Sunday, May 31, 2009

Phishers Try MSN Worms to steal credentials

At the University of Alabama at Birmingham our Computer Forensics students are working on a large number of spam and phishing related projects. One of those includes tracking the Fast Flux nodes related to various botnets. As I was meeting with one of the students this week to talk about a particular phishing botnet we noticed that the hosts were doing something that seemed to be related to MSN.

In this particular botnet, computers take turns hosting the phishing websites for various banks. For instance at the end of this week, the botnet was hosting phishing sites like these:

or these:

or these:

or these:

The phishers are still doing that, of course, but as we were exploring the IP addresses being used by the botnet for hosting these phishing sites (more than 250 of them since Thursday afternoon), we found some domains that didn't fit this pattern.

First we checked out the WHOIS information . . .

Registered May 15, 2009 at XIN NET Technologies . . .

Using the nameserver NS1.MY-CHEERFUL-DNS.COM

And oh, look! Our old friend Pan Wei Wei!

Organization : Pan Wei wei
Name : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176

Pan Wei Wei has been involved with this particular botnet since at least October, as others have noticed as well. For instance, see Dancho Danchev's blog entry from December. Dancho follows the popular trend of wrongly calling this the "Rock Phisher", but that's a common misperception, and he certainly ACTS like the Rock phisher. We prefer the term "Rock-Like", but that's not the point here. Dancho and many others have good evidence on this guy.

Pan Wei Wei used to prefer his gmail address - or - but apparently he no longer uses those.

After Googling around a bit and checking the UAB Spam Data Mine, we find that this domain is not being used in spammed email, but is rather being used in an MSN message worm.

Messages are received such as:

damn, saw naked pics of yours or maybe the one in pic is similar to you .... crazy lol


phewww +o( unbelivable, is that you??? who ever is really similar to you lol ...

The criminal needs to update his graphics on this one. What's supposed to happen here is that a graphic is displayed from one of several random ImageShack locations. Above the image are the words:

Click on the image to download the party pictures gallery...
(Click Open or Run when prompted.)

Clicking on the image will actually run this file:

Which causes you to download this file:


File size: 31745 bytes
MD5 : fa0e304fa4c11a89a2345e009ecebf1c

The detection of this file as a virus is actually quite high. 34 out of 40 anti-virus tools now detect this malware, including Microsoft who labels the malware

Microsoft 1.4701 2009.06.01 VirTool:Win32/Obfuscator.FI

Virus Total Analysis here

The next interesting looking website was

A WhoIs check confirms that this domain was also created by Pan Wei Wei, although this is more recent - with a created date of May 28, 2009. It also uses the nameserver NS1.MY-CHEERFUL-DNS.COM (and NS2, NS3, NS4).

This one is a much clearer phishing attempt. Here we are asked right at the beginning to provide our MSN userid and password in order to view the 35 pictures in our Private Gallery.

Userids and passwords are checked immediately. If you provide fake data, you get "invalid login! please try again..."

If you provide real data, someone will need to tell me what it does, because I don't have an MSN account that I would like to share with the criminals.

It was interesting to me that although they chose to host this site on a botnet, where each computer on the botnet is a potential host to help them anonymize the source, they chose to hard code an IP address of their stylesheets and javascript programs:

There are two domain names associated with that IP address:


I wonder if those might be similar scams?

Given that they were also both registered by Pan Wei Wei using XIN NET TECHNOLOGY as the registrar, I feel that it might be a safe bet. was registered March 15, 2009. was registered April 24, 2009.

The last interesting domain we are seeing on this botnet is:

Registered May 26, 2009 by Pan Wei Wei on XIN NET TECHNOLOGY using Name Servers NS1.MY-CHEERFUL-DNS.COM (and NS2, NS3, NS4)

We found a post about this one from Steve Swift at on a Vista Forum.

Steve had received a new email from Haris_Sheikh, which he knew because he had a link sent to him from an offline colleague:

You have received (1) new email from haris_sheikh.

Clicking on the link gave him a "System Notice" that read like this:

Your Live Account is about to get expired. For further details please visit,

If you've been a victim of any of these type of frauds, you may have bigger problems than you know. We've seen hotmail and accounts used to try to scam the friends who send you email (see our blog article on Traveler Scams.)

For some of them, changing your password might help --

For other support on your hotmail or emails you can visit:

To report possible fraud on your account, you can usethis reporting form.

For others, you probably have malware running on your computer which is being used to send spam and steal your passwords!

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.