Tuesday, March 23, 2010

GazTransitStroy/GazTranZitStroy: From Scareware to Zeus Crimeware and Client-Side Exploits


Remember 2009's GazTransitStroy/GazTranZitStroy LLC, AS29371?

The fake Russian gas company whose motto was "In gaz we trust"? It appears that, in order to stay competitive within the cybercrime ecosystem, they are now diversifying their offerings: from hosting scareware domains and redirectors, to active Zeus crimeware campaigns, alongside client-side exploit serving campaigns used as the infection vector.
From last week's active Zeus C&Cs:

To this week's active Zeus campaigns:

GazTransitStroy is still in operation, acting as a route for malicious activity in the very same way it interacted with other cybercrime-friendly ASs (EUROHOST-NET/Eurohost LLC) during 2009. Let's take a quick snapshot of the malicious activity currently taking place at AS29371.

Detection rate for the Zeus crimeware phoning back to GazTransitStroy/GazTranZitStroy:
- Trojan.Zbot - Result: 8/41 (19.52%)
- TROJ_KRAP.SMDA - Result: 5/42 (11.91%)
- Packed.Win32.Krap.ae - Result: 10/42 (23.81%)

Client-side exploit serving domains/admin panels parked at 91.212.41.87 (the served sample is detected as Spammer:Win32/Tedroo.AB; Win32:FakeAlert-JJ - Result: 31/42 (73.81%)):

It's worth pointing out that in February a much more extensive portfolio of domains was parked on 195.88.190.30, and a small part of them are now responding from the GazTransitStroy/GazTranZitStroy AS:

Fake codecs serving domains parked at 91.212.41.88:

A sample redirection chain, starting from one of the sampled domains:
- yahoo-movies-online.com/ iframe7.php
    - real-web-tube.com/ xplay.php?id=40018 - 59.53.91.124
        - multimediasupersite.com/ video-plugin.40018.exe - 62.212.66.93

The served video-plugin.40018.exe (W32/FakeAlert.FT.gen!Eldorado - Result: 10/42 (23.81%)) phones back to:
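As an added illustration (not code from the original post), the following Python reconstructs an iframe → redirector → fake-codec download chain of the kind shown above from proxy log lines, by walking referers backwards from any `video-plugin.NNNN.exe` download and checking that the `xplay.php?id=` hop carries the same id. The log format, the client IPs and the matching rule are constructed assumptions; the hostnames in the sample are the ones from the chain above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: "<client> <url> <referer>" ('-' = no referer).
PROXY_LOG = """\
10.0.0.5 http://yahoo-movies-online.com/iframe7.php http://yahoo-movies-online.com/
10.0.0.5 http://real-web-tube.com/xplay.php?id=40018 http://yahoo-movies-online.com/iframe7.php
10.0.0.5 http://multimediasupersite.com/video-plugin.40018.exe http://real-web-tube.com/xplay.php?id=40018
10.0.0.5 http://yourartmuseum.com/fakbwq.php?q=Zm9vYmFy -
10.0.0.7 http://example.org/download/video-plugin.exe http://example.org/
"""

FAKE_CODEC_EXE = re.compile(r"/video-plugin\.(\d+)\.exe$")   # payload name carries an id
REDIRECTOR = re.compile(r"/[a-z]*play\.php\?id=(\d+)")       # the xplay.php?id=NNNN hop

def parse_log(text):
    """Yield (client, url, referer) tuples; '-' becomes None."""
    for line in text.splitlines():
        client, url, ref = line.split()
        yield client, url, (None if ref == "-" else ref)

def walk_chain(url, ref_by_url):
    """Follow referers backwards from url; returns the chain in request order."""
    chain, seen = [url], {url}
    while (prev := ref_by_url.get(chain[-1])) and prev not in seen:
        chain.append(prev)
        seen.add(prev)
    return list(reversed(chain))

def find_fake_codec_chains(text):
    """Return {client: chain} for .exe downloads reached via a play.php?id= hop
    whose id equals the number embedded in the executable's file name."""
    refs = defaultdict(dict)          # client -> {url: referer}
    for client, url, ref in parse_log(text):
        if ref:
            refs[client][url] = ref
    hits = {}
    for client, ref_by_url in refs.items():
        for url in ref_by_url:
            m = FAKE_CODEC_EXE.search(urlparse(url).path)
            if not m:
                continue
            chain = walk_chain(url, ref_by_url)
            ids = [r.group(1) for hop in chain if (r := REDIRECTOR.search(hop))]
            if m.group(1) in ids:     # redirector id matches the payload name
                hits[client] = chain
    return hits
```

The post-infection beacon (fakbwq.php?q=...) has no referer, so it is deliberately not part of the reconstructed chain; it would be matched separately as phone-home traffic.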

Domains hosting the fake codec plugin are parked at 62.212.66.93:

In gaz they trust, cybercriminals I don't trust.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
