Thursday, April 28, 2011

Spamvertised "Successfull Order 977132" Leads to Scareware

A currently ongoing spam campaign is impersonating Bobijou Inc. in order to serve malware.

Sample subject: "Successfull Order 977132"
Sample message: "Thank you for ordering from Bobijou Inc.This message is to inform you that your order has been received and is currently being processed.

Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and “Bobijou Inc.” will appear next to the charge on your statement.You will receive a separate email confirming your order has been despatched.Your purchase and delivery information appears below in attached file.

Thanks again for shopping at Bobijou Inc.
"
Sample attachments: Order_details.zip

Detection rates:
Order details.exe - Trojan.FakeAV - Result: 24/40 (60.0%)
MD5   : 7c810cbb47c9f937b5f663b51ab7ee50
SHA1  : b4faf8c724727381abb11c44b71605ff6e65cbbf
SHA256: 0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904

Upon execution, phones back to:
kkojjors.net/f/g.php - 95.64.9.15 - Email: admin@firtryt.biz
variantov.com/pusk.exe - 94.63.149.26 - Email: admin@variantov.com

Detection rate for the scareware variant pusk.exe:
pusk.exe - Suspicious.Cloud.5 - Result: 4/41 (9.8%)
MD5   : bbd466a67586003776e295eaf3d2976c
SHA1  : 6a8e1d84157c76b4c9238fc23d28686244f6650f
SHA256: ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05


Upon execution phones back to:
jyluzovunevu.com - 209.160.45.33 - Email: gray@fxmail.net
sesokiqufikeg.com - 209.160.45.34 - Email: gray@fxmail.net
qyqinisope.com - 64.46.38.207 - Email: gray@fxmail.net
hijocyragap.com - 64.46.38.81 - Email: robin@cutemail.org
puhigygapyhi.com - 64.46.38.81 - Email: gray@fxmail.net
zavewuzykubo.com - 64.46.38.80 - Email: robin@cutemail.org
fepigixypo.com - 64.46.38.29 - Email: pyre@cutemail.org
tozibapah.com - 76.73.16.182 - Email: lays@fxmail.net
qebinehuh.com - 76.73.14.182 - Email: lays@fxmail.net
gygipikalyn.com - 76.73.17.242 - Email: ss@cutemail.org
xygorinazecit.com - 76.73.17.70 - Email: ss@cutemail.org
walireqoxyxyt.com - 64.46.39.185 - Email: orbit@fxmail.net
moririnejuf.com - 64.46.39.184 - Email: purse@mail13.com
jydosucin.com - 64.46.39.200 - Email: arm@fxmail.net
libynozegokido.com - 64.46.39.186 - Email: orbit@fxmail.net
zidacofodafur.com - 64.46.39.212 - Email: gown@cutemail.org
fequxukovo.com - 67.196.15.136 - Email: arm@fxmail.net
gyxyqimacik.com - 67.196.15.138 - Email: purse@mail13.com
wizyvopyla.com - 67.196.15.137 - Email: arm@fxmail.net
gyricehagupy.com - 67.196.15.139 - Email: purse@mail13.com
punemipaqatyc.com - 67.196.15.141 - Email: ulcer@mailae.com
gehotigyry.com - 67.196.15.140 - Email: hp@mail13.com
vufekihoto.com - 67.196.15.105 - Email: arm@fxmail.net
huzomohidid.com - 67.196.15.104 - Email: arm@fxmail.net
posufejez.com - 67.196.15.107 - Email: purse@mail13.com
gewexyvunokyk.com - 67.196.15.106 - Email: purse@mail13.com
fowyqypacytucy.com - 209.160.45.32 - Email: soup@fastermail.ru
koduzuwobow.com - 209.160.45.130 - Email: pyre@cutemail.org
ciluvekypomow.com - 78.46.105.205 - Email: hips@cutemail.org
7hitaxodupi.com - 64.46.38.30

Monitoring of the campaign is ongoing.

Related posts:
Spamvertised "Reqest Rejected" Campaign Serving Scareware
Spamvertised DHL Notifications Scareware Campaign
Spamvertised Post Office Express Mail (USPS) Emails Serving Malware
Spamvertised United Parcel Service notifications serve malware
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Tuesday, April 12, 2011

Spamvertised "Reqest Rejected" Campaign Serving Scareware


A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which in turn downloads a scareware variant.

Sample subject: Reqest rejected
Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards."
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe
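
The attachment naming above is the whole trick: a zip whose only member is an executable named to look like a PDF. The following is an added example, not code from the original post, that opens a zip attachment in memory and flags members that carry an executable extension, a document-style double extension, or a PE ("MZ") header regardless of what the name claims. The fixture zip and its "MZ" stub payload are constructed here for the demo and contain no real malware; the extension lists are assumptions a deployment would tune.

```python
# Added example (not from the original post): inspect a zip attachment for an
# executable hiding behind a document-style name such as EX-38463.pdf.exe.
import io
import zipfile

PE_MAGIC = b"MZ"                                  # DOS header every Windows PE starts with
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg")          # assumption: tune per site
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def suspicious_members(zip_bytes):
    """Return [(member_name, [reasons])] for every entry that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            reasons = []
            if name.endswith(EXEC_EXTS):
                reasons.append("executable extension")
                if name.rsplit(".", 1)[0].endswith(DOC_EXTS):
                    reasons.append("double extension: document name hiding executable")
            with zf.open(info) as fh:             # judge content, not just the name
                if fh.read(2) == PE_MAGIC:
                    reasons.append("PE header (MZ)")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample_zip(member_name, payload):
    """Constructed fixture: an in-memory zip with one member. Payload is an inert stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    # Mimic the lure: EX-38463.pdf.exe inside EX-38463.pdf.zip (stub bytes, not the real sample)
    lure = build_sample_zip("EX-38463.pdf.exe", b"MZ" + b"\x00" * 62)
    for name, why in suspicious_members(lure):
        print(name, "->", "; ".join(why))
```

The content check matters because the same payload renamed to plain "report.pdf" still starts with "MZ" and is still caught, while a genuine PDF is not. What this does not cover: nested or password-protected archives (the member cannot be read) and script payloads that have no PE header, which are flagged by extension only; pair it with the hash list in the post for the samples already known.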

Detection rate:
EX-38463.pdf.exe - TrojanDownloader:Win32/Chepvil.J - Result: 11/41 (26.8%)
MD5   : 5085794e6c283ebcfa3878805b9e7be7
SHA1  : 1fbd8d3b0a3479274d8f09543452bf724bcb245c
SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932

Upon execution, downloads hdjfskh.net/pusk.exe - 208.43.90.48 - Email: admin@firtryt.biz
The same registrant contact, admin@firtryt.biz, is behind kkojjors.net in the "Successfull Order 977132" campaign above, which links the download infrastructure of the two campaigns.

Detection rate:
pusk.exe - FakeAlert-CN.gen.aa - Result: 13/42 (31.0%)
MD5   : a50a91176b5aeb96b8b77b99d587c485
SHA1  : c56b7ab2123dbd49902446ffcc0cf59d6a865857
SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c

Upon execution, phones back to the following domains, hosted within AS19875, AS8001, AS24940, AS32475 and AS32097:
2bemojewedowigo.com - 78.46.105.205
bemolaqijicy.com - 99.198.114.206 - Email: vista@free-id.ru
celisesuho.com - 99.198.114.202 - Email: hush@bz3.ru
cixovatywo.com - 78.46.105.205 - Email: frenzy@ca4.ru
fytypoqywu.com - 64.46.38.94 - Email: fy4371215910301@domainidshield.com
gicyxepomer.com - 78.46.105.205 - Email: tabs@yourisp.ru
gopilezavyxiro.com - 78.46.105.205 - Email: hush@bz3.ru
hivanedak.com - 188.95.54.242 - Email: steps@ppmail.ru
hotilosire.com - 208.110.67.122 - Email: lathe@maillife.ru
jerakidukojoz.com - 78.46.105.205 - Email: wrap@cheapbox.ru
kupeqobujohaq.com - 64.46.38.145 - Email: soup@fastermail.ru
kytevaviqopoci.com - 78.46.105.205 - Email: fs@free-id.ru
pikilokykizanu.com - 65.254.54.77 - Email: dawn@free-id.ru
punajytapaci.com - 209.97.213.105 - Email: mire@maillife.ru
qisacugugu.com - 64.46.38.129 - Email: as@free-id.ru
qupajubica.com - 78.46.105.205 - Email: heard@bz3.ru
reruravobosila.com - 67.196.13.96 - Email: mon@ppmail.ru
rorodarof.com - 99.198.114.204 - Email: hush@bz3.ru
ruqydahec.com - 67.196.13.97 - Email: mon@ppmail.ru
sakafiduzipame.com - 78.46.105.205 - Email: build@ca4.ru
sykobodyducib.com - 208.110.67.102 - Email: lathe@maillife.ru
tetagyjaj.com - 78.46.105.205 - Email: kilt@bz3.ru
tibehewuk.com - 209.97.213.102 - Email: mon@ppmail.ru
tisatosyhimidy.com - 188.95.54.243 - Email: jan@free-id.ru
tyhiqymiwufuj.com - 208.110.67.121 - Email: dawn@free-id.ru
vakyditefo.com - 99.198.114.203 - Email: vista@free-id.ru
wamojafadezy.com - 78.46.105.205 - Email: acts@free-id.ru
wetotyger.com - 78.46.105.205 - Email: acts@free-id.ru
wixecyhobovy.com - 64.46.38.130 - Email: soup@fastermail.ru
wolycunanoqe.com - 72.9.233.98 - Email: lathe@maillife.ru
zajatimibuj.com - 208.110.67.119 - Email: bark@cheapbox.ru
zequcitamado.com - 99.198.114.205 - Email: vista@free-id.ru
punajytapaci.com/1017000412 - 209.97.213.105 - Email: mire@maillife.ru
tibehewuk.com/1017000412 - 209.97.213.102 - Email: mon@ppmail.ru

Monitoring of the campaign is ongoing.


Monday, April 11, 2011

Don't Play Poker on an Infected Table - Part Four


A currently spamvertised campaign is enticing users into downloading and executing a fraudulent online gambling application known as VegasVIP_setup.exe.

Detection rate:
VegasVIP_setup.exe - Win32/CazinoSilver - Result: 16/42 (38.1%)
MD5   : 8680fa2868dd068f3c1d3995df105243
SHA1  : 4f3ecd72c223cf6e130377a3ecd9149232dc848b
SHA256: 68ded50bf7c9b7f6961e6334b25fdad5d2369e461051d5a9fa1f1ebaadeb1d0e

Upon execution, the sample phones back to:
www.onlinevegas.com/download/update.php?dl=0af374526b7b6eb6c54bf92cb1d1a236&status=10

The spammers are earning revenue by participating in the BestCasinoPartner.com Affiliate Program. More details:
"Turn Your Traffic Into BIG Monthly Cash! Join the BestCasinoPartner.com Affiliate Program and from the very start you will earn a HUGE 30% of ALL player GROSS losses EVERY month, no matter what your volume is! That’s ALL player GROSS losses for the life of your referred players, with No Loss Carry-Forward!

Refer an Affiliate: Get Even More. Earn 7% override on the Casino Gross Revenue payment made to the referred Affiliate for all players referred by your directly referred Affiliates - for the life of the player! Earn 5% override on the Casino Gross Revenue payment made from your Web masters’ referrals! AND…we even go One Step Further — a THIRD tier!

Here are the THREE levels that will earn you profits for the life EACH player:

  • Tier 1: 7% override on the Casino Gross Revenue
  • Tier 2: 5% override on the Casino Gross Revenue
  • Tier 3: 3% override on the Casino Gross Revenue"

Participating affiliate domains are: OnlineVegas.com; GoCasino.com; CrazySlots.com and GrandVegas.com

Related fraudulent online gambling domains part of the campaign:
777fashionplays.ru
777playsfashion.ru
bankpremiumplays.ru
bank-premium-plays.ru
bestfortuneplays.ru
best-fortune-plays.ru
bestplaysfortune.ru
best-plays-fortune.ru
bingobonusplays.ru
bonus-bingo-plays.ru
bonusplaysbingo.ru
bonus-plays-bingo.ru
class-plays-world.ru
class-world-plays.ru
crazyplaysroulette.ru
crazy-plays-roulette.ru
crazyrouletteplays.ru
crazy-roulette-plays.ru
elit-grand-games.ru
elit-plays-king.ru
fashion-plays-vegas.ru
fashion-vegas-plays.ru
fiveplaysstar.ru
fortunebestplays.ru
fortune-best-plays.ru
fortuneplaysbest.ru
fortune-plays-best.ru
fortune-plays-land.ru
fortuneplaysparty.ru
fortune-plays-party.ru
games-elit-king.ru
games-king-elit.ru
gamespremiumbank.ru
jokerplaysvegas.ru
online-games-luxory.ru
palaceplayscrystal.ru
playsbankpremium.ru
plays-bank-premium.ru
playsbestfortune.ru
plays-best-fortune.ru
plays-bingo-bonus.ru
playsbonusbingo.ru
plays-bonus-bingo.ru
playsclassworld.ru
playscrazyroulette.ru
plays-crazy-roulette.ru
playscrystalpalace.ru
plays-crystal-palace.ru
playsfashion777.ru
playsfivestar.ru
playsfortunebest.ru
plays-fortune-party.ru
playsonlineextra.ru
plays-plaza-west.ru
playspremiumbank.ru
playsroulettecrazy.ru
plays-roulette-crazy.ru
plays-royal-classic.ru
plays-star-five.ru
playsvegasjoker.ru
playswestplaza.ru
plays-world-win.ru
plaza-plays-west.ru
plazawestplays.ru
plaza-west-plays.ru
premium-bank-plays.ru
premiumplaysbank.ru
roulette-crazy-plays.ru
starfiveplays.ru
star-five-plays.ru
starplaysfive.ru
vegas-fashion-plays.ru
vegasjokergames.ru
vegasjokerplays.ru
vegas-joker-plays.ru
vegas-plays-joker.ru
westplaysplaza.ru
west-plays-plaza.ru
westplazaplays.ru
west-plaza-plays.ru
win-plays-world.ru
winworldplays.ru
win-world-plays.ru
world-class-plays.ru
world-plays-class.ru
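
The .ru domains above are not random: each is two or three words from a small vocabulary (plays, fortune, best, plaza, west, ...) concatenated in every ordering, with and without hyphens. The following is an added example, not from the original post, that recovers the word list behind each domain, groups the domains by word set, and enumerates the orderings the list does not yet contain, which is the set a defender can block before the spammer registers them. The vocabulary is an assumption read off the list above, and the sample input is an excerpt of that same list.

```python
# Added example (not from the original post): recover the word template behind
# the .ru gambling domains above and enumerate the orderings not yet registered.
from itertools import permutations

# Vocabulary read off the list above: an assumption, extend it as new words appear.
VOCAB = {"777", "bank", "best", "bingo", "bonus", "class", "classic", "crazy",
         "crystal", "elit", "extra", "fashion", "five", "fortune", "games", "grand",
         "joker", "king", "land", "luxory", "online", "palace", "party", "plays",
         "plaza", "premium", "roulette", "royal", "star", "vegas", "west", "win", "world"}
WORDS_BY_LEN = sorted(VOCAB, key=len, reverse=True)   # try longer words first

# Constructed input: an excerpt of the domain list above.
SAMPLE = """\
bestfortuneplays.ru best-fortune-plays.ru bestplaysfortune.ru best-plays-fortune.ru
fortunebestplays.ru fortune-best-plays.ru fortuneplaysbest.ru fortune-plays-best.ru
playsbestfortune.ru plays-best-fortune.ru playsfortunebest.ru
plays-plaza-west.ru playswestplaza.ru plaza-plays-west.ru plazawestplays.ru
plaza-west-plays.ru westplaysplaza.ru west-plays-plaza.ru westplazaplays.ru
west-plaza-plays.ru online-games-luxory.ru 777fashionplays.ru
""".split()

def tokenize(label):
    """Split a hyphen-free label into VOCAB words (longest first, with backtracking)."""
    if label == "":
        return []
    for w in WORDS_BY_LEN:
        if label.startswith(w):
            rest = tokenize(label[len(w):])
            if rest is not None:
                return [w] + rest
    return None                      # some part of the label is not in the vocabulary

def decompose(domain):
    """Word list a domain was built from, or None if it is off-template."""
    label = domain.lower()
    if label.endswith(".ru"):
        label = label[:-3]
    if "-" in label:
        parts = label.split("-")
        return parts if all(p in VOCAB for p in parts) else None
    return tokenize(label)

def expand(words):
    """Every ordering of the words, with and without hyphens, as .ru domains."""
    out = set()
    for p in permutations(words):
        out.add("".join(p) + ".ru")
        out.add("-".join(p) + ".ru")
    return out

def analyze(domains):
    """Group domains by the set of words they are built from; also return the misfits."""
    groups, unparsed = {}, []
    for d in domains:
        words = decompose(d)
        if words is None:
            unparsed.append(d)
        else:
            groups.setdefault(tuple(sorted(words)), set()).add(d.lower())
    return groups, unparsed

def missing_permutations(domains):
    """For each word set, the template outputs that are NOT in the observed list."""
    groups, _ = analyze(domains)
    return {key: sorted(expand(key) - seen) for key, seen in groups.items()}

if __name__ == "__main__":
    for key, missing in missing_permutations(SAMPLE).items():
        print("+".join(key), "-> unregistered so far:", missing)
```

On the excerpt, the best/fortune/plays family has 11 of its 12 possible spellings registered (only plays-fortune-best.ru is absent) and the plaza/west/plays family 9 of 12, which is strong evidence of a generator rather than hand-picked names. A domain the vocabulary cannot cover comes back in the "unparsed" list instead of being forced into a group, so a new word in a future batch shows up as a gap rather than a silent mis-grouping.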


Related posts:
Don't Play Poker on an Infected Table - Part Three
Don't Play Poker on an Infected Table - Part Two
Don't Play Poker on an Infected Table


Monday, April 04, 2011

Summarizing Zero Day's Posts for March


The following is a brief summary of all of my posts at ZDNet's Zero Day for March. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Recommended reading:
01. Spamvertised 'You have received a gift from one of our members!' malware campaign
02. Report: malicious PDF files becoming the attack vector of choice
03. Ashton Kutcher's Twitter account hacked
04. Google tops comparative review of malicious search results -- again
05. Report: 3 million malvertising impressions served per day
06. Dear ISP, it's time to quarantine your malware-infected customers
07. SpyEye gets new DDoS functionality
08. Spamvertised DHL notifications lead to malware
09. Spamvertised FedEx notifications lead to malware
10. Rustock botnet's operations disrupted
11. Malicious Japan quake spam leads to scareware
12. Spamvertised United Parcel Service notifications lead to malware
13. Researchers release details on 34 SCADA vulnerabilities
14. Zombie PC Prevention Bill to make security software mandatory
15. Spamvertised Post Office Express Mail (USPS) emails lead to malware
16. New GpCode ransomware encrypts files, demands $125 for decryption
17. Mass SQL injection attack leads to scareware


Spamvertised DHL Notifications Scareware Campaign

Yet another currently spamvertised campaign is impersonating DHL for scareware serving purposes.

Sample subjects: DHL notification #random number
Sample message: Dear customer! The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd.
Sample filenames: DHL_tracking.zip; doc.zip; dhl.zip

Detection rates:
dhl.exe - Backdoor:Win32/Hostil.gen!A - Result: 22/40 (55.0%)
MD5   : 87d778169ae14d934b92ce628b5cfde4
SHA1  : 20787fde3b7fde64cc3892c4df9a4eb2a2515830
SHA256: 6b54ff520fa6ff504f5f2f0c33af8b92424f0b538a760f4eb983d76007d3fe54

Downloads an additional binary from puskovayaustanovka.ru/pusk2.exe - 46.161.20.66 - Email: admin@puskovayaustanovka.ru

pusk2.exe - Trojan.Fakealert.20509 - Result: 11/41 (26.8%)
MD5   : a9be091eedea947f8626d11042e0d9be
SHA1  : 9c1d399d47a6ef6081553a101ab48fca61859db4
SHA256: d4f5802a392c0851d5e19118d56cc8b578f1a07085aa5772cbdcf484608ed094


Upon execution phones back to the following domains:
kynugypenihyf.com - Email: v8@ca4.ru
cylakydugudi.com - Email: acts@free-id.ru
fevahanybyvu.com - Email: fs@free-id.ru
gicyxepomer.com - Email: tabs@yourisp.ru
bemojewedowigo.com - Email: fs@free-id.ru
sakafiduzipame.com - Email: build@ca4.ru
wetotyger.com - Email: acts@free-id.ru
kytevaviqopoci.com - Email: fs@free-id.ru
wamojafadezy.com - Email: kilt@bz3.ru
tetagyjaj.com - Email: kilt@bz3.ru
jerakidukojoz.com - Email: wrap@cheapbox.ru
cixovatywo.com - Email: frenzy@ca4.ru
jafybobik.com - Email: force@ca4.ru
nizokatahinery.com - Email: foxy@cheapbox.ru
cujicaraso.com - Email: beret@ca4.ru
zuzosahule.com - Email: only@free-id.ru
gokuzajylot.com - Email: silks@ca4.ru
jumonevetode.com - Email: silks@ca4.ru
dafatesomyz.com - Email: zq@bz3.ru
lukofymela.com - Email: silks@ca4.ru
jebuponip.com - Email: lost@free-id.ru
quxovasuced.com - Email: hp@ppmail.ru
laqoduhisegu.com - Email: shot@bz3.ru
xyseditacif.com - Email: hart@free-id.ru
wylyxaqunowy.com - Email: mows@bz3.ru
qepovexidysopy.com - Email: byob@yourisp.ru
bebecebyt.com - Email: mows@bz3.ru
dihemehypuq.com - Email: shot@bz3.ru
rumesexyzobuz.com - Email: dawn@bz3.ru
gopilezavyxiro.com - Email: hush@bz3.ru
hyvijinymut.com/1017000312 - 99.198.114.189 - returns OK


The domains resolve to IPs within AS18866 and AS32097:
quxovasuced.com - 69.50.209.139
laqoduhisegu.com - 69.50.209.140
wylyxaqunowy.com - 69.50.209.148
qepovexidysopy.com - 69.50.209.149
fevahanybyvu.com - 69.50.209.182
bemojewedowigo.com - 69.50.209.183
gicyxepomer.com - 69.50.209.184
sakafiduzipame.com - 69.50.209.185
wamojafadezy.com - 69.50.209.186
kytevaviqopoci.com - 69.50.209.188
jebuponip.com - 69.50.209.223
cylakydugudi.com - 69.50.209.224
wetotyger.com - 69.50.209.225
nizokatahinery.com - 69.197.161.202
cujicaraso.com - 69.197.161.203
kynugypenihyf.com - 69.197.161.204
jafybobik.com - 69.197.161.205
tetagyjaj.com - 99.198.114.98
jerakidukojoz.com - 99.198.114.99
gopilezavyxiro.com - 99.198.114.100
cixovatywo.com - 99.198.114.101
hyvijinymut.com - 99.198.114.189
zuzosahule.com - 204.12.223.170
jumonevetode.com - 204.12.223.171
dafatesomyz.com - 204.12.223.172
gokuzajylot.com - 204.12.223.173
lukofymela.com - 204.12.223.174
rumesexyzobuz.com - 204.12.223.186
xyseditacif.com - 204.12.223.187
dihemehypuq.com - 204.12.223.188
bebecebyt.com - 204.12.223.189

Monitoring of the campaign is ongoing.
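
Taken together, the call-back list in this post and the one in the April 12 "Reqest Rejected" post above let an analyst pivot in three ways: group domains by the registrant contact they were registered with, group them by the /24 they sit in, and diff the two lists to see which domains were re-used and where they moved. The following is an added example, not code from the original posts, that does all three over excerpts of those two lists; the same pattern applies unchanged to the Bobijou list at the top of the page. The "domain - ip - Email: contact" line format it parses and the /24 grouping are assumptions; the excerpts are copied from the lists above.

```python
# Added example (not from the original posts): pivot on the April 12 and
# April 4 call-back lists by registrant contact, by /24, and by diffing them.
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed input: excerpts copied from the two lists above (line format assumed).
DHL_APR04 = """\
quxovasuced.com - 69.50.209.139
gicyxepomer.com - 69.50.209.184
sakafiduzipame.com - 69.50.209.185
wamojafadezy.com - 69.50.209.186
kytevaviqopoci.com - 69.50.209.188
wetotyger.com - 69.50.209.225
tetagyjaj.com - 99.198.114.98
jerakidukojoz.com - 99.198.114.99
gopilezavyxiro.com - 99.198.114.100
cixovatywo.com - 99.198.114.101
hyvijinymut.com - 99.198.114.189
"""
REJECT_APR12 = """\
bemolaqijicy.com - 99.198.114.206 - Email: vista@free-id.ru
celisesuho.com - 99.198.114.202 - Email: hush@bz3.ru
cixovatywo.com - 78.46.105.205 - Email: frenzy@ca4.ru
gicyxepomer.com - 78.46.105.205 - Email: tabs@yourisp.ru
gopilezavyxiro.com - 78.46.105.205 - Email: hush@bz3.ru
hivanedak.com - 188.95.54.242 - Email: steps@ppmail.ru
jerakidukojoz.com - 78.46.105.205 - Email: wrap@cheapbox.ru
kytevaviqopoci.com - 78.46.105.205 - Email: fs@free-id.ru
qupajubica.com - 78.46.105.205 - Email: heard@bz3.ru
rorodarof.com - 99.198.114.204 - Email: hush@bz3.ru
sakafiduzipame.com - 78.46.105.205 - Email: build@ca4.ru
tetagyjaj.com - 78.46.105.205 - Email: kilt@bz3.ru
vakyditefo.com - 99.198.114.203 - Email: vista@free-id.ru
wamojafadezy.com - 78.46.105.205 - Email: acts@free-id.ru
wetotyger.com - 78.46.105.205 - Email: acts@free-id.ru
zequcitamado.com - 99.198.114.205 - Email: vista@free-id.ru
"""

# "domain - ip" with an optional " - Email: contact" tail, as the posts write them.
LINE_RE = re.compile(r"^(?P<domain>[\w.-]+)\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
                     r"(?:\s*-\s*Email:\s*(?P<email>\S+))?")

def parse_iocs(text):
    """Return [(domain, ip, email_or_None)], skipping lines that do not fit."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["domain"].lower(), m["ip"],
                         m["email"].lower() if m["email"] else None))
    return rows

def cluster_by_email(rows):
    """Registrant contact -> domains registered with it."""
    out = defaultdict(set)
    for domain, _ip, email in rows:
        if email:
            out[email].add(domain)
    return dict(out)

def cluster_by_netblock(rows, prefix=24):
    """/prefix network -> domains inside it; adjacent IPs suggest one rented block."""
    out = defaultdict(set)
    for domain, ip, _email in rows:
        out[str(ip_network(f"{ip}/{prefix}", strict=False))].add(domain)
    return dict(out)

def ips_with_many_registrants(rows, min_contacts=3):
    """IP -> number of distinct registrant contacts behind the domains it hosts."""
    contacts = defaultdict(set)
    for _domain, ip, email in rows:
        if email:
            contacts[ip].add(email)
    return {ip: len(e) for ip, e in contacts.items() if len(e) >= min_contacts}

def diff_campaigns(earlier_text, later_text):
    """Domains that persisted between two lists, where they moved, and the churn."""
    a = {d: ip for d, ip, _ in parse_iocs(earlier_text)}
    b = {d: ip for d, ip, _ in parse_iocs(later_text)}
    common = sorted(set(a) & set(b))
    return {"persisted": common,
            "moved": {d: (a[d], b[d]) for d in common if a[d] != b[d]},
            "new": sorted(set(b) - set(a)),
            "dropped": sorted(set(a) - set(b))}

if __name__ == "__main__":
    rows = parse_iocs(REJECT_APR12)
    print("shared hosting:", ips_with_many_registrants(rows))
    d = diff_campaigns(DHL_APR04, REJECT_APR12)
    print(len(d["persisted"]), "re-used domains now on", {ip for _, ip in d["moved"].values()})
```

Run over these excerpts it reports that nine of the April 4 domains reappear on April 12, every one of them moved from the 69.50.209.x and 99.198.114.x blocks onto the single host 78.46.105.205, and that host sits behind nine different registrant contacts. The contacts are therefore disposable and the hosting is the better pivot; the /24 grouping is a heuristic, so a match on netblock alone is a lead to confirm, not an attribution.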

Related posts:
Spamvertised Post Office Express Mail (USPS) Emails Serving Malware
Spamvertised United Parcel Service notifications serve malware
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware