Tuesday, January 26, 2010

Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits


Continuing the Pushdo coverage from last week, the "Your AOL Instant Messenger account is flagged as inactive" "or the latest update for the AIM" themed campaign from the weekend, has once again returned to a well known theme, namely, the "Facebook Update Tool" spam campaign.

The botnet masters have introduced several new name servers -- domain suspension is pending -- but continue using the same IP embedded on all the pages, for serving the client-side exploits, with a slight change in the directory structure.

- Sample subject: Facebook Update Tool
- Sample body: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"
- Sample URL: facebook.com.ddeassrq .vc/usr/LoginFacebook.php?ref
- Detection rates for scripts/crimeware/exploits: File.exe (phones back to the currently down nekovo .ru/cbd/nekovo.bri); IE.js; IE2.js; nowTrue.swf; pdf.pdf
- Sample iFrame exploitation structure: 109.95.114 .251/us01d/in.php
    - 109.95.114 .251/us01d/jquery.jxx
        - 109.95.114 .251/us01d/xd/pdf.pdf
            - 109.95.114 .251/us01d/load.php
                - 109.95.114 .251/us01d/file.exe

- Sample typosquatted and currently active domains: 
ddeasaeq .vc - Email: mspspaceki@mad.scientist.com
ddeasuqq .vc - Email: mspspaceki@mad.scientist.com
ddeassrq .vc - Email: mspspaceki@mad.scientist.com
ddeasutq .vc - Email: mspspaceki@mad.scientist.com
ddeasauq .vc - Email: mspspaceki@mad.scientist.com
ddeasqwq .vc - Email: mspspaceki@mad.scientist.com
ddeasqyq .vc - Email: mspspaceki@mad.scientist.com

reeesassf .la - Email: palatalizefxt@popstar.com
ukgedsa.com .hn - Email: zmamarc689@witty.com
ukgedsc.com .vc - Email: zmamarc689@witty.com
ukgedse.com .hn - Email: zmamarc689@witty.com
ukgedsg.com .vc - Email: zmamarc689@witty.com
ukgedsh.com .vc - Email: zmamarc689@witty.com
ukgedsi .hn - Email: zmamarc689@witty.com

ukgedsq.com .hn - Email: zmamarc689@witty.com
ukgedsr.com .sc - Email: zmamarc689@witty.com
ukgedst.com .sc - Email: zmamarc689@witty.com
ukgedsu.com .vc - Email: zmamarc689@witty.com
ukgedsv.com .vc - Email: zmamarc689@witty.com
ukgedsy.com .vc - Email: zmamarc689@witty.com

- Name servers of notice:
ns1.availname .net - 204.12.229.89 - Email: Larimore@yahoo.com
ns1.sorbauto .com - 204.12.229.89 - Email: xtrai@email.com
ns1.worldkinofest .com - Email: tolosa1965@snail-mail.net
ns1.pdsproperties .net - 92.84.23.138 - Email: PDSProperties@yahoo.com
ns1.drinckclub .com - 94.23.177.147 - Email: excins@iname.com
ns1.transsubmit .net - 94.23.177.147 - Email: Alaniz@gmail.com
ns1.theautocompany .net - suspended
ns1.24stophours .com - suspended
ns1.disksilver .net - suspended

Thankfully, quality assurance is not taken into consideration in this campaign - the iFrame's IP is already heavily blacklisted, and the crimeware sample itself attempts to phone back to a C&C that has been down for several days.

The gang's activities will be updated as they happen.

Related posts:
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.

Monday, January 18, 2010

Follow Me on Twitter!


Are you on Twitter? If so, consider following my tweets, or if you're not using it you can always subscribe to the RSS feed.

Wednesday, January 13, 2010

Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams


UPDATED, Friday, 15, 2010: The gang continues rotating the campaigns by targeting different brands. Over the 24 hours they've spamming the well known "Notice of Underreported Income" theme this time targeting HM Revenue and Customs (HMRC), and have also introduced new portfolios of typosquatted domains next to changing the client-side exploits serving iFrame embedded on each and every page.

