TDL Variant (Backdoor.Pihar) Clickfraud Traffic

Use these to help find infected hosts on your network…

Clickfraud domains

Clickfraud “search engine” domains

Possible regexes for requests to these search-engine domains include the two below, but be aware that legitimate sites use the same query parameters as well.

\/\?query=
\/\?q=

Involved IP Addresses

These requests often (but not always) carry a specific User-Agent string:

Mozilla/5.0 (compatible; MSIE 1.0; Windows NT; 57473847)

Clickfraud Redirects

HTTP Method = GET
Content-Type = text/html
HTTP URI = \/(f|k|task)\/(6|24|25|26|27)(\/)?$

Examples:

rigil-kentaurus5.biz/k/27
nerrtor-dep.net/f/25
sirius-beta7.net/f/27
ebertlittle.com/task/25
rutherfordleannon.name/task/27/

Base64-like Clickfraud Requests

HTTP Method = GET
Content-Type = text/html
HTTP URI = \/[a-z]\/[a-zA-Z0-9%]{50,}(%3d){1,2}\/$

Examples:

http://torphy.net/c/eTBsMGdlbmVyYXRpbmd5MGwwVEhJU3RyYWZmaWN0aGlzaXNOT1R3aG%2fF0dGhlYWNUVUFMYmFzZTY0eTBsMFcwdWxkRGVjMEQzVDAF0dGhlYWNUVUFMYmFzZTY0eTBsMFcwdWxkRGVjMEQzVDA%3d%3d/

http://dolchernalt.com/d/RoaXNJTmhlcmVzb2FzdG9OT1Rna%2bXZlYXdheW FueXRoaW5ndG9USEVIMHN0c3RoYXRXM1JF%3d/

http://procyon-q4.info/d/aGV5bG9va3kwbDB0aGlzaXNKVVN%2bUYWJ1bmNob2ZiYXNlNjRtYXRjaGluZ3kwbDB0ZXh0aVBVVH%3d/
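As an added example (not part of the original write-up), the redirect signature, the base64-like signature and the User-Agent string above expressed in Python and run over constructed proxy log records; the internal host addresses, the base64-looking blob, the example.com entries and the function names are made up for this example.

```python
import re
from urllib.parse import urlsplit

# Signatures from the write-up above, in Python regex syntax (same patterns).
REDIRECT_URI = re.compile(r"/(f|k|task)/(6|24|25|26|27)(/)?$")
B64_URI = re.compile(r"/[a-z]/[a-zA-Z0-9%]{50,}(%3d){1,2}/$")  # %3d lowercase, as in the samples
CLICKFRAUD_UA = "Mozilla/5.0 (compatible; MSIE 1.0; Windows NT; 57473847)"


def classify(method, url, user_agent):
    """Return the signature names one request matches (empty list if none)."""
    hits = []
    if user_agent == CLICKFRAUD_UA:
        hits.append("clickfraud-ua")
    if method.upper() == "GET":  # both URI signatures are GET-only
        path = urlsplit(url).path  # keeps percent-encoding, drops query/fragment
        if REDIRECT_URI.search(path):
            hits.append("clickfraud-redirect")
        if B64_URI.search(path):
            hits.append("clickfraud-b64")
    return hits


def scan(records):
    """Aggregate matches per source host: {src_ip: sorted unique signature names}."""
    per_host = {}
    for src_ip, method, url, ua in records:
        for sig in classify(method, url, ua):
            per_host.setdefault(src_ip, set()).add(sig)
    return {ip: sorted(sigs) for ip, sigs in per_host.items()}


# Constructed proxy log records: (src_ip, method, url, user_agent).
NORMAL_UA = "Mozilla/5.0 (Windows NT 10.0; rv:100.0) Gecko/20100101 Firefox/100.0"
SAMPLE_RECORDS = [
    ("10.0.0.5", "GET", "http://rigil-kentaurus5.biz/k/27", CLICKFRAUD_UA),
    ("10.0.0.5", "GET", "http://torphy.net/c/" + "QUJD" * 15 + "%3d%3d/", CLICKFRAUD_UA),
    ("10.0.0.7", "GET", "http://example.com/task/27/", NORMAL_UA),  # URI-only hit on a made-up site
    ("10.0.0.9", "GET", "http://example.com/f/12", NORMAL_UA),      # 12 is not in the task-id set
    ("10.0.0.9", "POST", "http://nerrtor-dep.net/f/25", CLICKFRAUD_UA),  # UA hit, but not a GET
]

if __name__ == "__main__":
    for ip, sigs in scan(SAMPLE_RECORDS).items():
        # A host hitting the UA plus a URI pattern is a far stronger lead than a lone URI hit.
        print(ip, ", ".join(sigs))
```

Because the URI patterns alone also match ordinary sites, treat a host that combines the User-Agent hit with one of the URI hits as the lead to investigate first.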