Rejection of your tax appeal

In today’s episode we’ll take a closer look at an IRS-themed spam sample seen circulating on 2011-02-23.

This sample had a link to hxxp://knlu[.]info/wp-content/uploads/fgallery/ir.html. A number of other IRS-themed samples also contained links to what appear to be hacked WordPress blogs. These blogs all contained “/fgallery/ir.html” in the URI path.

With a little bit of Google-fu we can uncover other hacked WordPress blogs via a simple “inurl:/fgallery/ir.html” search.

The page pulled from the received spam sample, hxxp://knlu[.]info/wp-content/uploads/fgallery/ir.html, contains malicious JavaScript that redirects victims to hxxp://energirans[.]net/main.php?page=710730c6e154dae7 – a Blackhole exploit kit landing page.

Victims running a vulnerable browser or plugin then have a malicious binary pushed to them from energirans[.]net/w.php?f=3dc5c&e=4. This binary has been identified as a Bugat/Feodo banking trojan and has the following properties:

File: about.exe
Size: 63488
MD5: 85DC077D5E50B7E133FEF85E09DFE2FB

Unfortunately, this Bugat/Feodo variant is detected by only 2 of 43 AV vendors on VirusTotal at the time of writing.

A closer look at energirans[.]net suggests that it is hosted on a fast-flux infrastructure. Via CentralOps we can see that the energirans[.]net domain resolves to only one IP at the time of the lookup. However, the A record for energirans[.]net has a TTL (time to live) of 15 minutes (900 seconds), which means a resolver will cache the mapping for at most 15 minutes before it has to ask again. A TTL this short is consistent with fast-flux hosting, where the operator needs stale records to expire quickly so the name can be repointed at a fresh compromised host. It is not proof on its own, since CDNs and dynamic-DNS hosts use short TTLs as well; the confirming check is to resolve the name repeatedly over a few hours and watch whether the returned addresses rotate. Spamhaus has a good explanation of fast-flux here.

The dropped Bugat/Feodo variant installs itself on the victim machine and then connects to a command and control server at hjpyvexsutdctjol[.]ru, where it downloads a configuration file from hjpyvexsutdctjol[.]ru:8080/rwx/B2_9w3/in/. This configuration file instructs the installed Bugat/Feodo variant to hijack account credentials for the banking websites it lists. A quick look through this configuration file shows that it targets approximately 300 websites.

hjpyvexsutdctjol[.]ru is also hosted on a fast-flux infrastructure that uses at least the following IPs:

The fast-flux infrastructure hosting hjpyvexsutdctjol[.]ru appears to be different from the infrastructure above hosting the Blackhole exploit kit at energirans[.]net. Note that the TTL for hjpyvexsutdctjol[.]ru is 60 seconds – much shorter than the 900 seconds for the energirans[.]net domain.
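The TTL comparison above is easier to act on with the actual check in hand: resolve the name repeatedly and look at whether the answer set changes and how spread out the addresses are, not only how long the record is cached. The script below is an added example, not code from the original post. It parses the answer section of `dig +noall +answer NAME A` and scores a series of lookups of one name. The dig lines and addresses in it are constructed (RFC 5737 documentation ranges standing in for the real resolutions, which the post does not list in full), the names are kept in the post’s defanged “[.]” form, and the 900-second threshold, the five-address minimum and the /16-prefix diversity test are the example’s own choices rather than anything the post specifies.

```python
"""Fast-flux triage from repeated DNS lookups (added example, not the post's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# One A-record line from dig's answer section, e.g.
# "example.net.   60   IN   A   192.0.2.10"
DIG_A_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


@dataclass(frozen=True)
class Lookup:
    """The A-record answer set returned by one resolution of a name."""
    name: str
    ttl: int
    ips: frozenset


def parse_dig_answers(text: str) -> Lookup:
    """Parse one dig answer section into a Lookup; CNAME and other lines are skipped."""
    name, ttl, ips = None, None, set()
    for line in text.splitlines():
        m = DIG_A_LINE.match(line.strip())
        if not m:
            continue
        seen = m.group("name").rstrip(".").lower()
        if name is None:
            name = seen
        elif seen != name:
            raise ValueError("answer section mixes records for different names")
        t = int(m.group("ttl"))
        ttl = t if ttl is None else min(ttl, t)  # lowest TTL bounds how long the set is cached
        ips.add(m.group("ip"))
    if name is None:
        raise ValueError("no A records in answer section")
    return Lookup(name, ttl, frozenset(ips))


def assess_fast_flux(lookups: List[Lookup], short_ttl: int = 900,
                     min_distinct_ips: int = 5, min_slash16: int = 3) -> Dict:
    """Score repeated lookups of one name.

    A TTL at or below `short_ttl` (the post's 15-minute figure) only earns a second
    look: CDNs and dynamic-DNS hosts use short TTLs too. The stronger signal is
    that successive answers keep changing and the addresses sit in unrelated
    networks. The /16 prefix is a crude offline stand-in for "different network";
    an ASN lookup is the better check when you are online.
    """
    if not lookups:
        raise ValueError("need at least one lookup")
    names = {lk.name for lk in lookups}
    if len(names) != 1:
        raise ValueError("lookups must all be for the same name")
    all_ips = set().union(*(lk.ips for lk in lookups))
    min_ttl = min(lk.ttl for lk in lookups)
    changes = sum(1 for a, b in zip(lookups, lookups[1:]) if a.ips != b.ips)
    prefixes = {".".join(ip.split(".")[:2]) for ip in all_ips}

    short = min_ttl <= short_ttl
    churning = len(lookups) > 1 and changes == len(lookups) - 1
    diverse = len(all_ips) >= min_distinct_ips and len(prefixes) >= min_slash16
    if short and churning and diverse:
        verdict = "fast-flux likely"
    elif short:
        verdict = "short TTL only; confirm with repeated lookups"
    else:
        verdict = "no fast-flux indicators"
    return {
        "name": names.pop(),
        "min_ttl": min_ttl,
        "distinct_ips": len(all_ips),
        "distinct_slash16": len(prefixes),
        "answer_changes": changes,
        "verdict": verdict,
    }


# Constructed dig output: three queries per name, a few minutes apart. The
# addresses are RFC 5737 documentation ranges, not the real resolutions.
SAMPLE_EK_HOST = [
    "energirans[.]net.\t900\tIN\tA\t192.0.2.10",
    "energirans[.]net.\t900\tIN\tA\t192.0.2.10",
    "energirans[.]net.\t900\tIN\tA\t192.0.2.10",
]
SAMPLE_C2_HOST = [
    "hjpyvexsutdctjol[.]ru.\t60\tIN\tA\t198.51.100.7\n"
    "hjpyvexsutdctjol[.]ru.\t60\tIN\tA\t203.0.113.44",
    "hjpyvexsutdctjol[.]ru.\t60\tIN\tA\t192.0.2.201\n"
    "hjpyvexsutdctjol[.]ru.\t60\tIN\tA\t198.51.100.88",
    "hjpyvexsutdctjol[.]ru.\t60\tIN\tA\t203.0.113.9\n"
    "hjpyvexsutdctjol[.]ru.\t60\tIN\tA\t192.0.2.77",
]


def triage(samples: List[str]) -> Dict:
    """Parse a series of dig answer sections for one name and score them."""
    return assess_fast_flux([parse_dig_answers(s) for s in samples])


if __name__ == "__main__":
    for series in (SAMPLE_EK_HOST, SAMPLE_C2_HOST):
        print(triage(series))
```

Run against the constructed data, the single-address, 900-second name comes back as “short TTL only; confirm with repeated lookups”, while the 60-second name whose answers rotate across three prefixes is scored “fast-flux likely”. Feeding it real data is a matter of running `dig +noall +answer NAME A` on a timer and handing each answer section to `parse_dig_answers`.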

