Tuesday, March 26, 2013

Fake FedEx Phishing Zbot


URL Query Examples:
http://urlquery.net/search.php?q=fedex_trk&type=string&start=2013-03-11&end=2013-03-26&max=50


Date (CET)           Alerts / IDS  URL                                                              IP
2013-03-26 16:38:29  0 / 0         http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip  208.109.227.206
2013-03-26 10:18:09  0 / 1         http://ilconline.org/images/fedex_trk_61293150511865307217.zip   208.109.138.8
2013-03-25 17:26:17  0 / 1         http://ilconline.org/images/fedex_trk_61293150511865307217.zip   208.109.138.8
2013-03-25 15:32:11  0 / 1         http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip  72.167.183.50
2013-03-25 15:26:38  0 / 1         http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip  72.167.183.50
2013-03-25 15:21:55  0 / 1         http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip  72.167.183.50
2013-03-25 15:18:27  0 / 1         http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip  72.167.183.50
2013-03-25 15:12:23  0 / 0         http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip  72.167.183.50
2013-03-25 15:10:29  0 / 1         http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip  72.167.183.50
2013-03-25 15:01:10  0 / 0         http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip  72.167.183.50
2013-03-25 14:59:39  0 / 1         http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip  72.167.183.50
2013-03-25 14:47:02  0 / 1         http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip  72.167.183.50

Got get it

Offending Hosts:
178.175.139.47  Taken down
213.57.77.220   Taken down
hotels2013.org
adverts2013.org
yamaha-motor2013.com

UPDATE: Callback:

Date (CET)           Alerts / IDS  URL                                                 IP
2013-03-31 11:57:12  0 / 1         http://adverts2013.com/pmserver/get.php             213.57.77.220
2013-03-30 19:26:22  0 / 1         http://geographic-channel.com/pmserver/browse.php   213.57.77.220
2013-03-30 19:26:09  0 / 1         http://geographic-channel.com/pmserver/browse.php   213.57.77.220
2013-03-30 19:22:41  0 / 1         http://hotels2013.org/pmserver/browse.php           213.57.77.220
2013-03-30 19:22:38  0 / 1         http://hotels2013.org/pmserver/browse.php           213.57.77.220
2013-03-29 17:55:07  0 / 1         http://printing-offices.com/pmserver/backget.php    213.57.77.220
2013-03-28 14:14:10  0 / 0         http://geographic-channel.com/pmserver/browse.php   213.57.77.220
2013-03-28 08:12:55  0 / 0         http://hotels2013.org/pmserver/browse.php           213.57.77.220
2013-03-27 17:57:39  0 / 0         http://adverts2013.com/pmserver/get.php             213.57.77.220
2013-03-27 16:48:43  0 / 0         http://hotels2013.org/pmserver/browse.php           213.57.77.220
2013-03-27 16:45:52  0 / 0         http://adverts2013.com/pmserver/get.php             213.57.77.220
2013-03-27 14:31:09  0 / 0         http://powersock2014.com/pmserver/file.php          213.57.77.220
2013-03-27 14:22:58  0 / 0         http://printing-offices.com/pmserver/get.php        213.57.77.220
2013-03-27 14:18:14  0 / 0         http://printing-offices.com/pmserver/backget.php    213.57.77.220
2013-03-27 13:59:13  0 / 0         http://hotels2013.org/pmserver/browse.php           213.57.77.220
2013-03-27 07:49:40  0 / 0         http://adverts2013.com/pmserver/get.php             213.57.77.220
2013-03-27 04:33:37  0 / 0         http://adverts2013.com/pmserver/get.php             213.57.77.220


PORT    STATE    SERVICE      VERSION
22/tcp  open     ssh          OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
80/tcp  open     http         nginx 1.2.7



inetnum:        178.175.139.32 - 178.175.139.63
netname:        VPSCORNER-NET
descr:          VPSCorner
country:        MD
admin-c:        CC11822-RIPE
tech-c:         CC11822-RIPE
status:         ASSIGNED PA
mnt-by:         TRABIA-MNT
changed:        noc@trabia.net 20130318
source:         RIPE


Submitted.

Web Traffic:

POST /pmserver/browse.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: hotels2013.org
Content-Length: 119
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.2.7
Date: Tue, 26 Mar 2013 13:29:45 GMT
Content-Type: application/octet-stream
Content-Length: 26704
Connection: keep-alive
X-Powered-By: PHP/5.3.23-1~dotdeb.0
Cache-Control: public
Content-Disposition: attachment; filename="%2e/files/ftc.jpg"
Content-Transfer-Encoding: binary





POST /pmserver/get.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: adverts2013.com
Content-Length: 380
Connection: Keep-Alive
Cache-Control: no-cache



HTTP/1.1 200 OK
Server: nginx/1.2.7
Date: Tue, 26 Mar 2013 13:30:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive





POST /pmserver/get.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: adverts2013.com
Content-Length: 253
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.2.7
Date: Tue, 26 Mar 2013 13:30:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.23-1~dotdeb.0






VirusTotal:

SHA256:          98a822051873c177dd4af1c387754abba8ad510ec38edb807fc0a42e2cacb1c8
File name:       pon.exe
Detection ratio: 4 / 45
Analysis date:   2013-03-26 16:12:47 UTC
https://www.virustotal.com/en/file/98a822051873c177dd4af1c387754abba8ad510ec38edb807fc0a42e2cacb1c8/analysis/1364314367/

SHA256:          fd7868f90757f63a092220a06f28ec2e500358d23c0ba6aae13bc61ff3b14ecc
File name:       fedex_trk_61293150511865307217.scr
Detection ratio: 8 / 46
Analysis date:   2013-03-26 01:49:15 UTC
https://www.virustotal.com/en/file/fd7868f90757f63a092220a06f28ec2e500358d23c0ba6aae13bc61ff3b14ecc/analysis/

SHA256:          f10596fca058a7303c9d1c38ba54b84b8d535e680a26c17de6703888f23e7154
File name:       alfasp1alfa3.exe
Detection ratio: 6 / 44
Analysis date:   2013-03-26 16:08:45 UTC
https://www.virustotal.com/en/file/f10596fca058a7303c9d1c38ba54b84b8d535e680a26c17de6703888f23e7154/analysis/1364314125/