SECOND UPDATE for Wednesday, February 24, 2010 - Another portfolio of new domains is being spamvertised, using the old PhotoArchive theme. The client-side exploits serving iFrame directory has been changed to 91.201.196.101 /usasp33/in.php currently serving CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324.
Sample detection rates: update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%); file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%). Samples phone back to the same C&C where samples from previous campaigns were also phoning back to - trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: [email protected].
Domains portfolio:
reda.kr - Email: [email protected]
redb.kr - Email: [email protected]
reda.ne.kr - Email: [email protected]
redb.ne.kr - Email: [email protected]
redn.ne.kr - Email: [email protected]
redv.ne.kr - Email: [email protected]
redn.kr - Email: [email protected]
reda.co.kr - Email: [email protected]
redv.co.kr - Email: [email protected]
reda.or.kr - Email: [email protected]
redb.or.kr - Email: [email protected]
redn.or.kr - Email: [email protected]
redv.or.kr - Email: [email protected]
redv.kr - Email: [email protected]
Name server of notice:
ns1.skcstaffing.com - 87.117.245.9 - Email: [email protected]
UPDATED: Wednesday, February 24, 2010 - Another portfolio of typosquatted domains has been spamvertised. The already suspended domains are listed for historical OSINT analysis of this gang's activities.
Interestingly, their campaigns are lacking the quality assurance I'm used to see. For instance, the iFrame IP (109.95.114.251 /usa50/in.php) is currently down, with the malware itself, including the one that would have been dropped given the exploitation took place - have over 90% detectio rate, since the binaries were first analyzed a month ago - tax-statement.exe - Trojan-Spy.Win32.Zbot - 40/42 (95.24%); abs.exe - Packed:W32/Mufanom.A - Result: 38/42 (90.48%). The directory structure also remains the same - irs.gov.yrxc.kr/fraud.applications /application/statement.php
Domains portfolio, including name servers of notice are as follows:erdca.co.kr - Email: [email protected]
erdca.kr - Email: [email protected]
erdca.ne.kr - Email: [email protected]
erdca.or.kr - Email: [email protected]
erdcb.kr - Email: [email protected]
erdcd.kr - Email: [email protected]
erdce.co.kr - Email: [email protected]
erdce.kr - Email: [email protected]
erdce.ne.kr - Email: [email protected]
erdce.or.kr - Email: [email protected]
erdcq.kr - Email: [email protected]
erdcu.co.kr - Email: [email protected]
erdcu.kr - Email: [email protected]
erdcu.ne.kr - Email: [email protected]
erdcu.or.kr - Email: [email protected]
yrxc.co.kr - Email: [email protected]
yrxc.kr - Email: [email protected]
yrxc.or.kr - Email: [email protected]
yrxo.co.kr - Email: [email protected]
yrxo.kr - Email: [email protected]
yrxo.ne.kr - Email: [email protected]
yrxo.or.kr - Email: [email protected]
yrxs.co.kr - Email: [email protected]
yrxs.kr - Email: [email protected]
yrxs.ne.kr - Email: [email protected]
yrxs.or.kr - Email: [email protected]
rts1e3en.me.uk
rts1e3eq.me.uk
rts1e3ew.me.uk
rts1e3ex.me.uk
rts1e3ey.me.uk
rts1e3ez.me.uk
rts1e3eb.co.uk
rts1e3en.co.uk
rts1e3eq.co.uk
rts1e3er.co.uk
rts1e3ew.co.uk
rts1e3ex.co.uk
rts1e3ey.co.uk
rts1e3ez.co.uk
Name servers of notice:
ns1.skc-realty.com - 89.238.165.195 - Email: [email protected]
ns1.chinafromasia.com
UPDATED: Monday, February 22, 2010 - Another typosquatted domains portfolio is being spamvertised, including two new name servers, parked on the same IP where name servers from previous campaigns were hosted.
