ZeuS/Eva Pharmacy overlap


Post by AlphaCentauri » Sat Feb 05, 2011 10:21 pm

The domains and nameservers hosted on 211.138.121.4 (China Mobile) are a mixture of nameservers for Eva Pharmacy domains and domains distributing the ZeuS trojan.

Examples:
https://zeustracker.abuse.ch/monitor.ph ... inworld.ru
turkeyinworld.ru/turkeysman.exe = ZeuS binary

http://whois.domaintools.com/ostanauge.com
ostanauge.com = CH&CM
nameservers:
NS2.PILLPHARMACYMEDSTECHNOLOGIES.COM (shut down)
NS1.ZFOCR.RU