- Sample message: "Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement. If the statement is incorrect, contact our Taxpayer Advocate Service."
- Sample URL: online.hmrc.gov.uk.olpiku5v .com.pl/SecurityWebApp/httpsmode/statement.php

Detection rates for tax-statement.exe (Trojan-Spy.Win32.Zbot.gen) and file.exe (Trojan-Spy.Win32.Zbot.gen). Upon execution, the samples attempt to connect to elnasa .ru/asd/elnasa.ble (109.95.114 .71/asd/elnasa.ble).

The structure of the iFrame, now using an IP address instead of a domain name, remains the same:
- 109.95.114.251 /uks1/in.php - 109.95.114.251 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich - akanyovskiy@troyak.org
    - 109.95.114.251 /uks1/jquery.jxx
            - 109.95.114.251 /uks1/xd/pdf.pdf
                - 109.95.114.251 /uks1/load.php
                    - 109.95.114.251 /uks1/file.exe

DNS servers of notice:
ns1.pds-properties .com - 89.238.165.195
ns1.noeproperties .com - 84.243.201.159
ns1.densondatabase .com - 94.23.177.147
ns1.dogsgrem .net - 89.238.165.195 - Email: glonders@gmail.com - Email seen in previous domain registrations

Typosquatted domains spammed over the past 24 hours:
olpiku5a .com.pl
olpiku5b .com.pl
olpiku5c .com.pl
olpiku5d .com.pl
olpiku5e .com.pl
olpiku5f .com.pl
olpiku5g .com.pl
olpiku5q .com.pl
olpiku5r .com.pl
olpiku5s .com.pl
olpiku5t .com.pl
olpiku5v .com.pl
olpiku5w .com.pl
olpiku5x .com.pl
olpiku5z .com.pl


ujo9ia .com.pl
ujo9id .com.pl
ujo9ie .com.pl
ujo9if .com.pl
ujo9ig .com.pl
ujo9ih .com.pl
ujo9im .com.pl
ujo9in .com.pl
ujo9iq .com.pl
ujo9ir .com.pl
ujo9is .com.pl
ujo9it .com.pl
ujo9iw .com.pl
ujo9iy .com.pl
ujo9iz .com.pl


t111ut .me.uk
t111uy .me.uk
t111uz .me.uk
t111uk .org.uk
t111ut .org.uk
t111uz .org.uk
t111uk .co.uk
t111uy .co.uk


okio1h .ne.kr
okio1w .ne.kr
okio1h .kr
okio1h .co.kr
okio1u .co.kr
okio1v .co.kr
okio1w .co.kr
okio1h .or.kr
okio1u .or.kr
okio1v .or.kr
okio1w .or.kr
okio1u .kr
okio1v .kr
okio1w .kr


proterp1 .im
virtdit1 .im
virtdit2 .im
virtdit3 .im
virtdit4 .im
virtdit5 .im
virtdit6 .im
virtdit7 .im
virtdit8 .im


UPDATED: Gary Warner offers additional insights into the latest campaigns - This Week in Avalanche / Zbot / Zeus Bot: HSBC & eBay.

What the botnet masters forget is that with each and every campaign, based on a number of factors, they reveal more about themselves and their affiliations within the cybercrime ecosystem. The degree of monetization is proportional with the loss of OPSEC (operational security), and this remains valid for any fraudulent campaign, botnet or cybercrime community in general.

UPDATED: To clarify, in this campaign Pushdo acts as the spam platform for the Avalanche/MS-Redirect botnet.

In need of a good example why you shouldn't be interacting with spam/phishing emails in any other way but reporting/deleting them, unless of course you're in the business of analyzing them?

