Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Friday, April 09, 2010

Keeping Money Mule Recruiters on a Short Leash - Part Four

UPDATED: Saturday, April 10, 2010: Some of the mule recruitment sites appear to be interested in something else, rather than recruiting mules -- must be the oversupply of people unknowingly participating in the cybercrime ecosystem.

Several of the domains (for instance ortex-gourpinc.tw and augmentgroupinc.tw) are not accepting registrations, instead, but are attempting to trick the visitor into downloading and executing a bogus psychological test.

"Below is a test prepared by professional psychologists and is required in order to be considered a competent candidate for the offered position. After successful completion of your test, you will be asked to register on our web site. If you are not ready to register right away, please wait to take the test at a later point. To REGISTER, simply run the test and you will be prompted to click on the "Register Now" button at any time and you will be redirected to the login page, without having to take the test again.

*This test is under development and we are grateful for all comments and suggestions." *If you are having trouble running the test and your computer is requesting administrative rights, download the test and simply right-click on the Test icon and select "Run As Administrator" from the menu."

- testAugmentInc.exe - Result: 3/38 (7.9%) - Trojan/Win32.Chifrax.gen; Reser.Reputation.1
- testOrtexGroup.exe - Result: 3/39 (7.7%) - Trojan/Win32.Chifrax.gen; Reser.Reputation.1

UPDATED: AS34305, EUROACCESS has taken down the IPs within their network. The money mule recruiters naturally have a contingency plan in place, and have migrated to AS38356 - TimeNet (222.35.143.112; 222.35.143.234; 222.35.143.235; 222.35.143.237) and AS21793 - GOGAX (76.76.100.2; 76.76.100.4; 76.76.100.5).

Based on the already established patterns of this group, it was only a matter of time until they re-introduced yet another portfolio of money mule recruitment domains, combining them with spamvertised recruitment messages, and forum postings.

Just like their campaign from last month (Keeping Money Mule Recruiters on a Short Leash - Part Three) the current one is once again interacting exclusively with AS34305, EUROACCESS Global Autonomous System, including the newly introduced name servers.

What has changed? It's the migration towards the use of fast-flux infrastructure for ZeuS crimeware serving campaigns, and in an isolated incident profiled in this post, a money mule recruitment campaign that's also sharing the same fast-flux infrastructure. Combined with the BIZCN.COM, INC. domain registrar's practice of accepting domain registrations using example.com emails, next to ignoring domain suspension requests - you end up with the perfect safe haven for a cybercrime operation.

In March, 2010, it took EUROACCESS less then 10 minutes to undermine their campaigns, including ones residing within the AS of a cyber-crime friendly customer known as 193.104.22.0/24 KratosRoute. However, it's interesting to observe their return to the same ISP, given that they were within a much more cybercrime-friendly neighborhood once EUROACCESS kicked them out last month.

Although the take down activities from last month may seem to have a short-lived effect, now that they're not only back, but are once again abusing EUROACCESS, the loss of OPSEC (operational security) did happen, just like it happened in the wake of the TROYAK-AS takedown.

Let's dissect the currently ongoing campaign, and emphasize on a second money mule recruitment campaign, that's not just using a fast-flux infrastructure, but is also connected to hilarykneber@yahoo.com (The Kneber botnet - FAQ).

