Tag Archives: Gameover

Update: 950 Euro transfer to Intesa Sanpaolo

New Hostile URLs observed on April 5, 2013:

hxxp://www.freerider.it/info1.html
hxxp://heartmecouture.com/info1.html
hxxp://www.milservice.pl/info1.html
hxxp://moneysystem.50webs.com/info1.html
hxxp://www.schmerbachskeller.de/info1.html
hxxp://svdnet.com/info1.html
hxxp://elima-docs-tpr.narod.ru/info1.html
hxxp://gesfi.com/info1.html
hxxp://www.padcacweb.pwp.blueyonder.co.uk/info1.html
hxxp://50.63.26.224/info1.html
hxxp://www.pon-vonbohlmannsland.de/info1.html
hxxp://ferret.perm.ru/info1.html
hxxp://www.mtetv.it/info1.html
hxxp://www.kkwalberberg.mynetcologne.de/info1.html
hxxp://w0e2fj2b3.homepage.t-online.de/info1.html
hxxp://personal.nbnet.nb.ca/info1.html
hxxp://valleylabel.net/info1.html
hxxp://nightfox.republika.pl/info1.html
hxxp://troop228.info/info1.html
hxxp://matpol.cba.pl/info1.html
hxxp://www.gianlucaboezio.it/info1.html
hxxp://www.wittmann-praxis.de/info1.html
hxxp://champwrestlinginfo.tripod.com/info1.html
hxxp://spiritoftheage.org.uk/info1.html
hxxp://www.stock-marketfair.com/info1.html
hxxp://www.magna4.com.br/info1.html
hxxp://biancas-scrapseite.pytalhost.de/info1.html
hxxp://ostunivilla.com/info1.html
hxxp://papagai.de/info1.html
hxxp://www.stahlvolleyballa.homepage.t-online.de/info1.html
hxxp://www.cyted.com/info1.html
hxxp://sttrni.com.br/info1.html
hxxp://wabostudios.com/info1.html
hxxp://www.ceccatobassano.it/info1.html
hxxp://www.sitkarymowanie.republika.pl/info1.html
hxxp://dokutainment.square7.ch/info1.html
hxxp://www.biglife.de/info1.html
hxxp://www.advmorais.com.br/info1.html
hxxp://www.chenilleawardletters.net/info1.html
hxxp://jkatinc.com/info1.html
hxxp://lawsonprinters.com/info1.html
hxxp://pianowithchris.com/info1.html
hxxp://prod1-imagesvu.integra.fr/info1.html
hxxp://qmbit.de/info1.html

Each of these pages contains an encoded script that redirects the visitor to a Blackhole exploit kit v2.x at hxxp://bangpleasure.com/news/wanting_book_switch.php. At the time of writing the kit was hosted at IP address 97.107.142.157.

950 Euro transfer to Intesa Sanpaolo

On April 04, 2013 we analyzed a spam run sent by the Cutwail spambot that used the theme “950 Euro transfer to Intesa Sanpaolo”:

Spam Subject(s):

Si deve essere attestato a 950,00 à dal tuo conto corrente bancario presso Intesa anPaolo. (English: It must be certified at 950.00 à from your bank current account at Intesa anPaolo.)
Richiesta di ammortamento di à 950,00 dal conto bancario di Intesa SanPaolo (English: Request for amortization of à 950.00 from the Intesa SanPaolo bank account)
Gli ammortamenti delle 950,00 à dal tuo conto bancario in Intesa SanPaolo (English: The amortizations of the 950.00 à from your bank account at Intesa SanPaolo)
à 950,00 sono dal vostro conto di Intesa SanPaolo ammortizzato in 24 ore (English: à 950.00 are amortized from your Intesa SanPaolo account within 24 hours)

Spam Template:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>

Gentile Cliente, <br>
Abbiamo ricevuto la richiesta di ammortamento di à 950,00 dal proprio conto bancario in Intesa SanPaolo per risolvere la consegna dei documenti. <br>L’ammortamento dei fondi e la trasmissione di documenti ulteriori fatto in 24 ore.<br><br>
<a href="hxxp://herr-pferd.de/info1.html">Vedi i dettagli dell’ordine </a> <br>
Cordiali saluti, Servizio clienti sostegno della Intesa SanPaolo Banca.<br>
</BODY></HTML>

In English the body reads: “Dear Customer, We have received the request for amortization of à 950.00 from your own bank account at Intesa SanPaolo to settle the delivery of the documents. The amortization of the funds and the transmission of further documents done within 24 hours. See the order details. Kind regards, Intesa SanPaolo Bank customer support service.”

