Wednesday, April 16, 2008

Fake Yahoo Greetings Malware Campaign Circulating

The persistence of certain botnet masters cannot remain unnoticed even if you're used to going through over a dozen active malware campaigns per day; in this case it's their persistence that makes them worth assessing and profiling. The botnet which I assessed in February, the one that was crunching out phishing emails and using the infected hosts for hosting the pages and parking the phishing domains, is still operational, this time starting a fake Yahoo Greetings malware campaign by spamming the cybersquatted domains and enticing the user into updating their Flash player with a copy of Backdoor.Agent.AJU.

Upon visiting www4.yahoo.american-greeting.com.tag38.com/ecards/view.pd.htm it redirects to www3.yahoo.americangreetings.com.id759.com/ecards/view.pd.htm

id759.com is currently responding to 24.161.232.218; 24.192.140.204; 68.36.236.67; 76.230.108.105; 83.5.203.163; 85.109.42.164; 216.170.109.206 and also to set45.net; service28.biz; setup36.com and serves the Backdoor.Agent:

www3.yahoo.americangreetings.com.id759.com/ecards/get_new_flashplayer .exe

Scanners Result : 12/31 (38.71%)
Suspicious:W32/Malware!Gemini; W32/Agent.Q.gen!Eldorado
File size: 44544 bytes
MD5...: fe97eb8c0518005075fd638b33d5b165
SHA1..: d7a4258e37ce0dab0f7d770d1a9d979e921be07b
SHA256: 138d31ae1bbdec215d980c7b57be6e624c2f2e1cacd3934b77f50be8adabfb97

"Backdoor.Agent.AJU is a malicious backdoor trojan that is capable to run and open random TCP port in a multiple instances attempting to connect to its predefined public SMTP servers. It then spams itself in email with a file attached in zip and password protected format. Furthermore, the password is included in the body of the email."

tag38.com is responding to 211.142.23.21, and is a part of a scammy ecosystem of other phishing and malware related domains responding to the same IP. That ecosystem also includes related subdomains impersonating Yahoo Greetings.


What you see when in a hurry is not what you get when you have time to look at it twice. This and the previous campaign launched by the same party are a great example of risk and responsibility forwarding, in this case to the infected party: what used to be a situation where an infected host was only sending spam and phishing emails is today's malicious hosting infrastructure on demand.
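
The hostnames in this campaign put a trusted brand's name, followed by a TLD label, to the left of the domain that is actually registered. As an added example (not code from the original post), the Python check below flags that pattern in proxy or mail-gateway logs; the brand allow-list, the naive last-two-labels rule and the benign samples are assumptions constructed for illustration.

```python
# Added example: flag hostnames that embed a brand's domain in the subdomain part.
BRANDS = {
    # normalized brand token -> registered domains allowed to use it (assumed allow-list)
    "yahoo": {"yahoo.com"},
    "americangreeting": {"americangreetings.com"},
}
EMBEDDED_TLDS = {"com", "net", "org", "biz", "ca"}  # TLD labels that should not sit mid-hostname


def normalize(label):
    """Collapse the spelling variants used for cybersquatting: hyphens and a plural 's'."""
    label = label.lower().replace("-", "")
    return label[:-1] if label.endswith("s") else label


def registered_domain(host):
    """Naive last-two-labels rule (assumption); use the Public Suffix List in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess(url_or_host):
    """Return (registered_domain, impersonated_brands, embedded_tld) for a URL or hostname."""
    host = url_or_host.split("://")[-1].split("/")[0].split(":")[0]
    reg = registered_domain(host)
    sub_labels = host.lower().rstrip(".").split(".")[:-2]
    brands = sorted(
        b for b, owners in BRANDS.items()
        if reg not in owners and any(normalize(l) == b for l in sub_labels)
    )
    embedded_tld = any(l in EMBEDDED_TLDS for l in sub_labels)
    return reg, brands, embedded_tld


def is_suspicious(url_or_host):
    """A brand label plus a TLD label left of the real domain mimics 'brand.com'."""
    _, brands, embedded_tld = assess(url_or_host)
    return bool(brands) and embedded_tld


SAMPLES = [
    "www4.yahoo.american-greeting.com.tag38.com/ecards/view.pd.htm",  # from the post
    "www3.yahoo.americangreetings.com.id759.com/ecards/view.pd.htm",  # from the post
    "yahoo.americangreetings.com",  # constructed: brand label, but no embedded TLD
    "mail.yahoo.com",               # constructed benign
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(is_suspicious(s), assess(s))
```

Requiring both signals keeps a partner subdomain such as the third sample from being flagged while still catching every spelling variant that normalizes to a listed brand.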