Ultimate-Hosts-Blacklist / Ultimate.Hosts.Blacklist

The Ultimate Unified Hosts file for protecting your network, computer, smartphones and Wi-Fi devices against millions of bad web sites. Protect your children and family from gaining access to bad web sites and protect your devices and pc from being infected with Malware or Ransomware.
MIT License

Block various domains accessed by trojan #538

Closed Somebodyisnobody closed 4 years ago

Somebodyisnobody commented 4 years ago

After executing a trojan on an isolated host system, I got the following domains on my DNS server: lodddd01.info, jload01.info, rifat01.info. Some other requested domains were already blocked; I assume they are already in the list here. Attached is a traffic capture where you can see which files are being downloaded (e.g. stream 3, where "jload01.info/downfiles/1.exe" is called, or stream 0, where a zip with

 ....I^..I^..I^{.{?.PK..........PP................Browsers/_FileForms.txtUT
....I^..I^..I^{.{?.PK..........PP................Browsers/_FilePasswords.txtUT
....I^..I^..I^{.{?.PK..........PP................_FilePasswords.txtUT
....I^..I^..I^{.{?.PK..........PP............   ..._Info.txtUT

is being uploaded to rifat01.info. The attached zip is extracted from that stream.)

Attachments: trojan_filtered.zip (Wireshark capture file), index.php.zip, trojan.zip (only download if you know how to handle a trojan; password "trojan")
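The fragments quoted in the report above are ZIP local file headers as they appear in the raw TCP stream: each entry starts with the `PK` signature, is followed by its file name (`Browsers/_FilePasswords.txt`, `_Info.txt`, ...), and the trailing `UT` is the ID of the extended-timestamp extra field. Below is an added example, not code from the issue reporter or from this project, that automates the manual triage described in the report: it reads the HTTP `Host` header from the upload request, carves the archive out of the request body, lists what is being exfiltrated without extracting anything to disk, and emits `0.0.0.0` hosts-file lines for the observed domains. The sample request is constructed inline with dummy file contents; the request path `/index.php`, the HTTP framing and the list of "stealer artifact" file names are assumptions.

```python
"""Triage a captured trojan upload: find the exfil host, carve the ZIP
out of the HTTP body, list its entries and produce hosts-file blocks.

Added example; not code from the issue or the project. Request path,
HTTP framing and STEALER_MARKERS are assumptions."""
import io
import re
import zipfile
from typing import Dict, Iterable, List, Optional

ZIP_LOCAL_FILE_HEADER = b"PK\x03\x04"  # signature that starts every ZIP entry


def build_sample_upload(host: str = "rifat01.info") -> bytes:
    """Constructed sample: a POST whose body is a ZIP with the entry names
    quoted in the issue. The entry contents are dummies, not real data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Browsers/_FileForms.txt", "dummy form autofill\n")
        zf.writestr("Browsers/_FilePasswords.txt", "dummy saved passwords\n")
        zf.writestr("_FilePasswords.txt", "dummy saved passwords\n")
        zf.writestr("_Info.txt", "dummy host fingerprint\n")
    body = buf.getvalue()
    headers = (
        "POST /index.php HTTP/1.1\r\n"  # path is an assumption
        f"Host: {host}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return headers.encode("ascii") + body


def exfil_host(stream: bytes) -> Optional[str]:
    """Hostname the upload was sent to, taken from the HTTP Host header."""
    head, sep, _ = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    m = re.search(rb"^Host:[ \t]*([^\r\n]+)", head, re.M | re.I)
    return m.group(1).strip().decode("ascii", "replace") if m else None


def carve_zip(stream: bytes) -> bytes:
    """Return the archive alone: everything before the first local file
    header (HTTP headers, any multipart preamble) is dropped, so the result
    can be saved and inspected with any unzip tool."""
    start = stream.find(ZIP_LOCAL_FILE_HEADER)
    if start < 0:
        raise ValueError("no ZIP local file header in stream")
    return stream[start:]


def list_entries(archive: bytes) -> List[str]:
    """Entry names only; nothing is extracted, so no stolen content or
    dropped binary lands on the analyst's disk."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [info.filename for info in zf.infolist()]


# Basenames typical of browser credential dumps. Assumption drawn from the
# entry names quoted in the issue, not a vetted signature set.
STEALER_MARKERS = ("_FilePasswords.txt", "_FileForms.txt", "_Info.txt")


def flag_stealer_entries(entries: List[str]) -> List[str]:
    """Entries whose basename matches a known stealer artifact."""
    return [e for e in entries if e.rsplit("/", 1)[-1] in STEALER_MARKERS]


_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def hosts_lines(domains: Iterable[str]) -> List[str]:
    """0.0.0.0 lines for the observed domains, deduplicated and sorted.
    Anything that is not a syntactically valid hostname is rejected rather
    than silently written into a blocklist."""
    out = []
    for d in sorted({d.strip().lower().rstrip(".") for d in domains}):
        if not _HOSTNAME_RE.match(d):
            raise ValueError(f"not a hostname: {d!r}")
        out.append(f"0.0.0.0 {d}")
    return out


def triage(stream: bytes, dns_domains: Iterable[str] = ()) -> Dict[str, object]:
    """Run the whole chain on one captured request plus DNS-observed names."""
    host = exfil_host(stream)
    entries = list_entries(carve_zip(stream))
    domains = list(dns_domains) + ([host] if host else [])
    return {
        "upload_host": host,
        "entries": entries,
        "stealer_entries": flag_stealer_entries(entries),
        "hosts_lines": hosts_lines(domains),
    }


if __name__ == "__main__":
    sample = build_sample_upload()
    for key, value in triage(sample, ["lodddd01.info", "jload01.info"]).items():
        print(key, value)
```

Run against a real capture, `stream` would be the reassembled TCP payload exported from Wireshark ("Follow TCP Stream", raw, client direction) for the upload; the DNS names come from the resolver log, as in the report. Listing entries rather than extracting them is deliberate: the archive came off an infected host, and its contents are both sensitive and untrusted.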

spirillen commented 4 years ago

May I suggest that you add a password to trojan.zip rather than just redistributing it as is, and at the same time ensure people don't execute it by mistake?

ghost commented 4 years ago

This issue was moved by funilrys to Ultimate-Hosts-Blacklist/blacklist#1.