Spamvertised, and parked domains on 85.12.46.3; 85.12.46.2; 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System are as follows:
altitudegroupinc.tw - Email: weds@fastermail.ru
altitude-groupli.com - Email: mylar@5mx.ru
altitude-groupmain.tw - Email: gutsy@qx8.ru
amplitude-groupmain.net - Email: tabs@5mx.ru
arvina-groupco.tw - Email: hv@qx8.ru
arvina-groupinc.tw - Email: jerks@5mx.ru
arvina-groupnet.cc - Email: mat.mat@yahoo.com
asperity-group.com - Email: okay@qx8.ru
asperitygroup.net - Email: cde@freenetbox.ru
asperitygroupinc.tw - Email: ti@fastermail.ru
asperity-groupmain.tw - Email: gutsy@qx8.ru
astra-groupnet.tw - Email: logic@qx8.ru
astra-groupinc.tw - Email: gv@fastermail.ru
augment-group.com - Email: mylar@5mx.ru
augmentgroup.net - Email: glean@fastermail.ru
augmentgroupinc.tw - Email: weds@fastermail.ru
augment-groupmain.tw - Email: gutsy@qx8.ru
celerity-groupmain.net - Email: cde@freenetbox.ru
celerity-groupmain.tw - Email: weds@fastermail.ru
excel-groupco.tw - Email: thaws@bigmailbox.ru
excel-groupsvc.com - Email: carlo@qx8.ru
fincore-groupllc.tw - Email: jerks@5mx.ru
fecunda-group.com - Email: okay@qx8.ru
fecundagroupllc.tw - Email: omega@fastermail.ru
fecunda-groupmain.net - Email: mylar@5mx.ru
fecunda-groupmain.tw - Email: ti@fastermail.ru
foreaim-group.com - Email: cde@freenetbox.ru
foreaimgroup.net - Email: glean@fastermail.ru

foreaimgroupinc.tw - Email: gutsy@qx8.ru
foreaim-groupmain.tw - Email: weds@fastermail.ru
impact-groupinc.net - Email: cde@freenetbox.ru
impact-groupnet.com - Email: okay@qx8.ru
luxor-groupco.tw - Email: logic@qx8.ru
luxor-groupinc.cc - Email: mat.mat@yahoo.com
luxor-groupinc.tw - Email: gv@fastermail.ru
magnet-groupco.tw - Email: gv@fastermail.ru
magnet-groupinc.cc - Email: mat.mat@yahoo.com
millennium-groupco.tw - Email: thaws@bigmailbox.ru
millennium-groupsvc.tw - Email: thaws@bigmailbox.ru
optimusgroupnet.cc - Email: mat.mat@yahoo.com
optimus-groupsvc.tw - Email: jerks@5mx.ru
ortex-gourpinc.tw - Email: clad@bigmailbox.ru
ortex-groupinc.cc - Email: mat.mat@yahoo.com
pacer-groupnet.tw - Email: omega@fastermail.ru
point-groupco.tw - Email: wxy@qx8.ru
point-groupinc.cc - Email: mat.mat@yahoo.com
spark-groupco.tw - Email: clad@bigmailbox.ru
spark-groupsv.tw - Email: clad@bigmailbox.ru
spark-groupsvc.com - Email: trim@freenetbox.ru
synapse-groupfine.net - Email: okay@qx8.ru
synapse-groupinc.tw - Email: omega@fastermail.ru
synapsegroupli.com - Email: tabs@5mx.ru
target-groupinc.cc - Email: mat.mat@yahoo.com
tnm-group.tw - Email: troop@bigmailbox.ru
tnmgroupinc.com - Email: tabs@5mx.ru
tnmgroupsvc.net - Email: tabs@5mx.ru
starlingbusinessgroup.com - 212.150.164.201 - Email: tahli@yahoo.com (spamvertised separately from the campaign)

Newly introduced name servers:
ns3.sandhouse.cc - 74.118.194.82 - Email: taunt@freenetbox.ru
ns1.volcanotime.com (Parked on the same IP is also ns1.jockscreamer.net Email: free@freenetbox.ru) - 64.85.174.144 - Email: hs@bigmailbox.ru
ns2.weathernot.net - (Parked on the same IP is also ns2.worldslava.cc Email: fussy@bigmailbox.ru) 204.12.217.252 - Email: bowls@5mx.ru
ns1.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru
ns2.pesenlife.net - 204.12.217.254 - Email: erupt@qx8.ru
ns3.greezly.net - 204.124.182.151 - Email: erupt@qx8.ru

Name servers known from previous campaigns remain active, using AS34305:
ns1.chinegrowth.cc - 92.63.111.196 - Email: duly@fastermail.ru
ns1.partytimee.cn - 92.63.111.196 - Email: chunk@qx8.ru
ns1.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru
ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru
ns1.bizrestroom.cc - 92.63.110.85 - Email: hook@5mx.ru
ns2.alwaysexit.com - 85.12.46.2 - Email: sob@bigmailbox.ru
ns2.trythisok.cn - 85.12.46.2 - Emaik: chunk@qx8.ru

