It is a Trojan Downloader. See the previous post about it here.