Last week's OWA-themed Zeus-serving spam campaign courtesy of the Pushdo botnet, has not just resumed, but is continuing to serve client-side exploits (CVE-2007-5659; CVE-2008-2992; CVE-2009-0927) to anyone visiting the spammed web sites through an iFrame embedded on all of them. Such traffic optimization tactics are nothing new, since the botnet master is anticipating the fact that the visitor that clicked on the link, may not be that stupid the next time, so attempting to serve the malware without any kind of interaction on his behalf through client-side exploits is the tactic of choice.

Let's dissect the campaign, list all of the currently active fast-fluxed domains, the name servers of notice, the client-side exploit serving structure, and the Russian Brides scam domains spamvertised over the last few days.

Active fast-fluxed domains part of the campaign:
leptprs.co .kr - Email: wawddhaepny@yahoo.com
leptprs .kr - Email: wawddhaepny@yahoo.com
leptprs.ne .kr - Email: wawddhaepny@yahoo.com
leptprs.or .kr - Email: wawddhaepny@yahoo.com
oki8uuu.co .kr - Email: wawddhaepny@yahoo.com
ui7772.co .kr - Email: jn.hadler@jkh.org.uk
ui7772 .kr - Email: jn.hadler@jkh.org.uk
ui7772.ne .kr - Email: jn.hadler@jkh.org.uk
ui7772.or .kr - Email: jn.hadler@jkh.org.uk
ui777f .kr - Email: jn.hadler@jkh.org.uk
ui777f.ne .kr - Email: jn.hadler@jkh.org.uk
ui777f.or .kr - Email: jn.hadler@jkh.org.uk
ui777fne .kr - Email: jn.hadler@jkh.org.uk
ui777l.co .kr - Email: jn.hadler@jkh.org.uk
ui777p.co .kr - Email: jn.hadler@jkh.org.uk
ui777p .kr - Email: jn.hadler@jkh.org.uk
ui777p.ne .kr - Email: jn.hadler@jkh.org.uk
ui777p.or .kr - Email: jn.hadler@jkh.org.uk

DNS servers of notice:
ns1.raddoor .com - Email: figarro77@gmail.com
ns1.snup-up .net - Email: dietsnak@socialworker.net
ns1.aj-realty .net - Email: support@aj-realty.net
ns1.aj-administration .com - Email: manager@mack.net
ns1.aj-talentsearch .com - Email: supp@mail.net
ns1.eurobankfinance .net - Email: termer@counsellor.com
ns1.hetn91 .com - Email: astrix@aol.com
ns1.personnel-aj .com - Email: KimMIngram@aol.com
ns1.nitroexcel .net
ns1.fredoms .com
ns1.ajstaffing .net
ns1.angel-death .net
ns1.aj-estate .com
ns1.aj-realtors .com
ns1.pdsproperties .com
ns1.groupswat .com


Upon execution, settings-file.exe (Trojan-Spy.Win32.Zbot.adsy), phones back to 109.123.70 .97/fh3245sq/config.bin. Detection rate for pdf.pdf (Exploit-PDF.ac) and file.exe (Trojan.Win32.Riern). The structure of the iFrame is as follows:
- atthisstage .com/uksp/in.php - 84.45.45.135 - Email: soakes@soakes.com
    - atthisstage .com/uksp/jquery.jxx
        - atthisstage .com/uksp/xd/pdf.pdf
            - atthisstage .com/uksp/load.php
                - atthisstage .com/uksp/file.exe

Russian Brides spamvertised domains part of an affiliate network:
toolbarsunited .com - Email: soft.tj@gmail.com
2006jubilee .com - Email: soft.tj@gmail.com
avtofo .org - Email: flarnes@gmail.com
lovesexdatings .com - Email: kauplus@li.ru
stars-dating .com - Email: kauplus@li.ru
avtofo.com .ua
dinenyc .net

cid-f5f40ef1f5210d08.spaces .live.com
cid-c1b015ffe1b44573.spaces .live.com
cid-b78f4f23e27d2b45.spaces .live.com
cid-8d3413073f537740.spaces .live.com
cid-205046cf66900102.spaces .live.com


If you want to know more the inner workings of the Pushdo/Cutwail botnet, consider going through the Pushdo / Cutwail - An Indepth Analysis report.

