Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560

June 15, 2010

A Photo Album themed campaign spamvertised through Facebook personal messages, whose domain's IP also responds to ZeuS C&Cs; an indirect connection between this campaign and the "100,000+ Scareware Serving Fake YouTube Pages Campaign"; and a domain portfolio used in a currently active mass SQL injection attack serving CVE-2007-5659 exploits, parked within the same AS as the Facebook campaign itself.

What else is missing? The details of course.

DM spamvertised URL: online-photo-albums.org - 77.78.239.4, AS42560, BA-GLOBALNET-AS - Email: protect@privacy.com.ua

Detection rate: album.exe - Win32.DownloaderReno; Backdoor.Win32.Kbot.anj - Result: 12/41 (29.27%)
MD5: d24aa2c364d4b86f75a09362c952a838
SHA1: 3973c547b64d166ae807eec494c373efd53ac04c

album.exe creates 1.exe, 2.exe and the self-destructing 3.exe. Detection rates:
- 1.exe - Result: 0/41 (0.00%)
MD5: fbd0a495d3409123d0e90a9a734cbbc1
SHA1: ce527267f50b433c622e5da0db5515a4d2e4ae9c

- 2.exe - Win32.DownloaderReno; Sus/UnkPacker - Result: 10/41 (24.39%)
MD5: 7a4feaf8d9acf982d0cbeb437e4f7c3d
SHA1: 39b280d0d2ec505a94415f7a9468a547fee51c66

3.exe phones back to the following domain, which also responds to the original campaign's IP 77.78.239.4:
spmfb3309.com /ab/setup.php?act=filters&id=BWKJD0NWLt3pn2Vh6YIhhBe3&ver=2

inetnum:        77.78.239.0 - 77.78.240.255
netname:        MAXIMUS-NET-SERVICES
remarks: ### in case of abuse please contact: godaccs@gmail.com ###
descr:          Maximus hosting services
country:        MD
admin-c:        JB1004
tech-c:         JB1004
status:         ASSIGNED PA
mnt-by:         BA-GLOBALNET
changed:        bosko@globalnet.ba 20100528
source:         RIPE

person:         Jerkovic Bosko
address:        Josipa Vancasa 10
address:        71000 Sarajevo
address:        Bosnia and Herzegovina
phone:          +387 33 221093
e-mail:         bosko@globalnet.ba
nic-hdl:        JB1004
mnt-by:         BA-GLOBALNET
changed:        bosko@globalnet.ba 20070309
source:         RIPE


Surprise, surprise, where do we know that godaccs@gmail.com abuse email from? From the previously profiled "Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign". In particular:

- AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com
- AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com

Responding to 77.78.239.4 (online-photo-albums.org) are also the following domains:
hyporesist.com - Email: Kyle.MoodyAl@yahoo.com - Used to register ever52592g.com; miror-counter.org; mnfrekjivr.com
newsbosnia.org - Email: qggrvpvwiw@whoisservices.cn - ZeuS crimeware C&C
online-photo-albums.org - Email: protect@privacy.com.ua
search-static.org - Email: Kyle.MoodyAl@yahoo.com
spmfb2299.com - Email: laycxpqguk@whoisservices.cn
spmfb3309.com - Email: qhyfafvqyh@whoisservices.cn
vostokgear.org - Email: afgjvubuym@whoisservices.cn

Where's the mass SQL injection attack connection? Within AS42560, responding to 77.78.239.56 are also the following domains, part of the campaign:

Sample mass injection URLs:

Detection rate:
- urchin.js - Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76%)
MD5: 3f2bc50c30ed8e7997b3de3d528d0ed5
SHA1: 66d6edef711516201f20fce676175ad16777e162

Sample exploitation structure from the mass SQL injection campaign:
- google-server31.info /urchin.js
        - Scanner-Album.com/?affid=382&subid=landing - 91.212.127.19, AS49087, Telos-Solutions-AS - Email: systemman_mk@gmail.com
            - websitecoolgo.com/cgi-bin /158 - 91.188.59.220 - AS6851, BKCNET "SIA" IZZI - Email: marcomarcian@hotmailbox.com
                - websitecoolgo.com /cgi-bin/random content leading to CVE-2007-5659
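As an added example (not from the post or its author), a Python scanner for stored page content that flags script tags loading urchin.js from any host other than Google Analytics' own, the pattern behind the injected google-server31.info /urchin.js reference above. It assumes the injection lands as a <script src> tag in stored HTML (the usual form of these injections, not stated on the page); the sample rows are constructed.

```python
# Added example (not the post author's tooling): flag <script> tags loading
# urchin.js from any host other than Google Analytics' own, the pattern behind the
# injected google-server31.info /urchin.js above. Assumed: the mass SQL injection
# plants a <script src=...> tag into stored HTML content (not stated on the page).
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts Google served urchin.js from; any other external host is suspect.
LEGIT_URCHIN_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}

class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v.strip() for k, v in attrs if k == "src" and v)

def suspicious_urchin_refs(html):
    """Return script URLs that load urchin.js from an external, non-Google host.
    Relative paths are left alone: a site may host its own copy."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        url = urlparse(src)  # handles http://, https:// and //host forms
        host = (url.hostname or "").lower()
        if (host and host not in LEGIT_URCHIN_HOSTS
                and url.path.lower().endswith("urchin.js")):
            hits.append(src)
    return hits

def scan_rows(rows):
    """Map each (table, id, column) key of stored DB content to its suspicious
    script URLs, omitting clean rows."""
    return {key: hits for key, hits in
            ((k, suspicious_urchin_refs(v)) for k, v in rows.items()) if hits}

# Constructed sample of stored content: row 17 carries an injected tag pointing
# at a host named in the post, row 18 a legitimate Google Analytics loader.
SAMPLE_ROWS = {
    ("news", 17, "body"): '<p>Quarterly results</p>'
    '<script src="http://google-server31.info/urchin.js"></script>',
    ("news", 18, "body"): '<script src="http://www.google-analytics.com/urchin.js"'
    ' type="text/javascript"></script><p>Contact us</p>',
    ("news", 19, "body"): "<p>Nothing injected here</p>",
}
```

Running scan_rows over a dump of the site's text columns points straight at the rows that need cleaning and at the hosts to block at the egress proxy.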


Parked on 91.212.127.19 (Scanner-Album.com), AS49087, Telos-Solutions-AS:

Responding to 91.188.59.220 and 91.188.59.221 (websitecoolgo.com) within AS6851, BKCNET "SIA" IZZI are also the following domains, participating in different campaigns:

The rise of custom abuse emails, conveniently offered to cybercrime-friendly dedicated customers?

It's worth pointing out that godaccs@gmail.com, a.k.a. Complife, Ltd, is conveniently responsible for AS42560, BA-GLOBALNET-AS; AS43134, Donstroy Ltd; and AS42560, MAXIMUS-NET-SERVICES, followed by piotrek89@gmail.com, responsible for AS6851, BKCNET "SIA" IZZI (used by the Koobface gang, and also seen in the following campaigns: Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns; GoDaddy's Mass WordPress Blogs Compromise Serving Scareware).

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
