My students are back from the holidays, and I couldn't be happier! Tomorrow night I have 14 new graduate students who I'll be meeting in my Computer Security class where I teach at the University of Alabama at Birmingham. But this analysis was by one of my undergraduate research students who works on malware analysis for me.
Although the volume is greatly reduced from Christmas and New Years, we are continuing to see a regular flow of "eCards" into the UAB Spam Data Mine. Today's domain name of choice was "smartcardgreeting.com". The website hasn't changed since what I showed in the January 3rd post - Happy New Year! Here's a Virus! - but the malware is much less detectable.
How bad? Only ONE of thirty-nine products at VirusTotal.com was able to detect this malware as being a bad file:
The other malware he analyzed today was a fake ClassMates.com malware. ClassMates.com has been targeted on and off for most of the month of December with a spam message claiming to have a video for you to review. Of course the video doesn't actually play and instead prompts you to download a program which claims to be an AdobePlayer.
There were actually two separate groups of five domains involved in this attack.
adobflashplayer10.com
installadobereader.com
installcashion.com
newflasplayerforcm.com
newgoodclassmates.com
and
flashplayerforwindows.com
flashsiters.com
installationsflash.com
newsflashbbc.com
windowsflashplayer10.com
The latter group was registered on TodayNic.com, and used the Nameserver NS1.NEWHOSTINGFORUS.COM.
Each of which had a page called "reunion2009.htm" which contained the fake video, and the malware downloader and looked like this:
All of the sites were registered with the Chinese domain registrar, BizCN.com, and each used the same nameserver, NS1.AVAILABLEREG.COM.
The first piece of malware, Adobe_Player10.exe, actually has a mediocre detection rate of 16 out of 39 VirusTotal detections. Unfortunately, the only function of this malware is to drop the REAL malware, which is being downloaded from the site:
shangaicons.com/22.exe
22.exe is "double-packed", where the hacker takes his virus, packs it with a packer to avoid undetection, and then takes the results and packs them with a different packer as well. It resulted in a very hard to detect piece of malware, as evidenced by the fact that only ONE of 39 anti-virus products were able to detect this as well:
My student malware analyst was able to successfully unpack the 22.exe malware, and found that it is a root-kitted keylogger, in the same family we've been seeing. It steals passwords from your computer as you type them, and sends them with patterns like this:
C:\Program Files\Internet Explorer\iexplore.exe
http://%s%s?user_id=%.4u&version_id=%s&passphrase=%s&socks=%lu&version=%lu&crc=%.8x
URL: sniffer_ftp_%s
ftp_server=%s&ftp_login=%s&ftp_pass=%s&version=%lu
URL: sniffer_pop3_%s
pop3_server=%s&pop3_login=%s&pop3_pass=%s
URL: sniffer_imap_%s
imap_server=%s&imap_login=%s&imap_pass=%s
URL: sniffer_icq_%s
icq_user=%s&icq_pass=%s
to the Ukrainian IP address:
91.211.65.30
which we first reported seventeen days ago and asked for termination.
We saw about 375 copies of the ClassMates.com email today, with a wide assortment of subject lines, including:
- Accomplishments by classmates and reunion information
- Alumni Events: Classmates
- An Invitation to Personal Classmates Day
- Bringing Classmates Together January 2009
- Classmates - ALUMNI Reunion Calendar
- Classmates - Calendar 2009
- Classmates - Custom Invitations
- Classmates 2009 January - Invitation
- Classmates Alumni Event Calendar
- Classmates Day - January 2009.
- Classmates Important Meeting Information
- Classmates in January - Invitation to All Faculty to the Spring 2009 ...
- Classmates in January...Invitation! - Page 1
- Classmates Institutional Membership Invitation
- Classmates International Honour Society Invitation Acceptance
- Classmates invitation - Reunion party Greeting Card.
- Classmates Membership Invitation
- Classmates Membership Invitation from teachers
- Classmates Message Boards
- Classmates Organisation.Class Reunion Information
- Classmates Organiser Warning - AN URGENT MESSAGE - Your Classmates Are Waiting
- Classmates Organiser Warning - Classmates Organisation.Have any special memories from when we were in high school?
- Classmates Organiser Warning - Don't Miss Tonight's Classmates Reunion !
- Classmates Organiser Warning - How can someone miss a Classmates meeting?
- Classmates Organiser Warning - How to Hold A Class Meeting And Promote Classmate Support
- Classmates Organiser Warning - Meeting high school and junior college classmates
- Classmates Organiser Warning - Webster meetings among former classmates
- Classmates Party invitation...
- Classmates Personal Invitation: Custom invitation
- Classmates Preview, public invitation
- Classmates Reunion - Invitation
- Classmates Reunion - Are you ready to accept the invitation?
- Classmates Reunion - Classmates Reunion - Special Preview Invitation
- Classmates Reunion - Custom Invitations
- Classmates Reunion - Invitation: Ready
- Classmates Reunion - Personal Invitation Letter to visit Classmates Day
- Classmates Reunion - Personalized Invitations
- Classmates Reunion - Ready to view your Classmates Invitation?
- Classmates Reunion - Your Classmates Invitation - He's Ready, Are You?
- Classmates Reunion Calendar
- Classmates Reunion Soon - [Class Reunion] Save the Date
- Classmates Reunion Soon - All your classmates receiving invitations!
- Classmates Reunion Soon - classmates meeting
- Classmates Reunion Soon - Classmates Organisation.What Have You Been Up To
- Classmates Reunion Soon - ClassMates.com about meeting classmates
- Classmates Reunion Soon - Important Dates for Classmates Meeting
- Classmates Reunion Soon - Mini-Reunion / Meeting with Classmates
- Classmates Reunion Soon - UPDATE: Reunion Date Change
- Classmates Reunion Soon - Video
- Classmates Reunion Soon - You Have 1 Message Waiting for You. Classmates portal
- Classmates Reunion Soon - Your Classmates Are Waiting to meet with you
- Classmates Reunion Soon - Your classmates Day New Date.
- Classmates Reunion Soon - Your classmates Day New Date..How can someone miss a Classmates meeting?
- Classmates Reunion Soon - Your classmates Day New Date.Important Dates for Classmates Meeting
- Classmates Video your personal invitation by John
- Classmates/com: HappyScrappers January Invitation
- Classmates/com: January is the time to learn at a low cost
- Classmates: Be ready for Reunion Day.
- Classmates: custom invitations 2009
- Classmates: Display your invitations from your profile
- Classmates: Invitation Design 2009
- Classmates: Membership Invitation - American Studies Association
- Classmates: Membership Invitation. 2009 season
- Classmates: View Your Invitation - Click Here
- Classmates: View your personal invitation video from Chris O'Malley
- Classmates: Your complete invitation is viewable for 30 days after the event.
- Classmates: Your Invitation Place
- Classmates: your invitation to a private view
- Do not miss the Classmates reunion
- Do-Not-Miss Classmates reunion.
- Events Calendar : Classmates
- Friends waiting for your visit! Classmates
- Get all of your classmates together Day - January 2009
- Important Classmates Day's 2009
- Invitation to the Classmates - January 12th | Earth ...
- January - Classmates/com
- January 16, 2009: Deadline for Classmates Invitation
- January Invitation. Classmates
- January Invitations, Classmates Invitations, Online ...
- My Classmates news
- Reconnect with your MBA classmates and favorite teachers
- Search for Classmates
- Spam Accomplishments by classmates and reunion information
- The power of a personal invitation - Classmates
- Traditional January Invitations, Classmates Party ...
- Use Classmates.com to bring class together.
- Welcome to Classmates Personal Invitation
- Your Classmates Are Waiting. Classmates Invite all friends.
- Your Classmates Are Waiting.Look an invitation.
- Your classmates Day New Date.A Meeting with my HighSchool Classmates
- Your classmates Day New Date.Important Meeting for Classmates
- Your classmates Day!
- Your classmates will be able to find your
- Your High bring classmates together.
(The previous batch of domains, including "classmatersunion.com, indexguideclassmates.com, renewclassmates.com" all used the nameserver, NS1.GOODNEWYEARHOSTING.COM)
The Classmates malware domains are hosted by Fast Flux, and are using the same Fast Flux network as the current MBNA phishing sites, such as bankcardservices.mbna.co.uk.dlls-id01.eu.
No comments:
Post a Comment
Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.