Tuesday, May 04, 2010

U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise

UPDATED: Saturday, May 08, 2010: 5 new domains have been introduced by the same gang, once again parked at 217.23.14.14, AS49981, WorldStream.

jumpsearches.com - 217.23.14.14 - Email: alex1978a@bigmir.net
ingeniosearch.net - 217.23.14.14 - Email: alex1978a@bigmir.net
searchnations.com - 217.23.14.14 - Email: alex1978a@bigmir.net
mainssearch.com - 217.23.14.14 - Email: alex1978a@bigmir.net
bigsearchinc.com - 217.23.14.14 - Email: alex1978a@bigmir.net

Sample exploitation structure:
- jumpsearches.com/bing.com /load.php?spl=mdac
    - jumpsearches.com/bing.com /error.js.php
        - jumpsearches.com/bing.com /pdf.php
            - jumpsearches.com/bing.com /?spl=2&br=MSIE&vers=7.0&s=
                - jumpsearches.com/bing.com /load.php?spl=pdf_2030
                    - jumpsearches.com/bing.com /load.php?spl=MS09-002

UPDATED: Thursday, May 06, 2010: Over the past 24 hours the cybercriminals behind this ongoing campaign have continued introducing new domains, all of which are currently in a cover-up phase, pointing to 127.0.0.1. What's particularly interesting is that all of them reside within AS49981, WorldStream = Transit Imports = -CAIW-, Netherlands.

- twcorps.com/tv/ - 217.23.14.15 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- jobsatdoor.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- oficla.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- organization-b.com/mail/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- dilingdiling.com/router/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey

All the samples phone back to mazcostrol.com/inst.php?aid=blackout, which has moved from the previously known IP 188.124.16.134 and now responds to 95.143.193.61, AS49770, SERVERCONNECT-AS ServerConnect Sweden AB.

mazcostrol.com is not just a phone back location. It's also actively serving client-side exploits. Sample update obtained from the same domain:
- update4303.exe - Trojan.Win32.VBKrypt - Result: 5/41 (12.2%)

Not surprisingly, AS44565 and AS49770, where mazcostrol.com was hosted, are also home to currently active ZeuS crimeware C&Cs.

AS49770 (SERVERCONNECT-AS ServerConnect Sweden AB)
brunongino.com
slavenkad.com
frondircass.cn
pradsuyz.cn


AS44565 (VITAL VITAL TEKNOLOJI)
spacebuxer.com
odboe.info
212.252.32.69
jokersimson.net
whoismak.net
188.124.7.247
www.bumagajet.net
barmatuxa.info
barmatuxa.net


UPDATED: A researcher just pinged me with details on something that I should be flattered with. Apparently grepad.com /in.cgi?4 redirects to 217.23.14.14 /in_t.php which then redirects to my Blogger profile.

In fact, 217.23.14.14, the IP of the client-side exploit serving domains, also redirects there, with the actual campaign in a cover-up phase and the original domain now responding to 127.0.0.1.

Let's see for how long, until then, The Beatles - You Know My Name seems to be the appropriate music choice.


AVG and PandaLabs are reporting that the web sites of the U.S. Bureau of Engraving and Printing (bep.treas.gov; moneyfactory.gov) are serving client-side vulnerabilities that ultimately expose the visitor to scareware (The Ultimate Guide to Scareware Protection).

What's particularly interesting about this campaign is that it's part of last month's NetworkSolutions mass WordPress blogs compromise: not only is the iFrame-d domain registered using the same email as the client-side exploit serving domains from the NetworkSolutions campaign (alex1978a@bigmir.net), but the dropped scareware's phone back location (mazcostrol.com/inst.php?aid=blackout - 188.124.16.134 - Email: alex1978a@bigmir.net) is identical to the one used in that campaign, including the affiliate ID used by the original cybercriminal.

The client-side exploit serving domain used in the U.S. Treasury site compromise has also been reported by a large number of NetworkSolutions customers in the most recent campaign affecting WordPress blogs.

The exploit-serving structure, including the detection rates for the dropped scareware and the exploits used in the U.S. Treasury compromise campaign, is as follows:

- grepad.com /in.cgi?3 - 188.124.16.133, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net
    - thejustb.com /just/ - 217.23.14.14 (dyndon.com), AS49981 - Email: alex1978a@bigmir.net
        - thejustb.com /just/pdf.php
            - thejustb.com /just/1.pdf
                - thejustb.com /just/load.php?spl=javas
                    - thejustb.com /just/j1_893d.jar
                        - thejustb.com /just/j2_079.jar

- 1.pdf - Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44%)
- j1_893d.jar - Trojan-Downloader:Java/Agent.DJDN - Result: 5/41 (12.20%)
- j2_079.jar - EXP/Java.CVE-2009-3867.C.2; Exploit.Java.Agent.a - Result: 9/41 (21.96%)
- grepad.exe - Trojan.Generic.KD.10339; a variant of Win32/Injector.BNG - Result: 8/41 (19.51%)

Upon successful exploitation, the dropped grepad.exe phones back to mazcostrol.com/inst.php?aid=blackout - 188.124.16.134, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net, the same phone back location used in the NetworkSolutions mass compromise campaign.

Known MD5s used by the same campaigner in previous campaigns, phoning back to the same domain and identical affiliate ID:
MD5=4734162bb33eff7af7e18243821b397e
MD5=1c9ce1e5f4c2f3ec1791554a349bf456
MD5=d11d76c6ecf6a9a87dcd510294104a66
MD5=c33750c553e6d6bdc7dac6886f65b51d
MD5=74cdadfb15181a997b15083f033644d0
MD5=3c7d8cdc73197edd176167cd069878bd
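As an added defender-side example (not code from the original post), the Python script below matches web-proxy log lines against the redirector, exploit-serving and phone-back infrastructure listed in this post: the domains, IPs, URL shapes from the exploit chain, and the MD5s above. The log format ("timestamp client method url status bytes") and every log line in it are constructed for the example; the indicators themselves are the ones quoted in the post. The infection heuristic follows the post's own observation that grepad.exe phones back to mazcostrol.com only after successful exploitation, so a client that reached both exploit content and the phone-back URL is the strongest signal in the log.

```python
"""Scan web-proxy log lines for the redirector, exploit-serving and
phone-back infrastructure listed in this post (added example)."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the post: domain -> role in the chain.
DOMAIN_ROLES = {
    "grepad.com": "redirector",
    "thejustb.com": "exploit",
    "dyndon.com": "exploit",
    "jumpsearches.com": "exploit",
    "ingeniosearch.net": "exploit",
    "searchnations.com": "exploit",
    "mainssearch.com": "exploit",
    "bigsearchinc.com": "exploit",
    "twcorps.com": "exploit",
    "jobsatdoor.com": "exploit",
    "oficla.com": "exploit",
    "organization-b.com": "exploit",
    "dilingdiling.com": "exploit",
    "mazcostrol.com": "phone-back",
}
# IPs the post lists for the same infrastructure.
MALICIOUS_IPS = {"217.23.14.14", "217.23.14.15", "188.124.16.133",
                 "188.124.16.134", "95.143.193.61"}
# URL shapes quoted in the post's exploit chain and phone-back URL.
URL_PATTERNS = {
    "redirector": re.compile(r"/in\.cgi\?\d+$"),
    "exploit": re.compile(r"/(load\.php\?spl=\w+|pdf\.php)$"),
    "phone-back": re.compile(r"/inst\.php\?aid=blackout$"),
}
# MD5s the post attributes to the same campaigner.
KNOWN_MD5S = {
    "ebcfaa2f595ccea81176f6f125b31ac7",
    "4734162bb33eff7af7e18243821b397e",
    "1c9ce1e5f4c2f3ec1791554a349bf456",
    "d11d76c6ecf6a9a87dcd510294104a66",
    "c33750c553e6d6bdc7dac6886f65b51d",
    "74cdadfb15181a997b15083f033644d0",
    "3c7d8cdc73197edd176167cd069878bd",
}


def classify_url(url):
    """Return the set of roles a URL matches (empty set if nothing matched)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    roles = set()
    for domain, role in DOMAIN_ROLES.items():
        # exact host or any subdomain of a listed domain
        if host == domain or host.endswith("." + domain):
            roles.add(role)
    if host in MALICIOUS_IPS:
        roles.add("bad-ip")
    path = parts.path + ("?" + parts.query if parts.query else "")
    for role, pattern in URL_PATTERNS.items():
        if pattern.search(path):
            roles.add(role)
    return roles


def scan_proxy_log(lines):
    """Parse constructed 'timestamp client method url status bytes' lines
    and return (client, url, roles) for every line that matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash the scan
        client, url = fields[1], fields[3]
        roles = classify_url(url)
        if roles:
            hits.append((client, url, roles))
    return hits


def likely_infected(hits):
    """Clients that fetched exploit content AND reached the phone-back URL."""
    seen = {}
    for client, _url, roles in hits:
        seen.setdefault(client, set()).update(roles)
    return {c for c, r in seen.items() if "exploit" in r and "phone-back" in r}


def md5_is_known(data):
    """True if the MD5 of a dropped file matches one the post lists."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5S


# Constructed sample log reproducing the chain described in the post.
SAMPLE_LOG = [
    "2010-05-04T10:00:01Z 10.0.0.5 GET http://www.example.org/index.html 200 5120",
    "2010-05-04T10:00:02Z 10.0.0.5 GET http://grepad.com/in.cgi?3 302 0",
    "2010-05-04T10:00:03Z 10.0.0.5 GET http://thejustb.com/just/pdf.php 200 1284",
    "2010-05-04T10:00:04Z 10.0.0.5 GET http://thejustb.com/just/load.php?spl=javas 200 9041",
    "2010-05-04T10:00:09Z 10.0.0.5 GET http://mazcostrol.com/inst.php?aid=blackout 200 88",
    "2010-05-04T10:01:00Z 10.0.0.7 GET http://217.23.14.14/in_t.php 302 0",
    "2010-05-04T10:01:05Z 10.0.0.9 GET http://grepad.com/in.cgi?3 302 0",
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for client, url, roles in found:
        print(client, url, sorted(roles))
    print("likely infected:", sorted(likely_infected(found)))
```

On the constructed log, 10.0.0.5 walks the whole chain and is flagged as likely infected, while 10.0.0.9 only hit the grepad.com redirector and 10.0.0.7 only touched the 217.23.14.14 address, so they are reported as hits but not as infections; those clients still merit a look, since the same IP also redirected to the cover-up page described above.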

Attempting to interact with the campaign's directories often results in a "nice try, idiot." message. Lovely!

Related posts:
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.