//session trojan Zbot


Postby Red Dwarf » Wed Aug 24, 2011 3:44 am

Found in large spamming runs, a series of URLs in the form:

hxxp://session99599080480050.permitfg.com/confirm/req/
hxxp://session98960786197613.pmstdl.com/confirm/req/
hxxp://session98204351586916.downtohole.com/confirm/req/
hxxp://session00239061301752.fileuplarc.com/confirm/req/

The 14-digit number varies.

permitfg.com Registrar: PAKNIC (PRIVATE) LIMITED
pmstdl.com Registrar: REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER [Client Hold]
downtohole.com Registrar: PAKNIC (PRIVATE) LIMITED
fileuplarc.com Registrar: PLANETDOMAIN PTY LTD.

The URL loads a spoofed Facebook login page complete with the Facebook favicon.
The page contains:
Facebook Login
Your version of Macromedia Flash Player is too old to continue. Download and install the latest version of Adobe Flash Player.

If you click on the link to download "updateflash.exe" you are downloading the dangerous Zbot trojan. The primary payload of Trojan:W32/Zbot variants focuses on stealing online banking information.

A few samples from the more than 2000 I have seen in the past week:
session97698057793601.downtohole.com/confirm/req/
session97728784838062.downtohole.com/confirm/req/
session99427076617378.fileuplarc.com/confirm/req/
session99485503555366.fileuplarc.com/confirm/req/
session99525797920572.downtohole.com/confirm/req/
session99916841992131.downtohole.com/confirm/req/
session99932245150373.fileuplarc.com/confirm/req/
session99960289962058.fileuplarc.com/confirm/req/


The domains run on the same botnet, too:

fileuplarc.com has address 66.159.180.140
fileuplarc.com has address 71.217.16.172
fileuplarc.com has address 83.221.72.119
fileuplarc.com has address 114.134.131.217
fileuplarc.com has address 178.24.192.186
fileuplarc.com has address 217.50.208.61

downtohole.com has address 66.159.180.140
downtohole.com has address 71.217.16.172
downtohole.com has address 83.221.72.119
downtohole.com has address 114.134.131.217
downtohole.com has address 178.24.192.186
downtohole.com has address 217.50.208.61

permitfg.com has address 62.42.16.182
permitfg.com has address 82.158.170.45
permitfg.com has address 83.138.205.124
permitfg.com has address 85.85.109.1
permitfg.com has address 94.223.194.61
permitfg.com has address 201.173.234.222
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am
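As an added illustration (not code from this thread or from either poster), a small Python detector for the URL shape described in the post above, run over constructed mail-log lines. It also accepts defanged hxxp:// forms and the /confirm/reqnl/ path variant reported later in the thread, and counts distinct session labels per registered domain, since the domain, not the varying 14-digit label, is what a blocklist or abuse report needs.

```python
import re
from collections import defaultdict

# Matches the spammed URL shape documented in this thread: a "session" host label
# of exactly 14 digits, a registered domain, and a /confirm/req path (with an
# optional two-letter locale suffix such as "reqnl" seen in the later campaign).
SESSION_URL = re.compile(
    r"(?:h[xt]{2}ps?://)?"                   # optional scheme, plain or defanged (hxxp)
    r"session(?P<digits>\d{14})"             # 14-digit varying session label
    r"\.(?P<domain>[a-z0-9-]+\.[a-z]{2,})"   # registered domain to block / report
    r"/confirm/req(?P<locale>[a-z]{0,2})/?",
    re.IGNORECASE,
)

def extract_session_urls(lines):
    """Return (domain, locale, digits) for every line carrying a matching URL."""
    hits = []
    for line in lines:
        m = SESSION_URL.search(line)
        if m:
            hits.append((m.group("domain").lower(), m.group("locale").lower(), m.group("digits")))
    return hits

def domains_by_count(hits):
    """Distinct session labels per domain: many labels on one domain = one campaign domain."""
    seen = defaultdict(set)
    for domain, _locale, digits in hits:
        seen[domain].add(digits)
    return {domain: len(labels) for domain, labels in seen.items()}

# Constructed sample lines in a mail-gateway style; not real log data from the thread.
SAMPLE_LOG = [
    "2011-08-24T03:12:07Z url=hxxp://session99599080480050.permitfg.com/confirm/req/ from=<spam@example.invalid>",
    "2011-08-24T03:12:09Z url=http://session98204351586916.downtohole.com/confirm/req/",
    "2011-08-24T03:13:41Z url=http://session00239061301752.fileuplarc.com/confirm/req/",
    "2011-08-24T03:14:02Z url=http://session97698057793601.downtohole.com/confirm/req/",
    "2011-09-17T10:01:55Z url=http://session56761735331539.customidet.com/confirm/reqnl/",
    "2011-09-17T10:02:10Z url=http://www.example.com/confirm/req/",          # no session label: ignored
    "2011-09-17T10:02:30Z url=http://session1234.example.net/confirm/req/",  # wrong digit count: ignored
]

if __name__ == "__main__":
    for domain, n in sorted(domains_by_count(extract_session_urls(SAMPLE_LOG)).items()):
        print(f"{domain}: {n} distinct session label(s)")
```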

Re: //session trojan

Postby Red Dwarf » Wed Aug 24, 2011 4:40 am

Name servers used to resolve access to the Zbot trojan distributors

ns1.lareconexiondelser.net - with sponsor = Registrar: GANDI SAS
ns1.remiann.net - with sponsor = Registrar: MESH DIGITAL LIMITED

IP addresses used for name servers and contact for the owner responsible
ns1.lareconexiondelser.net 67.222.139.64
ns1.remiann.net 67.222.139.64

> COLO4 - Colo4Dallas LP - complain to: sales@dfw-datacenter.com
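The two posts above pivot on shared infrastructure: domains resolving to the same set of addresses, and domains served by the same name servers. As an added example (not from this thread), a Python script that parses resolver output in the "has address" / "name server" shape quoted here and clusters domains that share a name server or at least two resolved addresses; the input is constructed from values in the thread plus a benign control domain.

```python
from collections import defaultdict
from itertools import combinations

# Constructed resolver output in the "host" shape quoted in the thread: A records
# ("has address") and NS records ("name server"); example.org is a benign control.
HOST_OUTPUT = """\
fileuplarc.com has address 66.159.180.140
fileuplarc.com has address 71.217.16.172
fileuplarc.com name server ns1.lareconexiondelser.net.
downtohole.com has address 66.159.180.140
downtohole.com has address 71.217.16.172
downtohole.com name server ns1.remiann.net.
permitfg.com has address 62.42.16.182
permitfg.com name server ns1.lareconexiondelser.net.
example.org has address 192.0.2.10
example.org name server ns1.example.org.
"""

def parse_host_output(text):
    """Map domain -> {"a": resolved addresses, "ns": authoritative name servers}."""
    records = defaultdict(lambda: {"a": set(), "ns": set()})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["has", "address"]:
            records[parts[0]]["a"].add(parts[3])
        elif len(parts) == 4 and parts[1:3] == ["name", "server"]:
            records[parts[0]]["ns"].add(parts[3].rstrip(".").lower())
    return records

def infrastructure_clusters(records, min_shared_ips=2):
    """Group domains that share a name server or at least min_shared_ips addresses.

    Overlap is a pivot to investigate, not proof of a shared operator on its own;
    the threshold keeps a single coincidental address from linking two domains."""
    domains = sorted(records)
    parent = {d: d for d in domains}          # union-find over domains
    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    for a, b in combinations(domains, 2):
        shared_ns = records[a]["ns"] & records[b]["ns"]
        shared_ip = records[a]["a"] & records[b]["a"]
        if shared_ns or len(shared_ip) >= min_shared_ips:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in domains:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())
```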

Re: //session trojan

Postby NotBuyingIt » Wed Aug 24, 2011 11:56 am

ns1.remiann.net has been severed from a botnet that is running the Facebook exploit. Its domain registration record was changed today to show that remiann.net no longer provides its own DNS; ns1.remiann.net has been providing a fast-flux botnet's DNS for several months at least. My occasional remarks about it are at
http://www.mywot.com/en/forum/13208-rul ... l-a-botnet


Red Dwarf wrote: The 14-digit number varies.
Trend Micro is suggesting that the number is randomly generated so that each message, or each small set of messages, has a different number in the domain name field of the URLs in the fraudulent "friend requests". I saw that mentioned at
http://www.mywot.com/en/forum/15454--zb ... h-facebook
NotBuyingIt
Spammer Killing Machine
 
Posts: 612
Joined: Sun Jun 13, 2010 5:22 pm

Re: //session trojan

Postby Red Dwarf » Wed Aug 24, 2011 4:37 pm

One of the name servers has been suspended. Credit goes to the responsible registrar.
http://legacytools.dnsstuff.com/tools/t ... ainterator
Server Response Time
ns1.lareconexiondelser.net [67.222.139.64] 200.125.77.157 201.173.234.222 217.216.121.104 46.37.84.93 77.27.251.129 83.138.205.124 85.180.161.105 87.182.77.214 11ms
ns1.remiann.net [0.0.0.0] Timeout
Mesh Digital wrote: Thanks for getting in touch and bringing this to our attention; I can confirm that the domain remainn.net is now disabled and the user's account is under investigation. Apologies for any inconvenience that this caused.

If you need anything further, please do let me know.

Kind Regards, April


Re: //session trojan Zbot

Postby NotBuyingIt » Thu Aug 25, 2011 10:47 am

ns1.lareconexiondelser.net has just been rehosted to IP 178.162.250.46 on the Leaseweb Germany GmbH network where it continues to provide DNS for the botnet's domains. :(

Both fileuplarc.com and wungrp.com have been suspended (Status: clientHold; Name Server: No nameserver) by their domain registrar PLANETDOMAIN PTY LTD. :)

[Edit: Update]
And later the same day, both downtohole.com and permitfg.com have been suspended (Status: clientHold; Name Server: No nameserver) by their domain registrar PAKNIC (PRIVATE) LIMITED :D

Re: //session trojan Zbot

Postby NotBuyingIt » Fri Aug 26, 2011 8:38 am

permitds.com is running a suite of the botnet's phishing scams and malware including the fake Facebook friend request. I saw that it was reported at PhishTank
http://www.phishtank.com/phish_detail.p ... id=1260995
http://www.phishtank.com/phish_detail.p ... id=1260992
(Although PhishTank may show the site as being "offline" the scam is currently online. PhishTank sometimes will falsely mark a dangerous malware site offline, probably to discourage its unprepared volunteers from inspecting it.)

In addition to the previously identified ns1.lareconexiondelser.net, the botnet's DNS has now begun to be provided by

ns1.livingbebtfree.net - with sponsor = Registrar: MESH DIGITAL LIMITED
(currently hosted at IP 178.162.250.46 by Leaseweb Germany GmbH)

Re: //session trojan Zbot

Postby Red Dwarf » Sat Aug 27, 2011 4:57 am

The URL in spam has this format:
session95881394976189.permitds.com/confirm/req/
session96189520992562.permitds.com/confirm/req/
session96711780993499.permitds.com/confirm/req/

Re: //session trojan Zbot

Postby NotBuyingIt » Sun Sep 04, 2011 5:51 pm

[Edit: When I first posted this comment, I erroneously stated that pubident.com had been suspended. However, I see that it is still active as I post this correction. I apologize for the mistake.]

For the past several days pubident.com has been running a suite of the same botnet's phishing scams and malware including the fake Facebook friend request. I haven't yet come across any in-the-wild examples of the botnet's exploits using permitds.com so I cannot say whether its chief target is Facebook this time. (Perhaps others will post a few examples to this thread.) However, the earliest indication of a scam by pubident.com that I have found was a Facebook exploit reported by malwareurl.com.

The sole DNS provider for pubident.com is ns1.lareconexiondelser.net (IP 173.236.84.186, hosted by SingleHop); the other published DNS was ns1.livingbebtfree.net which very likely had been disabled before the scam(s) commenced.

Re: //session trojan Zbot

Postby NotBuyingIt » Mon Sep 05, 2011 6:06 pm

The following write-up might describe the same exploit that is being discussed in this thread.
http://www.theregister.co.uk/2011/08/30 ... us_trojan/

Re: //session trojan Zbot

Postby Red Dwarf » Mon Sep 05, 2011 11:59 pm

pubident.com
1. Fails to resolve according to dnsstuff traversal, with name servers down:
http://legacytools.dnsstuff.com/tools/t ... ainterator
ns1.lareconexiondelser.net [0.0.0.0] Timeout
ns1.livingbebtfree.net [0.0.0.0] Timeout

2. Has 95% failure rate around the world using host-tracker

3. Has 100% resolution failure at squish.net
Results
16.7% No such domain (NXDOMAIN) at ns1.domainmonster.com (109.68.33.100)
While querying ns1.livingbebtfree.net/IN/A
16.7% No such domain (NXDOMAIN) at ns2.domainmonster.com (109.68.33.102)
While querying ns1.livingbebtfree.net/IN/A
16.7% No such domain (NXDOMAIN) at ns3.domainmonster.com (69.25.32.3)
While querying ns1.livingbebtfree.net/IN/A
25.0% Query timed out at ns1.lareconexiondelser.net (173.236.84.186)
While querying ns1.lareconexiondelser.net/IN/A
25.0% Query timed out at ns2.lareconexiondelser.net (181.123.51.158)
While querying ns1.lareconexiondelser.net/IN/A

The domain itself looks untouched
Domain Name: PUBIDENT.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Name Server: NS1.LARECONEXIONDELSER.NET
Name Server: NS1.LIVINGBEBTFREE.NET
Status: ok
Updated Date: 26-aug-2011

Previous IP addresses used for pubident.com

Re: //session trojan Zbot

Postby NotBuyingIt » Tue Sep 06, 2011 9:51 am

pubident.com appears to be suspended now:

Domain Name: PUBIDENT.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.LARECONEXIONDELSER.NET
Name Server: NS1.LIVINGBEBTFREE.NET
Status: clientHold
Status: clientTransferProhibited
Updated Date: 06-sep-2011
Creation Date: 23-aug-2011
Expiration Date: 23-aug-2012

Surprisingly, the site's DNS report that is provided at its domain registrar's site http://www.paknic.com/Whois.aspx doesn't yet show any 06-sep-2011 update.

I would still be concerned about ns1.lareconexiondelser.net which has returned to IP 67.222.139.64 where it, along with ns1.remiann.net, earlier provided DNS for several of the botnet's domains. As far as I can tell, ns1.lareconexiondelser.net has only provided DNS for its own domain and for the botnet's malware-laden domains.


Re: //session trojan Zbot

Postby NotBuyingIt » Tue Sep 06, 2011 9:40 pm

lareconexiondelser.net appears to be suspended (Lock Status: clientHold; Name Server: BLACKHOLE.GANDI.NET) by its domain registrar GANDI SAS.

I applaud those who have helped to bring down the botnet-controlled domains.

Re: //session trojan Zbot

Postby Red Dwarf » Tue Sep 06, 2011 10:18 pm

Finally. I'm sure I wasn't the only one.
Sent 24th and again 27th
This is a compliance request for you to suspend the domain lareconexiondelser.net used for distributing the Zbot trojan
and to remove its name server Address record
ns1.lareconexiondelser.net [178.162.250.46]
and any www. address record

EVIDENCE
http://siteadvisor.com/sites/lareconexi ... et/msgpage
http://www.mywot.com/en/scorecard/larec ... et/msgpage

Re: //session trojan Zbot

Postby NotBuyingIt » Sat Sep 17, 2011 10:45 am

Another Facebook "friend request" exploit is in progress; this time the campaign is apparently attacking the Dutch. As in the past, the exploit probably uses a black-hole exploit in an invisible iFrame and a malicious EXE file disguised as a Macromedia Flash Player update:
Aanmelden bij Facebook
—————————————————————————————————————
Uw versie van Macromedia Flash Player is te oud om door te gaan. Download en installeer de nieuwste versie van Adobe Flash Player.

Here are some examples of spammed URLs (as reported to PhishTank.com, mostly from the clean-mx.de database)

session56761735331539.customidet.com/confirm/reqnl/
session10020607122327.customidet.com/confirm/reqnl/
session90781741481121.customidet.com/confirm/reqnl/
session85700562579533.customidet.com/confirm/reqnl/
session79458084701772.customidet.com/confirm/reqnl/
session69570016113210.customidet.com/confirm/reqnl/

The domain name is registered at

Domain Name: CUSTOMIDET.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.ADVISORHIRINGJOB.ORG
Name Server: NS1.LIKSTENED.COM
Status: ok
Updated Date: 16-sep-2011
Creation Date: 23-aug-2011
Expiration Date: 23-aug-2012

[Edit: Update] The exploit is also running at a second domain

Domain Name: IDLEFGT.COM
Registrar: REGISTERMATRIX.COM CORP.
Whois Server: whois.registermatrix.com
Referral URL: http://www.registermatrix.com
Name Server: NS1.ADVISORHIRINGJOB.ORG [which is not functioning]
Name Server: NS1.LIKSTENED.COM
Status: clientTransferProhibited
Updated Date: 16-sep-2011
Creation Date: 15-sep-2011
Expiration Date: 15-sep-2012