//session trojan Zbot

A place to discuss malware of every flavor, e.g. Storm, Waledac, Conficker and Zeus

Re: //session trojan Zbot

Postby NotBuyingIt » Sun Sep 18, 2011 2:58 pm

A German-language version of the same botnet's fraudulent Facebook "friend request" has been reported (source: hXXp://www.da-gaming.de/index.php?mod=board&action=thread&where=6124&start=0). An example of a URL that it uses is

session44447796956483.stackfg.com/confirm/reqde/

That domain name is registered at

Domain Name: STACKFG.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.ADVISORHIRINGJOB.ORG [domain suspended]
Name Server: NS1.LIKSTENED.COM
Status: ok
Updated Date: 16-sep-2011
Creation Date: 15-sep-2011
Expiration Date: 15-sep-2012

Client Hold Sept 21
NotBuyingIt
Spammer Killing Machine
 
Posts: 609
Joined: Sun Jun 13, 2010 5:22 pm

Re: //session trojan Zbot

Postby NotBuyingIt » Mon Sep 19, 2011 1:28 pm

Another scam botnet domain has been picked up by the ZeuS Tracker, although a web search doesn't return any examples of the site being used in the wild, yet. It is capable of running the botnet's suite of over a dozen different scams, including the Facebook "friend request" in at least three languages (English, Dutch and German).

Domain Name: USEDITWOULFUR.COM
Registrar: REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.LIKSTENED.COM
Name Server: NS1.THE-HIRINGDIVISION.COM [domain suspended]
Status: clientTransferProhibited
Updated Date: 18-sep-2011
Creation Date: 13-sep-2011
Expiration Date: 13-sep-2012

[Edit: Update #1, 19-September-2011] An in-the-wild instance of useditwoulfur.com being used in the German-language version of the malware attack against Facebook subscribers is

session61210390497897.useditwoulfur.com/confirm/reqde/

The botnet's DNS has been disabled for the moment because its remaining DNS provider LIKSTENED.COM has been suspended.

[Edit: Update #2, 20-September-2011] useditwoulfur.com has been suspended by its domain registrar who set its status to "clientHold". I would not be surprised to learn that the Complainterator participated in the suspension.

Re: //session trojan Zbot

Postby NotBuyingIt » Wed Sep 21, 2011 12:50 pm

The latest four botnet-controlled domains about which I am aware have been suspended:
customidet.com
idlefgt.com
stackfg.com
useditwoulfur.com

Those sites' remaining DNS provider seems to be
ns1.parkingstachanal.com (IP 194.0.252.114, hosted on the VooServers Ltd network in the UK)
ns2.parkingstachanal.com (IP 65.61.188.4, Rackspace Hosting, USA)

IP 194.0.252.114 has been listed in the Spamhaus SBL for several months.

Re: //session trojan Zbot

Postby NotBuyingIt » Fri Oct 07, 2011 7:52 pm

The same botnet, apparently, has launched a new malware campaign with at least two new domains and with two DNS providers. The campaign uses a spoofed United States Internal Revenue Service (IRS) web page. An example of a URL that it uses is

http://irs.techdlfs.com/reviews/return/?id=SRDUFGGVU381&d=Sat,%208%20Oct%202011%2001:51:23%20+0530

which actually reduces to http://techdlfs.com/reviews/return/

Domain Name: DDPLOPT.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.CHAIRALITYPOL.COM
Name Server: NS1.ENVELOPESF-RSWITCH.COM
Status: ok
Updated Date: 06-oct-2011
Creation Date: 05-oct-2011
Expiration Date: 05-oct-2012

Domain Name: TECHDLFS.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.CHAIRALITYPOL.COM
Name Server: NS1.ENVELOPESF-RSWITCH.COM
Status: ok
Updated Date: 06-oct-2011
Creation Date: 05-oct-2011
Expiration Date: 05-oct-2012

Re: //session trojan Zbot

Postby NotBuyingIt » Sun Oct 09, 2011 5:06 pm

Both ddplopt.com and techdlfs.com have been suspended by their domain registrar. A third site msvoipid.com was detected running the same scam; it was promptly suspended by its domain registrar REGISTERMATRIX.COM CORP. A fourth site systrmp.com is currently running the same scam.

Domain Name: SYSTRMP.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.CHAIRALITYPOL.COM
Name Server: NS1.ENVELOPESF-RSWITCH.COM
Status: ok
Updated Date: 06-oct-2011
Creation Date: 15-sep-2011
Expiration Date: 15-sep-2012

The fraudulent webpages used in the scam contain an invisible iFrame which I believe contains a black hole exploit. Google has cached one such webpage, leaving the iFrame intact and active in the cached version.

Both of the name servers for the sites trace to IP 199.71.214.131 (Psychz Networks, USA). The same configuration was used in some earlier malware campaigns by the same botnet. PAKNIC is also the domain registrar for both of the name servers. The zombie computers under the botnet's control are mostly located in Spain apparently. I notice that most of their IP addresses are "listed in SORB".

Re: //session trojan Zbot

Postby Red Dwarf » Sun Oct 09, 2011 11:52 pm

Juicy bits of code extracted from Phish URL systrmp.com/app/bps/main/

Code:
<iframe src="c.php" width="5" height="5" frameborder="0">


Code:
// app_type is not defined in this excerpt; it selects which
// LexisNexis/Accurint address the page writes into the document.
function write_url() {
    var url;
    if (app_type == 'ins') {
        url = 'https://insurance.lexisnexis.com';
    } else if (app_type == 'hea') {
        url = 'https://healthcare.lexisnexis.com';
    } else if (app_type == 'aig') {
        url = 'https://aig.accurint.com';
    } else if (app_type == 'xbps') {
        url = 'https://riskinvestigations.lexisnexis.com';
    } else {
        url = 'http://www.accurint.com';
    }
    document.write(url);
}


Code:
<div class="smallblack">
    <strong>Phishing schemes are on the rise. Learn how to protect your Accurint User Name and Password ...</strong>
    <div id="toggleOptions" style="display: none;"><br>
        Always start sign on from: <strong>http://www.accurint.com</strong> or <strong>http://accurintlexisnexis.com</strong>
        and never enter your ID or Password information at any other URL or
        site, or your security may be compromised. Never click or follow links
        to Accurint from email messages because if you do so you may be taken
        to a site that looks like Accurint but is not the Accurint site. If you
        accessed any other URL or site that looks like Accurint or if you
        clicked on a link within an email to access Accurint and entered your
        account information, please change your Password immediately.<br>
        <br>
        Protect the security of your User Name and Password by following these
        guidelines: (a) Never share User Names or Passwords; (b) Do not write
        your User Name and Password down anywhere; (c) Install and use current
        anti-virus software; (d) Inform your administrator or contact Customer
        Support immediately if you believe your User Name or Password have been
        compromised. <br>
        <br>
    </div>


AVG intercepts the page with "Virus identified JS/Phish"
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am
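A defender-side example, added here and not code from the thread or from the phishing page: a small scanner that flags iframes like the 5x5 one quoted above (tiny dimensions or CSS-hidden), which is the kind of check a page-fetching crawler or mail gateway can run on fetched HTML. The sample page and the 10-pixel threshold are assumptions.

```python
from html.parser import HTMLParser

# Frames at or below this size in both dimensions are treated as hidden (assumed threshold).
TINY_PX = 10

class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that are tiny or styled invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            reasons.append(f"tiny {w}x{h}")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def _px(value):
    """Parse a width/height attribute such as '5' or '5px'; None if not numeric."""
    if value is None:
        return None
    digits = value.strip().lower().removesuffix("px")
    return int(digits) if digits.isdigit() else None

def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} dicts for suspicious iframes."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings

# Constructed sample page: the 5x5 frame quoted in the thread, a normal embed,
# and a CSS-hidden frame. Not captured from the real site.
SAMPLE_HTML = """<html><body>
<iframe src="c.php" width="5" height="5" frameborder="0"></iframe>
<iframe src="https://example.com/embed" width="640" height="360"></iframe>
<iframe src="t.php" style="display: none"></iframe>
</body></html>"""
```

Running `find_hidden_iframes(SAMPLE_HTML)` reports `c.php` (tiny 5x5) and `t.php` (css-hidden) and ignores the 640x360 embed.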

Re: //session trojan Zbot

Postby Red Dwarf » Mon Oct 10, 2011 2:14 pm

Sample URLs in the past few hours
Code:
irs.systrmp.com/reviews/return/

sess_id9837964.systrmp.com/reviews/return/
sess_id9849911.systrmp.com/reviews/return/
sess_id9870183.systrmp.com/reviews/return/
etc
session0073465.systrmp.com/reviews/return/
session0787800.systrmp.com/reviews/return/
session0897844.systrmp.com/reviews/return/
etc
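An added detection example (not from any post in this thread): the spammed links above vary only in a rotating session/sess_id label, an "irs" label, and a query string, so normalizing those away collapses every variant onto the domain and landing path that the thread lists. The proxy log format ("<time> <client> <url>") and the client addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in this thread: the scam domains and the two landing paths.
SCAM_DOMAINS = {"stackfg.com", "useditwoulfur.com", "techdlfs.com",
                "ddplopt.com", "systrmp.com", "mrsystms.com"}
SCAM_PATHS = {"/confirm/reqde/", "/reviews/return/"}

# Rotating leading labels seen in the spammed links: session<digits>,
# sess_id<digits>, and the bare "irs" label of the IRS lure.
THROWAWAY_LABEL = re.compile(r"^(session\d+|sess_id\d+|irs)$", re.I)

def reduce_url(url):
    """Return (domain, path) with the rotating label and the query dropped."""
    if "://" not in url:
        url = "http://" + url  # bare host/path form as pasted in the thread
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    if len(labels) > 2 and THROWAWAY_LABEL.match(labels[0]):
        labels = labels[1:]
    return ".".join(labels), (parts.path or "/")

def is_scam_url(url):
    """True when the reduced URL matches a domain and path from the thread."""
    domain, path = reduce_url(url)
    return domain in SCAM_DOMAINS and path in SCAM_PATHS

def scan_proxy_log(lines):
    """Return (client, reduced_domain) pairs for matching proxy log lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[1], fields[2]
        if is_scam_url(url):
            hits.append((client, reduce_url(url)[0]))
    return hits

# Constructed proxy log lines ("<time> <client> <url>"); the client IPs are
# invented, the URLs follow the patterns posted in the thread.
SAMPLE_LOG = [
    "2011-10-08T01:51:23 10.0.0.5 http://irs.techdlfs.com/reviews/return/?id=SRDUFGGVU381",
    "2011-10-10T09:12:00 10.0.0.7 http://sess_id9837964.systrmp.com/reviews/return/",
    "2011-09-18T14:58:00 10.0.0.9 http://session44447796956483.stackfg.com/confirm/reqde/",
    "2011-10-10T09:13:00 10.0.0.7 https://www.example.com/reviews/return/",
]
```

`scan_proxy_log(SAMPLE_LOG)` yields three hits (techdlfs.com, systrmp.com, stackfg.com) and leaves the look-alike path on an unrelated domain alone.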

Re: //session trojan Zbot

Postby Red Dwarf » Wed Oct 12, 2011 7:15 pm

Domain Name: SYSTRMP.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: No nameserver
Status: clientHold
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 11-oct-2011

In summary
chipiden.com Status: clientHold / REGISTERMATRIX.COM CORP. / Oct 11
cpsystms.com Status: clientHold / BIZCN.COM, INC. / Oct 12
systmsd.com Status: redemptionPeriod / 1 API GMBH / Oct 12
systrmp.com Status: clientHold / PAKNIC (PRIVATE) LIMITED / Oct 11

Re: //session trojan Zbot

Postby Red Dwarf » Thu Oct 13, 2011 8:57 pm

The latest botnet infector

mrsystms.com Registrar: REGISTERMATRIX.COM CORP.
Name Server: NS1.CHAIRALITYPOL.COM and NS1.ENVELOPESF-RSWITCH.COM on 173.236.45.150 at Nexeon Technologies, Inc. in Texas

mrsystms.com has address 81.203.3.89 (Cableuropa - ONO, Spain)
mrsystms.com has address 90.172.85.224 (France Telecom Espana SA)

Examples of spammed links

irs.mrsystms.com/reviews/return/
That is the link to the Inland Revenue Service phishing site

session9104213.mrsystms.com/reviews/return/
session9132885.mrsystms.com/reviews/return/
session9154980.mrsystms.com/reviews/return/
sess_id5776544.mrsystms.com/reviews/return/
sess_id6577213.mrsystms.com/reviews/return/
sess_id9005416.mrsystms.com/reviews/return/
sess_id9467772.mrsystms.com/reviews/return/

Re: //session trojan Zbot

Postby Red Dwarf » Mon Oct 17, 2011 3:14 am

Sent 13 Oct - Registrar: REGISTERMATRIX.COM CORP.
Urgent

This is a compliance request for you to suspend the illegal domain mrsystms.com used for ZBOT botnet infections

EVIDENCE
viewtopic.php?f=14&t=4510&p=54121
http://siteadvisor.com/sites/mrsystms.com/msgpage
http://mywot.com/en/scorecard/mrsystms.com/msgpage


Status: clientDeleteProhibited
Status: clientHold
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-oct-2011

Re: //session trojan Zbot

Postby NotBuyingIt » Wed Oct 19, 2011 11:57 pm

During early October, DNS for the botnet's scam domains was provided by ns1.chairalitypol.com and ns1.envelopesf-rswitch.com. Both chairalitypol.com and envelopesf-rswitch.com have been suspended. Their domain registrar PAKNIC (PRIVATE) LIMITED has set the status of each domain to "clientHold" and has changed their name server to "No nameserver".
