//session trojan Zbot

 PostPosted: Sun Sep 18, 2011 2:58 pm   
Spammer Killing Machine
A German-language version of the same botnet's fraudulent Facebook "friend request" has been reported (source: hXXp://www.da-gaming.de/index.php?mod=board&action=thread&where=6124&start=0). An example of a URL that it uses is

session44447796956483.stackfg.com/confirm/reqde/

That domain name is registered at

Domain Name: STACKFG.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.ADVISORHIRINGJOB.ORG [domain suspended]
Name Server: NS1.LIKSTENED.COM
Status: ok
Updated Date: 16-sep-2011
Creation Date: 15-sep-2011
Expiration Date: 15-sep-2012

Client Hold Sept 21


 PostPosted: Mon Sep 19, 2011 1:28 pm   
Spammer Killing Machine
Another scam botnet domain has been picked up by the ZeuS Tracker, although a web search doesn't return any examples of the site being used in the wild, yet. It is capable of running the botnet's suite of over a dozen different scams, including the Facebook "friend request" in at least three languages (English, Dutch and German).

Domain Name: USEDITWOULFUR.COM
Registrar: REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.LIKSTENED.COM
Name Server: NS1.THE-HIRINGDIVISION.COM [domain suspended]
Status: clientTransferProhibited
Updated Date: 18-sep-2011
Creation Date: 13-sep-2011
Expiration Date: 13-sep-2012

[Edit: Update #1, 19-September-2011] An in-the-wild instance of useditwoulfur.com being used in the German-language version of the malware attack against Facebook subscribers is

session61210390497897.useditwoulfur.com/confirm/reqde/

The botnet's DNS has been disabled for the moment because its remaining DNS provider LIKSTENED.COM has been suspended.

[Edit: Update #2, 20-September-2011] useditwoulfur.com has been suspended by its domain registrar who set its status to "clientHold". I would not be surprised to learn that the Complainterator participated in the suspension.


 PostPosted: Wed Sep 21, 2011 12:50 pm   
Spammer Killing Machine
The latest four botnet-controlled domains about which I am aware have been suspended:
customidet.com
idlefgt.com
stackfg.com
useditwoulfur.com

Those sites' remaining DNS providers seem to be
ns1.parkingstachanal.com (IP 194.0.252.114, hosted on the VooServers Ltd network in the UK)
ns2.parkingstachanal.com (IP 65.61.188.4, Rackspace Hosting, USA)

IP 194.0.252.114 has been listed in the Spamhaus SBL for several months.


 PostPosted: Fri Oct 07, 2011 7:52 pm   
Spammer Killing Machine
The same botnet, apparently, has launched a new malware campaign with at least two new domains and with two DNS providers. The campaign uses a spoofed United States Internal Revenue Service (IRS) web page. An example of a URL that it uses is

http://irs.techdlfs.com/reviews/return/?id=SRDUFGGVU381&d=Sat,%208%20Oct%202011%2001:51:23%20+0530

which actually reduces to http://techdlfs.com/reviews/return/

Domain Name: DDPLOPT.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.CHAIRALITYPOL.COM
Name Server: NS1.ENVELOPESF-RSWITCH.COM
Status: ok
Updated Date: 06-oct-2011
Creation Date: 05-oct-2011
Expiration Date: 05-oct-2012

Domain Name: TECHDLFS.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.CHAIRALITYPOL.COM
Name Server: NS1.ENVELOPESF-RSWITCH.COM
Status: ok
Updated Date: 06-oct-2011
Creation Date: 05-oct-2011
Expiration Date: 05-oct-2012


 PostPosted: Sun Oct 09, 2011 5:06 pm   
Spammer Killing Machine
Both ddplopt.com and techdlfs.com have been suspended by their domain registrar. A third site msvoipid.com was detected running the same scam; it was promptly suspended by its domain registrar REGISTERMATRIX.COM CORP. A fourth site systrmp.com is currently running the same scam.

Domain Name: SYSTRMP.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.CHAIRALITYPOL.COM
Name Server: NS1.ENVELOPESF-RSWITCH.COM
Status: ok
Updated Date: 06-oct-2011
Creation Date: 15-sep-2011
Expiration Date: 15-sep-2012

The fraudulent webpages used in the scam contain an invisible iframe which I believe contains a Blackhole exploit. Google has cached one such webpage, leaving the iframe intact and active in the cached version.

Both of the name servers for the sites trace to IP 199.71.214.131 (Psychz Networks, USA). The same configuration was used in some earlier malware campaigns by the same botnet. PAKNIC is also the domain registrar for both of the name servers. The zombie computers under the botnet's control are mostly located in Spain, apparently. I notice that most of their IP addresses are "listed in SORBS".


 PostPosted: Sun Oct 09, 2011 11:52 pm   
You are kiillllling-a my bizinisss!
Juicy bits of code extracted from Phish URL systrmp.com/app/bps/main/

Code:
<iframe src="c.php" width="5" height="5" frameborder="0">


Code:
// app_type is set elsewhere on the phishing page; it is not part of this extract.
function write_url() {
    var url;
    if (app_type == 'ins') {
        url = 'https://insurance.lexisnexis.com';
    } else if (app_type == 'hea') {
        url = 'https://healthcare.lexisnexis.com';
    } else if (app_type == 'aig') {
        url = 'https://aig.accurint.com';
    } else if (app_type == 'xbps') {
        url = 'https://riskinvestigations.lexisnexis.com';
    } else {
        url = 'http://www.accurint.com';
    }
    // Writes the legitimate vendor URL into the page so the fake looks like the real sign-on.
    document.write(url);
}


Code:
    <div class="smallblack">
            <strong>Phishing schemes are on the rise. Learn how to protect your Accurint User Name and Password ...</strong>
            <div id="toggleOptions" style="display: none;"><br>
Always start sign on from: <strong>http://www.accurint.com</strong> or <strong>http://accurintlexisnexis.com</strong>
and never enter your ID or Password information at any other URL or
site, or your security may be compromised. Never click or follow links
to Accurint from email messages because if you do so you may be taken
to a site that looks like Accurint but is not the Accurint site. If you
accessed any other URL or site that looks like Accurint or if you
clicked on a link within an email to access Accurint and entered your
account information, please change your Password immediately.<br>
            <br>
Protect the security of your User Name and Password by following these
guidelines: (a) Never share User Names or Passwords; (b) Do not write
your User Name and Password down anywhere; (c) Install and use current
anti-virus software; (d) Inform your administrator or contact Customer
Support immediately if you believe your User Name or Password have been
compromised. <br>
            <br>
            </div>


AVG intercepts the page with "Virus identified JS/Phish"
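
The 5x5 frame quoted above is the kind of thing an analyst wants to pull out of a captured page automatically. The following is an added example for this thread, not code from the page or its authors: a small stdlib-only parser that flags iframes that are too small to see or hidden by CSS and resolves their src against the page URL. The sample page is constructed; only the "c.php" frame is taken from the post, the other two frames are made up for contrast, and the size threshold is an assumption.

```python
"""Flag tiny or hidden iframes in a fetched page.

Added example for this thread, not code from the page or its authors.
The sample page below is constructed; the 5x5 "c.php" frame is the one
quoted in the post above, the other two frames are made up for contrast.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumption: a frame at most this many pixels on each side is invisible
# to the user and therefore only useful for loading something silently.
MAX_HIDDEN_PX = 10


def _px(value):
    """Parse a width/height attribute such as '5' or '5px'; None if not a pixel count."""
    if value is None:
        return None
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return int(digits) if digits.isdigit() else None


class IframeAuditor(HTMLParser):
    """Collect every <iframe> that is too small to see or hidden by CSS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if w is not None and h is not None and w <= MAX_HIDDEN_PX and h <= MAX_HIDDEN_PX:
            reasons.append(f"tiny frame {w}x{h}")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append({
                # Resolve a relative src against the page so the analyst gets a fetchable URL.
                "src": urljoin(self.page_url, a.get("src") or ""),
                "size": (w, h),
                "reasons": reasons,
            })


def find_hidden_iframes(html, page_url):
    """Return a list of findings for the page fetched from page_url."""
    auditor = IframeAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page (not the real phishing page).
SAMPLE_HTML = """<html><body>
<iframe src="c.php" width="5" height="5" frameborder="0"></iframe>
<iframe src="https://www.example.com/embed/1" width="560" height="315"></iframe>
<iframe src="/t.php" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "http://systrmp.com/app/bps/main/"):
        print(finding)
```

Run it against a saved copy of a suspect page (or a search-engine cache, as noted in the thread) and the resolved src of each finding is the URL to submit to a sandbox; fetching it from an analysis workstation is not advisable.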


 PostPosted: Mon Oct 10, 2011 2:14 pm   
You are kiillllling-a my bizinisss!
Sample URLs in the past few hours
Code:
irs.systrmp.com/reviews/return/

sess_id9837964.systrmp.com/reviews/return/
sess_id9849911.systrmp.com/reviews/return/
sess_id9870183.systrmp.com/reviews/return/
etc
session0073465.systrmp.com/reviews/return/
session0787800.systrmp.com/reviews/return/
session0897844.systrmp.com/reviews/return/
etc


 PostPosted: Wed Oct 12, 2011 7:15 pm   
You are kiillllling-a my bizinisss!
Domain Name: SYSTRMP.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: No nameserver
Status: clientHold
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 11-oct-2011

In summary
chipiden.com Status: clientHold / REGISTERMATRIX.COM CORP. / Oct 11
cpsystms.com Status: clientHold / BIZCN.COM, INC. / Oct 12
systmsd.com Status: redemptionPeriod / 1 API GMBH / Oct 12
systrmp.com Status: clientHold / PAKNIC (PRIVATE) LIMITED / Oct 11


 PostPosted: Thu Oct 13, 2011 8:57 pm   
You are kiillllling-a my bizinisss!
The latest botnet infector

mrsystms.com Registrar: REGISTERMATRIX.COM CORP.
Name Server: NS1.CHAIRALITYPOL.COM and NS1.ENVELOPESF-RSWITCH.COM on 173.236.45.150 at Nexeon Technologies, Inc. in Texas

mrsystms.com has address 81.203.3.89 (Cableuropa - ONO, Spain)
mrsystms.com has address 90.172.85.224 (France Telecom Espana SA)

Examples of spammed links

irs.mrsystms.com/reviews/return/
That is the link to the Inland Revenue Service phishing site

session9104213.mrsystms.com/reviews/return/
session9132885.mrsystms.com/reviews/return/
session9154980.mrsystms.com/reviews/return/
sess_id5776544.mrsystms.com/reviews/return/
sess_id6577213.mrsystms.com/reviews/return/
sess_id9005416.mrsystms.com/reviews/return/
sess_id9467772.mrsystms.com/reviews/return/


 PostPosted: Mon Oct 17, 2011 3:14 am   
You are kiillllling-a my bizinisss!
Sent 13 Oct - Registrar: REGISTERMATRIX.COM CORP.
Quote:
Urgent

This is a compliance request for you to suspend the illegal domain mrsystms.com used for ZBOT botnet infections

EVIDENCE
viewtopic.php?f=14&t=4510&p=54121
http://siteadvisor.com/sites/mrsystms.com/msgpage
http://mywot.com/en/scorecard/mrsystms.com/msgpage


Status: clientDeleteProhibited
Status: clientHold
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-oct-2011


 PostPosted: Wed Oct 19, 2011 11:57 pm   
Spammer Killing Machine
During early October, DNS for the botnet's scam domains was provided by ns1.chairalitypol.com and ns1.envelopesf-rswitch.com. Both chairalitypol.com and envelopesf-rswitch.com have been suspended. Their domain registrar PAKNIC (PRIVATE) LIMITED has set the status of each domain to "clientHold" and has changed their name server to "No nameserver".

