Monday, April 04, 2011

Summarizing Zero Day's Posts for March

The following is a brief summary of all of my posts at ZDNet's Zero Day for March. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Recommended reading:
01. Spamvertised 'You have received a gift from one of our members!' malware campaign
02. Report: malicious PDF files becoming the attack vector of choice
03. Ashton Kutcher's Twitter account hacked
04. Google tops comparative review of malicious search results -- again
05. Report: 3 million malvertising impressions served per day
06. Dear ISP, it's time to quarantine your malware-infected customers
07. SpyEye gets new DDoS functionality
08. Spamvertised DHL notifications lead to malware
09. Spamvertised FedEx notifications lead to malware
10. Rustock botnet's operations disrupted
11. Malicious Japan quake spam leads to scareware
12. Spamvertised United Parcel Service notifications lead to malware
13. Researchers release details on 34 SCADA vulnerabilities
14. Zombie PC Prevention Bill to make security software mandatory
15. Spamvertised Post Office Express Mail (USPS) emails lead to malware
16. New GpCode ransomware encrypts files, demands $125 for decryption
17. Mass SQL injection attack leads to scareware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Spamvertised DHL Notifications Scareware Campaign

Yet another currently spamvertised campaign is impersonating DHL for scareware serving purposes.

Sample subjects: DHL notification #random number
Sample message: Dear customer! The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd.
Sample filenames: DHL_tracking.zip; doc.zip; dhl.zip

Detection rates:
dhl.exe - Backdoor:Win32/Hostil.gen!A - Result: 22/40 (55.0%)
MD5   : 87d778169ae14d934b92ce628b5cfde4
SHA1  : 20787fde3b7fde64cc3892c4df9a4eb2a2515830
SHA256: 6b54ff520fa6ff504f5f2f0c33af8b92424f0b538a760f4eb983d76007d3fe54

dhl.exe downloads an additional binary from puskovayaustanovka.ru/pusk2.exe - 46.161.20.66 - Email: admin@puskovayaustanovka.ru

pusk2.exe - Trojan.Fakealert.20509 - Result: 11/41 (26.8%)
MD5   : a9be091eedea947f8626d11042e0d9be
SHA1  : 9c1d399d47a6ef6081553a101ab48fca61859db4
SHA256: d4f5802a392c0851d5e19118d56cc8b578f1a07085aa5772cbdcf484608ed094

Upon execution phones back to the following domains:

The domains resolve to IPs in the following ASs: AS18866; AS32097:

Monitoring of the campaign is ongoing.
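As an added example (not part of the original post), here is a small Python triage helper that applies the indicators published above (the two executable hashes, the download host and its IP, and the subject/attachment-name lure pattern) to constructed mail-gateway and proxy log lines. The log format and the function names are assumptions made for the example.

```python
import re

# Indicators taken from the campaign write-up above.
KNOWN_SHA256 = {
    "6b54ff520fa6ff504f5f2f0c33af8b92424f0b538a760f4eb983d76007d3fe54": "dhl.exe (Backdoor:Win32/Hostil.gen!A)",
    "d4f5802a392c0851d5e19118d56cc8b578f1a07085aa5772cbdcf484608ed094": "pusk2.exe (Trojan.Fakealert.20509)",
}
DOWNLOAD_HOST = "puskovayaustanovka.ru"
DOWNLOAD_IP = "46.161.20.66"
# Subject lure: "DHL notification #<random number>"
SUBJECT_RE = re.compile(r"^DHL notification #\d+$", re.IGNORECASE)
LURE_ATTACHMENTS = {"dhl_tracking.zip", "doc.zip", "dhl.zip"}


def classify_mail(subject, attachment, exe_sha256):
    """Return (verdict, reason) for one inbound message.

    exe_sha256 is the hash of the executable extracted from the
    attachment (empty string when the attachment holds none).
    """
    if exe_sha256 and exe_sha256.lower() in KNOWN_SHA256:
        return "block", "known sample: " + KNOWN_SHA256[exe_sha256.lower()]
    subj_hit = bool(SUBJECT_RE.match(subject.strip()))
    name_hit = attachment.strip().lower() in LURE_ATTACHMENTS
    if subj_hit and name_hit:
        return "quarantine", "DHL lure subject with known lure attachment name"
    if subj_hit or name_hit:
        return "review", "partial match on DHL lure pattern"
    return "allow", "no campaign indicators"


def classify_proxy(host, ip=None):
    """Flag an outbound request to the second-stage download host."""
    if host.strip().lower() == DOWNLOAD_HOST or ip == DOWNLOAD_IP:
        return "block"
    return "allow"


# Constructed sample gateway log: subject|attachment|sha256-of-extracted-exe
SAMPLE_MAIL_LOG = """\
DHL notification #48213|DHL_tracking.zip|
Invoice for March|invoice.pdf|
Your order|dhl.zip|6b54ff520fa6ff504f5f2f0c33af8b92424f0b538a760f4eb983d76007d3fe54
"""


def scan_mail_log(text):
    """Return the verdict for each line of a pipe-separated gateway log."""
    verdicts = []
    for line in text.splitlines():
        subject, attachment, sha = line.split("|")
        verdicts.append(classify_mail(subject, attachment, sha)[0])
    return verdicts
```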

Related posts:
Spamvertised Post Office Express Mail (USPS) Emails Serving Malware
Spamvertised United Parcel Service notifications serve malware
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware