Bredolab botnet taken down


According to the news site Softpedia, a 27-year-old man suspected of running the Bredolab botnet was arrested yesterday at Yerevan airport, Armenia.

Authorities believe he is the person responsible for creating and managing the Bredolab botnet, which was capable of sending out 3.5 billion spam messages per day. 143 Bredolab CnC servers (the servers that issue instructions to the zombies in the botnet), hosted by a LeaseWeb reseller, have been taken down.

FireEye is monitoring the activities of the botnet and can confirm that the CnC servers are offline, except for one CnC server located in Russia:

proobizz.cc

nslookup proobizz.cc
Non-authoritative answer:
Name:   proobizz.cc
Address: 109.196.134.41

Whether this takedown has an effect on spam levels will become clear over the following days.

Directory scam: Registration of the World Company Register 2011/2012


MX Lab, http://www.mxlab.eu, detected a new directory scam with the subject “World Company Register 2011/2012” from the company EU Business Services Ltd, operating under the name “Europe Business Guide”.

In the past, MX Lab has already warned about several directory scams and the deceptive marketing techniques these companies use.

MX Lab wants to point out a few things before you sign a contract with the Europe Business Guide.

The email we intercepted comes from Laura Allan <info@serv2ebg.com>, and visiting the site http://www.serv2ebg.com/ shows only a web server directory listing.

The message has the subject “World Company Register 2011/2012” and the following email body:

Ladies and Gentlemen.

In order to have your company inserted in the registry of World Businesses
for 2011/2012 edition, please print, complete and submit the enclosed
form (PDF file) to the following address:

Europe Business Guide
P.O. BOX 2021
3500 GA, UTRECHT
THE NETHERLANDS

email: register@ebg-online-2011.com
FAX: +31 20 524 8107

Updating is free of charge!

If you are not the intended recipient, please submit an email to
unsubscribe@ebg-online-2011.com
Your request shall be dealt with accordingly.

Attached to the email is the PDF file EBG_2011.pdf.

The first item you need to be careful with is near marker 1, at the top right of the document:

To update your company profile, please print, complete and return this form.
(Updating is free of charge). Only sign if you want to place an insertion.

The second item you need to read is the small print, especially near marker 2:

THE VALIDATION TIME OF THE CONTRACT IS THREE YEARS AND STARTS ON THE EIGHTH DAY AFTER SIGNING THE CONTRACT. THE INSERTION IS GRANTED AFTER SIGNING AND RECEIVING THIS DOCUMENT BY
THE SERVICE PROVIDER. I HEREBY ORDER A SUBSCRIPTION WITH SERVICE PROVIDER EU BUSINESS SERVICES LTD “EUROPE BUSINESS GUIDE”. I WILL HAVE AN INSERTION TO ITS DATA BASE FOR THREE YEARS. THE PRICE PER YEAR IS EURO 990.

What does this mean? According to the document, once it is returned with your signature, your entry in the Europe Business Guide is subject to a contract for the next 3 years with a price tag of 990 Euro per year.

This is a deceptive technique to get companies bound to a contract of 990 Euros per year, and again we expect that some people will be fooled by this way of working.

Our recommendation: don’t sign the document and don’t do business with this company.

Follow these guidelines if you are a victim of this directory scam:

  • Do not pay, even if they threaten to take your case to court.
  • If you have paid a certain amount, stop the next payments. Expect that you won’t get a refund either.
  • Send them a letter informing them you have been misled and telling them to cancel the contract.
  • If possible, report to (local) authorities.

Some additional information:

The domain serv2ebg.com was used in the from address. This domain does not host a web site but only shows the web host’s directory listing.

The domain was registered very recently, on October 8th, 2010, with the following details at the registrar HICHINA ZHICHENG TECHNOLOGY LTD:

Domain Name: SERV2EBG.COM
   Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
   Whois Server: grs.hichina.com
   Referral URL: http://www.net.cn
   Name Server: NS1.DOMREFERENCE.COM
   Name Server: NS2.DOMREFERENCE.COM
   Status: ok
   Updated Date: 08-oct-2010
   Creation Date: 08-oct-2010
   Expiration Date: 08-oct-2011
Domain Name ..................... SERV2EBG.COM
Name Server ..................... ns1.domreference.com
                                  ns2.domreference.com
Registrant ID ................... hc348010405-cn
Registrant Name ................. zhang ming
Registrant Organization ......... zhang ming
Registrant Address .............. gaoyaoshichangyuanlu12hao12lou101shi
Registrant City ................. gaoyaoshi
Registrant Province/State ....... Guangdong
Registrant Postal Code .......... 023652
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.6358559985 -
Registrant Fax .................. +86.6358559985 -
Registrant Email ................ dfghrter@hotmail.com
Administrative ID ............... hc348010405-cn
Administrative Name ............. zhang ming
Administrative Organization ..... zhang ming
Administrative Address .......... gaoyaoshichangyuanlu12hao12lou101shi
Administrative City ............. gaoyaoshi
Administrative Province/State ... Guangdong
Administrative Postal Code ...... 023652
Administrative Country Code ..... CN
Administrative Phone Number ..... +86.6358559985 -
Administrative Fax .............. +86.6358559985 -
Administrative Email ............ dfghrter@hotmail.com
Billing ID ...................... hc348010405-cn
Billing Name .................... zhang ming
Billing Organization ............ zhang ming
Billing Address ................. gaoyaoshichangyuanlu12hao12lou101shi
Billing City .................... gaoyaoshi
Billing Province/State .......... Guangdong
Billing Postal Code ............. 023652
Billing Country Code ............ CN
Billing Phone Number ............ +86.6358559985 -
Billing Fax ..................... +86.6358559985 -
Billing Email ................... dfghrter@hotmail.com
Technical ID .................... hc348010405-cn
Technical Name .................. zhang ming
Technical Organization .......... zhang ming
Technical Address ............... gaoyaoshichangyuanlu12hao12lou101shi
Technical City .................. gaoyaoshi
Technical Province/State ........ Guangdong
Technical Postal Code ........... 023652
Technical Country Code .......... CN
Technical Phone Number .......... +86.6358559985 -
Technical Fax ................... +86.6358559985 -
Technical Email ................. dfghrter@hotmail.com
Expiration Date ................. 2011-10-08 10:28:21

The domain that unsubscribe requests are sent to, ebg-online-2011.com, was also registered on October 8th, 2010, at the registrar Dotster:

   Domain Name: EBG-ONLINE-2011.COM
   Registrar: DOTSTER, INC.
   Whois Server: whois.dotster.com
   Referral URL: http://www.dotster.com
   Name Server: NS1.DOMREFERENCE.COM
   Name Server: NS2.DOMREFERENCE.COM
   Status: ok
   Updated Date: 08-oct-2010
   Creation Date: 08-oct-2010
   Expiration Date: 08-oct-2011
Registrant:
   International Directories LTD
   C/Azcona 58, Local
   madrid, madrid  28028
   ES

   Registrar: DOTSTER
   Domain Name: EBG-ONLINE-2011.COM
      Created on: 08-OCT-10
      Expires on: 08-OCT-11
      Last Updated on: 08-OCT-10

   Administrative, Technical Contact:
      fernandez, marco  bricinternational@gmail.com
      International Directories LTD
      C/Azcona 58, Local
      madrid, madrid  28028
      ES
      +34917919176

   Domain servers in listed order:
      NS1.DOMREFERENCE.COM
      NS2.DOMREFERENCE.COM

Note that this domain is registered to a holder in Spain.

The company itself runs its business on http://www.europebusinessguide.net/, and on the About us page we found the following:

The Europe Business Guide Online is a product of EU Business Services Ltd, a corporation organized and existing under the law of Nevis, West Indies.

The domain europebusinessguide.net itself has been registered since March 3rd, 2010, through another Chinese registrar:

  Domain Name: EUROPEBUSINESSGUIDE.NET
   Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
   Whois Server: whois.dns.com.cn
   Referral URL: http://www.dns.com.cn
   Name Server: NS1.EUROPEBUSINESSGUIDE.NET
   Name Server: NS2.EUROPEBUSINESSGUIDE.NET
   Status: clientTransferProhibited
   Updated Date: 03-mar-2010
   Creation Date: 02-mar-2010
   Expiration Date: 02-mar-2011
Domain Name.......... EUROPEBUSINESSGUIDE.NET
  Creation Date........ 2010-03-03 12:45:36
  Registration Date.... 2010-03-03 12:45:36
  Expiry Date.......... 2011-03-03 12:45:36
  Organisation Name.... EU BUSINESS SERVICES LTD
  Organisation Address. PO BOX 2021 3500 GA UTRECHT
  Organisation Address.
  Organisation Address. Nevis West Indies
  Organisation Address. 3500
  Organisation Address. WG
  Organisation Address. NL

Admin Name........... EU BUSINESS SERVICES LTD
  Admin Address........ PO BOX 2021 3500 GA UTRECHT
  Admin Address........
  Admin Address........ Nevis West Indies
  Admin Address........ 3500
  Admin Address........ WG
  Admin Address........ NL
  Admin Email.......... toppk7863@yahoo.com
  Admin Phone.......... +1.203824833
  Admin Fax............ +1.203824833

Tech Name............ EU BUSINESS SERVICES LTD
  Tech Address......... PO BOX 2021 3500 GA UTRECHT
  Tech Address.........
  Tech Address......... Nevis West Indies
  Tech Address......... 3500
  Tech Address......... WG
  Tech Address......... NL
  Tech Email........... toppk7863@yahoo.com
  Tech Phone........... +1.203824833
  Tech Fax............. +1.203824833

Bill Name............ EU BUSINESS SERVICES LTD
  Bill Address......... PO BOX 2021 3500 GA UTRECHT
  Bill Address.........
  Bill Address......... Nevis West Indies     
  Bill Address......... 3500    
  Bill Address......... WG     
  Bill Address......... NL   
  Bill Email........... toppk7863@yahoo.com
  Bill Phone........... +1.203824833
  Bill Fax............. +1.203824833
  Name Server.......... ns2.europebusinessguide.net
  Name Server.......... ns1.europebusinessguide.net

The company EU Business Services Ltd has changed domains in order to start a new campaign. It is the same company that MX Lab covered in another blog article regarding the World Business Guide.
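As an added example (not MX Lab’s own tooling), the following Python triage script parses the registrar summary lines quoted above and pulls out the two pivots a defender would take from them: the two campaign domains were registered only days before the mail was seen, and both share the DOMREFERENCE.COM name servers. The observation date is an assumption, since the post gives no exact date.

```python
import re
from datetime import date, datetime

# Registrar-summary lines as quoted in the post; europebusinessguide.net is the earlier campaign domain.
WHOIS_RECORDS = {
    "serv2ebg.com": """
   Name Server: NS1.DOMREFERENCE.COM
   Name Server: NS2.DOMREFERENCE.COM
   Creation Date: 08-oct-2010""",
    "ebg-online-2011.com": """
   Name Server: NS1.DOMREFERENCE.COM
   Name Server: NS2.DOMREFERENCE.COM
   Creation Date: 08-oct-2010""",
    "europebusinessguide.net": """
   Name Server: NS1.EUROPEBUSINESSGUIDE.NET
   Name Server: NS2.EUROPEBUSINESSGUIDE.NET
   Creation Date: 02-mar-2010""",
}
# Assumed date on which the scam mail was observed (the post gives no exact date).
ASSUMED_SEEN_ON = date(2010, 10, 20)

def parse_record(text):
    """Pull name servers and creation date out of a 'Key: value' whois summary."""
    rec = {"name_servers": set(), "created": None}
    for key, value in re.findall(r"^\s*([^:\n]+):\s*(.+?)\s*$", text, re.M):
        if key == "Name Server":
            rec["name_servers"].add(value.lower())
        elif key == "Creation Date":  # summaries use the 08-oct-2010 form; %b is case-insensitive
            rec["created"] = datetime.strptime(value, "%d-%b-%Y").date()
    return rec

def domain_age_days(rec, seen_on):
    return (seen_on - rec["created"]).days

def shared_name_servers(parsed):
    """Name servers used by more than one domain: a pivot for finding sibling campaign domains."""
    by_ns = {}
    for domain, rec in parsed.items():
        for ns in rec["name_servers"]:
            by_ns.setdefault(ns, set()).add(domain)
    return {ns: doms for ns, doms in by_ns.items() if len(doms) > 1}

def triage(records, seen_on=ASSUMED_SEEN_ON, max_age_days=30):
    """Return (domains younger than max_age_days when the mail was seen, shared name-server map)."""
    parsed = {d: parse_record(t) for d, t in records.items()}
    young = sorted(d for d, r in parsed.items() if domain_age_days(r, seen_on) < max_age_days)
    return young, shared_name_servers(parsed)
```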

Additional information:

Stop EU Business Services Ltd Trading As World Business Directory
Stop world-businessdirectory.com

Significant drop in spam levels since end of September 2010


MX Lab, http://www.mxlab.eu, noticed a significant drop in the spam level since 22 September 2010. The global numbers show a decline of approx. 40%, even on business days when spam levels are normally high.

As you can see on the graph, the decline started on the 21st of September 2010 and continued on the 22nd of September.

We detected one major absentee in the spam messages: the Canadian Pharmacy. This kind of spam can be related to the botnet Rustock, believed to be operated from Ukraine or Russia, and the activity of this botnet has dropped from approx. 50 to 60% of the daily worldwide spam volume to 0%.

Another contribution to the spam decline can be attributed to the closure of Spamit.com, as this could also have affected the Rustock botnet herders.

Spamit.com was the affiliate program that paid some of the world’s top spammers to promote pharmacy web sites, and it announced it would close its doors at the end of September.

The homepage of Spamit.com was replaced by the following announcement:

Dear partners and colleagues!

As we announced we turned off all shops and stopped to receive traffic. Last week we paid more than 95% of all commissions. Stats will work till 10.10.2010. After that stats will be unavailable. Please take your money from us before this time!

Also please do not use our shop templates with other partner programs. All of them have their own templates.

Thanks again to all of you for the trust and support!

Screenshot of the current homepage:

Spamit.com was also responsible for sending drug spam on behalf of the Canadian Pharmacy, and it is often associated with Glavmed.com in articles (more information).

Will this mean that we get less spam? No, probably not. It will take some time, but we expect to see Rustock getting back to business, or other botnets may fill in the gap.

Three other botnets, Grum, Letho and Pushdo, are gaining ground with the drop of Rustock, rising from 10% to 20% towards 20%, while the botnet Grum alone almost reaches 30% of the daily spam.

iTunes abused in spam campaign that redirects users to online pharmacy


MX Lab, http://www.mxlab.eu, started to intercept a spam campaign that is abusing iTunes to redirect users to the online site of Pharmacy Express.

The email message comes from the address iTunes Store <do_not_reply@itunes.com>, which is obviously spoofed. The email headers are spoofed as well:

Received: from badger1402.apple.com (badger1402.apple.com [17.254.6.185])
by asmail.fitnet.biz with SMTP id 02903735943
for <*****@*****.be>; Fri, 1 Oct 2010 21:10:22 +0200

This is what the message looks like: a perfectly iTunes-branded purchase receipt email, except that all URLs lead to the online pharmacy web site.

Domains that are being used:

hxxp://medicineni.com
hxxp://iwvblrig.info
hxxp://cyvvlrgu.info
hxxp://pxdnafse.info
…….

As we write, new domains are being brought into circulation. All of these domains host the online pharmacy web site Pharmacy Express.

Emails with subject “So now you’re on LinkedIn: What’s next?” lead to malware


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “So now you’re on LinkedIn: What’s next?”. This campaign is a follow-up to the LinkedIn Messages, 9/30/2010 campaign that we reported yesterday. The malware has not changed in any way.

The email is sent from the spoofed address “LinkedIn <linkedin@em.linkedin.com>”, the email headers are forged, and the message has the following body with complete LinkedIn branding:

The message is very similar to the LinkedIn Alert email threat we saw a few days ago, but it now uses a different approach to distribute the malware after a link in the message is clicked.

All the URLs redirect the visitor to a web site, which immediately redirects them to hxxp://hatcher.com.au/1.html. When the web page loads, an image prompting you to install Adobe Flash Player is shown, and the file flash_player_07.78.exe is offered for download.

The trojan is known as Trojan-Spy.Win32.Zbot.aptt (Kaspersky), Win32/Spy.Zbot.ZR (NOD32), Trojan.Zbot (PCTools), Trojan.Generic.KD.44402 (F-Secure).

The following files will be created:

%AppData%\Yguze\ubce.exe
%AppData%\Ywimuq\ipafe.tiy
%AppData%\Ywimuq\ipafe.tmp
%Temp%\tmp0e1f500d.bat

The following directories are created:

%AppData%\Yguze
%AppData%\Ywimuq

A new process is created:

ubce.exe

Several Windows registry changes will be executed, and the trojan will establish a connection with the host ohmaebahsh.ru on port 80 and perform a GET request for bin/koethood.bin.

VirusTotal permalink and MD5: b77b6eac5d9e9d088b400652405c4b19.
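As an added detection example (not from the original post or from MX Lab), the following Python matcher turns the indicators listed above into checks over constructed endpoint telemetry: the dropped file paths with %AppData% and %Temp% expanded for the user profile, the ubce.exe process, the MD5 from the VirusTotal entry, and the GET request to ohmaebahsh.ru. The event format, the profile paths, the leading slash on the request URI and attaching the post’s MD5 to the downloaded file are assumptions.

```python
import re

# Indicators taken from the write-up above; %AppData% and %Temp% are expanded per user profile.
ZBOT_FILES = [r"%AppData%\Yguze\ubce.exe", r"%AppData%\Ywimuq\ipafe.tiy",
              r"%AppData%\Ywimuq\ipafe.tmp", r"%Temp%\tmp0e1f500d.bat"]
ZBOT_PROCESS = "ubce.exe"
ZBOT_C2 = ("ohmaebahsh.ru", 80, "/bin/koethood.bin")   # GET request seen after infection
ZBOT_MD5 = "b77b6eac5d9e9d088b400652405c4b19"
DROPPER_NAME = "flash_player_07.78.exe"

def expand(path, appdata, temp):
    """Expand the %AppData% / %Temp% placeholders case-insensitively (lambda avoids backslash escapes)."""
    path = re.sub(r"%appdata%", lambda _: appdata, path, flags=re.I)
    return re.sub(r"%temp%", lambda _: temp, path, flags=re.I)

def match_event(event, appdata, temp):
    """Return the indicator names one telemetry event matches (empty list if none)."""
    hits, kind = [], event.get("type")
    path = event.get("path", "").lower()
    if kind == "file_write":
        if path in {expand(p, appdata, temp).lower() for p in ZBOT_FILES}:
            hits.append("zbot_dropped_file")
        if path.endswith("\\" + DROPPER_NAME):
            hits.append("fake_flash_dropper")
    elif kind == "process_start" and path.endswith("\\" + ZBOT_PROCESS):
        hits.append("zbot_process")
    elif kind == "http_request":
        seen = (event.get("host", "").lower(), event.get("port"), event.get("uri"))
        if seen == ZBOT_C2:
            hits.append("zbot_c2_beacon")
    if event.get("md5", "").lower() == ZBOT_MD5:   # hash applies to any event that carries one
        hits.append("zbot_known_md5")
    return hits

def scan(events, appdata, temp):
    """Run every event through match_event; return (event, hits) pairs for the ones that matched."""
    return [(e, h) for e in events for h in [match_event(e, appdata, temp)] if h]

# Constructed sample telemetry for one Windows profile (not real logs); benign events are mixed in.
APPDATA, TEMP = r"C:\Users\alice\AppData\Roaming", r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "file_write", "path": r"C:\Users\alice\Downloads\flash_player_07.78.exe",
     "md5": "b77b6eac5d9e9d088b400652405c4b19"},
    {"type": "file_write", "path": r"C:\Users\alice\AppData\Roaming\Yguze\ubce.exe"},
    {"type": "file_write", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\~WRL0001.tmp"},
    {"type": "file_write", "path": r"C:\Users\alice\AppData\Local\Temp\tmp0e1f500d.bat"},
    {"type": "process_start", "path": r"C:\Users\alice\AppData\Roaming\Yguze\ubce.exe"},
    {"type": "http_request", "host": "ohmaebahsh.ru", "port": 80, "uri": "/bin/koethood.bin"},
    {"type": "http_request", "host": "www.example.com", "port": 80, "uri": "/"},
]
```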
