ASProx Compromised Webpages
The main site which is hosting the malicious code right now is "ads-t.ru". Sites which have been hacked by this attack tool will contain a tag which leads to the page "ads-t.ru/ads.js". A quick Google search for this string will currently reveal more thousands of webpages which have had this code injected.
That domain was registered on September 29th with the email address email@example.com
I wasn't sure if I should try my malware analysis VM 30,000 feet over Wichita Kansas, but I gave it a shot. The index.php file downloads a hostile Flash Player file:
That file is only 797 bytes. VirusTotal has 1 of 41 detects for it, with Symantec calling it "Bloodhound.Exploit.266". The MD5 is 148a8c05fb0b63f036f024e2104a6e4c
The index.php files also causes a malicious PDF file to be downloaded. When the PDF file is opened by an older version of Adobe Reader, the computer becomes infected with one of the "scareware" fake Anti-virus products.
Unfortunately, I don't have a vulnerable copy of Adobe Flash Player handy, so I can't tell you yet what is downloaded by this flash file.
Let's take a search engine agnostic approach for a moment though:
Google.com shows pages injected with:
Bing.com lists these as the top sites injected with "ads-t.ru":
Yahoo! lists only 823 results on ads-t.ru/ads.js with top hits being:
"Apartments in El Paso, TX" LiveATIndependence.com/FortBliss
"TRUE.com The Safest Site in Online Dating" www.TRUE.com
"Tv Ads, Create & Run Video Ads Online" www.SpotMixer.com/video
are sponsored links for that search.
The domain names involved in this scam are all Fast Flux hosted, meaning that machines belonging to a botnet are used to resolve the website addresses. The traffic is then proxied from those IP addresses to the "real" criminal server. Here are some recently used IP addresses. If anyone recognizes that botnet, please shoot me an email:
IRS Version of Zeus
I'm actually blogging this using my free trial of Delta's "GoGo" WIFI service as I fly back from San Jose, where I was speaking at the Merchant Risk Council meeting. What is the primary email that I'm downloading this morning? Its still the fake IRS emails which are being used to distribute the IRS version of the Zeus Bot trojan.
So far this flight I've received 330 copies of the current IRS Zeus email. The domain names used in these emails are:
The binary its dropping is brand new - I was the first one to have it scanned at VirusTotal. As usual with the new binaries, detection is not very good, 9 of 41 antivirus products are currently detecting it, but at least we do have some of the Big AV Guns on board.
See the VirusTotal Report Here.
Detects from F-Secure, Kaspersky, McAfee, Microsoft, Sophos, Sunbelt, and VBA32 right now.
File size: 96256 bytes
Don't Be a Phishing Victim
Today's BBC News quotes Rohyt Belani, the founder and chief executive of Intrepidus Group, a security consultancy:
"Our studies have shown that within the first hour of someone receiving a phishing e-mail, 60% of people click on them. That is not enough time for the security folks to act."
I agree with Rohyt totally, and would urge the consumer message of the day to be "BE CAREFUL with links in your email". If your bank really has an important message for you, go to your bank's website in the way you would normally log in, and do so. If there are important messages from your bank, you should be able to find them there easily.