Wednesday, April 14, 2010

iPhone Unlocking Themed Malware Campaign Spamvertised

UPDATED: Sunday, April 18, 2010: The folks at EmergingThreats pinged me on the fact that immediately after the brief assessment went public, the cybercriminals moved to (SoftLayer Technologies Inc.) Currently responding to the same IP are also the following domains known to have been connected with previous malware campaigns - - Email:;, and

Researchers from BitDefender are reporting on a currently spamvertised malware campaign, using a "Unlock, Jailbrake and "hack"tivate iPhone 3.1.3" theme.

The spamvertised domain - - Email:, entices the end user into downloading the malware from - - Email:

Detection rate: blackra1n.exe - Trojan.BAT.AACL - Result: 10/40 (25%), with the malware itself attempting to change the default DNS settings on the infected hosts to the following IP - (, AS39443, HOTNET-AS SC Hot Net SRL Baia de Aries, Nr 3, Bl 5B, Sc A, Ap 39, Bucuresti, 6.

- Creates the following registry entry in an attempt to change default DNS settings:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" =

- Creates Process - Filename () CommandLine: 
(C:\WINDOWS\system32\NETSH.EXE: interface ip set dns "Local Area Connection" static As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE CREATE_SUSPENDED) interface ip set dns "wireles network connection" static As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE CREATE_SUSPENDED)
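The two artefacts above (a per-interface NameServer write and a netsh "set dns ... static" process) are the detection points for this family. The following is an added example, not code from the post: it runs a simple allowlist check over constructed registry and process-creation events modelled on the trace, with 203.0.113.10 standing in as a placeholder for the elided rogue resolver and the allowed resolvers being assumed sample values.

```python
import re

# Resolvers an endpoint is expected to use (constructed sample values).
ALLOWED_DNS = {"10.0.0.53", "10.0.1.53"}

# Per-interface NameServer key the sample writes: ...\Tcpip\Parameters\Interfaces\{GUID}
_IFACE_KEY = re.compile(
    r"\\Services\\Tcpip\\Parameters\\Interfaces\\\{[0-9A-Fa-f-]{36}\}$", re.IGNORECASE)

# netsh form seen in the trace: interface ip set dns "<connection name>" static <ip>
_NETSH_DNS = re.compile(
    r"interface\s+ip\s+set\s+dns\s+\"?([^\"]+?)\"?\s+static\s+(\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE)


def dns_change_alerts(events, allowed=ALLOWED_DNS):
    """Return one alert tuple per event that points an interface at a resolver
    outside the allowlist. Registry events carry key/value/data; process events
    carry image/cmdline (the shape a Sysmon-style collector would produce)."""
    alerts = []
    for ev in events:
        if ev["type"] == "registry":
            if ev.get("value", "").lower() == "nameserver" and _IFACE_KEY.search(ev["key"]):
                servers = [s for s in re.split(r"[,\s]+", ev["data"]) if s]
                bad = [s for s in servers if s not in allowed]
                if bad:
                    alerts.append(("registry", ev["key"], bad))
        elif ev["type"] == "process" and ev["image"].lower().endswith("netsh.exe"):
            m = _NETSH_DNS.search(ev["cmdline"])
            if m and m.group(2) not in allowed:
                alerts.append(("netsh", m.group(1), [m.group(2)]))
    return alerts


# Constructed events modelled on the sandbox trace in the post; the IP is a placeholder.
SAMPLE_EVENTS = [
    {"type": "registry",
     "key": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F}",
     "value": "NameServer", "data": "203.0.113.10"},
    {"type": "process", "image": r"C:\WINDOWS\system32\NETSH.EXE",
     "cmdline": 'interface ip set dns "Local Area Connection" static 203.0.113.10'},
    # Same command pointing at an allowed resolver: must not alert.
    {"type": "process", "image": r"C:\WINDOWS\system32\NETSH.EXE",
     "cmdline": 'interface ip set dns "wireles network connection" static 10.0.0.53'},
]

if __name__ == "__main__":
    for alert in dns_change_alerts(SAMPLE_EVENTS):
        print(alert)
```

Both the registry write and the netsh launch fire independently, so the rule still catches a variant that uses only one of the two methods.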

From Romania, with DNS changing malware. 

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.