From a Chase phishing campaign, to a bogus Microsoft update, and an exploit serving spam campaign using a "Who Killed Michael Jackson?" theme prior to his death (go through related Michael Jackson malware campaigns), to a currently ongoing phishing campaign impersonating the United Services Automobile Association (USAA), the gang behind this botnet has been actively multitasking during the past two months.
The spam message is as follows:"Michael Jackson Was Killed... But Who Killed Michael Jackson? Visit X-Files to see the answer: MJackson.kilijj .com/x-files", upon clicking on it the user is redirected to two exploit serving domains - ogzhnsltk .com/plugins/index.php (94.199.200.125 Email: osaltik@windowslive.com); and dogankomurculuk .com/stil/index.php (91.191.164.100 - Email: by.yasin@msn.com).
Through the use of an Office Snapshot Viewer exploit the user is the exposed to a downloader (x-file-MJacksonsKiller.exe) which attempts to drop a copy of the Zeus malware from labormi .com/lbrc/lbr.bin (91.206.201.6). The following is an extensive list of the participating domains, as well as the currently active and fast-fluxing DNS servers part of the botnet:
List of participating domains:kilij1 .com
ilkil1 .com
ilkifi .com
kili1j .com
kil1jj .com
ki1ijj .com
kikijj .com
k1lijj .com
kilijj .com
1ilikj .com
ilki1k .com
ilk1lk .com
i1kilk .com
ilkilk .com
kilij1 .netilkil1 .net
kili1j .net
kil1jj .net
ki1ijj .net
k1lijj .net
kilijj .net
1ilikj .net
ilki1k .net
ilk1lk .net
i1kilk .net
ilkilk .net
ilifi.com .mx
1ffli.com .mx
iljihli.com .mx
hhili.com .mx
hilli.com .mx
kiffil.com .mx
Michael Jackson related subdomains:mjackson.ijjik1 .com
mjackson.ijjil1. com
mjackson.kjjil1 .com
mjackson.ikjil1 .com
mjackson.ijkil1 .com
mjackson.ijjkl1 .com
mjackson.ikilij .com
mjackson.ikklij .com
mjackson.ikilkj .com
mjackson.ikilfk .com
mjackson.ijjilk .commjackson.ijjill .com
mjackson.ijjik1 .net
mjackson.ijjil1 .net
mjackson.ikjil1 .net
mjackson.ijkil1 .net
mjackson.ijjkl1 .net
mail.ikilij .net
mjackson.ikilij .net
mjackson.ilifi .com.mx
mjackson.iljihli .com.mx
mjackson.hhili .com.mx
mjackson.hilli .com.mx
Microsoft related subdomains:
update.microsoft.com .h1hili.com
update.microsoft.com .ijlk1j.com
update.microsoft.com .hillij.com
update.microsoft.com .hillkj.com
update.microsoft.com .ikillif.net
update.microsoft.com .jikikji.net
update.microsoft.com .hillij.net
update.microsoft.com .hillik.net
update.microsoft.com .ikihill.net
update.microsoft.com .ilifi.com.mx
update.microsoft.com .iljihli.com.mx
update.microsoft.com .hilli.com.mx
update.microsoft.com .kiffil.com.mx
USAA.com related phishing subdomains:www.usaa.com.kihhif .com
www.usaa.com.kihhih .com
www.usaa.com.kihhik .com
www.usaa.com.kihhil .com
www.usaa.com.kihhik .net
www.usaa.com.kihhil .net
www.usaa.com.hilli.com .mx
www.usaa.com.frtll.com .mx
www.usaa.com.mrtll.com .mx
DNS Servers of notice:
ns1.vine-prad .com
ns2.vine-prad .com
ns1.blacklard .com
ns1.fax-multi .com
ns2.fax-multi .com
ns1.rondonman .com
ns2.rondonman .com
ns1.host-fren .com
ns2.host-fren .com
ns1.hotboxnet .com
ns2.hotboxnet .com
ns1.free-domainhost .com
ns2.free-domainhost .com
ns1.sunthemoow .com
ns2.sunthemoow .comns1.high-daily .com
ns2.high-daily .com
ns1.otorvald .net
ns1.red-bul .net
ns2.red-bul .net
ns1.footdoor .net
ns1.bestdodgeros .net
ns2.bestdodgeros .net
ns1.azdermen .com
ns2.azdermen .com
ns1.departconsult .com
ns2.departconsult .com
ns1.torentwest .com
ns2.torentwest .com
ns1.downlloadfile .net
ns2.downlloadfile .net
Due to this botnet's involvement with several other malware campaigns of notice, as well as its evident connection with the ongoing monitoring of several particular cybecrime groups, analysis and updates will be posted as soon as they emerge.
Related posts:
Money Mule Recruiters use ASProx's Fast Fluxing Services
Managed Fast Flux Provider - Part Two
Managed Fast Flux Provider
Storm Worm's Fast Flux Networks
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
This post has been reproduced from Dancho Danchev's blog.
No comments:
Post a Comment