Sponsored by..

Showing posts with label Zbot. Show all posts
Showing posts with label Zbot. Show all posts

Tuesday 16 September 2014

"inovice 0293991 September" spam

This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.

Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September

Body text:
This email contains an invoice file attachment

The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54. The ThreatTrack report [pdf] and Anubis report show a series a DGA domains [pastebin]
 that are characteristic of Zbot, although none of these domains are currently resolving.

If your organisation can block .arj files at the mail perimeter then it is probably a good idea to do so.


Tuesday 5 November 2013

"ACH Notification : ACH Process End of Day Report" spam / ACAS1104201336289204PARA7747.zip

This fake ACH (or is it Paychex?) email has a malicious attachment:

Date:      Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
From:      "Paychex, Inc" [paychexemail@paychex.com]
Subject:      ACH Notification : ACH Process End of Day Report

Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@paychex.com during regular business hours.

Thank you for your cooperation.  
Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46. Automated analysis [1] [2] shows an attempted connection to slowdating.ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised.

The malware drops several files, including this one with a detection rate of 4/46 that also calls home to the same domain [1] [2]  and a payload file with another low detection rate of 5/46 that rummages through the system [1] [2]. The payload appears to be a Zbot variant.



Monday 29 July 2013

"Key Secured Message" spam / SecureMessage.zip

This spam has a malicious attachment:

Date:      Mon, 29 Jul 2013 06:08:44 -0800 [10:08:44 EDT]
From:      "Marcia_Manning@key.com" [Marcia_Manning@key.com]
Subject:      Key Secured Message

You have received a Secured Message from:

Marcia_Manning@key.com

The attached file contains the encrypted message that you have received. To decrypt the
message use the following password -  nC4WR706

To read the encrypted message, complete the following steps:

-  Double-click the encrypted message file attachment to download the file to your
computer.
-  Select whether to open the file or save it to your hard drive. Opening the file
displays the attachment in a new browser window.
-  The message is password-protected, enter your password to open it. This e-mail and any
attachments are confidential and intended solely for the addressee and may also be
privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received this
e-mail in error, please notify the sender
immediately, delete it from your system and do not copy, disclose or otherwise act upon
any part of this e-mail or its attachments.

If you have concerns about the validity of this message, please contact the sender
directly. For questions about Key's e-mail encryption service, please contact technical
support at 888.764.5844.

Copyright © 2013 KeyCorp®. All Rights Reserved

The attachment SecureMessage.zip contains an executable SecureMessage.exe which has to be unencrypted with the password supplied in the email (which is kind of stupid for a supposedly secure mail), and this has a VirusTotal detection rate of just 6/46.

The Malwr analysis shows that this is a pony/gate downloader, first downloading from [donotclick]webmail.alsultantravel.com/ponyb/gate.php on 198.57.130.34 (Unified Layer / Bluehost, US) and then downloading one of the following:

[donotclick]a1bridaloutlet.co.uk/aiswY6.exe (5/45)
[donotclick]www.giftedintuitive.com/kQYjoPqY.exe (11/46)
[donotclick]198.61.134.93/MM75.exe (5/45)
[donotclick]paulalfrey.com/guBwFA.exe (5/46)

Recommended blocklist:
198.57.130.34
198.61.134.93
webmail.alsultantravel.com
alsultantravel.com
webmail.alsultantravel.info
a1bridaloutlet.co.uk
giftedintuitive.com
paulalfrey.com

Friday 26 July 2013

Bank of America "Your transaction is completed" spam / payment receipt 26-07-2013.zip

This fake Bank of America spam has a malicious attachment:

Date:      Fri, 26 Jul 2013 15:50:32 +0200 [09:50:32 EDT]
From:      impairyd04@gmail.com
Subject:      Your transaction is completed

Transaction is completed. $09681416 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.

*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved  

There is an attachment payment receipt 26-07-2013.zip which in turn contains the executable file payment receipt 26-07-2013.exe. This appears to be a Zbot variant with a pretty low detection rate of 9/46 at VirusTotal.

The Malwr report is the most detailed for this sample, and Anubis also has some useful information. Of note is that there is network traffic to the following IPs that seem to be pretty common for this Zbot / Zeus variant:

14.97.179.244
46.48.148.147
67.140.85.16
71.43.167.82
77.242.55.214
89.40.177.36
93.126.38.211
99.72.61.142
99.116.158.19
99.120.1.3
107.217.117.139
178.238.233.29
183.11.30.252
184.147.56.198
186.136.173.245
186.59.228.111
187.214.26.20
190.36.95.118
190.239.109.160
194.36.163.54
201.153.236.237
208.115.110.218
210.213.137.50
217.92.30.173
219.92.103.31
220.246.38.109
223.204.40.170

UPDATE: 
In the first version of this list I accidentally included the following Google IPs. Don't block these:
173.194.70.94
173.194.70.103

Monday 13 May 2013

Something evil on 188.241.86.33

188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2].

This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach, else I would recommend blocking all the domains that are being abused:

01libertynet.fr.fo
0-film.com
100girlsfree.com
365conseils.net
4unblock.info
5becquet.fr.fo
6x0.fr
7eebr.com
8-cents.com
8cents.fr.fo
a2smadagascar.mg
abc-maroc.com
abcm-jeanpetit.eu
aberkane.org
abjworld.com
abkari.fr
abkaribrahem.com
abousajid.net
abshore.com
acabimport.fr
acajb.org
acgl-congo.com
acgl-congo.fr
achacunsoncartable.com
acl-africa.com
actionalternance.fr
activbold.com
acts42.fr
actu-assurance.com
actubuntu.fr.fo
actu-minecraft.com
garmonyoy.eu
gmzuwr.ru
harmonyoy.eu
hrgvrl.ru
kinyng.ru
luiwmt.ru
ntdsapi.com
ntimage.net
ntmsapi.net
olpnso.ru
pastaoyto.eu
piparse.com
plustab.net
polstore.net
puntooy.eu
pvzvnp.ru
rvwwko.ru
tpxhpz.ru
trlnps.ru
zuihwg.ru
zuknsr.ru

The full list of malicious domains that I can find are below, although I would not expect these to be comprehensive:
040071c6fea7a5bb.365conseils.net
040071c6fea7a5bb01510713050515418167059c09c0824647b0d28469f9a86.365conseils.net
0433a1152ec475d801921313051101474089711298c7e6a1fd7545bc5552d41.achacunsoncartable.com
0433a1152ec475d811601613051104237096368adea8ce55a82f4544fbc01c0.achacunsoncartable.com
0488a1ee2eff75e301425213050201233048184bab90de52abca095e43c0e9e.0-film.com
04bb718dfefca5e0.5becquet.fr.fo
04bb718dfefca5e001607913050610062053256cc4d0ecce785bc8e30493292.5becquet.fr.fo
04cc71bafe5ba5470150421305111855518829847e724828b3c53aec8153583.acts42.fr
157790811f40445c.acajb.org
157790811f40445c01601013051008229123947a4ec000bad7503601a8b8345.acajb.org
157790811f40445c016138130510070780741784317a42a2bccfff6c9b9b979.acajb.org
157790811f40445c019162130510065681946385f315786814d0cea69ce8664.acajb.org
15bba06d2f1c7400.6x0.fr
15bba06d2f1c740001620213050615286119192adfefaf19e4e8a5586a6dd7e.6x0.fr
15ff3069bf78e464.01libertynet.fr.fo
15ff3069bf78e4640110311305011655920288060206a1a1261478459ff3e75.01libertynet.fr.fo
15ff3069bf78e4640142371305011633812870254adfea351ba45ccd84b6ed9.01libertynet.fr.fo
15ffa0792ff874e4.8-cents.com
15ffa0e92f18740401401013051215157128702d9606903880327e698feccbe.actu-minecraft.com
15ffa0e92f1874040141021305121800510682957d930ed7606e94e5678e741.actu-minecraft.com
15ffa0e92f187404014185130512171461299704fdc6792b87c632c2dc8ea0b.actu-minecraft.com
260093561ce747fb.abousajid.net
260093561ce747fb0140101305091529613535950ae91792a9d74ca508e99ad.abousajid.net
260093561ce747fb01603113050915274112535b852cc96df15044d0c5bab97.abousajid.net
26bb633dec4cb75001620213050607357124264d8f6315b9f394ea624df9b66.4unblock.info
26bb633dec4cb75011613913050607052045014adf4c310b3e0bdc47f2861d7.4unblock.info
26bb633dec4cb750116139130506075451302874ade020351e0c39fd5a78c27.4unblock.info
26cc33cabc2be737.actionalternance.fr
26cc33cabc2be73701612213051111086088443c09a6c2cac05c63f7129fe6a.actionalternance.fr
26cc33cabc2be73711601013051110582102074d8f6315c81c1d1cdcd96f60e.actionalternance.fr
26ff93b91cb847a4.100girlsfree.com
26ffa3892c787764019185130512123091695955dc240716cf6878a05b14ee3.actu-minecraft.com
378852cedd4f8653015013130507031910377234406e79b09f6cd6bc3f531b4.8-cents.com
3788a28e2d1f760301404913050802257090662bc33361ff65bce2fa3130839.8cents.fr.fo
40bb751dfa9ca180.8-cents.com
517794411bd040cc.100girlsfree.com
620007168887d39b0141851305072124915913454b8c0a26fb88da3bde7a868.8-cents.com
620007168887d39b01918513050722262103342525b024b1b95bf7573a67195.8-cents.com
623307c58864d378.abc-maroc.com
62333795a894f38801400913051305512080201a47fe7464fbbe561520e01bc.actu-minecraft.com
62333795a894f38801603113051303131041527adf4c310ff3253949005312c.actu-minecraft.com
62446762e8c3b3df.a2smadagascar.mg
62ff57f9c8f893e4.actu-minecraft.com
7344966219c342df.aberkane.org
73cca65a29eb72f7.abshore.com
73cca65a29eb72f701512413050919272107463ccba6e6189fc6986eb8f2d7c.abshore.com
73cca65a29eb72f701601013050919063097002c09c2522cddbf7f407171835.abshore.com
73ff2629a9d8f2c4.actu-minecraft.com
73ff2629a9d8f2c4014010130512092430878098d3a2e5e755dff1f2afa2bf8.actu-minecraft.com
73ffc65949981284.100girlsfree.com
8c443932b693ed8f11601013050822381104927d18d35b903767ba446417aca.aberkane.org
8cffe9c966783d64.abkaribrahem.com
