//session trojan Zbot

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

A German-language version of the same botnet's fraudulent Facebook "friend request" has been reported (source: hXXp://www.da-gaming.de/index.php?mod=board&action=thread&where=6124&start=0). An example of a URL that it uses is

session44447796956483.stackfg.com/confirm/reqde/

That domain name is registered at

Domain Name: STACKFG.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.ADVISORHIRINGJOB.ORG [domain suspended]
Name Server: NS1.LIKSTENED.COM
Status: ok
Updated Date: 16-sep-2011
Creation Date: 15-sep-2011
Expiration Date: 15-sep-2012

Client Hold Sept 21

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

Another scam botnet domain has been picked up by the ZeuS Tracker, although a web search doesn't return any examples of the site being used in the wild, yet. It is capable of running the botnet's suite of over a dozen different scams, including the Facebook "friend request" in at least three languages (English, Dutch and German).

Domain Name: USEDITWOULFUR.COM
Registrar: REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.LIKSTENED.COM
Name Server: NS1.THE-HIRINGDIVISION.COM [domain suspended]
Status: clientTransferProhibited
Updated Date: 18-sep-2011
Creation Date: 13-sep-2011
Expiration Date: 13-sep-2012

[Edit: Update #1, 19-September-2011] An in-the-wild instance of useditwoulfur.com being used in the German-language version of the malware attack against Facebook subscribers is

session61210390497897.useditwoulfur.com/confirm/reqde/

The botnet's DNS has been disabled for the moment because its remaining DNS provider LIKSTENED.COM has been suspended.

[Edit: Update #2, 20-September-2011] useditwoulfur.com has been suspended by its domain registrar who set its status to "clientHold". I would not be surprised to learn that the Complainterator participated in the suspension.

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

The latest four botnet-controlled domains about which I am aware have been suspended:
customidet.com
idlefgt.com
stackfg.com
useditwoulfur.com

Those site's remaining DNS provider seems to be
ns1.parkingstachanal.com (IP 194.0.252.114, hosted on the VooServers Ltd network in the UK)
ns2.parkingstachanal.com ( IP 65.61.188.4, Rackspace Hosting, USA)

IP 194.0.252.114 has been listed in the Spamhaus SBL for several months.

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

The same botnet, apparently, has launched a new malware campaign with at least two new domains and with two DNS providers. The campaign uses a spoofed United States Internal Revenue Service (IRS) web page. An example of a URL that it uses is

http://irs.techdlfs.com/reviews/return/?id=SRDUFGGVU381&d=Sat,%208%20Oct%202011%2001:51:23%20+0530

which actually reduces to http://techdlfs.com/reviews/return/

Domain Name: DDPLOPT.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.CHAIRALITYPOL.COM
Name Server: NS1.ENVELOPESF-RSWITCH.COM
Status: ok
Updated Date: 06-oct-2011
Creation Date: 05-oct-2011
Expiration Date: 05-oct-2012

Domain Name: TECHDLFS.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.CHAIRALITYPOL.COM
Name Server: NS1.ENVELOPESF-RSWITCH.COM
Status: ok
Updated Date: 06-oct-2011
Creation Date: 05-oct-2011
Expiration Date: 05-oct-2012

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

Both ddplopt.com and techdlfs.com have been suspended by their domain registrar. A third site msvoipid.com was detected running the same scam; it was promptly suspended by its domain registrar REGISTERMATRIX.COM CORP. A fourth site systrmp.com is currently running the same scam.

Domain Name: SYSTRMP.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.CHAIRALITYPOL.COM
Name Server: NS1.ENVELOPESF-RSWITCH.COM
Status: ok
Updated Date: 06-oct-2011
Creation Date: 15-sep-2011
Expiration Date: 15-sep-2012

The fraudulent webpages used in the scam contain an invisible iFrame which I believe contains a black hole exploit. Google has cached one such webpage, leaving the iFrame intact and active in the cached version.

Both of the name servers for the sites trace to IP 199.71.214.131, (Psychz Networks, USA). The same configuration was used in some earlier malware campaigns by the same botnet. PAKNIC is also the domain registrar for both of the name servers. The zombie computers under the botnet's control are mostly located in Spain apparently. I notice that most of their IP addresses are "listed in SORB" .

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

Juicy bits of code extracted from Phish URL systrmp.com/app/bps/main/

Code:

Code:

function write_url() {
    var url;
    if (app_type == 'ins') {
    url = 'https://insurance.lexisnexis.com';
    } else if (app_type == 'hea') {
    url = 'https://healthcare.lexisnexis.com';
    } else if (app_type == 'aig') {
    url = 'https://aig.accurint.com';
    } else if (app_type == 'xbps') {
    url = 'https://riskinvestigations.lexisnexis.com';
    } else {
    url = 'http://www.accurint.com';
    }
    document.write(url);
}

Code:

    <div class="smallblack">
            <strong>Phishing schemes are on the rise. Learn how to protect your Accurint User Name and Password ...</strong>
            <div id="toggleOptions" style="display: none;"><br>
Always start sign on from: <strong>http://www.accurint.com</strong> or <strong>http://accurintlexisnexis.com</strong>
and never enter your ID or Password information at any other URL or
site, or your security may be compromised. Never click or follow links
to Accurint from email messages because if you do so you may be taken
to a site that looks like Accurint but is not the Accurint site. If you
accessed any other URL or site that looks like Accurint or if you
clicked on a link within an email to access Accurint and entered your
account information, please change your Password immediately.<br>
            <br>
Protect the security of your User Name and Password by following these
guidelines: (a) Never share User Names or Passwords; (b) Do not write
your User Name and Password down anywhere; (c) Install and use current
anti-virus software; (d) Inform your administrator or contact Customer
Support immediately if you believe your User Name or Password have been
compromised. <br>
            <br>
            </div>

AVG intercepts the page with "Virus identified JS/Phish"

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

Sample URLs in the past few hours

Code:

irs.systrmp.com/reviews/return/

sess_id9837964.systrmp.com/reviews/return/
sess_id9849911.systrmp.com/reviews/return/
sess_id9870183.systrmp.com/reviews/return/
etc
session0073465.systrmp.com/reviews/return/
session0787800.systrmp.com/reviews/return/
session0897844.systrmp.com/reviews/return/
etc

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

Domain Name: SYSTRMP.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: No nameserver
Status: clientHold
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 11-oct-2011

In summary
chipiden.com Status: clientHold / REGISTERMATRIX.COM CORP. / Oct 11
cpsystms.com Status: clientHold / BIZCN.COM, INC. / Oct 12
systmsd.com Status: redemptionPeriod / 1 API GMBH / Oct 12
systrmp.com Status: clientHold / PAKNIC (PRIVATE) LIMITED / Oct 11

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

The latest botnet infector

mrsystms.com Registrar: REGISTERMATRIX.COM CORP.
Name Server: NS1.CHAIRALITYPOL.COM and NS1.ENVELOPESF-RSWITCH.COM on 173.236.45.150 at Nexeon Technologies, Inc.in Texas

mrsystms.com has address 81.203.3.89 (Cableuropa - ONO, Spain)
mrsystms.com has address 90.172.85.224 (France Telecom Espana SA)

Examples of spammed links

irs.mrsystms.com/reviews/return/
That is the link to the Inland Revenue Service phishing site

session9104213.mrsystms.com/reviews/return/
session9132885.mrsystms.com/reviews/return/
session9154980.mrsystms.com/reviews/return/
sess_id5776544.mrsystms.com/reviews/return/
sess_id6577213.mrsystms.com/reviews/return/
sess_id9005416.mrsystms.com/reviews/return/
sess_id9467772.mrsystms.com/reviews/return/

Red Dwarf · **Joined:** Tue Jun 27, 2006 2:01 am **Posts:** 9227

Sent 13 Oct - Registrar: REGISTERMATRIX.COM CORP.

Quote:

Urgent

This is a compliance request for you to suspend the illegal domain mrsystms.com used for ZBOT botnet infections

EVIDENCE
viewtopic.php?f=14&t=4510&p=54121
http://siteadvisor.com/sites/mrsystms.com/msgpage
http://mywot.com/en/scorecard/mrsystms.com/msgpage

Status: clientDeleteProhibited
Status: clientHold
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-oct-2011

NotBuyingIt · **Joined:** Sun Jun 13, 2010 5:22 pm **Posts:** 528

During early October, DNS for the botnet's scam domains was provided by ns1.chairalitypol.com and ns1.envelopesf-rswitch.com. Both chairalitypol.com and envelopesf-rswitch.com have been suspended. Their domain registrar PAKNIC (PRIVATE) LIMITED has set the status of each domain to "clientHold" and has changed their name server to "No nameserver".

InBoxRevenge KS Forum

//session trojan Zbot

Who is online