Category: Network & Security

2012-01-18 15:24:54


Investigating "Info.zip" mal-spam campaign
We're seeing a large number of spam emails advertising links ending in:

"/Info.zip?" followed by some parameters, e.g., n=033-5834, id=4561392, 1091-2905, etc.


The spam message arrives in a variety of different languages, presumably attempting to guess the native language of the recipient and/or evade spam detection. The order ID used in the subject, message, and link varies in every message, again to evade spam detection. The messages translate to:

"Your order has been accepted.
Id Order 1947-210.
Terms of delivery and the date can be found in the self-generated MSWord file."

The ZIP is detected by a few A/V vendors, for example:
MD5: 30b9a90029e129a6114dae7bce8a15c6
(11/41)

Once unzipped the Trojan appears as an 83 character filename:
Info.Doc_________~snip~__________.exe
MD5: 19f6d8f565d465f3ee9c03881cbc3893
(12/43)

From what we've seen so far, the MD5 of the malware samples is the same for every sample. The binary executable is UPX packed, and drops "5ee2fffe0001a11d.exe" (or a similar hexadecimal filename) into the user's temp directory, where it is set to run at startup. It then checks in:

POSTing infection details to:
hxxp://heppishopdrm.ru/stat/image.php

And retrieving an update from:
hxxp://
MD5: 4d02fbd17529a1fc867d991c6fd22b61
(28/42) - goes by a few names: Trojan Lebag, Graftor.
This update checks into duffiduffii.ru/dbs/logo90.php, likely for an encrypted config:

We have seen these sites utilize five IPs in round-robin with a short TTL of 300 (fast-flux). IPs seen so far, include:
67.40.211.116 (AS209 - QWEST)
60.19.30.135 (AS4837 - CN UNICOM-LN)
218.24.113.3 (AS4837 - CN UNICOM-LN)
205.185.117.149 (AS18779 - PONYNET)
82.210.157.9 (AS12476 - ASTERCITYNET)
122.194.5.110 (AS4837 - CN UNICOM-LN)

Many of the IPs show a recent history of C&C abuse for cyber-crime (Zeus and SpyEye).
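The round-robin behaviour described above (several answers from unrelated ASNs, each with a 300-second TTL) is the classic fast-flux signature. The following is an added example, not part of the original post, that scores passive-DNS style observations per domain; the answer records are constructed for illustration, reusing the IPs and ASNs quoted above, and the thresholds are assumptions to tune for your own environment.

```python
from collections import defaultdict

# Constructed DNS observations: (domain, answer IP, origin ASN, TTL).
# The heppishopdrm.ru rows model the round-robin answers described in the post;
# the example.* rows are constructed benign controls (RFC 5737 addresses).
SAMPLE_ANSWERS = [
    ("heppishopdrm.ru", "67.40.211.116", "AS209", 300),
    ("heppishopdrm.ru", "60.19.30.135", "AS4837", 300),
    ("heppishopdrm.ru", "218.24.113.3", "AS4837", 300),
    ("heppishopdrm.ru", "205.185.117.149", "AS18779", 300),
    ("heppishopdrm.ru", "82.210.157.9", "AS12476", 300),
    ("heppishopdrm.ru", "122.194.5.110", "AS4837", 300),
    # single stable answer, long TTL: not flux-like
    ("example.org", "203.0.113.10", "AS64500", 86400),
    # CDN-style name: several IPs but one ASN and a longer TTL
    ("cdn.example.net", "198.51.100.1", "AS64501", 3600),
    ("cdn.example.net", "198.51.100.2", "AS64501", 3600),
    ("cdn.example.net", "198.51.100.3", "AS64501", 3600),
]


def fast_flux_score(answers, max_ttl=300, min_ips=3, min_asns=2):
    """Group DNS answers per domain and flag those that look fast-flux-like.

    A domain is flagged when its lowest observed TTL is at or below max_ttl
    AND it resolved to at least min_ips distinct addresses spread over at
    least min_asns distinct ASNs. Requiring ASN diversity keeps ordinary
    round-robin or CDN records (many IPs, one provider) from matching.
    Thresholds are assumed defaults, not values from the original post.
    """
    by_domain = defaultdict(list)
    for domain, ip, asn, ttl in answers:
        by_domain[domain].append((ip, asn, ttl))

    results = {}
    for domain, recs in by_domain.items():
        ips = {ip for ip, _, _ in recs}
        asns = {asn for _, asn, _ in recs}
        min_ttl = min(ttl for _, _, ttl in recs)
        results[domain] = {
            "ips": len(ips),
            "asns": len(asns),
            "min_ttl": min_ttl,
            "fast_flux": (min_ttl <= max_ttl
                          and len(ips) >= min_ips
                          and len(asns) >= min_asns),
        }
    return results


if __name__ == "__main__":
    for name, info in fast_flux_score(SAMPLE_ANSWERS).items():
        print(name, info)
```

Feeding real passive-DNS data through the same function lets you pivot from the domains in this post to other names sharing the same flux infrastructure.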

The malware domains were recently registered and currently utilize the nameservers:
ns1.locatormate.net
ns1.anzbankingnz.net
Both currently point to 108.59.35.213 (AS32413 - North Texas Connect); this IP has an October 2011 Spamhaus SBL advisory related to SpyEye. Other domains using these nameservers should be treated as suspicious/malicious.

The "familytindoor.net" domain was recently registered with the following registrant information and Gmail address:

Here's a list of what we have seen spammed out so far related to this campaign (most/all of these are not yet in any blacklist and appear to be compromised sites):

I will make updates to this post as I continue my analysis.