Hostile URL(s):

hxxp://herr-pferd.de/info1.html
hxxp://nwernau.de/info1.html
hxxp://soswciechanow.home.pl/info1.html
hxxp://www.glueckauf-altenburg.de/info1.html
hxxp://nyhus.dk/info1.html
hxxp://barake.de/info1.html
hxxp://renata.weihs.w.interia.pl/info1.html
hxxp://vinkraj.narod.ru/info1.html
hxxp://mmjackofm.w.interia.pl/info1.html
hxxp://217.170.66.122/info1.html
hxxp://209.41.177.143/info1.html
hxxp://www.skemadtc.it/info1.html
hxxp://kumballa.de/info1.html
hxxp://www.samba-loco.de/info1.html
hxxp://brauerildiko.hu/info1.html
hxxp://public.dataproject.com/info1.html
hxxp://www.nationalhymne.de/info1.html
hxxp://angstrem.com.pl/info1.html
hxxp://mojdziennik.cba.pl/info1.html
hxxp://eleganceshop.home.pl/info1.html
hxxp://xchange.thegateworldwide.com/info1.html
hxxp://www.burningwick.pwp.blueyonder.co.uk/info1.html
hxxp://jwjoomla.cwsurf.de/info1.html
hxxp://www.agliati.it/info1.html
hxxp://best-nk.c0.pl/info1.html

The text ‘Vedi i dettagli dell’ordine’ (“See the order details”) is hyperlinked to one of the URLs listed above. Each of these pages contains an encoded script that redirects the visitor to a Blackhole exploit kit v2.x at hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php. At the time of writing the kit was hosted at IP address 96.126.106.62.

The kit attempts to download the following files/exploits:

hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php?tsltj=1l:30:1l:32:32&gmon=3j&eyoyoeuy=1o:30:32:30:1h:1j:1i:1f:1n:33&ggievtn=1o:1d:1f:1d:1f:1d:1f
Name: a4ccf.pdf
Identifier: CVE-2010-0188 exploit
Type: PDF document, version 1.6
Size: 9895 bytes
MD5sum: 1ef1040ba77c13ddc268ca34a4b030c6

If exploitation succeeds, the victim is redirected to hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php?fvpcpp=1l:30:1l:32:32&irzg=1o:30:32:30:1h:1j:1i:1f:1n:33&phrua=1i&nlcdd=obmoxwk&fdrehtz=gfyuft, from which a Pony variant with the following properties is downloaded:

Name: contacts.exe
Identifier: Pony downloader
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size: 150,528 bytes
MD5: c42105cc624659827773cb62de516d5a

Pony downloader posts to its dropzone at:

hxxp://3ecompany.com:8080/forum/viewtopic.php

hxxp://23.advertisingspecialties.biz/forum/viewtopic.php

hxxp://23.area-plumbing-company.com/forum/viewtopic.php

hxxp://23.debtfreein100days.com/forum/viewtopic.php

Pony downloader was configured to download Gameover Zeus payloads from the following locations:

1. hxxp://agarest.com/dckWfjue.exe
2. hxxp://kj-supply.com/JUz8cnK.exe
3. hxxp://chadgunderson.com/ZUmJx.exe

Gameover installs itself as %APPDATA%\Ppro\rfluo.exe and has the following file properties:

File: rfluo.exe
Size: 376,832 bytes
MD5: 6e65ca8fa550b03d1f377cc1c685abd8
Build TimeStamp: 2013-03-16 18:17:58
Language Code: Russian
Character Set: Unicode
Company Name: Корпорация Майкрософт (“Microsoft Corporation”)
File Description: Монитор устройств неподвижных изображений (“Still image device monitor”)
File Version: 5.1.2600.5512 (xpsp.080413-0852)

The Gameover variant had a botid of “candyshop” and a cid of 8888. The following P2P peers were found embedded in the Gameover Zeus payload:

178.122.63.254:26281
99.54.188.39:17053
78.166.181.174:25812
49.49.77.245:11443
95.58.110.195:28758
94.240.224.115:27794
147.8.213.30:18592
95.104.51.216:25833
194.94.127.98:25549
176.73.238.72:22869
69.77.132.197:20764
75.6.222.103:11577
71.136.48.91:22174
203.128.247.114:29667
186.96.66.82:17103
63.139.177.211:11505
78.139.187.6:14384
198.101.63.2:13725
90.176.158.215:15920

ADP Security Management Update

We analyzed the following malicious URL, used in ADP-themed spam on June 28/29, 2012:

hxxp://web.abmes.org.br/EiqyDBxS/index.html

ADP Security Update

The spam sample we analyzed was sent from 95.41.229.91 – a known Cutwail spambot.

