Monday, April 12, 2010

Dissecting Northwestern Bank's Client-Side Exploits Serving Site Compromise


It's one thing to indirectly target a bank's reputation by brand-jacking it for phishing or malware servince purposes, and entirely another when the front page of the bank (NorthWesternBankOnline.com) itself is embedded with an iFrame leading to client-side exploits, to ultimately serve a copy of Backdoor.DMSpammer.
This is exactly what happened on Friday, with the front page of the Northwestern Bank of Orange City and Sheldon, Iowa acting as an infection vector. And although the site is now clean, the compromise offers some interesting insights into the multitasking on behalf of some of the most prolific malware spreaders for Q1, 2010.
How come? The iFrame domain used in the Northwestern Bank's campaign, is parked on the very same IP (59.53.91.192 - AS4134, CHINA-TELECOM China Telecom) that is still active, and was profiled in last month's spamvertised "Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild" campaign.


The iFrame embedded on the front page of Northwestern Bank's web site, mumukafes.net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru, redirects through the following directories, to ultimately attempt to serve client-side exploits through the copycat Phoenix Exploit Kit web malware exploitation kit:

- mumukafes.net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru
    - sobakozgav.net /index.php - 59.53.91.192
        - sobakozgav.net /tmp/newplayer.pdf - CVE-2009-4324
            - sobakozgav.net /l.php?i=16
                - sobakozgav.net /statistics.php

Parked on the same IP (59.53.91.192) are also the following domains, all of which have been seen serving client-side exploits in previous campaigns:
aaa.fozdegen.com - Email: mated@freemailbox.ru
bbb.fozdegen.com - Email: mated@freemailbox.ru
cogs.trfafsegh.com - Email: maple@qx8.ru
countrtds.ru - Email: thru@freenetbox.ru
dogfoog.net - Email: drier@qx8.ru
eee.fozdegen.com - Email: mated@freemailbox.ru
fff.sobakozgav.net - Email: mated@freemailbox.ru
fozdegen.com - Email: mated@freemailbox.ru
lll.sobakozgav.net - Email: mated@freemailbox.ru
mumukafes.net - Email: mated@freemailbox.ru
sobakozgav.net - Email: mated@freemailbox.ru
trfafsegh.com - Email: maple@qx8.ru


Moreover, there are also active ZeuS C&Cs on the same IP - 59.53.91.192, with the following detection rates for the currently active binaries:
- exe1.exe - Trojan/Win32.Zbot.gen; Trojan-Spy.Win32.Zbot - Result: 32/38 (84.22%)
- exe.exe - Backdoor.DMSpammer - Result: 23/39 (58.97%)
- svhost.exe - Trojan.Win32.Swisyn; Trojan.Win32.Swisyn.acfo - Result: 33/38 (86.85%)
- vot.exe - Trojan.Spy.ZBot.EOR; TSPY_ZBOT.SMG - Result: 15/38 (39.48%)

Detection rates for the campaign files obtained through Northwestern Bank's client-side exploit serving campaign:
- js.js - Mal/ObfJS-CT; JS/Crypted.CV.gen - Result: 3/39 (7.7%)
- newplayer.pdf - Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EP - Result: 22/39 (56.42%)
- update.exe - Backdoor.DMSpammer - Result: 24/39 (61.54%)

The sampled update.exe phones back to the following locations: 
usrdomainn.net /n2/checkupdate.txt - 122.70.149.12, AS38356, TimeNet - Email: paulapruyne13@gmail.com
usrdomainn.net /n2/tuktuk.php
usrdomainn.net /n2/getemails.php
usrdomainnertwesar.net /n2/getemails.php
usrdomainnertwesar.net /n2/checkupdate.txt
usrdomainnertwesar.net /n2/tuktuk.php
 

AS38356, TimeNet is most recently seen in the migration of the money mule recruiters "Keeping Money Mule Recruiters on a Short Leash - Part Four", with tuktuk.php literally translated as herehere.php.

The site is now clean, however, the iFrame domains and ZeuS C&Cs remain active.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

No comments:

Post a Comment