Closed scafroglia93 closed 3 years ago
@scafroglia93 please provide download link. We will block network for it.
I struggle to give you the site as it is a DGA; changes with each download request
We can block these domains. But what makes requests to these domains? What is DGA?
DGA Reference -> https://en.m.wikipedia.org/wiki/Domain_generation_algorithm
It's very hard to find all the domains used.
What is the source of that domains? Which app made requests?
I need APK download link, not virustotal.
This is one, but there are tons of these.
Try with mobile (Android).
That's all!
https://github.com/prodaft/malware-ioc/tree/master/FluBot
https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/v3.7_5000_domain.txt
https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/v3.7_germany.txt
https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/v3.8_domains.txt
https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/v3.9_italy.txt
~Uh, those files are made of dead domains (at the moment)~
or they are still not used.
It can happen, especially if domains generated by some algorithm are used.
This makes blocking at the DNS level complicated.
This is the latest update from the Italian CERT -> https://cert-agid.gov.it/wp-content/uploads/2021/04/flubot_ioca_cert-agid_19-04-2021.json_.txt
They create one file, which contains all domains. You can add it to AdGuard home or another blocker. https://github.com/prodaft/malware-ioc/issues/1
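One way to turn several such domain feeds into the single file AdGuard Home can load, as an added example that is not part of this thread or of the linked projects; it assumes the feeds are plain text with one domain or URL per line and uses a constructed sample in place of the real files:

```python
"""Merge FluBot IOC domain feeds into one AdGuard Home-compatible blocklist."""
import re
from typing import Iterable, Optional

# Constructed sample standing in for the feed files (one indicator per line,
# with the comments, duplicates, mixed case and full URLs such feeds often contain).
SAMPLE_FEEDS = {
    "v3.7_5000_domain.txt": "qoisocrldvnesni.ru\nXAWSNNGJLJANXOF.su\n\n# comment\nqoisocrldvnesni.ru\n",
    "v3.9_italy.txt": "  bdvwidxfiextwof.ru \nhttp://krvpsegjeukhoqk.su/path\nnot a domain!\n",
}

# Hostname syntax check: labels of 1-63 chars, a 2-63 letter TLD, 253 chars overall.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize(raw: str) -> Optional[str]:
    """Return a canonical lowercase hostname, or None if the line is not a usable indicator."""
    line = raw.strip().lower()
    if not line or line.startswith("#"):
        return None
    # Some feeds list full URLs; keep only the host part (drop scheme, path and port).
    line = re.sub(r"^[a-z]+://", "", line).split("/", 1)[0].split(":", 1)[0]
    return line if DOMAIN_RE.match(line) else None


def merge_domains(feeds: Iterable[str]) -> list:
    """Deduplicate and sort every valid hostname found across all feed texts."""
    seen = set()
    for text in feeds:
        for raw in text.splitlines():
            host = normalize(raw)
            if host:
                seen.add(host)
    return sorted(seen)


def to_adguard_rules(domains: Iterable[str]) -> str:
    """Emit adblock-style rules; '||host^' blocks the host and all its subdomains."""
    return "".join(f"||{d}^\n" for d in domains)


if __name__ == "__main__":
    # Redirect stdout to a file and point AdGuard Home's DNS blocklists at it.
    print(to_adguard_rules(merge_domains(SAMPLE_FEEDS.values())), end="")
```

Invalid lines are dropped rather than passed through, so a malformed feed line cannot turn into a broken or over-broad rule.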
https://flubot.mrproper.dev/ Here is a list with URLs, flubot APK is not downloaded from DGA domains AFAIK, the DGA is used once the APK is installed.
The phenomenon has arrived
Rather, it tries to create a file containing the domains to be blocked instead of writing meaningless sentences.
What do you mean? In the footer is a free API that lists the URLs. If you want, I can try and make this into an adblocker-ready filter list, if that is what you mean?
@GewoonJaap Hi. I didn't understand your previous message. Are those domains actual FluBot domains? Does the DGA not cover all cases?
Hey @Alex-302, this is true. The domains used to spread FluBot are mostly hacked PHP websites; once FluBot is downloaded, it will contact the command and control servers, which use DGA domains.
So all the URLs you see on my website are domains used to host the .apk file for FluBot.
When you open inspect element/devtools, set your window to an Android phone so you can visit those hacked sites.
https://flubot.mrproper.dev/item
Can you create a list with only domains?
@GewoonJaap Ok. Could you please add those domains to some file which can be downloaded by AdGuard Home or other DNS filters? Are those domains not static, changing from time to time?
No response, closed.
VT -> https://www.virustotal.com/gui/file/88527fb710478e1c54c6540fd15c0734bee1c4d1724abefcb84d7fa4102b8411/detection
qoisocrldvnesni.ru xawsnngjljanxof.su bdvwidxfiextwof.ru krvpsegjeukhoqk.su auqcmkubxjmeeyf.ru vloxaloyfmdqxti.ru