Friday, April 18, 2008

Phishing Emails Generating Botnet Scaling

A bigger and much more detailed picture is starting to emerge, with yet another spammed malware campaign courtesy of the botnet that is so far responsible for a massive flood of fake Windows updates, phishing emails targeting the usual diverse set of brands, fake yahoo greeting cards, and most recently delivering "executable news items", through Backdoor.Agent.AJU malware infected hosts.

Within the first five minutes, thirty-three (33) phishing emails were sent out from a sample infected host, all of them targeting NatWest, The National Westminster Bank Plc. Here are some samples, which of course never reached their recipients:

- Sender Address: "NatWest Internet Banking '2008"
  Recipient: <@fs1.ge.man.ac.uk>
  Subject: Natwest Bank Bankline: Confirm Your Login
  Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D19ecygtKZDzrozrznhOzn These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved.
  Attached File: "ods096.gif" (image/gif)

- Sender Address: "NatWest Bank On-line Banking'2008"
  Recipient: <@bbc.co.uk>
  Subject: Natwest OnLine Banking Important Notice From Technical Department Id: 9044
  Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D15urOBFDffkOkhOvp These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved.
  Attached File: "ods096.gif" (image/gif)

- Sender Address: "Natwest Bank Internet Banking Support"
  Recipient: <@yahoo.co.uk>
  Subject: NatWest Private and Corporate: Confirm Your Login Password
  Email Content: //ver2.natwest-commercial3.com/customerupdate?tag=3D24ecyuczfscwzbDtcwhhOkhOvp These directives are to be sent and followed by all members of the NatWest Private and Corporate Natwest does apologize for any problems caused, and is very thankful for your cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved.

- Sender Address: "Natwest Private and Corporate Support"
  Recipient: <@yahoo.co.uk>
  Subject: Natwest Bankline Internet Banking Important: Submit Your Records id: 1191
  Email Content: //pool32-nwolb20.com/customerupdate?cid=3D27kwszewcenzdFECKDtcwhhOkhOvp These directives are to be sent and followed by all customers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! *** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved.
  Attached File: "rwu909.gif" (image/gif)

- Sender Address: "Natwest Private and Corporate Support"
  Recipient: <@56bridgwater.fsnet.co.uk>
  Subject: Natwest Internet Banking: Please Update Your Internet Banking Details
  Email Content: //pool32-nwolb20.com/customerupdate?cid=3D37kwszewcnnhrrDRCfszlaucndsOoerdnOkhOvp These directives are to be sent and followed by all customers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! *** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved.
  Attached File: "rwu909.gif" (image/gif)

What makes an impression, besides the malicious economies of scale achieved through the malware infected hosts used for sending and, as we've already seen, for hosting the phishing pages and the malware itself? It's the campaign's targeted nature with respect to the segmented email database used to achieve a better response rate. The National Westminster Bank Plc is a U.K. bank, and 10 out of 15 email recipients are U.K. citizens; the rest are Italian users. Malware variants signal their presence to 66.199.241.98/forum.php and try to obtain campaigns to participate in. Here is a sample detection rate for the latest fake news items campaign, followed by more details on the domains and nameservers used in it:

news_report-pdf_content.exe
Scanners result : 14/31 (45.17%)
Backdoor.Win32.Agent.gvk; Backdoor:Win32/Agent.ACG
File size: 45056 bytes
MD5...: c4849207a94d1db4a0211f88e84b0b59
SHA1..: 32ef2a074d563370f46738565ecf9bb53c75909c
SHA256: 12a124cc2352f3ef68ddf06e0ed111c617d95cffd807dc502ae474960a60411c

An internal nameserver ecosystem within the botnet, active and resolving:


Yet another internal nameserver ecosystem within the botnet:


To sum up, these are all the domains currently active and used for the malware/spam/phishing campaigns on behalf of this botnet:

server52.org
set45.net
site83.net
sid95.com
shell54.com
siteid64.com
setup36.com
share73.com
service28.biz

There are several scenarios related to this particular botnet. It is the same piece of malware that keeps adding new zombies to the infected population, but the diversity of the campaigns, together with the fact that share73.com, for instance, is registered by casta4000 @ mail.ru and is in the "reklama uslug" business, which translates to advertising services (in this case sending spam and phishing emails on demand), means that access to the botnet could either be offered on demand, or the service itself could be performed in a typical managed spamming appliance, outsourced business model. Are they also vertically integrating with respect to fast-flux? Yes they are, since they're achieving it without hiring a managed fast-flux provider, which doesn't exclude the possibility that they are in fact one themselves, as they evidently have the capability to become one.

Wednesday, April 16, 2008

Fake Yahoo Greetings Malware Campaign Circulating

The persistence of certain botnet masters cannot go unnoticed, even if you're used to going through over a dozen active malware campaigns per day; in this case it's their persistence that makes them worth assessing and profiling. The botnet I assessed in February, the one that was crunching out phishing emails and using the infected hosts for hosting the pages and parking the phishing domains, is still operational, this time starting a fake Yahoo Greetings malware campaign by spamming the cybersquatted domains and enticing the user into updating their Flash player with a copy of Backdoor.Agent.AJU.

Upon visiting www4.yahoo.american-greeting.com.tag38.com/ecards/view.pd.htm, it redirects to www3.yahoo.americangreetings.com.id759.com/ecards/view.pd.htm

id759.com is currently responding to 24.161.232.218; 24.192.140.204; 68.36.236.67; 76.230.108.105; 83.5.203.163; 85.109.42.164; 216.170.109.206, as are set45.net; service28.biz; setup36.com, and it serves the Backdoor.Agent:

www3.yahoo.americangreetings.com.id759.com/ecards/get_new_flashplayer.exe

Scanners Result : 12/31 (38.71%)
Suspicious:W32/Malware!Gemini; W32/Agent.Q.gen!Eldorado
File size: 44544 bytes
MD5...: fe97eb8c0518005075fd638b33d5b165
SHA1..: d7a4258e37ce0dab0f7d770d1a9d979e921be07b
SHA256: 138d31ae1bbdec215d980c7b57be6e624c2f2e1cacd3934b77f50be8adabfb97

"Backdoor.Agent.AJU is a malicious backdoor trojan that is capable of running and opening random TCP ports in multiple instances, attempting to connect to its predefined public SMTP servers. It then spams itself in email with a file attached in zip and password protected format. Furthermore, the password is included in the body of the email."

tag38.com is responding to 211.142.23.21 and is part of a scammy ecosystem of other phishing and malware related domains responding to the same IP. These are the related subdomains impersonating Yahoo Greetings within it:


What you see when in a hurry is not what you get when you have time to look at it twice. This and the previous campaign launched by the same party are a great example of risk and responsibility forwarding, in this case onto the infected party: what used to be a situation where an infected host only sent spam and phishing emails is today's malicious hosting infrastructure on demand.
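A defender-side check for the pattern both posts show, a bank or greeting-card brand nested as a label inside an unrelated registrable domain (ver2.natwest-commercial3.com, www3.yahoo.americangreetings.com.id759.com): this is an added example, not code from the original posts. The brand allowlist, the two-label suffix subset and the legitimate control URL are assumptions for illustration; the other links are the ones quoted above, including their quoted-printable "=3D" residue.

```python
import quopri
from urllib.parse import urlsplit

# Public suffixes that take two labels; a constructed subset that covers the
# hostnames on this page (a real deployment would use the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}

# Brand tokens to look for in a hostname, each mapped to the registrable domains
# a message carrying that brand may legitimately link to (assumed allowlist).
BRANDS = {
    "natwest": {"natwest.com", "nwolb.com"},
    "nwolb": {"natwest.com", "nwolb.com"},
    "americangreetings": {"americangreetings.com"},
    "yahoo": {"yahoo.com"},
}

# Links quoted in the two posts above, plus one constructed legitimate control.
SAMPLE_LINKS = [
    "//ver2.natwest-commercial3.com/customerupdate?tag=3D19ecygtKZDzrozrznhOzn",
    "//pool32-nwolb20.com/customerupdate?cid=3D27kwszewcenzdFECKDtcwhhOkhOvp",
    "www3.yahoo.americangreetings.com.id759.com/ecards/view.pd.htm",
    "https://www.nwolb.com/",  # constructed control case, not from the posts
]


def registered_domain(host: str) -> str:
    """Return the registrable part (eTLD+1) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise_url(raw: str) -> str:
    """Undo the quoted-printable residue (=3D) seen in the samples and make
    sure the URL has a scheme so urlsplit finds the host."""
    text = quopri.decodestring(raw.encode()).decode(errors="replace")
    if text.startswith("//"):
        return "http:" + text
    if "://" not in text:
        return "http://" + text
    return text


def check_url(raw: str) -> dict:
    """Flag a URL whose hostname carries a brand token but whose registrable
    domain is not on that brand's allowlist."""
    host = urlsplit(normalise_url(raw)).hostname or ""
    reg = registered_domain(host)
    # drop hyphens so "american-greeting" style spellings still match
    hits = [b for b in BRANDS if b in host.replace("-", "")]
    suspicious = any(reg not in BRANDS[b] for b in hits)
    return {"host": host, "registered_domain": reg,
            "brands": hits, "suspicious": suspicious}


def suspicious_hosts(links):
    """Hostnames from `links` that carry a brand they do not belong to."""
    return [r["host"] for r in map(check_url, links) if r["suspicious"]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(check_url(link))
```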

Web Email Exploitation Kit in the Wild

XSS exploitation of the most popular Russian (and, in the long term, definitely international) web email service providers is also embracing the efficiency mindset as a process. This web based exploitation kit is a great example of customization applied to publicly known XSS vulnerabilities within a segmented set of web sites, email providers in this case.

The kit's pitch, automatically translated:

"The script contains vulnerabilities for 15 of the most popular Russian mail services (except buy), and one of the largest foreign mail servers that provide free mail - mail.com. Three of the vulnerabilities work only under Internet Explorer, all the rest under Internet Explorer and Opera.

The system also includes 16 ready-to-use fake authorization pages for entering the mail. Using the script works like this: you choose an XSS template (code bypassing the security filters of your desired mail server) through which the attack would take place, fill in the minimum fields for sending letters (sender, recipient, subject, message) and choose the type of payload: 1) your own JavaScript code (a convenient option for inserting malicious code with an iframe) 2) code driving the victim to a fake authorization page. In the first case your own script simply runs in the victim's browser, but in the second case the victim is redirected to a page with false authorization, enters their data there, which is logged for you, and is sent back to their mailbox. The script only needs simple and free hosting with support for sendmail and php, but nonetheless you should be aware that for better quality work it would not hurt to buy a nice domain. Inexpensive paid updates also appear as the loopholes in the mail filters get closed."

Automating phishing by using the vulnerable sites as redirectors can outpace the success of the Rock Phish kit, whose key success factor relies on the diversity of the brands targeted, whereas all its campaigns operate from the same IP.

Moreover, as we've seen recently, highly popular and high-profile sites, whose ever growing web application infrastructure continues to expand, still remain vulnerable to XSS vulnerabilities, which were used in a successful blackhat SEO poisoning campaign by injecting IFRAME redirectors to rogue security applications in between live exploit URLs. In fact, Ryan Singel also points out such a vulnerability on CIA.gov, showcasing that spear phishing, in times when phishers, spammers and malware authors are consolidating, can be just as effective for conducting cyber espionage as gathering OSINT through botnets by segmenting the infected population is. Why try to infect the high-profile targets with malware, when they could already be infected?

Furthermore, XSS vulnerabilities within banking sites are also nothing new, and as always the very latest XSS vulnerabilities will go purposely unreported until the phishers move on to new ones. How about the customer service aspect, given that this XSS exploitation kit is yet another example of a proprietary underground tool? If the XSS vulnerabilities stop working, custom zero day XSS vulnerabilities within the providers can be provided to the customer. Commercializing XSS vulnerabilities is one thing, embedding the exploits in a do-it-yourself type of tool another, but positioning the kit as an efficient way of running your "Request an Email Account to be Hacked" business is entirely another, which is the case with this kit.

In 2008, is the infamous quote "Hack the Planet!" still relevant, or has it changed to "XSS the Planet!" already, perhaps even "Remotely File Include the Planet!"?

Tuesday, April 15, 2008

Malware and Exploits Serving Girls

Descriptive domains such as beautiful-and-lonely-girl dot com, amateur-looking homepage sites, a modest photo archive of different girls: apparently amateur malware spreaders think that spamming these links to as many people as possible will entice them into visiting the sites, thus infecting themselves with malware.

It all started with Lonely Polina, then came lonely Ms. Polinka, and now we have Victoria. And although Polina and Polinka are connected in terms of the malware served, the natural RBN connection in the form of HostFresh, as well as the site template used, Victoria is an exception. Some details on the recently spammed campaign:

voena.net (199.237.229.158) is also responding to prettyblondywoman.com, and the exploit (WebViewFolderIcon setSlice) and the malware (Trojan-Spy.Win32.Goldun) are served from voena.net/incoming.php and voena.net/get.php, both with a high detection rate of 27/32 (84.38%).

Individual homepages are dead, and this is perhaps where the social engineering aspect of the attack fails: all these girls surely have their MySpace profiles up and running already, in between taking advantage of a popular photo sharing service.

Monday, April 14, 2008

Localized Fake Security Software

Would you believe that in times when top tier antivirus vendors are feeling the heat from the malware authors' DoS attacks on their honeyfarms, and literally cannot keep up with their releases, someone out there is using an antivirus scanner that doesn't really exist? It's one thing to promote fake security software over a one-to-many communication channel using a single language in combination with cybersquatted domains, and entirely another to do the same in different languages. Localization of anything malicious is already taking place, as originally anticipated as an emerging trend back in 2006. The following currently active fake security software scams are promoted in Dutch, French, German and Italian, and you don't get to download them until you hand over your credit card details; once you do, you'll end up in the same situation many other people did in the past. Some sample fake brands:

SpyGuardPro; PCSecureSystem; AntiWorm2008; WinSecureAv; MenaceRescue; PCVirusless; LifeLongPC; NoChanceForVirus; MenaceMonitor; TrojansFilter; LongLifePC; KnowHowProtection; BestsellerAntivirus; PCVirusSweeper; AVSystemCare; AVSecurityPlus; PCAssertor; PoseidonAntivirus; TrustedAntivirus; PCBoosterPro; DefensiveSystem; GoldenAntiSpy; AntiSpywareSuite; AntiMalwareShield; AntivirusPCSuite; AntivirusForAll; TrustedProtection; NoWayVirus; AntiSpywareConductor; AntiSpywareMaster; TurnkeyAntiVirus; YourSystemGuard

Portfolio one:


Portfolio two:


Portfolio three:


Just like in a previous proactive incident response, where I pointed out that these fake security applications are starting to appear as the final payload of malicious campaigns injected at high profile sites, ensuring that your customers or infrastructure cannot connect to these domains will render current and upcoming massive IFRAME injected or embedded attacks pointless, at least from the perspective of serving the rogue software.

ICQ Messenger Controlled Malware

IM me a command, master - part two. Diversifying the command and control channels of malware is always in a permanent development phase, with malware authors adapting their releases in order to bypass popular detection mechanisms. IM controlled malware is a great example of such a development, and now that I've already covered a Yahoo Messenger controlled malware in a previous post, it is logical to come up with more evidence of alternative IM networks used as the main C&C interface, ICQ in this case. The ICQ controlled malware's pitch:

"With this program, you will always be able to access the necessary functions of your computer using ordinary ICQ. It offers the opportunity to add your own scripts and commands, thus becoming a universal tool for controlling the computer - it all depends on your imagination and skills. Through the program, operations like the following can be run by default - viewing directories, displaying messages, launching programs, killing processes, shutdown, viewing active windows, and much more."

Released primarily as a proof of concept, its source code is freely available, which, as we've already seen in the past, results in more innovation on behalf of those using the idea as a foundation for their own malicious purposes.

The whole concept of abusing third-party communication applications for malware purposes has always been there; in fact, two years ago there were even speculations that Skype could be used to control botnets. A fad or a trend? The lone malware author who isn't embracing malicious economies of scale and looking for reliable and efficient ways to infect and control as many hosts as possible is taking advantage of this; the rest are always looking for ways to port their botnets to a different C&C without losing a single host, in order to benefit from what a web application C&C can provide compared to the old-fashioned IRCd command line commands.