Friday, January 08, 2010

Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware


UPDATED: Sunday, January 10, 2010 - The post has been updated with the latest domains spammed within the past 24 hours.

UPDATED: Saturday, January 09, 2010 - The post has been updated with the latest domains spammed within the past 24 hours. The spam campaign is ongoing.

A currently ongoing spam campaign is using the "Your default mailbox settings have changed" theme in an attempt to trick gullible users into executing Trojan-Spy.Win32.Zbot (settings-file.exe).

Sample message:
"The default settings of your mailbox were automatically changed. Please download and launch a file with a new set of settings for your e-mail account:fx-settings-file.exe.

We constantly work on the quality level of our service, as well as on the development of its security and protection. During the last upgrade several essential improvements were adopted, such as new ports for the POP3 & SMTP protocols, plus the SMTP autentification. The new settings are necessary for those who use the mailings clients (for ex. Microsoft Outlook, The Bat!, Mozilla Thunderbird etc.) or those who use our service via the web-interface."

Sample campaign structure: molendf.co .kr/owa/service_directory/settings.php?email=fx@yahoo.com&from=yahoo.com&fromname=fx
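A detection a defender could run over web-proxy logs for this campaign's landing-URL shape (the settings.php path carrying email/from/fromname tracking parameters) and its payload file names, added here as an example that is not from the original post; the log lines and their field layout are constructed, and only the path, parameter names and file names come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Landing path, tracking parameters and payload names are those shown in the post;
# the proxy log lines below are constructed: "<timestamp> <client> <method> <url> <status>"
LURE_PATH = "/owa/service_directory/settings.php"
LURE_PARAMS = {"email", "from", "fromname"}
LURE_BINARIES = {"settings-file.exe", "fx-settings-file.exe"}
SAMPLE_LOG = """\
2010-01-08T10:02:11Z 10.0.0.15 GET http://molendf.co.kr/owa/service_directory/settings.php?email=fx@yahoo.com&from=yahoo.com&fromname=fx 200
2010-01-08T10:02:14Z 10.0.0.15 GET http://molendf.co.kr/owa/service_directory/fx-settings-file.exe 200
2010-01-08T10:05:40Z 10.0.0.22 GET http://mail.example.internal/owa/ 200
2010-01-08T10:07:02Z 10.0.0.31 GET http://example.org/settings.php?email=a@b.org 404
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(url):
    """Return a reason string when the URL matches the lure pattern, else None."""
    parts = urlsplit(url)
    path = parts.path.lower()
    if path.endswith(LURE_PATH) and LURE_PARAMS <= set(parse_qs(parts.query)):
        return "owa-lure-landing"
    if path.rsplit("/", 1)[-1] in LURE_BINARIES:
        return "owa-lure-payload"
    return None

def victim_from_query(url):
    """Recover the tracked recipient; fromname/from should equal the local part/domain of email."""
    qs = parse_qs(urlsplit(url).query)
    email = qs.get("email", [""])[0]
    local, _, domain = email.partition("@")
    consistent = (qs.get("fromname", [""])[0] == local
                  and qs.get("from", [""])[0] == domain)
    return {"email": email, "consistent": consistent}

def scan_log(text):
    """Return one hit per matching request, with the victim identity attached."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        reason = classify(url)
        if reason:
            hit = {"time": ts, "client": client, "host": urlsplit(url).hostname, "reason": reason}
            if reason == "owa-lure-landing":
                hit.update(victim_from_query(url))
            hits.append(hit)
    return hits
```

A landing hit followed by a payload hit from the same client is the sequence worth escalating; the recovered e-mail tells you which mailbox the lure was addressed to.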

Fast-fluxed seed IPs:

DNS servers of notice:

Hundreds of typosquatted subdomains reside within the following currently active domains:

Seen within the past 24 hours, now offline domains part of the campaign:

Upon execution the sample phones back to nekovo .ru, already blacklisted by the Zeus Tracker:
nekovo .ru/cbd/nekovo.bri; nekovo .ru/ip.php - 109.95.114.70 - Email: kievsk@yandex.ru - AS50215 - Troyak-as Starchenko Roman Fedorovich.

Related Zeus crimeware name servers respond to the same IP:
- ns1.trust-service .cn - (domain itself responds to 193.104.41.133) - Email: olezhiosapiel@yahoo.es
- ns1.elnasa .ru - (domain itself responds to 91.200.164.12) - Email: kievsk@yandex.ru
- ns1.recessa .ru - (domain itself responds to 193.104.41.69) - Email: kievsk@yandex.ru
- ns1.stomaid .ru - (domain itself responds to 91.200.164.10) - Email: kievsk@yandex.ru

Parked within the same AS are also the following currently active Zeus crimeware serving domains:
web-information-services .com - 91.198.109.69 - Email: pita@bigmailbox.ru
erthjuyt44u .com - 91.198.109.19 - Email: rails@qx8.ru
excellenthostingservice .com - 91.198.109.48 - Email: xm@qx8.ru
goldhostingservice .com - 91.198.109.32 - Email: clod@qx8.ru
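The pivots used above (a shared name-server IP, a shared registrant e-mail, and the weaker "same AS" link) applied mechanically to a set of records, added here as an example that is not from the post; the kievsk@yandex.ru, 109.95.114.70 and AS50215 values come from the post, while the *.example hosts and their attributes are constructed placeholders for unrelated infrastructure.

```python
from collections import defaultdict

# Constructed pivot records modelled on the post: each is a name server or domain,
# the address it resolves to, its registrant e-mail and its AS. Values for the
# .ru/.cn names are from the post; the *.example entries are placeholders.
RECORDS = [
    {"name": "nekovo.ru", "ip": "109.95.114.70", "email": "kievsk@yandex.ru", "asn": "AS50215"},
    {"name": "ns1.elnasa.ru", "ip": "109.95.114.70", "email": "kievsk@yandex.ru", "asn": "AS50215"},
    {"name": "ns1.stomaid.ru", "ip": "109.95.114.70", "email": "kievsk@yandex.ru", "asn": "AS50215"},
    {"name": "ns1.trust-service.cn", "ip": "109.95.114.70", "email": "olezhiosapiel@yahoo.es", "asn": "AS50215"},
    {"name": "tenant.example", "ip": "203.0.113.5", "email": "noc@example.net", "asn": "AS50215"},
    {"name": "ns1.other.example", "ip": "198.51.100.9", "email": "noc@example.net", "asn": "AS64496"},
]

def cluster(records, keys=("email", "ip")):
    """Union-find over records: two records land in the same cluster when they
    share a value for any pivot key. Returns name lists, largest cluster first.
    Adding "asn" to keys reproduces the post's looser same-AS neighbourhood view."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving keeps the tree shallow
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index record positions by (key, value); all records sharing a value are unioned.
    seen = defaultdict(list)
    for idx, rec in enumerate(records):
        for key in keys:
            seen[(key, rec[key])].append(idx)
    for members in seen.values():
        for other in members[1:]:
            union(members[0], other)

    groups = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[find(idx)].append(rec["name"])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)
```

With the strong pivots only, the shared-IP link pulls ns1.trust-service.cn into the kievsk@yandex.ru cluster while the placeholder tenant in the same AS stays apart; adding "asn" merges everything, which is why the post treats the AS as a neighbourhood rather than as attribution.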

Pretty much your typical cybercrime-friendly virtual neighborhood.

Related posts:
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.