Related posts:
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.

Friday, January 08, 2010

Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware


UPDATED: Sunday, January 10, 2010 - The post has been updated with the latest domains spammed within the past 24 hours.

UPDATED: Saturday, January 09, 2010 - The post has been updated with the latest domains spammed within the past 24 hours. The spam campaign is ongoing.

A currently ongoing spam campaign is using the "Your default mailbox settings have changed" theme, in order to infect gullible users into executing Trojan-Spy.Win32.Zbot (settings-file.exe).

Sample message:
"The default settings of your mailbox were automatically changed. Please download and launch a file with a new set of settings for your e-mail account:fx-settings-file.exe.

We constantly work on the quality level of our service, as well as on the development of its security and protection. During the last upgrade several essential improvements were adopted, such as new ports for the POP3 & SMTP protocols, plus the SMTP autentification. The new settings are necessary for those who use the mailings clients (for ex. Microsoft Outlook, The Bat!, Mozilla Thunderbird etc.) or those who use our service via the web-interface."

Sample campaign structure: molendf.co .kr/owa/service_directory/settings.php?email=fx@yahoo.com&from=yahoo.com&fromname=fx

Fast-fluxed seed IPs:
61.64.170.232
77.126.141.142
188.56.139.174
189.110.244.68
189.179.13.36
190.82.217.255
195.174.109.241
200.169.71.144
201.232.187.200
201.236.48.117
210.106.80.90
218.153.64.25
221.26.184.25
59.92.58.166
61.20.133.88

DNS servers of notice:
ns1.moorcargo .net
ns1.aj-realtors .com - Email: support@ajr.com
ns1.groupswat .com
ns1.elkins-realty .net - Email: BO.la@yahoo.com
ns1.nocksold .com - Email: termer@counsellor.com
ns1.seldomservice .net - 89.238.165.195 - Email: pp0271@gmail.com
ns1.viking-gave .net - 89.238.165.195 - Email: glonders@gmail.com
ns1.controlpanellsolutions .com - 212.95.50.175 - Email: jobwes@clerk.com

Hundreds of typosquatted subdomains reside within the following currently active domains:
ujjiks.co .im
ujjiks.com .im
ujjiks.org .im
ujjikx.co .im
ujjikx.com .im
ujjikx.org .im
molendf.co .kr
molendf .com
molendf .kr
molendf.ne .kr
molendf.or .kr
vcrssd1 .cc
vcrssd1 .eu
vfrtssd .com
vsmprot.co .uk
vsmprot .com
vsmprot .eu
vsmprot.me .uk
vsmprot.org .uk

ikuu8a .com - Email: bjnjnsls@technologist.com
ikuu8d .com - Email: bjnjnsls@technologist.com
ikuu8e .com - Email: bjnjnsls@technologist.com
ikuu8q .com - Email: bjnjnsls@technologist.com
ikuu8s .com - Email: bjnjnsls@technologist.com
ikuu8w .com - Email: bjnjnsls@technologist.com
ikuu8x .com - Email: bjnjnsls@technologist.com
ikuu8z .com - Email: bjnjnsls@technologist.com
ikuu8a .net - Email: bjnjnsls@technologist.com
ikuu8e .net - Email: bjnjnsls@technologist.com
ikuu8q .net - Email: bjnjnsls@technologist.com
ikuu8s .net - Email: bjnjnsls@technologist.com
ikuu8w .net - Email: bjnjnsls@technologist.com
ikuu8x .net - Email: bjnjnsls@technologist.com
ikuu8z .net - Email: bjnjnsls@technologist.com

