Friday, January 10, 2014

Target Database Breach "Phishing" Email leads to . . .

Several folks who also do security research called and texted and Facebook messaged today asking if we had seen "the New Target Phishing email". We're normally pretty good folks to ask about that sort of thing, since Malcovery Security has both a Spam Data Mine, which is often a good source for such messages, and our PhishIQ system. I thought if it existed to the point that there was "buzz" about it, I should have hundreds of copies. But I didn't. I had three. Kinda.

Here's what the emails actually looked like.

I'll tell you what it does in just a minute.

By the way, if you find phishing sites and aren't sure what to do with them, we LOVE collecting phish! Use Malcovery's PhishIQ Report Phish page to send us any links!

Target Gift Card Spam

When I ran my search, I found all of the "normal" Target spam. Spammers love to use the Target brand to convince people to give up their personal contact information through the "Impossible to get Gift Card" scam.

We've blogged about Gift Card spam and related malware on several occasions including:

  • Cyber Monday 2010 - when we warned about scams using Victoria's Secret and Olive Garden gift cards. In that scam you have to complete a series of "tasks" in order to earn your gift card, after going through several steps where you think you have "won" something. The final tasks back then were things like "Stay three nights in a Red Horse Inn hotel's luxury suite" or "buy a new car from General Motors!" but LONG before you found out about those tasks, the criminals already had your email, home address, cell phone number, and your agreement to let them share that data with other marketing firms.

  • A Day in the Life of Spam (2009) - in that blog I tried to fully categorize 10,583 spam messages received on October 4, 2009. 28 of the emails were "Giveaway gotchas" -- gift cards, plane tickets, cell phones, laptops that you had "won" if you would just perform some tasks.

  • We also told you about the Member Source Media LLC case where the FTC fined Chris Sommer $200,000 for running his spam scam where he sent email for "Free Products that Weren't Free".

So, today, I wasn't surprised to see spam with subjects and senders like these:

Subject | Sender name | Sender address
Share Your Opinion. Do you Love Target | Shopping Opinion | ShoppingOpinion@ramblerose.info
Share Your Opinion. Do you Love Target | Target Shopping Survey | TargetShoppingSurvey@ramblerose.info
Shopped Target Lately | ShoppingOpinion | ShoppingOpinion@ramblerose.info
Special: Snag a $100 Target Gift Card! | SavingCenterUSA | Sours@frigidfiz.com
Complete the Target Shopping Survey | ShoppingOpinion | ShoppingOpinion@ramblerose.info
Chance to Get a $100 Target Reward! Complete Sponsor Offers | SavingCenterUSA | Bakewell@frigidfiz.com
Back to School Savings - get a $100 Target Gift Card | SavingsCenterUSA | Keels@coldfiz.com

Here's what these usually look like (or at least the more high end ones):

Target Phish? Not really ...!

All of those are normal, everyday occurrences. But these caught my eye!

Alert to Target Shoppers - your identity is at risk. | Local Alert | tps0128@yahoo.com

So what happens if you click on the links in the email? Let's find out!

Here's the Fiddler capture of the redirect stream. Clicking on the link where it says "Has your identity been stolen - CLICK HERE to check the database" or where it says "CHECK TO SEE IF YOUR IDENTITY HAS BEEN STOLEN - CLICK HERE NOW!" takes you through a chain of "automatically redirected" websites:

  • www.mb01.com
  • www.maxbounty.com
  • khvx.secoptim.com
  • rewardzone.surveyblogonlne.com

All of those numbers out next to the URLs? Those are the Affiliate Codes and Redirect Codes, so the scammers can make sure to direct you to the correct scam and to make sure the right spammer gets credit for his hard work stealing your time, money, and possibly identity.
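If you want to pull that same chain out of a capture without clicking through it by hand, Fiddler (and every major browser) can export the session as a HAR file, and the redirect chain is just the sequence of 3xx Location headers inside it. The script below is an added example, not code from the original post or from Malcovery: it follows the Location headers through a HAR export, resolves relative redirects against the requesting URL, and lists the numeric and hex-looking query parameters on each hop, which is where the affiliate and click IDs live. The HAR content is constructed to mirror the hop order above (mb01.com, maxbounty.com, secoptim.com, surveyblogonlne.com); the paths and ID values in it are placeholders, not the real affiliate codes, and the "numeric or hex value means tracking ID" rule is our own heuristic.

```python
"""Reconstruct an affiliate redirect chain from a HAR export (added example)."""
import json
from urllib.parse import urljoin, urlsplit, parse_qsl


def _entry(url, status, location=None):
    """Build one minimal HAR 1.2 entry (constructed test data, not a real capture)."""
    headers = [{"name": "Location", "value": location}] if location else []
    return {"request": {"method": "GET", "url": url, "headers": []},
            "response": {"status": status, "headers": headers}}


# Constructed capture: same hop order as the Fiddler trace above, placeholder IDs.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("http://www.mb01.com/lnk.asp?o=1111&c=2222&a=3333", 302,
           "http://www.maxbounty.com/lnk.asp?o=1111&c=2222&a=3333&s=4444"),
    _entry("http://www.maxbounty.com/lnk.asp?o=1111&c=2222&a=3333&s=4444", 302,
           "http://khvx.secoptim.com/click?aid=3333&tx=deadbeefcafe0001"),
    # relative Location header: must be resolved against the requesting URL
    _entry("http://khvx.secoptim.com/click?aid=3333&tx=deadbeefcafe0001", 302, "/go/5555"),
    _entry("http://khvx.secoptim.com/go/5555", 302,
           "http://rewardzone.surveyblogonlne.com/?sid=6666"),
    _entry("http://rewardzone.surveyblogonlne.com/?sid=6666", 200),
    _entry("http://rewardzone.surveyblogonlne.com/css/site.css", 200),  # unrelated asset
]}})


def _header(headers, name):
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def redirect_chain(har, start_url):
    """Follow 3xx Location headers through the HAR entries, starting at start_url.
    Returns a list of (url, status, next_url); next_url is None at the end of
    the chain. Stops on a redirect loop or on a URL missing from the capture."""
    by_url = {e["request"]["url"]: e for e in har["log"]["entries"]}
    chain, url, seen = [], start_url, set()
    while url and url not in seen:
        seen.add(url)
        entry = by_url.get(url)
        if entry is None:                       # capture is incomplete
            chain.append((url, None, None))
            break
        status = entry["response"]["status"]
        loc = _header(entry["response"]["headers"], "Location") if 300 <= status < 400 else None
        nxt = urljoin(url, loc) if loc else None
        chain.append((url, status, nxt))
        url = nxt
    return chain


def tracking_ids(url):
    """Heuristic (our assumption, not a documented format): query values that are
    all digits or look like a hex token are the affiliate/click IDs that decide
    which scam you land on and which spammer gets paid."""
    ids = {}
    for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if v.isdigit() or (len(v) >= 12 and all(c in "0123456789abcdef" for c in v.lower())):
            ids[k] = v
    return ids


def summarize(chain):
    """One (host, status, ids) row per hop, in order."""
    return [(urlsplit(u).hostname, status, tracking_ids(u)) for u, status, _ in chain]


if __name__ == "__main__":
    har = json.loads(SAMPLE_HAR)
    start = "http://www.mb01.com/lnk.asp?o=1111&c=2222&a=3333"
    for host, status, ids in summarize(redirect_chain(har, start)):
        print(f"{str(status):>4}  {host:<35} {ids}")
```

Point it at a real export by replacing `SAMPLE_HAR` with the file contents and `start` with the URL from the email; hops whose Location points at a URL that is not in the capture show up with a status of None, which usually means the browser was redirected by JavaScript or a meta refresh rather than by an HTTP header.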

and then your "Political Opinion Survey" starts up . . .

The Fine Print

Before we go win our $1000 Shopping Voucher, make sure to read the fine print on that one . . .

rewardzone.surveyblogonlne.com is not sponsored by or affiliated with This Website. This Website has not authored, participated in, or in any way reviewed this advertisement or authorized it. The trial products offered on the last page pay this website for leads generated. *Free trial offers may require shipping and handling. See manufacturer's site for details as terms vary with offers.

You'll also want to pay special attention to

How Do We Use The Personal Information?

We may use the Personal Information for any legally permissible purpose in our sole discretion.

Ad Serving Companies

We may use third party ad networks or ad serving companies to serve advertisements on our websites. We may pass the Personal Information about you to these companies so that they can deliver targeted advertisements that they believe will be of interest to you. The information passed to these companies may include, but is not limited to, your IP address, e-mail address, name, mailing address, telephone number, date of birth, gender, and any other information you provide to us. Web pages that are served by these companies will be subject to their own applicable privacy policies, if any.

Marketing Partners

We may share, license or sell your Personal Information to third parties for various marketing purposes, including their online (e.g., e-mail marketing) and offline (e.g., telemarketing, cell phone text messaging, skip tracing, and direct mail) marketing programs.

That's just part of it, there are many additional things they can do with your data!

Back to the Survey

There was a third question, but you get the idea. I finish question 3, it congratulates me and then sends me to get my reward! Wait? Where is the Target Gift Card? Well, I guess $1,000 shopping voucher at Sears/JCPenney/Kohl's/Macy's will have to do for now. Oh! And there is only ONE remaining! I better snag that!

From our Fiddler trace, you can see that we've just been handed off from one affiliate marketing program to another. We are leaving the "rewardzone" system and heading to the "shopping-sweepstakes.com" system, with "t.afftrackr.com" making sure that everyone is going to get paid for their participation in scamming us.

So, here we go ... we said we wanted the $1,000 Sears/Macy's/Kohl's/JCPenney card, so we choose one and start our NEXT survey

After it "calculated my eligibility" it asked me for my email address. I accidentally hit "Back" then and now it is begging me not to go!

Oh goodie! More prizes! Hey? Wasn't I supposed to be getting $1,000 from JCPenney? I just got a big pay cut for all my hard work here. But that's cool, I shop at WalMart too. I'll take the $150 Walmart card, I guess . . . Oh. Actually, our Fiddler trace tells us that we've swapped systems again: we're now at www.marktflow.com.

But wait! We ALWAYS read the fine print!

Got that? You must complete 2 silver, 2 gold, and 8 platinum offers ... WITHIN ONE CALENDAR DAY! So, it's 6:00 PM for me now, so I have 6 hours to do all the offers, or I get NOTHING.

In case the website goes down later, here's a local copy of some of the "example offers" that you have to finish TODAY!

OK? Let the Privacy Rape Begin!

Here comes the personal information extract . . . first, we're going to need a PHONE NUMBER, EMAIL, BIRTHDATE, and GENDER. Why? Because $150 Walmart Gift Card, that's why!

OK, you get the point. . . I have 13 more questions to go . . . see the Progress Bar? We are SO CLOSE to getting our gift card! Let's skip through the rest of the questions for now, but ask yourself, "what is likely to happen now that I've told these people that I have a house, a car, I'm planning to move, I like to go on vacation, I have a pet, an active checking account, and at least $15,000 in debt, as well as the next 13 questions . . .

  • Are you currently employed full time?
  • Are you interested in continuing your education?
  • Do you have health insurance?
  • Do you ever pay out of pocket for prescription drugs?
  • Do you smoke?
  • Does anyone at your home suffer from Asthma?
  • Back Pain?
  • Diabetes?
  • Joint Pain?
  • Sleep Apnea?
  • Anxiety or Depression?
  • Have you had a colonoscopy?

Remember. This guy has your email address and your telephone number. Whew! At least our 20 questions are done, right?

And then we start getting all the pop-up offers!

Wait! My home address? My birthday? Oh yeah, I forgot...they have to ship me my Gift Card, so of COURSE they need my home address! Duh!

Just in case though, it might be worth noting in Fiddler that we are no longer talking to MarktFlow. Through T.AffTrackr.com (passing along the credit so the right scammers keep getting paid) we are now seeing offers from "www.offersfromqh.com" associated with "www.qualityhealth.com".

FINALLY! All I have to do is confirm my Email Address (I gave them a valid email: privacyrape@gmail.com wonder if it will start getting spam?) and now I will have my card! It says right there this is the Last Step, right?

Not quite. "YOU MUST INSTALL TO CONTINUE?" What am I installing?

My favorite part there, see the part where it says "I want to earn points for searching the web?" Make ShopAtHome.com my Default Search Provider. Make ShopAtHome.com my Default New Tab. (So, every time your browser opens a new tab, you reload the ShopAtHome.com website. How convenient!)

NOW, All I have to do it complete those 2 Silver, 2 Gold and 8 Platinum offers!

So, I have to EITHER buy a set of Santoku Cooking Knives, (which I can return and keep one $100 knife for FREE!) or sign up for CreditReport.com. I already have a Credit Report service, so I guess I'll buy the knives. That's one down!

Now I can either get Vitamins (don't believe in them), Dr. Seuss Book Club (don't have kids at home), Amora Coffee (I drink Starbucks and already have a local roaster's coffee delivered to the house), a Hunting Knife (I don't hunt), Disney Movie Club (no kids at home), or M-Go Movie Rentals (I already have NetFlix AND Hulu). Hmmm. $150 Walmart Gift Card though ... Shoot. I guess I'll buy some Dr. Seuss books for my nieces.

Wait ... The Gold Offers are mostly the Silver offers I didn't want! And I have to buy TWO of them! I can choose from M-Go movie rentals, a Non-stick ceramic skillet (only $79.95), Dr. Seuss book club sign-up, Disney Movie Club sign up, Sedona Beauty products sign up, or Amora Coffee sign up. Well, I don't have kids at home, and already have NetFlix, I'm already beautiful, and I already have coffee delivered to the house, so I guess I go for the Ceramic Skillet. Cool! It comes with free scissors! ($79.95 plus shipping) and . . . shoot I guess you can never have too much coffee!

Wait. I have to do EIGHT Platinum Offers?? Hmmm... I already bought the knives as my Silver, so I guess I buy the MuscleXLerator, because $150 Walmart Gift Card, and . . .

Oh heck. I'll take the Free Hunting Knife, Sign up from Freester.com, Get ProtectMyID by Experian (don't you wonder if these companies know so many of their referrals are from criminals? I wonder if they care?) Pimsleur Language Learning, because my Rosetta Stone has been on my shelf for two full years and I still can't speak Mandarin, (speaking of heavily spam-advertised products! Pimsleur! Shame on you!) How many is that . . . Shoot. I still need three more.

Well? I guess I'll get ActionProWhite teeth Whitener so I can have that inhuman glow in the dark smile, Join the Disney Movie Club (I can cancel at any time) and well, I do have a lot of wrinkles around my eyes, but that's because I smile so much. Come on Sedona Beauty Secrets!

NOW THAT, Ladies and Gentlemen, is How you get a Free $1000 Target Gift Card, except they actually plan to give me a $150 WalMart gift card instead . . . *IF* I complete 2 Silver, 2 Gold, and 8 Platinum tasks.

$1000 Target Gift Card? Tell the Spammers No Thank You!

Tuesday, January 07, 2014

Zeus Financial Crime Malware targets Credit Unions and smaller banks

A trend that we've been seeing in both phishing and malware is that criminals are beginning to aim lower in the Financial services market. While it is still true that some of the biggest financial institutions are regularly targeted by phishing and malware, there is an increasing trend in targeting SMALLER institutions as well. But are smaller institutions worth the effort? They are when the criminals can do a targeted delivery, *OR* when the small brand is actually a representative of a group of brands all serviced by the same Financial Services Company's platform.

Small brands in Zeus

At Malcovery Security our malware analysts review malware that is being distributed via spam email messages on a daily basis. Quite often the malware is related to financial crimes, such as the Zeus malware, which has multiple vectors of attack. It is important to note that while Zeus is a financial crimes trojan, stealing userids and passwords and enabling advanced attacks on your bank account, Zeus is ALSO a "backdoor" allowing criminals to take full control of your computer at any time, and ALSO a means for delivering additional malware. For example, in today's spam messages imitating Wells Fargo bank sending you "Important Bank Documents", which we received over 4500 times in the Malcovery Spam Data Mine, recipients who opened the attached "Bank Documents" would really have been opening a malware downloader (current detection: 14 of 47 at VirusTotal) that would download Zeus malware (currently detected by 10 of 47 AV products at VirusTotal), which would update itself to a less detectable version of Zeus (5 of 47 detections) and then download CryptoLocker.

While Zeus captures pretty much all userids and passwords, it can be tuned to pay special attention to certain banks: its configuration carries a list of URL substrings (masks), and the bot compares every URL your browser visits against that list. If you visit a URL that matches one of these "targeted" strings, Zeus might be instructed to send the criminal a screenshot every time you click your mouse, to send the criminal all of the contents of your web forms, or even to inject a prompt asking you for your two-factor authentication code. We can learn what the criminals are targeting by grabbing those URL substrings out of memory (the configuration is decrypted once the bot is running) and comparing them to URL substrings we've seen in other instances of Zeus.

On December 27, 2013, Malcovery's "Today's Top Threat" featured report was about a spam message that claimed to have an attached VoiceMail for you to listen to. Similar to today's malware distribution, a small Dropper/Downloader was used to download a copy of Zeus (in this case from the domains oilwellme.com and mistubishidehumidifiers.co.uk). (VirusTotal report - 11 of 48 AV products detected this at the time of our report.)

When we dumped memory for that copy of Zeus, we were surprised to see a very long list of Credit Unions! Please be sure to understand that we are not saying Zeus does not target "big banks" -- we still see the ANZ, Barclays, BBVA, BMO, CapitalOne, Chase, Citi, Discover, HSBC,

Police Credit Union - www.policecu.com.au
SGE Credit Union - cuviewpoint.net/mvpsge/
Swan Hill Credit Union - cuviewpoint.net/mvpstmarys/
Woolworths Employees Credit Union
Encompass Transport Credit Union - ibank.encompasscu.com.au
Family First Credit Union - cuviewpoint.net/mvpfamilyfirst/
Goulburn Murray Credit Union - www.policecu.com.au

I've pictured just a few of the targeted Credit Unions above, but there were more than FORTY credit unions just targeted in that single version of Zeus!

In today's "Wells Fargo Spam" version of Zeus, we had several other small brands targeted:

Vancouver City Savings Credit Bank - vancity.com
Jefferson Bank of Missouri - jefferson-bank.com
Nashville Citizens Bank - nashvillecitizensbank.com
Elan Financial Services - myaccountaccess.com
First Data StatementLook - statementlook.com

Why are small brands targeted? Sometimes it may be because the malware delivery has been targeted to a particular geographic location where the small bank is prominent. More likely, it is because the criminals have some local resource in that location that is able to assist with money muling and "cashing out" compromised accounts.

Elan Financial Services is an interesting one. By targeting this portal, the criminals may be able to reach the 1600 banks and 400 credit unions that a financial services company such as Elan may service through it. First Data's StatementLook service is another target in today's sample; it is an EBPP (Electronic Bill Presentment and Payment) service that lets many smaller boutique credit card providers off-load the electronic banking aspects of their service to a central location. Many other online banking and financial services portals for smaller banks and credit unions can also be found from time to time in the Zeus malware configuration files (also known as ".BIN" files). For example, many small banks use the "NetTeller" service, or "MyCardStatement.com", or other types of integration services, such as "FundsDirect.co.uk", which is a front end to 2300 different investment funds, all of which are also targeted by today's Zeus.

Small Banks as Phishing Targets

Of course it isn't just malware that is beginning to target smaller banks. Last year was a record-breaking year for the number of phishing sites that were seen by Malcovery -- more than 700 different brands were targeted! Some of the smaller brands that we've seen over the last year included not only Banks, but also Credit Unions, and even regional Cable systems!

First Convenience Bank (Texas) - with phishing servers in Iran
First Niagara Financial Group - with phishing servers in Pakistan
Buckeye Cable Systems - with phishing servers in Poland and Sweden

Monday, January 06, 2014

Yahoo Malware, additional data based on Fox-IT report

This weekend on the news, or perhaps Monday morning on NPR, you heard that the popular Yahoo domain has been targeted by criminals who pushed malicious advertisements through their services to unsuspecting victims. This technique, generally known as "malvertising", works because advertisement hosters, such as Yahoo, Microsoft, and Google, run deep networks of ads that pull in third party content, which can itself pull in third party content, through many links down an increasingly untrustworthy and untraceable chain. This is nothing new, but is still concerning after at least five years worth of investigations into how to protect ad networks better.

The famous "DNS Changer" case that was featured on the FBI's website in the story Case against Internet fraud ring reveals millions unknowingly affected worldwide actually began when criminals were using such malicious ads to push Fake Antivirus malware to a variety of high profile websites, including the New York Times, which explained its own breach in this September 2009 story, Advertising - On the Web, Ads Can Be a Security Hole.

In the current Yahoo campaign, it was the excellent researchers at Fox-IT in the Netherlands who broke the news. Their story, Malicious advertisements served via Yahoo showed some key information about what was going on.

One very important difference between what you are hearing on the news and reality ... NO ONE HAD TO CLICK the ads in order to be infected. Because the ad contained an IFRAME whose content issued a REDIRECT, simply having the ad rendered by your browser was enough to send it to the Exploit Kit. Over 300,000 computers per hour were visiting the Exploit Kit, and roughly 9% of them, 27,000 per hour, were actually infected with malware as a result of the visit. Those are very acceptable numbers in the malware distribution world. (Visit and infection rates are based on Fox-IT's analysis of the destination server hosted in the Netherlands.)

Basically, some of the advertisements that appeared through Yahoo's ad network contained an IFRAME. An IFRAME is an HTML element that says "go get some content from this OTHER website, and display it as part of what is being shown here." According to Fox-IT's article, some of the domains where the IFRAME content was hosted included:

  • blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
  • slaponitkons.net (192.133.137.100), registered on 1 Jan 2014
  • origina-filmsonline.com (192.133.137.63)
  • funnyboobsonline.org (192.133.137.247)
  • yagerass.org (192.133.137.56)

Magnitude Exploit Kit

Their article also says that the IFRAME would redirect the computer to a copy of an Exploit Kit known as "Magnitude" by issuing an HTTP REDIRECT statement. You may be familiar with the most famous Exploit Kit in history, the Blackhole Exploit Kit. Back in December this blog ran a story Paunch and the Black Hole / Cool EK Exploit Kit that discussed the fact that the criminals behind that kit have finally been apprehended, and that since their arrest in October, there had been a marked decline in Exploit Kit-based infections.

During my "Malcovery Security Year in Review 2013" webinar (recording available here), one of my predictions was "Prediction #6: Malicious Email Innovators will expand into the vacuum left by Black Hole Exploit arrests". We'll be watching the Magnitude Exploit Kit to see if it can rise to that level.

One reason to believe that Magnitude may dominate this space is to look at where known cybercriminals moved their business after the demise of the BlackHole Exploit Kit. BlackHole was actually one of TWO Exploit Kits run by Paunch. The "premium" kit was called "Cool EK" and delivered zero-day (0-day) exploits that were not publicly available anywhere else. After the zero-days became publicly disclosed, Paunch would push those exploits down to the lower cost and more common BlackHole Exploit Kit. The primary buyers of the Cool EK throughout the summer were the criminals behind Reveton, also known as "Police Lock Ransomware".

One of the early uses of the Magnitude EK was disclosed on the website "kahusecurity", in their article Deobfuscating Magnitude Exploit Kit. The analysis shows that Magnitude was pushing very new zero-day exploits, and more interestingly, the end-game of the infection was to install the Reveton "Police Lock" ransomware!


(Click image to visit the KahuSecurity report on Magnitude EK)

This is also not the first time that the Magnitude Exploit Kit has been associated with a high-profile website "drive-by infection". Our friend Fabio Assolini, of Kaspersky Security, confirmed that PHP.net, the official website of PHP, was actually injected with a malicious iframe that pointed to the Magnitude Exploit Kit and infected visitors with the Tepfer Trojan (which is better known in some circles as Papras). Here's his tweet (thanks to KahuSecurity for the link):

Other great analysis links for understanding Magnitude EK include:

Magnitude used in ADP Spam

We certainly agree with ProofPoint and Dell on their assertion that Cutwail is using Magnitude. While Reveton was a primary user of the Cool EK, the heaviest users of the BlackHole EK were the malware spammers behind Cutwail. One example of Cutwail using Magnitude would be the October 22, 2013 ADP Payroll spam campaign. In that campaign, Malcovery's T3 Report customers would have been warned of spam messages with subjects "ADP payroll: Account Charge Alert" and "ADP RUN: Account Charge Alert" where URLs on compromised WordPress sites, including cinematracks.com, campwow.com, ceo-interviews.com, and businessblogtechs.com, were being used to send visitors to the Magnitude EK site abrakandabr.ru to retrieve "adp.report.php" from port 8080. Just as in this weekend's Yahoo exploit, the primary infection method was a hostile ".jar" file dropped from the Exploit Kit. On October 22, 2013, the ADP spam campaign's Magnitude server dropped the jar file we reported to VirusTotal in this report, which when last scanned was detected as hostile by 6 of 47 antivirus vendors.

Check Your Logs for . . .

Fox-IT lists that there were several "seemingly random subdomains" on the following domains that were used in the redirection, which they list as:

  • boxsdiscussing.net
  • crisisreverse.net
  • limitingbeyond.net
  • and others

Based on some research that I've done in the Internet Identity Passive DNS Research platform, I was able to find those names ... here are some examples:

201214.yqs.lucd.ici.ptwd.ivntyzjdlzuk.boxsdiscussing.net
201211.ef.ivntyzjdlzuk.boxsdiscussing.net
201116.vbnf.mkr.ovei.zza.cgu.ivntyzjdlzuk.boxsdiscussing.net
201214.rcfg.bgy.tej.veae.juv.ivntyzjdlzuk.boxsdiscussing.net
201311.leo.dx.ivntyzjdlzuk.boxsdiscussing.net
201115.fe.srqe.sbisakxivel.boxsdiscussing.net
2018.xfi.eah.mhi.sbisakxivel.boxsdiscussing.net
201311.zn.sbisakxivel.boxsdiscussing.net
201216.ehp.sbisakxivel.boxsdiscussing.net
201216.rmji.kjm.hrp.xpex.sbisakxivel.boxsdiscussing.net
201115.obw.wx.sbisakxivel.boxsdiscussing.net
201116.bomw.tswi.vpzy.ir.kqdy.sbisakxivel.boxsdiscussing.net

201311.qw.wvtj.cb.eveourvczt.crisisreverse.net
201311.hrph.sqee.zo.eveourvczt.crisisreverse.net
201118.bfcq.eveourvczt.crisisreverse.net
201116.sp.xdq.xwgt.vqna.ms.eveourvczt.crisisreverse.net
201311.zjn.ejh.rws.hwhd.twiurmgmvw.crisisreverse.net
201116.zllf.zj.lbz.be.twiurmgmvw.crisisreverse.net
201216.udi.wke.twiurmgmvw.crisisreverse.net
201311.nez.uj.kbwc.atk.pbgu.twiurmgmvw.crisisreverse.net
201214.quqc.gm.rf.we.tg.fmpryuyqoz.crisisreverse.net
201311.mak.fmpryuyqoz.crisisreverse.net
201311.nsm.fmpryuyqoz.crisisreverse.net
201311.zm.fmpryuyqoz.crisisreverse.net
201115.ysw.fmpryuyqoz.crisisreverse.net

201115.eoju.zqlj.ze.tt.cmxf.paftwtdqc.limitingbeyond.net
201116.pg.paftwtdqc.limitingbeyond.net
201115.pz.rbnq.rwg.paftwtdqc.limitingbeyond.net
201210.xm.sym.paftwtdqc.limitingbeyond.net
201111.bao.paftwtdqc.limitingbeyond.net
201116.wi.tdc.xgx.jfuo.paftwtdqc.limitingbeyond.net
201514.pbcp.paftwtdqc.limitingbeyond.net
201214.aeo.nwfn.cbpz.efs.paftwtdqc.limitingbeyond.net
201216.yjg.ynnu.paftwtdqc.limitingbeyond.net
201210.yu.paftwtdqc.limitingbeyond.net
201116.jy.ek.tma.fuiv.paftwtdqc.limitingbeyond.net
201116.fo.hea.dyu.wqi.cnsw.paftwtdqc.limitingbeyond.net
201514.fwsj.qygk.dmd.bia.vhy.paftwtdqc.limitingbeyond.net
201214.nsnz.paftwtdqc.limitingbeyond.net

In addition to the domains listed by Fox-IT, we were able to confirm these additional domains, which all used the same hostname/subdomain patterns, and all resolved to the same IP address, 193.169.245.78.

  • boxsdiscussing.net
  • chapterwild.net
  • crisisreverse.net
  • elsecommenting.net
  • farmtrains.net
  • federalpoet.net
  • irritatedpound.net
  • layfriend.net
  • liechecks.net
  • limitingbeyond.net
  • suggestsfilm.net

One example of each of those hostname/subdomain patterns for each of those domains, all observed in the IID Passive DNS collection resolving to 193.169.245.78, are given here:

  • 201311.koha.uue.vwm.swp.cfmg.buosehgr.boxsdiscussing.net
  • 201311.et.ck.fsc.gjwa.dh.acirtcbrjmcm.chapterwild.net
  • 201116.sp.xdq.xwgt.vqna.ms.eveourvczt.crisisreverse.net
  • 201214.ups.xwo.jrw.hoy.bmm.bhzoahcvhbv.elsecommenting.net
  • 201210.kyy.qfw.qji.lg.agw.douvcaghuuh.farmtrains.net
  • 201214.lu.oqkt.vu.qfmw.xsyn.gjsjixxiskxe.federalpoet.net
  • 201116.ivfi.pmar.vv.hw.fvyg.aicnkapom.irritatedpound.net
  • 201116.gp.hnpd.lwp.nv.aj.armlnjjyot.layfriend.net
  • 201210.uzb.cavs.bqkw.kpou.cwp.blenzspz.liechecks.net
  • 201210.bigc.opt.jcov.widl.hpv.duohlqzrzqw.limitingbeyond.net
  • 201116.jjia.wo.nmf.chl.sog.gvkqjqvzf.suggestsfilm.net
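The lists above are only useful if someone actually runs them against a proxy or DNS log, and the hostname shape is worth matching on its own, since the criminals can register new domains faster than anyone can publish them. The script below is an added example, not code from the original post, from Fox-IT or from IID: it classifies each logged hostname as a known redirector domain, a known IFRAME-hosting domain, a hostname matching the observed shape (4-6 leading digits, one to five short labels of 2-4 letters, one 8-12 letter label, then the registered domain), or a connection to one of the listed IP addresses. The indicator lists are copied from the text above; treating the hostname shape as a general signature is our assumption, and the log lines it scans are constructed ('<timestamp> <client> <server_ip> <url>'), so adapt the line parser to your own proxy format.

```python
"""Flag Yahoo/Magnitude redirector traffic in a proxy log (added example)."""
import re
from urllib.parse import urlsplit

# Redirector domains: Fox-IT's list plus the passive-DNS confirmations above.
REDIRECTOR_DOMAINS = {
    "boxsdiscussing.net", "chapterwild.net", "crisisreverse.net", "elsecommenting.net",
    "farmtrains.net", "federalpoet.net", "irritatedpound.net", "layfriend.net",
    "liechecks.net", "limitingbeyond.net", "suggestsfilm.net",
}
# Domains that hosted the IFRAME content, per Fox-IT.
IFRAME_DOMAINS = {"blistartoncom.org", "slaponitkons.net", "origina-filmsonline.com",
                  "funnyboobsonline.org", "yagerass.org"}
BAD_IPS = {"193.169.245.78", "192.133.137.59", "192.133.137.100",
           "192.133.137.63", "192.133.137.247", "192.133.137.56"}

# Hostname shape seen in the passive-DNS examples. Using it as a general
# signature for as-yet-unlisted domains is our assumption.
SUBDOMAIN_SHAPE = re.compile(
    r"^\d{4,6}(?:\.[a-z]{2,4}){1,5}\.[a-z]{8,12}\.[a-z0-9-]+\.[a-z]{2,6}$")


def registered_domain(host: str) -> str:
    """Last two labels; good enough for the .net/.org/.com names in play here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host: str):
    """Reason string if the hostname is suspect, else None."""
    host = host.lower().rstrip(".")
    dom = registered_domain(host)
    if dom in REDIRECTOR_DOMAINS:
        return "known-redirector-domain"
    if dom in IFRAME_DOMAINS:
        return "known-iframe-domain"
    if SUBDOMAIN_SHAPE.match(host):
        return "redirector-shape"
    return None


# Constructed log format: '<timestamp> <client> <server_ip> <url>'.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<server>\S+)\s+(?P<url>\S+)")


def scan_log(lines):
    """Return (client, host, reason) for every suspect line; skip unparsable lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        reason = classify_host(host)
        if reason is None and m["server"] in BAD_IPS:
            reason = "known-bad-ip"
        if reason:
            hits.append((m["client"], host, reason))
    return hits


# Constructed sample log. Client and benign server addresses are private /
# documentation ranges; the hostile hosts and IPs come from the lists above.
SAMPLE_LOG = [
    "2014-01-03T15:02:11Z 10.1.2.30 203.0.113.5 http://www.yahoo.com/",
    "2014-01-03T15:02:12Z 10.1.2.30 192.133.137.59 http://blistartoncom.org/ad/show?id=1",
    "2014-01-03T15:02:12Z 10.1.2.30 193.169.245.78 "
    "http://201214.yqs.lucd.ici.ptwd.ivntyzjdlzuk.boxsdiscussing.net/",
    "2014-01-03T15:02:13Z 10.1.2.31 193.169.245.78 "
    "http://201116.ab.cdef.gh.qrstuvwxyz.notlistedyet.net/",
    "2014-01-03T15:02:14Z 10.1.2.32 193.169.245.78 http://cdn.example.com/x.js",
    "2014-01-03T15:02:15Z 10.1.2.33 203.0.113.9 http://201311.example.com/",
    "malformed line",
]

if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG):
        print(f"{client:<12} {reason:<25} {host}")
```

The fourth sample line is the interesting one: its domain is on no list, but the hostname shape alone flags it, which is what you want when the same infrastructure shows up behind a freshly registered name. Expect some false positives from the shape rule on large CDNs that use numeric-leading hostnames, so review those hits rather than blocking on them automatically.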

Fox-IT illustrates the Infection Flow

Please visit the excellent post by Fox-IT to read their analysis, but I've borrowed their graphic from there as a better way to show the traffic flow.
(click graphic to visit original article)