Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560

A spamvertised through Facebook personal messages, Photo Album themed campaign, with the domain IP responding to ZeuS C&Cs, combined with an indirect connection between this campaign and the "100,000+ Scareware Serving Fake YouTube Pages Campaign", followed by a domain portfolio used in a currently active mass SQL injection attack serving CVE-2007-5659 exploits, parked within the same AS as the Facebook's campaign itself.

What else is missing? The details of course.

DM spamvertised URL: online-photo-albums.org -, AS42560, BA-GLOBALNET-AS - Email: protect@privacy.com.ua

Detection rate: album.exe - Win32.DownloaderReno; Backdoor.Win32.Kbot.anj - Result: 12/41 (29.27%)
MD5: d24aa2c364d4b86f75a09362c952a838
SHA1: 3973c547b64d166ae807eec494c373efd53ac04c

Creates 1.exe; 2.exe and the self-destructing 3.exe. Detection rates:
- 1.exe - Result: 0/41 (0.00%)
MD5: fbd0a495d3409123d0e90a9a734cbbc1
SHA1: ce527267f50b433c622e5da0db5515a4d2e4ae9c

- 2.exe - Win32.DownloaderReno; Sus/UnkPacker - Result: 10/41 (24.39%)
MD5: 7a4feaf8d9acf982d0cbeb437e4f7c3d
SHA1: 39b280d0d2ec505a94415f7a9468a547fee51c66

with 3.exe phoning back to the following domain, also responding to the original campaign's IP
spmfb3309.com /ab/setup.php?act=filters&id=BWKJD0NWLt3pn2Vh6YIhhBe3&ver=2

inetnum: -
netname:        MAXIMUS-NET-SERVICES
remarks: ### in case of abuse please contact: godaccs@gmail.com ###
descr:          Maximus hosting services
country:        MD
admin-c:        JB1004
tech-c:         JB1004
status:         ASSIGNED PA
mnt-by:         BA-GLOBALNET
changed:        bosko@globalnet.ba 20100528
source:         RIPE

person:         Jerkovic Bosko
address:        Josipa Vancasa 10
address:        71000 Sarajevo
address:        Bosnia and Herzegovina
phone:          +387 33 221093
e-mail:         bosko@globalnet.ba
nic-hdl:        JB1004
mnt-by:         BA-GLOBALNET
changed:        bosko@globalnet.ba 20070309
source:         RIPE

Surprise, surprise, where do we know that godaccs@gmail.com abuse email from? From the previously profiled "Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign". In particular:

- AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com
- AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com

Responding to (online-photo-albums.org) are also the following domains:
hyporesist.com - Email: Kyle.MoodyAl@yahoo.com - Used to register ever52592g.com; miror-counter.org; mnfrekjivr.com
newsbosnia.org - Email: qggrvpvwiw@whoisservices.cn - ZeuS crimeware C&C
online-photo-albums.org - Email: protect@privacy.com.ua
search-static.org - Email: Kyle.MoodyAl@yahoo.com
spmfb2299.com - Email: laycxpqguk@whoisservices.cn
spmfb3309.com - Email: qhyfafvqyh@whoisservices.cn
vostokgear.org - Email: afgjvubuym@whoisservices.cn

Where's the mass SQL injection attack connection? Within AS42560, responding to are also the following domains, part of the campaign:

google-server09.info - Email: kit00066@gmail.com
google-server10.info - Email: kit00066@gmail.com
google-server11.info - Email: kit00066@gmail.com
google-server12.info - Email: kit00066@gmail.com
google-server14.info - Email: kit00066@gmail.com
google-server29.info - Email: kit00066@gmail.com
google-server31.info - Email: kit00066@gmail.com
jhuiuhxfgxhlfkjhjth.info - Email: kit00066@gmail.com
jhuiuhxfgxhtfkjhjth.info - Email: kit00066@gmail.com
jhuluhxfgxhlfkjhjth.info - Email: kit00066@gmail.com
top-teen-porn.info - Email: kit00066@gmail.com

Sample mass injection URLs:
google-server09.info/ urchin.js
google-server10.info/ urchin.js
google-server11.info/ urchin.js
google-server12.info/ urchin.js
google-server14.info/ urchin.js
google-server29.info/ urchin.js
google-server31.info/ urchin.js
jhuiuhxfgxhlfkjhjth.info/ urchin.js
jhuiuhxfgxhtfkjhjth.info/ urchin.js
jhuluhxfgxhlfkjhjth.info/ urchin.js

Detection rate:
- urchin.js - Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76%)
MD5: 3f2bc50c30ed8e7997b3de3d528d0ed5
SHA1: 66d6edef711516201f20fce676175ad16777e162