It's been a while, since I came across a money mule recruitment campaign using fast-flux infrastructure (Money Mule Recruiters use ASProx's Fast Fluxing Services) that's also currently being used by domains registered using the same emails as the original Hilary Kneber campaigns (Celebrity-Themed Scareware Campaign Abusing DocStoc) from December, 2009, as well as related mule recruitment campaigns (Dissecting an Ongoing Money Mule Recruitment Campaign) from February, 2010.

Moreover, one of the domains sharing the fast-flux infrastructure with the money mule recruitment site asapfinancialgroup.com - Email: admin@asapfinancialgroup.com, was also profiled in last month's "Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild".

The following ZeuS crimeware, client-side exploits service, and malware phone back C&C domains, all share the same fast-flux infrastructure:
allaboutc0ntrol.cc - Email: HilaryKneber@yahoo.com
agreement52.com - Email: Davenport@example.com
smotri123.com - Email: smot-smot@yandex.ru - C&C profiled last month
jdhyh1230jh.net - Email: None@aol.com
mabtion.cn - Email: Michell.Gregory2009@yahoo.com
wooobo.cn - Email: Michell.Gregory2009@yahoo.com
mmjl3l45lkjbdb.ru - Email: none@none.com
domainsupp.net - Email: ErnestJBooth@example.com

first-shockabsorbers.com - Email: ring.redlink@yandex.ru
this-all-clean.info - Email: ring.redlink@yandex.ru
f45rugfj98hj9hjkfrnk.com - Email: holsauto@live.com
financialdeposit.com - Email: crWright@gmail.com
connectanalyst.com - Email: Mildred44@gmail.com - NOT ACTIVE
vmnrjiknervir.com - Email: holsauto@live.com - NOT ACTIVE
longtermrelations.com - Email: admin@schumachercomeback.com - NOT ACTIVE, SUSPENDED

Name servers of the fast-fluxed domains include:
ns1.hollwear.com - 87.239.22.240 - Email: kymboll@rocketmail.com
ns1.kentinsert.net - 64.120.135.214 - Email: rackmodule@writemail.com
ns1.dimplemolar.net - 207.126.161.29 - Emaik: carruawau@gmail.com
ns1.megapricelist.net - 66.249.23.63 - Email: jobwes@clerk.com
ns1.bighelpdesk.net - 76.10.203.46 - Email: galaxegalaxe@gmail.com
ns1.linejeans.com - 95.211.86.140 - Email: palmatorz@aol.com
ns1.ceberlin.com - 204.12.210.235

EUROACCESS have been notified, an updated will be posted as soon as they take care of the campaign.

Related coverage of money laundering in the context of cybercrime:
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Thursday, April 01, 2010

Summarizing Zero Day's Posts for March

The following is a brief summary of all of my posts at ZDNet's Zero Day for March, 2010.

You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Dancho Danchev

Tuesday, March 30, 2010

Money Mule Recruitment Campaign Serving Client-Side Exploits

Remember Cefin Consulting & Finance, the bogus, money mule recruitment company that ironically tried to recruit me last month?

They are back, with a currently ongoing money mule recruitment campaign, this time not just attempting to recruit gullible users, but also, serving client-side exploits (CVE-2009-1492; CVE-2007-5659) through an embedded javascript on each and every page within the recruitment site.

Let's dissect the campaign, expose the client-side exploits serving domains, the Zeus-crimeware serving domains parked within the same netblock as the mule recruitment site itself, to ultimately expose a bogus company for furniture hosting a pretty descriptive cv.exe that is dropped on the infected host.

