MySpace subject to phishing campaign

Social networks are often subject to phishing, and today MySpace is the target. MX Lab intercepted messages from MySpace <message-*********@message.myspace.com>, where * stands for a random combination of letters and numbers. The From address is obviously spoofed.

The body of the email:

Dear MySpace user!

Please be informed that you are required to update your MySpace account.

Please update your MySpace account by clicking here:

hxxp://accounts.myspace.com.iuuuujef.co.uk/msp/index.php?fuseaction=update&code=5A3TCE-JA3T2OSOJ1-AT2LKB0WNLB0-SMSWSGFPGEL97-0JHN4840QT&email=****@*******.co.uk

If you’re unable to click on the link above, copy and paste it into your browser’s address bar.

————————-

At MySpace we care about your privacy. This email is never sent unsolicited.

If you think you’ve received this email in error, or if you have any questions or concerns regarding your privacy, please contact us at:

privacy@myspace.com

MySpace, Inc.
8391 Beverly Blvd. #349
Los Angeles, CA 90048
USA

©2003-2009 MySpace.com. All Rights Reserved.

The domains used are fast-flux domains, intended to evade Intent Analysis. The domain in this case is registered with the following details:

Domain name:

         iuuuujef.co.uk

     Registrant:
         Joe Tentpeg

     Registrant type:
         Non-UK Individual

     Registrant's address:
         5556 Butt hole Court
         Bum diddle
         66545
         Belgium

     Registrar:
         Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
         URL: http://www.123-reg.co.uk

     Relevant dates:
         Registered on: 09-Nov-2009
         Renewal date:  09-Nov-2011
         Last updated:  10-Nov-2009

     Registration status:
         Registration request being processed.

     Name servers:
         No name servers listed.

     WHOIS lookup made at 11:19:48 10-Nov-2009

When we performed WHOIS lookups for the other domains involved we noticed some irregularities. The registrant name differs each time, but the address does not fit at all: the zip code does not match the country, since Belgian zip codes consist of 4 digits. We can assume that the registrant used different details for each registration in order to avoid detection by the registrar.
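Two checks a mail filter could apply to the phish above, as an added example that is not MX Lab's own code: does the brand name appear only as a subdomain label of some other registrable domain (accounts.myspace.com.iuuuujef.co.uk is owned by iuuuujef.co.uk, not by MySpace), and does the WHOIS postal code fit the stated country? The suffix list, brand list and postal-code patterns are simplified assumptions, not the real Public Suffix List, and the check generalizes to any brand used as a subdomain label.

```python
"""Triage checks for the brand-in-subdomain phishing URL and the implausible
WHOIS postal code discussed above. Added illustration, not MX Lab's code."""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes under which a
# registrant buys a name one label deeper (so iuuuujef.co.uk, not co.uk).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# Brands worth watching and the registrable domains they really use (assumed).
BRAND_DOMAINS = {
    "myspace": {"myspace.com"},
    "facebook": {"facebook.com"},
    "paypal": {"paypal.com"},
}

# Postal-code shapes per country; Belgian codes are exactly four digits.
POSTAL_CODE_RE = {
    "belgium": r"\d{4}",
    "netherlands": r"\d{4} ?[A-Z]{2}",
    "united kingdom": r"[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}",
}


def registrable_domain(host):
    """Return the part of the host that a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_impersonation(url):
    """Return the impersonated brand when a brand name is a host label but the
    registrable domain is not one of that brand's own domains; else None."""
    url = url.replace("hxxp", "http", 1)            # accept defanged URLs
    host = (urlsplit(url).hostname or "").lower()
    owner = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host.split(".") and owner not in legit:
            return brand
    return None


def postal_code_plausible(code, country):
    """True/False for countries whose format is known, None for the rest."""
    pattern = POSTAL_CODE_RE.get(country.strip().lower())
    if pattern is None:
        return None
    return re.fullmatch(pattern, code.strip().upper()) is not None


if __name__ == "__main__":
    # Sample values taken from the phish and WHOIS record quoted above.
    phish = "hxxp://accounts.myspace.com.iuuuujef.co.uk/msp/index.php?fuseaction=update"
    print(registrable_domain("accounts.myspace.com.iuuuujef.co.uk"))  # iuuuujef.co.uk
    print(brand_impersonation(phish))                                 # myspace
    print(postal_code_plausible("66545", "Belgium"))                  # False
```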

DHL Tracking Number 3YMH6JJY contains trojan

MX Lab intercepted a large number of emails with the subject “DHL Tracking Number 3YMH6JJY” containing the trojan detected as TrojanDownloader:Win32/Cutwail.gen!C (Microsoft), Trojan.Kobka.E (GData), SHeur2.BQSN (AVG) or Troj/Agent-LQA (Sophos).

The contents of the email:

Dear customer!

The courier company was not able to deliver your parcel to your address.

You may pick up the parcel at our post office personally.

The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Thank you for your attention.
DHL Express Services.

The attachment is named 3YMH6JJY.zip and contains the file 3YMH6JJY.exe, 56 kB in size. The threat has the characteristics of ZBot, a trojan that disables the firewall, steals sensitive financial data, makes screen snapshots, downloads additional components and provides the attacker with remote access to the compromised system. The trojan can also communicate with remote SMTP servers to send out emails.

The following files are created:

c:\2.tmp
c:\6.tmp
%AppData%\wiaservg.log
%Temp%\2515696084.exe
%Temp%\b2jp5k.exe
%Temp%\debug.exe
%Temp%\services.exe
%Temp%\svchost.exe
%Temp%\taskmgr.exe
%Temp%\win32.exe
%Temp%\winamp.exe
%Temp%\g260h.exe
%Temp%\habnf88jkefh87ifiks.tmp
%Temp%\jisfije9fjoiee.tmp
%Temp%\ogxyx.exe
%Temp%\pskfo83wijf89uwuhal8.tmp
%UserProfile%\reader_s.exe
%System%\reader_s.exe
%System%\dllcache\ndis.sys
%System%\ntos.exe
%System%\p2hhr.bat
%System%\wbem\grpconv.exe
%System%\wbem\Performance\WmiApRpl_new.ini
%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll
%System%\z7v89qurrt.dll

The following file was deleted: %System%\grpconv.exe.
The following file was modified: %System%\drivers\ndis.sys.
The following directory was created: %System%\wsnpoem.

The following processes are created:

%System%\reader_s.exe
%UserProfile%\reader_s.exe
%Temp%\g260h.exe
%Temp%\winamp.exe
%Temp%\services.exe
%Temp%\svchost.exe
%Temp%\ogxyx.exe

A new memory page is created in the address space of the system process %System%\svchost.exe.
The module %System%\z7v89qurrt.dll is loaded into the address space of another process, IEXPLORE.EXE.

Connections to a number of remote hosts are established, including SMTP servers on port 25.


Several URLs are requested from the remote web servers.


SMTP traffic is generated from a range of sender addresses.


Virus Total permalink and MD5: 08ba612f05b0433a4a5ca2df4da38deb.

PayPal phishing in attachments

Yesterday MX Lab reported on a phishing email that contains no URL but instead an attached HTML document with a web form. Since then we have seen more similar cases, and PayPal is now also subject to this technique. The sender address shows “www.paypal.com” <service@paypal.com>, but this is spoofed. The email was sent from 69.128.90.226, an IP address in the US that resolves to mail.dandlequipment.com.

The body of the email:

To make sure everything is in order, please download the PayPal Security Account Verification and fill in all the required data for verification.

The actual webpage:

The web form POSTs the entered data to hxxp://0xD5.0xC3.0xDF.0xA9/paypalverification.php/, a host written as hex-encoded IP address octets.

Phish of Banca Agricola Popolare di Ragusa has no URL but is in an attachment

In almost every phishing email there is a URL leading to the phishing site, where you are asked for a login, password and other personal information. With the latest phish targeting Banca Agricola Popolare di Ragusa the URL is not inside the email; instead the email carries an attachment in HTML format. The goal of this trick is to evade filters that detect phishing based on Intent Analysis.

Contents of the email:

Dear Customer,

A new statement document is at your disposal.
To view it and save it on your PC within one year from today, visit the “Estratto conto e documentazione” area of your Internet services.
For assistance with the Internet services you can call the toll-free number 800 010 257, free also from mobile phones.

Kind regards.
Banca Agricola Popolare di Ragusa


This is an automated message.
To disable the service you can use the “Modifica abilitazioni” function (Comunicazioni Estratto conto e documentazione).
Think about the environment before printing

When opening the attached document novembre 2009.hml we got the following screenshot in the browser.

The web form submits the entered details to hxxp://67.214.177.8/passo1.php and afterwards redirects the victim to the official login page of the bank.
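An added example (not MX Lab's code) of inspecting such an HTML attachment: it collects each form's action and password fields with Python's standard library HTML parser and normalises IP-literal hosts, so the hex-octet host 0xD5.0xC3.0xDF.0xA9 of the PayPal form above is reported as the plain address 213.195.223.169, while the Ragusa form's 67.214.177.8 is recognised as a raw IP. The sample attachment is constructed; the decoder also handles octal and single-number (dword) spellings that browsers accept.

```python
"""Audit an HTML attachment like the PayPal and Banca Agricola Popolare di
Ragusa ones above: flag forms posting credentials to a raw IP, decoding
hex/octal/dword spellings such as 0xD5.0xC3.0xDF.0xA9. Added illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# inet_aton component syntaxes: hex, octal (leading 0), decimal.
_COMPONENT = [(r"0x[0-9a-f]+", 16), (r"0[0-7]+", 8), (r"\d+", 10)]


def _component(p):
    base = next((b for pat, b in _COMPONENT if re.fullmatch(pat, p, re.I)), None)
    return None if base is None else int(p, base)


def decode_ip_literal(host):
    """IPv4 dotted-decimal for a 1..4 component inet_aton-style literal (the
    last component absorbs the remaining bytes), or None for a hostname."""
    nums = [_component(p) for p in host.split(".")]
    if not 1 <= len(nums) <= 4 or None in nums:
        return None
    *lead, last = nums
    if any(n > 255 for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    for i, n in enumerate(reversed(lead)):  # pack leading bytes above `last`
        last |= n << (8 * (4 - len(lead) + i))
    return ".".join(str((last >> s) & 0xFF) for s in (24, 16, 8, 0))


class FormCollector(HTMLParser):
    """Record each form's action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_attachment(html):
    """Flag forms that ask for a password or post to an IP literal."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = urlsplit(form["action"].replace("hxxp", "http", 1)).hostname or ""
        ip = decode_ip_literal(host)
        if ip is not None or form["password"]:
            findings.append({"host": ip or host, "asks_password": form["password"],
                             "obfuscated_ip": ip is not None and ip != host})
    return findings


# Constructed sample modelled on the PayPal attachment described above.
SAMPLE_ATTACHMENT = """<h2>PayPal Security Account Verification</h2>
<form method="POST" action="hxxp://0xD5.0xC3.0xDF.0xA9/paypalverification.php/">
Email: <input name="email"> Password: <input type="password" name="pass"></form>"""
```

Running `audit_attachment(SAMPLE_ATTACHMENT)` yields one finding with host 213.195.223.169, flagged as both an obfuscated IP and a credential form.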

Facebook updated account agreement email contains Sasfis trojan

Apparently the virus campaigns are far from over. MX Lab reported on this blog about the latest virus campaign, which appears to be an attempt to grow the Cutwail botnet by infecting new computer systems, launching new trojan variants every few days.

MX Lab now intercepts a new Facebook virus campaign sent from the spoofed address <automailer+gtevzolc@facebook.com> or similar addresses.

The campaign is sent out with one of the following subjects:

Facebook updated account agreement
new Facebook account agreement
new account agreement

The content of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will be restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Confirmation Code #: 3233075834

The email contains the ZIP archive agreement.zip with the 20 kB executable agreement.exe inside. This trojan is known as Trojan.Sasfis.A (BitDefender), W32/Sasfis.E (F-Prot) or Trojan:Win32/Oficla.E (Microsoft).

MX Lab submitted the sample to Virus Total at 2009.11.07 00:03:35 UTC and 21 of the 41 AV engines detected the trojan. The first sample had been submitted at 2009.11.06 09:24:44 UTC, so this means that after more than 2 hours 52% of the AV engines could intercept this piece of malware.

Please remember that Facebook, or any other company, will not communicate in any way like this. Companies like Facebook will not send attachments to update your profile, agreement or anything else.

The trojan creates the files %Temp%\1.tmp and %System%\ifmq.kqo, modifies the Windows registry and tries to connect to the remote host 193.104.27.91. The following URLs are requested:

hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=1&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=300

Virus Total link and MD5: c175b5afc8bb7a7f716ccf3829412ff1.

Bredolab surges to new heights thanks to Cutwail botnet

Several sources reported a surge of the Bredolab trojan in the middle of October, but MX Lab only noticed a real increase on October 27th.

The following graph shows the virus detections from October 7th until November 5th (from right to left), with small peaks at the beginning of October, while at the end the virus outbreak really started for us. The virus detection and interception rate increased 5 to 6 times compared to the normal average.

We noticed Bredolab appearing in different campaigns, of which Facebook Password Reset Confirmation was perhaps the most widespread one targeting social network users. But let's not forget the DHL tracking emails or the Western Union Payment campaign.

So what is going on? Bredolab is distributed mainly over the Cutwail (or Pandex) botnet. One of the reasons is that this botnet is trying to infect new computers to add them to the botnet as zombies. A larger botnet can be used to distribute even more emails containing malware and infect even more systems, or to send out new large spam campaigns.

The Cutwail botnet's activity decreased from sending around 45% of spam at the beginning of the year to only 11% in September. Other botnets increased in size and activity. One of the newer botnets is called Maazben and was responsible for a large casino-related spam email campaign earlier, in May 2009.

The malware authors behind Cutwail are trying to make up some of those losses and to regain a dominant position in the botnet scene. So far, approximately 3.6 billion Bredolab emails are likely sent out each day, worldwide.

To do so they publish new variants on a regular basis to avoid detection by AV engines. As we saw during the last few days, virus detection was sometimes very low when a new variant came out and the file was offered to Virus Total for inspection.

At Virus Total, a great tool by the way, we often noticed that the 41 AV engines had difficulty detecting the new variant, resulting in less protection for end user systems. In some cases not even 30% of the engines detected the trojan more than 6 hours after the variant first appeared.

It is clear that traditional signature- or heuristic-based AV engines fail to offer good protection within the very short time frame that matters most for detecting and handling new malware. At MX Lab we can only recommend deploying anti-virus engines in multiple layers, with a zero-hour anti-virus solution as the main and first line of defense.

Cutwail variant in UPS Delivery Problem email

In the ongoing virus story, MX Lab intercepts a new variant of the Cutwail trojan masked in emails purporting to come from UPS about a delivery problem, with the subject: UPS Delivery Problem.

The content of the email:

Dear customer!

Unfortunately we were not able to deliver the postal package which was sent on the 20th of June in time
because the addressee’s address is incorrect.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

[Update November 7th, 2009 - 02:10 AM local Belgian time]

The Cutwail trojan has changed again, and the email characteristics are different as well. The subject states “Congratulations”.

The content of the email:

Congratulations!! You have won today's Macbook Air.

Please open the attached file and see details.

The email contains the ZIP archive winner.zip with the executable winner.exe.

Virus Total link and MD5: 3b9c3d653c3e5cb40c93e9599ee507de

Western Union money transfer email contains new variant of Bredolab

MX Lab intercepts a new W32/Bredolab!Generic trojan variant attached to emails purporting to come from Western Union, with instructions on how to receive a money transfer.

Possible subjects:

Western Union transfer is available for withdrawl.
Western Union. You should receive money transfer! Order 7909.

Senders:

<contact@westernunion.com>
<service@westernunion.com>

Content of the email:

Hello.

The amount of the money transfer: 5887 USD.
Money is available for withdrawal.

You may find the Money Control Number and receiver’s details in the document attached to this email.

Western Union.
Customer Service Center.

We noticed that with this campaign, since November 5th 2009, the attached ZIP archive is only 4 kB in size and, when extracted, the executable is 0 kB! It seems there is some issue with the email distribution, but we expect that this can change quickly.

Virus Total link and MD5: e6069e83c06da868637489466daed9d3.

Email with subject “Hello Darling” contains Cutwail trojan

MX Lab intercepted new emails containing a new variant of the Cutwail trojan, detected as Win32:Cutwail-AA (Avast) or W32/Trojan3.BLU (F-Prot). At Virus Total only 11 of the 41 AV engines detect the trojan, so the detection rate is quite low.

The messages come from a spoofed email address and have the subject “Hello Darling”. They contain the attachment photo.zip, in which the 32 kB file photo.exe is present.

The body of the email is very short:

Hi, how are you? My photos which I promised are in the attached file

This Cutwail trojan will create the following files:

c:\2.tmp
c:\3.tmp
c:\4.tmp
c:\5.tmp
%UserProfile%\reader_s.exe
%System%\reader_s.exe
%System%\dllcache\ndis.sys

New processes are created:

%System%\reader_s.exe – 49,152 bytes
%UserProfile%\reader_s.exe – 49,152 bytes

New memory pages created in the address space of the system process(es):

%System%\svchost.exe – 5,124,096 bytes
%System%\svchost.exe – 81,920 bytes

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ reader_s = “%System%\reader_s.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ reader_s = “%UserProfile%\reader_s.exe”

so that reader_s.exe runs every time Windows starts.

[HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect]
+ Cfg = 09 00 00 00 BE 4B 00 00 4D EE 80 1F BF AC AC AC A5 AC B9 AC AC AC AC AC 7C AC 5E 5F 54 42 5A 5F 42 55 42 57 AC BA AC AC AC AC AC 7C AC 5A 5F 42 5F 5B 54 42 5F 5A 55 42 5B 57 AC B4 AC AC AC AC AC 7C AC 5F 55 58 42 5F 59 59 42 5F 5C 58 42 5E 5F 5C AC B

Connections with a number of remote hosts are established, again including SMTP servers on port 25.


The following URLs are requested from the remote server:

hxxp://5job5.cn/l2/1.php
hxxp://5job5.cn/l2/2.php

Since Cutwail has a built-in SMTP engine, it can send out emails directly, using a range of sender addresses.


Virus Total link and MD5: 28790b4f272920a29340a9ddf2fd84aa.
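Detection logic for the network behaviour reported for these Cutwail/ZBot samples (here and in the DHL report above), as an added example that is not MX Lab's code: a workstation opening direct SMTP sessions to many unrelated external hosts instead of going through the organisation's relay, and a session on an unexpected high port such as 38811. The firewall log format, the relay address 10.0.0.25 and the threshold are assumptions; the log lines are constructed, reusing peer addresses from the DHL report.

```python
"""Detection logic for the network pattern in the Cutwail/ZBot reports above:
a workstation talking SMTP directly to many outside hosts, plus a session on
an unusual high port. Added illustration, not MX Lab's code."""
import ipaddress
from collections import defaultdict

ALLOWED_SMTP_RELAYS = {"10.0.0.25"}   # assumed: the organisation's own mail relay
DIRECT_SMTP_THRESHOLD = 5             # distinct external port-25 peers per source
EXPECTED_PORTS = {25, 53, 80, 123, 443}

# Constructed firewall log: "<time> <src> -> <dst>:<port> <action>"; the peer
# addresses are taken from the DHL report above.
SAMPLE_LOG = """\
2009-11-06T10:01:02 10.0.0.57 -> 10.0.0.25:25 allow
2009-11-06T10:01:05 10.0.0.57 -> 72.9.145.85:80 allow
2009-11-06T10:01:07 10.0.0.57 -> 78.159.121.41:38811 allow
2009-11-06T10:01:09 10.0.0.57 -> 12.191.105.50:25 allow
2009-11-06T10:01:09 10.0.0.57 -> 207.58.165.84:25 allow
2009-11-06T10:01:10 10.0.0.57 -> 209.128.32.160:25 allow
2009-11-06T10:01:10 10.0.0.57 -> 62.72.96.41:25 allow
2009-11-06T10:01:11 10.0.0.57 -> 64.183.119.211:25 allow
2009-11-06T10:01:12 10.0.0.57 -> 24.106.49.86:25 allow
2009-11-06T10:02:00 10.0.0.58 -> 10.0.0.25:25 allow
"""


def parse_line(line):
    """Split one log line into (src, dst, port)."""
    _time, src, _arrow, dest, _action = line.split()
    dst, port = dest.rsplit(":", 1)
    return src, dst, int(port)


def analyse(log_text):
    """Return {src: findings} for sources showing the spam-bot or odd-port pattern."""
    smtp_peers, odd_ports = defaultdict(set), defaultdict(set)
    for line in filter(None, log_text.splitlines()):
        src, dst, port = parse_line(line)
        if dst in ALLOWED_SMTP_RELAYS or ipaddress.ip_address(dst).is_private:
            continue                                  # internal traffic is fine
        if port == 25:
            smtp_peers[src].add(dst)                  # direct-to-MX delivery
        elif port >= 1024 and port not in EXPECTED_PORTS:
            odd_ports[src].add((dst, port))           # possible C2 channel
    alerts = {}
    for src in set(smtp_peers) | set(odd_ports):
        finding = {}
        if len(smtp_peers[src]) >= DIRECT_SMTP_THRESHOLD:
            finding["direct_smtp_peers"] = sorted(smtp_peers[src])
        if odd_ports[src]:
            finding["odd_ports"] = sorted(odd_ports[src])
        if finding:
            alerts[src] = finding
    return alerts


if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_LOG).items():
        print(src, finding)   # 10.0.0.57 flagged: 6 SMTP peers and port 38811
```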

Email regarding Facebook account update is a phish – part 2

MX Lab intercepted emails that appeared to be Facebook phishing emails.

The From address is obviously fake and not related to Facebook in any way. These come in with the subjects:

Facebook Account Update
Facebook Update Tool
new login system

Now we managed to find a working host where the supposed phishing site was hosted. We visited hxxp://www.facebook.com.ujtqwaqo.eu/globaldirectory/LoginFacebook.php?ref=xxx&email=xxx@xxx.com and got the login screen.

When we filled in a dummy login and password we were redirected to the following screen, and to our surprise we did not find a web form to submit personal details but instead a link to a malware file, updatetool.exe.

This malware is known as Gen:Trojan.Heur.Zbot.gq0@cS0Ulyb (BitDefender), PWS:Win32/Zbot.gen!R (Microsoft) or Mal/EncPk-LE (Sophos). As you may know by now, ZBot is a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components and provides the attacker with remote access to the compromised system.

The file %System%\sdra64.exe is created on an infected system, together with the hidden directory %System%\lowsec and the hidden files %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll.

New memory pages are created in the address space of the system processes %System%\services.exe, %System%\lsass.exe, %System%\svchost.exe and %System%\alg.exe, and of %ProgramFiles%\internet explorer\iexplore.exe.

Windows registry modifications are also part of the infection, and connections to a remote host are established: hxxp://193.104.27.42/lcc/ip2.gif and hxxp://193.104.27.42/ip.php.

Virus Total permalink and MD5: 1ccbe2c88bbaeb8a72ca0ef7e5e51738. It is detected by only 17 of the 41 AV engines at Virus Total.