yhuttte.ne .kr - Email: scepterpdg@chemist.com
yhuttti.ne .kr - Email: scepterpdg@chemist.com
yhutttu.ne .kr - Email: scepterpdg@chemist.com
yhuttte .kr - Email: scepterpdg@chemist.com
yhuttti .kr - Email: scepterpdg@chemist.com
yhuttte.co .kr - Email: scepterpdg@chemist.com
yhuttti.co .kr - Email: scepterpdg@chemist.com
yhutttr.co .kr - Email: scepterpdg@chemist.com
yhutttu.co .kr - Email: scepterpdg@chemist.com
yhuttte.or .kr - Email: scepterpdg@chemist.com
yhuttti.or .kr - Email: scepterpdg@chemist.com
yhutttr.or .kr - Email: scepterpdg@chemist.com
yhutttu.or .kr - Email: scepterpdg@chemist.com
yhutttr .kr - Email: scepterpdg@chemist.com
yhutttu .kr - Email: scepterpdg@chemist.com

ujyhl.ne .kr - Email: combinetct@financier.com
ujyho.ne .kr - Email: combinetct@financier.com
ujyhf .kr - Email: combinetct@financier.com
ujyhl .kr - Email: combinetct@financier.com
ujyhf.co .kr - Email: combinetct@financier.com
ujyhl.co .kr - Email: combinetct@financier.com
ujyho.co .kr - Email: combinetct@financier.com
ujyhs.co .kr - Email: combinetct@financier.com
ujyho .kr - Email: combinetct@financier.com
ujyhf.or .kr - Email: combinetct@financier.com
ujyhl.or .kr - Email: combinetct@financier.com
ujyho.or .kr - Email: combinetct@financier.com
ujyhs.or .kr - Email: combinetct@financier.com
ujyhs .kr - Email: combinetct@financier.com

Seen within the past 24 hours, now offline domains part of the campaign:
yhe3essa .com.pl
yhe3essd .com.pl
yhe3esse .com.pl
yhe3essf .com.pl
yhe3essg .com.pl
yhe3essi .com.pl
yhe3esso .com.pl
yhe3essp .com.pl
yhe3essq .com.pl
yhe3essr .com.pl
yhe3esss .com.pl
yhe3esst .com.pl
yhe3essu .com.pl
yhe3essw .com.pl
yhe3essy .com.pl
ok9iio1 .com
ok9iio2 .com
ok9iio3 .com
ok9iio4 .com
ok9iio5 .com
ok9iio6 .com
ok9iio7 .com
ok9iio8 .com
ok9iio1 .net
ok9iio2 .net
ok9iio3 .net
ok9iio4 .net
ok9iio5 .net
ok9iio6 .net
ok9iio7 .net

Upon execution the sample phones back to the already blacklisted by the Zeus Tracker nekovo .ru:
nekovo .ru/cbd/nekovo.bri; nekovo .ru/ip.php - 109.95.114.70 - Email: kievsk@yandex.ru - AS50215 - Troyak-as Starchenko Roman Fedorovich.

Related Zeus crimeware name servers respond to the same IP:
- ns1.trust-service .cn - (domain itself responds to 193.104.41.133) - Email: olezhiosapiel@yahoo.es
- ns1.elnasa .ru - (domain itself responds to 91.200.164.12) - Email: kievsk@yandex.ru
- ns1.recessa .ru - (domain itself responds to 193.104.41.69) - Email: kievsk@yandex.ru
- ns1.stomaid .ru - (domain itself responds to 91.200.164.10) - Email: kievsk@yandex.ru

Parked withn the same AS, are also the following currently active Zeus crimeware serving domains:
web-information-services .com - 91.198.109.69 - Email: pita@bigmailbox.ru
erthjuyt44u .com - 91.198.109.19 - Email: rails@qx8.ru
excellenthostingservice .com - 91.198.109.48 - Email: xm@qx8.ru
goldhostingservice .com - 91.198.109.32 - Email: clod@qx8.ru

Pretty much your typical cybercrime-friendly virtual neighborhood.