8cffe9c966783d6401401013050909354101757b20d50dc4a53c3f60028ce42.abkaribrahem.com
8cffe9c966783d64015129130509101070859078f510042f6ec44d7e433dae2.abkaribrahem.com
9d3358f5d7848c98.7eebr.com
9d3358f5d7848c9801120213050617401078933d8645f3e106c2cfc1598a843.7eebr.com
9d7718418740dc5c.actu-minecraft.com
9d77b8b137606c7c.acgl-congo.fr
9d77b8b137606c7c01512913051017572124898c056644eb855f5a4b166d2b9.acgl-congo.fr
9d88a81e27af7cb3.abkaribrahem.com
9dbb984d17cc4cd01160101305062232917783743db39d1cf46f37b436dd266.8-cents.com
9dbbb80d37ac6cb0015186130508121671023918f51f80188036111f6dc1f72.a2smadagascar.mg
aeff6b49e4a8bfb4015258130512004781489908ea4b42446e65516bff5ab95.actu-assurance.com
aeff6b49e4a8bfb411601613051200491038674c7b4814aa786570ce3c5098f.actu-assurance.com
bf008a6605f75eeb014010130507173520947835ffc0f0fb081b68065c7e066.8-cents.com
bf008a6605f75eeb01412613050720045090345594f60a636367054ee54e604.8-cents.com
bf33fa7575d42ec8.abc-maroc.com
bf33fa7575d42ec801401013050814009075129bad428136689be7a7da2e9cb.abc-maroc.com
bf33fa7575d42ec8014086130508152020843224d40b5b7505fae9f56aea685.abc-maroc.com
bf33fa7575d42ec801510713050813215101440d61264b31e2cab4662a78b84.abc-maroc.com
bf33fa7575d42ec8016010130508150860906628cb9bce1fcee0c3f22846b31.abc-maroc.com
bf77da9155000e1c.100girlsfree.com
bfbbfaed65ec3ef0.100girlsfree.com
bfccba4a359b6e87.acgl-congo.com
bfccba4a359b6e87014075130510163331172904d4082d81aa81553b5898a2f.acgl-congo.com
bfccba9a259b7e87014010130512212151534285c4d64918e520db9a4a99c7a.actu-minecraft.com
c833cdf542641978.8-cents.com
c833cdf54264197801423713050716106092564c3e2cfb86aac81596dd164e8.8-cents.com
c833cdf542641978019037130507161140855905a1d39c59b9e2e19868866db.8-cents.com
c833fd7572942988014075130511135972133414d40dcf123ee454bb96f2478.activbold.com
c8777de1f220a93c.acajb.org
c8777de1f220a93c014237130510094241134864ffcf0d244b3e0d591c517c2.acajb.org
c8777de1f220a93c114181130510110690897115be0c137c3bfca9956675ebe.acajb.org
c8778d3102a059bc.100girlsfree.com
c8bbfd5d72ec29f0.100girlsfree.com
c8cc1d7a928bc997.actu-minecraft.com
c8cc1d7a928bc9970160931305121954723299543db39d15a4534253bd539f9.actu-minecraft.com
c8cc2deaa26bf977.8-cents.com
c8cc2deaa26bf97701112913050712338147722412926bcc5c4907c1308b240.8-cents.com
c8cc2deaa26bf9770140251305071408106561954a1b95da26542af79a4589c.8-cents.com
c8cc2deaa26bf977016185130507134131011234162579342dbc1f47b4f7fd2.8-cents.com
c8ff1d1992d8c9c4.acgl-congo.com
c8ff1d1992d8c9c401410113051011536170546863d58f33f68331b59ea7c90.acgl-congo.com
c8ff1d1992d8c9c401502213051013158117290d619001d01efd2a3e1b3f29b.acgl-congo.com
d900ac1623d778cb.acabimport.fr
d9442c22a383f89f01408613050902089060547bb26d67892ae078d34f997c1.abjworld.com
d9772c61a390f88c.100girlsfree.com
d9777cd1f360a87c.abkari.fr
d9bb3cfdb36ce870.8cents.fr.fo
d9cc9c8a137b4867.actubuntu.fr.fo
ea003fc6b017eb0b.acl-africa.com
ea003fc6b017eb0b0140551305110632611348655c9f49488e5a4ecb8292208.acl-africa.com
ea33af4520847b9811601013051002514098270cc4d0ed8f39b52f8e725fadc.acabimport.fr
ea776f71e0c0bbdc.abkari.fr
ea776f71e0c0bbdc01401013050912097090662863d2ab4a57e7f0a96b25cf1.abkari.fr
ea776f71e0c0bbdc01920213050913332090345d02caa653dae6865511b8036.abkari.fr
ea885f2ed0bf8ba301620213050804177079250c7c38ecdab30e8e836a60be8.8cents.fr.fo
ea885f2ed0bf8ba301620213050804285084005d073cf45420d7a00dd3d73a2.8cents.fr.fo
ea885f2ed0bf8ba311601013050802399148356d812e2a73d403f9c106d463c.8cents.fr.fo
ea886f6ee0efbbf3.8-cents.com
eacc6f4ae0ebbbf7.abcm-jeanpetit.eu
eacc6f4ae0ebbbf701401013050819143098587bcc05684f8eaabdbf34aacb5.abcm-jeanpetit.eu
eacc6f4ae0ebbbf7014098130508182081375786dd748438ddc6d700470919b.abcm-jeanpetit.eu
eacc6f4ae0ebbbf711601013050818299170546cc4d0ecc24766a4257413c24.abcm-jeanpetit.eu
fbbb6e6de11cba00.5becquet.fr.fo
fbbb6e6de11cba0011601013050614153074812c6661d86385ba30356756c7e.5becquet.fr.fo
garmonyoy.eu
gmzuwr.ru
harmonyoy.eu
hrgvrl.ru
kinyng.ru
luiwmt.ru
ntdsapi.com
ntimage.net
ntmsapi.net
olpnso.ru
pastaoyto.eu
piparse.com
plustab.net
polstore.net
puntooy.eu
pvzvnp.ru
rvwwko.ru
tpxhpz.ru
trlnps.ru
zuihwg.ru
zuknsr.ru

Tuesday 16 April 2013

"Fiserv Secure Email Notification" spam

This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.


