UPDATED: Friday, March 26, 2010: In a typical multi-tasking fashion like the one we've seen in previous campaigns, more typosquatted domains are being introduced, this time using the well known IRS Fraud Application theme. What's worth pointing out is that, just like the "Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild" campaign from last week, the current one is also launched on Friday.
The reason? A pointless attempt by the gang to increase the lifecycle of the campaign.
- Client-side exploits serving iFrame URL: klgs.trfafsegh.com /index.php
- Sample detection rate: tax-statement.exe - Trojan-Spy.Win32.Zbot - Result: 29/42 (69.05%), phones back to shopinfmaster .com/cnf/shopinf.jpg
Name server of notice:
ns1.globalistory.net - 126.96.36.199 - Email: email@example.com
One of TROYAK-AS's most aggressive customers (used to host their Zeus C&Cs there) for Q1, 2010, is once again (latest campaign is from March 12th 2010 - Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild) attempting to build a crimeware botnet, by spamvertising the well known PhotoArchive theme, in between serving client-side exploits using an embedded iFrame on the domains in question.
In terms of quality assurance, the campaign is continuing to use it's proven campaign structure. The actual pages are hosting a binary for manual download, in between the iFrame which would inevitably drop the Zeus crimeware.
Just like in previous campaigns, the gang continues to exclusively registering its domains using the ALANTRON BLTD. domain registrar. Let's dissect the ongoing campaign's structure, and expose the domains, and ASs participating in it.
Sample URL/subdomain structure:
Sample message: "Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content. All archives and links are provided by 3rd parties. We have no control over the content of these pages. We take no responsibility for the content on any website which we link to, please use your own discretion while surfing the links. © 2007-2009, Photos Archives Hosting Group, Inc.- ALL RIGHTS RESERVED."
Sample iFrames embedded on the pages include: cogs.trfafsegh.com /index.php - 188.8.131.52 - Email: firstname.lastname@example.org; klgs.trfafsegh.com /index.php
Sample iFrame campaign structure:
- cogs.trfafsegh.com /index.php
- cogs.trfafsegh.com /l.php
- cogs.trfafsegh.com /statistics.php
- klgs.trfafsegh.com /index.php
- klgs.trfafsegh.com /l.php
- klgs.trfafsegh.com /statistics.php
Parked on the same IP where the iFrame domain is are also the following Zeus C&Cs - dogfoog.net - Email: email@example.com; countrtds.ru - Email: firstname.lastname@example.org - AS4134 (CHINANET-BACKBONE No.31,Jin-rong Street)
Detection rates: zeus.js - Trojan.JS.Agent.bik - 1/41 (2.44%) serving update.exe - PWS:Win32/Zbot.gen!R - Result: 17/42 (40.48%), PhotoArchive.exe - Trojan.Zbot - Result: 18/41 (43.91%). The client-side exploitation is relying on the Phoenix Exploit's Kit.
Samples phone back to: shopinfmaster.com /cnf/shopinf.jpg - 184.108.40.206; 220.127.116.11; 18.104.22.168; 22.214.171.124; 126.96.36.199;188.8.131.52 - Email: Duran@example.com shopinfmaster.com /shopinf/gate.php
Relying on the ns1.starwarfan.net name server, which is also connected to other Zeus crimeware C&Cs which also respond the same IPs - smotri123.com - Email: email@example.com domainsupp.net - Email: ErnestJBooth@example.com
Active and fast-fluxed subdomains+domains participating in the campaign:
pasweokz.com - Email: firstname.lastname@example.org
pasweq.co.kr - Email: email@example.com
Name servers currently in use were also seen in February, 2010 (IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild)
ns1.addressway.net - 184.108.40.206 - Email: firstname.lastname@example.org
ns1.skc-realty.com - 220.127.116.11 - Email: email@example.com
Updates will be posted as soon as new developments emerge. Consider going through the related posts, to catch up with the gang's activities for Q1, 2010.
Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild
TROYAK-AS: the cybercrime-friendly ISP that just won’t go away
AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Keeping Money Mule Recruiters on a Short Leash - Part Two
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.