Wednesday, April 16, 2008

Fake Yahoo Greetings Malware Campaign Circulating

The persistence of certain botnet masters cannot remain unnoticed even if you're used to going through over a dozen active malware campaigns per day, in this case it's their persistence that makes them worth assessing and profiling. The botnet which I assesed in February, the one that was crunching out phishing emails and using the infected hosts for hosting the pages, and parking the phishing domains, is still operational this time starting a fake Yahoo Greetings malware campaign by spamming the cybersquatted domains and enticing the user into updating their flash player with a copy of Backdoor.Agent.AJU.

Upon visiting it redirects to is currently responding to;;;;;; and also to;; and serves the Backdoor.Agent : .exe

Scanners Result : 12/31 (38.71%)
Suspicious:W32/Malware!Gemini; W32/Agent.Q.gen!Eldorado
File size: 44544 bytes
MD5...: fe97eb8c0518005075fd638b33d5b165
SHA1..: d7a4258e37ce0dab0f7d770d1a9d979e921be07b
SHA256: 138d31ae1bbdec215d980c7b57be6e624c2f2e1cacd3934b77f50be8adabfb97

"Backdoor.Agent.AJU is a malicious backdoor trojan that is capable to run and open random TCP port in a multiple instances attempting to connect to its predefined public SMTP servers. It then spams itself in email with a file attached in zip and password protected format. Furthermore, the password is included in the body of the email." is responding to, and is a part of a scammy ecosystem of other phishing and malware related domains responding to the same IP. And these are the related subdomains impersonating Yahoo Greetings within :

What you see when in a hurry is not what you get when you got time to look at it twice. This and the previous campaign launched by the same party is a great example of risk and responsibility forwarding, in this case to the infected party, so what used to be a situation where an infected host was sending spamming and phishing emails only, is today's malicious hosting infrastructure on demand.