Clicky
Last visit was: Fri Jul 04, 2014 7:20 pm
It is currently Fri Jul 04, 2014 7:20 pm

//session trojan Zbot


All times are UTC - 5 hours [ DST ]


 [ 26 posts ]  Go to page 1, 2  Next
Author Message
 PostPosted: Wed Aug 24, 2011 3:44 am   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Found in large spammimg runs, a series of URLs in the form

hxxp//:session99599080480050.permitfg.com/confirm/req/
hxxp://session98960786197613.pmstdl.com/confirm/req/
hxxp://session98204351586916.downtohole.com/confirm/req/
hxxp://session00239061301752.fileuplarc.com/confirm/req/

The 14 digit number varies.

permitfg.com Registrar: PAKNIC (PRIVATE) LIMITED
pmstdl.com Registrar: REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER [Client Hold]
downtohole.com Registrar: PAKNIC (PRIVATE) LIMITED
fileuplarc.com Registrar: PLANETDOMAIN PTY LTD.

The URL loads a spoofed Facebook login page complete with the Facebook favicon.
The page contains:
Quote:
Facebook Login
Your version of Macromedia Flash Player is too old to continue. Download and install the latest version of Adobe Flash Player.

If you click on the link to download "updateflash.exe" you are downloading the dangerous Zbot trojan. The primary payload of Trojan:W32/Zbot variants focuses on stealing online banking information.


A few samples from over 2000 I have seen in the past week
Code:
session97698057793601.downtohole.com/confirm/req/
session97728784838062.downtohole.com/confirm/req/
session99427076617378.fileuplarc.com/confirm/req/
session99485503555366.fileuplarc.com/confirm/req/
session99525797920572.downtohole.com/confirm/req/
session99916841992131.downtohole.com/confirm/req/
session99932245150373.fileuplarc.com/confirm/req/
session99960289962058.fileuplarc.com/confirm/req/


The domains run on the same botnet, too:

fileuplarc.com has address 66.159.180.140
fileuplarc.com has address 71.217.16.172
fileuplarc.com has address 83.221.72.119
fileuplarc.com has address 114.134.131.217
fileuplarc.com has address 178.24.192.186
fileuplarc.com has address 217.50.208.61

downtohole.com has address 66.159.180.140
downtohole.com has address 71.217.16.172
downtohole.com has address 83.221.72.119
downtohole.com has address 114.134.131.217
downtohole.com has address 178.24.192.186
downtohole.com has address 217.50.208.61

permitfg.com has address 62.42.16.182
permitfg.com has address 82.158.170.45
permitfg.com has address 83.138.205.124
permitfg.com has address 85.85.109.1
permitfg.com has address 94.223.194.61
permitfg.com has address 201.173.234.222


Top
 Profile WWW  
 PostPosted: Wed Aug 24, 2011 4:40 am   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Name servers used to resolve access to the Zbot trojan distributors

ns1.lareconexiondelser.net - with sponsor = Registrar: GANDI SAS
ns1.remiann.net - with sponsor = Registrar: MESH DIGITAL LIMITED

IP addresses used for name servers and contact for the owner responsible
ns1.lareconexiondelser.net 67.222.139.64
ns1.remiann.net 67.222.139.64

> COLO4 - Colo4Dallas LP - complain to:[email protected]


Top
 Profile WWW  
 PostPosted: Wed Aug 24, 2011 11:56 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
ns1.remiann.net has been severed from a botnet that is running the Facebook exploit. Its domain registration record was changed today to show that remiann.net no longer provides its own DNS; ns1.remiann.net has been providing a fast-flux botnet's DNS for several months at least. My occasional remarks about it are at
http://www.mywot.com/en/forum/13208-rul ... l-a-botnet


Quote:
The 14 digit number varies.
Trend Micro is suggesting that the number is randomly generated so that each message, or each small set of messages, has a different number in the domain name field of the URLs in the fraudulent "friend requests". I saw that mentioned at
http://www.mywot.com/en/forum/15454--zb ... h-facebook


Top
 Profile  
 PostPosted: Wed Aug 24, 2011 4:37 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
One of the name servers has been suspended. Credit goes to the responsible registrar.
http://legacytools.dnsstuff.com/tools/t ... ainterator
Server Response Time
ns1.lareconexiondelser.net [67.222.139.64] 200.125.77.157 201.173.234.222 217.216.121.104 46.37.84.93 77.27.251.129 83.138.205.124 85.180.161.105 87.182.77.214 11ms
ns1.remiann.net [0.0.0.0] Timeout
Mesh Digital wrote:
Thanks for getting in touch and bringing this to our attention; I can confirm that the domain remainn.net is now disabled and the user's account is under investigation. Apologies for any inconvenience that this caused.