From: Fiserv Secure Notification [mailto:secure.notification@fiserv.com]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5


You have received a secure message

Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password -  KsUs3Z921mA

To read the encrypted message, complete the following steps:

 -  Double-click the encrypted message file attachment to download the file to your computer.
 -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
 -  The message is password-protected, enter your password to open it.

To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).

At the time of writing, VirusTotal results are just 5/46. The Comodo CAMAS report is here, the ThreatExpert report here and the ThreatTrack sandbox report can be downloaded from here (this is the most detailed one). This seems to be a Zbot variant.


The bad IPs involved are:
50.116.15.209 (Linode, US)
62.103.27.242 (OTEnet, Greece)
78.139.187.6 (Caucasus Online Ltd, Georgia)
87.106.3.129 (1&1, Germany)
108.94.154.77 (AT&T, US)
117.212.83.248 (BSNL Internet, India)
120.61.212.73 (MTNL, India)
122.165.219.71 (ABTS Tamilnadu, India)
123.237.187.126 (Reliance Communications, India)
176.73.145.22 (Caucasus Online Ltd, Georgia)
186.134.148.36 (Telefonica de Argentina, Argentina)
190.39.197.150 (CANTV Servicios, Venezuela)
195.77.194.130 (Telefonica, Spain)
199.59.157.124 (Kyvon, US)
201.211.224.46 (CANTV Servicios, Venezuela)
212.58.4.13 (Doruknet, Turkey)

Recommended blocklist:
korbi.va-techniker.de
mail.yaklasim.com
phdsurvey.org
vbzmiami.com
user1557864.sites.myregisteredsite.com
50.116.15.209
62.103.27.242
78.139.187.6
87.106.3.129
108.94.154.77
117.212.83.248
120.61.212.73
122.165.219.71
123.237.187.126
176.73.145.22
186.134.148.36
190.39.197.150
195.77.194.130
199.59.157.124
201.211.224.46
212.58.4.13

Wednesday 13 March 2013

Zbot sites to block 13/3/13

These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something.

76.185.101.239
77.74.197.190
89.202.183.27
89.253.234.247
201.236.78.182
218.249.154.140
aesssbacktrack.pl
beveragerefine.su
dinitrolkalor.com
dugsextremesda.su
establishingwi.su
eurasianpolicy.net
euroscientists.at
ewebbcst.info
fireinthesgae.pl
girdiocolocai.com
machinelikeleb.su
mixedstorybase.su
satisfactorily.su
smurfberrieswd.su
sputtersmorele.pl
suggestedlean.com
trashinesscro.com
upkeepfilesyst.su

URLs seen:
[donotclick]beveragerefine.su/hjz/file.php
[donotclick]euroscientists.at/hjz/file.php
[donotclick]machinelikeleb.su/fiv/gfhk.php
[donotclick]mixedstorybase.su/hjz/file.php
[donotclick]satisfactorily.su/hjz/file.php
[donotclick]smurfberrieswd.su/hjz/file.php

And for the record, those IPs belong to:
76.185.101.239 (Road Runner, US)
77.74.197.190 (UK Dedicated Servers, UK)
89.202.183.27 (Interoute / PSI, UK)
89.253.234.247 (Rusonyx, Russia)
201.236.78.182 (Municipalidad De Quillota, Chile)
218.249.154.140 (Beijing Zhongbangyatong Telecom, China)

Monday 28 January 2013

Zbot sites to block 28/1/13

These domains and IPs are currently acting as C&C and distribution servers for Zbot. I would advise blocking these IPs and domains if you can.

There are three parts to the list: IPs with hosting company names, plain IPs for copy-and-pasting and domains identified on these servers.

5.45.181.164 (Bradler & Krantz, Germany)
5.175.148.207 (GHOSTnet, Germany)
24.126.203.109 (Comcast, US)
31.170.106.13 (Bradler & Krantz, Germany)
37.26.244.86 (Digicube, France)
37.59.76.3 (OVH, Netherlands)
42.96.136.158 (Alibaba, China)
43.101.119.123 (Kokusai-kougyou-kanda Bldg., Japan)
46.249.46.182 (Serverius, Netherlands)
50.19.77.237 (Amazon, US)
50.31.99.126 (Steadfast Networks, US)
59.90.147.31 (BSNL Internet, India)
59.167.120.210 (Internode, Australia)
64.221.210.108 (XO Communications, US)
69.65.47.245 (Bodhost, US)
69.85.92.155 (Hostigation, US)
72.66.16.146 (Verizon, US)
73.123.5.128 (Comcast, US)
80.152.149.121 (Deutsche Telekom, Germany)
84.253.2.244 (Cybernet, Switzerland)
85.93.219.253 (Visual Online, Luxembourg)
88.88.101.162 (Telenor Norge, Norway)
91.121.248.127 (OVH, Spain)
92.21.156.70 (TalkTalk, UK)
92.146.246.96 (France Telecom, France)
93.92.207.86 (Saint-Petersburg Computer Networks Ltd, Russia)
94.76.234.163 (Simply Transit, UK)
95.225.161.106 (Telecom Italia, Italy)
99.169.151.134 (SBC Internet Services, US)
101.89.80.132 (China Telecom, China)
115.153.226.65 (China Telecom, China)
118.41.184.73 (Kornet, Korea)
119.252.162.18 (Comnets Plus, Indonesia)
123.224.196.84 (Open Computer Network, Japan)
125.63.91.52 (Spectra ISP, India)
128.32.149.121 (University Of California, US)
141.0.176.155 (Avantel, Russia)
141.0.176.231 (Avantel, Russia)
159.253.20.217 (FastVPS, Estonia)
166.111.143.248 (Tsinghua University, China)
173.213.112.245 (Eonix Corporation, US)
176.56.229.201 (RouteLabel, Netherlands)
184.82.187.181 (HostNOC, US)
189.75.96.19 (Brasil Telecom, Brazil)
193.254.233.242 (Teleradiocompany Soniko-Svyaz Ltd, Ukraine)
202.57.189.141 (Internet Service Provider Co. Ltd., Thailand)
209.207.112.195 (Treasuremart, Canada)
210.56.15.19 (COMSATS, Pakistan)
211.20.45.138 (Chunghwa Telecom, Taiwan)
216.224.176.47 (Earthlink, US)

