Wednesday, January 27, 2010

Minipost: VISA Zeus

This is not the first time we've seen a Zeus dropper acting like a VISA phish . . . recently we've had the December 21st VISA and December 12th VISA campaigns. The emails are the same as the previous campaigns.

We've seen these 53 domain names so far today in the UAB Spam Data Mine:


They are used in an assortment of hostnames, including:

alerts.cforms.visa.com.suecond.co.nz
reports.cforms.visa.com.suecond.co.nz
statements.cforms.visa.com.suecond.co.nz
transactions.cforms.visa.com.suecond.co.nz

as well as a variety of patterns with random numbers in the middle, such as:


As usual, these are "Fast Flux" hosted, meaning that the domains resolve to a constantly changing set of IP addresses rather than a fixed server; for example, all of these IP addresses have been seen to resolve the domains today . . .



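The two observations in this post, a real brand domain buried in the subdomain labels of a throwaway registered domain and one name answering from many unrelated networks in a single day, can both be turned into checks. The following is an added example, not code from the original post; the suffix table, the brand list, the thresholds and the sample resolutions (RFC 1918 addresses) are assumptions made for the demonstration.

```python
"""Added example (not code from the original post): flag hostnames that tuck a
brand's real domain (visa.com, aba.com, ...) into the subdomain labels of an
unrelated registered domain, and score one day's DNS resolutions for the
fast-flux behaviour the post describes (one name, many scattered IPs)."""
from collections import defaultdict
import ipaddress

# Public suffixes seen in this post's hostnames. Assumption: a real deployment
# would load the full Public Suffix List instead of this hand-made subset.
SUFFIXES = {
    "uk", "co.uk", "me.uk", "org.uk", "vc", "com.vc", "nz", "co.nz", "eu", "be",
    "com", "mobi", "pl", "com.pl", "net.pl", "im", "co.im", "com.im", "net.im",
    "org.im", "am", "no.com", "uy.com", "cn.com", "jpn.com", "kr.com",
}

# Brand domains the campaigns in this post impersonate.
BRANDS = {"visa.com", "aba.com", "aol.com", "sendspace.com"}


def registrable_domain(host):
    """Return the registered domain: the label just left of the public suffix.

    The longest matching suffix wins, so 'co.uk' beats 'uk'. For an unknown
    suffix (e.g. the typo '.compl') fall back to the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def impersonated_brand(host):
    """Return the brand domain hidden in the subdomain part of host, or None.

    A genuine brand host (registered domain == brand) is never flagged. Two
    forms are caught: the exact label run '.visa.com.' and the dot-less
    variant ('sendspacecom') that the sloppy test-run hostnames used."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in BRANDS:
        return None
    prefix = host[: len(host) - len(reg)].strip(".")   # subdomain labels only
    padded = "." + prefix + "."
    squashed = prefix.replace(".", "")
    for brand in sorted(BRANDS):
        if "." + brand + "." in padded or brand.replace(".", "") in squashed:
            return brand
    return None


def flux_score(resolutions, min_ips=5, min_prefixes=3):
    """Group (hostname, ip) observations by registered domain and report how
    many distinct IPv4 addresses and distinct /16 prefixes each resolved to.

    Thresholds are assumptions for the sample; tune them to your own DNS data.
    A legitimately load-balanced site uses a few addresses in one or two
    prefixes; a fast-flux name spreads over many unrelated networks."""
    seen = defaultdict(set)
    for name, ip in resolutions:
        ipaddress.ip_address(ip)            # reject malformed addresses early
        seen[registrable_domain(name)].add(ip)
    report = {}
    for domain, ips in seen.items():
        prefixes = {".".join(ip.split(".")[:2]) for ip in ips}   # IPv4 /16
        report[domain] = {
            "ips": len(ips),
            "slash16s": len(prefixes),
            "fast_flux": len(ips) >= min_ips and len(prefixes) >= min_prefixes,
        }
    return report


# Constructed sample resolutions (RFC 1918 addresses, not the post's data):
# four hostnames under one registered domain, each answered from a different
# network, next to a stable site that always answers from one address.
SAMPLE_RESOLUTIONS = [
    ("alerts.cforms.visa.com.suecond.co.nz", "10.1.0.5"),
    ("reports.cforms.visa.com.suecond.co.nz", "10.2.7.9"),
    ("statements.cforms.visa.com.suecond.co.nz", "10.3.1.1"),
    ("transactions.cforms.visa.com.suecond.co.nz", "10.4.9.9"),
    ("alerts.cforms.visa.com.suecond.co.nz", "10.5.2.2"),
    ("reports.cforms.visa.com.suecond.co.nz", "10.6.3.3"),
    ("www.example-stable.co.uk", "10.9.0.1"),
    ("www.example-stable.co.uk", "10.9.0.1"),
]

if __name__ == "__main__":
    for name, _ in SAMPLE_RESOLUTIONS:
        print(f"{name:48} reg={registrable_domain(name):22} "
              f"brand={impersonated_brand(name)}")
    for domain, info in flux_score(SAMPLE_RESOLUTIONS).items():
        print(domain, info)
```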

Tuesday, January 26, 2010

American Bankers Association version of Zeus Bot / Zbot

Today our top spam-delivered malware is coming to us in the guise of a message from the American Bankers Association.

Subject lines seen in the UAB Spam Data Mine include:

An unauthorized transaction billed from your bank account
An unauthorized transaction billed from your bank card
An unauthorized transaction billed to your bank account
An unauthorized transaction billed to your bank card
unauthorized transaction
unauthorized transaction billed from your bank account
unauthorized transaction billed from your bank card
unauthorized transaction billed to your bank account
unauthorized transaction billed to your bank card

While most of the emails come from the email address:

noreply@mail.aba.com

others are arriving with a message_id in the from address, such as:

message_ODRL6039id@mail.aba.com

The emails look like this:

An unauthorized transaction billed from your bank card.

Amount of transaction: $1781.30
Transaction ID: 7980-9779263

Please review the transaction report by clicking the link below:

get the transaction report

---------
Letter ID 9996-0347362324-49929775497-69019696317-70662423061-65867724-18065800918


where the "Amount of transaction" and "Transaction ID"

The website looks like this:



Hostnames that we saw in the spam include:


The malware that is dropped from this website, "transactionreport.exe", is almost entirely undetected according to this VirusTotal Report. Only six of forty-one AV products currently detect this malware, and only two of them properly identify it as Zeus.

Kaspersky calls it "Trojan-Spy.Win32.Zbot.gen", as does Sunbelt.

Authentium and F-Prot heuristically detect it as "El dorado", which is pretty close behavior-wise to Zbot. F-Secure and McAfee identify it as a risk, but don't classify it further.

Besides the obvious "transactionreport.exe", there is also a drive-by infector which originates at the IP address "109.95.114.251" on the path "/us01d/in.php". I'll update this post later this evening with more details about that malware path, but I would assume at this point it's going to drop a PDF that leads to a fake AV product.

That IP address is famously associated with Zeus through the owner of its network - actually called in the WHOIS data "VISHCLUB" and described as being "Kanyovskiy Andriy Yuriyovich" of Kazakhstan - akanyovskiy@troyak.org. Perhaps send him an email and ask him how the life of crime is treating him. Apparently there are no laws against providing hosting for cybercriminals in Kazakhstan, but several sources say this IP address is actually in Great Britain, and I'm pretty sure they don't stand for this kind of behavior. Criminal emails such as:
Natalia Ilina - try@5mx.ru
Polina Kuznetsova - wsw@maillife.ru
Mikhail Vorobiev - bombs@maillife.ru
taffy@blogbuddy.ru
and kievsk@yandex.ru

all show up when you investigate previous Zeus infections that use this netblock with domain names like:

hostingdnssite.com
quicksitehostdns.com
platinumhostingservice.com
nekovo.ru
dnsserverbackupzones.com
windowsserverinfo.com
androzo.ru

and that's just so far in January 2010!

A Facebook version of the Zeus malware was active last night and this morning, but that's an on-going extension of the previously mentioned version.

Saturday, January 23, 2010

AOL Update spreads Zeus / Zbot

The UAB Spam Data Mine has been receiving emails like these all weekend . . .

Dear AOL Instant Messenger (AIM) user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.

If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link. This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

Thank you,

AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.


The email subjects today are primarily three:

AOL Instant Messenger critical update
Your AOL Instant Messenger account is flagged as inactive
Your AOL Instant Messenger account will be deleted



The download link points to a file called:

aimupdate_7.1.6.475

File size: 130048 bytes
MD5 : 506b74fab91958e0a9714c4ef5a9f24d
SHA1 : bdb3ecffb2245a6a3f4bda3880aa562a13bff421

VirusTotal of course informs us that this is a Zeus / Zbot infector:

(See VirusTotal Report)

Before you even download the "executable", there is drive-by malware that hits the visitor.

== 109.95.114.251/usr5432/in.php is called as a result of an iframe on the page.

This leads to the download and loading of:

== 109.95.114.251/usr5432/xd/pdf.pdf
and then
== /usr5432/xd/sNode.php
and /usr5432/xd/swfobject.js

and then nekovo.ru/kissme/rec.php
which downloads nekovo.ru/abs.exe

abs.exe is only detectable by 5 of 41 anti-virus products according to VirusTotal, most of them detecting it as "Hiloti":

VirusTotal Report on Hiloti - abs.exe
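The drive-by sequence above (iframe to in.php, then pdf.pdf, then a secondary executable) is an ordered chain, which is what makes it easy to spot in proxy logs even when the hosts change. The following is an added example, not code from the original post; the log format (epoch client host path), the placeholder hosts and the sample lines are constructed, while the paths and stage order follow the post.

```python
"""Added example (not from the original post): find the drive-by sequence
described above, iframe -> in.php -> pdf.pdf -> secondary .exe, in web proxy
logs. The log format (epoch client host path) and the sample lines are
constructed; the stage order follows the post."""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")

# Stages in the order the post observed them; each is a regex on the URL path.
CHAIN = [
    ("landing", re.compile(r"/in\.php$")),      # iframe target on the phish page
    ("exploit_pdf", re.compile(r"\.pdf$")),     # malicious PDF pushed by in.php
    ("payload", re.compile(r"\.exe$")),         # dropped executable (abs.exe)
]


def parse_log(lines):
    """Group well-formed lines by client as (ts, host, path) tuples."""
    by_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            by_client[m["client"]].append((int(m["ts"]), m["host"], m["path"]))
    return by_client


def find_chain(requests, window=120):
    """Return [(stage, host, path), ...] when the stages occur in order within
    `window` seconds of a landing hit, else None. Unrelated requests in
    between (e.g. swfobject.js) are skipped, not treated as a mismatch."""
    requests = sorted(requests)
    for i, (t0, host, path) in enumerate(requests):
        if not CHAIN[0][1].search(path):
            continue
        matched, stage = [("landing", host, path)], 1
        for t, h, p in requests[i + 1:]:
            if t - t0 > window:
                break
            if CHAIN[stage][1].search(p):
                matched.append((CHAIN[stage][0], h, p))
                stage += 1
                if stage == len(CHAIN):
                    return matched
    return None


def flag_clients(lines, window=120):
    """Map each client that completed the chain to its matched requests."""
    flagged = {}
    for client, requests in parse_log(lines).items():
        chain = find_chain(requests, window)
        if chain:
            flagged[client] = chain
    return flagged


# Constructed sample log. Hosts are placeholders; the paths are the ones the
# post lists. 192.0.2.10 walks the whole chain, 192.0.2.11 merely downloads
# an ordinary PDF and installer and must not be flagged.
SAMPLE_LOG = """
1264300000 192.0.2.10 update.aol.com.favucca.im /products/aimController.php
1264300001 192.0.2.10 landing.example /usr5432/in.php
1264300003 192.0.2.10 landing.example /usr5432/xd/pdf.pdf
1264300004 192.0.2.10 landing.example /usr5432/xd/swfobject.js
1264300009 192.0.2.10 dropper.example /kissme/rec.php
1264300011 192.0.2.10 dropper.example /abs.exe
1264300020 192.0.2.11 www.example.org /docs/manual.pdf
1264300025 192.0.2.11 www.example.org /downloads/tool.exe
""".strip().splitlines()

if __name__ == "__main__":
    for client, chain in flag_clients(SAMPLE_LOG).items():
        print(client, " -> ".join(f"{stage}:{host}{path}" for stage, host, path in chain))
```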




Websites that have been used in this campaign, all using the path "products/aimController.php", include:



Monday, January 18, 2010

Sendspace Zbot spreader a Flashback to Dec 15-20

From December 15th to December 20th, the top Zbot or "Zeus" trojan spreader was a spam email campaign which claimed to have news about a photo that may depict the recipient. The "photo" was actually called "photo.exe" and the website from which it was to be downloaded was intended to look like "Sendspace.com", a popular file sharing service.

Beginning early in the morning of January 16th, the UAB Spam Data Mine began to notice that the Sendspace version of Zeus may be making a return. On January 16th, we received six copies of the spam, nearly identical to those received December 15-20. They came between 6:15 and 8:30 AM, and then stopped.

The spam messages ask a variation on a question such as:

Hey! Is this photo yours?

Subjects such as:
Fw:your photo
Re:your photo
Re:
Fw:look


and provide a link supposedly to a "sendspace" page for you to see the photo.

On January 17th, we saw another burst, beginning shortly after 8:00 AM, and ending about 10:15 AM, with 90 messages being received.

Then at 11:15 PM on January 17th the real campaign began, and has been flowing steadily ever since, although the spam is definitely on a rising trend - we've seen just over 700 copies today so far.

The URLs we've seen in the spam are these:


Note the two pairs of typos? Some ".compl" instead of ".com.pl", some "sendspacecom" instead of "sendspace.com", and "wwwsendspace" instead of "www.sendspace". Those are the reasons bad guys do test runs such as the ones we saw on the 16th and 17th: they need to get their bugs worked out.

The webpage looks like this:





While they are at it, perhaps they'll remember to update their malware as well. The version being distributed in this campaign is the same version that was being distributed when the campaign ended on December 20th, which means that 34 out of 41 anti-virus products can detect it, according to this Virus Total Report.

The websites have a secondary infector. An IFRAME in the code calls a malicious website from "gerolli.co.uk". Last go-around it was pulling a file from the "/2img/" subdirectory there. This time around it's pulling a file from "/3img/in.php", which when loaded causes "pdf.pdf" to be dropped on the machine, which leads to a Fake Anti-Virus product being installed within a few minutes.

The Zeus bot uses "stomaid.ru" as its Command & Control - just as it has since December 9th.

The computers hosting the "sendspace" version of this webpage are also hosting the "USAA" version that we discussed in yesterday's article - USAA Bank Latest Avalanche Scam.

If you want to see the December version websites, they are listed below:


Sunday, January 17, 2010

USAA Bank latest Avalanche Scam

Another major spam campaign has been seen in the "avalanche" group. This one seems to be a "phishing only" spam, as opposed to recent versions that also infect with malware. We've seen more than 5,000 copies of the email in the UAB Spam Data Mine today.

The emails look like this:



We've seen 95 base subject lines:

account notification: security alert
automatic notification
automatic reminder
Customer notification
Enhanced online security measures
Important alert
Important announce
Important banking mail from USAA
important banking mail
Important information
important instructions
important notice from USAA
Important notification from USAA
important notification
Important security alert from USAA
important security update
important USAA mail
information from USAA customer service team
information from USAA customer service
Instructions for customer
instructions for our customers
instructions for USAA customer
instructions for USAA customers
instructions from customer service team
instructions from customer service
message from customer service team
message from customer service
New enhanced online security measures
New online security measures
New security measures
new security notification
new USAA form released
New USAA form
notification from USAA
notification
official information
official update
online banking alert
Our enhanced online security measures
our new security measures
safeguarding customer information
scheduled security maintenance
Security alert
security issues
Security maintenance
security measures
Service message from USAA
service message
service notification from USAA
software updating
Urgent message for USAA customer
Urgent message from USAA
Urgent notification from customer service
urgent notification
Urgent security notification
USAA customer service informs you
USAA customer service team informs you
USAA customer service: account notification
USAA customer service: important information
USAA customer service: important message
USAA customer service: important notification
USAA customer service: important security update
USAA customer service: instructions for customer
USAA customer service: new online form released
USAA customer service: notification
USAA customer service: official information
USAA customer service: official update
USAA customer service: security alert
USAA customer service: security issues
USAA customer service: service message
USAA customer service: urgent notification
USAA notification
USAA online form
USAA reminder: notification
USAA reminder: online form
USAA reminder: please complete online form
USAA security upgrade
USAA: alert - online form released
USAA: customer alert
USAA: important announce
USAA: important information
USAA: important message
USAA: important notification
USAA: important security update
USAA: instructions for customer
USAA: notification
USAA: online form released
USAA: security alert
USAA: security issues
USAA: service message
USAA: software updating
USAA: urgent message
USAA: urgent notification
USAA: urgent security notification
we have released new version of USAA form

The subject lines are made unique by appending either a timestamp, a message ID, or a reference number. So, for example, the base subject "Account notification: security alert" was received with many patterns, including:

Account notification: security alert [message id: 6411033822]
Account notification: security alert [message id: 8829877625]
Account notification: security alert
account notification: security alert [message ref: 1976348562]
Account notification: security alert [message ref: 2573324226]
account notification: security alert [message ref: 2956755073]
account notification: security alert (message ref: 4790726101)
account notification: security alert
account notification: security alert (message ref: 7771108239)
account notification: security alert [message ref: 8030440576]
account notification: security alert Mon, 18 Jan 2010 00:11:54 +0100
account notification: security alert Mon, 18 Jan 2010 00:48:19 +0100
account notification: security alert Mon, 18 Jan 2010 09:30:38 +1000
Account notification: security alert - Ref No. 511853
Account notification: security alert Sun, 17 Jan 2010 14:14:28 -0300
Account notification: security alert Sun, 17 Jan 2010 14:18:53 -0300
account notification: security alert Sun, 17 Jan 2010 14:35:54 -0300
Account notification: security alert Sun, 17 Jan 2010 17:15:30 +0000
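For anyone clustering this campaign in their own mail logs, here is an added Python normaliser (not from the original post) that strips the three uniquing schemes described above so that every variant collapses to its base subject; the sample subjects are the eighteen listed above.

```python
import re
from collections import Counter

# The 18 observed variants of one base subject, as listed in the post above.
SAMPLE_SUBJECTS = [
    "Account notification: security alert [message id: 6411033822]",
    "Account notification: security alert [message id: 8829877625]",
    "Account notification: security alert",
    "account notification: security alert [message ref: 1976348562]",
    "Account notification: security alert [message ref: 2573324226]",
    "account notification: security alert [message ref: 2956755073]",
    "account notification: security alert (message ref: 4790726101)",
    "account notification: security alert",
    "account notification: security alert (message ref: 7771108239)",
    "account notification: security alert [message ref: 8030440576]",
    "account notification: security alert Mon, 18 Jan 2010 00:11:54 +0100",
    "account notification: security alert Mon, 18 Jan 2010 00:48:19 +0100",
    "account notification: security alert Mon, 18 Jan 2010 09:30:38 +1000",
    "Account notification: security alert - Ref No. 511853",
    "Account notification: security alert Sun, 17 Jan 2010 14:14:28 -0300",
    "Account notification: security alert Sun, 17 Jan 2010 14:18:53 -0300",
    "account notification: security alert Sun, 17 Jan 2010 14:35:54 -0300",
    "Account notification: security alert Sun, 17 Jan 2010 17:15:30 +0000",
]

# One trailing uniquing token: "[message id: N]" / "(message ref: N)",
# "- Ref No. N", or an RFC 2822 style date such as "Sun, 17 Jan 2010 14:14:28 -0300".
_UNIQUE_SUFFIX = re.compile(
    r"""\s*(?:
        [\[(]\s*message\s+(?P<kind>id|ref)\s*:\s*(?P<num>\d+)\s*[\])]
      | -\s*Ref\s+No\.?\s*(?P<refno>\d+)
      | (?P<date>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d{1,2}\s+[A-Za-z]{3}\s+\d{4}
                 \s+\d{2}:\d{2}:\d{2}\s+[+-]\d{4})
    )\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def split_subject(subject):
    """Return (base_subject, suffix_kind, suffix_value). base_subject is lower-cased
    with whitespace collapsed so every variant of one lure yields the same key;
    suffix_kind is 'message id', 'message ref', 'ref no', 'timestamp' or None."""
    s = " ".join(subject.split())
    m = _UNIQUE_SUFFIX.search(s)
    if not m:
        return s.lower(), None, None
    base = s[:m.start()].lower()
    if m.group("kind"):
        return base, "message " + m.group("kind").lower(), m.group("num")
    if m.group("refno"):
        return base, "ref no", m.group("refno")
    return base, "timestamp", m.group("date")


def count_base_subjects(subjects):
    """Cluster a batch of subjects by base subject: {base: number of variants}."""
    return Counter(split_subject(s)[0] for s in subjects)


def count_suffix_kinds(subjects):
    """How often each uniquing scheme was used in the batch."""
    return Counter(split_subject(s)[1] for s in subjects)
```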

The actual website looks like this:



The URL contains:

/inet/ent_formversionnew/do_action.php?id=(bignumberhere)&email=(emailhere)

Websites we've seen used in spam today (Jan 17) include:

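Every hostname in these campaigns (USAA, VISA, sendspace) places the real brand domain in front of an unrelated registrable domain. As an added example that is not part of the original post, the following Python check extracts the registrable domain, using a constructed and deliberately partial suffix table covering only the endings seen on this page (a production tool should use the full Public Suffix List), and flags hostnames where a protected brand domain appears only as a subdomain prefix.

```python
from typing import Optional

# Constructed, partial table of multi-label public suffixes that occur in the
# hostnames on this page. Not a substitute for the real Public Suffix List.
MULTI_LABEL_SUFFIXES = {
    "co.uk", "me.uk", "org.uk", "com.pl", "co.nz", "com.vc", "co.kr",
    "jpn.com", "kr.com", "no.com", "uy.com",
}

# Brands whose real domains the campaigns on this page impersonate.
PROTECTED_DOMAINS = {"visa.com", "usaa.com", "sendspace.com"}

# Sample hostnames taken from this page, plus two legitimate controls.
SAMPLE_HOSTNAMES = [
    "www.usaa.com.12asze.com.pl",
    "alerts.cforms.visa.com.suecond.co.nz",
    "sessionid-1870Y9B7BZNSQB.cforms.visa.com.ewasza.co.uk",
    "www.sendspace.com.lipskuiil.jpn.com",
    "www.visa.com",
    "mail.example.org",
]


def registrable_domain(hostname: str) -> str:
    """Return the part actually registered with a registrar, e.g.
    'suecond.co.nz' for 'alerts.cforms.visa.com.suecond.co.nz'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(hostname: str) -> Optional[str]:
    """Return the protected domain that appears as a subdomain prefix of an
    unrelated registrable domain, or None if the hostname is not a lookalike."""
    host = hostname.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return None  # genuinely the brand's own domain
    prefix = host[:-len(reg)].rstrip(".")  # everything left of the registrable domain
    prefix_labels = prefix.split(".") if prefix else []
    for brand in PROTECTED_DOMAINS:
        b = brand.split(".")
        # the brand's labels must appear as a contiguous run inside the prefix
        for i in range(len(prefix_labels) - len(b) + 1):
            if prefix_labels[i:i + len(b)] == b:
                return brand
    return None


def scan(hostnames):
    """Return [(hostname, impersonated_brand)] for every flagged hostname."""
    hits = []
    for h in hostnames:
        brand = impersonated_brand(h)
        if brand:
            hits.append((h, brand))
    return hits
```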

Wednesday, January 13, 2010

Minipost: #CNIRcyberwar ? ? ?

Several Chinese hacker groups have decided to retaliate for the "Iranian Cyber Army" attack against the Chinese search engine, Baidu.com, which we reported yesterday in our story Iranian Cyber Army Returns - Target: Baidu.

A few sources (thanks especially @packetninjas) have sent me links to Chinese webpages where their hacker community is expressing outrage by hacking back. One Twitter hashtag seen with regard to this effort has been #CNIRcyberwar.

Despite the hashtag, there is no evidence whatsoever that there are GOVERNMENTS involved in this so-called CyberWar. On the Chinese side, this is the action of some patriotic but misguided youth who believe they can change world opinion by trashing a few insignificant websites. On the Iranian side, there is no evidence that any malice was intended towards the nation of China - it seemed their objective was just to place their message before a large audience - a goal they seem to have accomplished. I consider it highly unlikely that additional Iranian attacks on Chinese servers will result from this "CyberWar".

A hacker who claims membership in the "Honker Union for China" has posted many defacements of Iranian sites, along with lists of "official Iranian government sites" that he believes should be targeted, on the site:

http://bbs.360.cn/4261899/34063883.html

There is certainly debate going on, even within his own hacker community. One post this morning on "forums.chinesehonker.org" argued that the Iranians may not be behind the attack, but that it might really be the "dark Yankees" trying to stir up trouble. The rationale of that poster was that the attack came the day before a Chinese government missile interception test. ??? really ???

In the absence of conclusive evidence, I actually think it was quite possibly the Yankees who did it. The reason is that the day before Baidu was hacked we carried out a missile interception test, and that is what brought on the hacking of Baidu; this is a network attack triggered by a political event.
(from 自强不息 on forums.chinesehonker.org)

There is also an attempt to improve the image of Chinese hackers in the world with a little grammatical help from their friends. Another "honker" in the thread offers to fix one defacer's wording, proposing that they replace:

The big national power spurs strong corps!

with

Our nation has internet experts who aren't afraid to fight back.

and

we are Oppose the special prganization of IR

with

We oppose this special organization of IR.


The Iranian attacks are being discussed in a thread on Baidu as well:


http://tieba.baidu.com/f?kz=695043079

This "soldier" is listing stored images of defaced Iranian websites, which he's actually pulling from the posts of "soping" on the site "bbs.360.cn":

room98.ir - Defaced image, including the text:



chinese honker team[H.U.C.]

I'm very sorry for this Testing!
Because of this morning your Iranian Cyber Army
Maybe you haven't konw this thing!
This morning your Iranian Cyber Army intrusion our baidu.com
So i'm very unfortunate for you
Please tell your so-called Iranian Cyber Army
Don't intrusion chinese website about The United States authoritires to intervene
This is a warning!
Khack by toutian from Honker Union For China


Other sites on his list include:

www.iribu.ir - Defacement image

Text:
CHINA Honker
China do not hear any foreign hacker!
The big national power spurs strong corps!
we are Oppose the special prganization of
IR

Another version of the text read:

Anysize
We are Red_hacker
Let the world hear the voice of China
The state is higher than the dignity of all!

f*** ir !
china up !
honker_Anysize@qq.com
(archived image)

That same text, with a different background image, also appeared on www2.mousavian.ir - (archived image)

An earlier version of the text (another hacker probably using the same vulnerability) read:

High-profile work being
Viruses, anti-virus, invasion, the invasion
The darkness of night, slowly permeates the wing?
The third area information security group By: h4ck3ber

The People's Republic of China Long Live
The great Chinese people long live
Domestic safety inspection
Oppose splkitting Safeguarding unity
http://hi.baidu.com/no_hackTime

pankration.gov.ir - Defacement image

www.diabetes.ir/home - Defacement image

Each of these sites is being tagged repeatedly by various hackers, as you can see documented in this thread:

http://bbs.360.cn/4261899/34063883.html?page=3

Tuesday, January 12, 2010

Iranian Cyber Army returns - target: Baidu.com

Many Americans are not familiar with Baidu, but in China it's the word people say where we would say Google. Baidu is a Chinese search engine that commands a powerful 60% of the marketplace. And this morning, their website looked like this:



The white line of Persian text on the website is a statement that reads:

« ارتش سایبری ایران در اعتراض به دخالت های سايتهاي بيگانه و صهیونیستی در امور داخلی کشورمان و پخش اخبار دروغ و تفرقه برانگیز راه اندازي شده است
(translation: The Iranian Cyber Army has been established in protest against the interference of foreign and Zionist sites in the internal affairs of our country and the spreading of false and divisive news.)


Google Translate tells us that that says:

Army of cyber-sites has been established to protest intervention in the internal affairs of our country and broadcast of false and divisive news by Foreigners and Israel.


(with a little word re-ordering to preserve meaning)


We first heard of the Iranian Cyber Army on December 18th when they attacked Twitter with an almost identical attack. We documented the attack here in our story Who Is the Iranian Cyber Army?.

In today's attack, the nameservers for Baidu were redirected to a small network that caters to "warez" and various piracy and pornography servers. The computer 188.95.49.6 became the address for ns1.baidu.com, ns2.baidu.com, and ns3.baidu.com, and these new "unofficial" nameservers did a wild-card resolution for everything at baidu, pointing it to the same IP address 188.95.49.6.

Later in the morning, that IP address shifted to 188.95.49.19, which is the address currently live as of this writing.

Click the image below to see the full unedited version of the original graphic that was posted on the server:


(the original file was named "-1-2.jpg")
(The EXIF data indicates that the file was saved using Adobe Photoshop CS4 Windows on December 27, 2009 at 1:41:44 PM.)

There were also two VERY interesting email addresses on the page:

Soldier@CyberArmyOfIran.com
and
Soldier@IRCArmy.com

The website "cyberarmyofiran.com" is hosted on the Canadian IP address 70.35.29.162, which belongs to "Netfirms Inc".

Registrant:
Domain Privacy Group, Inc.
c/o cyberarmyofiran.com,
7030 Woodbine Ave. Suite 800
Markham, ON L3R 6G2
CA

Domain name: cyberarmyofiran.com

Administrative Contact:
Domain Privacy Group, Inc. privacy635948@domainprivacygroup.com
c/o cyberarmyofiran.com,
7030 Woodbine Ave. Suite 800
Markham, ON L3R 6G2
CA
Fax:

Technical Contact:
Domain Privacy Group, Inc. privacy635948@domainprivacygroup.com
c/o cyberarmyofiran.com,
7030 Woodbine Ave. Suite 800
Markham, ON L3R 6G2
CA
Fax:

Registrar of Record: Netfirms Inc.
Record expires on 2010-12-31.
Record created on 2009-12-31.
Database last updated on 2010-01-12 06:51:32.

The website "ircarmy.com" is hosted on US IP address 98.136.50.138, which belongs to Yahoo! (and is currently using a Yahoo! Nameserver)

Domain Name.......... ircarmy.com
Creation Date........ 2009-12-31
Registration Date.... 2009-12-31
Expiry Date.......... 2010-12-31
Organisation Name.... Iranian Army
Organisation Address. PO Box 61359
Organisation Address.
Organisation Address. Sunnyvale
Organisation Address. 94088
Organisation Address. CA
Organisation Address. US

Admin Name........... Admin PrivateRegContact
Admin Address........ PO Box 61359
Admin Address........
Admin Address........ Sunnyvale
Admin Address........ 94088
Admin Address........ CA
Admin Address........ US
Admin Email.......... contact@myprivateregistration.com
Admin Phone.......... +1.5105952002
Admin Fax............

That first IP address for today's redirect, 188.95.49.6, resolved such names as:


well, actually, EVERYTHING.baidu.com resolved temporarily to this IP address.

What is that IP address normally used for? When I try a reverse resolution on that IP it tells me the server's name is "pink2.warez-host.com"

The site normally hosts such webservers as:


So what do we know about WarezHost? Here's what their website says about themselves:



Warez-Host is a privately-owned organization located in Dubai, UAE. At Warez-Host, we understand that our customers' web sites are important and they require reliable services to ensure that service is not interrupted. We have established a solid foundation to offer a reliable, easy to use and low cost web hosting solution for small-to-large sized businesses and helping thousands of customers get their web sites online.

Our goal is to provide a low-cost web hosting solution that is easy-to-use, and is customer service oriented. At Warez-Host, we value our customers and recognize their need for quality service and outstanding customer service.

Warez-Host web hosting is the perfect choice for all of your web hosting needs; our datacenters are located in the Netherlands, IRAN and Germany.




The Dedicated Server pages for each data center explain what types of content you can host on their servers. For example, it's OK to host stolen software and movies ("warez") in all three locations, but the Iranian Data Center list (shown below) makes it clear you can't host pornography in Iran - although you can in their German and Netherlands based data centers.



So, if someone wants to get to the bottom of who hacked Baidu, all they have to do is slap a subpoena on the UAE-based company's Iranian data center manager to see who owns this dedicated server and get logs from it.

Yeah. Good luck with that.

More badness from "warez-host.com" servers:
