Monday, February 25, 2008

Inside a Botnet's Phishing Activities

The following incident response assessment demonstrates how a botnet's infected hosts can be used not only as stepping stones, but also for sending out phishing emails and for hosting the domains used in the scams themselves, thereby shifting responsibility for the scams onto the infected parties while the operators remain relatively untraceable. The malware variants are still in the wild, and the ecosystem itself is currently active as well. Upon receiving and sandboxing the two samples (detected as BKDR_AGENT.AKJZ, Backdoor.Agent.AJU and Proxy-Agent.af.gen), both binaries attempt to connect to several IPs, one of which, 72.46.130.154, is the address the entire ecosystem's name servers resolve to. This KISS strategy on the botnet herders' part (a single name server IP behind everything) lets us pivot on that IP and quickly enumerate the entire domain portfolio and the associated phishing campaigns already in the wild. Here are the domains serving the phishing pages that are actually hosted on the botnet's infected hosts:


asp29.com
asp63.net
aspx77.in
aspx83.in
aspx94.in
bank45.us
boa23.com
cfm83.net
com94.net
info23.in
net18.in
net73.net
net94.us
pid83.net
ref34.us
sec26.net
sec94.in
sid45.com
site17.in
site37.in
ssd47.com
ssl18.net
ssl19.com
ssl62.net
web42.in
web59.net
web636.com
www84.in

It's quite obvious from their descriptive names, just like the ones I've discussed before, that they are meant to be used in phishing attacks to visually social engineer the recipients. And as you can see in the attached graphs, the IPs the domains resolve to belong to typical home-based infected end users, who from a theoretical perspective could later end up sending phishing emails to themselves. Once infected, the hosts phone home to receive instructions on participating in the malicious ecosystem by temporarily serving the phishing domains. Upon infection the hosts try to connect to 72.46.129.154, 72.46.130.154, 72.46.136.50 and ns.uk2.net; for the time being there are twenty different variants known to have used ns.uk2.net for DNS resolution. All of these domains use the same name servers, which establishes their connection. Here are some of the subdomains in the phishing campaigns that are already running and being spammed:

direct-certs9.bankofamerica.com.ssl36.net
www1.update.microsoft.com.ssl36.net
www7.nationalcity.com.asp29.com/consultnc/form.asp
microsoft.com.sec94.in
direct-certs1.bankofamerica.com.asp63.net
update.microsoft.com.web72.us
bankofamerica.com.web42.in
direct-certs0.bankofamerica.com.web42.in
www5.update.microsoft.com.sec94.in
www7.update.microsoft.com.web72.us
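Note what the hostnames above have in common: the brand the victim is meant to read (bankofamerica.com, microsoft.com, nationalcity.com) appears only as subdomain labels, while the registrable domain, the part that actually determines who controls the host, is the nondescript suffix (ssl36.net, asp29.com, web42.in). The script below is an added example, not code from the original post, showing two pieces of triage logic a responder would apply to such a list: extracting the registrable domain and the impersonated brand from each hostname, and grouping the registrable domains by the name-server IP they share, which is the pivot used above to expand the domain portfolio. The brand list is taken from the hostnames on the page; the name-server mapping is constructed sample data shaped like the post's findings (one cluster on 72.46.130.154, one unrelated domain on the RFC 5737 documentation address 192.0.2.53) and was not resolved live. The suffix handling is a deliberate simplification; real triage should use the full Public Suffix List (for example via the `tldextract` package).

```python
"""Phishing-hostname triage and name-server pivot (added example, not the post's code)."""
from collections import defaultdict

# Small stand-in for a public-suffix list (assumption: good enough for this sample;
# use the real Public Suffix List in practice).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in", "net.in"}

# Brand domains impersonated by the hostnames listed in the post.
BRAND_DOMAINS = ("bankofamerica.com", "microsoft.com", "nationalcity.com")

# Constructed sample data (NOT live DNS results): registrable domain -> name-server IPs.
SAMPLE_NS_RECORDS = {
    "asp29.com": {"72.46.130.154"},
    "web42.in": {"72.46.130.154"},
    "sec94.in": {"72.46.130.154"},
    "example.com": {"192.0.2.53"},  # unrelated control entry, documentation address
}


def _labels(hostname: str) -> list:
    """Normalise a hostname (strip any URL path and trailing dot) into its DNS labels."""
    host = hostname.strip().lower().split("/")[0].rstrip(".")
    return host.split(".")


def registrable_domain(hostname: str) -> str:
    """Return the registrant-controlled domain, e.g. 'ssl36.net' for
    'direct-certs9.bankofamerica.com.ssl36.net'."""
    labels = _labels(hostname)
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(hostname: str, brands=BRAND_DOMAINS):
    """Return the brand domain whose labels appear contiguously in the subdomain
    prefix, or None. A legitimate host such as update.microsoft.com has the brand
    as its registrable domain, not as a prefix, so it yields None."""
    labels = _labels(hostname)
    reg = registrable_domain(hostname)
    prefix = labels[: len(labels) - len(reg.split("."))]
    for brand in brands:
        if reg == brand:
            continue
        blabels = brand.split(".")
        n = len(blabels)
        for i in range(len(prefix) - n + 1):
            if prefix[i:i + n] == blabels:
                return brand
    return None


def triage(hostnames) -> list:
    """Map each hostname to (hostname, registrable domain, impersonated brand)."""
    return [(h, registrable_domain(h), impersonated_brand(h)) for h in hostnames]


def cluster_by_nameserver(ns_records: dict) -> dict:
    """Group registrable domains by the exact set of name-server IPs they use;
    domains sharing a set are the ones the post links to one ecosystem."""
    clusters = defaultdict(list)
    for domain, servers in ns_records.items():
        clusters[frozenset(servers)].append(domain)
    return {key: sorted(domains) for key, domains in clusters.items()}


if __name__ == "__main__":
    hosts = [
        "direct-certs9.bankofamerica.com.ssl36.net",
        "www7.nationalcity.com.asp29.com/consultnc/form.asp",
        "microsoft.com.sec94.in",
        "update.microsoft.com",  # legitimate control host
    ]
    for row in triage(hosts):
        print(row)
    for servers, domains in cluster_by_nameserver(SAMPLE_NS_RECORDS).items():
        print(sorted(servers), "->", domains)
```

The cluster keyed on 72.46.130.154 contains every domain that shares the ecosystem's name server, which is exactly the expansion step described above; in a real investigation the records would come from NS lookups of each candidate domain followed by A lookups of the returned name servers.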

Now that the botnet's phishing activities are exposed, it's also important to mention that, besides the phishing, this is the same botnet that has been sending out the recent fake Microsoft Critical Live Update emails.