Nuclear Legacy (continued)
By Vincent HINDERER, Monday 27 October 2008 at 12:01 :: General :: #264
Following the recent post by Ivan on the legacy of the Nuclear Grabber trojan horses developed by "Corpse", I recently came across a command & control server (c&c) that "pays tribute" to this famous malware author.
This coder has used the domains a311.com/.net/.org for his own purposes since 2005, named after his "A-311/Death" backdoor component. In August someone registered "a311.ru" and used it (as you may have guessed) as a c&c for old-fashioned Haxdoor (one of the Nuclear Grabber aliases) trojan variants.
(Example MD5s of Haxdoor-like binaries we received that connected to a311.ru between 08/23/2008 and 10/09/2008:
- 427bfed75b054c4a2f2de07f6c2cafeb
- ac0214fadb24e9526e8b85755bf1ba05
- c6d4675a69ea409a42be8887885fd5dc
- a0a78756b64bee5a45a22b8c47578480
- ...)
The "Death" of A-311?
But it seems that the days of Corpse's trojans, which most AV vendors now detect almost automatically, really are numbered. The pirate behind a311.ru changed tactics on October 24th and started using ZeuS (PRG) variants instead:
- http://a311.ru/cfg/cfg.bin (encrypted configuration file)
- http://a311.ru/z/z.php?1={PARAMETERS REDACTED} (c&c server)
(MD5s of ZeuS variants discovered since 10/24/2008 that connect to the above URLs:
- dafd137952ed35acfb1eb427f3092e6c
- 0ffc7ed072610963ad9073d88d9c29fa
- b9557528704dc1d930d2150b63c07b1e
- ...)
A311 vs. A322 ?
And don't worry about the pirate's fraudulent activities: if that domain name were to be taken down, the campaign would probably not stop, as the domain owner took care a few days ago to register another domain name as a backup: "a322.ru".
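For readers who want to turn the indicators above into a check, here is an added example (not code from the original post or from CERT-LEXSI) that matches proxy log lines against the two c&c domains, including the a322.ru backup and any subdomain of either, labels the two ZeuS URL paths, and maps file hashes to the MD5s listed above. The log line format is a hypothetical Squid/CLF-like layout and the sample lines are constructed, not captured traffic; the query string on z.php is deliberately ignored since the parameters vary per bot while the path does not.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators quoted in the post above: the two c&c domains (a322.ru is the
# backup the owner registered), the two ZeuS URL paths and the listed MD5s.
C2_DOMAINS = {"a311.ru", "a322.ru"}
ZEUS_PATHS = {
    "/cfg/cfg.bin": "zeus-config",   # encrypted configuration file
    "/z/z.php": "zeus-gate",         # c&c gate script the bots report to
}
HAXDOOR_MD5 = {
    "427bfed75b054c4a2f2de07f6c2cafeb",
    "ac0214fadb24e9526e8b85755bf1ba05",
    "c6d4675a69ea409a42be8887885fd5dc",
    "a0a78756b64bee5a45a22b8c47578480",
}
ZEUS_MD5 = {
    "dafd137952ed35acfb1eb427f3092e6c",
    "0ffc7ed072610963ad9073d88d9c29fa",
    "b9557528704dc1d930d2150b63c07b1e",
}

# Assumed proxy log format (hypothetical, Squid/CLF-like):
#   <timestamp> <client-ip> "<METHOD> <absolute-URL> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)


def host_matches(host, domains):
    """True if host is one of the c&c domains or a subdomain of one.

    The check is suffix-anchored on a dot, so 'a311.ru.example.com'
    does not match while 'www.a311.ru' does.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_request(url):
    """Return an indicator label for a requested URL, or None if clean."""
    parts = urlsplit(url)
    if not host_matches(parts.hostname or "", C2_DOMAINS):
        return None
    # The query string (the redacted '?1=...' parameters) is ignored on purpose:
    # it varies per bot, the path does not. Any other path on the domain is
    # still a hit, just a less specific one.
    return ZEUS_PATHS.get(parts.path, "c2-domain")


def scan_proxy_log(lines):
    """Return (timestamp, client, label, url) for every line touching the c&c."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        label = classify_request(m["url"])
        if label:
            hits.append((m["ts"], m["src"], label, m["url"]))
    return hits


def classify_digest(md5_hex):
    """Map an MD5 hex digest to the family listed in the post, or None."""
    md5_hex = md5_hex.lower()
    if md5_hex in HAXDOOR_MD5:
        return "haxdoor"
    if md5_hex in ZEUS_MD5:
        return "zeus"
    return None


def classify_sample(data):
    """Hash raw file bytes and classify them against the listed MD5s."""
    return classify_digest(hashlib.md5(data).hexdigest())


# Constructed sample log lines (not real traffic), covering a ZeuS config fetch,
# a gate report, a hit on the backup domain, a look-alike host and normal traffic.
SAMPLE_LOG = [
    '2008-10-24T09:12:01Z 10.0.0.17 "GET http://a311.ru/cfg/cfg.bin HTTP/1.1" 200',
    '2008-10-24T09:12:05Z 10.0.0.17 "POST http://a311.ru/z/z.php?1=REDACTED HTTP/1.1" 200',
    '2008-10-27T11:40:33Z 10.0.0.42 "GET http://www.a322.ru/cfg/cfg.bin HTTP/1.0" 200',
    '2008-10-27T11:41:00Z 10.0.0.42 "GET http://a311.ru.example.com/index.html HTTP/1.1" 404',
    '2008-10-27T11:42:10Z 10.0.0.9 "GET http://www.example.com/ HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ts, src, label, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {src} {label:12} {url}")
```

Run against the constructed lines, the scan reports the config fetch and the gate POST on a311.ru and the config fetch on www.a322.ru, and ignores both the look-alike host and the ordinary request. Hash matching only catches the exact binaries listed, so treat the domain and path hits as the durable indicators and the MD5s as a bonus.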