Initial recruitment email sent from financialcefin@aol.com:
Hello, Our Company is ready to offer full and part time job in your region. It is possible to apply for a well-paid part time job from your state. More information regarding working and cooperation opportunities will be sent upon request. Please send all further correspondence ONLY to Company's email address: james.mynes.cf@gmail.com Best regards

Response received:
Greetings,

Cefin Consulting & Finanace company thanks you for being interested in our offer. All additional information about our company you may read at our official site. www.ceffincfin.com Below the details of vacancy operational scheme:

1. The payment notice and the details of the beneficiary for further payment transfer will be e-mailed to your box. All necessary instructions regarding the payment will be enclosed.
2. As a next step, you'll have to withdraw cash from our account.
3. Afterwards you shall find the nearest Western Union office and make a transfer. Important: Only your first and last names shall be mentioned in the Western Union Form! No middle name (patronymic) is written! Please check carefully the spelling of the name, as it has to correspond to the spelling in the Notice.
4. Go back home soonest possible and advise our operator on the payment details (Sender’s Name, City, Country, MTCN (Money Transfer Control Number), Transfer Amount).
5. Our operator will receive the money and send it to the customer.
6. Please be ready to accept and to make similar transfers 2-5 times a week or even more often. Therefore you have to be on alert to make a Western Union payment any time.

Should you face any problems incurred in the working process, don’t hesitate to contact our operator immediately. If you have any questions, please do not hesitate to contact us by e-mail. If you have understood the meaning of work and ready to begin working with us, please send us your INFO in the following format:

1) First name 2) Last name 3) Country 4) City 5) Zip code 6) Home Phone number, Work Phone number, Mobile Phone number 7) Bank account info: a) Bank name b) Account name c) Account number d) Sort code 8) Scan you passport or driver license

2010 © Cefin Consulting & Finance
All right reserved.

Money mule recruitment URL: ceffincfin.com - 93.186.127.252 - Email: winter343@hotmail.com - currently flagged as malicious.

Once obfuscated, the javascript attempts to load the client-side exploits serving URL click-clicker.com /click/in.cgi?3 - 195.78.109.3; 195.78.108.221 - Email: aniwaylin@yahoo.com, or click-clicker.com - 195.78.109.3 - Email: aniwaylin@yahoo.com.

Sample campaign structure:
- click-clicke.com /cgi-bin/plt/n006106203302r0009R81fc905cX409b2ddfY0a607663Z0100f055

Parked on the same IP (91.213.174.52) are also the following client-side exploit serving domains:
click-reklama.com - Email: tahli@yahoo.com
googleinru.in - Email: mirikas@gmail.com

Within AS29106, VolgaHost-as PE Bondarenko Dmitriy Vladimirovich, we also have the following client-side exploits/crimeware friendly domains:
benlsdenc.com - Email: blablaman25@gmail.com
nermdusa.com - Email: polakurt69@gmail.com
mennlyndy.com - Email: albertxxl@gmail.com
kemilsy.com - Email: VsadlusGruziuk@gmail.com
benuoska.com - Email: godlikesme44@gmail.com

Name server of notice ns1.ginserdy.com - 93.186.127.205 - Email: albertxxl@gmail.com and ns1.ndnsgw.net - 195.78.109.3 - Email: aniwaylin@yahoo.com. have been also registered using the same emails as the original client-side exploit serving domains.

Sample detection rates, and phone back locations:
- cefin.js - Troj/IFrame-DY - Result: 1/42 (2.39%)
- clicker.pdf - Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EM - Result: 21/42 (50.00%)
- clicker2.exe - TR/Sasfis.akdv.1; Trojan.Sasfis.akdv.1; Trojan.Win32.Sasfis.akdv - Result: 18/42 (42.86%)
- cv.exe - Trojan.Siggen1.15304 - Result: 3/42 (7.15%)
- 1.exe - Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53%)

Upon execution, the sample phones back to Oficla/Sasfis C&C at socksbot.com /isb/gate.php?magic=121412150001&ox=2-5-1-2600&tm=3&id=24905431&cache=4154905385& - 195.78.109.3 - Email: aniwaylin@yahoo.com which drops pozitiv.md/master/cv.exe - 217.26.147.24 - Email: v.pozitiv@mail.ru from the web site of a fake company for furniture (PoZITIVe SRL).

