Tuesday, November 17, 2009

"Your mailbox has been deactivated" Spam Campaign Serving Crimeware

An ongoing "Your mailbox has been deactivated" themed spam campaign is pushing crimeware as an attached utility.zip archive.

Subject: your mailbox has been deactivated
Message: "We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility. Best regards, hush.com technical support."
Different signatures used: "From Webmail Help Desk; From hush.com technical support; From msmvps.com technical support; From ahnlab.com technical support; From symantec.com technical support"

The sample obtained phones back to 193.104.27 .91/limpopo/bb.php?id=636608811&v=200&tm=2&b=4316315581 and 193.104.27 .91/limpopo/bb.php?id=554275088&v=200&tm=8&b=4316315581&tid=11&r=1, from where it downloads promed-net .com/css/abs.exe (97.74.144.118; Email: ninemed@ninemedical.com). That binary phones back to 231307d91138.bauhath.com/get.php?c=QPTUDBSV&d= and downloads 91.213.72 .51/ldr7.exe, which phones back to 193.104.27 .42/lcc/ip2.gif, detected as TrojWare.Win32.TrojanSpy.Zbot.Gen.

Not surprisingly, all of these IPs are known Zeus crimeware hosts.

Related phone-back locations parked on the same IP - 94.75.221.76:
koralda .com - Email: owner@koralda.com
antiona .com - Email: owner@antiona.com
lambrie .com - Email: owner@lambrie.com
bauhath .com - Email: owner@bauhath.com
agulhal .com - Email: owner@agulhal.com
lantzel .com - Email: owner@lantzel.com
bourgum .com - Email: owner@bourgum.com

101607d91120.koralda .com
141607d91121.koralda .com
121607d91122.koralda .com
161607d91123.koralda .com
141607d91124.koralda .com
181607d91125.koralda .com
011607d91106.koralda .com
171507d91116.koralda .com
161607d91126.koralda .com
231507d91107.koralda .com
201607d91127.koralda .com
031607d91108.koralda .com
191507d91118.koralda .com
011607d91109.koralda .com
171507d91119.koralda .com
221607d91129.koralda .com
201607d9112a.koralda .com
031607d9110b.koralda .com
191507d9111b.koralda .com
081607d9111b.koralda .com
221607d9112c.koralda .com
101607d9111d.koralda .com
081607d9111e.koralda .com
121607d9111f.koralda .com
211507d91131.antiona .com
231507d91133.antiona .com
081207d91134.antiona .com
121607d91115.antiona .com
001307d91106.antiona .com
201307d91108.antiona .com
121107d91128.antiona .com
021107d91129.antiona .com
221307d9110a.antiona .com

231107d9111a.antiona .com
230907d9111b.antiona .com
041107d9112b.antiona .com
011207d9111c.antiona .com
081307d9110d.antiona .com
061107d9112d.antiona .com
191407d9112d.antiona .com
171307d9111f.antiona .com
211407d9112f.antiona .com
042707d90914.agrigid .com
101607d91121.lambrie .com
121607d91122.lambrie .com
141607d91124.lambrie .com
161607d91126.lambrie .com
231507d91107.lambrie .com
181607d91128.lambrie .com
011607d91109.lambrie .com
171507d91119.lambrie .com
201607d9112a.lambrie .com
031607d9110b.lambrie .com
191507d9111b.lambrie .com
221607d9112c.lambrie .com
081607d9111e.lambrie .com
081607d91100.bauhath .com
071607d91130.bauhath .com
121607d91101.bauhath .com
201607d91111.bauhath .com
221307d91102.bauhath .com
051107d91122.bauhath .com
141607d91103.bauhath .com

151207d91113.bauhath .com
221607d91113.bauhath .com
221307d91104.bauhath .com
071107d91124.bauhath .com
171207d91115.bauhath .com
051007d91126.bauhath .com
091107d91126.bauhath .com
101607d91107.bauhath .com
191207d91117.bauhath .com
051207d91127.bauhath .com
071007d91128.bauhath .com
071207d91128.bauhath .com
121607d91109.bauhath .com
211207d91119.bauhath .com
091007d9112a.bauhath .com
131107d9112a.bauhath .com
091207d9112a.bauhath .com
051607d9113a.bauhath .com
231207d9111b.bauhath .com
091607d9113b.bauhath .com
141607d9110c.bauhath .com
111007d9112c.bauhath .com
111207d9112c.bauhath .com
161607d9110d.bauhath .com
071607d9112d.bauhath .com
181607d9110f.bauhath .com
181007d91132.edvehal .com
181007d91135.edvehal .com
181207d91110.agulhal .com
091007d91120.agulhal .com
211007d91130.agulhal .com
041307d91130.agulhal .com

111007d91122.agulhal .com
061307d91132.agulhal .com
131207d91123.agulhal .com
131007d91124.agulhal .com
151207d91125.agulhal .com
230907d91116.agulhal .com
151007d91126.agulhal .com
061207d91127.agulhal .com
011007d91118.agulhal .com
171007d91128.agulhal .com
031007d9111a.agulhal .com
021207d9111b.agulhal .com
121107d9113b.agulhal .com
051007d9111c.agulhal .com
011107d9110d.agulhal .com
041207d9111d.agulhal .com
191007d9112d.agulhal .com
161207d9110e.agulhal .com
071007d9111e.agulhal .com
141607d91100.lantzel .com
081607d91100.lantzel .com
221607d91110.lantzel .com
121607d91101.lantzel .com
171207d91111.lantzel .com
201607d91111.lantzel .com
071107d91121.lantzel .com
051107d91122.lantzel .com
141607d91103.lantzel .com
151207d91113.lantzel .com
191207d91113.lantzel .com
221607d91113.lantzel .com
051007d91123.lantzel .com

091107d91123.lantzel .com
051207d91123.lantzel .com
101607d91104.lantzel .com
071107d91124.lantzel .com
211207d91115.lantzel .com
171207d91115.lantzel .com
071007d91125.lantzel .com
111107d91125.lantzel .com
071207d91125.lantzel .com
121607d91106.lantzel .com
051007d91126.lantzel .com
091107d91126.lantzel .com
051207d91126.lantzel .com
101607d91107.lantzel .com
231207d91117.lantzel .com
191207d91117.lantzel .com
091007d91127.lantzel .com
131107d91127.lantzel .com
091207d91127.lantzel .com
051607d91137.lantzel .com
141607d91108.lantzel .com
071007d91128.lantzel .com
111107d91128.lantzel .com
071207d91128.lantzel .com
091607d91138.lantzel .com
121607d91109.lantzel .com
211207d91119.lantzel .com
111007d91129.lantzel .com
111207d91129.lantzel .com

071607d91139.lantzel .com
161607d9110a.lantzel .com
091007d9112a.lantzel .com
131107d9112a.lantzel .com
091207d9112a.lantzel .com
111607d9113a.lantzel .com
051607d9113a.lantzel .com
141607d9110b.lantzel .com
231207d9111b.lantzel .com
091607d9113b.lantzel .com
181607d9110c.lantzel .com
111007d9112c.lantzel .com
111207d9112c.lantzel .com
161607d9110d.lantzel .com
201607d9110e.lantzel .com
151207d9110f.lantzel .com
181607d9110f.lantzel .com
051107d9111f.lantzel .com
131507d91100.bourgum .com
231507d91130.bourgum .com
221207d91101.bourgum .com

211507d91131.bourgum .com
001307d91103.bourgum .com
231507d91133.bourgum .com
001107d91124.bourgum .com
081207d91134.bourgum .com
201307d91105.bourgum .com
121607d91115.bourgum .com
001307d91106.bourgum .com
021107d91126.bourgum .com
091207d91107.bourgum .com
221307d91107.bourgum .com
231107d91117.bourgum .com
201307d91108.bourgum .com
230907d91118.bourgum .com
121107d91128.bourgum .com
041107d91128.bourgum .com
211007d91138.bourgum .com
011207d91119.bourgum .com
021107d91129.bourgum .com

Naturally, the campaign isn't an isolated incident: previous "Facebook updated account agreement" themed campaigns used the same phone-back locations as the currently ongoing one.
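Because the same phone-back infrastructure is reused across campaigns, the practical defensive step is to turn the indicators above into a check that runs over proxy or DNS logs. The following Python script is an added example and is not part of the original post: it refangs the IPs and domains exactly as they are listed above (the post's " ." spacing), captures the shared shape of every listed phone-back host (six digits, "d9", four hex characters, then one of the parked domains) as a regular expression so that hosts built the same way but absent from the list are also flagged, and runs both over a few constructed proxy-log lines. The log format, the client addresses, the example.com/example.org requests and the host 123456d9abcd.lantzel.com are constructed for this example; the IPs, domains and URLs come from the post.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the post, in its own defanged form ("193.104.27 .91",
# "koralda .com"); refang_ioc() restores them so they match real log data.
RAW_IPS = ["193.104.27 .91", "193.104.27 .42", "97.74.144.118",
           "91.213.72 .51", "94.75.221.76"]
RAW_DOMAINS = ["promed-net .com", "koralda .com", "antiona .com", "lambrie .com",
               "bauhath .com", "agulhal .com", "lantzel .com", "bourgum .com",
               "agrigid .com", "edvehal .com"]


def refang_ioc(value: str) -> str:
    """Undo the ' .' spacing used in the post so the value is comparable to logs."""
    return value.replace(" .", ".").strip().lower()


IPS = {refang_ioc(v) for v in RAW_IPS}
DOMAINS = {refang_ioc(v) for v in RAW_DOMAINS}

# Every phone-back host listed in the post has the same shape: six digits,
# the literal "d9", four hex characters, then one of the parked domains
# (e.g. 231307d91138.bauhath.com). The regex generalises that shape so
# hosts not in the list but built the same way are still caught.
SUBDOMAIN_RE = re.compile(r"^\d{6}d9[0-9a-f]{4}\.(?P<domain>[a-z0-9-]+\.[a-z]+)$")


def classify_host(host: str):
    """Return (kind, indicator) if host belongs to the listed infrastructure, else None."""
    host = host.lower().rstrip(".")
    m = SUBDOMAIN_RE.match(host)
    if m and m.group("domain") in DOMAINS:
        return ("phone-back-subdomain", m.group("domain"))
    for domain in DOMAINS:
        # Exact match or any host under a listed domain (e.g. www.promed-net.com).
        if host == domain or host.endswith("." + domain):
            return ("domain", domain)
    return None


def classify_ip(value: str):
    """Return ("ip", value) if value is a listed IP address, else None."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return None  # not an IP literal at all; let classify_host() look at it
    return ("ip", value) if value in IPS else None


# Constructed proxy-log lines: "<time> <client> <method> <url> <status>".
# Lines 2-4 replay the download chain from the post; line 6 is a constructed
# host that only matches through the subdomain pattern.
SAMPLE_LOG = [
    "2009-11-17T10:02:11Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2009-11-17T10:02:14Z 10.0.0.5 GET http://193.104.27.91/limpopo/bb.php?id=636608811&v=200&tm=2&b=4316315581 200",
    "2009-11-17T10:02:20Z 10.0.0.5 GET http://promed-net.com/css/abs.exe 200",
    "2009-11-17T10:02:31Z 10.0.0.5 GET http://231307d91138.bauhath.com/get.php?c=QPTUDBSV&d= 200",
    "2009-11-17T10:03:02Z 10.0.0.7 GET http://news.example.org/ 200",
    "2009-11-17T10:03:10Z 10.0.0.5 GET http://123456d9abcd.lantzel.com/ 200",
]


def scan_proxy_log(lines):
    """Return a list of (line_number, kind, indicator) for requests to listed infrastructure."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        host = urlsplit(fields[3]).hostname
        if not host:
            continue
        verdict = classify_ip(host) or classify_host(host)
        if verdict:
            hits.append((number, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for number, kind, indicator in scan_proxy_log(SAMPLE_LOG):
        print(f"line {number}: {kind} hit on {indicator}")
```

The subdomain regex is checked before the plain domain match so that a hit on a freshly generated phone-back host is reported as such rather than as a generic request to the parent domain; the parked domains themselves and anything beneath them are still flagged by the second check.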

Related posts:
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.