Typosquatted domains, and name servers of notice are as follows:dese.co.kr - Email: [email protected]
dese.kr - Email: [email protected]
dese.ne.kr - Email: [email protected]
dese.or.kr - Email: [email protected]
desr.co.kr - Email: [email protected]
desr.kr - Email: [email protected]
desr.or.kr - Email: [email protected]
desv.co.kr - Email: [email protected]
desv.kr - Email: [email protected]
desv.ne.kr - Email: [email protected]
desv.or.kr - Email: [email protected]
desx.co.kr - Email: [email protected]
desx.kr - Email: [email protected]
desx.ne.kr - Email: [email protected]
desx.or.kr - Email: [email protected]
edasa.co.kr
edasa.kr
edasa.ne.kr
edasa.or.kr
edase.co.kr
edase.kr
edase.ne.kr
edase.or.kr
edasn.kr
edasn.ne.kr
edasn.or.kr
edasq.co.kr
edasq.kr
edasq.ne.kr
edasq.or.kr
Name servers of notice:
ns1.silverbrend.net - 87.117.245.9 - Email: [email protected]
ns1.hourscanine.com - 87.117.245.9 - Email: [email protected]
UPDATED: Sunday, February 21, 2010 - The gang is currently spamming a phishing campaign -- no client-side serving iFrames found so far -- attempting to steal Google account and Blogspot accounting data. Given the fact that the gang is capable of generating hundreds of thousands of bogus accounts on their own, as well as buy them in bulk orders from vendors that have already built such an inventory across multiple social networking sites, the only logical reason for attempting to phish for such data would be to attempt to maliciously monetize the traffic of legitimate blogs.
The newly spamvertised domains, including a new name server are as follows:esub.co.kr - Email: [email protected]
esub.kr - Email: [email protected]
esub.ne.kr - Email: [email protected]
esug.co.kr - Email: [email protected]
esug.kr - Email: [email protected]
esug.ne.kr - Email: [email protected]
esuk.kr - Email: [email protected]
esuk.ne.kr - Email: [email protected]
esuk.or.kr - Email: [email protected]
esus.co.kr - Email: [email protected]
esus.kr - Email: [email protected]
esus.ne.kr - Email: [email protected]
esut.co.kr - Email: [email protected]
esut.kr - Email: [email protected]
esut.ne.kr - Email: [email protected]
ns1.nitroexcel.com - 89.238.165.195 (the same IP was also hosting the name server domains from previous campaigns) - Email: [email protected]
UPDATED: Saturday, February 20, 2010 - The client-side exploit serving iFrame directory has been changed to 91.201.196.101 /usasp11/in.php, with another typosquatted portfolio of domains currently being spamvertised.
Detection rates: update.exe - Trojan.Zbot - Result: 25/40 (62.5%) (phones back to trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: [email protected]); file.exe - Trojan.Spy.ZBot.12544.1 - Result: 26/41 (63.42%); ie.js - JS:CVE-2008-0015-G - Result: 14/40 (35%); ie2.js - Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5%); nowTrue.swf - Trojan.SWF.Dropper.E - Result: 24/41 (58.54%); pdf.pdf - Exploit.JS.Pdfka.bln - Result: 11/41 (26.83%); swf.swf - SWF/Exploit.Agent.BS - Result: 8/40 (20%).
Domain portfolio, name server of notice - ns1.vektoroils.net - 74.117.63.218 - Email: [email protected] :desa.co.kr - Email: [email protected]
desa.kr - Email: [email protected]
desa.ne.kr - Email: [email protected]
desa.or.kr - Email: [email protected]
desb.co.kr - Email: [email protected]
desb.kr - Email: [email protected]
desb.ne.kr - Email: [email protected]
desb.or.kr - Email: [email protected]
deso.kr - Email: [email protected]
deso.or.kr - Email: [email protected]
desv.kr - Email: [email protected]
desz.co.kr - Email: [email protected]
desz.kr - Email: [email protected]
desz.ne.kr - Email: [email protected]
desz.or.kr - Email: [email protected]
UPDATED: Wednesday, February 17, 2010 - The iFrame directory has been changed to 91.201.196.101 /usasp/in.php, detection rate for update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 17/40 (42.5%).
