Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

Wednesday, January 13, 2010

Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

UPDATED, Friday, 15, 2010: The gang continues rotating the campaigns by targeting different brands. Over the 24 hours they've spamming the well known "Notice of Underreported Income" theme this time targeting HM Revenue and Customs (HMRC), and have also introduced new portfolios of typosquatted domains next to changing the client-side exploits serving iFrame embedded on each and every page.

- Sample message: "Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement. If the statement is incorrect, contact our Taxpayer Advocate Service."
- Sample URL: online.hmrc.gov.uk.olpiku5v .com.pl/SecurityWebApp/httpsmode/statement.php

Detection rates for tax-statement.exe (Trojan-Spy.Win32.Zbot.gen) and file.exe (Trojan-Spy.Win32.Zbot.gen). Upon execution, the samples attempt to connect to elnasa .ru/asd/elnasa.ble (109.95.114 .71/asd/elnasa.ble).

The structure of the iFrame, now using an IP address instead of a domain name, remains the same:
- 109.95.114.251 /uks1/in.php - 109.95.114.251 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich - akanyovskiy@troyak.org
    - 109.95.114.251 /uks1/jquery.jxx
            - 109.95.114.251 /uks1/xd/pdf.pdf
                - 109.95.114.251 /uks1/load.php
                    - 109.95.114.251 /uks1/file.exe

DNS servers of notice:
ns1.pds-properties .com - 89.238.165.195
ns1.noeproperties .com - 84.243.201.159
ns1.densondatabase .com - 94.23.177.147
ns1.dogsgrem .net - 89.238.165.195 - Email: glonders@gmail.com - Email seen in previous domain registrations

Typosquatted domains spammed over the past 24 hours:
olpiku5a .com.pl
olpiku5b .com.pl
olpiku5c .com.pl
olpiku5d .com.pl
olpiku5e .com.pl
olpiku5f .com.pl
olpiku5g .com.pl
olpiku5q .com.pl
olpiku5r .com.pl
olpiku5s .com.pl
olpiku5t .com.pl
olpiku5v .com.pl
olpiku5w .com.pl
olpiku5x .com.pl
olpiku5z .com.pl

ujo9ia .com.pl
ujo9id .com.pl
ujo9ie .com.pl
ujo9if .com.pl
ujo9ig .com.pl
ujo9ih .com.pl
ujo9im .com.pl
ujo9in .com.pl
ujo9iq .com.pl
ujo9ir .com.pl
ujo9is .com.pl
ujo9it .com.pl
ujo9iw .com.pl
ujo9iy .com.pl
ujo9iz .com.pl

t111ut .me.uk
t111uy .me.uk
t111uz .me.uk
t111uk .org.uk
t111ut .org.uk
t111uz .org.uk
t111uk .co.uk
t111uy .co.uk

okio1h .ne.kr
okio1w .ne.kr
okio1h .kr
okio1h .co.kr
okio1u .co.kr
okio1v .co.kr
okio1w .co.kr
okio1h .or.kr
okio1u .or.kr
okio1v .or.kr
okio1w .or.kr
okio1u .kr
okio1v .kr
okio1w .kr

proterp1 .im
virtdit1 .im
virtdit2 .im
virtdit3 .im
virtdit4 .im
virtdit5 .im
virtdit6 .im
virtdit7 .im
virtdit8 .im

UPDATED: Gary Warner offers additional insights into the latest campaigns - This Week in Avalanche / Zbot / Zeus Bot: HSBC & eBay.

What the botnet masters forget is that with each and every campaign, based on a number of factors, they reveal more about themselves and their affiliations within the cybercrime ecosystem. The degree of monetization is proportional with the loss of OPSEC (operational security), and this remains valid for any fraudulent campaign, botnet or cybercrime community in general.

UPDATED: To clarify, in this campaign Pushdo acts as the spam platform for the Avalanche/MS-Redirect botnet.

In need of a good example why you shouldn't be interacting with spam/phishing emails in any other way but reporting/deleting them, unless of course you're in the business of analyzing them?

Last week's OWA-themed Zeus-serving spam campaign courtesy of the Pushdo botnet, has not just resumed, but is continuing to serve client-side exploits (CVE-2007-5659; CVE-2008-2992; CVE-2009-0927) to anyone visiting the spammed web sites through an iFrame embedded on all of them. Such traffic optimization tactics are nothing new, since the botnet master is anticipating the fact that the visitor that clicked on the link, may not be that stupid the next time, so attempting to serve the malware without any kind of interaction on his behalf through client-side exploits is the tactic of choice.

Let's dissect the campaign, list all of the currently active fast-fluxed domains, the name servers of notice, the client-side exploit serving structure, and the Russian Brides scam domains spamvertised over the last few days.

Active fast-fluxed domains part of the campaign:
leptprs.co .kr - Email: wawddhaepny@yahoo.com
leptprs .kr - Email: wawddhaepny@yahoo.com
leptprs.ne .kr - Email: wawddhaepny@yahoo.com
leptprs.or .kr - Email: wawddhaepny@yahoo.com
oki8uuu.co .kr - Email: wawddhaepny@yahoo.com
ui7772.co .kr - Email: jn.hadler@jkh.org.uk
ui7772 .kr - Email: jn.hadler@jkh.org.uk
ui7772.ne .kr - Email: jn.hadler@jkh.org.uk
ui7772.or .kr - Email: jn.hadler@jkh.org.uk
ui777f .kr - Email: jn.hadler@jkh.org.uk
ui777f.ne .kr - Email: jn.hadler@jkh.org.uk
ui777f.or .kr - Email: jn.hadler@jkh.org.uk
ui777fne .kr - Email: jn.hadler@jkh.org.uk
ui777l.co .kr - Email: jn.hadler@jkh.org.uk
ui777p.co .kr - Email: jn.hadler@jkh.org.uk
ui777p .kr - Email: jn.hadler@jkh.org.uk
ui777p.ne .kr - Email: jn.hadler@jkh.org.uk
ui777p.or .kr - Email: jn.hadler@jkh.org.uk

DNS servers of notice:
ns1.raddoor .com - Email: figarro77@gmail.com
ns1.snup-up .net - Email: dietsnak@socialworker.net
ns1.aj-realty .net - Email: support@aj-realty.net
ns1.aj-administration .com - Email: manager@mack.net
ns1.aj-talentsearch .com - Email: supp@mail.net
ns1.eurobankfinance .net - Email: termer@counsellor.com
ns1.hetn91 .com - Email: astrix@aol.com
ns1.personnel-aj .com - Email: KimMIngram@aol.com
ns1.nitroexcel .net
ns1.fredoms .com
ns1.ajstaffing .net
ns1.angel-death .net
ns1.aj-estate .com
ns1.aj-realtors .com
ns1.pdsproperties .com
ns1.groupswat .com

Upon execution, settings-file.exe (Trojan-Spy.Win32.Zbot.adsy), phones back to 109.123.70 .97/fh3245sq/config.bin. Detection rate for pdf.pdf (Exploit-PDF.ac) and file.exe (Trojan.Win32.Riern). The structure of the iFrame is as follows:
- atthisstage .com/uksp/in.php - 84.45.45.135 - Email: soakes@soakes.com
    - atthisstage .com/uksp/jquery.jxx
        - atthisstage .com/uksp/xd/pdf.pdf
            - atthisstage .com/uksp/load.php
                - atthisstage .com/uksp/file.exe

Russian Brides spamvertised domains part of an affiliate network:
toolbarsunited .com - Email: soft.tj@gmail.com
2006jubilee .com - Email: soft.tj@gmail.com
avtofo .org - Email: flarnes@gmail.com
lovesexdatings .com - Email: kauplus@li.ru
stars-dating .com - Email: kauplus@li.ru
avtofo.com .ua
dinenyc .net

cid-f5f40ef1f5210d08.spaces .live.com
cid-c1b015ffe1b44573.spaces .live.com
cid-b78f4f23e27d2b45.spaces .live.com
cid-8d3413073f537740.spaces .live.com
cid-205046cf66900102.spaces .live.com

If you want to know more the inner workings of the Pushdo/Cutwail botnet, consider going through the Pushdo / Cutwail - An Indepth Analysis report.

Related posts:
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Wednesday, January 13, 2010

Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

No comments:

Post a Comment