Wednesday, February 03, 2010

PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild


Pushdo/Cutwail's customers, or perhaps the botnet masters themselves, continue rotating their malware campaigns. The very latest one uses a "Photo Archive #2070735" theme and continues to serve client-side exploits hosted within crimeware-friendly networks that it's time we profile and expose.
Photo Archives Hosting describes itself as:
"Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content. All archives and links are provided by 3rd parties. We have no control over the content of these pages. We take no responsibility for the content on any website which we link to, please use your own discretion while surfing the links. © 2007-2009, Photos Archives Hosting Group, Inc.- ALL RIGHTS RESERVED."

- Sample URL: photoshock.MalwareDomain/id1073bv/get.php?email=
- Sample iFrame from this week's campaign: 109.95.115.36 /usasp22/in.php 
- Sample iFrame from last week: 109.95.114 .251 /us01d/; 109.95.115.36 /usasp/in.php 
- Sample iFrame used two weeks ago: 109.95.114 .251/uks1/in.php
- Detection rate: PhotoArchive.exe (Trojan-Spy.Win32.Zbot); dropped file.exe (Trojan-Spy.Win32.Zbot)

Upon execution, it drops C:\WINDOWS\system32\sdra64.exe and C:\WINDOWS\system32\lowsec\user.ds.lll, and phones back to the Zeus crimeware-serving domain horosta .ru (horosta .ru/cbd/nekovo.bri; horosta .ru/ip.php), resolving to 109.95.115.19 (Email: bernardo_pr@inbox.ru).

Who's offering the hosting infrastructure for the actual domains/malware binaries and nameservers?
- AS50215 (TROYAK-AS Starchenko Roman Fedorovich) - profiled here
- 109.95.112.0/22 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich
- 193.104.41.0/24 - AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich
- 91.200.164.0/22 - AS47560 - VESTEH-NET-as Vesteh LLC
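The indicators and netblocks listed above can be turned straight into a defensive triage check. The following is an added example, not code from the original post: it refangs the post's space-defanged indicators, matches proxy log URLs against the known hosts first (the post shows the iFrame paths rotating weekly on the same IP, so host-level matching is what survives the rotation), then falls back to the three hosting netblocks. The log format and the log lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied verbatim from the post above, still in its space-defanged form.
DEFANGED_INDICATORS = [
    "109.95.115.36 /usasp22/in.php", "109.95.114 .251 /us01d/",
    "109.95.115.36 /usasp/in.php", "109.95.114 .251/uks1/in.php",
    "horosta .ru/cbd/nekovo.bri", "horosta .ru/ip.php", "109.95.115.19",
]
SUSPECT_NETBLOCKS = [ipaddress.ip_network(n) for n in (  # netblocks named in the post
    "109.95.112.0/22", "193.104.41.0/24", "91.200.164.0/22")]

def refang(indicator):
    """Strip the defanging whitespace and split into (host, path); path may be ''."""
    joined = re.sub(r"\s+", "", indicator)  # "109.95.114 .251 /us01d/" -> "109.95.114.251/us01d/"
    host, slash, rest = joined.partition("/")
    return host.lower(), slash + rest

KNOWN_HOSTS = {refang(i)[0] for i in DEFANGED_INDICATORS}

def in_suspect_netblock(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname rather than an IP literal
        return False
    return any(ip in net for net in SUSPECT_NETBLOCKS)

def classify_url(url):
    # Match on the host first: the post shows paths rotating weekly on the same IP.
    host = (urlsplit(url).hostname or "").lower()
    if host in KNOWN_HOSTS:
        return "known-indicator"
    return "suspect-netblock" if in_suspect_netblock(host) else "clean"

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2010-02-03T10:12:01 10.0.0.7 GET http://109.95.115.36/usasp22/in.php 200
2010-02-03T10:12:03 10.0.0.7 GET http://horosta.ru/ip.php 200
2010-02-03T10:14:20 10.0.0.9 GET http://193.104.41.5/x/ 404
2010-02-03T10:15:00 10.0.0.9 GET http://www.example.com/ 200
"""
LOG_RE = re.compile(r"^\S+ (\S+) (?:GET|POST) (\S+) \d+$")

def triage(log_text):
    """Return (client, url, verdict) for every parsable log line that is not clean."""
    rows = [(m[1], m[2], classify_url(m[2]))
            for m in map(LOG_RE.match, log_text.splitlines()) if m]
    return [r for r in rows if r[2] != "clean"]
```

A netblock hit is a lead, not a verdict: the /22 and /24 ranges carry other customers, so confirm against the full URL and the host's behaviour before blocking.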

What's worth pointing out is that "TROYAK-AS Starchenko Roman Fedorovich" positions itself as an "Ethernet, home, LAN, net, provider, ISP, Homenet" provider at ctlan.net, just like the "Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot" and "GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime" before it.

All of the involved domains have already been blacklisted by the Zeus Tracker. However, with the campaigners at large, what's TROYAK-AS today will be yet another cybercrime-friendly AS tomorrow.

Related posts:
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.