Sponsored by..

Thursday, 4 September 2008

Asprox: jic2.ru

Another new addition to the list of Asprox domains is jic2.ru, again registered via Naunet, so block this or check your logs for access. Again, searching your logs for ".ru/script.js"will help locate suspect activity.

Wednesday, 3 September 2008

"Bangui" malware domains

A whole set of domains distributing malware, currently based on 206.53.51.119 and allegedly registered to someone in Bangui (although most likely it is the RBN again). These domains are being used in blog spam and also what appears to be PHP and ASP injection attacks.

Unlike some injection attacks, the pages carry some scraped text that's relevant to the URL. Combine this with the inbound links created through spam and injection attacks and you have a very black hat SEO campaign. Yahoo! seems to be more prone to this type of SEO than Google.

The pages on these domains use a javascript redirector (menu.js) to end up at a set of fake video and rogue anti-malware sites that install all sorts of nasty things.. again, these endpoints have the hallmark of the RBN.

  • Afwwwf.info
  • Apostit.info
  • Bcuioc.info
  • Bglkhg.org
  • Bihuru.org
  • Biiwhw.info
  • Bikgfjr.info
  • Bioblor.info
  • Bioqw.info
  • Biowfr.info
  • Bkjksl.org
  • Bkssdoue.info
  • Bloiw.org
  • Bocaca.org
  • Cascaa.info
  • Cbasoa.info
  • Cbr1000rrxx.info
  • Csccons.org
  • Cskaa.org
  • Eomnb.info
  • Fasca.info
  • Fasfw555.info
  • Fasw.org
  • Fbkshk.org
  • Fdsaa.org
  • Firstnax.org
  • Fjkjfjoi.info
  • Fjwiojnc.info
  • Flsab.info
  • Foeww.org
  • Foxrat.info
  • Fsaff.org
  • Fsafvn.info
  • Fsancao.info
  • Fsanp.org
  • Fsaqq.info
  • Fsaw.org
  • Fsfa22rr.info
  • Fsfkg.info
  • Fsfworg
  • Fsgkle.org
  • Fsjklhg.info
  • Fskjhgkb.info
  • Fullmediabase.net
  • Fwe75r4fyf65.cn
  • Fwfds.org
  • Fwfisow.org
  • Fwjijc.org
  • Fwoijwh.org
  • Gcoigkm.org
  • Gewop.info
  • Gjgkgjhew.org
  • Golodnijya.org
  • Gucwd.org
  • Hellodolly5k.net
  • Hellodomy5k.net
  • Hhkjj.org
  • Hkljccc.info
  • Hodnejgreat.info
  • Hofhwbc.info
  • Hohotv.org
  • Homosapien5k.net
  • Hrr553.info
  • Hudinarjiii.cn
  • Itgfbn.org
  • Jfldsh.org
  • Jflhg.info
  • Jlbyuo.org
  • Jnbq.info
  • Jowely.org
  • Jplhnh.info
  • Juiok.org
  • Jumpsert.org
  • Jwionw.info
  • Kiwedox.org
  • Kjhiofw.org
  • Kjhlfsh.org
  • Knwponc.org
  • Madnes.info
  • Mazafaker.com
  • Mfpwjmc.org
  • Mkmcsss.org
  • Mpfwmcs.org
  • Mpkcmzz.org
  • Mpmccz.org
  • Mybestz5k.net
  • Nado1000traffa.info
  • Nfeow.org
  • Nfwojw.org
  • Nfwon.org
  • Nhphpkj.info
  • Nifa422.info
  • Njpaw.info
  • Nosdsh.org
  • Pokoder.org
  • Sonvfs.org
  • Werbin.org
  • Wfwcn.org
  • Wn59whgp3w.cn
  • Workfox.info
  • Yzfr1yamahad.info

Tuesday, 2 September 2008

Asprox: 2b24.ru

These domains seem to be today's current Asprox SQL Injection domains - check for them in your logs or block them. 2b24.ru seems to be new, the rest have been around for a few days. The exploit is still using a script called script.js to run.