saqwk.co.kr - Email: [email protected]
saqwk.kr - Email: [email protected]
saqwk.ne.kr - Email: [email protected]
saqwk.or.kr - Email: [email protected]
saqwm.co.kr - Email: [email protected]
saqwm.kr - Email: [email protected]
saqwm.ne.kr - Email: [email protected]
saqwq.co.kr - Email: [email protected]
saqwq.kr - Email: [email protected]
saqwq.ne.kr - Email: [email protected]
saqwq.or.kr - Email: [email protected]
saqwz.co.kr - Email: [email protected]
saqwz.kr - Email: [email protected]
saqwz.ne.kr - Email: [email protected]
saqwz.or.kr - Email: [email protected]
As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts, kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains.
Sample campaign URLs from the PhotoArchive, SecretArchives themed campaign:
- archive .repok.or.kr/archive0714/[email protected]
- secretarchives .renyn.kr/archive0714/[email protected]
- secretfiles .repo1it.me.uk/archive0714/[email protected]
- secretarchives .renyn.ne.kr/archive0714/[email protected]
- postcards .repo1ix.co.uk/archive0714/[email protected]
Sample sub domain structure:
anonymousfiles .repo1i2.me.uk
archive .repo1iq.me.uk
archive .repo1it.me.uk
archives .repo1i1.me.uk
filearchive .repo1i1.me.uk
files .repo1it.me.uk
files .repo1ix.me.uk
files4friends .repo1it.me.uk
secretarchives .repo1iq.me.uk
secretarchives .repo1iw.me.uk
secretarchives .repo1ix.me.uk
secretfiles .repo1iq.me.uk
sendspace .repo1i2.me.uk
archive .repo1ix.co.uk
archives .repo1iq.co.uk
archives .repo1ix.co.uk
files .repo1iq.co.uk
files4friends .repo1ix.co.uk
incognito .repo1iq.co.uk
postcard .repo1iq.co.uk
postcard .repo1iw.co.uk
secretarchives .repo1iw.co.uk
www.irs.gov .repo1ix.co.uk
Embedded iFrame - 91.201.196.101 /ukasp/in.php (AS42229 (MARIAM-AS PP Mariam) attempts to exploit CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324. Upon successful exploitation, file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 12/41 (29.27%) is served. Just like the original update.exe - Trojan.Zbot - Result: 13/40 (32.50%) available as a manual download from the pages, both samples phone back to the well known elnasa.ru /asd/elnasa.ble - 109.95.114.71 - Email: [email protected] - Aleksey V Kijanskiy.
Naturally, AS42229 (MARIAM-AS PP Mariam) is a cybercrime-friendly AS, with the following currently active Zeus C&Cs parked there:
91.201.196.35
91.201.196.75
91.201.196.76
91.201.196.38
91.201.196.34
91.201.196.37
Sample URL from the IRS-themed campaign:
- irs.gov .renyn.kr/fraud.applications/application/statement.php
Sample iFrame from the IRS-themed campaign - 109.95.114.251 /usa50/in.php is currently down. The same IP was used to serve client-side exploits in a previous campaign - "Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams".
