MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

30.4.10

A recent tour of scareware XXI

Desktop Security 2010
204.12.223.187
United States, Kansas City, Krutik Servers

desktopsecurity2010win.com
certifiedsecureprocessingpayments.com
ns1.startsecureplace.com
ns2.startsecureplace.com
startsecureplace.com

91.121.45.67

France, Ovh Sas
global-d-security.com
level1-antivirus.com
max6antispyware.com
mega1-scanner.com
mega2-scanner.com
mega6-scanner.com
mega7-scanner.com
microantivirus-scanner0.com
microantivirusscanner1.com
microantivirusscanner2.com
pro-2in1-securityh.com
spy-detectora.com
z3-antispyware.com
zan-antivirus-scan.com
zyn-antivirus-scan.com


Setup_328s3.exe (C89D7DAFEA8CC605E6E81A040A1061D7)
4/40 (10.00%)

scanner.secure-your-pc.info/scan.php?campaign=mmb_784713781&landid=6
antivirus-live-1.com
antivirus-21pro.com

AntiSpyware Soft
193.33.115.92
antispyware-system.net
antivirus-armature.com
avprocess.com
defendersoftpremium.net
www.antivirus-armature.com
www.avprocess.com
www.defendersoftpremium.net
Austria, Klagenfurt, Anexia Internetdienstleistungs Gmbh

209.212.149.20
www1.freeguard33-pr.net
www1.new-sys-scanner1.net
www1.new-sys-scanner2.net - 209.212.147.240
www1.freesys-scanner.net - 209.212.147.241
www1.new-sys-scanner3.net - 209.212.147.244
www1.scanfree2.net - 209.212.147.245
www1.freesys-scanner3.com - 209.212.149.18
United States, Arlington Heights, Ecomdevel Llc

188.124.5.66
www1.smartguard20-td.com
www1.smartprotection2.com
www1.smartprotection2.net
www1.smartprotection5.net
Turkey, Vital Teknoloji - Dedicated Pool

my-antispyware-update.com - 212.117.177.19
Luxembourg, Luxembourg, Root Esolutions

208.76.61.100
spy-remover-i9.com
spy-remover-i4.com
spy-remover-i5.com
spy-remover-i6.com
spy-remover-i7.com
defence-status2.com
defence-status3.com
defence-status6.com
defence-status9.com
security-status3.com
security-status4.com
securitystatus6.com
securitystatus7.com
securitystatus8.com
securitystatus9.com
United States, San Francisco, Everydns Llc

Related information
A recent tour of scareware XX
A recent tour of scareware XIX
A recent tour of scareware XVIII
A recent tour of scareware XVII
A recent tour of scareware XVI
A recent tour of scareware XV
A recent tour of scareware XIV
A recent tour of scareware XIII
A recent tour of scareware XII
A recent tour of scareware X
A recent tour of scareware X
A recent tour of scareware IX
A recent tour of scareware VIII
A recent tour of scareware VII
A recent tour of scareware VI
A recent tour of scareware V
A recent tour of scareware IV
A recent tour of scareware III
A recent tour of scareware II
A recent tour of scareware

Jorge Mieres


26.4.10

Phishing database VI

Financial and banking institutions
HSBC
http://www.publimovilradio.com/modules/IBlogin.html
http://favre-4.fr/xd881/index2.html?hsbc.co.uk/1/2/HSBCINTEGRATION/CAM10;jsessionid=0000GE8AijuUV604QIMQn-iQJDM:11j74lld0?IDV_URL=hsbc.MyHSBC_pib
http://66.179.18.171/lib/support/templates/CVS/1/Login/2/User/ID/HSBC/SessionID/Submit/IBlogin.html

http://mangiaonthird.com/ww/xx/CAM10.php?idv_cmd=idv.Logoff&nextPage=IDV_CAM10_AUTHENTICATION=d4d54d300fee03b7a1ca7212efcdd9a5LogonBy=Connectd4d54d300fee03b7a1ca7212efcdd9a5
http://www.hexagonetimisoara.com/plugins/tmp/IBlogin.html
http://www.atecatamarca.com.ar/restringido/galerias/IBlogin.html
http://taisang.tk/admin/IBlogin.html
http://taisang.tk/modules/IBlogin.html
http://www.programaarena.com.br/libraries/pattemplate/patTemplate/Reader/www.hsbc.co.uk/IBlogin.html
http://spyselect.ie/ext/update.hsbc.co.uk/1/2/personal/internet-banking-jsession=00quurGtvuPvBm9/
http://bosombuddies.ca/gallery/include/pib-home/pib-home/2/1/personal/hsbc.co.uk/IBlogin.html
http://isi.org.ru/netcat/dump/IBlogin.html
http://www.futureworld.org.uk//includes/modules/payment/HSBCINTEGRATION/CAM10;jsessionid=0000giYEk-6jtEJIpKn19x4far8/IBlogin.html
http://segzy.x10hosting.com/images/IBlogin.html
http://thaijoggingclub.net/gallery_img/IBlogin.html
http://woorisurg.com/bbs/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://81.10.19.242/hsbc.co.uk/1/2/IBLogin.html?CAM10;jsessionid=0000siN86yIRSUo4ohplM0Vo2s2:14etg74ed?IDV_URL=hsbc.MyHSBC_pib
http://www.neosemitech.com//board/data/session/cgibin/IBlogin.html

Merrill Lynch Bank (Suisse) S.A.
http://70.38.37.38/~homebase/samba.mllbs.ch/prospect.php?_nfpb=login&_pageLabel=page_logonform

SunTrust
http://wvw.suntrust-sc.com/portals/
http://equatorhd.ca/www.suntrust.com/portal/server.pt/?session=9e50b36bb2497496c6398461a2082fcc9cf45c66fcb67ddc44b04dafa0a2065399f6f9353fb42e260a8def4e4e0af2ca
http://treasurehd.ca/va/www.suntrust.com/portal/server.pt/confirm.php?session=9e50b36bb2497496c6398461a2082fcc9cf45c66fcb67ddc44b04dafa0a2065399f6f9353fb42e260a8def4e4e0af2ca
http://smtp.ultracom-bg.com/portals/suntrust.html
http://secure.suntrust-sec.com/portals/?server.pt/?server.pt?space=Login&ui_ReasonCode=6004

Bradesco
http://87.249.61.69/core/bradesco/Cadastro/index2.php
http://72.167.206.97/zencart/media/desco/log/site/
http://www.fcrorschacherberg.ch/images/sert/bradesco/scripts/ib2k1.dll/LOGIN.php
http://189.1.168.11/~internet/cadastro/log/site/
http://bradescompleto.c0m.la/Seguranca/log/site/perfil/

Bank of America
http://platinum.tritoncore.com/~chancefi/media/.bnkofamericasitykeybknofamerica/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin
http://sitekey.bankofamerica.com.sas.signon.do.detect.2.signin.sessionid.wsbtxkjzscpehcdziwcaczsbv.veqtvcqsejpmvkduxjbamaijc.zjasksnomikpyargqdiyhwwpu.wzstgytqxmbtyrdgzqdahmqmk.psdlhyghwdoryepkejiwkqwbt.wjdjvowmsfsqoij.brevardcountylandandlots.com/signon/signon.do.php?pageType=708XeMWZ&cust=&l=lWXS3AlBXVShqAhQRfhgTDrf=nttps://sitekey.bankofamerica.com/sas/signon.do?SignIn&SMSESSIONID=ASERTFGUY2I94O0389GYBH23JNMKUYH83JMN12I90U82HJNASDKOASD9AS8D&iv=90832yhIopOWjos
http://www.newlife-baptistchurch.org/ioncube/linked.www.bankofamerica.com/security.update/trust.updater/sitekey-challenge-update/update.bankofamerica.com/update.html
http://ikaska.org/.safe.ssl.comfirmed-onlinebankingofamerica.com./index.html
http://ebookpal.info/images/banners/mailboa/boa/sas/cgi-bin/ias/A/1/bofa/ibd/IAS/presentation/pm_token=C2886KJEHD89483JSO3829ENDHU8392OJD/safe.ssl.confirm.onlinebankingofamerica.com/index.html
http://76.76.104.251/~arrayofl/www.bankofamerica.com.updates.confirm.bankofamerica.com/webscrcmd=_login-run/webscrcmd=_account-run=524685741142/updates-bankofamerica/confirm-bankofamerica.com/boa/signon.php?section=signinpage&update=&cookiecheck=yes&desti
http://www.circuitocultural.org/bof/index.html
http://113.105.152.38/updates/bankofamerica/

BBS
http://finnulbbsnetaxeptno.t35.com/1.HTM

MasterCard
http://www.mitraogan.co.id/mo24/email/secure.mastercard384912/index.php

VISA
http://206-51-223.ftth.xms.internl.net/mail/25721.visa.com/index.html

National Bank
http://www.epiphone.co.kr/login/

CartaSI
http://user24821.vs.easily.co.uk/titolari.cartasi.it/33554433&REALMOID/gtwpages/index.jsp/index.htm
http://shinhak.or.kr/bbs/data/gtwpages/

Santander
http://www.sowhere2.co.za//administrator/components/com_joomap/tmpl/santander.php
http://colorama.com.ar/traxxis/system/controls/msctrl/msct/hmrc/allaccounts/abbey/Logon.htm

CBN - Central Bank of Nigeria
http://nigcbnupdatee.t35.com/OnlineCBN.html
http://vervpincodeupdate.t35.com/newupgrade.html

E-Commerce
PayPal
http://host-87-103-181-222.pppoe.omsknet.ru/paypal.it/webscr_cmd=_login-submit-amp-dispatch=5885d80a13c0db1f059ee17e99acf19529de9a5cb8b345b6e847e9b5572143/login.html
http://paypak.freewebhostx.com/paypal/index.htm
http://ppmediasetup.com/paypal/newaccount/infostatus/directory099140919084/instance0195088189177147/tst1/webscr.htm
http://boomerscatering.com/images/mkj/www.PayPal.Com/fr/webscrcmd=_login-done&login_access=1190737782.htm
http://www.wanttoregisternewdoamin.com/www.PayPal.Com22/webscrcmd=_login-done&login_access=1190737782.htm
http://www.argentineadventure.com.ar/Templates/paypal/paypal/paypal/www.paypal.com/www.paypal.com/www.paypal.com/www.paypal.com/us/details.html
http://loni9.altervista.org/paypal/
http://cepulamea.net/pp/www.PayPal.Com/
http://removeonlinepp.com/
http://likegyldig.net/cam/www.PayPal.com/login/security/confirmation4548684645384534/fr/webscr.htm?cmd=_Processing&dispatch=5885d80a13c0db1fb6947b0aeae66fdbfb2119927117e3a6f876e0fd34af4365214f1aa46a34b94d6755cfc46c0aa05c214f1aa46a34b94d6755cfc46c0aa05c
http://www.julienthomasajulie12.com/www.PayPal.Com22/webscrcmd=_login-done&login_access=1190737782.htm
http://wedfcergdsf.chytrak.cz/fiefnalgsdfpreterwsddffpal1.html
http://125.221.45.73/paypal.com/cmd=_login-run.html
http://users5.nofeehost.com/acc9host/Confirm.html
http://www.ezleadcapture.com/partnersites/FR/cmd=_login-run&dispatch=/5885d80a13c0db1f998ca054efbdf2c29878a435fe324eec8ea269f5b79ff8ce/Online_Login/Activer_Comptes.aspx/index.htm
http://www.ccrm.ch/language/web/
http://noreplypplweb.t35.com/Premier-rekening%20openen.htm
http://werfgtegrsd.chytrak.cz/fiefnalgsdfpreterwsddffpal1.html
http://harborwireless.net/images/pp/.www2.paypalcom/us/cgi-bin/1/webscr/cmd=_login-submit.php
http://paypal-com.mkreed.com/index.html?paypal/paypalup/publication/paypal/paypal/cgi-bin/webscrcmd=_login-run/webscrcmd=_account-run/updates-paypal/confirm-paypal/
http://fr-support.eu/fr_cgi/fr/webscr.php?cmd=_login-run&dispatch=5885d80a13c0db1f998ca054efbdf2c29878a435fe324eec2511727fbf3e9efce9cfe7b9b4e56bdb9eb455fa2753068ef9cfe7b9b4e56bdb9eb455fa2753068
http://www.njomza-azemi.com/ws/

eBay
http://93.157.1.128/shop/images/ws/eBayISAPI.dll_SignIn.php
http://junk.boggsman.com/rustyauction/eBayISAPI.dll.htm
http://singine34byaloginsecurelzy8izjha728wijabzwaz.9k.com/u-Brownie-Wise_W032879327328929Qitem1QQJSyyyd37sdcmbbyloginpag23za32wa32w2azZza3ewsaz.html
http://cgi-isapi-login-change-email.com/cgi/wp/eBay/eBayISAPI.php?cmd=SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame
ftp://ppxsw.pop3.ru/.signin.ebay.com.ws.eBayISAPI.dllSignOutConfirm&i.html
http://private-listing-auction-system.sjhdaj.com/vpp/index2.php?W0QQcmdZViewItemQQhashZitem3efe448c6bQQitemZQQptZUSQ5fE559FF65111E0E55111E0E559FF=0
http://www.purchase-motors-ebay.com/a2/anderson.j01.cgi.ebay.com-ebaymotors-2005-Nissan-Maxima-3.5SL-GREAT-BUY-VERY-CLEAN_W0QQitemZ120551342473QQcmdZViewItemQQptZUS_Cars_Truckshashitem1c116b8189/
ftp://220.132.154.109/ehay/Signinehayconnectviewitemnumber06.htm
http://ebaidelogin.t35.com/httpaccesssigninfree.html
http://windows7hacks.net/p/$uggcf:/fptv.ronl.pb.hx/jf/rOnlVFNCV.qyy%3FErtvfgreRagreVasb?threatensorgflags=0111

USAA
http://12.69.112.9/www.usaa.com/internet/logon/



Online Games
World of Warcraft
http://www.worldofwarcraft-securitycheck.com/login/login.asp?ref=https://www.worldofwarcraft.com/account/&app=wam

Habbo
http://habbocrdtgratix.altervista.org/
http://habbogratiscr.t35.com/

Steam
http://projectsteam.t35.com/Freepack/login.htm

Zynga Poker
http://www.chipsbonus.tk/
http://nusantarabikes.com/
http://claimbuddiesbonus.my3gb.com/confirmation.html
http://zyngapoker-bonus.t35.com/ZyngaPoker/BonusChips/Zynga_Poker_login.html
http://conpirmationfacebook.110mb.com/comfirmation.html
http://secure-alert.110mb.com/TexasHoldemPoker%20Registrations.Html
http://account-zynga.com/
http://log-in-facebook111.freewebhostx.com/
http://www.formbuddy.com/cgi-bin/formdisp.pl?u=ramy-12&f=formbuddy
http://giftbnus2010.t35.com/Zynga_Bonus%20Chips.com.html


Social Networks
Facebook
http://free_sms_al.t35.com/
http://gfjgfhgjg.altervista.org/
http://facwbook.t35.com/
http://h1.ripway.com/Norii/scrips/index.html
http://expertidr.altervista.org/
http://adadadadadadada.altervista.org/
http://ikillu.altervista.org/
http://trojanagent.altervista.org/
http://poker-cips.t35.com/
http://freefarmvilecash.altervista.org/
http://albaniaunited.altervista.org/
http://newfacebook2.altervista.org/
http://shkarkofilmafcbo.altervista.org/
http://fbcomercial.altervista.org/
http://fbstafflive.altervista.org/
http://albanfb.altervista.org/
http://midhje.altervista.org/
http://shkarkomuzik.altervista.org/
http://facebookhelpteam.t35.com/heb/
http://facebookdemsn.t35.com/
http://faacceeb0o0k.t35.com/Index.htm/
http://dj25337.t35.com/
http://fb847029808.t35.com/
http://facebook258.t35.com/
http://alb-facebook.tk/
http://nsafacebook.net/
http://cassiopea.no-ip.biz/home/webserver/fake/facebook/

Web Mail
Windows Live
http://soldado.is-the-boss.com/hotmail/login.srf.htm
http://hot4mail.freehostia.com/hotmail/login.srf.htm
http://hotmike.t35.com/login.srf.htm
http://www.themsn.com.ar/login.srf.htm
http://www.cervezabahb.com.ar/themsn/login.srf.htm
http://morad.eb2a.com/hotmail/login.srf.htm
http://azzam111.is-the-boss.com/hotmail_live/login.srf.htm
http://login.live.com.nsatc.net/

Yahoo!
http://ymailgroupz.t35.com/

AOL
http://pictureme.t35.com/

Related information
Phishing database V
Phishing database IV
Phishing database III
Phishing database II
Phishing database I
Website of the film Besouro compromised with phishing attacks against PayPal
Hooters Germany website compromised with HSBC phishing
Dissection of a fraudulent kit. Wachovia phishing attack


19.4.10

ZeuS on IRS Scam remains actively exploited

Updated 19.04.2010

A new wave of domains for the IRS scam employed by ZeuS is under way. So far we have detected only a few, but we believe that in the coming hours many more will begin to appear on the crime scene as part of this old strategy used by ZeuS.

The domains, as usual, have the following structure:

irs.gov.rewsserr.eu/fraud.applications/application/statement.php

From there the ZeuS binary is downloaded under the name tax-statement.exe (6898fb162ceaf75a7f3690d51b0e8967); detection: 36/40 (90.00%).
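The domain structure above puts the real IRS name in the leading labels while the registrable domain belongs to the attacker. The following is an added example, not the author's code, that separates the two parts of a hostname and flags entries that impersonate a brand domain this way; it also catches the variant further down the list where the brand name is buried in the URL path instead. The multi-label suffix table is a constructed subset covering the TLDs in this post, not the real Public Suffix List, and the sample list is constructed from entries on this page plus one legitimate IRS URL.

```python
"""Flag hostnames that impersonate a trusted domain by prefixing its labels.

Added example for the ZeuS IRS scam post; not the author's code. The suffix
table is a constructed subset, not the real Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes seen in the post's lists.
MULTI_LABEL_SUFFIXES = {"co.kr", "or.kr", "ne.kr", "co.uk"}


def split_entry(entry: str):
    """Return (lowercase hostname, path) for a URL; scheme-less entries accepted."""
    if "://" not in entry:
        entry = "http://" + entry
    parts = urlsplit(entry)
    return (parts.hostname or "").rstrip("."), parts.path


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname (e.g. 'yrxo.co.kr')."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess(entry: str, brand: str = "irs.gov") -> dict:
    """Classify one entry against the impersonated brand domain.

    prefix_spoof:  host starts with the brand's labels but is registered elsewhere
                   (the "irs.gov.<label>.<tld>" structure described in the post).
    brand_in_path: the brand name appears in the path rather than the host.
    """
    host, path = split_entry(entry)
    reg = registrable_domain(host)
    brand_labels = brand.lower().split(".")
    prefix_spoof = reg != brand and host.split(".")[: len(brand_labels)] == brand_labels
    return {
        "host": host,
        "registrable": reg,
        "legitimate": reg == brand,
        "prefix_spoof": prefix_spoof,
        "brand_in_path": brand.lower() in path.lower(),
    }


def triage(entries, brand: str = "irs.gov"):
    """Return the sorted set of attacker-controlled registrable domains."""
    hits = set()
    for entry in entries:
        result = assess(entry, brand)
        if result["prefix_spoof"] or result["brand_in_path"]:
            hits.add(result["registrable"])
    return sorted(hits)


# Constructed sample: entries from the post plus one legitimate IRS URL.
SAMPLE = [
    "irs.gov.rewsserr.eu/fraud.applications/application/statement.php",
    "irs.gov.yrxo.co.kr/fraud.applications/application/statement.php",
    "irs.gov.rewdpa.co.uk",
    "datalink.limewebs.com/www.irs.gov.newsroom.article.0.id=204335.00.html.portlet=6/refund.php",
    "https://www.irs.gov/",
]

if __name__ == "__main__":
    for item in SAMPLE:
        print(assess(item))
    print("attacker-controlled domains:", triage(SAMPLE))
```

The registrable domain is what a blocklist or takedown request should key on: the hundreds of "irs.gov.*" hosts in this post collapse to a much shorter list of attacker-registered names, while the prefix check never fires for anything genuinely under irs.gov.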

The other domains detected are:

irs.gov.rewssert.eu
irs.gov.rewsserx.eu
irs.gov.rewsserz.eu
irs.gov.rewsserr.be
irs.gov.rewsserx.be
irs.gov.rewsserz.be
irs.gov.ryuepoy.eu
irs.gov.ryuepoy.be
irs.gov.ryuepou.eu
irs.gov.ryuepou.be
irs.gov.ryuepoo.eu
irs.gov.ryuepoo.be
irs.gov.ryuepoi.eu
irs.gov.ryuepoi.be
irs.gov.rtadesrw.eu
irs.gov.pexxaz.vg

List of domains used

Updated 31.03.2010
The ZeuS campaign spreading the scam that alludes to the IRS, among others, is still very active. New domains are in the wild, spreading a variant of the ZeuS trojan.


irs.gov.eawsqa.pl/fraud.applications/application/statement.php
irs.gov.eawsqy.pl/fraud.applications/application/statement.php
irs.gov.eawsqu.pl/fraud.applications/application/statement.php

irs.gov.ewsqas.be
irs.gov.ewsqaz.be
irs.gov.ewsqaq.be
irs.gov.awsqaa.be
irs.gov.eawsqa.be
irs.gov.rewdpv.be
irs.gov.rewdpw.be
irs.gov.rewdpc.be
irs.gov.rewdpd.be
irs.gov.rewdpe.be

irs.gov.rewdpa.co.uk
irs.gov.rewdpq.co.uk
irs.gov.rewdpx.co.uk
irs.gov.rewdpz.co.uk
irs.gov.eawsqa.co.uk
irs.gov.eawsqe.co.uk
irs.gov.rewdps.co.uk
irs.gov.eawsqw.co.uk
irs.gov.eawsqt.co.uk
irs.gov.eawsqq.co.uk
irs.gov.eawsqr.co.uk

This variant of the trojan, which spreads under the name tax-statement.exe (6898fb162ceaf75a7f3690d51b0e8967), has a high detection rate.

ZeuS IRS Scam update list 31.03.2010


Updated 27.02.2010
irs.gov.wannafilez.org/fraud.applications/application/statement.php
irs.gov.wannafilez.net/fraud.applications/application/statement.php
irs.gov.wannafiles.org/fraud.applications/application/statement.php
irs.gov.wannafile.org/fraud.applications/application/statement.php
irs.gov.mobfilez.org/fraud.applications/application/statement.php
irs.gov.milesfiles.net/fraud.applications/application/statement.php
irs.gov.mobfiles.org/fraud.applications/application/statement.php
irs.gov.ffilez.org/fraud.applications/application/statement.php
irs.gov.diggafilez.org/fraud.applications/application/statement.php
irs.gov.ffilez.net/fraud.applications/application/statement.php
irs.gov.fastgilez.org/fraud.applications/application/statement.php
irs.gov.diggafilez.net/fraud.applications/application/statement.php


ZeuS IRS Scam update list 27.02.2010

Updated 24.02.2010. More domains used by ZeuS for its infection campaign under the IRS logo, with the same Drive-by-Download.

irs.gov.msdrv-v1.tk/fraud.applications/application/statement.php
irs.gov.yrxo.kr/fraud.applications/application/statement.php
irs.gov.yrxo.or.kr/fraud.applications/application/statement.php
irs.gov.yrxo.co.kr/fraud.applications/application/statement.php
irs.gov.yrxo.kr/fraud.applications/application/statement.php
irs.gov.yrxo.ne.kr/fraud.applications/application/statement.php
irs.gov.yrxs.or.kr/fraud.applications/application/statement.php
irs.gov.yrxc.kr/fraud.applications/application/statement.php
irs.gov.yrxc.or.kr/fraud.applications/application/statement.php
irs.gov.yrxc.ne.kr/fraud.applications/application/statement.php
irs.gov.yrxc.co.kr/fraud.applications/application/statement.php
irs.gov.yrxs.co.kr/fraud.applications/application/statement.php
irs.gov.yrxs.kr/fraud.applications/application/statement.php
irs.gov.yrxs.ne.kr/fraud.applications/application/statement.php


Updated 20.02.2010

The ZeuS creators have launched a new infection campaign using as cover a fake notification purportedly issued by the U.S. IRS (Internal Revenue Service), through which a variant of the trojan (MD5: 14FBCE4A3F67E46B18308AC6824B2A00), responsible for recruiting zombies, is spread. It has a high detection rate.

In addition, an iframe tag pointing to the address hxxp://109.95.114.251/usa50/in.php is injected into the page's source code, triggering a Drive-by-Download attack.

The domains involved in this new campaign are:

irs.gov.desa.ne.kr/fraud.applications/application/statement.php
irs.gov.desa.or.kr/fraud.applications/application/statement.php
irs.gov.desa.kr/fraud.applications/application/statement.php
irs.gov.desa.co.kr/fraud.applications/application/statement.php
irs.gov.desz.or.kr/fraud.applications/application/statement.php
irs.gov.desz.ne.kr/fraud.applications/application/statement.php
irs.gov.desz.kr/fraud.applications/application/statement.php
irs.gov.desz.co.kr/fraud.applications/application/statement.php
irs.gov.desv.kr/fraud.applications/application/statement.php
irs.gov.deso.or.kr/fraud.applications/application/statement.php
irs.gov.deso.kr/fraud.applications/application/statement.php
irs.gov.desb.or.kr/fraud.applications/application/statement.php
irs.gov.desb.ne.kr/fraud.applications/application/statement.php
irs.gov.desb.kr/fraud.applications/application/statement.php
irs.gov.desb.co.kr/fraud.applications/application/statement.php
irs.gov.edase.kr/fraud.applications/application/statement.php
irs.gov.edasa.kr/fraud.applications/application/statement.php
irs.gov.edasa.co.kr/fraud.applications/application/statement.php
irs.gov.edasa.ne.kr/fraud.applications/application/statement.php
irs.gov.edase.ne.kr/fraud.applications/application/statement.php
irs.gov.edasq.or.kr/fraud.applications/application/statement.php
irs.gov.edasq.co.kr/fraud.applications/application/statement.php
irs.gov.edasq.ne.kr/fraud.applications/application/statement.php
irs.gov.ersm.or.kr/fraud.applications/application/statement.php
irs.gov.edasn.kr/fraud.applications/application/statement.php
irs.gov.ersa.or.kr/fraud.applications/application/statement.php
irs.gov.ersm.co.kr/fraud.applications/application/statement.php
irs.gov.edasq.kr/fraud.applications/application/statement.php
irs.gov.ersq.co.kr/fraud.applications/application/statement.php
irs.gov.edase.co.kr/fraud.applications/application/statement.php
irs.gov.edasn.or.kr/fraud.applications/application/statement.php
irs.gov.ersq.kr/fraud.applications/application/statement.php
irs.gov.edasa.or.kr/fraud.applications/application/statement.php
irs.gov.ersm.ne.kr/fraud.applications/application/statement.php
irs.gov.edase.or.kr/fraud.applications/application/statement.php
irs.gov.ersm.kr/fraud.applications/application/statement.php
irs.gov.edasn.ne.kr/fraud.applications/application/statement.php
irs.gov.ersw.kr/fraud.applications/application/statement.php
irs.gov.erst.ne.kr/fraud.applications/application/statement.php
irs.gov.ersw.or.kr/fraud.applications/application/statement.php
irs.gov.erst.kr/fraud.applications/application/statement.php
irs.gov.erst.or.kr/fraud.applications/application/statement.php
irs.gov.ersq.or.kr/fraud.applications/application/statement.php


Original 14.02.2010
Last year (2009) we saw several scams propagated as an attack strategy by ZeuS, alluding to the IRS (Internal Revenue Service), an agency of the United States Department of the Treasury, through which a variant of the ZeuS trojan family was disseminated.

Today, this same strategy is being actively exploited in another campaign of domains registered with fake names similar to the real IRS page, which spread a new ZeuS trojan variant; it is clear that the aim is to recruit zombies so that its already extensive network keeps growing. Here we can see a screenshot of the new scam.

The message refers to an alleged tax statement attached to it, which, according to the same message, must be downloaded and run to view the statement.

In this stage of the deception, a binary called tax-statement.exe (9F0F75BA042B3CB0471749EC2416945B) is downloaded; it has a very acceptable level of detection by antivirus engines, being detected by 37 of 40.

The domains involved in this campaign are:

irs.gov.rep073.co.kr/fraud.applications/application/statement.php
irs.gov.rep021.co.kr/fraud.applications/application/statement.php
irs.gov.rep023.co.kr/fraud.applications/application/statement.php
irs.gov.rep022.co.kr/fraud.applications/application/statement.php
irs.gov.rep023.or.kr/fraud.applications/application/statement.php
irs.gov.rep021.or.kr/fraud.applications/application/statement.php
irs.gov.rep022.or.kr/fraud.applications/application/statement.php
irs.gov.rep022.ne.kr/fraud.applications/application/statement.php
irs.gov.rep021.ne.kr/fraud.applications/application/statement.php
irs.gov.rep022.kr/fraud.applications/application/statement.php
irs.gov.rep023.kr/fraud.applications/application/statement.php
irs.gov.rep021.kr/fraud.applications/application/statement.php
datalink.limewebs.com/www.irs.gov.newsroom.article.0.id=204335.00.html.portlet=6/refund.php

You can download the list of domains used by ZeuS for the IRS scam at the following link:

ZeuS IRS Domains

ZeuS presents a wide range of domain names according to its propagation strategies, and throughout its time in the wild many strategies have been seen and used to obtain financial information of all kinds from victims' computers.

Undoubtedly, ZeuS is the "creme de la creme" of crimeware of its kind.

Related information
Zeus and the theft of sensitive information
Leveraging ZeuS to send spam through social networks
ZeuS Botnet and its zombie-recruiting power
ZeuS, spam and SSL certificates
Effectiveness of antivirus against ZeuS
Special!!! ZeuS Botnet for Dummies
Botnet. Hardening in the new version of ZeuS
Fusion. A concept adopted by current crimeware
ZeuS Carding World Template. (...) the face of the botnet
Financial institutions targeted by the botnet Zeus. Part two
Financial institutions targeted by the botnet Zeus. Part one
LuckySploit, the right hand of ZeuS
Botnet Zeus. Mass propagation of his Trojan. Part two
Botnet Zeus. Mass propagation of his Trojan. Part one

Jorge Mieres


18.4.10

ad_1_.jpg. More about Aurora Attack

In this post we'll try to run Aurora as a non-administrative user, and debug ad_1_.jpg, which was used by the attackers right after the attack.

Well, after not being able to unpack msconfig32.sys, I was very curious about the other files in the attack, and thought maybe they would give me clues about msconfig32.sys and a way of unpacking it.

I looked into the US-CERT advisory regarding the Aurora attack and saw an interesting file named ad_1_.jpg, with no explanation of what it does; the advisory says the file is XOR'd with 0x95, but nothing else:

The original advisory looked like this:



So it got me curious. I got the file from my friends at MalwareIntelligence, where I also write.

It took me a while to get from the file in the advisory to the original file. The problem was that I didn't know how this file got dropped, which made it hard to find out how the attacker opened it on the victim's computer. It wouldn't have mattered much if the file weren't also packed with another packer (UPX), but it was, so every byte had to be restored exactly as in the original.


I worked out how to de-XOR it correctly (every byte that is not 0x00 or 0x95 is XORed with 0x95); the Python algorithm for it is attached:
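The author's script is not reproduced on this page, so the following is an added example (not the author's code) of the decoding rule just described: bytes 0x00 and 0x95 are left alone, everything else is XORed with 0x95. It also sniffs the decoded bytes for a PE header so the result can be checked against the file's claimed extension, which is the point of the ".jpg that is really an executable" observation. The sample payload is constructed (a few fake PE-like bytes), not the real ad_1_.jpg.

```python
"""De-XOR a payload obfuscated with the rule described in the post.

Added example, not the author's script. Rule: every byte that is not 0x00 and
not 0x95 is XORed with 0x95; 0x00 and 0x95 are kept as they are.
"""
import os
from pathlib import Path

KEY = 0x95


def dexor(data: bytes, key: int = KEY) -> bytes:
    """Apply the selective XOR. Because 0x00 and the key are fixed points and
    every other byte maps to a byte that is neither 0x00 nor the key, the
    transform is its own inverse: dexor(dexor(x)) == x."""
    return bytes(b if b in (0, key) else b ^ key for b in data)


def dexor_file(src: str, dst: str, key: int = KEY) -> int:
    """Decode a file on disk and return the number of bytes written."""
    decoded = dexor(Path(src).read_bytes(), key)
    Path(dst).write_bytes(decoded)
    return len(decoded)


def sniff_type(data: bytes) -> str:
    """Identify the real container from magic bytes, ignoring the extension."""
    if data[:2] == b"MZ":
        return "PE executable"
    if data[:3] == b"\xff\xd8\xff":
        return "JPEG"
    return "unknown"


# Expected container per extension; anything else is a mismatch worth a look.
EXPECTED_BY_EXT = {
    ".exe": "PE executable",
    ".dll": "PE executable",
    ".sys": "PE executable",
    ".jpg": "JPEG",
    ".jpeg": "JPEG",
}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a known type but the content disagrees."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_BY_EXT.get(ext)
    return expected is not None and sniff_type(data) != expected


# Constructed sample: a fake PE-like header containing 0x00 and 0x95 bytes,
# obfuscated with the same rule (the rule is an involution, so one call encodes).
SAMPLE_PLAIN = b"MZ\x90\x00\x03\x00\x00\x00\x95UPX0"
SAMPLE_OBFUSCATED = dexor(SAMPLE_PLAIN)

if __name__ == "__main__":
    print("obfuscated looks like:", sniff_type(SAMPLE_OBFUSCATED))
    recovered = dexor(SAMPLE_OBFUSCATED)
    print("decoded looks like:   ", sniff_type(recovered))
    print("ad_1_.jpg mismatch?   ", extension_mismatch("ad_1_.jpg", recovered))
```

Because the transform is self-inverse, the same function both produces test data and decodes real samples; a hash of the output (for example MD5 via hashlib) can then be compared with the value in the advisory or VirusTotal before any further unpacking.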



After unpacking the file to the original (inside the UPX), I uploaded it to VirusTotal and saw the file had been analyzed at the beginning of February (now, 36 out of 40 antivirus engines catch it).


So I had in mind that the file might already have been analyzed, and after analyzing it myself I saw that the reports I had read were about this file (service creation name, querying important files such as rasmon.dll). So people have already analyzed it for us, and I get to save time.


I also wanted to check two interesting things:

1. Why a BAT file was used in the attack (and what it did).

2. Can the attack run as a simple user (not admin)?


The answer to 1 was simple (the file name was c:\windows\DFS.bat); after some quick reverse-engineering tricks you can get its contents before it's deleted:



The batch file is supposed to run in a loop and wait for the handle that holds the exe to be released so it can be deleted. If it isn't deleted, it tries again. After the file is deleted (it uses a dynamic name, which is why it's running from my desktop [on a VM]), it deletes the bat file itself. Actually it's a nice trick to verify deletion of the exe after it's done executing, because deleting the exe from within the exe itself will not succeed without some trick (the handle will be locked).

A little tip for this module-writer would be: next time use /f on the del command, it might give you better chances :P

2. Did it work as a non-administrative user? It didn't work as a normal user and didn't try to use any kind of privilege escalation while I was testing it. It also failed to make changes in the registry and to drop files in c:\windows.

I didn't test it too much because of what I said above (it has already been tested by others), but from regular behavior-check tests, it didn't work as a non-administrative user.

What can we learn from 2? That if Google had used proper user rights on their computers, the initial installation of Aurora wouldn't have worked. It appears that a non-admin user would have been enough, since the exploit the attackers used runs remote code as the user who runs Internet Explorer.

Regarding msconfig32.sys? Well... I've tried to apply my unpacker to do the same here; it hasn't gone quite well yet, but I still have hope for this one :). As for McAfee, I wouldn't say it's not related to the attack; I actually think it is:

Two patterns that we see here:

1. Both files used some kind of repeating XOR in every section of the file.

2. Both files used a different extension from what they really were.


Under this scenario I'd say they are related and from the same authors of the attack. Sorry McAfee.

If it were up to me, I would suggest US-CERT put msconfig32.sys back in their advisory.

Follow me on twitter under @ihackbanme :)

Itzhak Avraham
Malware Researcher at MalwareIntelligence


3.4.10

Phishing Database V

Financial and banking institutions
HSBC (http://www.hsbc.com)
http://www.ellerencontre.com//forum/add/verify/HSBCINTEGRATIONCAM10jsessionid=00001DwpIt0wIyX1arHd6K8mQB6URL=hsbc.MyHSBCpib/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://www.mygrowshop.com/GiantSolutions/includes/hsbc.co.uk/HSBCINTEGRATIONCAM10;js/Register%20forInternetBanking/IBlogin.html
http://www.wings-of-germany.de/language/IBlogin.html
http://www.sugardaddy-match.com/wages/IBlogin.html
http://stalamsink.carpfun.nl/upgrade/IBlogin.html
http://www.taosmotors.net/wages/IBlogin.html
http://werlondik.com/brhsbc.co.uk/1/index.php
http://werlondik.com/security.hsbc.co.uk/1/index.php
http://holetyx.com/hssbc.co.uk/1/index.php
http://ballmeon.com/hhsbc.co.uk/1/index.php
http://derbysik.com/brhsbc.co.uk/1/index.php
http://www.janefrancesphotography.net/images/large/families/IBlogin.html
http://www.academy-uk.net/academy/teacher/images/IBlogin.html
http://lamourencouleurs.fr/emailimages/eefs/verify/HSBCINTEGRATIONCAM10jsessionid=00001DwpIt0wIyX1arHd6K8mQB6URL=hsbc.MyHSBCpib/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://hsbc-online.etvx.info/1/2/HSBCINTEGRATION/CAM10;jsessionid=0000tva9NQkofu4NIM7pUel5Tvn11j5bfvduIDV_URL=hsbc.MyHSBC_pib/index.html
http://palizada.org/images/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://www.mytime-jewelry.com//administrator/components/com_virtuemart/IBlogin.html
http://www.beavertonletip.com/IBlogin.html
http://www.diningonthego.com/wages/IBlogin.html
http://www.webseomarketing.com/wages/IBlogin.html
http://werlondik.com/brhsbc.co.uk/1/index.php
http://werlondik.com/security.hsbc.co.uk/1/index.php
http://holetyx.com/security.hsbc.co.uk/1/index.php
http://teachers-corner.co.uk/wp-includes/images/smilies/_notes/IBlogin.html
http://ynzal.com/catalog/images/gds/hsbc=HSBCINTEGRATION;jsessionid=0000BZUYYF_dAUw4Iqqlvb4F3RR/index.php
http://www.artbyonlineoriginals.com/images/mail/IBlogin.htm
http://online-credit-repair-info.com/images/IBlogin.html
http://hsbc-online.at-le-bar.com/1/2/HSBCINTEGRATION/CAM10;jsessionid=0000tva9NQkofu4NIM7pUel5Tvn11j5bfvduIDV_URL=hsbc.MyHSBC_pib/index.html
http://www.londontaxis.info/wages/IBlogin.html
http://iomtt.com.ar/hsbc-online//1/2/HSBCINTEGRATION/CAM10;jsessionid=0000tva9NQkofu4NIM7pUel5Tvn11j5bfvduIDV_URL=hsbc.MyHSBC_pib/index.html
http://hsbc.gaadi.eu/1/2/HSBCINTEGRATION/CAM10;jsessionid=0000tva9NQkofu4NIM7pUel5Tvn11j5bfvduIDV_URL=hsbc.MyHSBC_pib/index.html
http://hsbc.mobilenew.co.uk/1/2/HSBCINTEGRATION/CAM10;jsessionid=0000tva9NQkofu4NIM7pUel5Tvn11j5bfvduIDV_URL=hsbc.MyHSBC_pib/index.html
http://hsbc-online.fitnessage.com.sg/1/2/HSBCINTEGRATION/CAM10;jsessionid=0000tva9NQkofu4NIM7pUel5Tvn11j5bfvduIDV_URL=hsbc.MyHSBC_pib/index.html
http://hsbc-online.urtava.com/1/2/HSBCINTEGRATION/CAM10;jsessionid=0000tva9NQkofu4NIM7pUel5Tvn11j5bfvduIDV_URL=hsbc.MyHSBC_pib/index.html
http://johnbarresi.com.au//proeye/proeye2/hsbcbankuk/index.html
http://aspiration.centrale.free.fr/custom/include/index.html
http://lloydsite.org/ib/CAM10-jsessionid=000026MQ7KnXUxsKmiYKszFUkGJ12c58ti63.htm
http://www.oranaarts.com/files/hsbc.onlinebanki/index.htm
http://www.sueoverton.com//mambots/editors/tinymce/jscripts/tiny_mce/editorial.html
http://leverx.ru/hsbcbankuk/index.html
http://gcitizen.org/wp-includes/images/crystal/IBlogin.html
http://jeanjacquesestager.free.fr/_private/IBlogin.php
http://brabantbusinessclub.be/uploads/images/employees/IBlogin.html

ICICI Bank (www.icicibank.com)
http://mrquibble.com/sqladmin/themes/original/img/onlineverification.do/indexx.html

Banco Do Brasil (www.bb.com.br)
http://www.portalbancodobrasilnet.com/portalbb/aapf/login/index.bb

Bradesco (www.bradesco.com.br)
http://www.badminton.hr/logs/bradescorecadastramento.com.br/?http://www.bradesco.com.br
http://www.sodagri.net/Bradesco.com.br/scripts/ib2k1.dll/LOGIN.php
http://www.neetbankingg.com/desco/log/site/
http://simbrasegu.dominiotemporario.com/Bradesco/LOGIN.php

NAB - National Australia Bank (www.nab.com.au)
http://www.jbngems.com/editors/nab/

BBVA (www.bbva.com)

Bank of America (http://www.bankofamerica.com)

Wells Fargo (www.wellsfargo.com)

ING Direct (www.ingdirect.com)

KeyBank (https://www.key.com)

MasterCard (www.mastercard.com)

NedBank (www.nedbank.co.za)

FNB - First National Bank (www.fnb.co.za)
The same website hosts a second phishing package, this one aimed at another South African bank: FNB.


Standard Bank (www.standardbank.com)

Poste Italiane (www.poste.it)

CartaSI (www.cartasi.it)

Interbank (www.interbank.com.pe)

SunTrust (www.suntrust.com)

National City (www.nationalcity.com)

egg (http://www.egg.com)


E-Commerce
PayPal (https://www.paypal.com)

eBay (www.ebay.com)


Online Games
World of Warcraft (www.worldofwarcraft.com)

Social Networks
Orkut (www.orkut.com)

Facebook (www.facebook.com)

Web Mail
Windows Live (http://login.live.com)

Related information
Phishing database IV
Phishing database III
Phishing database II
Phishing database I
Besouro film website violated, PayPal phishing attacks
Web Hooters Germany committed to phishing HSBC
Dissection of a fraudulent package. Wachovia phishing attack

Jorge Mieres

2.4.10

Besouro film website violated, PayPal phishing attacks

The website of the Brazilian film that tells the story of the capoeirista Besouro (a very good film, by the way :-)) has been compromised and now contains a clone of the PayPal website.

Previously we mentioned that the Hooters Germany website had been the victim of a similar attack.

In this case, as we can see, the site runs a WordPress blog, and this is perhaps the weak point through which the attacker managed to upload the illegal content.

What the site actually hosts is a phishing attack against PayPal, whose image is shown below:

Although the site hosts no malicious content other than the phishing page in question, that does not mean the attacker could not also have hosted malicious code or phishing packages targeting other entities.

For this reason it is essential to review the site's security configuration and to audit the site regularly, so that harmful activity of this kind is detected early.

Related information
Web Hooters Germany committed to phishing HSBC
Phishing Database IV
New phishing campaign against Facebook led by Zeus
Phishing campaign aimed at players Zynga
New ZeuS phishing campaign against Google and Blogger
Facebook & VISA phishing campaign proposed by ZeuS
Dissection of a fraudulent package. Wachovia phishing attack

Jorge Mieres