Related posts:
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.

Monday, January 04, 2010

Top Ten Must-Read DDanchev Posts For 2009


The following ten posts have been featured due to their insightful content, comprehensiveness of the topic covered, and due to plain simple exclusivity in the time of publishing, and not necessarily based on page views.

Thank you for being a regular reader of my personal blog. Feel free to subscribe to my RSS feed, keep track of my posts at ZDNet's Zero Day, or follow me on Twitter.

01. Conficker's Scareware/Fake Security Software Business Model
02. Koobface Botnet's Scareware Business Model - Part One and Part Two
03. Inside a Money Laundering Group's Spamming Operations
04. A Peek Inside the Managed Blackhat SEO Ecosystem
05. Iranian Opposition DDoS-es pro-Ahmadinejad Sites
06. Koobface Botnet Redirects Facebook's IP Space to my Blog
07. Standardizing the Money Mule Recruitment Process
08. Koobface Botnet Starts Serving Client-Side Exploits
09. The SMS Ransomware series - SMS Ransomware Displays Persistent Inline Ads; SMS Ransomware Source Code Now Offered for Sale; 3rd SMS Ransomware Variant Offered for Sale; 4th SMS Ransomware Variant Offered for Sale; 5th SMS Ransomware Variant Offered for Sale; 6th SMS Ransomware Variant Offered for Sale
10. The Koobface Gang Wishes the Industry "Happy Holidays"

This post has been reproduced from Dancho Danchev's blog.

Top Ten Must-Read Posts at ZDNet's Zero Day for 2009



The end of the year naturally means a rush to come up with 'best of the best' top lists consisting of your finest content. However, based on personal observations, during the holidays season the short attention span of the average reader becomes even shorter with everyone looking forward to taking a well-deserved break. Therefore, the first working week of the new year appears to be the perfect moment to summarize some of my most insightful posts/analysis published at ZDNet's Zero Day for 2009.

The following ten posts have been featured due to their insightful content, comprehensiveness of the topic covered, and due to plain simple exclusivity in the time of their publishing. You will be, of course, missing the big picture if you don't keep track of Ryan Naraine's coverage.

Thank you for being a Zero Day reader!

01. Microsoft study debunks phishing profitability
02. Inside BBC's Chimera botnet
03. China's 'secure' OS Kylin - a threat to U.S offsensive cyber capabilities?
04. Microsoft study debunks profitability of the underground economy
05. Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites - Related coverage
06. The Ultimate Guide to Scareware Protection
07. 'Anonymous' group attempts DDoS attack against Australian government (Operation Didgeridie)
08. Google's CAPTCHA experiment and the human factor
09. Does software piracy lead to higher malware infection rates?
10. Koobface botnet enters the Xmas season

Related posts:
Summarizing Zero Day's Posts for January, 2009
Summarizing Zero Day's Posts for February, 2009
Summarizing Zero Day's Posts for March, 2009
Summarizing Zero Day's Posts for April, 2009
Summarizing Zero Day's Posts for May, 2009
Summarizing Zero Day's Posts for June, 2009
Summarizing Zero Day's Posts for July, 2009
Summarizing Zero Day's Posts for August, 2009
Summarizing Zero Day's Posts for September, 2009
Summarizing Zero Day's Posts for October, 2009
Summarizing Zero Day's Posts for November, 2009
Summarizing Zero Day's Posts for December, 2009

This post has been reproduced from Dancho Danchev's blog.

Summarizing Zero Day's Posts for December

The following is a brief summary of all of my posts at ZDNet's Zero Day for December, 2009.

You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow all of ZDNet's blogs on Twitter.

01. Koobface botnet enters the Xmas season
02. How many people fall victim to phishing attacks?
03. Zeus crimeware using Amazon's EC2 as command and control server
04. Report: Google's reCAPTCHA flawed
05. FBI: Scareware distributors stole $150M

This post has been reproduced from Dancho Danchev's blog.