Sample exploitation structure from the mass SQL injection campaign:
- google-server31.info /urchin.js
        - Scanner-Album.com/?affid=382&subid=landing -, AS49087, Telos-Solutions-AS - Email: systemman_mk@gmail.com
            - websitecoolgo.com/cgi-bin /158 - - AS6851, BKCNET "SIA" IZZI - Email: marcomarcian@hotmailbox.com
                - websitecoolgo.com /cgi-bin/random content leading to CVE-2007-5659

Parked on (Scanner-Album.com), AS49087, Telos-Solutions-AS:
automaticsecurityscan.com - Email: robertwatkins@hotmailbox.com
bigsecurityscan.com - Email: robertwatkins@hotmailbox.com
bigsecurityscan.com - Email: robertwatkins@hotmailbox.com
blacksecurityscan.com - Email: robertwatkins@hotmailbox.com
edscorpor.com - Email: leonschmura@hotmailbox.com
edsctrum.com - Email: admin@edsfiles.com
edsfiles.com - Email: leonschmura@hotmailbox.com
edsfilles.com - Email: leonschmura@hotmailbox.com
edsletter.com - Email: leonschmura@hotmailbox.com
edslgored.com - Email: leonschmura@hotmailbox.com
edsnewter.com - Email: leonschmura@hotmailbox.com
edsogos.com - Email: leonschmura@hotmailbox.com
edsspectr.com - Email: leonschmura@hotmailbox.com
edstoox.com - Email: leonschmura@hotmailbox.com
findsecurityscan.com - Email: robertwatkins@hotmailbox.com
memory-scanner.com - Email: systemman_mk@gmail.com
onefindup.org - Email: JamesHying@xhotmail.net
scanner-album.com - Email: systemman_mk@gmail.com
scanner-definition.com - Email: rutkowski_m3@gmail.com
scanner-hardware.com - Email: systemman_mk@gmail.com
scanner-master.com - Email: systemman_mk@gmail.com
scanner-models.com - Email: systemman_mk@gmail.com
scanner-profile.com - Email: systemman_mk@gmail.com
scanner-programming.com - Email: systemman_mk@gmail.com
scanner-supplies.com - Email: rutkowski_m3@gmail.com
scanner-tips.com - Email: systemman_mk@gmail.com
searchdubles.org - Email: MerleMeisin@xhotmail.net
searchmartiup.org - Email: MerleMeisin@xhotmail.net
searchprasup.org - Email: MerleMeisin@xhotmail.net
searchprodinc.org - Email: MerleMeisin@xhotmail.net
searchprodinc.org - Email: MerleMeisin@xhotmail.net
searchtanup.org - Email: MerleMeisin@xhotmail.net

Responding to and (websitecoolgo.com) within AS6851, BKCNET "SIA" IZZI are also the following domains participation in different campaigns:
internetgotours.com - Email: marcomarcian@hotmailbox.com
mediaboomgo.com - Email: paulalameda@hotmailbox.com
mediagotech.com - Email: marcomarcian@hotmailbox.com
mediaracinggo.com - Email: paulalameda@hotmailbox.com
netgozero.com - Email: marcomarcian@hotmailbox.com
nethealthcarego.com - Email: marcomarcian@hotmailbox.com
networkget.com - Email: marcomarcian@hotmailbox.com
networksportsgo.com - Email: marcomarcian@hotmailbox.com
patricknetgo.com - Email: paulalameda@hotmailbox.com
webaliveget.com - Email: paulalameda@hotmailbox.com
webcoolgo.com - Email: paulalameda@hotmailbox.com
webgettraffic.com - Email: paulalameda@hotmailbox.com
webgetwisdom.com - Email: marcomarcian@hotmailbox.com
webgetwise.com - Email: marcomarcian@hotmailbox.com
webgoengine.com - Email: paulalameda@hotmailbox.com
webgosolutions.com - Email: paulalameda@hotmailbox.com
webmagicgo.com - Email: paulalameda@hotmailbox.com
websitecoolgo.com - Email: marcomarcian@hotmailbox.com
websiteget.com - Email: marcomarcian@hotmailbox.com

The rise of custom abuse emails, conveniently offered to cybercrime-friendly dedicated customers?

It's worth pointing out that godaccs@gmail.com a.k.a Complife, Ltd is conveniently responsible for- AS42560, BA-GLOBALNET-AS; AS43134, Donstroy Ltd; and AS42560, MAXIMUS-NET-SERVICES, followed by piotrek89@gmail.com responsible for AS6851, BKCNET "SIA" IZZI (used by the Koobface gang, also seen in the following campaigns Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns; GoDaddy's Mass WordPress Blogs Compromise Serving Scareware).

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.


Post a Comment

Note: Only a member of this blog may post a comment.

My Instagram