InBoxRevenge KS Forum

[AlphaCentauri]

This one looks pretty convincing until you dig:

Subject: Creation of your personal Vaccination Profile

You have received this e-mail because of the launching of State Vaccination H1N1 Program.
You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.
Create your Personal H1N1 Vaccination Profile using the link:
Create Personal Profile [links to http://online.cdc.gov.nyugewc.be/h1n1flu/profile.php?&session_id=[very long alphanumeric ID]&email=[3Dme@mydomain.com]]

Centers for Disease Control and Prevention (CDC) · 1600 Clifton Rd · Atlanta GA 30333 · 800-CDC-INFO (800-232-4636)

Needless to say, nyugewc.be is in Belgium, not Atlanta, Georgia where the Centers for Disease Control is located. Also, the CDC is a federal program and would not be creating a state registry -- state health departments would be doing that. There are minor grammatical and capitalization errors you would hope would be caught before a government email was sent, even though the CDC probably employs an international staff. The spam was mailed from 95.65.244.238, which in in Turkey, also not a likely choice for a US federal program.

The linked page
http://spamtrackers.eu/wiki/index.php/Image:CDC.jpg
has a download vacc_profile.exe, which Avira detects as a trojan TR/Crypt.XPACK.Gen, but only 3 of 41 programs tested at VirusTotal detect it:
http://www.virustotal.com/analisis/be45 ... 1259683346

Antivirus ..... Version ..... Result
a-squared ..... 4.5.0.43 ..... -
AhnLab-V3 ..... 5.0.0.2 ..... -
AntiVir ..... 7.9.1.88 ..... TR/Crypt.XPACK.Gen
Antiy-AVL ..... 2.0.3.7 ..... -
Authentium ..... 5.2.0.5 ..... -
Avast ..... 4.8.1351.0 ..... -
AVG ..... 8.5.0.426 ..... -
BitDefender ..... 7.2 ..... -
CAT-QuickHeal ..... 10 ..... -
ClamAV ..... 0.94.1 ..... -
Comodo ..... 3102 ..... -
DrWeb ..... 5.0.0.12182 ..... -
eSafe ..... 7.0.17.0 ..... -
eTrust-Vet ..... 35.1.7150 ..... -
F-Prot ..... 4.5.1.85 ..... -
F-Secure ..... 9.0.15370.0 ..... -
Fortinet ..... 4.0.14.0 ..... -
GData ..... 19 ..... -
Ikarus ..... T3.1.1.74.0 ..... -
Jiangmin ..... 11.0.800 ..... -
K7AntiVirus ..... 7.10.906 ..... -
Kaspersky ..... 7.0.0.125 ..... -
McAfee ..... 5818 ..... -
McAfee+Artemis ..... 5818 ..... -
McAfee-GW-Edition ..... 6.8.5 ..... Heuristic.BehavesLike.Win32.Downloader.H
Microsoft ..... 1.5302 ..... -
NOD32 ..... 4652 ..... a variant of Win32/Kryptik.BFV
Norman ..... 6.03.02 ..... -
nProtect ..... 2009.1.8.0 ..... -
Panda ..... 10.0.2.2 ..... -
PCTools ..... 7.0.3.5 ..... -
Prevx ..... 3 ..... -
Rising ..... 22.24.01.09 ..... -
Sophos ..... 4.48.0 ..... -
Sunbelt ..... 3.2.1858.2 ..... -
Symantec ..... 1.4.4.12 ..... -
TheHacker ..... 6.5.0.2.082 ..... -
TrendMicro ..... 9.100.0.1001 ..... -
VBA32 ..... 3.12.12.0 ..... -
ViRobot ..... 2009.12.1.2065 ..... -
VirusBuster ..... 5.0.21.0 ..... -

It's botnet hosted:

;; QUESTION SECTION:
;online.cdc.gov.nyugewc.be. IN A

;; ANSWER SECTION:
online.cdc.gov.nyugewc.be. 1800 IN A 201.226.30.225
online.cdc.gov.nyugewc.be. 1800 IN A 201.245.214.219
online.cdc.gov.nyugewc.be. 1800 IN A 41.251.26.102
online.cdc.gov.nyugewc.be. 1800 IN A 59.92.38.67
online.cdc.gov.nyugewc.be. 1800 IN A 89.218.225.216
online.cdc.gov.nyugewc.be. 1800 IN A 95.56.119.112
online.cdc.gov.nyugewc.be. 1800 IN A 112.202.208.222
online.cdc.gov.nyugewc.be. 1800 IN A 114.27.194.64
online.cdc.gov.nyugewc.be. 1800 IN A 119.95.219.202
online.cdc.gov.nyugewc.be. 1800 IN A 121.96.99.25
online.cdc.gov.nyugewc.be. 1800 IN A 187.35.57.20
online.cdc.gov.nyugewc.be. 1800 IN A 189.15.118.17
online.cdc.gov.nyugewc.be. 1800 IN A 189.53.127.134
online.cdc.gov.nyugewc.be. 1800 IN A 196.217.230.35
online.cdc.gov.nyugewc.be. 1800 IN A 201.27.211.43

Nameservers:
ns1.davies-estates.com (Xin Net)
ns1.pandachine.com (Moniker)

[spamislame]

This is the same bunch of assholes behind the TRS, Chase Bank, Ally Bank, etc. etc. etc. Zbot infections.

