Jump to bottom for the updated list of malicious URLs.

If you drive in a city with toll roads, you are familiar with the E-Z Pass System. If you are, you may have been tempted to click on an email that looked like this:

A quick search in the Malcovery Security Spam Data Mine revealed these related emails:
date       | subject                               | sender_name
-----------+---------------------------------------+---------------------------------
2014-07-08 | In arrears for driving on toll road   | E-ZPass Collection Agency
2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
2014-07-08 | In arrears for driving on toll road   | E-ZPass Customer Service Center
2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Collection Agency
2014-07-08 | Indebted for driving on toll road     | E-ZPass Customer Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Info
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Pay for driving on toll road          | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info

But the destination websites are certainly not on E-Z Pass's domains!
machine                   | path
--------------------------+-------------------------------------------------------------------
www.federalparts.com.ar   | /tmp/api/3eLv aFKXBvmuxydKFVfEZIMWSl7f4VJfOpfcdAHPeo=/toll
www.fiestasnightclub.com  | /tmp/api/kJ1a5XRhE7MM9YhRVR1186why1TgPCPH7aieECyjb I=/toll
www.flavazstylingteam.com | /tmp/api/vBrLdEDWRK4sXs6KaHEbWzHnbEYIFSo42BZvGd4crCY=/toll
www.fleavalley.com        | /tmp/api/ycI2IRHcInDd1/cetyLMZMjwyxKxTAEHFkjk1dRUfYs=/toll
www.frazeryorke.com       | /wp-content/api/LtvaZdAvP3GFuaqyulY/C3haFCeID3krbtMHt52cdnM=/toll
www.fsp-ugthuelva.org     | /tmp/api/fMVyiIXcbY9gamr17zPrnhTgz2Zvs825GTmvvRjlTIA=/toll
www.fyaudit.eu            | /components/api/yiBOsvUdvftbCd4Fa1zmVtIkbs4x3ThiUnFoIgwyI9Q=/toll
www.giedrowicz.pl         | /tmp/api/R4a4iKmACUtWoRHq1DsCiQ1aH 3J7QgBMfp1zq8gqj8=/toll
www.gostudy.ca            | /components/api/Q/sV7HtfnZGOW4lzlLSfFuKM/lLu8LQmOlT TVXKb2o=/toll
www.graphiktec.com        | /tmp/api/nZbX6I6vYQrsTlY4OAw44Qq96Lnw/JOoLDdBmdLh21M=/toll
www.h2oasisinc.com        | /components/api/BivlBt/AhVodCMM9zRuvcQpIyG2X6Knd8sERnP1 QDA=/toll
www.habicher.eu           | /tmp/api/yra96tiDlyYbYxsbJpr/hDVSPmwh6GKYLF6PaD3nUAI=/toll
www.grupoancon.com        | /components/api/6jI99hwDmjAvkEvuX8JvVSkS3InPtLii ZN3dbIVkOM=/toll
www.happymaree.com.au     | /tmp/api/d4ik5Y2GvCVSSJQhXI9wYYpBvxjLS78peeRYMKV0V7c=/toll
www.headspokerfest.com    | /tmp/api/RTuPCuYLjaj1KnTeJrMlCoH9HL4IixR eBvajB6TCeE=/toll
www.headspokerfest.com    | /tmp/api/43J6l5G/CkNp6kmGl0b jUY/oOL4411pPds8nylDE5g=/toll

When we visit one of the URLs, we are prompted to download a .zip file, containing a .exe file.
Both are conveniently named for the City and ZIP Code from which we are connected.
For example:
When we run this malware, it attempts to make contact with the following C&C locations:
76.74.184.127:443
113.53.247.147:443
50.57.139.41:8080
188.165.192.116:8080
82.150.199.140:8080
203.157.142.2:8080
212.45.17.15:8080
92.240.232.232:443
188.165.192.116:8080

At Malcovery Security, we've been tracking the ASProx botnet for some time, and most of these IP addresses were already known to belong to it. This is the same botnet that sent the Holiday Delivery Failure spam imitating Walmart, CostCo, and BestBuy over the holidays and that sent the Court Related Malware through the early months of 2014.
Thanks to some updates from new friends on Twitter, we wanted to give an update on what we are seeing in the Malcovery Spam Data Mine. Because every advertised URL is unique, we have replaced the unique portion with "...STUFF..." in the URLs below. The important part is this: anything you see in your logs that includes "tmp/api", "wp-content/api" or "components/api", then some STUFF, then "=/toll" is going to be one of the URLs from the current E-Z Pass spam, which began on July 8th and is still continuing here on July 12th. If you have access to Very Large Logs, we'd love to get YOUR URLs of this pattern to see if we can help webmasters identify and shut this stuff down.

Note the alphabetical progression through compromised domain names? These are sorted by timestamp, not by domain name; it just so happens those are the same thing. We believe the criminals have a very large list of pre-compromised domains that they can use at will. Possibly these are just harvested passwords from other malware campaigns.

This malware is the ASProx malware. If anyone has more details on the "what happens next?" part of the malware, please do share. What we have observed and been told is that infected machines are primarily used for advertising click-fraud, but we are happy to learn more about those aspects and share what we learn.
date                   | machine                    | path
-----------------------+----------------------------+----------------------------------
2014-07-08 10:15:00-05 | www.fiestasnightclub.com   | /tmp/api/...STUFF...=/toll
2014-07-08 11:15:00-05 | www.flavazstylingteam.com  | /tmp/api/...STUFF...=/toll
2014-07-08 11:20:00-05 | www.fleavalley.com         | /tmp/api/...STUFF...=/toll
2014-07-08 13:20:00-05 | www.fsp-ugthuelva.org      | /tmp/api/...STUFF...=/toll
2014-07-08 13:30:00-05 | www.frazeryorke.com        | /wp-content/api/...STUFF...=/toll
2014-07-08 14:10:00-05 | www.fyaudit.eu             | /components/api/...STUFF...=/toll
2014-07-08 15:30:00-05 | www.giedrowicz.pl          | /tmp/api/...STUFF...=/toll
2014-07-08 16:40:00-05 | www.gostudy.ca             | /components/api/...STUFF...=/toll
2014-07-08 17:45:00-05 | www.graphiktec.com         | /tmp/api/...STUFF...=/toll
2014-07-08 18:45:00-05 | www.h2oasisinc.com         | /components/api/...STUFF...=/toll
2014-07-08 18:50:00-05 | www.habicher.eu            | /tmp/api/...STUFF...=/toll
2014-07-08 19:00:00-05 | www.grupoancon.com         | /components/api/...STUFF...=/toll
2014-07-08 19:20:00-05 | www.headspokerfest.com     | /tmp/api/...STUFF...=/toll
2014-07-08 19:30:00-05 | www.happymaree.com.au      | /tmp/api/...STUFF...=/toll
2014-07-09 01:10:00-05 | www.ingersollpharmasave.ca | /components/api/...STUFF...=/toll
2014-07-09 01:30:00-05 | www.improlabsa.com         | /components/api/...STUFF...=/toll
2014-07-09 01:45:00-05 | www.innovem.nl             | /components/api/...STUFF...=/toll
2014-07-09 02:00:00-05 | www.intelliwaste.net       | /components/api/...STUFF...=/toll
2014-07-09 04:15:00-05 | www.investment-mastery.com | /wp-content/api/...STUFF...=/toll
2014-07-09 05:50:00-05 | www.islandbiblechapel.com  | /tmp/api/...STUFF...=/toll
2014-07-09 06:15:00-05 | www.ironstoneranch.com     | /tmp/api/...STUFF...=/toll
2014-07-09 13:00:00-05 | www.klaafalaaf.de          | /components/api/...STUFF...=/toll
2014-07-09 20:00:00-05 | www.listerus-capital.com   | /components/api/...STUFF...=/toll
2014-07-10 00:10:00-05 | www.learn-a-language.eu    | /components/api/...STUFF...=/toll
2014-07-10 06:30:00-05 | www.mindsolutions.sk       | /components/api/...STUFF...=/toll
2014-07-10 07:15:00-05 | www.mintom.it              | /components/api/...STUFF...=/toll
2014-07-10 14:00:00-05 | www.moretrends.de          | /tmp/api/...STUFF...=/toll
2014-07-10 15:00:00-05 | www.nortech.com.au         | /components/api/...STUFF...=/toll
2014-07-10 18:30:00-05 | www.p-press.com            | /components/api/...STUFF...=/toll
2014-07-11 00:00:00-05 | www.porno-sexshop.ch       | /tmp/api/...STUFF...=/toll
2014-07-11 01:00:00-05 | www.powiatstargardzki.eu   | /components/api/...STUFF...=/toll
2014-07-11 02:00:00-05 | www.projectstc.org         | /components/api/...STUFF...=/toll
2014-07-11 08:15:00-05 | www.radmotors.com.pl       | /components/api/...STUFF...=/toll
2014-07-11 10:10:00-05 | www.reportsolutions.com    | /components/api/...STUFF...=/toll
2014-07-11 16:00:00-05 | www.search4staff.com       | /components/api/...STUFF...=/toll
2014-07-11 18:00:00-05 | www.sirman.us              | /tmp/api/...STUFF...=/toll
2014-07-11 20:30:00-05 | www.stjosephbristol.org    | /components/api/...STUFF...=/toll
2014-07-11 21:15:00-05 | www.stpat.nsw.edu.au       | /components/api/...STUFF...=/toll
2014-07-12 15:00:00-05 | avauncemarketing.net       | /wp-content/api/...STUFF...=/toll
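For anyone who wants to check their own proxy logs for the "tmp/api" / "wp-content/api" / "components/api" ... "=/toll" shape described above, here is an added example (not code from this post or from Malcovery) that scans Common Log Format lines as written by a forward proxy; the log format is an assumption, and the client IPs, hostnames and blobs in the sample are constructed.

```python
import re

# Path shape described in the post: one of three directory prefixes, "/api/", a
# unique per-recipient blob, then "=/toll". The blob may contain "/", "=" and even
# spaces (decoded "+" signs), so it is matched loosely and anchored on "=/toll".
TOLL_URL_RE = re.compile(r'https?://(?P<host>[^/\s]+)'
                         r'(?P<path>/(?:tmp|wp-content|components)/api/[^\s"?]+=/toll)$')

# Common Log Format from a forward proxy: the request line carries the full URL.
LOG_LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                         r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log: clients, hosts and blobs are invented for this example.
SAMPLE_LOG = """\
10.0.0.12 - - [08/Jul/2014:10:17:03 -0500] "GET http://www.example-one.test/tmp/api/QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=/toll HTTP/1.1" 200 48211
10.0.0.15 - - [08/Jul/2014:10:19:44 -0500] "GET http://www.example-two.test/wp-content/api/MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3OD=/toll HTTP/1.1" 200 48211
10.0.0.15 - - [08/Jul/2014:10:20:01 -0500] "GET http://www.example-two.test/wp-content/uploads/2014/07/logo.png HTTP/1.1" 200 1120
10.0.0.22 - - [08/Jul/2014:10:25:10 -0500] "GET http://www.example-three.test/components/api/YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=/toll HTTP/1.1" 404 512
10.0.0.22 - - [08/Jul/2014:10:26:33 -0500] "GET http://www.example-tolls.test/api/account/toll HTTP/1.1" 200 900
"""


def find_toll_hits(log_text):
    """Return one record per request whose URL matches the E-ZPass spam pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        u = TOLL_URL_RE.match(m.group("url"))
        if not u:
            continue
        status = int(m.group("status"))
        hits.append({
            "client": m.group("client"),
            "host": u.group("host"),
            "path": u.group("path"),
            "status": status,
            # 200 means the .zip was most likely delivered; a 404 (as several
            # commenters below saw) means the link had already died.
            "likely_download": status == 200,
        })
    return hits


def hosts_to_notify(hits):
    # Distinct compromised web hosts, for webmaster notification.
    return sorted({h["host"] for h in hits})


def clients_to_triage(hits):
    # Internal clients that most likely received the payload.
    return sorted({h["client"] for h in hits if h["likely_download"]})
```

Legitimate toll-operator traffic (the last sample line) is not flagged because the path lacks both the compromised-site prefix and the trailing "=/toll".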
Nice find, Gary. Do you know how the malware selected the city and zip? Was it random, or did it appear targeted based on your location or your toll road usage?
I found a vulnerability in the Texas equivalent of E-Z Pass - TXTAG - that could be used to create highly targeted malware such as this. The login scheme makes it very easy for someone to access accounts through brute force, which would gain an attacker access to names, home addresses, toll road usage history, email, and more. I don't have an E-Z Pass account but wonder if it has the same issues.
Here is my write-up: http://dnlongen.blogspot.com/2014/04/credit-cards-for-12-million-drivers.html
David - it is using a Geolocation service. It nailed my zipcode both at home and at work when I didn't tunnel. When I tunneled, it gave me cities and zips corresponding to where my remote server was located.
It has nothing to do with any records because I got two of them and I don't ever drive, nor does anyone in my family. Also, I didn't know what EZ Pass was, so I looked it up. It is in the eastern states, and neither I nor my family have ever even been anywhere near those states; plus, again, I am not a driver, so I believe it is just random.
I live in Australia... never heard of EZ Pass, so I looked it up. Was worried as it said debt collection, but my own travel tag is in credit. Glad I do my homework before clicking on these things.
Ok, anyone know what this malware does and how to fix it? I got fooled and it shut down my Windows XP machine and now it will only boot and allow me to log on to a blank screen. I can pull up Task Manager but cannot run explorer.exe; nothing seems to fix it. Anyone else have this problem, or better yet a fix?
Thanks Gary! I received one of these this morning. It unfortunately fooled me into clicking it, but I received a 404 connection error so I'm not sure anything happened. Should I still be concerned?
The spam link on this particular email appeared to be German? (http://www.leuchtkasten.de/) followed by a long path - I assume to be the query string?
What should I do if I already replied to it?
Hi Gary. The happymaree.com.au link is the unused (and mostly forgotten about) website for our cafe in Melbourne, Australia! Trying to get in touch with my friend who set up the page for us 2 years ago, but would appreciate any advice on what we should do.
Hi Gary... I too have received this email. Dummy me, I did click on the "click here"; however, when the zip file popped up, I quickly closed it. I am running my Malwarebytes now. Have I already infected my PC by just the click I did?
Mine says Agency E-ZPass Colection
I got one of these in my junk email. Funny, I live in Australia and have not driven in the USA.
So glad I don't drive! Wasn't even tempted to click on the link, and it got put, with all those 'appear in court, or case will be heard in your absence' ones, straight into the rubbish bin.
Thanks Gary, nicely done. Last time I opened one it wiped out my Windows 7 system clean, so I had to install a new OS.
I stupidly clicked on the link. It did not download anything but took me to a site that gave me the 404 message. I looked everywhere to see if there was anything downloaded but found nothing. I am freaking out. Any thoughts?
Just had the same email originating from E-ZPass Service Center refund@lincolndisco.com, reporting that I had not paid a toll.
Any fixes for this yet? I also clicked and downloaded with the same results.
They're still doing it, but the payload has a broken JavaScript file within a .zip file. The e-mail has my wife's first name and our joint e-mail address, and an "invoice number", but nothing else personalized.
Received the email below in my SPAM. Originally thought it was legit.
-----Original Message-----
From: E-ZPass Support [mailto:alfred.pearce@perfora.net]
Sent: Tuesday, September 01, 2015 8:02 AM
To: xxxxxxxxx @xxxx.com
Subject: Message has been disinfected :Indebtedness for driving on toll road
#00836201
Notice to Appear,
You have a unpaid bill for using toll road.
You are kindly asked to service your debt in the shortest time possible.
The copy of the invoice is attached to this email.
Kind regards,
Alfred Pearce,
E-ZPass Agent.