Detecting TDSS Variants

These signatures have caught some TDSS-infected hosts lately.

HTTP Method = GET
Regex HTTP URI for \/[a-z]\/[0-9]{4}\/[0-9]{1,4}\/[0-9]{13}_[0-9]{13,14}\/([0-9]+\/)?$

Examples:

espeak911.com/s/1097/5005/1348834772843_32880252672854/11/
runrunfaster.com/s/1500/0/1361145743122_5741195516747/11/
novemberrainx.com/c/1600/0/1354942684608_34784241188532/
wewillrocknow.com/s/1306/0/1369426784608_34784241188532/11/

HTTP Method = GET
Regex HTTP URI for \/j\/js[1-9]$

Examples:

woohoowoo.com/j/js9
woohoowoo.com/j/js8
woohoowoo.com/j/js4
woohoowoo.com/j/js3
woohoowoo.com/j/js2
woohoowoo.com/j/js1
woohoowoo.com/j/js7
woohoowoo.com/j/js6
woohoowoo.com/j/js5

You can also look for the following, but expect potentially many false positives (FPs).

HTTP Method = GET
Regex HTTP URI for \/(x|z|d)\/$

Examples:

paspartux.com/x/
crossmatchx.com/x/
85.195.92.11/x/
novemberrainx.com/z/
oleolex98.com/x/
yawszaw89.com/x/
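
The three URI signatures above applied to proxy log lines, as an added example (not part of the original post). The log format (timestamp, client, method, URL, status) and the client addresses are constructed for the demonstration; the hostnames are the post's own examples.

```python
import re
from urllib.parse import urlsplit

# The three TDSS URI signatures from the post, with a rough confidence tier.
# The /x/ /z/ /d/ pattern is tiered "low" because the post warns of many FPs.
SIGNATURES = [
    ("tdss_numeric_path", "high",
     re.compile(r"/[a-z]/[0-9]{4}/[0-9]{1,4}/[0-9]{13}_[0-9]{13,14}/([0-9]+/)?$")),
    ("tdss_js_stub", "high", re.compile(r"/j/js[1-9]$")),
    ("tdss_single_letter_dir", "low", re.compile(r"/(x|z|d)/$")),
]


def classify_request(method, url):
    """Return (signature name, confidence) for the first matching signature, else None.

    Only GET requests are considered, and matching is done on the URI path so the
    hostname cannot influence the result."""
    if method != "GET":
        return None
    path = urlsplit(url).path
    for name, confidence, pattern in SIGNATURES:
        if pattern.search(path):
            return name, confidence
    return None


def scan_log(lines):
    """Apply the signatures to constructed log lines of the form
    'timestamp client method url status'. Returns (client, url, sig, conf) tuples."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, method, url, _status = fields[:5]
        result = classify_request(method, url)
        if result:
            hits.append((client, url, *result))
    return hits


# Constructed sample log lines; client addresses are from the RFC 5737 documentation range.
SAMPLE_LOG = """\
1369426784 192.0.2.10 GET http://wewillrocknow.com/s/1306/0/1369426784608_34784241188532/11/ 200
1369426785 192.0.2.10 GET http://woohoowoo.com/j/js9 200
1369426786 192.0.2.11 GET http://paspartux.com/x/ 200
1369426787 192.0.2.12 GET http://example.com/x/images/logo.png 200
1369426788 192.0.2.12 POST http://woohoowoo.com/j/js1 200
1369426789 192.0.2.13 GET http://example.com/s/1306/0/136942678460_3478424118853/ 404
""".splitlines()

if __name__ == "__main__":
    for client, url, sig, conf in scan_log(SAMPLE_LOG):
        print(f"{conf:4} {sig:24} {client} {url}")
```

The last three sample lines are deliberate near-misses (path not ending in /x/, a POST, and timestamp fields one digit short) and produce no hit.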

Known Malicious Domains:

