IRS spams

We analyzed the following malicious URLs, which we believe are used in IRS spam campaigns:

hxxp://9×18.com/1FrYnHUV/index.html
hxxp://9×18.com/6GkXis2t/index.html
hxxp://9×18.com/7zSj5u8N/index.html
hxxp://9×18.com/9sfGpVaP/index.html
hxxp://9×18.com/DcXTY95c/index.html
hxxp://9×18.com/EdVTFHRy/index.html
hxxp://9×18.com/H37jjL6S/index.html
hxxp://9×18.com/JLdSGm4e/index.html
hxxp://9×18.com/KirxGAkT/index.html
hxxp://9×18.com/M7vrQsUT/index.html
hxxp://9×18.com/N7kkDdho/index.html
hxxp://9×18.com/U8nC5QAL/index.html
hxxp://9×18.com/Y1aFsgBk/index.html
hxxp://9×18.com/bFdJryZB/index.html
hxxp://9×18.com/igc6smeH/index.html
hxxp://9×18.com/jUyLton1/index.html
hxxp://9×18.com/pHbH0hzY/index.html
hxxp://9×18.com/rPWsV1Cp/index.html
hxxp://9×18.com/tjUQVqbC/index.html
hxxp://beinsync.in/1FrYnHUV/index.html
hxxp://9×18.com/wVKshGdP/index.html
hxxp://beinsync.in/6GkXis2t/index.html
hxxp://alcopaz.com/1FrYnHUV/index.html
hxxp://beinsync.in/7zSj5u8N/index.html
hxxp://alcopaz.com/6GkXis2t/index.html
hxxp://beinsync.in/9sfGpVaP/index.html

Although 9×18.com was already blocking access to these URLs, the other malicious URLs were still up and serving their purpose: redirecting the victim to the Blackhole exploit kit through the following three JavaScript includes:

<script type="text/javascript" src="hxxp://anydemo.in/ox8rWBHG/js.js"></script>
<script type="text/javascript" src="hxxp://Darsshan.com/8n9SXXoy/js.js"></script>
<script type="text/javascript" src="hxxp://www.moverpackermart.com/3F634op7/js.js"></script>

The Blackhole kit was running at hxxp://85.25.189.174/showthread.php?t=34c79594e8b8ac0f. It first drops the Pony downloader, fetched from the following location:

hxxp://85.25.189.174/q.php?f=2fcad&e=2
File: info.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 1,31,168 bytes
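The infection chain above (spam landing page, injected js.js redirector, Blackhole landing and payload URLs, then the Pony check-in) has a very regular shape, which makes it easy to pick out of web-proxy logs or a captured page. The script below is an added example written for this post, not code from the original write-up: it normalises the defanged "hxxp" indicators listed here into a host set, adds path-shape rules for each stage of the chain, and runs them over a few constructed proxy log lines and a constructed HTML snippet. The log format and the sample lines are assumptions; the hosts and paths are those the post lists (9×18.com is kept exactly as the page renders it, with the plain "9x18.com" spelling matched as well).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Indicators copied from the write-up ("hxxp" defanging is removed at match time).
BAD_HOSTS = {
    "9×18.com", "9x18.com", "beinsync.in", "alcopaz.com",      # spam landing pages
    "anydemo.in", "darsshan.com", "www.moverpackermart.com",   # js.js redirectors
    "85.25.189.174",                                           # Blackhole kit
    "91.121.84.204",                                           # Pony gate.php
}

# Path shapes seen at each stage, so a new host reusing the same layout still matches.
PATTERNS = [
    ("landing page",      re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")),
    ("js redirector",     re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")),
    ("blackhole landing", re.compile(r"^/showthread\.php$")),
    ("blackhole payload", re.compile(r"^/q\.php$")),
    ("pony gate",         re.compile(r"^/pony/gate\.php$")),
]


def classify_url(url):
    """Label a URL as 'known-bad: <stage>' (listed host), 'suspicious: <stage>'
    (only the path shape matches) or None."""
    parts = urlsplit(url.replace("hxxp", "http", 1))
    host = (parts.hostname or "").lower()
    shape = next((name for name, rx in PATTERNS if rx.match(parts.path)), None)
    if shape == "blackhole landing":
        # The observed landing URL carries a 16-hex-character t= token.
        token = parse_qs(parts.query).get("t", [""])[0]
        if not re.fullmatch(r"[0-9a-f]{16}", token):
            shape = None
    elif shape == "blackhole payload":
        q = parse_qs(parts.query)          # observed as q.php?f=<id>&e=<n>
        if not ("f" in q and "e" in q):
            shape = None
    if host in BAD_HOSTS:
        return "known-bad: " + (shape or "host")
    return "suspicious: " + shape if shape else None


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def find_injected_scripts(html):
    """Return external script URLs that point at a listed host or a redirector path."""
    p = _ScriptSrcCollector()
    p.feed(html)
    return [s for s in p.srcs if classify_url(s)]


# Assumed proxy log layout: "<timestamp> <client> <method> <url> <status>".
LOG_RX = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines):
    """Return (client, method, url, label) for each log line that matches the chain."""
    hits = []
    for line in lines:
        m = LOG_RX.match(line)
        if m and (label := classify_url(m["url"])):
            hits.append((m["src"], m["method"], m["url"], label))
    return hits


# Constructed sample log: one client walking the full chain, one benign client,
# and one benign host whose path merely looks like a landing page.
SAMPLE_LOG = [
    "2012-12-05T10:01:02Z 10.0.0.7 GET http://beinsync.in/1FrYnHUV/index.html 200",
    "2012-12-05T10:01:03Z 10.0.0.7 GET http://anydemo.in/ox8rWBHG/js.js 200",
    "2012-12-05T10:01:04Z 10.0.0.7 GET http://85.25.189.174/showthread.php?t=34c79594e8b8ac0f 200",
    "2012-12-05T10:01:09Z 10.0.0.7 GET http://85.25.189.174/q.php?f=2fcad&e=2 200",
    "2012-12-05T10:01:15Z 10.0.0.7 POST http://91.121.84.204/pony/gate.php 200",
    "2012-12-05T10:02:00Z 10.0.0.9 GET http://www.example.com/index.html 200",
    "2012-12-05T10:02:30Z 10.0.0.9 GET http://www.example.com/aB3dEf9h/index.html 200",
]

# Constructed page: the three includes from the post plus one benign script.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="hxxp://anydemo.in/ox8rWBHG/js.js"></script>
<script type="text/javascript" src="hxxp://Darsshan.com/8n9SXXoy/js.js"></script>
<script type="text/javascript" src="hxxp://www.moverpackermart.com/3F634op7/js.js"></script>
<script src="http://www.example.com/js/site.js"></script>
</head></html>"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
    print(find_injected_scripts(SAMPLE_HTML))
```

The "suspicious" labels (path shape on an unlisted host, like the last sample line) are low confidence on their own; they are worth keeping because the same eight-character directory layout was reused across every host in the list above, but they should be correlated with the rest of the chain from the same client before anyone acts on them.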

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download 3 identical Gameover Zeus payloads from the following locations:

1. hxxp://electrosa.com/8zvW2XE.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://hotelsatmatheran.com/0Pvo9Hnu/EpJbWNWD.exe
4. hxxp://poetesa.ro/0SbvQR5X/5op0.exe

Gameover was installed as %APPDATA%\Enze\izvuo.exe

MD5: 4105a615d658d89e836c125844be5f39
Size: 3,41,600 bytes
Timestamp: 2010:10:31 08:13:32+01:00
Payload Build Time: 2012-04-16 03:12:58

This Gameover Zeus variant posts to a dropzone at 86.124.117.250:16824. Webinjects were downloaded from 125.166.213.114:25137. The Gameover variant had a botid of "MF222a20" and a cid of "5555".

As can be seen here, the Pony Downloader and Gameover Zeus payloads share the same properties, indicating that both were built by the same group/people, around the same time(?):

Signature: Digitally signed by 'wU5sF34khy4k0DMt30RspNOOm'
Certificate Validity: 04/20/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385
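The shared signer and version-info block above is the post's evidence that the two payloads came from one builder. The following script is an added example, not part of the original post or the tools it names: it turns that reasoning into two reusable checks, a fingerprint that clusters samples sharing the same signer, certificate validity window and version-info fields, and a set of forgery indicators (vendor claimed in version info does not match the signer subject, implausibly long certificate validity, PE header timestamp far from the bot's own build time). The field values are the ones the post lists for both payloads; the sample labels, the constructed control sample and the 10-year/30-day thresholds are assumptions made here.

```python
from datetime import datetime, timedelta

# Version info and signature fields exactly as the write-up lists them for both
# payloads.  Only the Gameover sample also has a PE timestamp and build time reported.
SHARED = {
    "signer": "wU5sF34khy4k0DMt30RspNOOm",
    "cert_valid_from": "04/20/2012",
    "cert_valid_to": "01/01/2040",
    "company": "Microsoft Corporation",
    "description": "Windows Disk Diagnostic User Resolver",
    "file_version": "6.1.7600.16385 (win7_rtm.090713-1255)",
    "internal_name": "DFDWiz.exe",
    "original_filename": "DFDWiz.exe",
    "product": "Microsoft® Windows® Operating System",
}
PONY = "info.exe (Pony)"
GAMEOVER = "izvuo.exe (Gameover)"
CONTROL = "control.exe (constructed)"
SAMPLES = {
    PONY: dict(SHARED),
    GAMEOVER: dict(SHARED, pe_timestamp="2010-10-31 08:13:32", build_time="2012-04-16 03:12:58"),
    # Constructed control: a plausibly signed vendor binary that should neither
    # cluster with the payloads nor trip any of the indicators.
    CONTROL: {
        "signer": "Example Vendor Ltd", "cert_valid_from": "01/15/2012",
        "cert_valid_to": "01/15/2015", "company": "Example Vendor Ltd",
        "description": "Example Updater", "file_version": "2.0.1.0",
        "internal_name": "updater.exe", "original_filename": "updater.exe",
        "product": "Example Suite",
        "pe_timestamp": "2012-03-01 12:00:00", "build_time": "2012-03-01 12:00:00",
    },
}


def fingerprint(meta):
    """Fields a builder tends to leave untouched between payloads of one campaign."""
    return (meta["signer"], meta["cert_valid_from"], meta["cert_valid_to"],
            meta["internal_name"], meta["file_version"])


def cluster(samples):
    """Group sample names by identical fingerprint."""
    groups = {}
    for name, meta in samples.items():
        groups.setdefault(fingerprint(meta), []).append(name)
    return groups


def forgery_indicators(meta, max_validity_years=10, max_timestamp_skew_days=30):
    """Return human-readable reasons why the metadata looks copied or forged."""
    reasons = []
    company, signer = meta["company"].lower(), meta["signer"].lower()
    if "microsoft" in company and "microsoft" not in signer:
        reasons.append("version info claims Microsoft but the signer subject does not")
    not_before = datetime.strptime(meta["cert_valid_from"], "%m/%d/%Y")
    not_after = datetime.strptime(meta["cert_valid_to"], "%m/%d/%Y")
    years = (not_after - not_before).days // 365
    if years > max_validity_years:
        reasons.append(f"certificate validity of {years} years exceeds a normal code-signing term")
    if "pe_timestamp" in meta and "build_time" in meta:
        ts = datetime.strptime(meta["pe_timestamp"], "%Y-%m-%d %H:%M:%S")
        bt = datetime.strptime(meta["build_time"], "%Y-%m-%d %H:%M:%S")
        if abs(bt - ts) > timedelta(days=max_timestamp_skew_days):
            reasons.append("PE header timestamp and payload build time disagree by more "
                           f"than {max_timestamp_skew_days} days")
    return reasons


if __name__ == "__main__":
    for fp, names in cluster(SAMPLES).items():
        print("signer", fp[0], "->", names)
    for name, meta in SAMPLES.items():
        print(name, forgery_indicators(meta) or "no indicators")
```

Run on the post's data, the two payloads land in one cluster and the control in another, and the Gameover sample trips all three indicators: the Microsoft strings with a non-Microsoft signer, the 2012-to-2040 validity window, and a header timestamp eighteen months older than the bot's build time. On real files these fields would be read with a PE parser and a certificate parser; the checks themselves do not change.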


One Comment

  1. Posted December 6, 2012 at 8:31 am

    First of all, thank you for your article. We think such articles are informative in nature. Thanks again.
