Thursday, May 13, 2010
What do the recently spamvertised "Thank you for buying iTunes Gift Certificate!" and the "Look at my CV!" themed malware campaigns have in common?
It's the fact that they've been launched by the same individual/gang. What's particularly interesting about the campaign is that it relies on a currently compromised web server with a publicly accessible PHP based backdoor. The exact same approach is used by the Koobface gang on a large scale, in order to efficiently control the compromised sites involved in their Facebook spreading campaigns.
Moreover, upon successful infection the campaign is not just pushing scareware: evidence based on the binaries found within the directory indicates that a ZeuS crimeware binary has been in circulation for a while. Let's dissect the campaign, and establish the obvious connection.
Detection rates, phone back locations
- iTunes_certificate_497.exe - TrojanDropper:Win32/Oficla.G - Result: 39/41 (95.12%)
Upon execution phones back to:
- davidopolko.ru/migel/bb.php?v=200&id=554905388&b=6may&tm=3
- jaazle.com/wp-includes/js/tinymce/themes/advanced/psihi.exe
- phishi.exe - Gen:Trojan.Heur.TP.bmX@bins2Eb; Backdoor.Win32.Protector.ao - Result: 24/41 (58.54%) ultimately dropping scareware on the infected host.
Both campaigns are related, since they use the same command and control server, which is periodically updated with new URLs consisting of compromised sites. The detection rates and phone back locations for the second campaign are as follows:
- My_Resume_218.exe - W32/Oficla.O; Gen:Variant.Bredo.4 - Result: 17/41 (41.46%)
Upon execution, the sample phones back to the following URLs, in an attempt to drop the related binaries:
- davidopolko.ru/migel/bb.php?v=200&id=636608811&b=12may&tm=2 - 126.96.36.199 - Email: firstname.lastname@example.org
- topcarmitsubishi.com.br/_vti_bin/_vti_adm/psi.exe - 188.8.131.52
- davidopolko.ru/psi.exe; davidopolko.ru/setupse2010.exe
topcarmitsubishi.com.br appears to be a compromised site with an open directory, which made it easy to obtain the rest of the binaries used by the same gang/individual.
Detection rates for the binaries within the open directory, including the dropped scareware:
- psi.exe - TrojanDownloader:Win32/Cutwail.gen!C; Backdoor.Win32.Protector.at - Result: 17/41 (41.47%)
- sofgold.exe - Trojan.Fakealert.14822; W32/Junkcomp.A - Result: 15/41 (36.59%)
- sp.exe - PWS:Win32/Zbot.gen!R; a variant of Win32/Kryptik.EGZ - Result: 5/41 (12.2%)
- ustest.exe - Net-Worm.Win32.Kolab - Result: 4/41 (9.76%)
- firewall.dll - Trojan:Win32/Fakeinit; Win32/TrojanDownloader.FakeAlert.ASI - Result: 20/40 (50%)
- SetupSE2010.exe - W32/FakeAV.AM!genr; CoreGuardAntivirus2009 - Result: 29/41 (70.74%)
Phone back locations, C&Cs of the 4 samples:
mystaticdatas.ru/base1/ess.cfg - 184.108.40.206, AS48984, VLAF-AS Vlaf Processing Ltd - Email: email@example.com - same email has been profiled before
get-money-now.net/loads.php?code=000000000048170 - 220.127.116.11, AS6851, BKCNET "SIA" IZZI - Email: firstname.lastname@example.org
mamapapalol.com/cgi-bin/get.pl?l=000000000048170 - 18.104.22.168, AS33837, PRQ-AS - Email: email@example.com
SGTSRX.jackpotmsk.ru - FAST FLUX - Email: firstname.lastname@example.org
JETIHB.piterfm1.ru - FAST FLUX - Email: email@example.com
UDUMOM.bingoforus.ru - FAST FLUX - Email: firstname.lastname@example.org
ZMOWOE.rusradio1.ru - FAST FLUX - Email: email@example.com
funnylive2010.ru - domain part of the fast flux infrastructure - Email: firstname.lastname@example.org
wapdodoit.ru - domain part of the fast flux infrastructure - Email: email@example.com
Related domains parked on 22.214.171.124 (mamapapalol.com/cgi-bin/get.pl?l=000000000048170):
buy-is2010.com - Email: firstname.lastname@example.org
buy-security-essentials.com - Email: email@example.com
for-sunny-se.com - Email: firstname.lastname@example.org
for-sunny-smile.com - Email: email@example.com
mega-scan-pc-new14.com - Email: firstname.lastname@example.org
red-xxx-tube.net - Email: email@example.com
sunny-money1.com - Email: firstname.lastname@example.org
winter-smile.com - Email: email@example.com
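As an added example (not part of the original post, and not the gang's or any vendor's code), here is a small Python scanner that turns the indicators listed above into a proxy-log check: it flags requests to the C&C, payload-hosting, fast flux and parked domains named in this post, recognises the Oficla `bb.php?v=...&id=...&b=...&tm=...` beacon shape regardless of host, and notes `.exe` fetches from those domains. The log lines it runs over are constructed for the example; the field layout (timestamp, client IP, method, URL, status) and the function names are assumptions, not a real product's format.

```python
from urllib.parse import urlsplit, parse_qs

# Domains taken from the indicators listed in this post (C&C, payload
# hosts, fast flux names and the domains parked on the same IP).
IOC_DOMAINS = {
    "davidopolko.ru", "jaazle.com", "topcarmitsubishi.com.br",
    "mystaticdatas.ru", "get-money-now.net", "mamapapalol.com",
    "jackpotmsk.ru", "piterfm1.ru", "bingoforus.ru", "rusradio1.ru",
    "funnylive2010.ru", "wapdodoit.ru",
    "buy-is2010.com", "buy-security-essentials.com", "for-sunny-se.com",
    "for-sunny-smile.com", "mega-scan-pc-new14.com", "red-xxx-tube.net",
    "sunny-money1.com", "winter-smile.com",
}

# Constructed sample proxy log: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = [
    "2010-05-13T09:12:01 10.0.0.25 GET http://davidopolko.ru/migel/bb.php?v=200&id=636608811&b=12may&tm=2 200",
    "2010-05-13T09:12:03 10.0.0.25 GET http://topcarmitsubishi.com.br/_vti_bin/_vti_adm/psi.exe 200",
    "2010-05-13T09:12:09 10.0.0.25 GET http://sgtsrx.jackpotmsk.ru/ 200",
    "2010-05-13T09:13:00 10.0.0.31 GET http://www.example.com/index.html 200",
    "2010-05-13T09:13:05 10.0.0.31 GET http://example.org/notbb.php?v=200&id=1&tm=2 200",
]


def host_matches(host):
    """True if host is an IOC domain or a subdomain of one (catches the
    rotating fast flux labels such as SGTSRX.jackpotmsk.ru)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify_url(url):
    """Return a list of human-readable reasons why this URL is suspicious,
    or an empty list if nothing in it matches the post's indicators."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    reasons = []

    # Oficla check-in: /bb.php carrying v, id and tm parameters. Matched on
    # shape rather than host so a new compromised C&C host is still caught.
    if parts.path.endswith("/bb.php") and {"v", "id", "tm"}.issubset(query):
        reasons.append("oficla-beacon id=%s b=%s"
                       % (query["id"][0], query.get("b", ["?"])[0]))

    if host_matches(host):
        reasons.append("ioc-domain " + host)
        # Second-stage download from one of the listed hosts (psi.exe, etc.).
        if parts.path.lower().endswith(".exe"):
            reasons.append("payload-fetch " + parts.path.rsplit("/", 1)[-1])

    return reasons


def scan_proxy_log(lines):
    """Run classify_url over each log line; return one record per hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash
        ts, client, _method, url, _status = fields[:5]
        reasons = classify_url(url)
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], "; ".join(hit["reasons"]))
```

The beacon rule deliberately keys on the `bb.php` path and parameter set rather than on `davidopolko.ru`, because the post notes the C&C is periodically moved onto newly compromised sites; the domain list then covers the hosts already known. Both rules together give three hits for the constructed log, all from the same client, which is the sequence (check-in, payload fetch, fast flux contact) an infected host would produce.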
Updates will be posted as soon as they switch to a new theme or introduce new monetization tactics.
This post has been reproduced from Dancho Danchev's blog.
Posted by Dancho Danchev at Thursday, May 13, 2010