Thursday, May 13, 2010

Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns
What do the recently spamvertised "Thank you for buying iTunes Gift Certificate!" and the "Look at my CV!" themed malware campaigns have in common?

It's the fact that they've been launched by the same individual/gang. What's particularly interesting about the campaign is that it relies on a currently compromised web server with a publicly accessible PHP based backdoor. The exact same approach is used on a large scale by the Koobface gang in order to efficiently control the compromised sites involved in their Facebook spreading campaigns.

Moreover, upon successful infection the campaign is not just pushing scareware: the binaries found within the open directory indicate that a ZeuS crimeware binary has been in circulation for a while. Let's dissect the campaign and establish the obvious connection.

Detection rates, phone back locations
- iTunes_certificate_497.exe - TrojanDropper:Win32/Oficla.G - Result: 39/41 (95.12%)

Upon execution phones back to:
- davidopolko.ru/migel/ bb.php?v=200&id=554905388&b=6may&tm=3
    - jaazle.com/wp-includes /js/tinymce/themes/advanced/psihi.exe

- phishi.exe - Gen:Trojan.Heur.TP.bmX@bins2Eb; Backdoor.Win32.Protector.ao - Result: 24/41 (58.54%), which ultimately drops scareware on the infected host.

Both campaigns are related, since they use the same command and control server, which is periodically updated with new URLs pointing to compromised sites. The detection rates and phone back locations for the second campaign are as follows:

- My_Resume_218.exe - W32/Oficla.O; Gen:Variant.Bredo.4 - Result: 17/41 (41.46%)

Upon execution, the sample phones back to the following URLs in an attempt to drop the related binaries:
- davidopolko.ru/migel/bb.php?v=200 &id=636608811&b=12may&tm=2 - 195.78.108.201 - Email: vadim.rinatovich@yandex.ru
    - topcarmitsubishi.com.br /_vti_bin/_vti_adm/psi.exe - 201.76.146.215
    - davidopolko.ru /psi.exe; davidopolko.ru /setupse2010.exe

topcarmitsubishi.com.br appears to be a compromised site with an open directory, which made it easy to obtain the rest of the binaries used by the same gang/individual.

Detection rates for the binaries within the open directory, including the dropped scareware:
- psi.exe - TrojanDownloader:Win32/Cutwail.gen!C; Backdoor.Win32.Protector.at - Result: 17/41 (41.47%)
- sofgold.exe - Trojan.Fakealert.14822; W32/Junkcomp.A - Result: 15/41 (36.59%)
- sp.exe - PWS:Win32/Zbot.gen!R; a variant of Win32/Kryptik.EGZ - Result: 5/41 (12.2%)
- ustest.exe - Net-Worm.Win32.Kolab - Result: 4/41 (9.76%)
- firewall.dll - Trojan:Win32/Fakeinit; Win32/TrojanDownloader.FakeAlert.ASI - Result: 20/40 (50%)
- SetupSE2010.exe - W32/FakeAV.AM!genr; CoreGuardAntivirus2009 - Result: 29/41 (70.74%)

Phone back locations and C&Cs of the 4 samples:
- mystaticdatas.ru /base1/ess.cfg - 195.88.144.63, AS48984, VLAF-AS Vlaf Processing Ltd - Email: mail2businessman@gmail.com - the same email has been profiled before
- get-money-now.net/loads.php? code=000000000048170 - 91.188.59.211, AS6851, BKCNET "SIA" IZZI - Email: noxim@maidsf.ru
    - get-money-now.net/ firewall.dll
    - get-money-now.net/cgi-bin/ware.cgi? adv=000000000048170
- mamapapalol.com/cgi-bin/get.pl? l=000000000048170 - 88.80.4.19, AS33837, PRQ-AS - Email: security2guard@gmail.com
- SGTSRX.jackpotmsk.ru - FAST FLUX - Email: alskudryav@yandex.ru
- JETIHB.piterfm1.ru - FAST FLUX - Email: alskudryav@yandex.ru
- UDUMOM.bingoforus.ru - FAST FLUX - Email: alskudryav@yandex.ru
- ZMOWOE.rusradio1.ru - FAST FLUX - Email: alskudryav@yandex.ru
- funnylive2010.ru - domain part of the fast flux infrastructure - Email: kurk@sovbiz.net
- wapdodoit.ru - domain part of the fast flux infrastructure - Email: sharan812@yandex.ru
Related domains parked on 88.80.4.19 (mamapapalol.com/cgi-bin/get.pl? l=000000000048170):
- buy-is2010.com - Email: vasya@mail.ru
- buy-security-essentials.com - Email: noxim@maidsf.ru
- for-sunny-se.com - Email: noxim@maidsf.ru
- for-sunny-smile.com - Email: vasya@mail.ru
- mega-scan-pc-new14.com - Email: noxim@maidsf.ru
- red-xxx-tube.net - Email: noxim@maidsf.ru
- sunny-money1.com - Email: noxim@maidsf.ru
- winter-smile.com - Email: vasya@mail.ru
- megahosting10.com
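As an added example (not code from the original post), the following Python pivots on two patterns the post documents: the bb.php check-in that always carries the v, id, b and tm parameters, and the affiliate code 000000000048170 that recurs across get-money-now.net and mamapapalol.com under different parameter names. The proxy log lines are constructed; the hostnames and the affiliate code are taken from the lists above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not real captures): "<timestamp> <client> <url>".
SAMPLE_LOG = """\
2010-05-12T10:01:02 10.0.0.7 http://davidopolko.ru/migel/bb.php?v=200&id=636608811&b=12may&tm=2
2010-05-12T10:01:05 10.0.0.7 http://topcarmitsubishi.com.br/_vti_bin/_vti_adm/psi.exe
2010-05-12T10:02:11 10.0.0.7 http://get-money-now.net/loads.php?code=000000000048170
2010-05-12T10:02:40 10.0.0.7 http://get-money-now.net/cgi-bin/ware.cgi?adv=000000000048170
2010-05-12T10:03:01 10.0.0.7 http://mamapapalol.com/cgi-bin/get.pl?l=000000000048170
2010-05-12T10:05:00 10.0.0.9 http://example.org/index.php?id=42&v=1
"""

# The bb.php check-in on the page always carries exactly these four parameters.
CHECKIN_KEYS = {"v", "id", "b", "tm"}
# Query keys under which the scareware affiliate code appeared on the page.
AFFILIATE_KEYS = ("code", "adv", "l")

def parse_line(line):
    """Split one log line into host, path and a flat {key: value} query dict."""
    ts, client, url = line.split(" ", 2)
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"ts": ts, "client": client, "host": parts.hostname,
            "path": parts.path, "query": query}

def is_checkin(rec):
    """Match the bb.php beacon by its exact parameter set, independent of host."""
    return rec["path"].endswith("/bb.php") and set(rec["query"]) == CHECKIN_KEYS

def affiliate_code(rec):
    """Return the 15-digit affiliate code if the URL carries one, else None."""
    for key in AFFILIATE_KEYS:
        value = rec["query"].get(key, "")
        if re.fullmatch(r"\d{15}", value):
            return value
    return None

def analyze(log_text):
    """Return (check-in beacons, {affiliate code: sorted hosts sharing it})."""
    checkins, by_code = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_checkin(rec):
            checkins.append(rec)
        code = affiliate_code(rec)
        if code:
            by_code[code].add(rec["host"])
    return checkins, {c: sorted(h) for c, h in by_code.items()}
```

Running analyze(SAMPLE_LOG) yields one check-in beacon to davidopolko.ru and shows the affiliate code shared by get-money-now.net and mamapapalol.com, which is the pivot that ties the two scareware landing hosts together.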

Updates will be posted as soon as they switch to a new theme or introduce new monetization tactics.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.