Tuesday, May 04, 2010

U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise

UPDATED: Saturday, May 08, 2010: 5 new domains have been introduced by the same gang, once again parked at, AS49981, WorldStream.

jumpsearches.com - - Email: alex1978a@bigmir.net
ingeniosearch.net - - Email: alex1978a@bigmir.net
searchnations.com - - Email: alex1978a@bigmir.net
mainssearch.com - - Email: alex1978a@bigmir.net
bigsearchinc.com - - Email: alex1978a@bigmir.net

Sample exploitation structure:
- jumpsearches.com/bing.com /load.php?spl=mdac
    - jumpsearches.com/bing.com /error.js.php
        - jumpsearches.com/bing.com /pdf.php
            - jumpsearches.com/bing.com /?spl=2&br=MSIE&vers=7.0&s=
                - jumpsearches.com/bing.com /load.php?spl=pdf_2030
                    - jumpsearches.com/bing.com /load.php?spl=MS09-002

UPDATED: Thursday, May 06, 2010: The cybercriminals behind this ongoing campaign continue introducing new domains -- all of which are currently in a cover-up phrase pointing to -- over the past 24 hours. What's particularly interesting, is that all of them reside within AS49981, WorldStream = Transit Imports = -CAIW-, Netherlands.

- twcorps.com/tv/ - - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- jobsatdoor.com/plain/ - - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- oficla.com/plain/ - - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- organization-b.com/mail/ - - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- dilingdiling.com/router/ - - Email: alex1978a@bigmir.net, Prokopenko Aleksey

All the samples phone back to mazcostrol.com/inst.php?aid=blackout now responding to, AS49770, SERVERCONNECT-AS ServerConnect Sweden AB, from the previously known IP 

mazcostrol.com is not just a phone back location. It's also actively serving client-side exploits. Sample update obtained from the same domain:
- update4303.exe - Trojan.Win32.VBKrypt - Result: 5/41 (12.2%)

Not surprisingly, AS44565 and AS49770 where mazcostrol.com was hosted, are also the home of currently active ZeuS crimeware C&Cs.

AS49770 (SERVERCONNECT-AS ServerConnect Sweden AB)


UPDATED: A researcher just pinged me with details on something that I should be flattered with. Apparently grepad.com /in.cgi?4 redirects to /in_t.php which then redirects to my Blogger profile.

In fact, the IP of the client-side exploit serving domains also redirects there, with the actual campaign in a cover-up phrase, with the original domain now responding

Let's see for how long, until then, The Beatles - You Know My Name seems to be the appropriate music choice.

AVG and PandaLabs are reporting that the web sites of the U.S. Bureau of Engraving and Printing (bep.treas.gov; moneyfactory.gov) are serving client-side vulnerabilities that ultimately expose the visitor to scareware (The Ultimate Guide to Scareware Protection).

What's particularly interesting about this campaign is that, it's part of last month's NetworkSolutions mass WordPress blogs compromise, in the sense that not only is the iFrame-d domain registered using the same email as the client-side exploits serving domains from the NetworkSolutions campaign -- alex1978a@bigmir.net -- but also, the dropped scareware's phone back location -- mazcostrol.com/inst.php?aid=blackout - - Email: alex1978a@bigmir.net -- is identical to the one used in the same campaign, including the affiliate ID used by the original cybercriminal.

The client-side exploit serving domain used in the the U.S Treasury site compromise, has also been reported by a large number of NetworkSolutions customers in the most recent campaign affecting WordPress blogs.

The exploit-serving structure, including the detection rates for the dropped scareware and exploits used in the U.S Treasury compromise campaign, is as follows:

- grepad.com /in.cgi?3 -, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net
    - thejustb.com /just/ - (dyndon.com), AS49981 - Email: alex1978a@bigmir.net
        - thejustb.com /just/pdf.php
            - thejustb.com /just/1.pdf
                - thejustb.com /just/load.php?spl=javas
                    - thejustb.com /just/j1_893d.jar
                        - thejustb.com /just/j2_079.jar

- 1.pdf - Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44%)
- j1_893d.jar - Trojan-Downloader:Java/Agent.DJDN - Result: 5/41 (12.20%)
- j2_079.jar - EXP/Java.CVE-2009-3867.C.2; Exploit.Java.Agent.a - Result: 9/41 (21.96%)
- grepad.exe - Trojan.Generic.KD.10339; a variant of Win32/Injector.BNG - Result: 8/41 (19.51%)

Upon successful exploitation the dropped grepad.exe, phones back to to mazcostrol.com/inst.php?aid=blackout -, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net, with the same phone back location also used in the NetworkSolutions mass compromise campaign. 

Known MD5's used by the same campaigner from previous campaigns, phoning back to the same domain+identical affiliate ID:

Attempting to interact with the campaign's directories often results in a "nice try, idiot." message. Lovely!

Related posts:
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.