Better Business Bureau Complaint

Subject:
Better Business Bureau Complaint

Attachment:
Complaint_ID04F57291141.htm

BBB complaint

Through encoded JavaScript, the victim is eventually redirected to a Phoenix Exploit Kit at hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php.

The Phoenix controller is configured to drop a PDF exploit for CVE-2010-0188 from hxxp://41.168.5.140:8080/navigator/auxqfudmbuiwg4.pdf. This PDF file had the following properties:

Name: auxqfudmbuiwg4.pdf
Size: 13,223 bytes
MD5: 9963aab22f61a8dd4118638c1f64181c

The PDF exploits CVE-2010-0188 and was detected by 27 of 42 AV vendors on VirusTotal.

A successful exploit redirects the victim to ebayfordummies[.]su:8080 /navigator/frf3.php?i=15 and installs Pony Loader on the victim machine. This Pony Loader had the following properties:

File: dsarcubqinhsjqkugsbm.exe
MD5: fb967688f434ef239a718dede24269b5
Size: 93,736 bytes
Digital Signature: ADt82UxX8ndawrW
Certificate Validity: 04/06/2012 to 01/01/2040

This Phoenix kit is hosted on fast-flux infrastructure at the following IP addresses.

This Pony Loader posts to a C&C at http://www.alberghi.com /pony/gate.php, hosted at IP address 109.168.126.112, and then downloads two identical Gameover Zeus payloads from the following URLs:

1. geovanabauerdocesfinos.com.br /6md3zev5/hQj.exe
2. http://www.dwa-wrestling.de /DGUhkavQ/SkxZGut.exe

Gameover is installed as %APPDATA%\Avnaza\bixuak.exe and had the following properties:

MD5: ba0f0a33956dfc96a1126a108eb4e47e
Size: 275,496 bytes
Signature: This file is digitally signed by ‘ADt82UxX8ndawrW’
Certificate Validity: 04/06/2012 to 01/01/2040
Timestamp: 2010:10:29 22:03:29+02:00

During analysis, the Gameover Zeus variant's dropzone was identified at 213.164.225.186:16841. Webinjects were pulled from 46.49.110.114:11199. The Gameover variant had a botid of “mf222a7” and a cid of “5555”.
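As an added example (not part of the original post), the chain above expressed as a per-client correlation over web proxy logs: it looks for the Phoenix landing on port 8080, the POST to the Pony gate and the Gameover Zeus download, in that order, and reports only clients that completed all three. The log format, the client addresses and the log lines are constructed for the example; the indicators are the ones named in this write-up, with the defanging undone.

```python
import re
from collections import defaultdict

# Indicators from the write-up above, with the defanging ("hxxp", "[.]") undone.
PONY_GATE = "www.alberghi.com/pony/gate.php"  # Pony Loader C&C check-in (POST)
GOZ_HOSTS = {"geovanabauerdocesfinos.com.br", "www.dwa-wrestling.de"}  # Gameover Zeus payload hosts
LANDING_RE = re.compile(r"/navigator/\w+\.php(\?.*)?$")  # Phoenix landing/redirect path, port 8080
# Assumed (constructed) proxy log format: "<timestamp> <client_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Stages of the chain as predicates over one parsed record; first match wins.
STAGES = [
    ("phoenix_landing", lambda r: r["host"].endswith(":8080") and bool(LANDING_RE.match(r["path"]))),
    ("pdf_exploit", lambda r: r["host"].endswith(":8080") and r["path"].endswith(".pdf")),
    ("pony_checkin", lambda r: r["method"] == "POST" and r["host"] + r["path"] == PONY_GATE),
    ("goz_download", lambda r: r["host"] in GOZ_HOSTS and r["path"].lower().endswith(".exe")),
]

def parse_line(line):
    """Parse one proxy log line into a record, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, _, path = re.sub(r"^https?://", "", m.group("url")).partition("/")
    return {"client": m.group("client"), "method": m.group("method"), "host": host, "path": "/" + path}

def _in_order(stages, required):
    """True if the required stages occur in `stages` in that order (other stages may interleave)."""
    it = iter(stages)
    return all(any(s == r for s in it) for r in required)

def infection_chains(lines, required=("phoenix_landing", "pony_checkin", "goz_download")):
    """Map each client that completed the chain (landing -> Pony check-in -> GOZ download) to its stages."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        stage = next((name for name, pred in STAGES if pred(rec)), None) if rec else None
        if stage and seen[rec["client"]][-1:] != [stage]:  # collapse repeats of the same stage
            seen[rec["client"]].append(stage)
    return {c: s for c, s in seen.items() if _in_order(s, required)}

# Constructed sample log: 10.0.0.7 walks the whole chain, 10.0.0.9 only touches the Pony gate.
SAMPLE_LOG = """\
2012-06-14T09:01:02 10.0.0.7 GET http://41.168.5.140:8080/navigator/jueoaritjuir.php 200
2012-06-14T09:01:05 10.0.0.7 GET http://41.168.5.140:8080/navigator/auxqfudmbuiwg4.pdf 200
2012-06-14T09:01:40 10.0.0.7 POST http://www.alberghi.com/pony/gate.php 200
2012-06-14T09:01:44 10.0.0.7 GET http://geovanabauerdocesfinos.com.br/6md3zev5/hQj.exe 200
2012-06-14T09:03:00 10.0.0.9 POST http://www.alberghi.com/pony/gate.php 200
""".splitlines()
```

A client that only posts to the Pony gate is still worth a lower-severity alert on its own; the ordered match is what separates a confirmed chain from a single hit.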