5.45.181.164
5.175.148.207
24.126.203.109
31.170.106.13
37.26.244.86
37.59.76.3
42.96.136.158
43.101.119.123
46.249.46.182
50.19.77.237
50.31.99.126
59.90.147.31
59.167.120.210
64.221.210.108
69.65.47.245
69.85.92.155
72.66.16.146
73.123.5.128
80.152.149.121
84.253.2.244
85.93.219.253
88.88.101.162
91.121.248.127
92.21.156.70
92.146.246.96
93.92.207.86
94.76.234.163
95.225.161.106
99.169.151.134
101.89.80.132
115.153.226.65
118.41.184.73
119.252.162.18
123.224.196.84
125.63.91.52
128.32.149.121
141.0.176.155
141.0.176.231
159.253.20.217
166.111.143.248
173.213.112.245
176.56.229.201
184.82.187.181
189.75.96.19
193.254.233.242
202.57.189.141
209.207.112.195
210.56.15.19
211.20.45.138
216.224.176.47

advstar.com
aldio.ru
askwhite.net
atkit.ru
autocanonicals.com
billablelisten.pl
bioshift.net
boxtralsurvisv.pl
cflyon.ru
cipriotdilingel.ru
confloken.ru
dinitrolkalor.com
dobar.pl
dqnouce.ru
encounterkaspe.pl
evamaro.ru
fearedembracin.su
fitoteafclope.pl
gellax.com
haicut.com
htimemanagemen.su
indianayellow.net
infocyber.pl
jintropictonic.pl
kcrio-oum.com
litfors.com
mypicshare.net
namelesscorn.net
netfest.pl
ntrolingwhitel.pl
orlandotenerife.net
phicshappening.com
photoshopya.net
porkystory.net
quliner.ru
rolino.pl
sadertokenupd.ru
secmicroupdate.ru
secondhandfurnitur.com
seldomname.com
sminiviolatede.pl
stadionservisecheck.ru
steppinglegalzoom.com
stockanddraw.net
suggestedlean.com
svictrorymedia.ru
trainyardscree.pl
uawxaeneh.com
usergateproxy.net
weatherrecord.net
widexsecconnect.ru
youhavegomail.com

Monday 1 October 2012

Something evil on 82.165.38.206

There's something evil on 82.165.38.206 (1&1, Germany).. Zbot, basically. The WHOIS details are refreshingly honest about the intent of the evil domains on the server. There are some legitimate domains as well, so it looks like a hacked server.

Probably NOT EVIL:
athentours.de
beachhandball-camp.com
beachhandball-camp.de
beachhandball-camps.com
beachhandball-camps.de
beachhandballcamp.com
beachhandballcamp.de
beachhandballcamps.com
beachhandballcamps.de
ferienwerk-muenchen.com
ferienwerk-muenchen.de
gosurfcamps.de
h2o-beachhandballcamp.com
h2o-beachhandballcamp.de
h2o-beachhandballcamps.com
h2o-beachhandballcamps.de
h2o-camp.com
h2o-camp.de
h2o-camps.com
h2o-camps.de
h2obeachhandballcamp.com
h2obeachhandballcamp.de
h2obeachhandballcamps.com
h2obeachhandballcamps.de
h2ocamp.com
h2ocamp.de
h2ocamps.com
h2ocamps.de
jugendferienwerk-muenchen.com
jugendferienwerk-muenchen.de
jugendreisenbadenwuerttemberg.de
jugendreisenmuenchen.de
jugendreisenstuttgart.de
senior-surfcamp.com
senior-surfcamp.de
seniorsurfcamp.com
seniorsurfcamp.de
xn--ferienwerk-mnchen-e3b.com
xn--ferienwerk-mnchen-e3b.de
xn--jugendferienwerk-mnchen-tpc.com
xn--jugendferienwerk-mnchen-tpc.de
xn--jugendreisenmnchen-y6b.de

