www.hsbc.co.uk.dezzzz1.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzza.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzc.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzd.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzze.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzf.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzg.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzq.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzr.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzs.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzt.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzv.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzw.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzx.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.dezzzzz.com.pl | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.leptprs.co.kr | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.leptprs.kr | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.leptprs.ne.kr | /1/2/HSBCINTEGRATION/banking.php
www.hsbc.co.uk.leptprs.or.kr | /1/2/HSBCINTEGRATION/banking.php
Pretty subtle, but perhaps you noticed it too?
I checked today's spam in the UAB Spam Data Mine to see what domains we had seen in actual spam messages as well, and as you can see, we actually added a few since the last check by the Phishing Operations folks:
The email body that we're seeing says this:
As part of the new security measures, all HSBC customers are required to complete "Digital Certificate Form". Please complete the form as soon as possible.
To access the form please click on the following link:
Subjects used by this email include:
Enhancements: New Release
Obtain Digital Certificate
Please Read: This Document Contains Important Information
Please read this important information concerning your privacy
This Document Contains Important Information
All of those websites and spam messages seem to point to a phishing page:
But in reality, as we see on page two of the scam, what they hope to do is encourage the creation of a "Digital Certificate" using the program they provide.
The program is of course a Zbot or Zeus Bot installer program.
We ran the file, called "certificate.exe" through VirusTotal to learn some facts about it, including the fact that only six of forty-one anti-virus products detect this as malware:
VirusTotal Report here
File size: 130048 bytes
MD5 : 21de77648ebf5cd70e3ddd92f172b9a5
SHA1 : bdb1819004cfff9a6829be26dd715542983d5129
I uploaded the zbot infector to Anubis, the excellent "Analyzing Unknown Binaries" project.
They produced this beautiful 24 page PDF report (Anubis Report of Certificate.exe, which tells us that the malware gets copied to c:\windows\system32\sdra64.exe, which makes sure its going to load in memory every time you login by tying itself to the "user init" process through the Registry key: HKLM\software\microsoft\windows nt\currentversion\winlogon
I threw up a VM and followed one of the HSBC spam links. There was code on the HSBC-look-alike page that decoded and tried to force me to download a file called "pdf.pdf" from a website called "atthisstage.com". The real action came from launching "certificate.exe" however, which immediately connects to "elnasa.ru" and downloads a file "/asd/elnasa.ble".
(Dancho Danchev has an excellent blog today which also mentions how "atthisstage.com" is responsible for serving up a variety of exploits to grow the "Pushdo" botnet, (which I normally refer to as "Cutwail", same bot, different AV company name), Please visit Dancho's Blog for more details. So, if you visited this page, not only are the criminal stealing all of your personal information with the data theft aspects of Zeus, you are probably also spamming for them through the Pushdo botnet.
Sadly, according to ZeusTracker, that particular Command & Control has been live since at least December 16th. The Ukrainian IP address its on, 126.96.36.199, is part of the "Vesteh-Net" AS47560, which is a fairly common host of Zeus C&C servers, including:
anacardic.in (January 1)
justinnew6.com (January 1)
justinnew5.com (January 1)
justinnew4.com (January 1)
188.8.131.52 (December 25)
elnasa.ru (December 16)
stomaid.ru (December 9)
All of those are currently online.
Elnasa.ru was registered by firstname.lastname@example.org (Alexsey V Kijanskiy), probably an alias, on December 14th, and has nameserver on 184.108.40.206 and 220.127.116.11.
That last one's an interesting IP. It also serves as the nameserver for:
trust-service.cn (18.104.22.168 - Zeus - email@example.com)
recessa.ru (22.214.171.124 - Zeus - firstname.lastname@example.org)
stomaid.ru (126.96.36.199 - Zeus - email@example.com)
recrush.ru (188.8.131.52 - unknown - in Moldova)
nekovo.ru (184.108.40.206 - Zeus - firstname.lastname@example.org)
androzo.ru (220.127.116.11 - unknown - in Kazakhstan)
18.104.22.168 is on a single Class C ASN - AS49934.
Its only upstream is AS31366, Stebluk Vladimir Vladimirovich.
I wonder if other crappy little Ukrainian Zeus Bot hosters buy their network services from Stebluk?
EuroAccess, AS34305, currently has 27 live C&C servers, including what looks like near neighbor IPs, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, and 220.127.116.11, 18.104.22.168, 22.214.171.124. Doesn't seem connected.
Root eSolutions, AS5577, currently has 3 live C&C servers, including what looks like near neighbor IPs, 126.96.36.199, but its also not really that connected.
Nope, I guess its entirely a coincidence there are so many Zeus Bot C&C's in the Ukraine.
Yesterday the big Avalanche target was actually eBay, with domains like this:
The eBay phishing page was also a drive-by infector, launching malware through several attempted attacks of your browser from:
(yeah, don't go there!)
(That network is in Kazakhstan, seriously, "VishClub"???)
inetnum: 188.8.131.52 - 184.108.40.206
descr: Kanyovskiy Andriy Yuriyovich
Although we didn't grab a screen capture yesterday, as the ultimate evidence that these campaigns are related, we can put yesterday's "eBay path" onto today's "HSBC hostname" and still see the eBay content. Notice the URL in this screen shot:
Huge variety of subjects for the eBay version in our email, but the basic patterns were:
account notification: security alert
eBay customer service informs you
eBay customer service team informs you
eBay online form
eBay reminder: notification
eBay reminder: online form
eBay security upgrade
eBay: alert - online form released
eBay: customer alert
eBay: important announce
eBay: important message
eBay: important notification
eBay: important security update
eBay: instructions for customer
eBay: security issues
eBay: service message
eBay: urgent message
eBay: urgent notification
Enhanced online security measures
Important eBay mail
Important notice from eBay
important notification from eBay
Important security update
Information from eBay customer service
Instructions for customer
instructions for eBay users
instructions for our customers
instructions from customer service
instructions from customer service team
Message from customer service
Message from customer service team
New eBay form
new eBay form released
new enhanced online security measures
new online security measures
new security measures
Notification from eBay
our enhanced online security measures
Our new security measures
Scheduled security maintenance
service message from eBay
Service notification from eBay
Urgent message for eBay user
urgent message from eBay
Urgent notification from customer service
Urgent security notification
we have released newe version of eBay form
All of those subjects also can be followed by:
- a timestamp including date, such as: Tue, 12 Jan 2010 19:54:25 +0200
- a message id, such as: (message id:3924375238)
- a reference number, such as: Ref No. 947990