Monday, November 12, 2007

Targeted Spamming of Bankers Malware

This particular incident is interesting mostly because we have a good example that once a site gets compromised the potential for abusing the access for malware distribution becomes very realistic, this is in fact what happened with autobroker.com.pl, as the following URLs were active as of yesterday, now down due to notification. Basically, the compromised host, compromised in an automatic and efficient way for sure, started acting as the foundation for the campaign, which as it looks like was spammed in a targetted manner. A tiny php file at autobroker.com.pl/l.php was launching the downloader :

TROJ.BANLOAD
Result: 18/31 (58.07%)
File size: 46080 bytes
MD5: 690e71077c9d78347368c6cf8752741e
SHA1: 7dedad0778a24c69d6df4c8ceedc94f20292473e

the downloader then drops the following bankers that are strangely hosted on the French site Opus Citatum, and are still active :

opuscitatum.com/modules/PHP%20Files/__steampw12318897_.exe

Trojan-Spy.Win32.Banker.ciy
Result: 9/32 (28.13%)
File size: 2498560 bytes
MD5: cee1fdea650487e0865a1b8831db1e73
SHA1: ad55ff3e5519d88b930d6a0a695e71fcc253351e

opuscitatum.com/modules/PHP%20Files/Ivete_Sangalo.scr

Trojan.PWS.Banker
Result: 13/32 (40.63%)
File size: 2505216 bytes
MD5: 1bdb0d3e13b93c76e50b93db1adeed3e
SHA1: f472693da81202f4322425b952ec02cbff8d72bc

The campaign was originally spammed with the messages : "Chegou 1 vivo foto torpedo" and "Vivo torpedo foi enviado de um celular para seu e" by using the web based spammer you can see in the attached screenshot.

More info about banking malware, comments on a recently advertised metaphisher malware kit with banker trojans infected hosts only showcasing the malicious economies of scale botnet masters mentality, as well as related posts on targeted malware attacks.