  • 2b24.ru
  • cg33.ru
  • cv2e.ru
  • cv32.ru
  • mc2n.ru
  • mj5f.ru
  • oc32.ru
  • vwsc.ru

Monday, 1 September 2008

"WorldWide Offshore Integrated Systems Inc"

Another money mule scam, this time claiming to be from "WorldWide Offshore Integrated Systems Inc" of New York, a company that does not exist according to the New York Division of Corporations. Also, there are no Google matches for that search term... except that there will be since I've posted this. Oh, you can figure out what I mean.

Originating IP is 78.175.218.143 in Turkey. Also, I can't think of many "WorldWide " corporations that have to use Yahoo!'s free email service.




Subject: Looking for a job? Good chance for you!
Date: Mon, September 1, 2008 4:38 pm



Hello.

WorldWide Offshore Integrated Systems Inc. is a custom software development company
located in New York, USA.

We offer full cycle custom software programming services, from product idea,
offshore software development to outsourcing support and enhancement.
WorldWide Offshore Integrated Systems Inc. employs a large pool of software
engineers coming from different backgrounds.
We are able to balance product development efforts and project duration to your
business needs.

WorldWide Offshore Integrated Systems Inc. customer service department is currently
offering employment for residents
in order to provide it's new branch with qualified personnel.
The private client support desk is responsible for following up client enquiries,
helping the clients to understand how WorldWide Offshore Integrated Systems Inc. can
save them money on foreign
currency transactions, and developing new business through referrals.

First of all you need no prior experience, even though we are value
your current knowledge, but we will provide all necessary training when
you will join us.

If you're a customer service fanatic, and enjoy working in a challenging and
rewarding environment,
please see below for our current list of opportunities.

Requirements:

è Proficiency in MS Word, Excel & Internet
è Excellent communication skills both oral and written

- This work does not require any experience!
- This is a work at home

You will be paid USD 2500 per 2 weeks.

Should you have any questions regarding this letter,
our offer of employment or anything else, please write me an e-mail.
We are excited to have you join our organization and look forward to working with you.


If you are interested in our position reply to e-mail worldwide61@yahoo.com


Best regards,
Katrin Olley
Employment Manager


Asprox: cg33.ru, cv2e.ru, cv32.ru, mc2n.ru, oc32.ru and vwsc.ru

Another bunch of Asprox SQL injection domains to block or monitor for, all quite new:

  • cg33.ru
  • cv2e.ru
  • cv32.ru
  • mc2n.ru
  • oc32.ru
  • vwsc.ru
Alternatively, look for .ru/script.js in your logs which should pick up most of them.

Update: here's another one - mj5f.ru

Friday, 29 August 2008

Atrivo / Intercage

Atrivo, Inc (also known as Intercage) and their main customer, Esthost (related to Estdomains) might well be a familiar name to people working in IT security. Atrivo is based is California and is run by one Emil Kacperski, so it has always surprised me that such a small operator should be a persistent host of malware.

Well, Atrivo's activities have not gone un-noticed by HostExploit.com who have produced a whitepaper and diagram and a YouTube video explaining how Atrivo's network is involved in a typical PC exploit.

Brian Krebs at the Washington Post has a comprehensive commentary. Note in particular the comments from "Emil K." at the bottom of the article. The RBN blog also has a comment here. Fascinating stuff.

Thursday, 28 August 2008

Where a link turns into a lawsuit

I've seen some daft excesses in local politics in my time, but over Sheboygan, Wisconsin, things have taken a new twist... with a lawsuit over a link.

Jennifer Reisinger operates a website called Sheboygan Spirit which appears to be very critical of local officials and also a now defunct web design business called Brat City Web Design. She was also involved in a campaign to recall the elected mayor, which probably didn't endear her to some city officials.

Last year, the city filed a lawsuit against Ms Reisinger. Why? Because one of her sites carried a link to the Sheboygan Police Department (oops). First, the city sent a cease and desist asking her to remove it, and when she refused to do so they initiated a criminal investigation and legal proceedings.

Remember, this is just a link to the local police department. Not a link to illegal or confidential material. Of course, really the city didn't have a leg to stand on and in November 2007 decided not to pursue the case.

But Ms Reisinger wasn't finished, and a few days ago filed a counter-suit alleging loss of business and a violation of first amendment rights. It looks like it could be a significant case.. depending on the outcome.

There's more information in this item at the Milwaukee Journal Sentinel, and also here at the Citizen Media Law Project.

