The botnet masters have introduced several new name servers -- domain suspension is pending -- but continue using the same IP embedded on all the pages, for serving the client-side exploits, with a slight change in the directory structure.
- Sample subject: Facebook Update Tool
- Sample body: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"
- Sample URL: facebook.com.ddeassrq .vc/usr/LoginFacebook.php?ref
- Detection rates for scripts/crimeware/exploits: File.exe (phones back to the currently down nekovo .ru/cbd/nekovo.bri); IE.js; IE2.js; nowTrue.swf; pdf.pdf
- Sample iFrame exploitation structure: 109.95.114 .251/us01d/in.php
- 109.95.114 .251/us01d/jquery.jxx
- 109.95.114 .251/us01d/xd/pdf.pdf
- 109.95.114 .251/us01d/load.php
- 109.95.114 .251/us01d/file.exe
- Sample typosquatted and currently active domains: ddeasaeq .vc - Email: mspspaceki@mad.scientist.com
ddeasuqq .vc - Email: mspspaceki@mad.scientist.com
ddeassrq .vc - Email: mspspaceki@mad.scientist.com
ddeasutq .vc - Email: mspspaceki@mad.scientist.com
ddeasauq .vc - Email: mspspaceki@mad.scientist.com
ddeasqwq .vc - Email: mspspaceki@mad.scientist.com
ddeasqyq .vc - Email: mspspaceki@mad.scientist.com
reeesassf .la - Email: palatalizefxt@popstar.com
ukgedsa.com .hn - Email: zmamarc689@witty.com
ukgedsc.com .vc - Email: zmamarc689@witty.com
ukgedse.com .hn - Email: zmamarc689@witty.com
ukgedsg.com .vc - Email: zmamarc689@witty.com
ukgedsh.com .vc - Email: zmamarc689@witty.com
ukgedsi .hn - Email: zmamarc689@witty.com
ukgedsq.com .hn - Email: zmamarc689@witty.comukgedsr.com .sc - Email: zmamarc689@witty.com
ukgedst.com .sc - Email: zmamarc689@witty.com
ukgedsu.com .vc - Email: zmamarc689@witty.com
ukgedsv.com .vc - Email: zmamarc689@witty.com
ukgedsy.com .vc - Email: zmamarc689@witty.com
- Name servers of notice:
ns1.availname .net - 204.12.229.89 - Email: Larimore@yahoo.com
ns1.sorbauto .com - 204.12.229.89 - Email: xtrai@email.com
ns1.worldkinofest .com - Email: tolosa1965@snail-mail.net
ns1.pdsproperties .net - 92.84.23.138 - Email: PDSProperties@yahoo.com
ns1.drinckclub .com - 94.23.177.147 - Email: excins@iname.com
ns1.transsubmit .net - 94.23.177.147 - Email: Alaniz@gmail.com
ns1.theautocompany .net - suspended
ns1.24stophours .com - suspended
ns1.disksilver .net - suspended
Thankfully, quality assurance is not taken into consideration in this campaign - the iFrame's IP is already heavily blacklisted, and the crimeware sample itself attempts to phone back to a C&C that has been down for several days.
The gang's activities will be updated as they happen.
Related posts:
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog.
No comments:
Post a Comment