Probably EVIL:
coolgeneration31.org
hjdfhjpqhf52vzskdjui1231232.org
hjdfhjpqhf45vzskdjui123123.org
hjdfhjpqhf47vzskdjui123123.org
hjdfhjpqhf48vzskdjui123123.org
hjdfhjpqhf49vzskdjui123123.org
fd12fg333333.org
working-bhh555.org
ker234hdfa88a8.org
askd232ddsda.org
goldfishinsea.org
d34245f3d.org
d5bb8ae4ec63cf.org
kirvlingshoping.org
donalldakcll.org
freesalebigban.org
bigamadillo.org
analiz-pro.org
kunbengober.org
ddosmanager.org
mislimsip0tir.org
goyerbyhsjanhxas.org
frostbeulekommts.org
trinnitti-soft.org
frostbeulekommt.org
intelentbot.org
45a5ge5aert.org
matonyok-trust.org
bergfileorderingserv.org
mailforw.org
shcool2010.com
vikingwer10.com
vatind0.com
d3f78j9h8h321312nf0.com
revers1001.com
update-java01.com
zapas2011.com
frerestreetsw111.com
reserve14443211.com
vikingwer11.com
testforus7771.com
generaladvertising191.com
chicoracquetclub1.com
vmeste-mi-fruktoviy-sad1.com
hft2bnmkoedfsdfgfg5o1.com
slaviki-res1.com
blachervers-2.com
frerestreetsw112.com
for-advanced-cfg12.com
vxuservx222.com
zeppbrannigan22.com
verasertys22.com
kemebrremewrewroi6d3b3jb3b332.com
narawertyopsanzaol7632.com
ognenaiaduga2.com
doo1deivahn2.com
worldfierro2.com
trytokickmewhenimoneywwww2.com
domain510003.com
frerestreetsw113.com
34k5jh4kjh324h123.com
hhhhujnja23.com
vvverdasentarycoolnew12233.com
jrykj233.com
fhb7654568768877dhfdbdjdeek677567433.com
znakizodiakapinger33.com
kilovattmegatonnsdor33.com
5qsx-v-b-f-r-we-4543-7767-4443.com
mjsdkflkblsdfbllalsdf777793.com
kemebrremewernrewroi43b3b3b3.com
kemebrremewrewroi43b3b3b3.com
kemebrmewernrewroi6nn3b3b3b3.com
kemebrmewernrewroi4367b3b3b3.com
sourtel3.com
hft2bnmkosdfgfg5o3.com
ffhsdf4747282e734723878784234.com
ipfff3444.com
bersiuzhuf0d9g8ghddee44.com
offirstactivityna4.com
ghgng43fgjl82309dfg8df4.com
just1tto2005.com
domain460015.com
kateserv29115.com
apre-delfud1-225.com
domain445725.com
lsazzzx45.com
2344292985375634367124i2443455.com
kateserv29175.com
234k23j4h3g5.com
mailwbg5.com
bejhjhbejr77eh5.com
mnn-gff-65-33-22-22-22-bve-6.com
mnn-gff-66nn-33-22-22-22-bve-6.com
freeroom66.com
xn3yy2uroomfdnew91c2v6.com
photox15serv257.com
matenixserv257.com
dtdtdtdouble6677.com
allbe777.com
testforus777.com
pxcallcentercareers77.com
galox29serv77.com
natenixserv77.com
for-advanced-cfg7.com
domain460018.com
ptichkaleti88.com
bngh77tutjt88.com
gssghgkio7erasdotaser8.com
679iss8.com
formul89.com
solnishko999.com
for-advanced-cfg9.com
switzern9.com
vikingwer9.com
jghrt9frgtr9.com
google-1aa.com
peuhiuyca.com
berkamifa.com
sjaprotecasga.com
iesiuzeiphae4xuoch1ahgha.com
mega-kreslo-suka.com
hahamanhanla.com
ywhzwhcnjmkj28888kljsdkkccnvma.com
abortinghomethinkanormall2116tv2dnvma.com
ywhzwhcnjmzmfdhd6em16tv2dnvma.com
islaantillana.com
leboj1ra.com
hahahayahooousa.com
pddonlinedata.com
reepta.com
teughoojaeghaopuegeudeeb.com
remainresetservweb.com
qsbj356jlkb33trhbj44dklasbkb.com
jsbjlsdjlkb234jblkba8899sjkb.com
srvpvrb.com
adobesystemcorporatecodec.com
icereserv-sec.com
minisystemic.com
meteosystemic.com
qlcombrasilmusic.com
ghsmaristic.com
celeron-mypc.com
krrhazvrjma8d.com
samecomandnetad.com
ommso99dd.com
freelinceradanced.com
hostedllinked.com
muiredised.com
336nnfbvdsfuoibvc6nn78fdhdffdgffd.com
kffkdmsdn3438nfd.com
nbguiewjmznejjcuaije2hd.com
dkjs8000sjdshd.com
oepjvondifnnkskfcxzvjiefrkd.com
nextcomesonlservbuild.com
bntuyahqpcmd.com
8hrhhhtt63639serd.com
eorjroijdojrd.com
goldharbord.com
vhklideomailasd.com
cerutedwestedltd.com
pokemonnertt345e.com
mylitlebusinessplace.com
ufoksuudservice.com
serokolservice.com
someadverdownservice.com
dst1-finance.com
mbnfinance.com
recruitadyfinance.com
zswealthlastsource.com
45gvvrfr665gbffbdtrtee.com
keticussorke.com
crewboddylifestyle.com
tuvnahdmcjrueifhgne.com
palecvzhope.com
sampeladvertisingbase.com
java-00update.com
direct-gate.com
quintaavenue.com
versnoteinluserve.com
mikrobnjnru7f.com
hgng44fgjl82509dfg83df.com
ywhzwskdjfgh3lkjhtkjsdfghu9w845tgdf.com
asdff23fsafasdfsdf.com
scvsmmdiocuhsdf.com
jdhfjksdhyurw89yurhksff.com
bedegiudmakkshhf.com
h88dfsdfrefmkf.com
ufhwf8093hrdsf.com
gsdfgd536fdg.com
entcrgmd3kvc2r6nwhfom215m22eg.com
aimsfg.com
y25qwrmzv6z3nwem5mnry21smg.com
eg4zxkydxjvsd21mzgldhzkxyz2ng.com
bdg8b70dgbng.com
nqpftydjfgbbbdlspyfng.com
justcheckping.com
ponibong.com
ualol3e3ejdh98hjd893h.com
aa9798ajgjghu87h.com
cocteil-malevich.com

Thursday 14 January 2010

More malicious OWA domains

In addition to these and these.

  • yht30.net.pl
  • yht36.com.pl
  • yht37.com.pl
  • yht38.com.pl
  • yht39.net.pl
  • yht3e.net.pl
  • yht3q.net.pl
  • yht3r.pl
  • yht3t.pl
  • yht3w.net.pl

Wednesday 13 January 2010

And there's more..

More domains relating to this Zbot attack:

  • ui7772.co.kr
  • ui7772.kr
  • ui7772.ne.kr
  • ui7772.or.kr
  • ui7772co.kr
  • ui777f.kr
  • ui777f.ne.kr
  • ui777f.or.kr
  • ui777for.kr
  • ui777l.co.kr
  • ui777l.co.kr
  • ui777lco.kr
  • ui777p.co.kr
  • ui777p.kr
  • ui777p.or.kr
  • vcrtp.eu
  • vcrtp1.eu
  • vcrtp21.eu
  • vcrtprsa21.eu
  • vcrtps21.eu
  • vcrtpsa21.eu
  • vcrtrsa21.eu
  • vcrtrsr21.eu
  • vcrtrsrp2.eu
  • vcrtrsrp21.eu

Convincing look OWA fake leads to PDF exploit

There are getting spammed out at the moment:

From: automailer@blahblah.blah [mailto:automailer@blahblah.blah]
Sent: 13 January 2010 11:08
To: Victim Username
Subject: The settings for the username@blahblah.blah mailbox were changed

Dear user of the blahblah.blah mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (username@blahblah.blah) settings were changed. In order to apply the new set of settings click on the following link:

http://blahblah.blah/owa/service_directory/settings.php?email=username@blahblah.blah&from=blahblah.blah&fromname=username

Best regards, blahblah.blah Technical Support.

Letter ID#NGTS7OTY8XPZX8FEUYTTTZ1PF

The displayed link isn't the actual link, underneath it points to something like:
http://blahblah.blah.vcrtp21.eu/owa/service_directory/settings.php?email=username@blahblah.bah&from=blahblah.blah&fromname=username

Clicking through the link takes you to a convincing looking OWA (Outlook Web Access) forgery page, populated with the victim's domain name and email address.

There are two exploits on the page, the first one is a drive-by download of an infected PDF file called pdf.pdf for which VirusTotal detection is only 10/41, detected by McAfee as Exploit-PDF.ac and various others. The executable file you are directed to download is also a bit patchy on detections.

Sender names include:
  • operator@
  • support@
  • notifications@
  • no-reply@
  • system@
  • alert@
  • info@
..all on your local domain, obviously.

Subjects include:
  • The settings for the blah@blah.blah mailbox were changed
  • The settings for the blah@blah.blah were changed
  • A new settings file for the blah@blah.blah mailbox
  • A new settings file for the blah@blah.blah has just been released
  • For the owner of the blah@blah.blah e-mail account
  • For the owner of the blah@blah.blah mailbox

Some domains in use on this are:
  • vcrtp1.eu
  • vcrtp21.eu
  • vcrtprsa21.eu
  • vcrtpsa21.eu
  • vcrtrsa21.eu
  • vcrtrsr21.eu
  • vcrtrsrp2.eu
  • vcrtrsrp21.eu
..there are probably many more of a similar pattern.

WHOIS details are fake:
Name:
Quezada, Ramon
Address:
1800 N. Bayshore Drive
33132 Roma
Roma
Italy
Email:
wawddhaepny@yahoo.com
Domains are on a fast flux botnet, so there's no point listing IPs. However, nameservers are as follows:
ns1.raddoor.com
84.243.201.159 [Netrouting Data Facilities, Amsterdam]
ns2.raddoor.com
71.123.51.158 [Verizon Internet Services Inc, Aston]
ns1.elkins-realty.net
84.243.201.159 [Netrouting Data Facilities, Amsterdam]
ns2.elkins-realty.net
71.123.17.61 [Verizon Internet Services Inc, Whitesboro]

Registrant details for raddoor.com are probably bogus:

edmund pang figarro77@gmail.com
751 kinau st. #30
honolulu
HI
96813
US
Phone: +1.8085362450
Registration details for elkins-realty.net are DEFINITELY bogus:
Name : B O
Organization : B O
Address : 123 elm str.
City : Los Angeles
Province/State : beijing
Country :
Postal Code : 23456
Phone Number : 86--8586104812
Fax : 86--8586104819
Email : BO.la@yahoo.com
Once your machine is infected, it probably gets infected with a Zbot variant as in these two previous examples.

Friday 20 November 2009

"please update your blah@blah.blab mailbox" spam

Another version of the Zbot trojan coming in via email, much like this one.

From: operator@blah.blah Sent: 20 November 2009 15:21
To: Blah

Subject: please update your blah@blah.blah mailbox


Dear owner of the blah@blah.blah mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:

http://accounts.blah.blah.verzzi.org.uk/webmail/settings/noflash.php?mode=standart&id=[snip]&email=blah@blah.blah

So far verzzi.co.uk and verzzi.org.uk seem to be domains that are used for this, there are probably many others.

Target page is a fake Flash download:

Target file is flashinstaller.exe with patchy or generic detection at best, according to VirusTotal.

ThreatExpert report is here which could be useful if you are trying to disinfect a machine.

When infected, the machine calls home to 193.104.27.42 in the Ukraine, allegedly belonging to "Vladimir Vasulyovich Kamushnoy" but that could be fake.

Fake WHOIS details for verzzi.co.uk and verzzi.org.uk:

Domain name:
verzzi.co.uk

Registrant:
Suzanne Mendez

Registrant type:
Non-UK Individual

Registrant's address:
Taylor Street Apt. 22
Wilrijk
2771
Belgium

Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:
Registered on: 18-Nov-2009
Renewal date: 18-Nov-2011
Last updated: 19-Nov-2009

Registration status:
Registration request being processed.

Name servers:
ns1.elkinsrealty.net
ns1.winderz.net
The Verzzi domains are hosted on a fast flux botnet, so the good news is that it won't be very reliable if some muppet DOES visit the site.

elkinsrealty.net is one nameserver domain, with obviously fake WHOIS details

Domain Name : elkinsrealty.net
PunnyCode : elkinsrealty.net
Creation Date : 2009-07-02 19:50:00
Updated Date : 2009-11-20 01:11:11
Expiration Date : 2010-07-02 19:49:56


Registrant:
Organization : Elkins Realty
Name : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101

Administrative Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com

Technical Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com

Billing Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com
And for Winderz.net:

Registrant:
R Opitz, Brian
341 Church Road
West Sunbury, PA 16061
US

Domain Name: WINDERZ.NET

Administrative Contact, Technical Contact:
R Opitz, Brian straus2009@live.com
341 Church Road
West Sunbury, PA 16061
US
7246372446


Record expires on 17-Nov-2010.
Record created on 17-Nov-2009.
Database last updated on 20-Nov-2009 10:46:04 EST.

Domain servers in listed order:

NS1.WINDERZ.NET 198.177.253.152
NS2.WINDERZ.NET 210.217.45.138
ns1.winderz.net and ns1.elkinsrealty.net are on 198.177.253.152 (Allerion Inc, Altlanta)
ns2.elkinsrealty.net is on 210.217.15.41 (Korea Telecom)
ns2.winderz.net is on 210.217.45.138 (Korea Telecom)

In this case the email "came" from operator@victimdomain - filtering your own domain at the gateway (or the "operator" address) could be useful.

Update: full list so far..
dirddrf.be
dlsports.be
ftpddrs.be
modertps.be
verzzi.co.uk
verzzi.org.uk
verzzq.co.uk
verzzq.me.uk
verzzq.org.uk
verzzg.co.uk
verzzg.me.uk
verzzg.org.uk
verzzm.co.uk
verzzm.me.uk
verzzm.org.uk
verzzn.co.uk
verzzn.me.uk
verzzn.org.uk


Thursday 12 November 2009

support@nacha.org: "Please review the transaction report"

This is the Zbot trojan or something, very much like this one.


From: Electronic Payments Association [mailto:support@nacha.org]
Sent: 12 November 2009 14:58

Subject: Please review the transaction report


Dear bank account holder,
The ACH transaction, recently initiated from your bank account (by you or any third party), was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

------------------------------------------------------------------
Copyright ©2009 by NACHA - The Electronic Payments Association



The underlying link goes to nacha.org.fffazsf.org.uk which is itself hosted on some sort of Fast Flux botnet. The landing page attempts to get a user to download report.exe ( a Zbot variant). It also opens an IFRAME to 121.12.170.177 in China, a well-known malware domain.



VirusTotal shows patchy detections, still being analysed by ThreatExpert.

The domain name registration is obviously fake:


Domain name: fffazsf.org.uk
Registrant:
Matthew Hughes
Registrant type:
Non-UK Individual
Registrant's address:
203 Striding Ridge Drive Goldsboro 3881 Belgium
Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:

Registered on: 12-Nov-2009

Renewal date: 12-Nov-2011
Last updated: 12-Nov-2009
Registration status:
Registration request being processed.
Name servers: ns1.pa-estate.com ns1.tradesdomains.net
Dig deeper at pa-estate.com and we see a familiar email address:

Name : Michell
Organization : Michell

Address : 8663 Sudley Road
City : Manassas
Province/State : beijing

Country : United States

Postal Code : 20108

Phone Number : 571-866-7585793

Fax : 571-866-7585793

Email : Michell.Gregory2009@yahoo.com


A Google Search for that address comes up with over 24,000 references!

tradesdomains.net is registered differently:

Dolorous Lane
fergunis@gmail.com

512 Stonegate Pl

Brentwood
TN

37027

US

Phone: +1.6155546664


ns1.pa-estate.com and ns1.tradesdomains.net are hosted at 207.210.101.253 (Global Net Access, LLC ) which also hosts puioypai.org which looks suspect too. ns2.tradesdomains.net is on 195.178.190.48 (Bahnhof Internet, Sweden).

Added: the email comes from several different addresses, including:
  • report@nacha.org
  • support@nacha.org
  • info@nacha.org
Subjects include:
  • Your ACH transaction was rejected by The Electronic Payments Association (NACHA)
  • Please review the transaction report
  • Your ACH transaction was rejected
Domains spotted so far:
  • nacha.org.tttteacf.co.uk
  • nacha.org.tttteacx.org.uk
  • nacha.org.redaczxm.me.uk
  • nacha.org.fffazsx.co.uk
Some additional nameservers:
  • ns1.pa-estate.net
  • ns1.video-format.com

Tuesday 13 October 2009

Piradius.net running Zbot infrastructure servers

Piradius.net appears to be up to its dark grey hat antics again with a server at 124.217.251.179 which is providing services to the current run of Zbot trojans, as seen (for example) with this recent ThreatExpert report.

Robtex reports the the server is also being used as the NS for a number of Zbot related domains, notably x2dns.ru, cedns.ru, updata-1.com, admin-systems.com, db-1.net, upd01.net, ssl-updates.net and several others connected with this spam run. 124.217.251.179 is also the download server for various Zbot components.

Although Piradius.net probably has many legitimate customers (primarily from Malaysia, Thailand and South-East Asia), it seems to have a lot of bad ones too (including Yohost.org). Prudent network administrators may want to consider blocking 124.217.224.0 - 124.217.255.255 which will probably not cause too many problems.