
//session trojan Zbot


All times are UTC - 5 hours [ DST ]


 PostPosted: Wed Aug 24, 2011 3:44 am   
You are kiillllling-a my bizinisss!

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Found in large spamming runs, a series of URLs in the form

hxxp://session99599080480050.permitfg.com/confirm/req/
hxxp://session98960786197613.pmstdl.com/confirm/req/
hxxp://session98204351586916.downtohole.com/confirm/req/
hxxp://session00239061301752.fileuplarc.com/confirm/req/

The 14 digit number varies.

permitfg.com Registrar: PAKNIC (PRIVATE) LIMITED
pmstdl.com Registrar: REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER [Client Hold]
downtohole.com Registrar: PAKNIC (PRIVATE) LIMITED
fileuplarc.com Registrar: PLANETDOMAIN PTY LTD.

The URL loads a spoofed Facebook login page complete with the Facebook favicon.
The page contains:
Quote:
Facebook Login
Your version of Macromedia Flash Player is too old to continue. Download and install the latest version of Adobe Flash Player.

If you click on the link to download "updateflash.exe" you are downloading the dangerous Zbot trojan. The primary payload of Trojan:W32/Zbot variants focuses on stealing online banking information.


A few samples from over 2000 I have seen in the past week
Code:
session97698057793601.downtohole.com/confirm/req/
session97728784838062.downtohole.com/confirm/req/
session99427076617378.fileuplarc.com/confirm/req/
session99485503555366.fileuplarc.com/confirm/req/
session99525797920572.downtohole.com/confirm/req/
session99916841992131.downtohole.com/confirm/req/
session99932245150373.fileuplarc.com/confirm/req/
session99960289962058.fileuplarc.com/confirm/req/


The domains run on the same botnet, too:

fileuplarc.com has address 66.159.180.140
fileuplarc.com has address 71.217.16.172
fileuplarc.com has address 83.221.72.119
fileuplarc.com has address 114.134.131.217
fileuplarc.com has address 178.24.192.186
fileuplarc.com has address 217.50.208.61

downtohole.com has address 66.159.180.140
downtohole.com has address 71.217.16.172
downtohole.com has address 83.221.72.119
downtohole.com has address 114.134.131.217
downtohole.com has address 178.24.192.186
downtohole.com has address 217.50.208.61

permitfg.com has address 62.42.16.182
permitfg.com has address 82.158.170.45
permitfg.com has address 83.138.205.124
permitfg.com has address 85.85.109.1
permitfg.com has address 94.223.194.61
permitfg.com has address 201.173.234.222


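The post above infers shared botnet infrastructure from the fact that several of the lure domains resolve to the same set of six IP addresses, and that each domain publishes many A records at once. The following script is an added example (not code from the thread or from any of the posters) that automates that check: it parses `host`-style output, reports domain pairs that share addresses, flags domains with an unusually wide A-record spread, and emits the combined IP set as a denylist. The sample input is constructed from the lookups quoted in the post; thresholds (`min_shared`, `min_ips`) are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from itertools import combinations

# Sample input: constructed from the `host` output quoted in the post above.
HOST_OUTPUT = """\
fileuplarc.com has address 66.159.180.140
fileuplarc.com has address 71.217.16.172
fileuplarc.com has address 83.221.72.119
fileuplarc.com has address 114.134.131.217
fileuplarc.com has address 178.24.192.186
fileuplarc.com has address 217.50.208.61
downtohole.com has address 66.159.180.140
downtohole.com has address 71.217.16.172
downtohole.com has address 83.221.72.119
downtohole.com has address 114.134.131.217
downtohole.com has address 178.24.192.186
downtohole.com has address 217.50.208.61
permitfg.com has address 62.42.16.182
permitfg.com has address 82.158.170.45
permitfg.com has address 83.138.205.124
permitfg.com has address 85.85.109.1
permitfg.com has address 94.223.194.61
permitfg.com has address 201.173.234.222
"""

# One line of `host` A-record output: "<name> has address <ipv4>"
HOST_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9.-]+) has address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_host_output(text):
    """Map each domain name to the set of A records observed for it."""
    records = defaultdict(set)
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            records[m.group("name").lower()].add(m.group("ip"))
    return dict(records)


def shared_infrastructure(records, min_shared=2):
    """Domain pairs that answer with at least `min_shared` common IPs.

    Returns {(domain_a, domain_b): [shared ips...]} with domains sorted,
    so the caller can pivot from one known-bad domain to its siblings.
    """
    pairs = {}
    for a, b in combinations(sorted(records), 2):
        common = records[a] & records[b]
        if len(common) >= min_shared:
            pairs[(a, b)] = sorted(common)
    return pairs


def flux_candidates(records, min_ips=4):
    """Domains with many simultaneous A records, a common fast-flux indicator.

    `min_ips` is an assumed threshold; legitimate CDN-fronted names can also
    return several addresses, so treat this as a triage signal, not proof.
    """
    return sorted(d for d, ips in records.items() if len(ips) >= min_ips)


def blocklist(records):
    """Every IP seen across the clustered domains, for a proxy or firewall denylist."""
    return sorted(set().union(*records.values()))


if __name__ == "__main__":
    recs = parse_host_output(HOST_OUTPUT)
    for (a, b), ips in shared_infrastructure(recs).items():
        print(f"{a} and {b} share {len(ips)} IPs")
    print("flux candidates:", flux_candidates(recs))
    print("denylist:", blocklist(recs))
```

Running the script shows that downtohole.com and fileuplarc.com share all six addresses while permitfg.com sits on a disjoint set of six, which matches the post's observation that the first two are on the same hosts; all three clear the fast-flux threshold because each answers with six addresses at once.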
 PostPosted: Wed Aug 24, 2011 4:40 am   
You are kiillllling-a my bizinisss!

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Name servers used to resolve access to the Zbot trojan distributors

ns1.lareconexiondelser.net - with sponsor = Registrar: GANDI SAS
ns1.remiann.net - with sponsor = Registrar: MESH DIGITAL LIMITED

IP addresses used for name servers and contact for the owner responsible
ns1.lareconexiondelser.net 67.222.139.64
ns1.remiann.net 67.222.139.64

> COLO4 - Colo4Dallas LP - complain to:[email protected]


 PostPosted: Wed Aug 24, 2011 11:56 am   
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
ns1.remiann.net has been severed from a botnet that is running the Facebook exploit. Its domain registration record was changed today to show that remiann.net no longer provides its own DNS; ns1.remiann.net has been providing a fast-flux botnet's DNS for several months at least. My occasional remarks about it are at
http://www.mywot.com/en/forum/13208-rul ... l-a-botnet


Quote:
The 14 digit number varies.
Trend Micro is suggesting that the number is randomly generated so that each message, or each small set of messages, has a different number in the domain name field of the URLs in the fraudulent "friend requests". I saw that mentioned at
http://www.mywot.com/en/forum/15454--zb ... h-facebook


 PostPosted: Wed Aug 24, 2011 4:37 pm   
You are kiillllling-a my bizinisss!

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
One of the name servers has been suspended. Credit goes to the responsible registrar.
http://legacytools.dnsstuff.com/tools/t ... ainterator
Server Response Time
ns1.lareconexiondelser.net [67.222.139.64] 200.125.77.157 201.173.234.222 217.216.121.104 46.37.84.93 77.27.251.129 83.138.205.124 85.180.161.105 87.182.77.214 11ms
ns1.remiann.net [0.0.0.0] Timeout
Mesh Digital wrote:
Thanks for getting in touch and bringing this to our attention; I can confirm that the domain remainn.net is now disabled and the user's account is under investigation. Apologies for any inconvenience that this caused.

If you need anything further, please do let me know.

Kind Regards, April



 PostPosted: Thu Aug 25, 2011 10:47 am   
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
ns1.lareconexiondelser.net has just been rehosted to IP 178.162.250.46 on the Leaseweb Germany GmbH network where it continues to provide DNS for the botnet's domains. :(

Both fileuplarc.com and wungrp.com have been suspended (Status: clientHold; Name Server: No nameserver) by their domain registrar PLANETDOMAIN PTY LTD. :)

[Edit: Update]
And later the same day, both downtohole.com and permitfg.com have been suspended (Status: clientHold; Name Server: No nameserver) by their domain registrar PAKNIC (PRIVATE) LIMITED :D


 PostPosted: Fri Aug 26, 2011 8:38 am   
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
permitds.com is running a suite of the botnet's phishing scams and malware including the fake Facebook friend request. I saw that it was reported at PhishTank
http://www.phishtank.com/phish_detail.p ... id=1260995
http://www.phishtank.com/phish_detail.p ... id=1260992
(Although PhishTank may show the site as being "offline" the scam is currently online. PhishTank sometimes will falsely mark a dangerous malware site offline, probably to discourage its unprepared volunteers from inspecting it.)

In addition to the previously identified ns1.lareconexiondelser.net, the botnet's DNS has now begun to be provided by

ns1.livingbebtfree.net - with sponsor = Registrar: MESH DIGITAL LIMITED
(currently hosted at IP 178.162.250.46 by Leaseweb Germany GmbH)


 PostPosted: Sat Aug 27, 2011 4:57 am   
You are kiillllling-a my bizinisss!

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
The URL in spam has this format:
Code:
session95881394976189.permitds.com/confirm/req/
session96189520992562.permitds.com/confirm/req/
session96711780993499.permitds.com/confirm/req/


 PostPosted: Sun Sep 04, 2011 5:51 pm   
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
[Edit: When I first posted this comment, I erroneously stated that pubident.com had been suspended. However, I see that it is still active as I post this correction. I apologize for the mistake.]

For the past several days pubident.com has been running a suite of the same botnet's phishing scams and malware including the fake Facebook friend request. I haven't yet come across any in-the-wild examples of the botnet's exploits using permitds.com so I cannot say whether its chief target is Facebook this time. (Perhaps others will post a few examples to this thread.) However, the earliest indication of a scam by pubident.com that I have found was a Facebook exploit reported by malwareurl.com.

The sole DNS provider for pubident.com is ns1.lareconexiondelser.net (IP 173.236.84.186, hosted by SingleHop); the other published DNS was ns1.livingbebtfree.net which very likely had been disabled before the scam(s) commenced.


 PostPosted: Mon Sep 05, 2011 6:06 pm   
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
The following write-up might describe the same exploit that is being discussed in this thread.
http://www.theregister.co.uk/2011/08/30 ... us_trojan/


 PostPosted: Mon Sep 05, 2011 11:59 pm   
You are kiillllling-a my bizinisss!

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
pubident.com
1. fails to resolve according to dnsstuff traversal, with name servers down:
http://legacytools.dnsstuff.com/tools/t ... ainterator
ns1.lareconexiondelser.net [0.0.0.0] Timeout
ns1.livingbebtfree.net [0.0.0.0] Timeout

2. Has 95% failure rate around the world using host-tracker

3. Has 100% resolution failure at squish.net
Results
16.7% No such domain (NXDOMAIN) at ns1.domainmonster.com (109.68.33.100)
While querying ns1.livingbebtfree.net/IN/A
16.7% No such domain (NXDOMAIN) at ns2.domainmonster.com (109.68.33.102)
While querying ns1.livingbebtfree.net/IN/A
16.7% No such domain (NXDOMAIN) at ns3.domainmonster.com (69.25.32.3)
While querying ns1.livingbebtfree.net/IN/A
25.0% Query timed out at ns1.lareconexiondelser.net (173.236.84.186)
While querying ns1.lareconexiondelser.net/IN/A
25.0% Query timed out at ns2.lareconexiondelser.net (181.123.51.158)
While querying ns1.lareconexiondelser.net/IN/A

The domain itself looks untouched
Domain Name: PUBIDENT.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Name Server: NS1.LARECONEXIONDELSER.NET
Name Server: NS1.LIVINGBEBTFREE.NET
Status: ok
Updated Date: 26-aug-2011

Previous IP addresses used for pubident.com
62.42.22.10
77.180.251.245
77.208.33.201
77.209.128.203
77.210.156.231
77.210.156.82
81.184.231.198
81.9.174.10
82.158.200.71
84.123.147.146
84.123.88.225
84.124.229.71
84.127.187.220
85.152.183.24
85.219.92.112
85.84.60.87
87.111.107.8
95.18.51.114
95.18.51.143
122.218.13.29
178.24.228.175
188.171.0.164
200.125.77.157
212.225.216.63
213.60.168.21
213.60.64.164
217.184.245.130
217.216.120.158


 PostPosted: Tue Sep 06, 2011 9:51 am   
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
pubident.com appears to be suspended now:

Domain Name: PUBIDENT.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.LARECONEXIONDELSER.NET
Name Server: NS1.LIVINGBEBTFREE.NET
Status: clientHold
Status: clientTransferProhibited
Updated Date: 06-sep-2011
Creation Date: 23-aug-2011
Expiration Date: 23-aug-2012

Surprisingly, the site's DNS report that is provided at its domain registrar's site http://www.paknic.com/Whois.aspx doesn't yet show any 06-sep-2011 update.

I would still be concerned about ns1.lareconexiondelser.net which has returned to IP 67.222.139.64 where it, along with ns1.remiann.net, earlier provided DNS for several of the botnet's domains. As far as I can tell, ns1.lareconexiondelser.net has only provided DNS for its own domain and for the botnet's malware-laden domains.


 PostPosted: Tue Sep 06, 2011 9:40 pm   
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
lareconexiondelser.net appears to be suspended (Lock Status: clientHold; Name Server: BLACKHOLE.GANDI.NET) by its domain registrar GANDI SAS.

I applaud those who have helped to bring down the botnet-controlled domains.


 PostPosted: Tue Sep 06, 2011 10:18 pm   
You are kiillllling-a my bizinisss!

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Finally. I'm sure I wasn't the only one.
Sent 24th and again 27th
Quote:
This is a compliance request for you to suspend the domain lareconexiondelser.net used for distributing the Zbot trojan
and to remove its name server Address record
ns1.lareconexiondelser.net [178.162.250.46]
and any www. address record

EVIDENCE
http://siteadvisor.com/sites/lareconexi ... et/msgpage
http://www.mywot.com/en/scorecard/larec ... et/msgpage


 PostPosted: Sat Sep 17, 2011 10:45 am   
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
Another Facebook "friend request" exploit is in progress; this time the campaign is apparently attacking the Dutch. As in the past, the exploit probably uses a black-hole exploit in an invisible iFrame and a malicious EXE file disguised as a Macromedia Flash Player update:
Quote:
Log in to Facebook

Your version of Macromedia Flash Player is too old to continue. Download and install the latest version of Adobe Flash Player.

Here are some examples of spammed URLs (as reported to PhishTank.com, mostly from the clean-mx.de database)

session56761735331539.customidet.com/confirm/reqnl/
session10020607122327.customidet.com/confirm/reqnl/
session90781741481121.customidet.com/confirm/reqnl/
session85700562579533.customidet.com/confirm/reqnl/
session79458084701772.customidet.com/confirm/reqnl/
session69570016113210.customidet.com/confirm/reqnl/

The domain name is registered at

Domain Name: CUSTOMIDET.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.ADVISORHIRINGJOB.ORG
Name Server: NS1.LIKSTENED.COM
Status: ok
Updated Date: 16-sep-2011
Creation Date: 23-aug-2011
Expiration Date: 23-aug-2012

[Edit: Update] The exploit is also running at a second domain

Domain Name: IDLEFGT.COM
Registrar: REGISTERMATRIX.COM CORP.
Whois Server: whois.registermatrix.com
Referral URL: http://www.registermatrix.com
Name Server: NS1.ADVISORHIRINGJOB.ORG [which is not functioning]
Name Server: NS1.LIKSTENED.COM
Status: clientTransferProhibited
Updated Date: 16-sep-2011
Creation Date: 15-sep-2011
Expiration Date: 15-sep-2012


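Both the opening post and the post above describe the same lure shape: `session` followed by a varying 14-digit number, a throwaway domain, and a fixed `/confirm/req/` path (or `/confirm/reqnl/` in the Dutch run). The script below is an added example, not code from the thread or its posters, showing how a defender can turn that shape into a log-scanning rule: it extracts the session id and domain from every matching URL, builds the set of campaign domains, and then pulls any further requests to those domains (such as the `updateflash.exe` download the first post mentions) so the client hosts can be triaged. The regex and its handling of `http`/`hxxp` prefixes are assumptions; the proxy log lines are constructed for the example, with the lure URLs copied from the thread and the benign lines using reserved or well-known names.

```python
import re

# Lure URL pattern from the thread: session<14 digits>.<domain>/confirm/req/
# "reqnl" covers the Dutch variant; scheme and hxxp-defanging are optional so the
# same rule works on raw spam text and on proxy logs. (Assumed rule, tune as needed.)
ZBOT_LURE = re.compile(
    r"(?:hxxps?|https?)?(?://)?"
    r"session(?P<sid>\d{14})\.(?P<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"/confirm/req(?P<variant>nl)?/",
    re.IGNORECASE,
)

# Constructed sample proxy log: "<timestamp> <client ip> <method> <url> <status>".
SAMPLE_LOG = """\
2011-08-24T03:40:12Z 10.0.0.21 GET http://session99599080480050.permitfg.com/confirm/req/ 200
2011-08-24T03:41:02Z 10.0.0.33 GET http://www.facebook.com/login.php 200
2011-09-17T10:12:44Z 10.0.0.21 GET http://session56761735331539.customidet.com/confirm/reqnl/ 200
2011-09-17T10:13:01Z 10.0.0.40 GET http://session123.example.com/confirm/req/ 404
2011-09-17T10:13:09Z 10.0.0.21 GET http://session56761735331539.customidet.com/updateflash.exe 200
"""


def find_lures(text):
    """Return (session id, domain, variant) for every lure URL in `text`.

    The session id is kept because a repeated id across many recipients, or
    across several domains, shows the same template being reused.
    """
    return [
        (m.group("sid"), m.group("domain").lower(), m.group("variant") or "")
        for m in ZBOT_LURE.finditer(text)
    ]


def campaign_domains(text):
    """Distinct lure domains seen, sorted, for blocking at DNS or proxy."""
    return sorted({domain for _, domain, _ in find_lures(text)})


def follow_on_requests(text, domains):
    """Log lines that touch a flagged domain but are not the lure page itself.

    These are the requests that matter for incident response: a payload fetch
    after the lure means the client clicked through and needs to be isolated.
    """
    hits = []
    for line in text.splitlines():
        lowered = line.lower()
        if any(d in lowered for d in domains) and not ZBOT_LURE.search(line):
            hits.append(line)
    return hits


def clients_to_triage(text):
    """Client IPs (field 2 of each constructed log line) that fetched a lure."""
    clients = set()
    for line in text.splitlines():
        if ZBOT_LURE.search(line):
            fields = line.split()
            if len(fields) >= 2:
                clients.add(fields[1])
    return sorted(clients)


if __name__ == "__main__":
    domains = campaign_domains(SAMPLE_LOG)
    print("campaign domains:", domains)
    print("clients that hit a lure:", clients_to_triage(SAMPLE_LOG))
    for line in follow_on_requests(SAMPLE_LOG, domains):
        print("follow-on request:", line)
```

On the sample log the rule matches the two real lures, ignores the `session123.example.com` line because the id is not 14 digits, and surfaces the `updateflash.exe` fetch from 10.0.0.21 as the follow-on request to investigate; the host-based `host` lookups in the first post can then be run against the domains this returns.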