MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

28.2.09

Monthly compendium of information. February 2009

Pistus Malware Intelligence Blog
27.02.09 LuckySploit, the right hand of ZeuS
25.02.09 Phishing Kit In-the-Wild for cloning website, version 2
24.02.09 A recent tour of scareware IV
22.02.09 Botnet Zeus. Mass propagation of its Trojan. Part Two
21.02.09 Google Groups again used to spread pornographic sp...
19.02.09 More Waledac in action. Can you guess how much you...
18.02.09 Botnet Zeus. Mass propagation of its Trojan. Part One
17.02.09 AntiSpyware 2009 has expanded its offers malicious...
16.02.09 Phishing Kit In-the-Wild for cloning websites
14.02.09 Waledac more loving than ever
13.02.09 Strategies of deception, spam and malicious code
11.02.09 Social Engineering and Waledac Valentine
09.02.09 Exploiting vulnerabilities through SWF
07.02.09 Creating Online PoisonIvy based polymorphic malwar...
05.02.09 Exploitation of vulnerabilities through JS
04.02.09 A recent tour of scareware III
03.02.09 Mass propagation of malware in fake codecs
02.02.09 Drive-by Update to spread malware
01.02.09 MySpace susceptible to threats through XSS


Evilfingers Blog
27.02.09 LuckySploit, the right hand of Zeus
25.02.09 Phishing Kit In-the-Wild for cloning of web site, version 2
24.02.09 Zeus botnet. Mass propagation of trojan. Part two
21.02.09 Google Groups again used to spread porn spam
20.02.09 Whitepaper. Attacks - Commonly exploited security weaknesses
20.02.09 Whitepaper. Analysis of an attack from Web-based malware
18.02.09 Zeus botnets. Mass propagation of trojan. Part one
16.02.09 Phishing Kit In-the-Wild for cloning of web site
14.02.09 Waledac more loving than ever
12.02.09 Waledac, Social Engineering and St. Valentine Day
10.02.09 Exploiting vulnerabilities through SWF
08.02.09 Creating online polymorphic malware based on PoisonIvy
06.02.09 Exploitation of vulnerabilities through JS
04.02.09 Most Common Security Violations
02.02.09 Drive-By Update for spreading malware
01.02.09 MySpace susceptible to threats through XSS


ESET Latinoamérica Blog (Spanish)
27.02.09 February Threat Report
24.02.09 Malware spread via spam poses as Windows Live Messenger
18.02.09 Protection against data theft attempts
16.02.09 Fake MSN Messenger SMS spreads malware
13.02.09 Viagra for Valentine's Day?
10.02.09 List of rogue security programs IV
06.02.09 Online Casinos: Playing with danger
04.02.09 Valentine's Day as an excuse to spread malware
02.02.09 Threat Report January

Related information
Monthly compendium of information. January 2009

Jorge Mieres


27.2.09

LuckySploit, the right hand of ZeuS

LuckySploit is the name of a set of scripts (a toolkit) designed to exploit several vulnerabilities in order to execute arbitrary binaries on the victim's machine.

Currently these scripts, in obfuscated form, are being used by the ZeuS botnet to recruit zombie PCs through Drive-by-Download attacks.

When the web address is accessed only a blank page is displayed, but checking its source code reveals JavaScript like the following:

The script is encrypted with the RSA algorithm; this is stated at the end of the code.

Another interesting fact is that the script is served only once: if you access the same address again and check the HTML source code, the script is no longer there.

Some of the domains that host LuckySploit are listed below:
r-state. com / equip /
trafffive .cn / wait /? t = 15
trafffive .cn / bm /? t = 15
directlink9 .cn / wait /? t = 15
directlink4 .cn / bm /? t = 15
directlink2 .cn / wait /? t = 15
directlink1 .cn / bm /? t = 15
directlink0 .cn / wait /? t = 15
superioradz .info/opis3 /? t = 2
superioradz .info/opis2 /? t = 2
rodexcom .org / parus /? t = 5
dvlorg .net / parus /? t = 25
top.sei-keine .com / u-store /? t = 1
statclick .net / main /? t = 1
deinglaube. com / images /
202.73.57.6 / tomi
federalreserve.banknetworks .net / bb /? t = 2
fuadrenal .com / myth /? t = 2
fuck-lady .com / prn / index. php
hello-to-you .net / rttz /? t = 6

It's worth noting that many of these URLs are still active, so if you decide to access any of them, take the security measures appropriate to the case.

In some scripts, once deobfuscated, a message can be clearly read at the end:

attack_level = 0;;
try {
f = 'Welcome to LuckySploit:) \n TOASTED STI';

In this way, ZeuS keeps adding infected computers to its malicious network.

Related information
Botnet Zeus. Mass propagation of its Trojan. Part two
Botnet Zeus. Mass propagation of its Trojan. Part one

Jorge Mieres


25.2.09

Phishing Kit In-the-Wild for cloning website, version 2

A few days ago I reported that a phishing package was active, containing files of cloned, well-known and heavily used websites, ready to be exploited.

This package has expanded its "coverage" of fraud, offering a second package with another large number of fake websites that aim to be transparent to the user and harvest information.

The phishing kit keeps the same spreading strategy as the previous pack, i.e. an index.html that is a faithful copy of the real page, a login.php and a .txt file, but the cloned sites proposed for stealing data are now:

Adult Friend Finder
Amazon
Bebo
Break
DeviantArt
FlickR
FreeWebs
GeoCities
LiveJournal
Playstation Underground
PornoTube
SendSpace
SourceForge
Studivz
Tagged
Tripod - Lycos
Veoh
WWE
Xanga
XTube - A Broken Images


On the one hand, strategies that seek to obtain money without great effort are becoming more aggressive and invasive; on the other, most of these kits are available online either free or for payment, in this case for a sum not as high as for similar packs.

Phishing attacks are becoming more dangerous because their creators seek effectiveness in development, so that the copy is as faithful as possible to the real site.

This poses a potential risk when combined with intrusive techniques such as malware kits (ElFiesta, MPack, IcePack, etc.) implanted on ghost or compromised servers to spread phishing; it is becoming increasingly dangerous for those who do not know how these attack techniques work, and even for those who know them well.


Related information
Phishing Kit In-the-Wild for cloning websites

Jorge Mieres


24.2.09

A recent tour of scareware IV

As usual, new variants of known scareware (rogue) emerge every day using the usual methods of deception (false alerts, allusive domain names, fake scans, etc.).

Some of the latest malware of this style are:

XpyBurner *
MD5: eb8f9f40c563250f53b404b61dbfb491
IP: 72.232.186.20
United States, Las Vegas, Dwd Technologies Llc
Platform: Windows
Associated domains: xpyburner. com, xpyburnerpro. com
VT Report: 19/38 (50.00%)

Security System *
MD5: 45bcdb17659fc0f6f6277e9e027441cc
IP: 72.232.186.18
United States, Las Vegas, Dwd Technologies Llc
Platform: Windows
Associated domains: system-tuner. com, systemsecurityse. com
VT Report: 19/39 (48.72%)

HDrive Sweeper *
MD5: c1fc9887457353607062fd8df689fde0
IP: 72.232.186.21
United States, Las Vegas, Dwd Technologies Llc
Platform: Windows
Associated domains: hdrivesweeper. com, hdrivesweeperpro. com
VT Report: 21/39 (53.85%)

System Tuner *
MD5: fa36c3b1d61b6e9d7b2f6b0ee645806d
IP: 72.232.186.18
United States, Las Vegas, Dwd Technologies Llc
Platform: Windows
Associated domains: system-tuner. com, systemsecurityse. com
VT Report: 22/35 (62.86%)

* These are located in the same IP range.

AntiSpyware 3000
MD5: 945725b374fad6a35e24e2e8543a5d85
IP: 210.51.37.113
China, Shanghai, China-stock-ltd Xindongli
Platform: Windows
Associated domains: antispyware3000. net, duocw. com
VT Report: 38/39 (97.44%)

Virus Doctor
MD5: 82e6594e1d241f23eb2c524beecc9963
IP: 64.86.17.9
Canada, Montreal, Teleglobe Inc.
Platform: Windows
Associated domains: mysupervisor. net, virus-doctor. com, pay-virusdoctor. com, trdatasft. com, online virusdoctor. com
VT Report: 21/39 (53.85%)

Total Virus Protection
MD5: 84e782738fcef71a8701da221fed94c5
IP: 83.133.123.166 / 92.241.176.220
Germany, Wuppertal, LNC-dsl-discounter
Russian Federation, Wahome Colocation
Platform: Windows
Associated domains: t61.1paket. com, totalmalwareprotection. com, xpvirusprotection. com, xpvirusprotection2009. com
VT Report: 3/39 (7.69%)

MalwareDoc
MD5: af5f63cdaed1e619b65d7bf506e40e3a
IP: 193.138.172.5
Russian Federation, Moscow, New Communication Technologies
Platform: Windows
Associated domains: antispyknight. biz, 474.metago. cn, beforethehost. com, bobthejoker. info, atingloves. ru, farmhut. net, femoffice. net, foxtrot1. biz, friendis. us, gaysagays. com, gogogogogogogogogogogo. cn, google-analutuk. com, iframestat. org, intellpoint. org, avascript. bz, kva-kva. net, lencom. com, live69. ru, matchwow. us, mycashnew. ru, mynewcards. ru, odnoklassniki-newyear2009. ru, ownroom. org, oy4b-oykb. ru, piontor. com, pompova. ru, pop.yandex2. cn, pornuha. cc, smsgogo. cn, topsale. us
VT Report: 7/38 (18.42%)

Antivirus 1
MD5: 27a882668aeda52450ef78a0d6e42a30
IP: 70.38.19.201
Canada, Ontario, Toronto, Alexandre Lussier
Platform: Windows
Associated domains: anti-virus-2010.info, antivirus-2010.info, av1-download.info, av1-site.info, downloads.anti-virus-2010.info, tagsdirect.winfamilyholiday.com, anti-virus1-installs.info
VT Report: 5/39 (12.82%)

Related information
A recent tour of scareware III
A recent tour of scareware II
A recent tour of scareware

Jorge Mieres


22.2.09

Botnet Zeus. Mass propagation of its Trojan. Part Two

In the first part I gave an overview of what ZeuS is, together with a small list of domains and IP addresses involved with the Trojan, useful for blocking them.

The map below shows information on each host infected by ZeuS, each identified by a point. Although at first glance the information the map shows may seem scant, it must be taken into account that each node can represent multiple IP addresses or domains hosted on one server, which raises the proportion of infected equipment.


Although the list is very small compared with the number of domains that host ZeuS, it is extremely important for administrators to block them in their network infrastructure to avoid infection problems.

85.17.139.189 investmentguard.co.uk/foto/body_bg_akh10. jpg
85.17.143.132 mainssrv.com / pic / timeats. jpg
91.197.130.39 goldarea.biz / bot. exe
92.48.119.151 allmusicsshop.com/bnngJPdf7772Nd. exe
92.62.100.14 chinkchoi.net/3n539 @ 32d. exe
92.62.101.54 drupa1.com/s/fuck. exe
92.62.101.54 ltnc.info / utility / lease / software / update / config. bin
92.62.101.54 tdxs.info / utility / backup / config. bin
94.103.80.150 zone-game.org/ldr. exe
94.75.214.18 vokcrash.com/144/load. php
196.2.198.243/wweb11/zdr. exe
196.2.198.243/xwweb/zdb. exe
58.65.236.41 / z. exe
67.225.177.120/moon/cfg1.bin
78.26.179.201/matt/loader. exe
91.211.65.122 / ~ nostr551te/endive/dogi. exe
92.241.164.198 / ~ cadazeu / testbot / ldr. exe
92.62.101.60/g1/data
92.62.101.60/g2/data
92.62.101.60/g2/run. exe
94.247.3.211/ddk/audio
94.247.3.211/rot/load. exe
94.247.3.211/rot/zlom
freecastingus.cn/z12/config. bin
freecastingus.cn/z12/loader. exe
http://ltnc.info/utility/lease/software/update/config. bin
http://tdxs.info/utility/backup/config. bin


Furthermore, each of these domains, along with its IP address, represents a compromised host or server that is infecting others.

Given that the means of spread and infection employed by ZeuS are email and the Drive-by-Download technique through different exploits, one of the best known being LuckySploit, or sites vulnerable to implanted malware kits such as ElFiesta, it is extremely important to block the domains and IP addresses I have listed.
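The LuckySploit list earlier on the page and the ZeuS list above are written defanged: spaces around dots and slashes, IP octets separated by commas from a Spanish locale, and file extensions capitalised by translation. A blocking device cannot consume that directly. The following is an added example, not code from the post or from any project it mentions, that refangs such lines, separates IP addresses from domains and URLs, rejects junk, and renders the domains as unbound local-zone sinkhole entries (unbound is assumed here as the consumer; the sample lines are copied from the lists above, with one constructed junk line).

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: indicator lines in the loose "word. tld / path" style the posts
# above use (spaces around separators, comma-separated IP octets, capitalised
# extensions), plus one junk line that must be rejected rather than blocked.
SAMPLE_LINES = [
    "r-state. com / equip /",
    "trafffive .cn / wait /? t = 15",
    "202.73.57.6 / tomi",
    "federalreserve.banknetworks .net / bb /? t = 2",
    "85.17.139.189 investmentguard.co.uk/foto/body_bg_akh10. Jpg",
    "92,241,164,198 / ~ cadazeu / testbot / ldr. Exe",
    "http://ltnc.info/utility/lease/software/update/config. bin",
    "not an indicator at all",
]

# Punctuation that the defanging padded with spaces; we glue it back to its neighbours.
SEPARATORS = re.compile(r"\s*([./?=~@:])\s*")
# IPv4 written with dots or with the comma decimal separator of a Spanish locale.
LOOSE_IPV4 = re.compile(r"^\d{1,3}[.,]\d{1,3}[.,]\d{1,3}[.,]\d{1,3}$")
DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


@dataclass
class Blocklist:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    rejected: list = field(default_factory=list)  # lines we could not interpret


def refang(line: str) -> str:
    """Undo the defanging: remove the whitespace padding around separator characters."""
    return SEPARATORS.sub(r"\1", line.strip())


def normalise_host(host: str):
    """Classify a host as ('ip', canonical) or ('domain', canonical); None for junk."""
    host = host.lower()
    if LOOSE_IPV4.match(host):
        try:
            return "ip", str(ipaddress.ip_address(host.replace(",", ".")))
        except ValueError:  # an octet above 255 is not an address
            return None
    if DOMAIN.match(host):
        return "domain", host
    return None


def parse_indicator(token: str):
    """Turn one refanged token into (kind, host, url-or-None); None if it is not one."""
    if "://" not in token:
        token = "http://" + token  # most entries in the posts omit the scheme
    parts = urlsplit(token.lower())  # capitalised extensions are a translation artefact
    if not parts.hostname:
        return None
    classified = normalise_host(parts.hostname)
    if classified is None:
        return None
    kind, host = classified
    url = None
    if parts.path or parts.query:  # a bare host is not a URL indicator
        url = urlunsplit((parts.scheme, host, parts.path, parts.query, ""))
    return kind, host, url


def build_blocklist(lines) -> Blocklist:
    """Parse every line; one line may carry an IP and a URL side by side, as the ZeuS list does."""
    bl = Blocklist()
    for line in lines:
        found = False
        for token in refang(line).split():
            parsed = parse_indicator(token)
            if parsed is None:
                continue
            found = True
            kind, host, url = parsed
            (bl.ips if kind == "ip" else bl.domains).add(host)
            if url:
                bl.urls.add(url)
        if not found:
            bl.rejected.append(line)
    return bl


def render_unbound(bl: Blocklist) -> str:
    """Emit the domains as unbound local-zone sinkhole entries (assumed consumer)."""
    return "\n".join(f'local-zone: "{d}." always_nxdomain' for d in sorted(bl.domains))


if __name__ == "__main__":
    result = build_blocklist(SAMPLE_LINES)
    print(render_unbound(result))
    print("ips:", sorted(result.ips))
    print("urls:", sorted(result.urls))
    print("rejected:", result.rejected)
```

Rejected lines are kept rather than silently dropped so that a list maintainer can see what did not parse; a blocklist that swallows a typo'd entry blocks nothing for that host and gives a false sense of coverage.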

Related information
Botnet Zeus. Mass propagation of its Trojan. Part ...
Domain List compromised by Zeus
List of IPs compromised by Zeus




21.2.09

Google Groups again used to spread pornographic spam

Spamming techniques are becoming more aggressive, and spammers, in order to keep alive the financial industry behind unsolicited advertising, focus all their efforts on finding "alternatives" that bypass the authentication mechanisms implemented on webmail servers.

Consequently, in recent days the mailboxes of millions of users have been bombarded with a significant amount of spam whose subjects allude to erotic matters and pornographic videos of celebrities, using the Google Groups service to disseminate the pornographic spam.

Some of the phrases used in this case to capture users' attention are:

Hey! It is Erica. Want to date?
Hi! This is Dana from last Monday video shoot.
Hello! It is Standard. Could not reach you.
Jessica Alba was caught naked in a sauna!
Jennifer Aniston was caught naked in a sauna!
Jennifer Love Hewitt's nude beach photos!
Cameron Diaz's nude beach photos!
Denise Richards's fitting room hidden pics!
Shakira and her mystery boyfriend pics!
Hi! It is Deena. Fresh legal teens who just got to pose.
Hi! This is Amelia. Fresh legal teens who just got to pose.


On the other hand, some of the profiles used on the service in question are:

http://groups.google.com/group/zcmcrowderifjzub/?iqhphgbeaxegecyvaduryqmgzzv&pli=1
http://groups.google.com/group/rnushafermrlio/?xsopvgfxraihhintaudhuhgwxqqdr
http://groups.google.com/group/xm388drtr876gx/web/xblsdmz
http://groups.google.com/grou/giuyburroughsyqk/?oscfdntsxfsxygrimaykrdnbpiiwk
http://groups.google.com/group/vlmwillistvkkyx/?mjywanyxpngnhthdsbmhwsgspozh
http://groups.google.com/group/tixjotin2wtv/web/rqcc8ne
http://www.google.com/group/rsnclineiqs/?fchgwoioqdxyhxzujnqhsj
http://www.google.com/group/qjmjvwbrobbinsyne/?vuqkpijorysniuzmcmrcmu
http://www.google.com/group/smpwthackercdi/?netcrpysqsrpnwwhddfcvxkemobiv
http://groups.google.com/group/rt4q26ggg4azg/web/pvnrywa
http://www.google.com/group/henvrankinosv/?mpsajqfwyzlqxqpouxokymddoos
http://www.google.com/group/aediyyxfieldsljx/?imingpivvlnkyputxttpugmcwdt
http://groups.google.com/group/zscsqcgzrxhxno/web/k4xkob
http://www.google.com/group/oapfhxjbledsoeakpas/?lkngiiujnfqyotalcibneib
http://www.google.com/group/dtoercardenasmyld/?nqhbbvfazcqwqchrgyzzgvxyu
http://www.google.com/group/smpwthackercdi/?kzxgxdhqmjthzyrjmeckg
http://www.google.com/group/jpfkdowneyviyxlco/?fknhxtryihnlykkddadzjhq
http://www.google.com/group/ldubartlettvqv/?sjeqkrtkzhipuymmeyohncvvm
http://www.google.com/group/tzqmockjapi/?ieywkhfiwklmksgjhhcnycniwmfym
http://www.google.com/group/mdnsylclynnakjl/?zivtwsmexjcvvapfzejv
http://www.google.com/group/thlssheetscru/?ciotibufyziphemhnqemuz
http://www.google.com/group/ynatdxhjenningswmjfcap/?wkqsusarwnzbqzbtqkmgewrwihj
http://www.google.com/group/eblshoemakergaouclt/?tyvkjqeixthanyzeasoty
http://www.google.com/group/jyqpukinneypnyfw/?aasinzdghhknxajmprdshftcbl
http://www.google.com/group/stfxzdfbegayuguh/?fpkvhcnouznregxpqrvchicwza
http://groups.google.com/group/caylyjacobigyeg/web/kuytfopiufyoutd
http://www.google.com/group/egnjomckennalcwin/?pyjzsnomluxqcgathnbo


The list is really too long to reproduce every address in this post; however, the examples are enough to understand that spam is a problem that affects everyone equally and that it is today one of the most exploited businesses.
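The subject lines quoted above are a handful of templates with a name swapped in. From a mail-filtering point of view the interesting step is recovering those templates from the raw subjects so that the next variant with a new name is caught too. The following is an added example, not code from the post, that clusters the quoted subjects by token-level similarity, collapses the varying words into a wildcard template, and turns each template into a regular expression usable as a detection rule. The 0.5 similarity threshold is an assumption tuned to this sample; the subjects are the ones quoted above.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: the subject lines quoted in the post above, in the order given.
SAMPLE_SUBJECTS = [
    "Hey! It is Erica. Want to date?",
    "Hi! This is Dana from last Monday video shoot.",
    "Hello! It is Standard. Could not reach you.",
    "Jessica Alba was caught naked in a sauna!",
    "Jennifer Aniston was caught naked in a sauna!",
    "Jennifer Love Hewitt's nude beach photos!",
    "Cameron Diaz's nude beach photos!",
    "Denise Richards's fitting room hidden pics!",
    "Shakira and her mystery boyfriend pics!",
    "Hi! It is Deena. Fresh legal teens who just got to pose.",
    "Hi! This is Amelia. Fresh legal teens who just got to pose.",
]


def tokens(subject: str) -> list:
    """Lower-case word tokens; punctuation stays attached so 'pics!' and 'pics' differ."""
    return subject.lower().split()


def similarity(a: list, b: list) -> float:
    """Token-level similarity in [0, 1]: 2 * matching tokens / total tokens."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def merge_template(a: list, b: list) -> list:
    """Keep the tokens two subjects share; collapse each differing stretch into one '*'."""
    out = []
    for tag, i1, i2, _j1, _j2 in SequenceMatcher(None, a, b, autojunk=False).get_opcodes():
        if tag == "equal":
            out.extend(a[i1:i2])
        elif not out or out[-1] != "*":
            out.append("*")
    return out


def cluster_subjects(subjects, threshold: float = 0.5):
    """Greedy single pass: each subject joins the most similar cluster seed at or above
    the threshold, or starts a new cluster. Returns [(template, [members]), ...]."""
    clusters = []  # each: {"seed": tokens, "template": tokens, "members": [subjects]}
    for subject in subjects:
        toks = tokens(subject)
        best, best_score = None, threshold
        for cluster in clusters:
            score = similarity(cluster["seed"], toks)
            if score >= best_score:
                best, best_score = cluster, score
        if best is None:
            clusters.append({"seed": toks, "template": list(toks), "members": [subject]})
        else:
            best["template"] = merge_template(best["template"], toks)
            best["members"].append(subject)
    return [(" ".join(c["template"]), c["members"]) for c in clusters]


def template_to_regex(template: str) -> re.Pattern:
    """Turn a derived template into a detection rule: '*' matches any run of words."""
    parts = [r".+?" if tok == "*" else re.escape(tok) for tok in template.split()]
    return re.compile(r"^" + r"\s+".join(parts) + r"$", re.IGNORECASE)


def matches_template(template: str, subject: str) -> bool:
    """True if the subject is an instance of the template (any name filled in)."""
    return template_to_regex(template).search(subject.strip()) is not None


if __name__ == "__main__":
    for template, members in cluster_subjects(SAMPLE_SUBJECTS):
        if len(members) > 1:  # singletons are not yet evidence of a template
            print(f"{template!r} <- {len(members)} subjects")
```

Only clusters with more than one member are worth promoting to rules; a singleton template is just the subject itself with no wildcard, and would match nothing new.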

Jorge Mieres