If you need anything further, please do let me know.

Kind Regards, April



Top
 Profile WWW  
 PostPosted: Thu Aug 25, 2011 10:47 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
ns1.lareconexiondelser.net has just been rehosted to IP 178.162.250.46 on the Leaseweb Germany GmbH network where it continues to provide DNS for the botnet's domains. :(

Both fileuplarc.com and wungrp.com have been suspended (Status: clientHold; Name Server: No nameserver) by their domain registrar PLANETDOMAIN PTY LTD. :)

[Edit: Update]
And later the same day, both downtohole.com and permitfg.com have been suspended (Status: clientHold; Name Server: No nameserver) by their domain registrar PAKNIC (PRIVATE) LIMITED :D


Top
 Profile  
 PostPosted: Fri Aug 26, 2011 8:38 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
permitds.com is running a suite of the botnet's phishing scams and malware including the fake Facebook friend request. I saw that it was reported at PhishTank
http://www.phishtank.com/phish_detail.p ... id=1260995
http://www.phishtank.com/phish_detail.p ... id=1260992
(Although PhishTank may show the site as being "offline" the scam is currently online. PhishTank sometimes will falsely mark a dangerous malware site offline, probably to discourage its unprepared volunteers from inspecting it.)

In addition to the previously identified ns1.lareconexiondelser.net, the botnet's DNS has now begun to be provided by

ns1.livingbebtfree.net - with sponsor = Registrar: MESH DIGITAL LIMITED
(currently hosted at IP 178.162.250.46 by Leaseweb Germany GmbH)


Top
 Profile  
 PostPosted: Sat Aug 27, 2011 4:57 am   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
The URL in spam has this format:
Code:
session95881394976189.permitds.com/confirm/req/
session96189520992562.permitds.com/confirm/req/
session96711780993499.permitds.com/confirm/req/


Top
 Profile WWW  
 PostPosted: Sun Sep 04, 2011 5:51 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
[Edit: When I first posted this comment, I erroneously stated that pubident.com had been suspended. However, I see that it is still active as I post this correction. I apologize for the mistake.]

For the past several days pubident.com has been running a suite of the same botnet's phishing scams and malware including the fake Facebook friend request. I haven't yet come across any in-the-wild examples of the botnet's exploits using permitds.com so I cannot say whether its chief target is Facebook this time. (Perhaps others will post a few examples to this thread.) However, the earliest indication of a scam by pubident.com that I have found was a Facebook exploit reported by malwareurl.com.

The sole DNS provider for pubident.com is ns1.lareconexiondelser.net (IP 173.236.84.186, hosted by SingleHop); the other published DNS was ns1.livingbebtfree.net which very likely had been disabled before the scam(s) commenced.


Top
 Profile  
 PostPosted: Mon Sep 05, 2011 6:06 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
The following write-up might describe the same exploit that is being discussed in this thread.
http://www.theregister.co.uk/2011/08/30 ... us_trojan/


Top
 Profile  
 PostPosted: Mon Sep 05, 2011 11:59 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
pubident.com
1. fails to resolve according to dnsstuff traversal, with name servers down:
http://legacytools.dnsstuff.com/tools/t ... ainterator
ns1.lareconexiondelser.net [0.0.0.0] Timeout
ns1.livingbebtfree.net [0.0.0.0] Timeout

2. Has 95% failure rate around the world using host-tracker

3. Has 100% resolution failure at squish.net
Results
16.7% No such domain (NXDOMAIN) at ns1.domainmonster.com (109.68.33.100)
While querying ns1.livingbebtfree.net/IN/A
16.7% No such domain (NXDOMAIN) at ns2.domainmonster.com (109.68.33.102)
While querying ns1.livingbebtfree.net/IN/A
16.7% No such domain (NXDOMAIN) at ns3.domainmonster.com (69.25.32.3)
While querying ns1.livingbebtfree.net/IN/A
25.0% Query timed out at ns1.lareconexiondelser.net (173.236.84.186)
While querying ns1.lareconexiondelser.net/IN/A
25.0% Query timed out at ns2.lareconexiondelser.net (181.123.51.158)
While querying ns1.lareconexiondelser.net/IN/A

The domain itself looks untouched
Domain Name: PUBIDENT.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Name Server: NS1.LARECONEXIONDELSER.NET
Name Server: NS1.LIVINGBEBTFREE.NET
Status: ok
Updated Date: 26-aug-2011

Previous IP addresses used for pubident.com
62.42.22.10
77.180.251.245
77.208.33.201
77.209.128.203
77.210.156.231
77.210.156.82
81.184.231.198
81.9.174.10
82.158.200.71
84.123.147.146
84.123.88.225
84.124.229.71
84.127.187.220
85.152.183.24
85.219.92.112
85.84.60.87
87.111.107.8
95.18.51.114
95.18.51.143
122.218.13.29
178.24.228.175
188.171.0.164
200.125.77.157
212.225.216.63
213.60.168.21
213.60.64.164
217.184.245.130
217.216.120.158


Top
 Profile WWW  
 PostPosted: Tue Sep 06, 2011 9:51 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
pubident.com appears to be suspended now:

Domain Name: PUBIDENT.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.LARECONEXIONDELSER.NET
Name Server: NS1.LIVINGBEBTFREE.NET
Status: clientHold
Status: clientTransferProhibited
Updated Date: 06-sep-2011
Creation Date: 23-aug-2011
Expiration Date: 23-aug-2012

Surprisingly, the site's DNS report that is provided at its domain registrar's site http://www.paknic.com/Whois.aspx doesn't yet show any 06-sep-2011 update.

I would still be concerned about ns1.lareconexiondelser.net which has returned to IP 67.222.139.64 where it, along with ns1.remiann.net, earlier provided DNS for several of the botnet's domains. As far as I can tell, ns1.lareconexiondelser.net has only provided DNS for its own domain and for the botnet's malware-laden domains.


Top
 Profile  
 PostPosted: Tue Sep 06, 2011 6:24 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Quote:


Top
 Profile WWW  
 PostPosted: Tue Sep 06, 2011 9:40 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
lareconexiondelser.net appears to be suspended (Lock Status: clientHold; Name Server: BLACKHOLE.GANDI.NET) by its domain registrar GANDI SAS.

I applaud those who have helped to bring down the botnet-controlled domains.


Top
 Profile  
 PostPosted: Tue Sep 06, 2011 10:18 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Finally. I'm sure I wasn't the only one.
Sent 24th and again 27th
Quote:
This is a compliance request for you to suspend the domain lareconexiondelser.net used for distibuting the Zbot trojan
and to remove its name server Address record
ns1.lareconexiondelser.net [178.162.250.46]
and any www. address record

EVIDENCE
http://siteadvisor.com/sites/lareconexi ... et/msgpage
http://www.mywot.com/en/scorecard/larec ... et/msgpage


Top
 Profile WWW  
 PostPosted: Sat Sep 17, 2011 10:45 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
Another Facebook "friend request" exploit is in progress; this time the campaign is apparently attacking the Dutch. As in the past, the exploit probably uses a black-hole exploit in an invisible iFrame and a malicious EXE file disguised as a Macromedia Flash Player update:
Quote:
Aanmelden bij Facebook
—————————————————————————————————————
Uw versie van Macromedia Flash Player is te oud om door te gaan. Download en
installeer
de nieuwste versie van Adobe Flash Player.

Here are some examples of spammed URLs (as reported to PhishTank.com, mostly from the clean-mx.de database)

session56761735331539.customidet.com/confirm/reqnl/
session10020607122327.customidet.com/confirm/reqnl/
session90781741481121.customidet.com/confirm/reqnl/
session85700562579533.customidet.com/confirm/reqnl/
session79458084701772.customidet.com/confirm/reqnl/
session69570016113210.customidet.com/confirm/reqnl/

The domain name is registered at

Domain Name: CUSTOMIDET.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.ADVISORHIRINGJOB.ORG
Name Server: NS1.LIKSTENED.COM
Status: ok
Updated Date: 16-sep-2011
Creation Date: 23-aug-2011
Expiration Date: 23-aug-2012

[Edit: Update] The exploit is also running at a second domain

Domain Name: IDLEFGT.COM
Registrar: REGISTERMATRIX.COM CORP.
Whois Server: whois.registermatrix.com
Referral URL: http://www.registermatrix.com
Name Server: NS1.ADVISORHIRINGJOB.ORG [which is not functioning]
Name Server: NS1.LIKSTENED.COM
Status: clientTransferProhibited
Updated Date: 16-sep-2011
Creation Date: 15-sep-2011
Expiration Date: 15-sep-2012


Top
 Profile  
 [ 26 posts ]  Go to page 1, 2  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Ahrefs, Wayback machine and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008