Saturday, September 11, 2010

Summarizing 3 Years of Research Into Cyber Jihad


From the "been there, actively researched that" department.
  1. Tracking Down Internet Terrorist Propaganda
  2. Arabic Extremist Group Forum Messages' Characteristics
  3. Cyber Terrorism Communications and Propaganda
  4. A Cost-Benefit Analysis of Cyber Terrorism
  5. Current State of Internet Jihad
  6. Analysis of the Technical Mujahid - Issue One
  7. Full List of Hezbollah's Internet Sites
  8. Steganography and Cyber Terrorism Communications
  9. Hezbollah's DNS Service Providers from 1998 to 2006
  10. Mujahideen Secrets Encryption Tool
  11. Analyses of Cyber Jihadist Forums and Blogs
  12. Cyber Traps for Wannabe Jihadists
  13. Inshallahshaheed - Come Out, Come Out Wherever You Are
  14. GIMF Switching Blogs
  15. GIMF Now Permanently Shut Down
  16. GIMF - "We Will Remain"
  17. Wisdom of the Anti Cyber Jihadist Crowd
  18. Cyber Jihadist Blogs Switching Locations Again
  19. Electronic Jihad v3.0 - What Cyber Jihad Isn't
  20. Electronic Jihad's Targets List
  21. Teaching Cyber Jihadists How to Hack
  22. A Botnet of Infected Terrorists?
  23. Infecting Terrorist Suspects with Malware
  24. The Dark Web and Cyber Jihad
  25. Cyber Jihadist Hacking Teams
  26. Two Cyber Jihadist Blogs Now Offline
  27. Characteristics of Islamist Websites
  28. Cyber Traps for Wannabe Jihadists
  29. Mujahideen Secrets Encryption Tool
  30. An Analysis of the Technical Mujahid - Issue Two
  31. Terrorist Groups' Brand Identities
  32. A List of Terrorists' Blogs
  33. Jihadists' Anonymous Internet Surfing Preferences
  34. Sampling Jihadists' IPs
  35. Cyber Jihadists' and TOR
  36. A Cyber Jihadist DoS Tool
  37. GIMF Now Permanently Shut Down
  38. Mujahideen Secrets 2 Encryption Tool Released
  39. Terror on the Internet - Conflict of Interest
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Wednesday, September 08, 2010

Historical OSINT: Celebrities Death, Fedex Invoices, Office-Themed Malware Campaigns

As promised, this is a short historical OSINT post -- catching up is still in progress -- detailing the structure of several campaigns that took place throughout July-August 2010 and, as always, emphasizing their connections with historical malware campaigns profiled on my personal blog.

Campaigns of note include spamvertised "Celebrities death-themed emails", "FedEx shipment status-themed invoices", and "Office-themed documents".

Sample subjects:
Angelina Jolie died; Gwen Stefani died; Oprah Winfrey died; Tom Cruise died; Application; Thursday Journal Club; End Of Rotation; Abstracts; Project Declaration; Residency Happy Hour: SOP_POLICIES; Fwd: Updated Journal Club Handout

Sample attachments:
journal club articles.zip; Rotation Input Sheet.zip; ppi and c dif.zip; MSpeck.zip; ResidencyPrep.zip; speck Case presentation draft.zip; journal club template.zip

Detection rates, phone back URLs, and connections with previously profiled campaigns:
- news.exe - Trojan.Bredolab-993 - 40/43 (93.0%)
MD5: 44522def7cf2a42aa26f59c2ac4ced58
SHA1: 2f60531b6e33d842eba505f3c3cb81a3ff6e3e6a

- journal club articles.exe - Backdoor/Bredolab.edb - 41/43 (95.3%)
MD5: 72e90fd1264e731109d1b6b977b2c744
SHA1: 0a36b882d1b4d8b42cc466ec286e95bbb2e77d49

Upon execution, the samples phone back to:
188.65.74.161 /mrmun_sgjlgdsjrthrtwg.exe - AS42473 - DOWN
194.28.112.3 /outlook.exe - AS48691 - ACTIVE

- outlook.exe - TrojanSpy:Win32/Fitmu.A - 17/43 (39.5%)
MD5: 8f4eca49b87e36daae14b8549071dece
SHA1: 1d390e9f8d6e744ead58dd6c424581419f732498

Upon execution, the dropped sample phones back to:
cuscuss.com - 188.65.74.164 - Email: info@blackry.com


Responding to 188.65.74.164 at AS42473 are also:
wiggete.com - Email: info@blackry.com
depenam.com - Email: info@blackry.com
fishum.com - Email: info@blackry.com
blackry.com - Email: info@blackry.com

Two of the domains are known to have served client-side exploits, but the redirection currently returns an error: "Connect to 188.40.232.254 on port 80 ... failed".

- depenam .com/count22.php
- blackry .com/count21.php
    - vseohuenno .com/trans/b3/ - 188.40.232.254 - Email: latertrans@gmail.com

Also responding to 188.40.232.254 (AS24940) are the following command and control / client-side exploit serving domains:
gurgamer.com - (New IP: 86.155.172.30) Email: latertrans@gmail.com
moneybeerers.com - Email: latertrans@gmail.com
daeshnew.com - (New IP: 86.145.158.90) Email: latertrans@gmail.com
volosatyhren.com - Email: latertrans@gmail.com
vyebyvglaz.com - Email: latertrans@gmail.com
---------------------------------------------------------------------------------

- FedexInvoice_EE776129.exe - Win32/Oficla.LK - 41/43 (95.3%)
MD5: d4e2875127f5cbdf797de7f1417f96a7
SHA1: c2df8d8c178142ba7bee48dbf9a9f68c32a14f5e

Upon execution, the sample phones back to:
ilovelasvegas .ru/web/St/bb.php?v=200&id=636608811&b=24augNEW&tm= - 109.196.134.44, AS39150 - Email: vadim.rinatovich@yandex.ru. Parked on the same IP is x5vsm5.ru - Email: vadim.rinatovich@yandex.ru.

Where do we know the vadim.rinatovich@yandex.ru email from? From two previously profiled campaigns, "Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns" and "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign", both with a direct relationship to the Asprox botnet.


Friday, August 13, 2010

Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised .NL/.CH Sites


Monday, August 09, 2010

Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign


They are back again (Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails; Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign) for a fresh start of the week, with a currently ongoing spam campaign serving scareware and client-side exploits, using "Thank you for your payment"/"Thank you for your EXPRESS payment" themed subjects and impersonating popular brands such as Best Buy, Macy's, Target and Evite.

Let's dissect the campaign and its structure, emphasize the monetization strategy, and expose the complete portfolio of domains involved in the campaign.

Sample email:
"Subject: Thank you for your payment Don’t miss a thing – Add support@e.macys.com to your email address book! Click here if you are unable to see images in this email.

1. Sign in on macys.com at https://www.macys.com/myinfo/index.ognc
2. Click on “My Account” – “My Profile” at https://www.macys.com/myinfo/profile/index.ognc
3. Uncheck the box Receive email notification when statements are available to view online and when payments are due.
4. Click on “Update Profile”
5. Expect the change to take place in 3 days
©2009 macys.com Inc., 685 Market Street, Suite 800, San Francisco, CA 94105. All rights reserved.
"

Compared to previous campaigns, the directory structure of this one (fast-fluxed :8080/index.php?pid=10; maliciousurl.ru /QWERTY.js; maliciousurl.ru /ODBC.js; LAN.js; Access.js; End_User.js etc.) remains virtually the same, depending, of course, on the angle you choose for dissecting it.


Sample campaign structure:
- musicsgeneva.com /x.html - "PLEASE WAITING 4 SECOND..."
- opus22.org /x.html - "PLEASE WAITING 4 SECOND..."
- shamelessfreegift.com /x.html - "PLEASE WAITING 4 SECOND..."
- physicianschoiceonline.com /x.htm - "PLEASE WAITING 4 SECOND..."
    - baymediagroup .com:8080/index.php?pid=10 - client-side exploits - 188.165.95.133; 188.165.192.106; 91.121.108.61; 94.23.60.106; 178.32.5.233 - Email: fb@bigmailbox.ru
        - hoopdotami.cz .cc/scanner5/?afid=24 - 188.72.192.229 - scareware monetization

- Detection rate:
antivirus_24.exe - Trojan.Win32.FraudPack.berq - Result: 16/42 (38.1%)
File size: 166912 bytes
MD5...: b3cd297c654d3be52ffeb5f6a5ff13b4
SHA1..: bae889dd8ac7b22ec5f5649d6e0c073c8e2119d5

Upon execution, the sample phones back to:
httpsstarss.in /httpss/v=40&step=2&hostid= - 188.72.226.154 - Email: stevieksbaiz@hotmail.com
httpstatsconfig.com /getfile.php?r= - 204.12.226.173 - Email: httpstatsconfig.com@evoprivacy.com


Responding to 204.12.226.173 are also:
ns1.desktopsecurity2010ltd.com - Email: sixtakidlt2@hotmail.com
ns2.desktopsecurity2010ltd.com
www.desktopsecurity2010ltd.com
httpstatsconfig.com
ns1.httpstatsconfig.com
ns2.httpstatsconfig.com
desktopsecuritycorp.com
ns1.desktopsecuritycorp.com
ns2.desktopsecuritycorp.com


Domains using the same name server, ns1.freedomen.info - 209.85.99.32 - Email: mail@vetaxa.com
adsonlineinc.com - 66.96.239.86
picmonde.com - 94.228.220.93
bonblogger.com - 94.228.220.93
h2fastpornpics.com - 94.228.220.93
celebsfinectpics.com - 94.228.209.133 - Email: temp.for.loan@gmail.com
celebsfreeimages.com - 94.228.209.134 - Email: hannigey233@hotmail.com
picindividuals.com - 94.228.220.93
picbloggerprojet.com - 94.228.220.93
httpsstarss.in
hippocounter.info - 96.9.177.21
genesisbeta.net - 94.228.220.94


Name servers of notice:
ns1.getyourdns.com - 194.79.88.121
ns2.getyourdns.com - 77.68.52.52
ns3.getyourdns.com - 87.98.149.171
ns4.getyourdns.com - 66.185.162.248
ns1.instantdnsserver.com - 194.79.88.121 - Email: depot@infotorrent.ru
ns2.instantdnsserver.com - 77.68.52.52
ns3.instantdnsserver.com - 87.98.149.171
ns4.instantdnsserver.com - 66.185.162.248

Client-side exploits serving domains part of the campaign:
aquaticwrap.ru - Email: vibes@freenetbox.ru
aroundpiano.ru - Email: vibes@freenetbox.ru
baybear.ru - Email: vibes@freenetbox.ru
baymediagroup.com - Email: fb@bigmailbox.ru
bayjail.ru - Email: bushy@bigmailbox.ru
betaguy.ru - Email: vibes@freenetbox.ru
blockoctopus.ru - Email: semi@freenetbox.ru
budgetdude.ru - Email: totem@freenetbox.ru
chaoticice.ru - Email: vibes@freenetbox.ru
clannut.ru - Email: totem@freenetbox.ru
clockledge.ru - Email: totem@freenetbox.ru
coldboy.ru - Email: totem@freenetbox.ru
countryme.ru - Email: totem@freenetbox.ru
dayemail.ru - Email: totem@freenetbox.ru
diseasednoodle.ru - Email: vibes@freenetbox.ru
discountprowatch.com - Email: bike@fastermail.ru
dyehill.ru - Email: angles@fastermail.ru
easychurch.ru - Email: vibes@freenetbox.ru
economypoet.ru - Email: semi@freenetbox.ru
envirodollars.ru - Email: vibes@freenetbox.ru
forhomessale.ru - Email: dull@freemailbox.ru
galacticstall.ru - Email: vibes@freenetbox.ru
getyourdns.com - Email: fb@bigmailbox.ru
hairyartist.ru - Email: vibes@freenetbox.ru
lonelyzero.ru - Email: vibes@freenetbox.ru
lovingmug.ru - Email: vibes@freenetbox.ru
lowermatch.ru - Email: vibes@freenetbox.ru
luckyfan.ru - Email: vibes@freenetbox.ru
malepad.ru - Email: semi@freenetbox.ru
matchsearch.ru - Email: semi@freenetbox.ru
microlightning.ru - Email: vibes@freenetbox.ru
mindbat.ru - Email: semi@freenetbox.ru
mealpoets.ru - Email: totem@freenetbox.ru
nutcountry.ru - Email: dying@qx8.ru
obscurewax.ru - Email: vibes@freenetbox.ru
oceanobject.ru - Email: semi@freenetbox.ru
parkperson.ru - Email: semi@freenetbox.ru
penarea.ru - Email: dying@qx8.ru
ponybug.ru - Email: dying@qx8.ru
pocketbloke.ru - Email: angles@fastermail.ru
programability.ru - Email: dying@qx8.ru
rancideye.ru - Email: vibes@freenetbox.ru
rawscent.ru - Email: vibes@freenetbox.ru
recordsquare.ru - Email: totem@freenetbox.ru
rescuedtoilet.ru - Email: vibes@freenetbox.ru
riotassistance.ru - Email: angles@fastermail.ru
scarletpole.ru - Email: vibes@freenetbox.ru
secondgain.ru - Email: vibes@freenetbox.ru
shortrib.ru - Email: vibes@freenetbox.ru
slaveperfume.ru - Email: totem@freenetbox.ru
sodacells.ru - Email: dying@qx8.ru
smelldrip.ru - Email: totem@freenetbox.ru
starvingarctic.ru - Email: vibes@freenetbox.ru
stagepause.ru - Email: totem@freenetbox.ru
sweatymilk.ru - Email: vibes@freenetbox.ru
tartonion.ru - Email: vibes@freenetbox.ru
tunemug.ru - Email: tips@freenetbox.ru
wearyratio.ru - Email: vibes@freenetbox.ru
yummyeyes.ru - Email: vibes@freenetbox.ru

UPDATED: Thursday, August 12, 2010: Historical OSINT for client-side exploit serving domains part of Gumblar's campaigns for April/May 2010 using hostdnssite.com (Email: cop@qx8.ru) name server:
bestdarkman.info - Email: wwww@qx8.ru
bestwebclub.info - Email: asleep@5mx.ru
buyfootjoy.info - Email: mellow@5mx.ru
carswebnet.info - Email: mynah@freenetbox.ru
cityrealtimes.info - Email: asleep@5mx.ru
clandarkguide.info - Email: mellow@5mx.ru
clandarksky.info - Email: wwww@qx8.ru
darkangelcam.info - Email: mellow@5mx.ru
darkbluecoast.info - Email: wwww@qx8.ru
darksidenetwork.info - Email: mellow@5mx.ru
digitaljoyworld.info - Email: mellow@5mx.ru
eroomsite.info - Email: feint@qx8.ru
esunsite.info - Email: wwww@qx8.ru
extrafreeweb.info - Email: mynah@freenetbox.ru
feedandstream.info - Email: mynah@freenetbox.ru
gloomyblack.info - Email: wwww@qx8.ru
homesweetrv.info - Email: mynah@freenetbox.ru
indiawebnet.info - Email: mynah@freenetbox.ru
joylifein.info - Email: mellow@5mx.ru
joysportsworld.info - Email: mellow@5mx.ru
justroomate.info - Email: feint@qx8.ru
kenjoyworld.info - Email: mellow@5mx.ru
learnwebguide.info - Email: mynah@freenetbox.ru
luxurygenuine.info - Email: asleep@5mx.ru
myfeedsite.info - Email: feint@qx8.ru
newsuntour.info - Email: wwww@qx8.ru
oneroomhome.info - Email: feint@qx8.ru
realshoponline.info - Email: asleep@5mx.ru
redsunpark.info - Email: feint@qx8.ru
roomstoretexas.info - Email: feint@qx8.ru
suncoastatlas.info - Email: feint@qx8.ru
sunstarvideo.info - Email: feint@qx8.ru
supersunbeds.info - Email: feint@qx8.ru
superwebworld.info - Email: asleep@5mx.ru
sweetpeapots.info - Email: mynah@freenetbox.ru
sweetteenzone.info - Email: mynah@freenetbox.ru
thedarkwaters.info - Email: wwww@qx8.ru
thejoydiet.info - Email: mellow@5mx.ru
therealclamp.info - Email: drum@maillife.ru
thesunchaser.info - Email: wwww@qx8.ru
thesweetchild.info - Email: mynah@freenetbox.ru
theultimateweb.info - Email: asleep@5mx.ru
theyellowsun.info - Email: feint@qx8.ru
webguidetv.info - Email: asleep@5mx.ru
webnetenglish.info - Email: mynah@freenetbox.ru
yourprintroom.info - Email: feint@qx8.ru
yoursweetteen.info - Email: mynah@freenetbox.ru 
 

UPDATED: Friday, August 13, 2010:
The use of Yahoo Groups is still ongoing. Sample URL: groups.yahoo .com/group/nfldcsyi/message which includes a link to perfectpillcool .com:8080.

The campaign is ongoing, updates will be posted as soon as new developments emerge.


Monday, August 02, 2010

Summarizing Zero Day's Posts for July


The following is a brief summary of all of my posts at ZDNet's Zero Day for July, 2010. You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Recommended reading:
01. Image Gallery: June's cyber threat landscape
02. The Pirate Bay hacked through multiple SQL injections
03. Does Microsoft's sharing of source code with China and Russia pose a security risk?
04. Report: Apple had the most vulnerabilities throughout 2005-2010
05. Malware Watch: Malicious Amazon themed emails in the wild
06. RSA: Banking trojan uses social network as command and control server
07. Middle East countries: the BlackBerry is a national security threat
08. Image Gallery: Avast! Antivirus office in Prague, Czech Republic
09. Image Gallery: Introduction to Avast! Antivirus version 5.1
10. Image Gallery: The (European) Antivirus market - current trends
11. Google tops comparative review of malicious search results


Tuesday, July 20, 2010

ZeuS Crimeware Serving 123Greetings Ecard Themed Campaign in the Wild

Ubiquitous social engineering schemes never fade away. ZeuS crimeware campaigners are currently running a 123greetings.com ecard-themed campaign in an attempt to entice users to "enjoy their ecard".

Subject: "You have received an Greeting eCard"
Message: "Good day. You have received an eCard

To pick up your eCard, choose from any of the following options: Click on the following link (or copy & paste it into your web browser): matt-levine.com /ecard.exe; secondary URL offered: forestarabians.nl /ecard.exe Your card will be aviailable for pick-up beginning for the next 30 days. Please be sure to view your eCard before the days are up! We hope you enjoy you eCard. Thank You!
"

Detection rate:
- ecard.exe - Cryp_Zbot-12; Trojan/Win32.Vundo - Result: 9/42 (21.43%)
File size: 147968 bytes
MD5...: e6f3aa226bf9733b7e8c07cab339f4dc
SHA1..: e983767931900a13b88a615d6c1d3f6ff8fb6b60

Upon execution, the sample phones back to:
zephehooqu.ru /bin/koethood.bin - 77.78.240.115, AS42560 - Email: skit@5mx.ru
jocudaidie.ru /9xq/_gate.php - 118.169.173.218, AS3462 - Email: skit@5mx.ru - FAST-FLUXED
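The FAST-FLUXED label on the C&C above is something you can verify rather than take on trust. What follows is an added example, not code from the original post: it scores a domain from a run of consecutive A-record answers (each with the origin ASN attached, as a whois/BGP lookup would give it) on three signals together: churn across distinct IPs, spread across distinct ASNs and /16 prefixes, and a short TTL. The observations are constructed for the example: the first jocudaidie.ru answer and the zephehooqu.ru answer are the ones reported above, while the remaining jocudaidie.ru answers use RFC 5737 documentation addresses and RFC 5398 documentation ASNs to stand in for the rotating infected hosts. The thresholds are assumptions, not values from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """One A-record answer for a domain: the IP returned, its TTL, and the
    origin AS of that IP (as a BGP/whois lookup would report it)."""
    domain: str
    ip: str
    ttl: int
    asn: int


def flux_features(answers):
    """Summarise a run of consecutive answers for a single domain."""
    assert answers and len({a.domain for a in answers}) == 1
    return {
        "n_ip": len({a.ip for a in answers}),
        "n_asn": len({a.asn for a in answers}),
        # /16 diversity: flux nodes are infected home hosts scattered across
        # many access networks, while a hosting farm sits in one or two blocks
        "n_prefix16": len({".".join(a.ip.split(".")[:2]) for a in answers}),
        "min_ttl": min(a.ttl for a in answers),
    }


def is_fast_flux(answers, min_ips=5, min_asns=3, max_ttl=600):
    """Flag a domain whose answers churn across many IPs in many ASNs with a
    short TTL. The ASN requirement is what separates flux from a CDN, which
    also rotates low-TTL answers but only out of its own few ASNs.
    Thresholds are assumptions chosen for this example."""
    f = flux_features(answers)
    flagged = (f["n_ip"] >= min_ips and f["n_asn"] >= min_asns
               and f["min_ttl"] <= max_ttl)
    return flagged, f


# Constructed observations (not from the post): six queries spaced a few
# minutes apart. The first jocudaidie.ru answer is the one the post reports;
# the rest use RFC 5737 documentation addresses and RFC 5398 documentation
# ASNs to stand in for the churning infected hosts.
OBSERVED = {
    "jocudaidie.ru": [
        Answer("jocudaidie.ru", "118.169.173.218", 300, 3462),
        Answer("jocudaidie.ru", "192.0.2.17", 300, 64496),
        Answer("jocudaidie.ru", "198.51.100.9", 300, 64497),
        Answer("jocudaidie.ru", "203.0.113.201", 300, 64498),
        Answer("jocudaidie.ru", "192.0.2.88", 300, 64499),
        Answer("jocudaidie.ru", "198.51.100.143", 300, 64500),
    ],
    # the payload host from the post resolved to one IP with an ordinary TTL
    "zephehooqu.ru": [Answer("zephehooqu.ru", "77.78.240.115", 3600, 42560)] * 6,
}


def classify(observed=OBSERVED):
    """Map each observed domain to its fast-flux verdict."""
    return {d: is_fast_flux(a)[0] for d, a in observed.items()}


if __name__ == "__main__":
    for domain, answers in OBSERVED.items():
        flagged, feats = is_fast_flux(answers)
        print(f"{domain}: {'FAST-FLUX' if flagged else 'stable'} {feats}")
```

A single resolution tells you nothing; the signal is in repeated queries over an hour or so, ideally from more than one resolver so that a per-resolver cache does not hide the churn. Drop the ASN requirement and you will start flagging every large CDN.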

Multiple MD5s are also currently active at zephehooqu.ru.
Detection rates:
aimeenei.exe - Win32/Zbot.CJI - Result: 30/42 (71.43%)
File size: 149504 bytes
MD5...: 096b7e8c4f611f0eb69cfb776f3a0e7e
SHA1..: 909d7c2740f84599d5e30ffed7261e19ad4a962a

cahdoigu.exe - Mal/Zbot-U - Result: 27/42 (64.29%)
File size: 147968 bytes
MD5...: 11f9f96c17584a672c2a563744130a46
SHA1..: f31c40c5c766c7628023105be6f004e5322b17b6

koethood.exe - Troj/Zbot-SW - Result: 30/42 (71.43%)
File size: 147968 bytes
MD5...: da1979227141844be69577f7f31a7309
SHA1..: 5ada2c390e63ca051c9582fe723384ce52a45912

loobuhai.exe - BKDR_QAKBOT.SMB - Result: 33/42 (78.58%)
File size: 147968 bytes
MD5...: df4e19af8c356b3ff810bc52f6081ccc
SHA1..: d4a1d2f147ae0d24a3eaac66e8d2f9de50cf7a0c

oovaenai.exe - Packed.Win32.Katusha.j - Result: 32/42 (76.2%)
File size: 147456 bytes
MD5...: f0fd5579f06d5b581b5641546ae91d52
SHA1..: c81fa66c546020f3c1c34a0d1aa191b2d9578f07

quohthei.exe - Win32/Spy.Zbot.YW - Result: 33/42 (78.58%)
File size: 147968 bytes
MD5...: ffc0d66024f690e875638f4c33ba86f1
SHA1..: c958f3426a3e6fedd76b86a5aef16c90915ac539

sofeigoo.exe - Win32/Spy.Zbot.YW - Result: 31/42 (73.81%)
File size: 148992 bytes
MD5...: 45e98426fafd221ffb7d55ce8a1ae531
SHA1..: 8235b3a80ba6611779dfd4db40a48627af7374eb

teemaeko.exe - PWS:Win32/Zbot.gen!Y - Result: 32/42 (76.2%)
File size: 148992 bytes
MD5...: 9758f04d2f1bd664f37c4285a013372a
SHA1..: 4273dc48f9aeaf69cb7047c4a882af74479fb635

thaigogo.exe - Win32/Spy.Zbot.YW - Result: 34/42 (80.96%)
File size: 147968 bytes
MD5...: b667d75f5bb9f23a8ae249f7de4000a5
SHA1..: 7b57783dcf2aeaafbab3407bb608469851d342bb

ziejaing.exe - Trojan.Zbot.610 - Result: 30/42 (71.43%)
File size: 147456 bytes
MD5...: 7592e957de01e53956517097c0e9ccd8
SHA1..: e7c04d2c8c5d4a51e2615a2ee015d87d28655320


Related .ru cybercrime-friendly domains, sharing fast-flux infrastructure with this campaign's C&C:
adaichaepo.ru - Email: subtle@maillife.ru
aroolohnet.ru - Email: brawn@bigmailbox.ru
dahzunaeye.ru - Email: celia@freenetbox.ru
esvr3.ru - Email: bender@freenetbox.ru
hazelpay.ru - Email: owed@bigmailbox.ru
iesahnaepi.ru - Email: heel@bigmailbox.ru
iveeteepew.ru - Email: atomic@freenetbox.ru
jocudaidie.ru - Email: skit@5mx.ru
ohphahfech.ru - Email: warts@maillife.ru
railuhocal.ru - Email: celia@freenetbox.ru
sdlls.ru - Email: vc@bigmailbox.ru

Name servers of notice within the fast-flux infrastructure:
ns1.tophitnews.net - 74.122.197.22 - Email: worldchenell@ymail.com
ns2.tophitnews.net - 173.19.142.57
ns1.usercool.net - 74.122.197.22
ns2.usercool.net - 76.22.74.15
ns1.welcominternet.net - 74.54.82.223 - Email: admin@rangermadeira.com
ns2.welcominternet.net - 74.54.82.223
ns1.gamezoneland.com - 188.40.204.158 - Email: xtrail.corp@gmail.com
ns2.gamezoneland.com - 174.224.63.18
ns1.tropic-nolk.com - 188.40.204.158  - Email: greysy@gmx.com
ns2.tropic-nolk.com - 171.103.51.158
ns1.interaktivitysearch.net - 202.60.74.39 - Email: ssupercats@yahoo.com
ns2.interaktivitysearch.net - 202.60.74.39
ns1.openworldwhite.net - 202.60.74.39 - Email: xtrail.corp@gmail.com
ns2.openworldwhite.net - 43.125.79.23
ns1.helphotbest.net - Email: worldchenell@ymail.com

It gets even more interesting.  

greysy@gmx.com has already been profiled in an Avalanche botnet campaign that used TROYAK-AS's services at the time (The Avalanche Botnet and the TROYAK-AS Connection), and again in "TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad", where the same email was used to register a name server within the fast-flux infrastructure of the ZeuS crimeware's C&Cs.
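The greysy@gmx.com link just made, like the vadim.rinatovich@yandex.ru link in the FedEx invoice post earlier on this page, is a registrant-email pivot: a shared WHOIS contact, IP or name server ties otherwise unrelated domains into one cluster. The following is an added example, not code from the original posts, that does the pivoting mechanically. The records are transcribed from the name-server list above and from the FedEx and Xerox posts on this page (domain, attribute type, value); the bipartite graph, the connected-component clustering, the `noisy` exclusion set and the function names are mine. The exclusion set exists because some values link everything and mean nothing: a WHOIS privacy-proxy address, a shared-hosting or parking IP, a sinkhole. One such value would collapse every cluster into one false "gang".

```python
from collections import defaultdict, deque

# Indicators transcribed from the posts on this page as (domain, kind, value).
RECORDS = [
    ("tophitnews.net", "ip", "74.122.197.22"),
    ("tophitnews.net", "email", "worldchenell@ymail.com"),
    ("usercool.net", "ip", "74.122.197.22"),
    ("helphotbest.net", "email", "worldchenell@ymail.com"),
    ("gamezoneland.com", "ip", "188.40.204.158"),
    ("gamezoneland.com", "email", "xtrail.corp@gmail.com"),
    ("tropic-nolk.com", "ip", "188.40.204.158"),
    ("tropic-nolk.com", "email", "greysy@gmx.com"),
    ("openworldwhite.net", "ip", "202.60.74.39"),
    ("openworldwhite.net", "email", "xtrail.corp@gmail.com"),
    ("interaktivitysearch.net", "ip", "202.60.74.39"),
    ("interaktivitysearch.net", "email", "ssupercats@yahoo.com"),
    ("welcominternet.net", "ip", "74.54.82.223"),
    ("welcominternet.net", "email", "admin@rangermadeira.com"),
    # from the Xerox WorkCentre and FedEx invoice posts on this page
    ("hypervmsys.ru", "email", "vadim.rinatovich@yandex.ru"),
    ("ilovelasvegas.ru", "email", "vadim.rinatovich@yandex.ru"),
    ("ilovelasvegas.ru", "ip", "109.196.134.44"),
    ("x5vsm5.ru", "ip", "109.196.134.44"),
]


def build_graph(records, noisy=frozenset()):
    """Bipartite adjacency: ("domain", name) <-> (kind, value). Values in
    `noisy` (privacy-proxy e-mails, shared-hosting or sinkhole IPs) are not
    linked, but the domain node is still created so it is not lost."""
    adj = defaultdict(set)
    for domain, kind, value in records:
        d = ("domain", domain)
        adj[d]  # create the node even if every record for it is noisy
        if value in noisy:
            continue
        v = (kind, value)
        adj[d].add(v)
        adj[v].add(d)
    return adj


def clusters(adj):
    """Connected components, each returned as a sorted list of domains."""
    seen, out = set(), []
    for start in list(adj):
        if start in seen or start[0] != "domain":
            continue
        comp, q = set(), deque([start])
        seen.add(start)
        while q:
            n = q.popleft()
            comp.add(n)
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    q.append(m)
        out.append(sorted(n[1] for n in comp if n[0] == "domain"))
    return sorted(out)


def pivot_path(adj, a, b):
    """Shortest chain of shared indicators from domain a to domain b, or None.
    This is the 'why' an analyst has to write down when asserting a link."""
    src, dst = ("domain", a), ("domain", b)
    if src not in adj or dst not in adj:
        return None
    prev, q = {src: None}, deque([src])
    while q and dst not in prev:
        n = q.popleft()
        for m in adj[n]:
            if m not in prev:
                prev[m] = n
                q.append(m)
    if dst not in prev:
        return None
    path, n = [], dst
    while n is not None:
        path.append(n[1] if n[0] == "domain" else f"{n[0]}:{n[1]}")
        n = prev[n]
    return path[::-1]


if __name__ == "__main__":
    g = build_graph(RECORDS)
    for c in clusters(g):
        print(c)
    print(pivot_path(g, "tropic-nolk.com", "interaktivitysearch.net"))
```

Weight the pivots before you believe them: a shared registrant email on a throwaway provider is strong, a shared name server is moderate, a shared IP on its own is weak unless the host is small and dedicated. Passing the weak value through `noisy` is how you test whether a cluster survives without it.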


Monday, July 19, 2010

Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign


Over the weekend, a "Scan from a Xerox WorkCentre Pro" themed malware campaign relying on zip archives was actively spamvertised by cybercriminals seeking to infect gullible end users and corporate users alike.

What's particularly interesting about this campaign is the cocktail of malware dropped on infected hosts, including an Asprox sample (Money Mule Recruiters use ASProx's Fast Fluxing Services) and two separate samples of Antimalware Doctor.

- Sample subject: Scan from a Xerox WorkCentre Pro $9721130
- Sample message: "Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set Device Name: XRX2090AA7ACDB45466972. For more information on Xerox products and solutions, please visit http://www.xerox.com
"

- Detection rates:
- Xerox_doc1.exe - Trojan.Win32.Jorik.Oficla.bb - Result: 34/42 (80.96%)
File size: 30926 bytes
MD5...: 1d378a6bc94d5b5a702026d31c21e242
SHA1..: 545e83f547d05664cd6792e254b87539fba24eb9

- Xerox_doc2.exe - Trojan.Win32.Jorik.Oficla.ba - Result: 34/42 (80.96%)
File size: 43520 bytes
MD5...: 829c86d4962f186109534b669ade47d7
SHA1..: 5d3d02d0f6ce87cd96a34b73dc395460d623616e

The samples then phone back to the Oficla/Sasfis C&C at hulejsoops.ru/images/bb.php?v=200&id=554905388&b=avpsales&tm=3 - 91.216.215.66, AS51274 - Email: mxx3@yandex.ru, which periodically rotates three different executables served from the following URLs:

0815.ch /pic/view.exe
curseri.ch /pictures/securedupdaterfix717.exe
regionalprodukte-beo.ch /about/cgi.exe



Backup URLS:
leeitpobbod.ru/image/bb.php - 59.53.91.195, AS4134 - Email: mxx3@yandex.ru - dead response
loloohuildifsd.ru/image/bb.php - 68.168.222.158 - Email: mxx3@yandex.ru - dead response
nemohuildifsd.ru/image/bb.php - 59.53.91.195 (nemohuildiin.ru, russianmomds.ru), AS4134 - Email: mxx3@yandex.ru - dead response

Let's take a peek at the samples found within the C&C.

view.exe - Trojan.Win32.Jorik.Aspxor.e - Result: 11/42 (26.2%)
File size: 79360 bytes
MD5...: 5d296fe1ef7bf67f36fe9adb209398ee
SHA1..: 41b45bcd241cd97b72d7866d13c4a0eb6bf6a0ee


Upon execution, the sample phones back to well known Asprox C&Cs:
cl63amgstart.ru: 80/board.php - 91.213.217.4, AS42473 - Email: ssa1@yandex.ru
hypervmsys.ru: 80/board.php - 89.149.223.232 (hostagents.ru), AS28753 - Email: vadim.rinatovich@yandex.ru


Previously, all of the following Asprox domains, used exclusively for massive SQL injections, responded to 91.213.217.4:

webservicesbba.ru - Email: anrnews@mail.ru
webservicelupa.ru - Email: anrnews@mail.ru
webserivcekota.ru - Email: anrnews@mail.ru
webservicesrob.ru - Email: anrnews@mail.ru
webserivcezub.ru - Email: anrnews@mail.ru
webserviceforward.ru - Email: anrnews@mail.ru
webserivcessh.ru - Email: anrnews@mail.ru
webservicesmulti.ru - Email: anrnews@mail.ru
webservicezok.ru - Email: anrnews@mail.ru
webservicebal.ru - Email: anrnews@mail.ru
webservicefull.ru - Email: anrnews@mail.ru
webservicessl.ru - Email: anrnews@mail.ru
webserviceaan.ru - Email: anrnews@mail.ru
webservicedevlop.ru - Email: anrnews@mail.ru
webserviceftp.ru - Email: anrnews@mail.ru
hypervmsys.ru - Email: anrnews@mail.ru
webserviceget.ru - Email: anrnews@mail.ru
webserviceskot.ru - Email: anrnews@mail.ru
cl63amgstart.ru - Email: ssa1@yandex.ru
ml63amgstart.ru - Email: ssa21@yandex.ru
webservicesttt.ru - Email: anrnews@mail.ru
webservicenow.ru - Email: anrnews@mail.ru
webservicekuz.ru - Email: anrnews@mail.ru

Currently, the gang is migrating this infrastructure to 109.196.134.58, AS39150, VLTELECOM-AS VLineTelecom LLC, Moscow, Russia.

All of these domains and subdomains share the same js.js directory structure, which upon visiting loads URLs such as accesspad.ru :8080/index.php?pid=6; the rest of the domains share the same infrastructure as the ones profiled in the "Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails" post:

access.webservicebal.ru
admin.webserivcekota.ru
api.webserivcessh.ru
app.webserviceforward.ru
app.webservicesrob.ru
base.webserviceftp.ru
batch.webserviceaan.ru
batch.webservicebal.ru
bios.webservicesbba.ru
block.webserviceaan.ru
block.webservicesrob.ru
cache.webservicesbba.ru
cache.webservicesmulti.ru
chk.webservicezok.ru
cmdid.webserivcezub.ru
code.webservicesbba.ru
com.webserivcekota.ru
com.webservicedevlop.ru
ddk.webservicesrob.ru
default.webservicezok.ru
diag.webserviceftp.ru
direct.webserviceftp.ru
dll.webservicelupa.ru
drv.webservicebal.ru
drv.webservicesrob.ru
encode.webservicefull.ru
err.webserivcessh.ru
export.webservicedevlop.ru
ext.webserviceaan.ru
ext.webservicesbba.ru
file.webserivcekota.ru
file.webserivcessh.ru
filter.webservicedevlop.ru
font.webservicelupa.ru
gdi.webserviceftp.ru
get.webservicesbba.ru
go.webserivcekota.ru
go.webservicefull.ru
guid.webserivcezub.ru
hostid.webservicesbba.ru
hostid.webservicesmulti.ru
http.webserviceforward.ru
icmp.webservicesbba.ru
id.webserivcezub.ru
inf.webserviceaan.ru
info.webservicedevlop.ru
ini.webservicesrob.ru
ioctl.webservicedevlop.ru
kernel.webservicezok.ru
lan.webservicefull.ru
lan.webservicesbba.ru
lib.webservicebal.ru
lib.webserviceftp.ru
libid.webservicelupa.ru
load.webservicebal.ru
locate.webservicelupa.ru
log.webservicelupa.ru
log.webservicezok.ru
log-in.webservicessl.ru
manage.webservicesbba.ru
map.webserivcezub.ru
map.webservicedevlop.ru
media.webserviceftp.ru
mode.webservicelupa.ru
net.webservicebal.ru
netapi.webserviceaan.ru
netmsg.webserivcezub.ru
ns1.webservicelupa.ru
ns2.webservicelupa.ru
ntdll.webservicessl.ru
ntio.webservicelupa.ru
ntio.webservicezok.ru
obj.webservicesbba.ru
object.webserivcessh.ru
object.webservicesmulti.ru
oem.webservicebal.ru
offset.webservicefull.ru
ole.webservicesbba.ru
org.webservicesrob.ru
page.webserviceaan.ru
parse.webservicebal.ru
peer.webserviceaan.ru
pic.webservicesbba.ru
pool.webservicelupa.ru
port.webservicebal.ru
port.webservicesbba.ru
port.webservicessl.ru
proc.webserviceaan.ru
proc.webservicessl.ru
rdir.webserviceftp.ru
redir.webservicedevlop.ru
refer.webserivcezub.ru
reg.webserviceaan.ru
remote.webservicessl.ru
run.webserivcekota.ru
script.webserivcezub.ru
sdk.webserivcezub.ru
search.webserviceaan.ru
search.webservicedevlop.ru
setup.webserivcezub.ru
setup.webservicezok.ru
snmp.webserviceforward.ru
snmp.webservicesrob.ru
sslcom.webserivcessh.ru
sslcom.webservicesrob.ru
sslid.webserivcekota.ru
sslnet.webservicedevlop.ru
svc.webservicedevlop.ru
tag.webservicebal.ru
tag.webservicessl.ru
tid.webserviceftp.ru
time.webservicelupa.ru
udp.webserviceftp.ru
udp.webservicezok.ru
update.webserviceftp.ru
update.webservicefull.ru
url.webservicesbba.ru
url.webservicezok.ru
vba.webservicesrob.ru
vbs.webservicelupa.ru
ver.webserivcekota.ru
webserivcekota.ru
webserivcessh.ru
webserivcezub.ru
webserviceaan.ru
webservicebal.ru
webservicedevlop.ru
webserviceforward.ru
webserviceftp.ru
webservicefull.ru
webserviceget.ru
webservicelupa.ru
webservicesmulti.ru
webservicesrob.ru
webservicessl.ru
webservicezok.ru
win.webservicezok.ru
xml.webservicefull.ru



Getting back to the samples rotated by the original campaign's C&C, here are their detection rates and network interactions.

- Detection rates:
- securedupdaterfix717.exe - Trojan.Win32.FakeYak - Result: 22/42 (52.39%)
File size: 36864 bytes
MD5...: cd16d4c998537248e6d4d0a3d51ca6de
SHA1..: 7e36ef0ce85fac18ecffd5a82566352ce0322589

Phones back to:
s.ldwn.in/inst.php?fff=7071710000&saf=ru - 91.188.60.236 (updget.in; wordmeat.in), AS6851 - Email: feliciachappell@ymail.com
bootfree.in/ MainModule717release10000.exe - 194.8.250.207 (flowload.in; lessown.in; sstats.in), AS43134 - Email: feliciachappell@ymail.com
s.wordmeat.in/install.php?coid= - 91.188.60.236, AS6851 - Email: feliciachappell@ymail.com


- Detection rate for MainModule717release10000.exe
- MainModule717release10000.exe - Trojan:Win32/FakeYak - Result: 26/42 (61.90%)
File size: 1043968 bytes
MD5...: 3c30c62e9981bd86c5897447cb358235
SHA1...: 36bfc285a61bcb67f2867dd303ac3cefa0e490a0

Phones back to:
wordmeat.in - 91.188.60.236 - Email: feliciachappell@ymail.com
vismake.in - 91.188.60.236 - Email: keelingelizabeth@ymail.com

- Detection rate for the 3rd binary rotated in the original C&C:
- cgi.exe - Trojan.Inject.8960 - Result: 6/42 (14.29%)
File size: 62976 bytes
MD5...: 45c062490e0fc262c181efc323cb83ba
SHA1..: bff90630f2064d7bcc82b7389c2b8525ff960870

Phones back to:
musiceng.ru /music/forum/index1.php - 91.212.127.40, AS49087 - Email: ol.feodosoff@yandex.ru

The whole campaign is a great example of what cybercrime underground multitasking is all about. Moreover, it illustrates the interactions between the usual suspects, with the not so surprising appearance of the already profiled AS6851, BKCNET, Sagade Ltd.


Friday, July 16, 2010

Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails


And they're back (Gumblar, or RUmblar given the extensive use of .ru domains) for a decent start of the weekend, switching social engineering themes one more time, this time impersonating Amazon.com.
  •  NOTE: A summary of the malicious payload served will be posted at a later stage. Meanwhile, in order to facilitate a quicker response, a complete list of the participating domains will be disseminated to the appropriate parties.
- Sample subject: Amazon.com: Please verify your new e-mail address
- Sample message: "Dear email, You recently changed your e-mail address at Amazon.com. Since you are a subscriber of Amazon.com Delivers E-mail Subscriptions, you will need to verify your new e-mail address. Please verify that the e-mail address email belongs to you. You can click on the link below to complete the verification process. Alternatively, you can type or paste the following link into your Web browser: http://www.amazon.com"


Client-side exploitation is taking place through, for instance, crystalrobe.ru: 8080/index.php?pid=14 and hillchart.com: 8080/index.php?pid=14. As seen in previous campaigns, this one also shares an identical directory structure, such as:
malicious-domain.com :8080/index.php?pid=2
malicious-domain.com :8080/Notes1.pdf (Notes1-to-Notes10.pdf)
malicious-domain.com :8080/NewGames.jar
malicious-domain.com :8080/Games.jar
malicious-domain.com :8080/Applet1.html (Applet1-to-Applet10.html)
malicious-domain.com :8080/welcome.php?id=6&pid=1&hello=503


crystalrobe.ru :8080/index.php?pid=14
crystalrobe.ru :8080/jquery.jxx?v=5.3.4
crystalrobe.ru :8080/new/controller.php
crystalrobe.ru :8080/js.php
crystalrobe.ru :8080/welcome.php?id=6&pid=1&hello=503
crystalrobe.ru :8080/welcome.php?id=0&pid=1
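A directory structure this stable is exactly what a proxy-log rule set can key on, and the chain it describes (landing page, exploit file, welcome.php report) tells you more than any single URL does. The following is an added example, not code from the original post: a matcher over web-proxy log lines for the URL shapes reported on this page, namely the :8080 landing/exploit/report chain above, the Oficla/Sasfis bb.php?v=&id=&b=&tm= check-in from the Xerox and FedEx posts, the scanner5/?afid= scareware affiliate URL from the Best Buy/Macy's post, and the QWERTY.js/ODBC.js-style redirector scripts. The log lines and their format (timestamp, client, method, URL, status) are constructed; the rule names and the choice to require port 8080 for the exploit-kit rules are assumptions made to keep generic strings such as index.php?pid= from matching ordinary sites.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Each rule is (name, predicate) over a parsed URL `u` and its query dict `q`.
# The :8080 condition is an assumption tied to this campaign's hosting;
# without it index.php?pid= would match half the CMS installs on the web.
RULES = [
    ("ek_landing", lambda u, q: u.port == 8080 and u.path == "/index.php" and "pid" in q),
    ("ek_exploit", lambda u, q: u.port == 8080 and re.fullmatch(
        r"/(Notes\d+\.pdf|Applet\d+\.html|(New)?Games\.jar)", u.path) is not None),
    ("ek_report", lambda u, q: u.port == 8080 and u.path == "/welcome.php"
        and {"id", "pid"} <= set(q)),
    # Oficla/Sasfis check-in: bb.php with v, id, b and a (possibly empty) tm
    ("oficla_c2", lambda u, q: u.path.endswith("/bb.php")
        and {"v", "id", "b", "tm"} <= set(q)),
    ("scareware_aff", lambda u, q: "/scanner" in u.path and "afid" in q),
    ("js_redirector", lambda u, q: re.fullmatch(
        r"/(QWERTY|ODBC|LAN|Access|End_User|js)\.js", u.path) is not None),
]

# Constructed proxy log (not from the post): one client walking the whole
# exploit chain and checking in, one benign look-alike, one scareware visit.
LOG = """\
2010-07-19T10:02:11 10.1.2.33 GET http://crystalrobe.ru:8080/index.php?pid=14 200
2010-07-19T10:02:12 10.1.2.33 GET http://crystalrobe.ru:8080/jquery.jxx?v=5.3.4 200
2010-07-19T10:02:14 10.1.2.33 GET http://crystalrobe.ru:8080/Notes3.pdf 200
2010-07-19T10:02:15 10.1.2.33 GET http://crystalrobe.ru:8080/NewGames.jar 200
2010-07-19T10:02:19 10.1.2.33 GET http://crystalrobe.ru:8080/welcome.php?id=6&pid=1&hello=503 200
2010-07-19T10:03:40 10.1.2.33 GET http://hulejsoops.ru/images/bb.php?v=200&id=554905388&b=avpsales&tm=3 200
2010-07-19T10:05:00 10.1.2.57 GET http://www.example.com/index.php?pid=14 200
2010-07-19T10:05:03 10.1.2.57 GET http://www.example.com/reports/Notes3.pdf 200
2010-07-19T10:06:10 10.1.2.90 GET http://hoopdotami.cz.cc/scanner5/?afid=24 200
"""


def match(url):
    """Names of every rule the URL trips, in rule order."""
    u = urlsplit(url)
    # keep_blank_values so that a trailing 'tm=' still counts as a parameter
    q = parse_qs(u.query, keep_blank_values=True)
    return [name for name, pred in RULES if pred(u, q)]


def scan(log=LOG):
    """Return one (timestamp, client, rule, url) tuple per hit."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        for rule in match(url):
            hits.append((ts, client, rule, url))
    return hits


def probable_infections(hits):
    """Clients that walked the whole chain: landing, exploit file, then the
    welcome.php report. A landing hit alone is a block-list event; the full
    chain is what tells the responder which host actually ran the exploit."""
    per_client = defaultdict(set)
    for _, client, rule, _ in hits:
        per_client[client].add(rule)
    chain = {"ek_landing", "ek_exploit", "ek_report"}
    return sorted(c for c, rules in per_client.items() if chain <= rules)


if __name__ == "__main__":
    hits = scan()
    for h in hits:
        print(*h)
    print("probable infections:", probable_infections(hits))
```

The rules are deliberately structural (port, path shape, parameter set) rather than domain-based, because the domains rotate daily while the kit's layout does not. The trade-off is that a structural rule needs the context check to stay precise, which is why the example insists on the chain before calling a host infected.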



Client-side exploits serving domains (94.23.231.140; 91.121.115.208; 94.23.11.38; 94.23.224.221; 94.23.229.220) part of the campaign:
applecorn.com - Email: es@qx8.ru
areadrum.com - Email: qx@freenetbox.ru
busyspade.com - Email: baffle@freenetbox.ru
cafemack.com - Email: soy@qx8.ru
clanday.com - Email: elope@fastermail.ru
dnsofthost.com - Email: depot@infotorrent.ru
drunkjeans.com - Email: runway@5mx.ru
earlymale.com - Email: amply@maillife.ru
galslime.com - Email: soy@qx8.ru
gigasofa.com - Email: grind@fastermail.ru
hillchart.com - Email: soy@qx8.ru
hugejar.com - Email: runway@5mx.ru
ionicclock.com - Email: kin@maillife.ru
lasteye.com - Email: amply@maillife.ru
luckysled.com - Email: kin@maillife.ru
macrotub.com - Email: dodge@5mx.ru
oldgoal.com - Email: kin@maillife.ru
outerrush.com - Email: amply@maillife.ru
quietzero.com - Email: grind@fastermail.ru
radiomum.com - Email: es@qx8.ru
roundstorm.com - Email: es@qx8.ru
sadute.com - Email: grind@fastermail.ru
sheepbody.com - Email: es@qx8.ru
shinytower.com - Email: cord@maillife.ru
splatspa.com - Email: elope@fastermail.ru
tanspice.com - Email: dodge@5mx.ru
tanyear.com - Email: grind@fastermail.ru
tightsales.com - Email: runway@5mx.ru
tuneblouse.com - Email: es@qx8.ru
validplan.com - Email: dodge@5mx.ru
waxyblock.com - Email: cord@maillife.ru


allnext.ru - Email: swipe@maillife.ru
barnsoftware.ru - Email: people@bigmailbox.ru
bestbidline.ru - Email: jody@fastermail.ru
bestexportsite.ru - Email: orphan@qx8.ru
bittag.ru - Email: tips@freenetbox.ru
boozelight.ru - Email: ole@bigmailbox.ru
brandnewnet.ru - Email: orphan@qx8.ru
cangethelp.ru - Email: liver@freenetbox.ru
chainjoke.ru - Email: ole@bigmailbox.ru
comingbig.ru - Email: swipe@maillife.ru
countypath.ru - Email: liver@freenetbox.ru
crystalrobe.ru - Email: people@bigmailbox.ru
cupjack.ru - Email: tips@freenetbox.ru
dealyak.ru - Email: people@bigmailbox.ru
eyesong.ru - Email: tips@freenetbox.ru
familywater.ru - Email: ole@bigmailbox.ru
funsitedesigns.ru - Email: orphan@qx8.ru
galneed.ru - Email: people@bigmailbox.ru
girllab.ru - Email: tips@freenetbox.ru
greedford.ru - Email: ole@bigmailbox.ru
guntap.ru - Email: tips@freenetbox.ru
heroguy.ru - Email: ole@bigmailbox.ru
homecarenation.ru - Email: orphan@qx8.ru
homesitecam.ru - Email: orphan@qx8.ru
hookdown.ru - Email: crag@maillife.ru
horsedoctor.ru - Email: ole@bigmailbox.ru
jarpub.ru - Email: ole@bigmailbox.ru
liplead.ru - Email: ole@bigmailbox.ru
livesitedesign.ru - Email: orphan@qx8.ru
mansbestsite.ru - Email: orphan@qx8.ru
marketholiday.ru - Email: people@bigmailbox.ru
metalspice.ru - Email: ole@bigmailbox.ru
mingleas.ru - Email: crag@maillife.ru
motherfire.ru - Email: people@bigmailbox.ru


musicbestway.ru - Email: jody@fastermail.ru
musicsiteguide.ru - Email: crag@maillife.ru
netbesthelp.ru - Email: liver@freenetbox.ru
netwebinternet.ru - Email: dibs@freemailbox.ru
newagedirect.ru - Email: orphan@qx8.ru
newhomelady.ru - Email: orphan@qx8.ru
newinfoworld.ru - Email: orphan@qx8.ru
newworldunion.ru - Email: orphan@qx8.ru
ourfreesite.ru - Email: orphan@qx8.ru
panlip.ru - Email: tips@freenetbox.ru
pantscow.ru - Email: ole@bigmailbox.ru
problemdollars.ru - Email: people@bigmailbox.ru
raceobject.ru - Email: people@bigmailbox.ru
silencepill.ru - Email: ole@bigmailbox.ru
sisterqueen.ru - Email: ole@bigmailbox.ru
slaveday.ru - Email: ole@bigmailbox.ru
stareastwork.ru - Email: next@fastermail.ru
superblenderworld.ru - Email: crag@maillife.ru
superhoppie.ru - Email: soft@bigmailbox.ru
supertruelife.ru - Email: edsel@fastermail.ru
superwestcoast.ru - Email: crag@maillife.ru
theantimatrix.ru - Email: ole@bigmailbox.ru
tintie.ru - Email: swipe@maillife.ru
topmediasite.ru - Email: tips@freenetbox.ru
treecorn.ru - Email: tips@freenetbox.ru
trueblueally.ru - Email: soft@bigmailbox.ru
trueblueberyl.ru - Email: soft@bigmailbox.ru
tunemug.ru - Email: tips@freenetbox.ru
ushead.ru - Email: crag@maillife.ru
westbendonline.ru - Email: edsel@fastermail.ru
yaktrack.ru - Email: ole@bigmailbox.ru
yournewonline.ru - Email: orphan@qx8.ru
yourtolltag.ru - Email: orphan@qx8.ru
yourtruecrime.ru - Email: soft@bigmailbox.ru
zooneed.ru - Email: ole@bigmailbox.ru


Name servers of notice:
ns1.dnsofthost.com - 81.2.210.98
ns2.dnsofthost.com - 194.79.88.121
ns3.dnsofthost.com - 67.223.233.101
ns4.dnsofthost.com - 85.214.29.9

Although the NAUNET-REG-RIPN domain registrar has already registered over 100 ZeuS crimeware-friendly domains, there's little chance it will take action. Updates, including take down/remediation actions, will be posted as soon as they emerge.