That same domain is still hosting the Ally Bank, Chase Bank and IRS scams as well as this alleged "CDC" scam.

SiL

[spamislame]

Oh!

And Gar Warner is already on it:

http://garwarner.blogspot.com/2009/12/m ... -zeus.html

SiL

[AlphaCentauri]

One registrar on the case:

Hello,

The domain and account have been deleted.

Sincerely,
Moniker.com Support Center

[spamislame]

That's great, but there are, on average, 20,000 or more per day of these domains.

I know Mr. Warner is routinely reporting every single one of them, and has the attention of law enforcement as well.

They're persistent little buggers.

SiL

[AlphaCentauri]

That's great, but there are, on average, 20,000 or more per day of these domains.

ns1.pandachine.com is the nameserver. Just a quick search comes up with all these domains depending on it, likely only a small part of the total, since I easily found one not on the list just by matching the pattern of the domain names:

nyugewc.be NS ns1.pandachine.com
nyugewd.be NS ns1.pandachine.com
lykasf.be NS ns1.pandachine.com
lykasm.be NS ns1.pandachine.com
nyugewm.be NS ns1.pandachine.com
nyugewn.be NS ns1.pandachine.com
nyugewq.be NS ns1.pandachine.com
nyugewt.be NS ns1.pandachine.com
lykasv.be NS ns1.pandachine.com
nyugeww.be NS ns1.pandachine.com
nyugewy.be NS ns1.pandachine.com
lykasz.be NS ns1.pandachine.com
nyugewz.be NS ns1.pandachine.com
hreesf.im NS ns1.pandachine.com
hreesf.org.im NS ns1.pandachine.com
hrees.org.im NS ns1.pandachine.com
hreesv.org.im NS ns1.pandachine.com
hreesf.com.im NS ns1.pandachine.com
hrees.com.im NS ns1.pandachine.com
hreesv.com.im NS ns1.pandachine.com
hreesf.co.im NS ns1.pandachine.com
hrees.co.im NS ns1.pandachine.com
hreesv.co.im NS ns1.pandachine.com
hrees.im NS ns1.pandachine.com
hreesf.net.im NS ns1.pandachine.com
hrees.net.im NS ns1.pandachine.com
hreesv.net.im NS ns1.pandachine.com
hreesv.im NS ns1.pandachine.com
pandachine.com NS ns1.pandachine.com

The list for ns2.pandachine.com comes up with the same domains, even though dnsstuff traversal doesn't return that result. Perhaps they thought they'd be clever and let us blackhole the one without inactivating the other, or maybe they swap off. I'm not sure why dnsstuff misses it:

Looking up at the 2 nyugewy.be. parent servers:
Server Response Time
ns1.davies-estates.com [67.202.107.79] Timeout
ns1.pandachine.com [0.0.0.0] Timeout

When I try an alternate lookup I get

dig: couldn't get address for 'ns1.pandachine.com': not found

ns2.pandachine.com isn't responding when I check that way, either.

They've done the same with the other nameserver, too, and since it's still alive, you can query it:

; <<>> DiG 9.3.2 <<>> @ns1.davies-estates.com lykasz.be A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36548
;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;lykasz.be. IN A

;; ANSWER SECTION:
lykasz.be. 1800 IN A 196.217.221.240
lykasz.be. 1800 IN A 201.43.94.97
lykasz.be. 1800 IN A 201.92.93.89
lykasz.be. 1800 IN A 201.172.137.233
lykasz.be. 1800 IN A 41.251.26.102
lykasz.be. 1800 IN A 95.65.187.65
lykasz.be. 1800 IN A 118.171.133.110
lykasz.be. 1800 IN A 119.95.219.202
lykasz.be. 1800 IN A 125.202.254.181
lykasz.be. 1800 IN A 189.18.151.58
lykasz.be. 1800 IN A 190.25.74.65
lykasz.be. 1800 IN A 190.35.186.15
lykasz.be. 1800 IN A 190.161.75.6
lykasz.be. 1800 IN A 190.163.65.177
lykasz.be. 1800 IN A 190.209.12.55

;; AUTHORITY SECTION:
lykasz.be. 1800 IN NS ns1.davies-estates.com.
lykasz.be. 1800 IN NS ns2.davies-estates.com.

;; ADDITIONAL SECTION:
ns1.davies-estates.com. 1800 IN A 94.23.177.147
ns2.davies-estates.com. 1800 IN A 122.197.244.37

;; Query time: 13 msec
;; SERVER: 94.23.177.147#53(94.23.177.147)
;; WHEN: Tue Dec 1 23:22:08 2009
;; MSG SIZE rcvd: 353

The ns.2 nameserver doesn't show up in dnsstuff. That's the sort of detail Xin Net will miss, too.

.im is Isle of Mann. They appear to be shutting these down much more promptly than .be (Belgium).

The other question is are the phishers really paying for 20,000 domains a day with their own money? If not, it doesn't matter how many they registered in bulk; if they stiffed the registrar by paying with someone else's paypal account, the registrar will probably suspend them in bulk, too.

[AlphaCentauri]

The CDC has a warning on their website, and has sent out an email alert to addresses on their mailing list:
http://www.cdc.gov/hoaxes_rumors.html