Wednesday, October 07, 2009

Microsoft "Your e-mail will be blocked" phish

An interesting phishing campaign has resulted in several news stories about stolen passwords. That got me digging in the UAB Spam Data Mine looking for related emails. I didn't find THAT phish, but we did receive a large number of email messages claiming to be sent by with this seemingly important warning:

Your e-mail will be blocked within 48 hours for spam, if this is mistake please cintact us.
Please click here for detailes.

Thank You.
Spam security Customer Service

The "Click Here" portion of the email was a link to a website containing the domain name:

with a randomized "host name" portion in front of that domain, such as:

Email subject lines observed during this phishing campaign included:

Alert: Account Deactivation Notice
Important message about your account information
Online Access Supended
Online Account Locked
Online Security Measures
Re-Confirm Your Online Access.
Your account has been flagged!
Your account has been placed on restricted status
Your Account Suspension
Your Online Account Needs Update

The spam had a unique forgery in the email headers to make the messages appear to come from Microsoft. Every mail server that relays a message prepends a "Received" line recording the address it accepted the message from, so a header normally carries more than one of them, such as:

Received: from ( [] (may be forged))
by (8.11.6/8.11.0) with ESMTP id n96Lew069365
for <>; Tue, 6 Oct 2009 21:40:59 GMT
Received: from []) by with SMTP id 69811070;

In this case, the "Return-Path" line is fake: it is copied from the envelope sender address, which the sender supplies and can set to anything. The second "Received" line is also fake. Only the first "Received" line was written by the receiving server; the second arrived inside the message, added by the sender, and it tries to convince you that the sending IP "" is actually a Microsoft computer, which it's not!
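The hop-by-hop reasoning above, as an added example (this code is not from the original post). It parses a constructed message modelled on the forged headers, with invented hostnames and RFC 5737 documentation IPs, and assumes `mail.example.org` is our own inbound server, the only one whose "Received" line we can trust:

```python
"""Walk a message's Received: chain to find the one hop that can be trusted.

Each mail server that relays a message prepends its own Received: line, so
the topmost line was written by our own inbound server and everything below
it arrived inside the message, supplied by the sender. Return-Path is
likewise set by the receiving server from the SMTP envelope sender, which
the sender chose, so neither it nor the lower Received: lines prove origin.
"""
import email
import email.policy
import re

# Constructed sample for this example, modelled on the forged headers in the
# post. Hostnames are invented and the IPs come from the RFC 5737
# documentation ranges; mail.example.org stands in for our own inbound MTA.
SAMPLE_MESSAGE = """\
Return-Path: <security@microsoft.com>
Received: from mail.microsoft.com (host-77.example.net [203.0.113.77] (may be forged))
\tby mail.example.org (8.11.6/8.11.0) with ESMTP id n96Lew069365
\tfor <victim@example.org>; Tue, 6 Oct 2009 21:40:59 GMT
Received: from [198.51.100.25]) by mail.microsoft.com with SMTP id 69811070;
\tTue, 6 Oct 2009 21:40:50 GMT
From: "Spam security Customer Service" <security@microsoft.com>
To: victim@example.org
Subject: Your Account Suspension

Your e-mail will be blocked within 48 hours for spam.
"""

OUR_SERVERS = {"mail.example.org"}  # assumption: the hosts whose Received: lines we wrote

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s*\[")      # "(rdns.name [ip]" as sendmail records it
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # the TCP peer address in brackets
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def registrable(name):
    """Crude 'last two labels' domain for comparing HELO and reverse-DNS names."""
    labels = name.lower().strip("[]().").split(".")
    return ".".join(labels[-2:])


def parse_received(value):
    """Pull the claimed HELO name, recorded peer IP/rDNS and receiving host out of one line."""
    frm, rdns, ip, by = (r.search(value) for r in (FROM_RE, RDNS_RE, IP_RE, BY_RE))
    helo = frm.group(1).strip("[]()") if frm else None
    rdns_name = rdns.group(1) if rdns else None
    return {
        "helo": helo,
        "rdns": rdns_name,
        "peer_ip": ip.group(1) if ip else None,
        "by": by.group(1).strip("[]()").lower() if by else None,
        "forged_annotation": "may be forged" in value.lower(),
        # None when the receiving MTA recorded no reverse-DNS name to compare against
        "helo_matches_rdns": (registrable(helo) == registrable(rdns_name)) if helo and rdns_name else None,
    }


def analyze_received(raw_message, our_servers=OUR_SERVERS):
    """Return the hops top-down, marking each as trusted or sender-supplied."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    hops, trusted = [], True
    for value in msg.get_all("Received", []):
        hop = parse_received(str(value))
        # Trust ends at the first line not written by one of our own servers;
        # that line and everything after it were inside the message on arrival.
        trusted = trusted and hop["by"] in our_servers
        hop["trusted"] = trusted
        hops.append(hop)
    return hops


def true_sender_ip(raw_message, our_servers=OUR_SERVERS):
    """The peer IP recorded by the last server we control: the only origin we can vouch for."""
    trusted = [h for h in analyze_received(raw_message, our_servers) if h["trusted"]]
    return trusted[-1]["peer_ip"] if trusted else None


if __name__ == "__main__":
    for i, hop in enumerate(analyze_received(SAMPLE_MESSAGE)):
        print(i, "TRUSTED  " if hop["trusted"] else "UNTRUSTED", hop)
    print("sender IP we can vouch for:", true_sender_ip(SAMPLE_MESSAGE))
```

On the sample, the only trusted hop is the one our own server wrote, and it already tells the story: the peer said HELO as mail.microsoft.com, reverse DNS disagreed, and sendmail flagged it "(may be forged)". The lower "Received" line, the one claiming a Microsoft relay, is untrusted by construction, whatever it says.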

The End?

Unfortunately, that's as far as this part of the investigation can go. The website had already been terminated by asking the Registrar to remove the nameserver from active duty, meaning that the domain no longer resolves and no computer can reach the website by name.

But is that really the end?

The nameserver for this domain, which has already been terminated, was By querying that nameserver directly, we can see that the site was "fast flux" hosted on many different IP addresses. For instance, resolving the domain currently, according to, points us to:

By hard-coding one of these IP addresses for the domain name (a hosts-file entry), we can see what WOULD have happened had we visited the site: the page loads an IFRAME from the site:


THAT website has been listed since September 3rd at MalwareDomainList as a LuckySploit exploit-kit site.

So the question remains: was this a phishing site at all, or merely a lure to put victims in front of LuckySploit so it could take over their computers?

Whois points to Badness

Here is the WHOIS data for which was registered October 5, 2009 at, an infamous Chinese registrar.

Administrative Contact:
Name: Ferd Derfo
Organization: Ferd Derfo
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 133331
Phone: +7.9357738849
Fax: +7.9357738849

Here is the WHOIS data for which was registered at another infamous Chinese registrar,, on July 21, 2009:

Serpino Berbeto +1.2128848801
Serpino Berbeto
403 po box
New York NY US 10037

Do a search on "Serpino Berbeto" and you'll find more than 1,000 instances of this identity being used to register domains for malware distribution and online fraud, including fake escrow sites, spam, pirated software (, and Canadian Pharmacy (

The Serpino identity is one of the many "resellers" that cause OnlineNIC and other Chinese registrars to be such widely used havens for cybercriminals.

Serpino is hosting this site, and several other recent malware infection sites he's been behind, on a netblock belonging to "The Bigness Group" in St. Petersburg, Russia.

Serpino's sites on that netblock include: - -
lovisiribkabolishajaimalenkaja - - -

Of course, other aliases are also hosting malware on this netblock, which seems to be filling the role of the old Russian Business Network, also of St. Petersburg:

Tourino Markes / has registered: = - associated with both Zeus and the Fragus exploit kit

Kelly Watsen / has registered: = - associated with LuckySploit exploit kit

Fego Fegochev / has registered: = - associated with the LuckySploit exploit kit = - also associated with LuckySploit

Passive DNS reveals all sorts of badness. Recommendation? Everyone should block "The Bigness" and their entire network block!

IRS Zeus Again???

I ran the fast flux IP addresses given above through some checks at a Passive DNS Logging system to see if they were "known" IP addresses. Yes. Several of the IP addresses above are part of the same Fast Flux network which is being used for the "Avalanche" botnet, which is currently behind the IRS Zeus net!

So what happens if we hard-code a hosts entry mapping one of the recent IRS domains to one of the IP addresses above?

That's right. I added this line to my "hosts" file:

and visited:

an IRS domain which has no active nameserver and has not been live for more than a week. It still answered on the IP address used above for the domain, and displayed the IRS Zeus infection website, complete with an active link for downloading the current malware.
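The hosts-file trick used twice above (first to reach the phish domain on one of its fast-flux IPs and see the IFRAME, then to reach the dead IRS domain on the same IP), done per request instead of by editing the hosts file, as an added example that is not the post's own code. It assumes plain HTTP, and the IP, domain and IFRAME target in it are invented placeholders (203.0.113.5, dead-phish.example, exploit-host.example):

```python
"""Visit a site whose domain no longer resolves, by talking to an IP it was
hosted on and presenting the dead name in the Host: header. That is exactly
what a hosts-file entry does; this just does it per request. Then pull out
any IFRAMEs in the page, since a hidden or off-site IFRAME is how the phish
page handed visitors to the exploit kit.
"""
import http.client
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Exploit kits commonly fingerprint User-Agent, so present a browser of the era.
BROWSER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Constructed sample page for this example; exploit-host.example is an
# invented name standing in for the IFRAME target.
SAMPLE_HTML = """<html><body>
<h1>Spam security Customer Service</h1>
<form action="/login.php" method="post">Email: <input name="u"> Password: <input name="p"></form>
<iframe src="http://exploit-host.example/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe src="/terms.html" width="400" height="200"></iframe>
</body></html>"""


def fetch_with_host_override(ip, host, path="/", port=80, timeout=15):
    """GET http://<ip><path> while claiming to be asking for <host>.

    Only plain HTTP is handled, which is what the sites in the post used; an
    HTTPS site would additionally need the name passed as SNI via
    ssl.SSLContext.wrap_socket(server_hostname=host).
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        # Supplying Host ourselves stops http.client from sending the IP as the Host.
        conn.request("GET", path, headers={"Host": host, "User-Agent": BROWSER_UA})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def looks_hidden(attrs):
    """True for the 0x0 / 1x1 / display:none IFRAMEs that kit injections use."""
    def tiny(value):
        m = re.match(r"\s*(\d+)", value or "")
        return m is not None and int(m.group(1)) <= 1
    style = re.sub(r"\s+", "", (attrs.get("style") or "").lower())
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names for us
        src = a.get("src") or ""
        self.iframes.append({"src": src, "host": urlsplit(src).hostname, "hidden": looks_hidden(a)})


def extract_iframes(html):
    finder = IframeFinder()
    finder.feed(html)
    finder.close()
    return finder.iframes


def suspicious_iframes(html, page_host):
    """IFRAME sources that are hidden or point off the page's own host."""
    return [f["src"] for f in extract_iframes(html)
            if f["hidden"] or (f["host"] and f["host"].lower() != page_host.lower())]


if __name__ == "__main__":
    # Offline demonstration on the constructed page. Against a live fast-flux
    # IP you would do something like (from an isolated analysis VM):
    #   status, headers, body = fetch_with_host_override("203.0.113.5", "dead-phish.example")
    #   print(suspicious_iframes(body, "dead-phish.example"))
    for src in suspicious_iframes(SAMPLE_HTML, "dead-phish.example"):
        print("suspicious IFRAME:", src)
```

From a shell, `curl --resolve dead-phish.example:80:203.0.113.5 http://dead-phish.example/` does the same thing as the hosts-file entry for a single request. Either way, do it from an isolated analysis machine: the whole point is that the page loads an exploit kit, and the IP keeps serving it long after the name has been pulled, which is why a registrar-side takedown of the domain is not a takedown of the hosting.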

File size: 95744 bytes
MD5...: fe80e38049ebb5f082adfb3dd9110d51
The VirusTotal report shows that only 7 of 41 anti-virus products currently detect this Zbot / Zeus Bot infector.
