Anti Virus Softwares


Thursday, 31 December 2009

New Year's Waledac Card

Posted on 12:52 by Unknown
We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like it's back!

I'm on vacation today, so I was actually alerted to the story by a friend twittering this SC Magazine story. Vacation or not, that was worth checking into. I took a dip into the UAB Spam Data Mine looking for domain names associated with this version of the malware.

We've seen more than sixty different Subject lines used by the spam:

2010 New Year Wishes!
A Great 2010!
A Happy New Year!
A New Year e-card is waiting for you
A special card just for you
Greeting Card from Santa
Greeting for you!
Greeting you with heartiest New Year wishes.
Greetings from Santa
Happy 2010 To U!
Happy 2010!
Happy New Year 2010!
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Happy New Year To U!
Happy New Year Wish!
Happy New Year wishes just for you
Happy New Year Wishes!
Happy New Year!
Happy, Happy New Year!
Have a funfilled and blasting NewYear!
Have a Great New Year!
Have a happy and colorful New Year!
Have a Happy New Year!
Have a very Happy New Year!
I made an Ecard for U!
I sent you the ecard
l want to share Greeting with you
New Year 2010 Ecard Special Delivery
New Year 2010 greetings for you
New Year 2010!
New Year Cheers!
New Year E-card for you
New Year Ecard Notification
New Year Wishes!
Regards from Santa
Santa has sent you a digital postcard!
Santa has sent you a greeting card!
Santa has sent you a Happy New Year E-Card!
Santa has sent you a New Year E-Card!
Santa has sent you a New Year greeting card!
Santa has sent you an E-Card!
Santa has sent you an ecard!
Santa has something to show you!
Santa sent you New Year Greetings
Santa sent you a Greeting!
Santa sent you New Year Wishes!
Santa wishes you a Happy New Year
Sparkling wishes on the New Year!
Special New Year Wish for you.
Warmest Wishes For New Year!
Welcome 2010!
Wishing you a Happy New Year!
Wishing you the Best New Year!
You have a greeting card
You have a New Year Greeting!
You Have An E-card Waiting For You!
You have received a greetings card
You Received an Ecard.
You've got a Happy New Year Greeting Card!
You've got a New Year card!
You've got an E-card

Each domain can be used with any subject, and with any of the following paths:

/2010.html
/card.html
/ecard.html
/postcard.html


Each domain name is prefixed with a short random host label.


These domains are of course registered at China Springboard Inc. Our friend Jeremy at SudoSecure in Huntsville tracks each of them in his Waledac Tracker; some of these domain names have as many as 12,000 entries there!



DomainName : FRAMTR.COM

RSP: China Springboard Inc.
URL: http://www.namerich.cn

Name Server: NS6.FAVOLU.COM
Name Server: NS3.FAVOLU.COM
Name Server: NS1.FAVOLU.COM
Name Server: NS2.FAVOLU.COM
Name Server: NS5.FAVOLU.COM
Name Server: NS4.FAVOLU.COM
Status: clientTransferProhibited
Status: clientDeleteProhibited
Creation Date: 2009-11-26
Expiration Date: 2010-11-26
Last Update Date: 2009-12-31

Registrant ID: V-X-57482-12887
Registrant Name: HUA XINGJUN
Registrant Organization: HUA XINGJUN
Registrant Address: CHANGZHOUDADAO214
Registrant City: CZ
Registrant Province/State: JS
Registrant Country Code: CN
Registrant Postal Code: 213072
Registrant Phone Number: +86.051956612412
Registrant Fax: +86.051956612412
Registrant Email: xihyakern@163.com

Some of these domains are already published in MalwareDomainList.com, such as:

noloid.com/wcap.exe - this one is a Fake AV dropper. Here's the VirusTotal report showing 19 of 40 detects:

File size: 230994 bytes
MD5 : ab585c87652c933f82bbaddfd52ea15d
SHA1 : a142cb266ad6cd764501981f6bb194025b7c8cc8

gumentha.com/ecard.html

gumentha.com/counter.php
- this actually causes a download from biozcgicfziy.com/nte/TREST1.php

gumentha.com/in2.php
- this one causes a download from domoktov.com/bu1/
- (you'll be shocked to learn that domain is registered to someone in St. Petersburg, Russia . . . one Denis Sergunkin, already known to be hosting Fragus Exploit kits on other domains of his, such as 1tomohappy.com and funky-soft2.com)

purgand.com/in5.php
- this one also hits domoktov.com/bu1/

aweleon.com/ghost.php
- that one ALSO hits domoktov.com. So, Denis, are you paying the Waledac gang? Or ARE you the Waledac gang?


This time around the Waledac domains are hosted using Fast Flux, and they are also using Fast Flux for the Nameservers. As we've discussed before, this means that the addresses of the compromised computers are entered into the nameserver records as the host addresses for the malware domains. In other words, getting infected makes your computer spread the infection. So far we've seen more than 1500 computers being used by the malware in this way.
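The double-flux arrangement described above (both the malware hosts and their nameservers rotating through infected machines) is visible in passive DNS as many short-TTL addresses for the same name. The following is an added example, not code from the original post: the observations, the .test names and the thresholds are all constructed assumptions.

```python
# Constructed passive-DNS observations (not real data): (seconds, name, type, ttl, answer).
# Names live under .test; addresses come from the RFC 5737 documentation ranges.
SAMPLES = [
    (0,    "aohqi.spam.test",  "A",  300,   "198.51.100.10"),
    (0,    "aohqi.spam.test",  "A",  300,   "203.0.113.7"),
    (600,  "aohqi.spam.test",  "A",  300,   "192.0.2.55"),
    (600,  "aohqi.spam.test",  "A",  300,   "198.51.100.10"),
    (1200, "aohqi.spam.test",  "A",  300,   "203.0.113.90"),
    (1200, "aohqi.spam.test",  "A",  300,   "192.0.2.101"),
    (0,    "spam.test",        "NS", 3600,  "ns1.fluxns.test"),
    (0,    "ns1.fluxns.test",  "A",  300,   "198.51.100.200"),
    (600,  "ns1.fluxns.test",  "A",  300,   "192.0.2.201"),
    (1200, "ns1.fluxns.test",  "A",  300,   "203.0.113.202"),
    (0,    "www.static.test",  "A",  86400, "192.0.2.1"),
    (600,  "www.static.test",  "A",  86400, "192.0.2.1"),
    (0,    "static.test",      "NS", 86400, "ns1.static.test"),
    (0,    "ns1.static.test",  "A",  86400, "192.0.2.2"),
]

def address_churn(samples, name):
    """Distinct A-record addresses seen for name, plus the lowest TTL observed."""
    ips, lowest_ttl = set(), None
    for _, qname, rtype, ttl, answer in samples:
        if qname == name and rtype == "A":
            ips.add(answer)
            lowest_ttl = ttl if lowest_ttl is None else min(lowest_ttl, ttl)
    return ips, lowest_ttl

def nameservers(samples, zone):
    """NS hostnames observed for zone."""
    return {a for _, q, r, _, a in samples if q == zone and r == "NS"}

def is_fluxing(samples, name, min_ips, max_ttl):
    """A name is fluxing if it has rotated through enough addresses with short TTLs."""
    ips, ttl = address_churn(samples, name)
    return len(ips) >= min_ips and ttl is not None and ttl <= max_ttl

def classify(samples, host, zone, min_ips=3, max_ttl=1800):
    """'double-flux' when both the host and its zone's nameservers rotate addresses,
    'single-flux' when only the host does, otherwise 'stable'. Thresholds are assumptions."""
    if not is_fluxing(samples, host, min_ips, max_ttl):
        return "stable"
    if any(is_fluxing(samples, ns, min_ips, max_ttl) for ns in nameservers(samples, zone)):
        return "double-flux"
    return "single-flux"
```

In practice the same check runs over a resolver's query log or a passive DNS feed, and the set of addresses it collects for a fluxing name is the list of infected machines that need cleanup.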



I'll load up a Virtual Machine in a bit to evaluate the actual malware.


Facebook Zbot Still Spreading



We're also seeing an ongoing fake Facebook update, which is the Zeus bot. We've seen 45 such domains in the UAB Spam Data Mine so far this morning, all of the form www.facebook.com.<random label>.com, .net or .com.pl:

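Every one of those fake-update hostnames hides the domain that is really in control behind a "www.facebook.com." prefix. As an added example (not the post's own code), this Python snippet extracts the registrable domain using a deliberately tiny public-suffix table and flags hosts that embed a brand they do not own; the suffix table is an assumption and a real deployment would load the full Public Suffix List.

```python
# Minimal public-suffix table covering the TLDs in this post; a real deployment should
# load the full Public Suffix List (this small table is an assumption of the example).
PUBLIC_SUFFIXES = {"com", "net", "pl", "com.pl", "uk", "co.uk"}

def registrable_domain(host):
    """Return the labels a registrant actually controls (eTLD+1), or None when host
    is itself a public suffix or matches no known suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # left-to-right scan finds the longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None

def impersonates(host, brand="facebook.com"):
    """True when brand's labels appear inside host (e.g. www.facebook.com.<junk>.com)
    but the registrable domain is not the brand itself."""
    labels = host.lower().rstrip(".").split(".")
    brand_labels = brand.split(".")
    n = len(brand_labels)
    embedded = any(labels[i:i + n] == brand_labels for i in range(len(labels) - n + 1))
    return embedded and registrable_domain(host) != brand

def flag_hosts(hosts, brand="facebook.com"):
    """Map each suspicious host to the domain that is really in control of it."""
    return {h: registrable_domain(h) for h in hosts if impersonates(h, brand)}

# Three hostnames taken from the spam run described in the post, plus two genuine ones.
OBSERVED_HOSTS = [
    "www.facebook.com.hyjjjh1a.com",
    "www.facebook.com.ter3awqlaq.com.pl",
    "www.facebook.com.y7y66yc.com.pl",
    "www.facebook.com",
    "login.facebook.com",
]
```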
