Anti Virus Softwares

Wednesday, 7 October 2009

Microsoft "Your e-mail will be blocked" phish

Posted on 04:04 by Unknown
An interesting phishing campaign has resulted in several news stories about stolen passwords. That got me digging in the UAB Spam Data Mine looking for related emails. I didn't find THAT phish, but we did receive a large number of email messages claiming to be sent by Microsoft.com with this seemingly important warning:

Your e-mail will be blocked within 48 hours for spam, if this is mistake please cintact us.
Please click here for detailes.

Thank You.
Spam security Customer Service

The "Click Here" portion of the email was a link to a website containing the domain name:

58342875324752.com

with a randomized host-name portion in front of it, such as:

http://jicjhfchcf63990210626.58342875324752.com/1.html
http://bcaifegghi22625742876.58342875324752.com/1.html
http://ahgdjifchf33143196196.58342875324752.com/1.html
http://dacjfiefdf06964096947.58342875324752.com/1.html
http://aggjbdbejf52476850184.58342875324752.com/1.html
http://gichjabdga24449952037.58342875324752.com/1.html
http://cdbbeibcce54169406995.58342875324752.com/1.html
http://cgahdjahih39067688421.58342875324752.com/1.html
http://dibgdfdbjc50687902460.58342875324752.com/1.html
http://geghdgfbbd77652789593.58342875324752.com/1.html
http://hbahfdbfhb41867793765.58342875324752.com/1.html
http://ecfafijdic45542087833.58342875324752.com/1.html
http://jfjhbgidfj46950802509.58342875324752.com/1.html
http://chcdgeecgh27341962790.58342875324752.com/1.html

Email subject lines observed during this phishing campaign included:

Alert: Account Deactivation Notice
Important message about your account information
NOTIFICATION OF LIMITED ACCOUNT ACCESS
Online Access Supended
Online Account Locked
Online Security Measures
Re-Confirm Your Online Access.
Your account has been flagged!
Your account has been placed on restricted status
Your Account Suspension
Your Online Account Needs Update

The spam carried a distinctive forgery in the email headers, intended to make the messages appear to come from Microsoft. Every mail server that handles a message prepends a "Received" line recording the address it accepted the message from, so a normal header block looks like this:

Return-Path:
Received: from dsl-189-139-6-108-dyn.prod-infinitum.com.mx (dsl-189-139-6-108-dyn.prod-infinitum.com.mx [189.139.6.108] (may be forged))
by GarsServer.com (8.11.6/8.11.0) with ESMTP id n96Lew069365
for <85qrhskymaucw@GarsDomain.com>; Tue, 6 Oct 2009 21:40:59 GMT
(envelope-from bec713-security@microsoft.com)
Received: from dns749.microsoft.com(dns697.microsoft.com [189.139.6.108]) by 189.139.6.108 with SMTP id 69811070;

In this case, the "Return-Path" line is fake and was added by the sender. The second "Received" line, the lower one claiming the message came from dns749.microsoft.com, is also fake: it was inserted by the sender to convince you that the sending IP "189.139.6.108" is a Microsoft computer, which it is not. Only the topmost "Received" line, written by the receiving server from the actual connection, can be trusted, and it shows the same IP as a dynamic DSL host (prod-infinitum.com.mx) that sendmail has already tagged "(may be forged)".
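The checks just described, as an added example that is not code from the original post: the message is constructed from the header lines quoted above (continuation lines re-indented so the parser folds them, the empty Return-Path left empty), plus a constructed clean control message. Function and finding names are my own.

```python
"""Flag a forged Received: chain of the kind shown above."""
import re
from email import message_from_string

# Constructed from the header block quoted in the post.
PHISH_HEADERS = """\
Return-Path:
Received: from dsl-189-139-6-108-dyn.prod-infinitum.com.mx (dsl-189-139-6-108-dyn.prod-infinitum.com.mx [189.139.6.108] (may be forged))
\tby GarsServer.com (8.11.6/8.11.0) with ESMTP id n96Lew069365
\tfor <85qrhskymaucw@GarsDomain.com>; Tue, 6 Oct 2009 21:40:59 GMT
\t(envelope-from bec713-security@microsoft.com)
Received: from dns749.microsoft.com(dns697.microsoft.com [189.139.6.108]) by 189.139.6.108 with SMTP id 69811070;

"""

# Constructed control: a plausible two-hop chain with nothing forged.
CLEAN_HEADERS = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby GarsServer.com (8.11.6/8.11.0) with ESMTP id abc123
\tfor <user@GarsDomain.com>; Tue, 6 Oct 2009 21:41:00 GMT
\t(envelope-from sender@example.org)
Received: from desk7.internal.example.org (desk7.internal.example.org [10.0.0.5])
\tby mail.example.org with ESMTP id def456; Tue, 6 Oct 2009 21:40:30 GMT

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+([^\s(]+)", re.I)
BY_RE = re.compile(r"\bby\s+([^\s(;]+)", re.I)
ENV_RE = re.compile(r"envelope-from\s+<?([^\s>)]+)", re.I)


def parse_hop(value):
    """Extract the fields we need from one Received: header value."""
    value = " ".join(value.split())  # unfold continuation lines
    m_from, m_by = FROM_RE.search(value), BY_RE.search(value)
    m_ip, m_env = IP_RE.search(value), ENV_RE.search(value)
    return {
        "claimed_host": m_from.group(1).lower() if m_from else "",
        "by": m_by.group(1).lower() if m_by else "",
        "ip": m_ip.group(1) if m_ip else "",
        "envelope_from": m_env.group(1).lower() if m_env else "",
        # sendmail adds this when the reverse-DNS name does not resolve back to the IP
        "may_be_forged": "may be forged" in value.lower(),
    }


def base_domain(name):
    """Last two labels; crude, but enough to tell microsoft.com from com.mx here."""
    labels = name.strip(".").split(".")
    return ".".join(labels[-2:])


def analyze_received_chain(raw):
    """Return the parsed hops and a list of (code, detail) findings."""
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    findings = []
    if not hops:
        return {"hops": hops, "findings": [("NO_RECEIVED", "no Received: header")]}
    # Received: lines are prepended as mail travels, so hops[0] was written by
    # the receiving MTA from the real TCP connection. Everything below it came
    # inside the message and could have been typed by the sender.
    top = hops[0]
    if top["may_be_forged"]:
        findings.append(("RDNS_FORWARD_MISMATCH", top["claimed_host"]))
    env = top["envelope_from"]
    env_domain = base_domain(env.split("@")[-1]) if "@" in env else ""
    if env_domain and env_domain != base_domain(top["claimed_host"]):
        findings.append(("ENVELOPE_DOMAIN_MISMATCH", f"{env_domain} vs {top['claimed_host']}"))
    for hop in hops[1:]:
        # A lower hop reusing the connecting IP under another name was almost
        # certainly inserted by the sender to borrow that name's credibility.
        if hop["ip"] and hop["ip"] == top["ip"] and \
                base_domain(hop["claimed_host"]) != base_domain(top["claimed_host"]):
            findings.append(("IP_REUSE", f"{hop['claimed_host']} claims {hop['ip']}"))
        # "from X ... by <the same IP>" says the host received mail from itself.
        if hop["by"] and hop["by"] == hop["ip"]:
            findings.append(("SELF_RELAY", hop["ip"]))
    return {"hops": hops, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_HEADERS), ("clean", CLEAN_HEADERS)):
        print(label, [code for code, _ in analyze_received_chain(raw)["findings"]])
```

The forged message trips all four checks; the clean control trips none. In a real filter the envelope-domain check on its own is weak (mailing lists and forwarders break it routinely), so weight it below the two structural signals, which a legitimate chain has no reason to show.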

The End?

Unfortunately, that's as far as this part of the investigation can go. The website had already been taken down: the registrar was asked to remove the domain's nameserver delegation, so no computer can resolve the website in question any more.

But is that really the end?

The nameserver for this (now terminated) domain was ns1.bloktrest.net. By querying that nameserver directly instead of following the normal delegation, we can see that the site was "fast flux" hosted across many different IP addresses. For instance, resolving the domain right now against bloktrest.net returns:

211.220.122.249
59.28.65.79
61.82.161.51
84.126.133.91
85.136.101.254
86.101.82.52
89.74.19.174
94.189.175.182
116.65.199.187
118.34.214.178
118.38.110.10
119.196.189.101
121.141.44.120
121.181.5.75
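A way to turn a list of answers like the one above into a fast-flux verdict, as an added example and not code from the original post. A Snapshot is the A-record set one query returned plus its TTL; the snapshots are constructed from the 14 addresses listed above, while the TTLs, the query timing, the split into four answers and the thresholds in fast_flux_score are assumptions. In practice the snapshots would come from repeated queries against the domain's own nameserver (the bloktrest.net lookup described above).

```python
"""Score a domain's DNS answers for fast-flux behaviour."""
from dataclasses import dataclass
from ipaddress import ip_network

# The addresses ns1.bloktrest.net handed out for 58342875324752.com (from the post).
PHISH_IPS = [
    "211.220.122.249", "59.28.65.79", "61.82.161.51", "84.126.133.91",
    "85.136.101.254", "86.101.82.52", "89.74.19.174", "94.189.175.182",
    "116.65.199.187", "118.34.214.178", "118.38.110.10", "119.196.189.101",
    "121.141.44.120", "121.181.5.75",
]


@dataclass(frozen=True)
class Snapshot:
    seconds: int   # offset of this query from the first one (constructed)
    ttl: int       # TTL on the answer (constructed)
    addrs: tuple   # A records in this answer


# Four queries ten minutes apart, each returning an overlapping slice of the pool.
FLUX_SNAPSHOTS = [
    Snapshot(0, 300, tuple(PHISH_IPS[0:5])),
    Snapshot(600, 300, tuple(PHISH_IPS[3:8])),
    Snapshot(1200, 300, tuple(PHISH_IPS[7:12])),
    Snapshot(1800, 300, tuple(PHISH_IPS[10:14])),
]

# Control: an ordinary site, two addresses in one /24, long TTL, nothing changes.
STABLE_SNAPSHOTS = [
    Snapshot(0, 3600, ("192.0.2.10", "192.0.2.11")),
    Snapshot(600, 3600, ("192.0.2.11", "192.0.2.10")),
]


def fast_flux_score(snapshots):
    """Four independent signals; three or more is called fast flux."""
    seen, new_per_query = set(), []
    for snap in snapshots:
        fresh = set(snap.addrs) - seen          # addresses never returned before
        new_per_query.append(len(fresh))
        seen |= set(snap.addrs)
    distinct = len(seen)
    slash16 = {str(ip_network(f"{a}/16", strict=False)) for a in seen}
    min_ttl = min(s.ttl for s in snapshots)
    # Mean number of never-before-seen addresses per follow-up query.
    churn = sum(new_per_query[1:]) / max(1, len(snapshots) - 1)
    signals = {
        "many_addresses": distinct >= 10,
        # compromised home machines land in unrelated prefixes; a CDN does not
        "scattered_prefixes": bool(distinct and len(slash16) / distinct >= 0.8),
        "short_ttl": min_ttl <= 300,
        "churning": churn >= 1.0,
    }
    score = sum(1 for hit in signals.values() if hit)
    return {
        "distinct": distinct,
        "slash16_count": len(slash16),
        "min_ttl": min_ttl,
        "churn": churn,
        "signals": signals,
        "score": score,
        "verdict": "fast-flux" if score >= 3 else "stable",
    }


if __name__ == "__main__":
    for label, snaps in (("58342875324752.com", FLUX_SNAPSHOTS), ("control", STABLE_SNAPSHOTS)):
        result = fast_flux_score(snaps)
        print(label, result["verdict"], result["score"], result["signals"])
```

The 14 addresses above sit in 14 different /16 prefixes (Korean, Spanish, Hungarian, Polish, Serbian and Japanese consumer space, by the look of them), which is the strongest single tell: no legitimate hosting setup scatters one web site across that many unrelated networks.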

By hard-coding one of these IP addresses for the domain name (a hosts-file entry), we can see what WOULD have happened had we visited the site: the page loads an IFRAME from:

(DO NOT VISIT!) us-business-shop-2019.com/shop/?0a8f23e34c3fccbdbc459ef0d52b3910

THAT website has been listed since September 3rd at MalwareDomainList as a LuckySploit exploiter.

So the question remains: was this a phishing site at all, or merely a way to get people to load LuckySploit and have it take over their computers?

Whois points to Badness

Here is the WHOIS data for 58342875324752.com which was registered October 5, 2009 at TodayNIC.com, an infamous Chinese registrar.

Administrative Contact:
Name: Ferd Derfo
Organization: Ferd Derfo
Address: Moskow
City: Moskow
Province/state: MSK
Country: RU
Postal Code: 133331
Phone: +7.9357738849
Fax: +7.9357738849
Email: molda3333vimo@safe-mail.net

Here is the WHOIS data for us-business-shop-2019.com which was registered at another infamous Chinese registrar, ONLINENIC.com, on July 21, 2009:

Serpino Berbeto ad6@safe-mail.net +1.2128848801
Serpino Berbeto
403 po box
New York NY US 10037

ns1.dns-diy.net
ns2.dns-diy.net

Do a search on "Serpino Berbeto" and you'll find more than 1,000 ways in which this identity is involved in the creation of domains used for the distribution of malware, and with online fraud domains, including fake Escrow sites, spam, pirated software (easy-software-store.com), Canadian Pharmacy (shop29.net).

The Serpino identity is one of the many "resellers" that cause OnlineNIC and other Chinese registrars to be such widely used havens for cybercriminals.

Serpino is hosting this site, and several other recent malware infection sites he's been behind, on a netblock belonging to "The Bigness Group" in St. Petersburg, Russia.

Serpino's sites on that netblock include:

yournewvideo.info - 195.88.190.29
brberfsdfsdafs.com - 195.88.190.31
lovisiribkabolishajaimalenkaja - 195.88.190.235
us-business-shop-2019.com - 195.88.190.202
fgddfgdgdfg.com - 195.88.190.235

Of course, other aliases are also hosting malware on this netblock, which seems to be filling the role of the old Russian Business Network, also of St. Petersburg:

Tourino Markes / moldavimo00@safe-mail.net has registered:
vertigoinvasion.com = 195.88.190.240 - associated with both Zeus and the Fragus exploit kit

Kelly Watsen / potenciallio@safe-mail.net has registered:
landingerfor.org = 195.88.190.235 - associated with LuckySploit exploit kit

Fego Fegochev / moldavimo@safe-mail.net has registered:
ppoqass.info = 195.88.190.246 - associated with the LuckySploit exploit kit
bbortixx.info = 195.88.190.246 - also associated with LuckySploit

Passive DNS reveals all sorts of badness. Recommendation? Everyone should block "The Bigness" and their entire network block!
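The pivoting that produced the list above (shared hosting, shared registrant identities, the IFRAME from the phish domain into Serpino's site), as an added example that is not code from the original post. RECORDS is a constructed passive-DNS/WHOIS table built from the domains, addresses and registrant e-mails named in this post. Assumptions: the Serpino netblock sites are given his e-mail because the post attributes them to him; the seed domain is given the 211.53.54.227 address the post later says it shared with the IRS lure; the IFRAME is recorded as an "embeds" edge; and other-tenant.example is an invented neighbour on the same /24 with no other tie to the group. Function names are my own.

```python
"""Pivot from one bad domain to related infrastructure."""
from collections import deque
from ipaddress import ip_network


def rec(ips, email=None, embeds=()):
    return {"ips": set(ips), "email": email, "embeds": set(embeds)}


RECORDS = {
    "58342875324752.com": rec(["211.53.54.227", "211.220.122.249", "59.28.65.79"],
                              "molda3333vimo@safe-mail.net", ["us-business-shop-2019.com"]),
    "www.irs.gov.hyu111a.com": rec(["211.53.54.227"]),
    "us-business-shop-2019.com": rec(["195.88.190.202"], "ad6@safe-mail.net"),
    "yournewvideo.info": rec(["195.88.190.29"], "ad6@safe-mail.net"),
    "brberfsdfsdafs.com": rec(["195.88.190.31"], "ad6@safe-mail.net"),
    "fgddfgdgdfg.com": rec(["195.88.190.235"], "ad6@safe-mail.net"),
    "vertigoinvasion.com": rec(["195.88.190.240"], "moldavimo00@safe-mail.net"),
    "landingerfor.org": rec(["195.88.190.235"], "potenciallio@safe-mail.net"),
    "ppoqass.info": rec(["195.88.190.246"], "moldavimo@safe-mail.net"),
    "bbortixx.info": rec(["195.88.190.246"], "moldavimo@safe-mail.net"),
    "other-tenant.example": rec(["195.88.190.50"]),   # invented: same /24, no other tie
}


def slash24(ip):
    return str(ip_network(f"{ip}/24", strict=False))


def pivot(records, seed, use_netblock=False, max_hops=3):
    """Breadth-first walk over shared IPs, shared registrant e-mail and
    embedded content; optionally also over shared /24 netblocks.
    Returns {domain: (hops_from_seed, how_it_was_reached)}."""
    by_ip, by_email, by_net = {}, {}, {}
    for dom, r in records.items():
        for ip in r["ips"]:
            by_ip.setdefault(ip, set()).add(dom)
            by_net.setdefault(slash24(ip), set()).add(dom)
        if r["email"]:
            by_email.setdefault(r["email"], set()).add(dom)

    found = {seed: (0, "seed")}
    queue = deque([seed])
    while queue:
        dom = queue.popleft()
        hops = found[dom][0]
        r = records.get(dom)
        if r is None or hops >= max_hops:   # unknown domain, or far enough already
            continue
        links = []
        for ip in r["ips"]:
            links += [(n, f"shares IP {ip} with {dom}") for n in by_ip[ip]]
            if use_netblock:
                links += [(n, f"same /24 {slash24(ip)} as {dom}") for n in by_net[slash24(ip)]]
        if r["email"]:
            links += [(n, f"registered by {r['email']} like {dom}") for n in by_email[r["email"]]]
        links += [(n, f"embedded by {dom}") for n in r["embeds"]]
        for nxt, why in links:
            if nxt not in found:
                found[nxt] = (hops + 1, why)
                queue.append(nxt)
    return found


if __name__ == "__main__":
    for wide in (False, True):
        cluster = pivot(RECORDS, "58342875324752.com", use_netblock=wide)
        print(f"netblock pivot {'on' if wide else 'off'}: {len(cluster)} domains")
        for dom, (hops, why) in sorted(cluster.items(), key=lambda kv: kv[1][0]):
            print(f"  {hops} {dom:28} {why}")
```

With the netblock pivot off, the walk reaches the IRS lure (shared IP), Serpino's site (the IFRAME) and his other domains (shared registrant e-mail), and one neighbour on a shared address. Turning the netblock pivot on sweeps in everything on 195.88.190.0/24, including the invented unrelated tenant: that is exactly the trade-off behind the recommendation to block "The Bigness" wholesale, and it is the right call only when, as the post argues, the block is a dedicated criminal haven rather than shared hosting.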

IRS Zeus Again???

I ran the fast flux IP addresses given above through some checks at a Passive DNS Logging system to see if they were "known" IP addresses. Yes. Several of the IP addresses above are part of the same Fast Flux network which is being used for the "Avalanche" botnet, which is currently behind the IRS Zeus net!

So what happens if we hard-code a hosts entry for one of the above IP addresses and tell it that it is one of the recent IRS domains?

That's right. I added this line to my "hosts" file:

211.53.54.227 www.irs.gov.hyu111a.com

and visited:

www.irs.gov.hyu111a.com/fraud_application/directory/statement.php

an IRS domain which has no active nameserver and has not been live for more than a week. It resolved on the IP address used above for the domain 58342875324752.com, and displayed the IRS Zeus infection website, complete with an active link for downloading the current malware.
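The same hosts-file trick done programmatically, as an added example that is not code from the original post. The hosts entry made the browser send a request for www.irs.gov.hyu111a.com to 211.53.54.227; probe_vhost does the same by connecting to the IP and setting the Host header explicitly, and extract_iframe_hosts pulls out the kind of hidden IFRAME described earlier. So that it runs offline, a local HTTP server stands in for the fast-flux node; its per-hostname pages are constructed, with the IFRAME target host taken from this post. Function names are my own.

```python
"""Ask a specific IP what it serves for a hostname, without editing the hosts file."""
import http.client
import threading
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


def probe_vhost(ip, hostname, path="/", port=80, timeout=5):
    """GET path from ip:port while presenting hostname in the Host header.
    Returns (status, body). http.client honours an explicit Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname, "User-Agent": "vhost-probe/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:
                self.hosts.append(host)


def extract_iframe_hosts(body):
    """Hostnames of every IFRAME src in an HTML body (bytes)."""
    collector = _IframeCollector()
    collector.feed(body.decode("utf-8", "replace"))
    return collector.hosts


# ---- constructed stand-in for the remote fast-flux node ------------------
FAKE_VHOSTS = {
    "58342875324752.com": (
        b"<html><body>Please wait...<iframe width=0 height=0 "
        b"src=\"http://us-business-shop-2019.com/shop/\"></iframe></body></html>"
    ),
    "www.irs.gov.hyu111a.com": b"<html><body>[constructed stand-in for the IRS lure page]</body></html>",
}


class _VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Same selection a real virtual host does: content depends on Host, not on the IP.
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = FAKE_VHOSTS.get(host)
        self.send_response(200 if body else 404)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body or b"<html>no such site</html>")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    """Serve FAKE_VHOSTS on 127.0.0.1 at a free port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_server()
    for name in ("58342875324752.com", "www.irs.gov.hyu111a.com", "other.example"):
        status, body = probe_vhost("127.0.0.1", name, "/1.html", port=port)
        print(name, status, extract_iframe_hosts(body))
    server.shutdown()
```

Against a real node the call is probe_vhost("211.53.54.227", "www.irs.gov.hyu111a.com", "/fraud_application/directory/statement.php") from an isolated analysis box, and the only thing worth doing with the body is parsing it; the point of the post is that a takedown of the domain's nameserver leaves every fast-flux node still serving every hostname it ever knew.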

File size: 95744 bytes
MD5...: fe80e38049ebb5f082adfb3dd9110d51
The VirusTotal report (linked in the original post) shows that only 7 of 41 anti-virus products currently detect this Zbot / Zeus Bot infector.