In this particular botnet, computers take turns hosting the phishing websites for various banks. For instance at the end of this week, the botnet was hosting phishing sites like these:
The phishers are still doing that, of course, but as we were exploring the IP addresses being used by the botnet for hosting these phishing sites (more than 250 of them since Thursday afternoon), we found some domains that didn't fit this pattern.
First we checked out the WHOIS information . . .
Registered May 15, 2009 at XIN NET Technologies . . .
Using the nameserver NS1.MY-CHEERFUL-DNS.COM
And oh, look! Our old friend Pan Wei Wei!
Organization : Pan Wei wei
Name : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Pan Wei Wei has been involved with this particular botnet since at least October, as others have noticed as well. For instance, see Dancho Danchev's blog entry from December. Dancho follows the popular trend of wrongly calling this the "Rock Phisher", but that's a common misperception, and he certainly ACTS like the Rock phisher. We prefer the term "Rock-Like", but that's not the point here. Dancho and many others have good evidence on this guy.
Pan Wei Wei used to prefer his gmail address - email@example.com or firstname.lastname@example.org - but apparently he no longer uses those.
After Googling around a bit and checking the UAB Spam Data Mine, we find that this domain is not being used in spammed email, but is rather being used in an MSN message worm.
Messages are received such as:
damn, saw naked pics of yours or maybe the one in pic is similar to you .... crazy lol http://my-secret-gallery-download.com/pic_gallery.html
phewww +o( unbelivable, is that you??? who ever is it...is really similar to you lol ... http://my-secret-gallery-download.com/pic_gallery.html
The criminal needs to update his graphics on this one. What's supposed to happen here is that a graphic is displayed from one of several random ImageShack locations. Above the image are the words:
Click on the image to download the party pictures gallery...
(Click Open or Run when prompted.)
Clicking on the image will actually run this file:
Which causes you to download this file:
File size: 31745 bytes
MD5 : fa0e304fa4c11a89a2345e009ecebf1c
The detection of this file as a virus is actually quite high. 34 out of 40 anti-virus tools now detect this malware, including Microsoft who labels the malware
Microsoft 1.4701 2009.06.01 VirTool:Win32/Obfuscator.FI
Virus Total Analysis here
The next interesting looking website was picy-pictures.com
A WhoIs check confirms that this domain was also created by Pan Wei Wei, although this is more recent - with a created date of May 28, 2009. It also uses the nameserver NS1.MY-CHEERFUL-DNS.COM (and NS2, NS3, NS4).
This one is a much clearer phishing attempt. Here we are asked right at the beginning to provide our MSN userid and password in order to view the 35 pictures in our Private Gallery.
Userids and passwords are checked immediately. If you provide fake data, you get "invalid login! please try again..."
If you provide real data, someone will need to tell me what it does, because I don't have an MSN account that I would like to share with the criminals.
There are two domain names associated with that IP address:
I wonder if those might be similar scams?
Given that they were also both registered by Pan Wei Wei using XIN NET TECHNOLOGY as the registrar, I feel that it might be a safe bet. Hotmail-Timeout.com was registered March 15, 2009. Pictures-bucket.com was registered April 24, 2009.
The last interesting domain we are seeing on this botnet is:
Registered May 26, 2009 by Pan Wei Wei on XIN NET TECHNOLOGY using Name Servers NS1.MY-CHEERFUL-DNS.COM (and NS2, NS3, NS4)
We found a post about this one from Steve Swift at on a Vista Forum.
Steve had received a new email from Haris_Sheikh, which he knew because he had a link sent to him from an offline colleague:
You have received (1) new email from haris_sheikh.
Clicking on the link gave him a "System Notice" that read like this:
Your Live Account is about to get expired. For further details please visit,
If you've been a victim of any of these type of frauds, you may have bigger problems than you know. We've seen hotmail and live.com accounts used to try to scam the friends who send you email (see our blog article on Traveler Scams.)
For some of them, changing your live.com/hotmail password might help --
For other support on your hotmail or live.com emails you can visit:
To report possible fraud on your live.com account, you can usethis live.com reporting form.
For others, you probably have malware running on your computer which is being used to send spam and steal your passwords!