MalwareIntelligence is a site dedicated to research on everything relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

9.8.10

Infection campaign through Phoenix Exploit's Kit

Phoenix Exploit's Kit (PEK) is another of the crimeware packages that has gained wide acceptance in the online criminal ecosystem; over the past week it has been used to spread a large volume of malware on a massive scale.
The binaries belonging to the campaign, which is still active, are spread under the default file name that the package assigns to its payload, exe.exe. Some of the executables seen in this campaign are (MD5 hash and detection name):

8515e378f836afbaf30e29bdf7eed799 - Not detected
bb04fe6f6232dcc0661435ae9a6da513 - Zbot/Krap
82caf746a0d4e32ad633c075f22c1969 - FakeAV
8c30bae5db5d6e693bd3d343176d10d4 - GootKit
80592a5c5c7f4e91e1fc7d45c69b26df - Zbot
f36dd53834bcd0997dbbf50f54617941 - Probably a variant of Vundo
f4d4734d4f7392290a341a367e412226 - FakeAV
310226a86e883284eb3e821895156c4e - Katusha
971eab628a7aac18bb29cba8849dff61 - Probably a variant of Genome
0c1de65a594796b77030892498da1372 - Small/Agent
10b21cd819089f8d0a3788107c1125f4 - Olmarik/TDSS
687992266d21c6d6ad3232d6c98e2819 - Papras
51b834a745afd2787848f59ee30df659 - Zbot

The binaries distributed through this crimeware are rotated very frequently. The kit also ships a range of precompiled exploits for well-known vulnerabilities in browsers and PDF readers; the files below are listed with their MD5 hashes and, where identified, the CVE they target. Note that several of the HTML landing pages are named by target platform and browser (xpie7.html, vistan7ie8.html, xpother.html and so on), which is itself a useful fingerprint of the kit in proxy logs:

all.pdf (75c38165c54f99bc3631544855206aad) CVE-2009-0927
allv7.pdf (be3d6d64687cc83825476947e2955591)
collab.pdf (69fef7cb57f8c16128ec9daba51e53ae) CVE-2007-5659
geticon.pdf (149335ac9d8b1e9918411c4c71cdf8bf) CVE-2009-0927
flash.swf (3310c3eb2b43f1353166a7cd21566e34)
ie.html (715d1fc6c63fc350cad997083e2ddfbb) CVE-2006-0003
libtiff.pdf (e0b17cc54294f26b9b9df77770dc5380) 
newplayer.pdf (13da5c68a1eb5a895c1bd3da8740ee75)
printf.pdf (c62c08cc2ed57c187d5fd0eda12e1443) CVE-2008-2992
vistaie7.html (ffcb420c6a9c4c91c130fdf171424299)
vistan7ie8.html (74aae64e8c583623d3592a2f7061c64d)
vistan7other.html (640c67a372889068a426aebaf21f18b9)
xpie7.html (0e8488bc4f4936fceb4907a141b91567)
xpie8.html (c8bba1b71d570917551d8c96486ff5e6)
xpother.html (242988c80807f9bdb2631a7a9c65c941)

Among the domains used by the campaign during July 2010 are:

1.fxguard.co.cc
1.tmjack.co.cc
1247892628.zage.in
2.keyzan.in
32874239049394.com
33askday7w2.com
appstoredemon.com
autoaccoustics.ru
avadrom.co.in
barabudd444.com
barabudd555.com
baragas-budd3.com
bardj96.info
bequeathooh4.info
beretjhvb5.info
bestrachel.com
bootch.in
bstservice.biz
ca200dajskjdhd.com
carauter.com
cheryy.com
cinbonto.com
condonikzang.info
congealagmfd6dbd.info
contritefg6.info
conundrumwth.info
dandbcorporation.com
debiller.com
dogmun.com
domsre.com
durposty.com
effacedfge8.info
effusive24ghj.info
elvagony.com
encelih.biz
eurpoker.org
fedou-kast.com
fffvideo.info
fist0.info
fortuna1.info
fortunaclasse.com
gepare.com
googlemugl.com
guglctat.net
gygack.com
heging.com
highclips.ru
iktagirl.com
illinate.be
illinated.co.in
in.xtborder.co.cc
intercullertdi50.net
irrationalsdv3.info
jenaallee.com
jk100asdsadhg.com
judiciousr347.info
justanothersillydomain.org
kaksosatshop.info
khozywebs.ru
kigll.com
kombry.com
lampstage.in
larseny.com
lartoil.com
lcitsih.biz
liveenline.com
lkem.info
loltrafo.co.cc
magicvideoonline.in
metyre.com
miror-couter-3.in
miror-couter-4.in
miror-couter-6.in
mixoto.co.in
mjef.info
monovideo.ru
musicmastersite.in
mytlo.com
navigable446.info
nextso.net
nimtsih.biz
paypay.co
perspicacitydg3.info
prosoftdesign.in
ratifytur6.info
regaledgh7.info
seawizard.net
servat-cooper.com
sexandvideo.ru
spl.ipomats.in
sunn.in
taciturnsdg5.info
tamesteel.net
toppulse32.org
utanmay.co.cc
utry.in
vbmn.info
vdsconfig.in
volgo-marun.cn
wanefbdf3.info
yadr3.com
zealotbbd6.info
zomotuir.com
zoor.in
zsitsih.biz
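The three lists above (payload hashes, exploit file names with hashes, and campaign domains) are the indicators a defender would actually feed into a proxy-log sweep or a file triage script. The following is an added example, not code from the original MalwareIntelligence post: it embeds the indicators from the post, matches proxy log lines on campaign domains (including subdomains of them) and on PEK file names, and classifies a file by its MD5. The proxy log format (timestamp, client, method, URL, status) and the log lines and file bytes used as input are constructed for illustration; only a subset of the domain list is embedded, and the full list above can be pasted into CAMPAIGN_DOMAINS as-is.

```python
"""Indicator matching for the Phoenix Exploit's Kit campaign described above.
Added example, not from the original post. Hashes, file names and domains
are copied from the post; log lines and file bytes below are constructed."""
import hashlib
import re
from urllib.parse import urlsplit

# Payload binaries (spread as exe.exe): MD5 -> detection name from the post.
PAYLOAD_MD5 = {
    "8515e378f836afbaf30e29bdf7eed799": "Not detected",
    "bb04fe6f6232dcc0661435ae9a6da513": "Zbot/Krap",
    "82caf746a0d4e32ad633c075f22c1969": "FakeAV",
    "8c30bae5db5d6e693bd3d343176d10d4": "GootKit",
    "80592a5c5c7f4e91e1fc7d45c69b26df": "Zbot",
    "f36dd53834bcd0997dbbf50f54617941": "Vundo (probable)",
    "f4d4734d4f7392290a341a367e412226": "FakeAV",
    "310226a86e883284eb3e821895156c4e": "Katusha",
    "971eab628a7aac18bb29cba8849dff61": "Genome (probable)",
    "0c1de65a594796b77030892498da1372": "Small/Agent",
    "10b21cd819089f8d0a3788107c1125f4": "Olmarik/TDSS",
    "687992266d21c6d6ad3232d6c98e2819": "Papras",
    "51b834a745afd2787848f59ee30df659": "Zbot",
}
# Exploit and landing files served by the kit: MD5 -> file name from the post.
EXPLOIT_MD5 = {
    "75c38165c54f99bc3631544855206aad": "all.pdf",
    "be3d6d64687cc83825476947e2955591": "allv7.pdf",
    "69fef7cb57f8c16128ec9daba51e53ae": "collab.pdf",
    "149335ac9d8b1e9918411c4c71cdf8bf": "geticon.pdf",
    "3310c3eb2b43f1353166a7cd21566e34": "flash.swf",
    "715d1fc6c63fc350cad997083e2ddfbb": "ie.html",
    "e0b17cc54294f26b9b9df77770dc5380": "libtiff.pdf",
    "13da5c68a1eb5a895c1bd3da8740ee75": "newplayer.pdf",
    "c62c08cc2ed57c187d5fd0eda12e1443": "printf.pdf",
    "ffcb420c6a9c4c91c130fdf171424299": "vistaie7.html",
    "74aae64e8c583623d3592a2f7061c64d": "vistan7ie8.html",
    "640c67a372889068a426aebaf21f18b9": "vistan7other.html",
    "0e8488bc4f4936fceb4907a141b91567": "xpie7.html",
    "c8bba1b71d570917551d8c96486ff5e6": "xpie8.html",
    "242988c80807f9bdb2631a7a9c65c941": "xpother.html",
}
EXPLOIT_NAMES = set(EXPLOIT_MD5.values())
# Subset of the July 2010 domains from the post; paste the full list here.
CAMPAIGN_DOMAINS = {
    "1.fxguard.co.cc", "1247892628.zage.in", "barabudd444.com",
    "googlemugl.com", "paypay.co", "miror-couter-3.in",
    "volgo-marun.cn", "zsitsih.biz",
}

def normalize_host(host):
    """Lower-case and drop a trailing dot so 'BARABUDD444.COM.' still matches."""
    return host.lower().rstrip(".")

def domain_hit(host, domains=CAMPAIGN_DOMAINS):
    """Return the indicator if host equals or is a subdomain of a campaign
    domain (www.barabudd444.com hits barabudd444.com; notbarabudd444.com does not)."""
    host = normalize_host(host)
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None

# Constructed proxy log format: "<ts> <client> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
                    r"(?P<url>\S+)\s+(?P<status>\d{3})$")

def scan_proxy_line(line):
    """Return a list of (kind, value) hits for one log line; [] if clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    hits = []
    d = domain_hit(parts.hostname or "")
    if d:
        hits.append(("domain", d))
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name in EXPLOIT_NAMES:
        hits.append(("exploit_file", name))    # kit landing/exploit page
    elif name == "exe.exe":
        hits.append(("payload_name", name))    # default payload name; weak alone
    return hits

def scan_proxy_log(lines):
    """Return {line_number: hits} for every line with at least one hit."""
    return {n: h for n, h in ((n, scan_proxy_line(l))
            for n, l in enumerate(lines, 1)) if h}

def classify_md5(hexdigest):
    """Map an MD5 to ('payload', name) or ('exploit', file name), else None."""
    h = hexdigest.lower()
    if h in PAYLOAD_MD5:
        return ("payload", PAYLOAD_MD5[h])
    if h in EXPLOIT_MD5:
        return ("exploit", EXPLOIT_MD5[h])
    return None

def classify_file(data):
    """Hash raw file bytes and classify them against the campaign lists."""
    return classify_md5(hashlib.md5(data).hexdigest())

# Constructed proxy log lines for illustration (not from the post).
SAMPLE_LOG = [
    "1279000000.123 10.0.0.5 GET http://barabudd444.com/xpie7.html 200",
    "1279000001.456 10.0.0.5 GET http://www.1.fxguard.co.cc/all.pdf 200",
    "1279000002.789 10.0.0.5 GET http://example.com/index.html 200",
    "1279000003.000 10.0.0.7 GET http://cdn.example.net/exe.exe 200",
]

if __name__ == "__main__":
    for n, hits in scan_proxy_log(SAMPLE_LOG).items():
        print(n, hits)
    print(classify_md5("bb04fe6f6232dcc0661435ae9a6da513"))
```

A hit on a domain plus one of the platform-specific landing pages (lines 1 and 2 of the sample) is a strong signal; a bare exe.exe download from an unlisted host (line 4) is only a lead, since the name is generic, and should be confirmed by hashing the retrieved file with classify_file. Because the post notes the payloads rotate quickly, treat the hash list as a snapshot and lean on the domains and landing-page names for ongoing detection.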
