Malicious URL:

NY Traffic Ticket

The text “To Plead Click Here” in spam contained malicious hyperlink which eventually redirects victim to a Phoenix Exploit kit at hxxp://vitalitysomer.ru:8080/pages/glavctkoasjtct.php.

This phoenix kit is hosted at the following IP addresses on a fast flux infrastructure:

Phoenix controller drops a CVE-2010-0188 PDF exploit from hxxp://vitalitysomer.ru:8080/pages/jnapaqjrezbpj8.pdf. PDF file had following properties:

File: jnapaqjrezbpj8.pdf
MD5: 73a3d52244f68a2eb4254be2f9e9d740
Size: 13,151 bytes

Successful exploit drops a pony downloader on victim machine. This Pony Downloader is downloaded on another Phoenix exploit-kit at hxxp://validatoronmee.ru:8080/pages/dq.php?i=15. This kit is hosted at the same FastFlux infrastructure as vitalitysomer.ru. Pony downloader had following properties:

File: duczdzd.exe
MD5: 392a574415aa24efbb1f7eda3564060d
Size: 1,40,840 bytes
Timestamp: 2012:04:13 23:48:26+02:00

Pony downloader beacons to its dropzone at buyandsmile.atomclick.co/pony/gate.php. It was also configured to download 3 identical Gameover Zeus payloads from following places:

1. avrupamodaevi.com/Rp076wCE/JVB0dU2.exe
2. guidobruscia.it/aPRh4MrM/j0Bxm4C.exe
3. 20rueraspail.be/pBBJkPFK/PwpKbEJm.exe

Gameover installes in %APPDATA%\Wievo\myaxu.exe

MD5: 5210005536c9f3bbcda0149da4ff37c8
Size: 3,13,384 bytes
Timestamp: 2010:11:01 22:21:42+01:00

This Gameover Zeus variant posts to a dropzone at, Webinjects were downloaded from & The Gameover variant had a BotID “mf222a15” and CID “2222”.

Interestingly, Pony Downloader and Gameover Zeus both shared same properties indicating both these payloads were built by same group/people, around same time.

Signature: This file is digitally signed by ‘gvpQYV0qr00yndP’
Certificate Validity: 04/13/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: