SECOND UPDATE for Wednesday, February 24, 2010 - Another portfolio of new domains is being spamvertised, using the old PhotoArchive theme. The client-side exploits serving iFrame directory has been changed to 91.201.196.101 /usasp33/in.php currently serving CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324.
Sample detection rates: update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%); file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%). Samples phone back to the same C&C where samples from previous campaigns were also phoning back to - trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru.
Domains portfolio:
reda.kr - Email: ClarenceN62412@hotmail.com
redb.kr - Email: ClarenceN62412@hotmail.com
reda.ne.kr - Email: ClarenceN62412@hotmail.com
redb.ne.kr - Email: ClarenceN62412@hotmail.com
redn.ne.kr - Email: ClarenceN62412@hotmail.com
redv.ne.kr - Email: ClarenceN62412@hotmail.com
redn.kr - Email: ClarenceN62412@hotmail.com
reda.co.kr - Email: ClarenceN62412@hotmail.com
redv.co.kr - Email: ClarenceN62412@hotmail.com
reda.or.kr - Email: ClarenceN62412@hotmail.com
redb.or.kr - Email: ClarenceN62412@hotmail.com
redn.or.kr - Email: ClarenceN62412@hotmail.com
redv.or.kr - Email: ClarenceN62412@hotmail.com
redv.kr - Email: ClarenceN62412@hotmail.com
Name server of notice:
ns1.skcstaffing.com - 87.117.245.9 - Email: hr@department.com
UPDATED: Wednesday, February 24, 2010 - Another portfolio of typosquatted domains has been spamvertised. The already suspended domains are listed for historical OSINT analysis of this gang's activities.
Interestingly, their campaigns are lacking the quality assurance I'm used to see. For instance, the iFrame IP (109.95.114.251 /usa50/in.php) is currently down, with the malware itself, including the one that would have been dropped given the exploitation took place - have over 90% detectio rate, since the binaries were first analyzed a month ago - tax-statement.exe - Trojan-Spy.Win32.Zbot - 40/42 (95.24%); abs.exe - Packed:W32/Mufanom.A - Result: 38/42 (90.48%). The directory structure also remains the same - irs.gov.yrxc.kr/fraud.applications /application/statement.php
Domains portfolio, including name servers of notice are as follows:erdca.co.kr - Email: WeedDame16427@hotmail.com
erdca.kr - Email: WeedDame16427@hotmail.com
erdca.ne.kr - Email: WeedDame16427@hotmail.com
erdca.or.kr - Email: WeedDame16427@hotmail.com
erdcb.kr - Email: WeedDame16427@hotmail.com
erdcd.kr - Email: WeedDame16427@hotmail.com
erdce.co.kr - Email: WeedDame16427@hotmail.com
erdce.kr - Email: WeedDame16427@hotmail.com
erdce.ne.kr - Email: WeedDame16427@hotmail.com
erdce.or.kr - Email: WeedDame16427@hotmail.com
erdcq.kr - Email: WeedDame16427@hotmail.com
erdcu.co.kr - Email: WeedDame16427@hotmail.com
erdcu.kr - Email: WeedDame16427@hotmail.com
erdcu.ne.kr - Email: WeedDame16427@hotmail.com
erdcu.or.kr - Email: WeedDame16427@hotmail.com
yrxc.co.kr - Email: WeedDame16427@hotmail.com
yrxc.kr - Email: WeedDame16427@hotmail.com
yrxc.or.kr - Email: WeedDame16427@hotmail.com
yrxo.co.kr - Email: WeedDame16427@hotmail.com
yrxo.kr - Email: WeedDame16427@hotmail.com
yrxo.ne.kr - Email: WeedDame16427@hotmail.com
yrxo.or.kr - Email: WeedDame16427@hotmail.com
yrxs.co.kr - Email: WeedDame16427@hotmail.com
yrxs.kr - Email: WeedDame16427@hotmail.com
yrxs.ne.kr - Email: WeedDame16427@hotmail.com
yrxs.or.kr - Email: WeedDame16427@hotmail.com
rts1e3en.me.uk
rts1e3eq.me.uk
rts1e3ew.me.uk
rts1e3ex.me.uk
rts1e3ey.me.uk
rts1e3ez.me.uk
rts1e3eb.co.uk
rts1e3en.co.uk
rts1e3eq.co.uk
rts1e3er.co.uk
rts1e3ew.co.uk
rts1e3ex.co.uk
rts1e3ey.co.uk
rts1e3ez.co.uk
Name servers of notice:
ns1.skc-realty.com - 89.238.165.195 - Email: skc@realty.net
ns1.chinafromasia.com
UPDATED: Monday, February 22, 2010 - Another typosquatted domains portfolio is being spamvertised, including two new name servers, parked on the same IP where name servers from previous campaigns were hosted.
Typosquatted domains, and name servers of notice are as follows:dese.co.kr - Email: asondrapgt@hotmail.com
dese.kr - Email: asondrapgt@hotmail.com
dese.ne.kr - Email: asondrapgt@hotmail.com
dese.or.kr - Email: asondrapgt@hotmail.com
desr.co.kr - Email: asondrapgt@hotmail.com
desr.kr - Email: asondrapgt@hotmail.com
desr.or.kr - Email: asondrapgt@hotmail.com
desv.co.kr - Email: asondrapgt@hotmail.com
desv.kr - Email: asondrapgt@hotmail.com
desv.ne.kr - Email: asondrapgt@hotmail.com
desv.or.kr - Email: asondrapgt@hotmail.com
desx.co.kr - Email: asondrapgt@hotmail.com
desx.kr - Email: asondrapgt@hotmail.com
desx.ne.kr - Email: asondrapgt@hotmail.com
desx.or.kr - Email: asondrapgt@hotmail.com
edasa.co.kr
edasa.kr
edasa.ne.kr
edasa.or.kr
edase.co.kr
edase.kr
edase.ne.kr
edase.or.kr
edasn.kr
edasn.ne.kr
edasn.or.kr
edasq.co.kr
edasq.kr
edasq.ne.kr
edasq.or.kr
Name servers of notice:
ns1.silverbrend.net - 87.117.245.9 - Email: klincz@aol.com
ns1.hourscanine.com - 87.117.245.9 - Email: carruawau@gmail.com
UPDATED: Sunday, February 21, 2010 - The gang is currently spamming a phishing campaign -- no client-side serving iFrames found so far -- attempting to steal Google account and Blogspot accounting data. Given the fact that the gang is capable of generating hundreds of thousands of bogus accounts on their own, as well as buy them in bulk orders from vendors that have already built such an inventory across multiple social networking sites, the only logical reason for attempting to phish for such data would be to attempt to maliciously monetize the traffic of legitimate blogs.
The newly spamvertised domains, including a new name server are as follows:esub.co.kr - Email: osamplerl61@hotmail.com
esub.kr - Email: osamplerl61@hotmail.com
esub.ne.kr - Email: osamplerl61@hotmail.com
esug.co.kr - Email: osamplerl61@hotmail.com
esug.kr - Email: osamplerl61@hotmail.com
esug.ne.kr - Email: osamplerl61@hotmail.com
esuk.kr - Email: osamplerl61@hotmail.com
esuk.ne.kr - Email: osamplerl61@hotmail.com
esuk.or.kr - Email: osamplerl61@hotmail.com
esus.co.kr - Email: osamplerl61@hotmail.com
esus.kr - Email: osamplerl61@hotmail.com
esus.ne.kr - Email: osamplerl61@hotmail.com
esut.co.kr - Email: osamplerl61@hotmail.com
esut.kr - Email: osamplerl61@hotmail.com
esut.ne.kr - Email: osamplerl61@hotmail.com
ns1.nitroexcel.com - 89.238.165.195 (the same IP was also hosting the name server domains from previous campaigns) - Email: rackmodule@writemail.com
UPDATED: Saturday, February 20, 2010 - The client-side exploit serving iFrame directory has been changed to 91.201.196.101 /usasp11/in.php, with another typosquatted portfolio of domains currently being spamvertised.
Detection rates: update.exe - Trojan.Zbot - Result: 25/40 (62.5%) (phones back to trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru); file.exe - Trojan.Spy.ZBot.12544.1 - Result: 26/41 (63.42%); ie.js - JS:CVE-2008-0015-G - Result: 14/40 (35%); ie2.js - Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5%); nowTrue.swf - Trojan.SWF.Dropper.E - Result: 24/41 (58.54%); pdf.pdf - Exploit.JS.Pdfka.bln - Result: 11/41 (26.83%); swf.swf - SWF/Exploit.Agent.BS - Result: 8/40 (20%).
Domain portfolio, name server of notice - ns1.vektoroils.net - 74.117.63.218 - Email: admin@forsyte.info :desa.co.kr - Email: hjfeasey@yahoo.co.uk
desa.kr - Email: hjfeasey@yahoo.co.uk
desa.ne.kr - Email: hjfeasey@yahoo.co.uk
desa.or.kr - Email: hjfeasey@yahoo.co.uk
desb.co.kr - Email: hjfeasey@yahoo.co.uk
desb.kr - Email: hjfeasey@yahoo.co.uk
desb.ne.kr - Email: hjfeasey@yahoo.co.uk
desb.or.kr - Email: hjfeasey@yahoo.co.uk
deso.kr - Email: hjfeasey@yahoo.co.uk
deso.or.kr - Email: hjfeasey@yahoo.co.uk
desv.kr - Email: hjfeasey@yahoo.co.uk
desz.co.kr - Email: hjfeasey@yahoo.co.uk
desz.kr - Email: hjfeasey@yahoo.co.uk
desz.ne.kr - Email: hjfeasey@yahoo.co.uk
desz.or.kr - Email: hjfeasey@yahoo.co.uk
UPDATED: Wednesday, February 17, 2010 - The iFrame directory has been changed to 91.201.196.101 /usasp/in.php, detection rate for update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 17/40 (42.5%).
saqwk.co.kr - Email: Camerc05@yahoo.com
saqwk.kr - Email: Camerc05@yahoo.com
saqwk.ne.kr - Email: Camerc05@yahoo.com
saqwk.or.kr - Email: Camerc05@yahoo.com
saqwm.co.kr - Email: Camerc05@yahoo.com
saqwm.kr - Email: Camerc05@yahoo.com
saqwm.ne.kr - Email: Camerc05@yahoo.com
saqwq.co.kr - Email: Camerc05@yahoo.com
saqwq.kr - Email: Camerc05@yahoo.com
saqwq.ne.kr - Email: Camerc05@yahoo.com
saqwq.or.kr - Email: Camerc05@yahoo.com
saqwz.co.kr - Email: Camerc05@yahoo.com
saqwz.kr - Email: Camerc05@yahoo.com
saqwz.ne.kr - Email: Camerc05@yahoo.com
saqwz.or.kr - Email: Camerc05@yahoo.com
As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts, kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains.
Sample campaign URLs from the PhotoArchive, SecretArchives themed campaign:
- archive .repok.or.kr/archive0714/?id=test@test.com
- secretarchives .renyn.kr/archive0714/?id=test@test.com
- secretfiles .repo1it.me.uk/archive0714/?id=test@test.com
- secretarchives .renyn.ne.kr/archive0714/?id=test@test.com
- postcards .repo1ix.co.uk/archive0714/?id=test@test.com
Sample sub domain structure:
anonymousfiles .repo1i2.me.uk
archive .repo1iq.me.uk
archive .repo1it.me.uk
archives .repo1i1.me.uk
filearchive .repo1i1.me.uk
files .repo1it.me.uk
files .repo1ix.me.uk
files4friends .repo1it.me.uk
secretarchives .repo1iq.me.uk
secretarchives .repo1iw.me.uk
secretarchives .repo1ix.me.uk
secretfiles .repo1iq.me.uk
sendspace .repo1i2.me.uk
archive .repo1ix.co.uk
archives .repo1iq.co.uk
archives .repo1ix.co.uk
files .repo1iq.co.uk
files4friends .repo1ix.co.uk
incognito .repo1iq.co.uk
postcard .repo1iq.co.uk
postcard .repo1iw.co.uk
secretarchives .repo1iw.co.uk
www.irs.gov .repo1ix.co.uk
Embedded iFrame - 91.201.196.101 /ukasp/in.php (AS42229 (MARIAM-AS PP Mariam) attempts to exploit CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324. Upon successful exploitation, file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 12/41 (29.27%) is served. Just like the original update.exe - Trojan.Zbot - Result: 13/40 (32.50%) available as a manual download from the pages, both samples phone back to the well known elnasa.ru /asd/elnasa.ble - 109.95.114.71 - Email: kievsk@yandex.ru - Aleksey V Kijanskiy.
Naturally, AS42229 (MARIAM-AS PP Mariam) is a cybercrime-friendly AS, with the following currently active Zeus C&Cs parked there:
91.201.196.35
91.201.196.75
91.201.196.76
91.201.196.38
91.201.196.34
91.201.196.37
Sample URL from the IRS-themed campaign:
- irs.gov .renyn.kr/fraud.applications/application/statement.php
Sample iFrame from the IRS-themed campaign - 109.95.114.251 /usa50/in.php is currently down. The same IP was used to serve client-side exploits in a previous campaign - "Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams".
Detection rate for tax-statement.exe - Trojan-Spy.Win32.Zbot.gen - Result: 37/41 (90.25%), which upon execution phones back to the well known nekovo.ru /cbd/ nekovo.br - 109.95.115.18 - Email: kievsk@yandex.ru - Aleksey V Kijanskiy
Active and spamvertised fast-fluxed domains part of the campaign:renya.co.kr - Email: Sethdc77@yahoo.co.uk
renya.kr - Email: Sethdc77@yahoo.co.uk
renya.ne.kr - Email: Sethdc77@yahoo.co.uk
renya.or.kr - Email: Sethdc77@yahoo.co.uk
renyn.kr - Email: Sethdc77@yahoo.co.uk
renyn.ne.kr - Email: Sethdc77@yahoo.co.uk
renyn.or.kr - Email: Sethdc77@yahoo.co.uk
renyo.co.kr - Email: Sethdc77@yahoo.co.uk
renyo.kr - Email: Sethdc77@yahoo.co.uk
renyo.ne.kr - Email: Sethdc77@yahoo.co.uk
renyo.or.kr - Email: Sethdc77@yahoo.co.uk
renyx.co.kr - Email: Sethdc77@yahoo.co.uk
renyx.kr - Email: Sethdc77@yahoo.co.uk
renyx.ne.kr - Email: Sethdc77@yahoo.co.uk
renyx.or.kr - Email: Sethdc77@yahoo.co.uk
rep021.co.kr - Email: DRendell3407@hotmail.com
rep021.kr - Email: DRendell3407@hotmail.com
rep021.ne.kr - Email: DRendell3407@hotmail.com
rep021.or.kr - Email: DRendell3407@hotmail.com
rep022.co.kr - Email: DRendell3407@hotmail.com
rep022.kr - Email: DRendell3407@hotmail.com
rep022.ne.kr - Email: DRendell3407@hotmail.com
rep022.or.kr - Email: DRendell3407@hotmail.com
rep023.co.kr - Email: DRendell3407@hotmail.com
rep023.kr - Email: DRendell3407@hotmail.com
rep023.or.kr - Email: DRendell3407@hotmail.com
rep024.kr - Email: DRendell3407@hotmail.com
rep071.co.kr - Email: KantuM37690@hotmail.com
rep071.kr - Email: KantuM37690@hotmail.com
rep071.ne.kr - Email: KantuM37690@hotmail.com
rep071.or.kr - Email: KantuM37690@hotmail.comrep072.co.kr - Email: KantuM37690@hotmail.com
rep072.kr - Email: KantuM37690@hotmail.com
rep072.ne.kr - Email: KantuM37690@hotmail.com
rep072.or.kr - Email: KantuM37690@hotmail.com
rep073.co.kr - Email: KantuM37690@hotmail.com
rep073.kr - Email: KantuM37690@hotmail.com
rep073.ne.kr - Email: KantuM37690@hotmail.com
rep073.or.kr - Email: KantuM37690@hotmail.com
rep074.co.kr - Email: KantuM37690@hotmail.com
rep074.ne.kr - Email: KantuM37690@hotmail.com
rep074.or.kr - Email: KantuM37690@hotmail.com
rep1051.co.uk
rep1051.me.uk
rep1051.org.uk
rep1051.uk.com
repak.co.kr - Email: limhomeslm@yahoo.co.uk
repak.kr - Email: limhomeslm@yahoo.co.uk
repak.ne.kr - Email: limhomeslm@yahoo.co.uk
repak.or.kr - Email: limhomeslm@yahoo.co.uk
repaz.co.kr - Email: Olb55768@yahoo.co.uk
repaz.kr - Email: Olb55768@yahoo.co.uk
repaz.or.kr - Email: Olb55768@yahoo.co.uk
repek.co.kr - Email: limhomeslm@yahoo.co.uk
repek.ne.kr - Email: limhomeslm@yahoo.co.uk
repek.or.kr - Email: limhomeslm@yahoo.co.uk
repey.co.kr - Email: Olb55768@yahoo.co.uk
repey.kr - Email: Olb55768@yahoo.co.uk
repey.ne.kr - Email: Olb55768@yahoo.co.uk
repey.or.kr - Email: Olb55768@yahoo.co.uk
repia.co.kr - Email: Olb55768@yahoo.co.uk
repia.kr - Email: Olb55768@yahoo.co.uk
repia.ne.kr - Email: Olb55768@yahoo.co.uk
repia.or.kr - Email: Olb55768@yahoo.co.uk
repik.co.kr - Email: limhomeslm@yahoo.co.uk
repik.kr - Email: limhomeslm@yahoo.co.ukrepik.or.kr - Email: limhomeslm@yahoo.co.uk
repok.co.kr - Email: limhomeslm@yahoo.co.uk
repok.kr - Email: limhomeslm@yahoo.co.uk
repok.ne.kr - Email: limhomeslm@yahoo.co.uk
repok.or.kr - Email: limhomeslm@yahoo.co.uk
repoy.co.kr - Email: Olb55768@yahoo.co.uk
repoy.kr - Email: Olb55768@yahoo.co.uk
repoy.ne.kr - Email: Olb55768@yahoo.co.uk
repoy.or.kr - Email: Olb55768@yahoo.co.uk
repo1i1.co.uk
repo1i1.me.uk
repo1i2.co.uk
repo1i2.me.uk
repo1i3.co.uk
repo1ie.co.uk
repo1io.co.uk
repo1iq.co.uk
repo1iq.me.uk
repo1it.me.uk
repo1iw.co.uk
repo1iw.me.uk
repo1ix.co.uk
repo1ix.me.uk
Name servers of notice:
ns1 .skcrealestate.net - 89.238.165.195 - Email: support@skrealty.net
ns1 .addressway.net - 89.238.165.195 - Email: poolbill@hotmail.com
ns1 .skcpanel.com - 64.20.42.235 - Email: support@sk.com
ns1 .holdinglory.com - 64.20.42.235 - Email: greysy@gmx.com
ns1 .skcres.com - 64.20.42.235 - Email: hr@skc.net
ns1 .x-videocovers.net - 64.20.42.235 - Email: storylink@live.com
Interestingly, researchers from M86 Security gained access to the web malware exploitation kit used in a previous campaign:
"It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times. These downloads do not include the PhotoArchive.exe file downloads that a user may be tricked into downloading and executing themselves."
Updated will be posted as soon as new developments emerge.
Related coverage of the gang's previous campaigns:
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
No comments:
Post a Comment