Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Wednesday, March 23, 2011

Spamvertised United Parcel Service notifications serve malware

A currently ongoing spam campaign is impersonating UPS for malware-serving purposes.

Sample subject: United Parcel Service notification
Sample attachments: UPSnotify.rar; UPSnotify.exe; UnitedParcelServicedocument.exe
Sample message: Dear customer.

The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc.

Detection rates:

UnitedParcelServicedocument.exe - Mal/Bredo-K - Result: 7/ 41 (17.1%)
MD5   : b60e95b42106989bc39e175efcc031db
SHA1 : 0fb63dff83db643c9ee42efe617bdd539a5ffb8f
SHA256: 65f14438c3154a74767131a427fbdc50c28a6cbcdcf47f3d418b92c4c168696a

UPS notify.exe - Mal/Bredo-K - Result: 17/ 40 (42.5%)
MD5   : cc040e69121bc19f23ef4a32dbb8a80e
SHA1 : da65b7b277540b88918076949a28e8307ad7e41a
SHA256: ef5f76e1b20c2083469fbe7e4de4ec9c06689ee105274b1a79c9cadbd23d54ae

Upon execution downloads additional binaries from:
193.105.121.33/lol2.exe
193.105.121.33/pod.exe
193.105.121.33/spm.exe

Responding to 193.105.121.33 are undeardarling.com - Email: admin@undearhappydear.com and undearhappydear.com - Email: admin@undearhappydear.com

Detection rates:
lol2.exe - Trojan.FakeAV!gen39- Result: 14/ 43 (32.6%)
MD5   : 747431a2a4a29f1bfc136e674af99ad0
SHA1 : 8349fc3f5f299d0ca6473e748276ec2b50019330
SHA256: 6009e7f5cbc55e6acb060d9fb33a39a978168a32a0a8c6a24f201106056cc0db

pod.exe - Backdoor.Win32.Gbot!IK - Result: 33/ 42 (78.6%)
MD5   : f403afdbe4c4c859c8ab018a7ded694c
SHA1 : 1915a46cbb43fcaf8da90af95856d7524b24f129
SHA256: eddfff99df316669191be0b61a5ae06ee811bbd27110111e69cbd212881fa494

Upon execution phones back to:
healthylifenow.com - 208.109.223.193 - Email: HEALTHYLIFENOW.COM@domainsbyproxy.com
bigbeerclubonline.com - Email: contact@privacyprotect.org
zonetf.com - 96.9.169.85 - Email: janeob@126.com

spm.exe - W32.Pilleuz - 10/ 42 (23.8%)
MD5   : de55498b9f9195f1733df62c7026cf5f
SHA1 : 5520c1220cdd03a64f9b782c2393697ebab154b9
SHA256: dc2a797e5be968f9d36d4510988fa242c042a3e315fb50a3f9325cae6a1d779d

Upon execution phones back to:
ponel.biz - 46.4.62.17 - Email: web_raskrutka@pochta.ru
itisformebaby.biz - 46.4.10.7; 88.198.46.151; 178.63.63.208 - Email: web_raskrutka@pochta.ru
gmail.com
yahoo.com
hotmail.com

As speculated, cybercriminals have started feeding legitimate sites into their C&C communication patterns in an attempt to undermine community efforts aimed at tracking their malicious activities.

Related posts:
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Wednesday, March 16, 2011

Compromised Universities Leads to Fraudulent Pharmaceutical Ads

Continuing the "Compromised University Leads to Fraudulent Pharmaceutical Ads"; "Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads" series, in this post we'll discuss two more compromised web servers of educational institutions leading to pharmaceutical ads. Affected Universities are:

Rutgets Energy Institute:
ruei.rutgers.edu/documents/chin.php?adv=cialis20-mg
ruei.rutgers.edu/documents/chin.php?adv=viagra-ratings
ruei.rutgers.edu/documents/chin.php?adv=viagra-999
ruei.rutgers.edu/documents/chin.php?adv=viagra-expired
ruei.rutgers.edu/documents/chin.php?adv=viagra-kako-se

Uploaded redirectors:
ruei.rutgers.edu/documents/chin.php
ruei.rutgers.edu/documents/roar.php
ruei.rutgers.edu/documents/ost.php

Computer Music Center at Columbia University
music.columbia.edu/cmc/pills/index.php?adv=how-to-try-viagra
music.columbia.edu/cmc/pills/index.php?adv=damaskviagra
music.columbia.edu/cmc/pills/index.php?adv=brandlevitra
music.columbia.edu/cmc/pills/index.php?adv=vegetalviagra
music.columbia.edu/cmc/pills/index.php?adv=vviagra

The sampled URLs redirect to the following fraudulent pharmaceutical sites:
pillsedonline.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
buyperfecthealth.com - 93.170.104.53 - Email: stavros1929@hotmail.com
safedrugstock.com - 93.170.104.53 - Email: stavros1929@hotmail.com
securedrugstock.com - 93.170.104.53 - Email: stavros1929@hotmail.com
europharmas.com - 93.170.104.53 - Email: glockner546@hotmail.com
requestpills.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
online-doc.us - 93.170.104.53 - Email: cool_gamer90@mail.ru
pills4sex.eu - 93.170.104.53
securetablets.com - 93.170.104.53 - Email: stavros1929@hotmail.com
alledtablets.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
canadian-refills.com - 178.239.60.214 - Email: privacy-829911@domainprivacygroup.com

Cybercriminals continue purchasing web shells/and stolen FTP credentials to high page rank-ed web sites such as educational institutions. Monitoring of their operations will continue.

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Spamvertised FedEx Notifications Spread Malware

A currently ongoing spamvertised campaign is brand-jacking FedEx for malware serving purposes.

Sample attachments: FedEx letter.zip; FedEx letter.exe
Sample subject: FedEx notification #random number
Sample message: Dear customer. The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below.

Thank you.
© FedEx 1995-2011

Detection rate: FedEx letter.exe - Trojan.FakeAV - Result: 24/ 43 (55.8%)
MD5 : 90bef5dff5809682249813fd63b67da4
SHA1 : 2418c01a30a19a2d76b693474a852092e3de4a32
SHA256: a38848786528d235b51fed3adf20050f5c1906d066e0282311b8bce37d8163a0

Phones back to AS30890 (EVOLVA Evolva Telecom s.r.l.)
94.63.244.56/lol2.exe
94.63.244.56/pod.exe

with 94.63.244.56/allftp.txt; 94.63.244.56/ftp/db_grab.txt hosting the sniffed FTP credentials.

Responding to 94.63.244.56 are d34ghqarfrgad.com and erherg34gsafwe.com, phone back URLs which we've seen from last week's spamvertised DHL Notifications campaigns, with the use of the IP best described as a desperate attempt to maintain a C&C infrastructure:

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Friday, March 11, 2011

More Spamvertised DHL Notifications Spread Malware

Yesterday's campaign is still ongoing, with new MD5's in the wild. Here are the details.

Sample subjects: DHL notification #random number
Sample message: Dear customer! The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd.
Sample filenames: DHL_tracking.zip; doc.zip

doc.exe - Trojan-Spy.SpyEy!IK - Result: 18/ 43 (41.9%)
MD5: 83db662187dd7cd58fc4a368ea27775d
SHA1 : 4edb2d95c0570a36f6cb992e55111cdd7c3eda69
SHA256: 99f1e003bbf1025b0bbe257ece65d1704852fd1ba48e6cc79bd39cde6e6d14c3

DHL_tracking.exe - Win-Trojan/Spyeyes.45568 - Result: 29/ 43 (67.4%)
MD5   : 81fc09b014617bce59f678374b486512
SHA1 : 3d92a768f58b2900b98c9f97ce2753d27a4749ae
SHA256: 24b23bf7ebd03bf5feb0c637ea1e64661e27c78c66684dd49f074af2b2505bb7

Upon execution phones back to:
adobe.com/geo/productid.php
elsoplongt.com/rk`,jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk`,jopbh/qwq
lulango.com/rk`,jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
    - erherg34gsafwe.com/ftp/base.bin
        - erherg34gsafwe.com/ftp/ftpplug2.dll
            - erherg34gsafwe.com/ftp/base.bin

Domains responding to:
192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56

Additional malicious activity within AS49469 (SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL, courtesy of the ZeusTracker and the SpyEye Tracker:

bigupdate.ru - Email: admin@hotupdaters.ru
bigupdatings.ru - Email: admin@bigupdatings.ru
bigupdater.ru - Email: admin@bigupdater.ru
bigupdates.ru - Email: admin@istuplenie.ru
bigupdating.ru - Email: admin@bigupdating.ru
bigupdaters.ru - Email: admin@bigupdaters.ru
94.63.244.30
metamphcrystal.com - Email: admin@metamphcrystal.com

Related malware-serving domains within AS49469, SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL
xppclapgirl.com - 89.114.9.33
natnatraoi.com - 12.211.117.127 - Email: barbarasorber@yahoo.com
d34ghqarfrgad.com - 94.63.244.56 - Email: admin@d34ghqarfrgad.com
g3u4g.net - 89.114.9.33 - Email: G3U4G.NET@domainservice.com
suhi4hr.net - 89.114.9.60 - Email: SUHI4HR.NET@domainservice.com
mialedot.ru - 94.63.244.44 - Email: abuse@mialedot.ru
blackmemoso.com - Email: grasp@yourisp.ru

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Thursday, March 10, 2011

Compromised University Leads to Fraudulent Pharmaceutical Ads

Continuing the Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads series, yet another university has been compromised by pharmaceutical scammers, part of an affiliate network.

In this very latest example of this tactic, seeking to abuse the high pagerank of the web site in question, the web site of the Department of Mathematics at Rutgers University (math.rutgers.edu/mdnews/) appears to have been compromised by pharmaceutical scammers.

Included URLs:
math.rutgers.edu/mdnews/levitraline.html
math.rutgers.edu/mdnews/levitrastory.html
math.rutgers.edu/mdnews/cialis-pills.html
math.rutgers.edu/mdnews/levitradosage.html
math.rutgers.edu/mdnews/viagra-buy-online.html

Redirects to:
worldselectshop.com/?id=abamos - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com

The same affiliate ID is also active at:
usadrugstorenow.com/products/diflucan.htm?id=abamos - 212.117.185.19 - Email: usadrugstorenow.com@protecteddomainservices.com

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Spamvertised DHL Notification Malware Campaign

A currently spamvertised malware campaign is brand-jacking DHL for malware-serving purposes.

Sample filename: document.zip => DHL_notification.exe
Sample message: Dear customer. The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd - notice the typo.

DHL_notification.exe - Trojan-Spy.Win32.SpyEyes - Result: 27 /43 (62.8%)
MD5   : bda72e57d263241d52b1fe2ef014cba9
SHA1 : fa9dc14b100f1bf5124cd23c322c109b38a70675
SHA256: 199f2357c24e71d955a4e6c2d07645aa04d9474e0c8c914a1edd69a02e3f8a70

Upon execution phones back to:
adobe.com/geo/productid.php
elsoplongt.com/rk`,jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk`,jopbh/qwq
lulango.com/rk`,jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
    - erherg34gsafwe.com/ftp/base.bin
    - erherg34gsafwe.com/ftp/ftpplug2.dll
    -     erherg34gsafwe.com/ftp/base.bin

Domains responding to:
192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev