This morning I see that the malicious software purveyors are still in fine form. It would be nice if they would take a weekend off (or longer, much longer). The UK government CERT has put out an alert at the end of last week regarding a domain originating from Hotfresh ISP, Hong Kong, that is distributing malware. This seems to have first appeared on the 15th of this month. No word at this point as to the nature of the malicious code or whether AV vendors have detection available for it.
From Gov CertUK:
GovCertUK have detected a number of systems downloading malicious software from the IP address 58.65.238.59. The malware can be detected by analysing web traffic logs for outbound traffic to this IP address. Evidence of the IP address 58.65.238.59 within web traffic logs may indicate an infected computer on the network. Other identifying features of this malware include:
• On occasion the IP address may resolve to the domain name of dorifora(dot)com.
• The HTTP GET request to the IP/domain in question will not have an initial referrer listed.
• Once the malware is present on the network, it beacons out to the domain here4search(dot)biz – this domain may also be present within the web logs.
GovCertUK recommend that the IP address 58.65.238.59 is blocked on the network as well as the domains dorifora(dot)com and here4search(dot)biz.
GovCertUK would like to hear from anyone that discovers evidence of this malware on their system. GovCertUK can be contacted on the details provided at the end of this advisory.
Check your logs for outbound traffic to the aforementioned IP address.
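As an added illustration (not part of the advisory or this post), here is a small Python log sweep that applies the indicators GovCertUK lists: outbound contact with 58.65.238.59 (noting when it is a GET with no referrer), and contact with dorifora.com or here4search.biz. The log layout and the sample lines are constructed for the example; adapt the regex to your proxy's real format.

```python
import re
from collections import defaultdict

# Indicators taken from the GovCertUK advisory quoted above.
BLOCKED_IP = "58.65.238.59"
BLOCKED_DOMAINS = {"dorifora.com", "here4search.biz"}

# Constructed sample lines in an assumed proxy-log layout (not any real product's format):
# <timestamp> <client> <method> <url> <referrer or "-">
SAMPLE_LOG = """\
2000-01-01T09:01:12 10.0.0.5 GET http://58.65.238.59/load.php -
2000-01-01T09:01:40 10.0.0.5 GET http://here4search.biz/ping -
2000-01-01T09:02:03 10.0.0.7 GET http://www.example.com/news.html http://www.example.com/
2000-01-01T09:02:15 10.0.0.9 GET http://dorifora.com/x http://www.example.com/
2000-01-01T09:03:00 10.0.0.7 GET http://intranet.local/home -
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")

def host_of(url):
    """Extract the host part of a URL (lower-cased); '' if it does not parse."""
    m = HOST_RE.match(url.lower())
    return m.group(1) if m else ""

def find_infected(log_text):
    """Return {client_ip: [reasons]} for clients matching the advisory's indicators."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, method, url, referrer = m.groups()
        host = host_of(url)
        if host == BLOCKED_IP:
            note = "contact with " + BLOCKED_IP
            if method == "GET" and referrer == "-":
                note += " (GET with no referrer, as described in the advisory)"
            hits[client].append(note)
        elif host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
            hits[client].append("contact with " + host)
    return dict(hits)

if __name__ == "__main__":
    for client, reasons in sorted(find_infected(SAMPLE_LOG).items()):
        print(client, "->", "; ".join(reasons))
```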
(thx fuzzE1 for the tip)
Article Link (.pdf)
[tags]GovCertUK, dorifora, searchmeup, here4search, Malware, Trojan[/tags]