Detection rate for tax-statement.exe - Trojan-Spy.Win32.Zbot.gen - Result: 37/41 (90.25%), which upon execution phones back to the well known nekovo.ru /cbd/ nekovo.br - 109.95.115.18 - Email: [email protected] - Aleksey V Kijanskiy
Active and spamvertised fast-fluxed domains part of the campaign:renya.co.kr - Email: [email protected]
renya.kr - Email: [email protected]
renya.ne.kr - Email: [email protected]
renya.or.kr - Email: [email protected]
renyn.kr - Email: [email protected]
renyn.ne.kr - Email: [email protected]
renyn.or.kr - Email: [email protected]
renyo.co.kr - Email: [email protected]
renyo.kr - Email: [email protected]
renyo.ne.kr - Email: [email protected]
renyo.or.kr - Email: [email protected]
renyx.co.kr - Email: [email protected]
renyx.kr - Email: [email protected]
renyx.ne.kr - Email: [email protected]
renyx.or.kr - Email: [email protected]
rep021.co.kr - Email: [email protected]
rep021.kr - Email: [email protected]
rep021.ne.kr - Email: [email protected]
rep021.or.kr - Email: [email protected]
rep022.co.kr - Email: [email protected]
rep022.kr - Email: [email protected]
rep022.ne.kr - Email: [email protected]
rep022.or.kr - Email: [email protected]
rep023.co.kr - Email: [email protected]
rep023.kr - Email: [email protected]
rep023.or.kr - Email: [email protected]
rep024.kr - Email: [email protected]
rep071.co.kr - Email: [email protected]
rep071.kr - Email: [email protected]
rep071.ne.kr - Email: [email protected]
rep071.or.kr - Email: [email protected]rep072.co.kr - Email: [email protected]
rep072.kr - Email: [email protected]
rep072.ne.kr - Email: [email protected]
rep072.or.kr - Email: [email protected]
rep073.co.kr - Email: [email protected]
rep073.kr - Email: [email protected]
rep073.ne.kr - Email: [email protected]
rep073.or.kr - Email: [email protected]
rep074.co.kr - Email: [email protected]
rep074.ne.kr - Email: [email protected]
rep074.or.kr - Email: [email protected]
rep1051.co.uk
rep1051.me.uk
rep1051.org.uk
rep1051.uk.com
repak.co.kr - Email: [email protected]
repak.kr - Email: [email protected]
repak.ne.kr - Email: [email protected]
repak.or.kr - Email: [email protected]
repaz.co.kr - Email: [email protected]
repaz.kr - Email: [email protected]
repaz.or.kr - Email: [email protected]
repek.co.kr - Email: [email protected]
repek.ne.kr - Email: [email protected]
repek.or.kr - Email: [email protected]
repey.co.kr - Email: [email protected]
repey.kr - Email: [email protected]
repey.ne.kr - Email: [email protected]
repey.or.kr - Email: [email protected]
repia.co.kr - Email: [email protected]
repia.kr - Email: [email protected]
repia.ne.kr - Email: [email protected]
repia.or.kr - Email: [email protected]
repik.co.kr - Email: [email protected]
repik.kr - Email: [email protected]repik.or.kr - Email: [email protected]
repok.co.kr - Email: [email protected]
repok.kr - Email: [email protected]
repok.ne.kr - Email: [email protected]
repok.or.kr - Email: [email protected]
repoy.co.kr - Email: [email protected]
repoy.kr - Email: [email protected]
repoy.ne.kr - Email: [email protected]
repoy.or.kr - Email: [email protected]
repo1i1.co.uk
repo1i1.me.uk
repo1i2.co.uk
repo1i2.me.uk
repo1i3.co.uk
repo1ie.co.uk
repo1io.co.uk
repo1iq.co.uk
repo1iq.me.uk
repo1it.me.uk
repo1iw.co.uk
repo1iw.me.uk
repo1ix.co.uk
repo1ix.me.uk
Name servers of notice:
ns1 .skcrealestate.net - 89.238.165.195 - Email: [email protected]
ns1 .addressway.net - 89.238.165.195 - Email: [email protected]
ns1 .skcpanel.com - 64.20.42.235 - Email: [email protected]
ns1 .holdinglory.com - 64.20.42.235 - Email: [email protected]
ns1 .skcres.com - 64.20.42.235 - Email: [email protected]
ns1 .x-videocovers.net - 64.20.42.235 - Email: [email protected]
Interestingly, researchers from M86 Security gained access to the web malware exploitation kit used in a previous campaign:
"It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times. These downloads do not include the PhotoArchive.exe file downloads that a user may be tricked into downloading and executing themselves."
Updated will be posted as soon as new developments emerge.
Related coverage of the gang's previous campaigns:
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
No comments:
Post a Comment