Interestingly, today the update location has been changed to tds-style.spb.ru /error/1.exe. Detection rate:
- 1.exe - Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53%)

Keeping the money mules on a short leash series, are prone to expand. Stay tuned!

Related coverage of money laundering in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev

Money Mule Recruitment Campaign Serving Client-Side Exploits

Dancho Danchev

Monday, March 29, 2010

Copyright Lawsuit Filed Against You Themed Malware Campaign

Having just received a copy of what appears to be the last active domain involved in last week's "Copyright Lawsuit filed against you" themed malware campaign, it's time to conduct a brief assessment of its inner workings.

Subject used: Copyright Lawsuit filed against you
Sample message: March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013

To Whom It May Concern:
On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010. Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36. The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement
www.touchstoneadvisorsonline.com /lawsuit/suit_documents.doc

Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.

Sincerely,
Mark R. Crosby
Crosby & Higgins LLP

Detection rates:
- complaint.doc - Downloader.Lapurd - Result: 22/39 (56.42%)
- complaint_docs.pdf - Trojan-Clicker.Win32.Cycler.odn - Result: 27/42 (64.29%)

Samples phone back to:
- 121.14.149.132 /fwq/indux.php?U=RANDOM_DATA - AS4134, CHINA-TELECOM China Telecom
- 121.14.149.132 /hia12/ter.php?u=UserName&c=COMPUTERNAME&v=RANDOM_DATA

Active C&C administration panel at: 121.14.149.132 /hia12/sca.php - returns "SSL ONLY.. USE HTTPS"

Spamvertised domains involved in the campaign:
- touchstoneadvisorsonline.com /lawsuit/suit_documents.doc - 72.167.232.84
- marcuslawcenter.com /s/r439875.doc - 173.201.145.1 - Email: info@tedvernon.com
- danilison.com/suit /complaint.doc - 72.167.183.15
- daughtersofcolumbus.com /suit/complaint.doc - ACTIVE - 173.201.97.1 - Email: charlenej@stny.rr.com

The same phone back IP was also profiled in another campaign from January, 2010.

Clearly, the cybercriminals behind it are aiming to stay beneath the radar, by relying on not so well profiled malicious infrastructure, combined with newly introduced campaigns in an attempt to make it harder to establish historical connections (Read about the "aggregate-and-forget" concept in respect to botnets/malware) between the rest of the their malicious activities.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev

Wednesday, March 24, 2010

Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild

UPDATED: Friday, March 26, 2010: In a typical multi-tasking fashion like the one we've seen in previous campaigns, more typosquatted domains are being introduced, this time using the well known IRS Fraud Application theme. What's worth pointing out is that, just like the "Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild" campaign from last week, the current one is also launched on Friday.

The reason? A pointless attempt by the gang to increase the lifecycle of the campaign.

- Sample URL: irs.gov.faodqt.com.pl /fraud.applications/application/statement.php
- Client-side exploits serving iFrame URL: klgs.trfafsegh.com /index.php
- Sample detection rate: tax-statement.exe - Trojan-Spy.Win32.Zbot - Result: 29/42 (69.05%), phones back to shopinfmaster .com/cnf/shopinf.jpg

Spamvertised and currently active fast-fluxed domains include:
fercca.com.pl
fercci.com.pl
ferkci.com.pl
fercki.com.pl
foodat.com.pl
foocit.com.pl
forcit.com.pl
footit.com.pl
ferckt.com.pl
forckt.com.pl
foodot.com.pl
footot.com.pl
faodqt.com.pl
foodyt.com.pl
redee3e.com
redee3e.com.pl
redee3e.pl
redee3o.com.pl

eddpiii.com.pl
eddsiii.com.pl
eddsiip.com.pl
eddsiui.com.pl
eddsiuo.com.pl
eddsiuy.com.pl
edduiip.com.pl
edduiiz.com.pl
edduyiz.com.pl
edouyiz.com.pl
ekouyiz.com.pl

Name server of notice:
ns1.globalistory.net - 87.117.245.9 - Email: tompsongand@aol.com

One of TROYAK-AS's most aggressive customers (used to host their Zeus C&Cs there) for Q1, 2010, is once again (latest campaign is from March 12th 2010 - Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild) attempting to build a crimeware botnet, by spamvertising the well known PhotoArchive theme, in between serving client-side exploits using an embedded iFrame on the domains in question.

In terms of quality assurance, the campaign is continuing to use it's proven campaign structure. The actual pages are hosting a binary for manual download, in between the iFrame which would inevitably drop the Zeus crimeware.

Just like in previous campaigns, the gang continues to exclusively registering its domains using the ALANTRON BLTD. domain registrar. Let's dissect the ongoing campaign's structure, and expose the domains, and ASs participating in it.

Sample URL/subdomain structure:
archive.pasweq.co.kr /id1007zx/get.php?email=email@mail.com
photostock.pasweq.co.kr
archives.pasweq.co.kr
letitbit.pasweq.co.kr
photobank.pasweq.co.kr
photosbank.pasweq.co.kr
photostock.pasweq.co.kr

Sample message: "Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content. All archives and links are provided by 3rd parties. We have no control over the content of these pages. We take no responsibility for the content on any website which we link to, please use your own discretion while surfing the links. © 2007-2009, Photos Archives Hosting Group, Inc.- ALL RIGHTS RESERVED."
Sample iFrames embedded on the pages include: cogs.trfafsegh.com /index.php - 59.53.91.192 - Email: maple@qx8.ru; klgs.trfafsegh.com /index.php

Sample iFrame campaign structure:
- cogs.trfafsegh.com /index.php
    - cogs.trfafsegh.com /l.php
        - cogs.trfafsegh.com /statistics.php

- klgs.trfafsegh.com /index.php
    - klgs.trfafsegh.com /l.php
        - klgs.trfafsegh.com /statistics.php

Parked on the same IP where the iFrame domain is are also the following Zeus C&Cs - dogfoog.net - Email: drier@qx8.ru; countrtds.ru - Email: thru@freenetbox.ru - AS4134 (CHINANET-BACKBONE No.31,Jin-rong Street)

Detection rates: zeus.js - Trojan.JS.Agent.bik - 1/41 (2.44%) serving update.exe - PWS:Win32/Zbot.gen!R - Result: 17/42 (40.48%), PhotoArchive.exe - Trojan.Zbot - Result: 18/41 (43.91%). The client-side exploitation is relying on the Phoenix Exploit's Kit.

Samples phone back to: shopinfmaster.com /cnf/shopinf.jpg - 78.2.153.153; 75.172.92.77; 78.84.78.179; 86.106.228.77; 184.56.245.136;68.49.19.6 - Email: Duran@example.com shopinfmaster.com /shopinf/gate.php

Relying on the ns1.starwarfan.net name server, which is also connected to other Zeus crimeware C&Cs which also respond the same IPs - smotri123.com - Email: smot-smot@yandex.ru domainsupp.net - Email: ErnestJBooth@example.com
Active and fast-fluxed subdomains+domains participating in the campaign:
pasweokz.com - Email: romavesela@yahoo.com
pasweq.co.kr - Email: romavesela@yahoo.com
archive.pasweokz.com
archive.pasweq.co.kr
archives.pasweokz.com
archives.pasweq.co.kr
letitbit.pasweokz.com
letitbit.pasweq.co.kr
photobank.pasweokz.com
photobank.pasweq.co.kr
photosbank.pasweokz.com
photosbank.pasweq.co.kr
photoshock.pasweokz.com
photoshock.pasweq.co.kr
photostock.pasweokz.com
photostock.pasweq.co.kr

Name servers currently in use were also seen in February, 2010 (IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild)
ns1.addressway.net - 87.117.192.79 - Email: poolbill@hotmail.com
ns1.skc-realty.com - 87.117.192.79 - Email: skc@realty.net

Updates will be posted as soon as new developments emerge. Consider going through the related posts, to catch up with the gang's activities for Q1, 2010.

Related posts:
Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild
TROYAK-AS: the cybercrime-friendly ISP that just won’t go away
AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Keeping Money Mule Recruiters on a Short Leash - Part Two

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev