Tuesday, December 22, 2009

A donde se va Avalanche? BBVA! y United Bankers Association

The Avalanche botnet continues to send out spam for spreading malware and phishing. Its newest target is Spanish banking giant BBVA.

We don't get a lot of Spanish spam to the UAB Spam Data Mine, but we have received several copies with subjects like:

Establecidas nuevas medidas de seguridad
Aviso Urgente
nuevas medidas de seguridad
Nuevas Medidas De Seguridad
Haga El Favor De Confirmar Sus Datos
Aviso Importante Para Los Clientes Del Banco

The message looks like this:
Estimado cliente,
Servicio técnico del banco BBVA renovó el software para mejorar el servicio de los clientes del banco.
Para asegurar la integridad de sus datos Usted tiene que rellenar el Formulario de cliente.
Para empezar a rellenar el formulario pulse en el vínculo:
http://formulario.bbva.es/DFAUTH/DFServlet/LogonServlet.php?id=9450983366442462436235235236689910980197561325891724661774&email=userid@domain.tld
Esto es un mensaje automático, no hace falta que respondas.
Reciba un cordial saludo,
Grupo BBVA.


The samples that we have so far use these domain names:

formulario.bbva.es.kfjoitiil.co.uk
formulario.bbva.es.kfjtimiil.co.uk
formulario.bbva.es.kfjtitiil.co.uk
formulario.bbva.es.kfotitiil.co.uk
formulario.bbva.es.mfjtitiil.co.uk
formulario.bbva.es.ofjtitiil.co.uk

The list is already growing . . . up to 14 now . . .

formulario.bbva.es.kfjmitiil.co.uk
formulario.bbva.es.kfjoitiil.co.uk
formulario.bbva.es.kfjtimiil.co.uk
formulario.bbva.es.kfjtitiil.co.uk
formulario.bbva.es.kfjtitiim.co.uk
formulario.bbva.es.kfjtitiml.co.uk
formulario.bbva.es.kfjtmtiil.co.uk
formulario.bbva.es.kfjtotiil.co.uk
formulario.bbva.es.kfmtitiil.co.uk
formulario.bbva.es.kfotitiil.co.uk
formulario.bbva.es.kmjtitiil.co.uk
formulario.bbva.es.kojtitiil.co.uk
formulario.bbva.es.mfjtitiil.co.uk
formulario.bbva.es.ofjtitiil.co.uk



The first page of the websites just asks for a Userid and Password:



The second page asks visitors to provide 100 three-digit numbers which are used as a fraud prevention mechanism by the bank. In normal usage, visitors to the bank are prompted with an X and Y coordinate, like "A7", and will add to their password the three digit number that is found on that position on their card. Each banking customer has their own unique card. The phisher here can't use their userid and password unless they also have the card information, so they are asking for THE ENTIRE CARD!



But what else can we learn by looking at Passive DNS?

As with all of the "Avalanche family" of phishing and malware sites, the site is hosted via Fast Flux. That is, infected personal computers around the world have malware on them which allows the criminal to point his Nameserver settings to these compromised home computers. When someone clicks on the spam message, they are directed not to the criminal's webserver, but to one of these compromised home computers.

The Fast Flux phrase refers to the fact that the criminal constantly updates his nameservers to rotate the hosting of the spammed hostname across many hundreds of bots.

As an example, here are some of the IP addresses for the hostname:

formulario.bbva.es.kfjtitiil.co.uk:

61.0.70.16
85.98.91.104
87.69.46.150
89.139.168.132
95.56.43.92
121.128.247.163
121.131.237.21
183.87.51.109
187.7.94.21
189.105.197.134
189.110.217.186
189.163.144.141
189.179.6.48
189.192.13.43
189.193.59.146
189.194.168.45
189.220.219.70
190.141.201.180
190.162.176.58
190.190.237.103
196.217.220.42
196.217.228.33
196.217.53.158
200.66.40.188
200.83.102.20
201.132.106.254
201.160.230.120
201.164.184.87
201.166.100.22
201.166.44.190
201.218.67.203
217.132.22.172
220.67.225.229
222.107.109.74

When we investigate one of those IP addresses, we find that the same Fast Flux hosts were found to also be hosting the Visa.com Zeus malware distribution sites that we've discussed earlier, and also a "United Bankers Association" site.

We can still see the UBA version, and find many samples of it in the UAB Spam Data Mine, such as these:

The bank you have an account in, is declared bankrupt. Learn How to Save your Money: >link<

Subjects for this spam include:

A message for the owner of ******** bank account.
A new back is declared bankrupt.
Bankrputcy declaration.

Yeah, it really says "back" instead of "bank" and really uses "********" in the subject line.

The sites we found sharing Fast Flux hosting with the BBVA campaign include:

u-b-a.org.dirpote1.be
bankruptcy.u-b-a.org.dirpote1.be
unitedba.org.dirpote1.be
ub-assoc.org.dirpote1.be
bankruptcy.unbassoc.org.dirpote1.be
ubassoc.org.dirpote1.be
bankruptcy.ubassoc.org.dirpote1.be
ub-association.org.dirpote1.be
bankruptcy.ub-association.org.dirpote1.be
unitedbankersassociation.org.dirpote1.be
bankruptcy.unitedbankersassociation.org.dirpote1.be
unitedbankers.org.dirpote1.be
bankruptcy.unitedbankers.org.dirpote1.be
u-b-a.com.dirpote1.be
bankruptcy.u-b-a.com.dirpote1.be
bankruptcy.unitedba.com.dirpote1.be

We saw tons of this spam yesterday for a variety of domains and hostnames, such as:

bankruptcy.ub-assoc.org.uk.dirtotp1.co.uk
bankruptcy.ub-association.org.uk.dirtotp2.co.uk
bankruptcy.ubassoc.co.uk.dirtotp3.co.uk
bankruptcy.u-b-a.co.uk.vdfproo.co.uk
bankruptcy.unitedbankersassociation.co.uk.dirdlpr3.be
bankruptcy.unitedbankers.co.uk.dirdlpro.be
bankruptcy.u-b-a.co.uk.dirdlpro1.be
bankruptcy.ubassoc.co.uk.dirdlpro2.be
bankruptcy.ubassoc.co.uk.progh1.be
bankruptcy.u-b-a.co.uk.progh2.be
bankruptcy.unitedba.co.uk.tpotpdd.be
bankruptcy.unitedbankers.co.uk.tpotpdd1.be
bankruptcy.unitedbankers.co.uk.vdfproo.be
bankruptcy.ub-assoc.co.uk.vstdrerr.be
bankruptcy.unitedbankersassociation.com.111ttillil.co.uk
bankruptcy.ubassoc.com.11fttillil.co.uk
bankruptcy.u-b-a.com.11tttillil.co.uk
bankruptcy.unitedba.com.1jfttillil.co.uk
bankruptcy.ub-assoc.com.yjfttillil.co.uk
bankruptcy.u-b-a.com.dirpote1.be
bankruptcy.unitedba.com.dirpote3.be
bankruptcy.unitedba.com.dirpote4.be
bankruptcy.ubassoc.com.dirpote5.be
bankruptcy.ub-association.com.dirpote6.be
bankruptcy.unbassoc.org.dirpote7.be
bankruptcy.ub-assoc.com.dirpote8.be
bankruptcy.u-b-a.com.dttflji.be
bankruptcy.ub-association.com.itdflji.be
bankruptcy.ubassoc.com.ittdlji.be
bankruptcy.u-b-a.com.ittfdji.be
bankruptcy.ub-assoc.com.ittfldi.be
bankruptcy.ubassoc.com.ittfljd.be
bankruptcy.ubassoc.org.ittflji.be
bankruptcy.ubassoc.com.ittfljx.be
bankruptcy.u-b-a.org.ittflxi.be
bankruptcy.ubassoc.com.ittfxji.be
bankruptcy.ubassoc.com.itxflji.be
bankruptcy.unbassoc.com.ityxlji.be
bankruptcy.ub-assoc.org.ixtflji.be
unitedbankers.co.uk.promoderp.be
bankruptcy.u-b-a.org.xttflji.be
bankruptcy.ubassoc.com.ydtflji.be
bankruptcy.u-b-a.com.11t1jtiil.com
bankruptcy.u-b-a.org.11t1kt1pl.com
bankruptcy.ubassoc.com.11t1ktiil.com
bankruptcy.ubassoc.com.11tfjtiil.com
bankruptcy.u-b-a.com.i1tfjtiil.com
bankruptcy.ub-association.com.ictfjtiil.com
bankruptcy.ub-association.com.ivtfjtiil.com
bankruptcy.unitedba.com.11t1kt1il.net
bankruptcy.u-b-a.com.11t1ktiil.net
bankruptcy.ub-association.com.11tfjtiil.net
bankruptcy.ubassoc.com.i1tfjtiil.net
bankruptcy.u-b-a.com.ictfjtiil.net
bankruptcy.unitedbankersassociation.com.ivtfjtiil.net


This site doesn't provide ANY information about the so-called bankruptcy of "your bank", but it does tell you you have to upgrade your Adobe Macromedia Flash Player:



The malware distributed there, called "flashinstaller.exe" is binary identical to the current fake Visa malware, "cardstatement.exe". A VirusTotal Report shows 13 of 41 anti-virus products currently detecting the malware.

Additional information
File size: 188928 bytes
MD5 : d61c6195eda54b1009208ba823ccdac4

There are also tons of "visa.com" links, such as:

sessionid2ypkfd1y0wa0.visa.com.dirpote1.be
sessionid-0n8owwc0.visa.com.dirpote1.be
sessionid3yfwwyc0.visa.com.dirpote1.be
sessionidsubv3f0.visa.com.dirpote1.be
sessionid_3s76mvuowvpjkg0.visa.com.dirpote1.be
sessionidqsz66rkt0hdji0.visa.com.dirpote1.be
sessioniddmw8pukq74ck0.visa.com.dirpote1.be
sessionid8r1efl0.visa.com.dirpote1.be
sessionid_v9k2ybsrl0.visa.com.dirpote1.be
sessionid36x1p4ya4sl0.visa.com.dirpote1.be
sessionid08ypfdtr1z4o0.visa.com.dirpote1.be
sessionid_9yagx6ub4w37q0.visa.com.dirpote1.be
sessionid_ff17zq0.visa.com.dirpote1.be
sessionidl5292sut0.visa.com.dirpote1.be
sessionid-e3wkqkg0min23u0.visa.com.dirpote1.be
sessionid_yvotp5t613z9u0.visa.com.dirpote1.be

No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!