Wednesday, 27 August 2008

"Bank of America Installation and Upgrade Warning."

The bad guys are busy today, here's another fake bank "upgrade" leading to malware, following on from this one.


Subject: Bank of America Installation and Upgrade Warning.
From: "Bank Of America Update Service Department"
Date: Wed, August 27, 2008 2:23 pm

Attention All Bank of America Customers.
Security & Fraud Protection Update.

At Bank of America, were committed to keeping your information confidential and
secure, and we take that responsibility very seriously.
Our Fraud detection solution helps to protect your business against the risk of
fraudulent transactions alerting you to potential risks.
We have developed the following protection tools to insure you confidentiality.

You can download the latest security pack from our Customer Service Department>>

Sincerely, Jodie William.
2008 Bank of America Corporation. All rights reserved.
This leads to a very convoluted URL with an executable Setup_BankofAmericaclientno4508832.exe - virus detection for this one is a bit poor. Malware is identified variously as TR/ATRAPS.Gen (AntiVir & WebWasher), DeepScan:Generic.Malware.dld!!.083539B0 (BitDefender) and one or two others come up with a generic detection.

Incidentally, the URLs used in both attacks are incredibly long and convoluted.. and not terribly convicincing.

Avoid these "bank certificates" at all costs.

Tilde.exe in C:\Windows\System32 folder


This isn't really about tilde.exe at all, but a file called C:\Windows\System32\~.exe that has a habit of showing up on laptops that have been playing up with frequent browser crashes.

~.exe is kind of an odd name for a file, and crucially it's an ungoogleable name, because Google uses the tilde mark for its Synonym Search function.

Probing more deeply at the file shows that is is 34,616 bytes in size and is described internally as "Microsoft® Remote Std I/O Shell". The version information gives the following details:

  • Company: Microsoft Corporation
  • File Version: 6.0.6001.16470 (fbl_tools(patst).070215-1229)
  • Internal name: remote.exe
  • Language: Language Neutral
  • Original File name: remote.exe
  • Product Name: Microsoft® Windows® Operating System
  • Product Version: 6.0.6001.16470
The icon is identical to the remote.exe sometimes supplied with various Microsoft debugging or support tools. Indeed, it does seem to be just another version of remote.exe which is a component of Microsoft's SMS server.

The ~.exe file may also be accompanied by a couple of strange-looking .dat files, for example __c0084F92.dat or __c00E460A.dat which on closer examination are actually executables.

It does genuinely seem to be a bit of Microsoft software, but in this case it would appear to be acting as a trojan downloader. The .dat files are lilely to be the second stage of the infection, and this could well be related to all the fake anti-virus products that have been promoted recently.

~.exe is detected variously as Trojan-Downloader.Win32.Agent.abnd, Win32/TrojanDownloader.Agent.ABND or Trojan:Win32/Vundo.gen!V (VirusTotal results here). The .dat file shows up variously as Trojan-Downloader:W32/FakeAlert.AN, TROJ_TIBS.CKN, Tibs.gen222, not-a-virus:AdWare.Win32.Agent.ekj (VirusTotal results here and here).

Removal: delete the ~.exe file and any unusual looking .dat files that match the above pattern. If the trojan is active, then one of the .dat files will be locked. The F-Secure Online Scanner seems to be able to safely remove this trojan, although a reboot will be required.

This is the first time that I have seen a Microsoft SMS component used in this way. Presumably it attempts to connect up to a back-end server that I have not yet been able to identify. It may well be that a corporate firewall would block such behaviour.

Tuesday, 26 August 2008

"Colonial Bank Emergency Alert System"

Emergency alert system? Nope, malware download more likely.

Subject: Colonial Bank Emergency Alert System.
From: "Colonial Bank Account Support"
Date: Tue, August 26, 2008 8:35 pm

Dear Colonial Bank Customers. Protect your passwords!

- Never write down your passwords.
- Never share passwords with anyone.
- Change your password every few months.
- Change your password if you think it has been compromised.

For a password to be strong and hard to break, it should be at least nine characters
long, contain characters from each of the following three groups: letters (uppercase
and lowercase), numerals, symbols (all characters not defined as letters or
numerals), not contain your name or user name and not be a common word or name.
Be sure your computer is up-to-date with security patches, anti-virus, and
anti-spyware protection.
Download our latest all-in-one Internet software from our Customer Service
Department to make your online life completely secured.

Press here to Start>>

Sincerely, Parker Wheeler.
2003-2008 Colonial bank Support Team
VirusTotal detections are a mixed bag:

File ColonialDigicertx_509.exe received on 08.26.2008 23:52:05 (CET)
AntivirusVersionLast UpdateResult
AhnLab-V32008.8.21.02008.08.26-
AntiVir7.8.1.232008.08.26HEUR/Crypted
Authentium5.1.0.42008.08.26-
Avast4.8.1195.02008.08.26-
AVG8.0.0.1612008.08.26-
BitDefender7.22008.08.26DeepScan:Generic.
Malware.dld!!.6B08AD0D
CAT-QuickHeal9.502008.08.26(Suspicious) - DNAScan
ClamAV0.93.12008.08.26PUA.Packed.MEW-1
DrWeb4.44.0.091702008.08.26-
eSafe7.0.17.02008.08.26Win32.Stration
eTrust-Vet31.6.60502008.08.26-
Ewido4.02008.08.26-
F-Prot4.4.4.562008.08.26-
F-Secure7.60.13501.02008.08.26Suspicious:W32/Malware!Gemini
Fortinet3.14.0.02008.08.26-
GData192008.08.26-
IkarusT3.1.1.34.02008.08.26Trojan-Proxy.Win32.Small.DT
K7AntiVirus7.10.4282008.08.25-
Kaspersky7.0.0.1252008.08.26-
McAfee53702008.08.26-
Microsoft1.38072008.08.25PWS:Win32/Uloadis.A
NOD32v233902008.08.26-
Norman5.80.022008.08.26W32/Suspicious_M.gen2
Panda9.0.0.42008.08.26-
PCTools4.4.2.02008.08.26Packed/MEW
Prevx1V22008.08.26-
Rising20.59.11.002008.08.26-
Sophos4.32.02008.08.26Mal/EncPk-BA
Sunbelt3.1.1582.12008.08.26VIPRE.Suspicious
Symantec102008.08.26-
TheHacker6.3.0.6.0602008.08.23W32/Behav-Heuristic-066
TrendMicro8.700.0.10042008.08.26Cryp_MEW-11
VBA323.12.8.42008.08.26-
ViRobot2008.8.26.13502008.08.26-
VirusBuster4.5.11.02008.08.26Packed/MEW

Asprox: beyry.ru, iopoe.ru, jetp6.ru, nucop.ru, port04.ru and vj64.ru

There's been a slight shift in the characteristics of the current Asprox attack. The javascript called is now script.js rather than ngg.js or js.js, and this goes to a redirect script currently pointing at /cgi-bin/index.cgi?lle on the local domain.

Active domains in this new attack seem to be as follows, new ones are in bold.
  • beyry.ru
  • cb3f.ru
  • cnld.ru
  • iopc4.ru
  • iopoe.ru
  • jetp6.ru
  • loopk.ru
  • netr2.ru
  • okcd.ru
  • nucop.ru
  • port04.ru
  • ueur3.ru
  • vj64.ru
Check your logs or block these domains. Most business outside of Russia and neighbouring countries could probably block the entire .ru TLD with minimal impact. Look also for the CGI sript (/cgi-bin/index.cgi?lle) to find potentially infected client PCs.

Friday, 22 August 2008

Asprox: iopc4.ru, jetp6.ru, loopk.ru, netr2.ru and ueur3.ru

The domains used is the Asprox SQL injection attack have been stable for most of the past week, but over the last 24 hours some ne wdomains have been registed, so check your logs and/or block the following:

  • iopc4.ru
  • jetp6.ru
  • loopk.ru
  • netr2.ru
  • ueur3.ru

It is likely that some more will turn up during the course of the day.

Friday, 15 August 2008

Another SQL injection domain: mo98g.cn

I mentioned some days ago that there seems to be a parallel SQL injection attack to Asprox with all the hallmarks of being Chinese. Over the past day or so, mo98g.cn has appeared on some infected sites (often alongside Asprox) making a call to mo98g.cn/q.js which is hosted on 222.122.128.5 in South Korea.

The back end seems not to be working at present, so maybe the server has been cleaned up. In any case, this is another domain to block or check your logs for.

Asprox: ujnc.ru

Just a single new Asprox domain to list this morning: ujnc.ru which is still using the js.js redirector, i.e. www.ujnc.ru/js.js. All the domains from the past two days are still active too.

Thursday, 14 August 2008

Asprox: 3njx.ru, cb3f.ru, cnld.ru, nbh3.ru and okcd.ru

Some more Asprox domains to block or look for in your logs:

  • 3njx.ru
  • cb3f.ru
  • cnld.ru
  • nbh3.ru
  • okcd.ru

Renewed Asprox activity: bcus2.ru, jkn3.ru, juc8.ru and locm.ru

After a quiet few days, Asprox seems to have flared up again (at about 1000 CET) with a new set of malware domains, still launching from a SQL injected js.js file on compromised hosts. Keep an eye out for these domains or block them.

These domains are all very recently registered through naunet.ru, there are probably many more on the way soon.

  • bcus2.ru
  • jkn3.ru
  • juc8.ru
  • locm.ru

Tuesday, 12 August 2008

All quiet on the Asprox front?

For the moment the Asprox SQL injection attacks seem to have stopped, although infected sites are still infected and need to be secured as soon as possible.

So, does this mean that the bad guys have given up? Well, no.. but there are probably thousands of sites out there which are still infected, so from that point of view they will still be getting "hits" to their malware sites.

Perhaps the answer is this - the people behind the SQL injection attacks are doing something else. Two very newsworthy events happening over the past few days have been the war in Georgia and the Beijing Olympics. Dancho Danchev reports that the RBN have been actively involved in attacking Georgian sites, including using SQL injection attacks. F-Secure report that Chinese sites have been attacked since the run-up to the Olympics started.

It might well be that these Asprox attacks will be quiet for a couple of weeks, but it is likely that general SQL injection attacks will ramp up again soon.

Sunday, 10 August 2008

Spammers are still stupid

Another case where a spammer is too stupid to use the spamming tool they have just bought.

Subject: hey
From: "hvgoxscw"
Date: Sun, August 10, 2008 7:59 pm

You have 2 options here,
Option 1 - You can put ANY text you want in here.

Option 2 - We will fill it in with the text only portion of the
html message if you put the macro for you: [url removed]
in here.

NOTE: Some email clients don't disply html data. In that case what you
put here will be seen by the recipient. If the email client does

display html data then this will NOT be seen by the recipient.
Based on this you may wish to put a text version of your add here;
however, you can also put some macros here to make the message
more random.

Or use Option 3 and don't add anything at all. Idiot.

Saturday, 9 August 2008

"Hey, take a look!!" / "Yahoo Daily News"

Looks like another variant of the Storm Worm /Zapchast doing the rounds:

Subject: Hey, take a look!!
From: "Yahoo Daily News"

Hello friend !
You have just received a yahoo messenger ultimate version !!


Click Download Now to begin downloading and installing Yahoo Messenger ultimate version 10 ver 10.1



1. Download Now Click Download Now to begin downloading and installing Yahoo! Messenger ultimate version 10.
ver. 10.1
2. When prompted, please click the Run button in each window that appears.

Other versions: XP (9.0 Beta), Vista, Mac, Web, Mobile

Thank you for using our services !!!
Please take this opportunity to let your friends use about this new software by sending them the source.

Copyright © 2008 Yahoo! Inc. All rights reserved. Copyright/IP Policy | Terms of Service |Guide to Online Security

Relevant advertising creates a better web experience. See how

NOTICE: We collect personal information on this site.

To learn more about how we use your information, see our Privacy Policy
In this case the target file to download is msgr8.5us.exe, VirusTotal detection is pretty good.

Expect to see a LOT of these over the next few days, either themed for the Olympics or the war in South Ossetia. Although the subject will always change, a crash course in user education can help to mitigate the risk.

ISC: "More SQL Injections - very active right now"

The Internet Storm Center has published technical details on the Chinese-based SQL injection attack which may be of interest to SQL administrators and programmers and also security specialists. It also flags up another javascript file to look for: csrss/w.js

Keep an eye out for log activity pointing to this file. Blocking the entire .cn TLD will probably do very little harm for most businesses.