This malicious page contained 4 external JavaScript includes, 3 of which are shown below:

<script type="text/javascript" src="hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js"></script>
<script type="text/javascript" src="hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js"></script>
<script type="text/javascript" src="hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js"></script>

These scripts eventually redirect the victim to a Blackhole exploit kit at 173.255.228.171.

We saw this Blackhole exploit kit serve 14 malicious payloads; by MD5 they reduce to the following 12 distinct binaries:

  • e6341e75dc5413720cbb03f6836ac39d
  • 1277be3dfecd932a1b4b32b1f0942146
  • 13b08f673c05c81b1f5b3344b23f79a2
  • 53fdca7c26b10de657cb4a4906cf6510
  • 488559808a353430357f4c3db9fb126f
  • 48a89c2e1816e2f8ec38071b45c72e6e
  • fe05f07e54adbf2d55946643f9a76f83
  • bee7603e2fb3dcb9dcf1c5589d551cb5
  • 1b1bbf726902beb3b25d11fbdc58720f
  • 017c71a4f156df3300d01ace4e01087a
  • e11534af5bb6a69726524e6851d8136d
  • ced5d89b3d27b85e9418a94ef2aac990

All of these binaries appear, on initial inspection, to be Pony downloaders.
The Pony downloader posts to its dropzone at hxxp://182.23.41.18/pony/gate.php and also downloads 3 identical Gameover Zeus payloads from the following locations:

1. hxxp://ftp.fundwaysofmo.com/pdqPv.exe
2. hxxp://www.artevoz.com.br/9D0JP.exe
3. hxxp://diclebaliksepeti.com/fJoqfYi.exe

Twitter received a request to reset the password for your account.

We analyzed the following malicious URL, used in Twitter-themed spam on May 17, 2012:

hxxp://lakshmiparthasarathyathreya.com/nwFzPsjZ/index.html

Twitter - Reset Password

This malicious page contained 4 external JavaScript includes, shown below:

<script type="text/javascript" src="hxxp://www.houard.eu/D2ec6Q6S/js.js"></script>
<script type="text/javascript" src="hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js"></script>
<script type="text/javascript" src="hxxp://hardinggraphics.com/ZRRV8K9w/js.js"></script>
<script type="text/javascript" src="hxxp://portaldomarmoreegranito.com.br/69zecvvX/js.js"></script>

These scripts eventually redirect the victim to a Blackhole exploit kit at hxxp://69.194.192.218/showthread.php?t=d7ad916d1c0396ff

The Blackhole kit first drops Pony from the following location:

hxxp://69.194.192.218/q.php?f=ba33e&e=4
File: readme.exe
MD5: cc696f9ac857c59be3940791f1dfa9c1
Size: 99,808 bytes

The Pony downloader posts to its dropzone at hxxp://50.57.121.196/pony/gate.php. It was also configured to download 2 identical Gameover Zeus payloads from the following locations:

1. hxxp://hosting1554269.az.pl/j5EGyoC.exe
2. hxxp://spiritfinancial.net/JqLBEaNt.exe

Gameover installs itself as %APPDATA%\Micyu\viunbu.exe

MD5: 1a518087bc0cbc1efd869012b2b1a7bd
Size: 305,120 bytes
Timestamp: 2010:10:29 20:57:49+02:00
Signature: This file is digitally signed by ‘gHA6’
Certificate Validity: 05/16/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 189.78.66.155:29620. Webinjects were downloaded from 87.23.103.64:19802. The Gameover variant had a botid of “NRm18”.

As we have been seeing for the past few weeks, the Pony downloader and Gameover Zeus payloads share the same file properties, which suggests both were built by the same group at around the same time:

Signature: This file is digitally signed by ‘gHA6’
Certificate Validity: 05/16/2012 to 01/01/2040
Company Name: bhq93888888888 Corporation
File Description: CTF Loader
Internal Name: CTFMON
Legal Copyright: © bhq93888888888 Corporation. All rights reserved.
Original Filename: CTFMON.EXE
Product Name: bhq93888888888® Windows® Operating System
Product Version: 6.1.7600.16385
Ole Self Register: D

ACH Transfer Rejected

We analyzed the following malicious URL, used in ACH spam on April 25, 2012:

hxxp://ft000267.ferozo.com/HbusWmxz/index.html

ACH Transfer rejected

This malicious page contained 4 external JavaScript includes, shown below:

<script type="text/javascript" src="hxxp://crowclub.ca/nRDnUrDq/js.js"></script>
<script type="text/javascript" src="hxxp://zadar.hr/aAyhw3ey/js.js"></script>
<script type="text/javascript" src="hxxp://giupban24h.com/v3NcYEV4/js.js"></script>
<script type="text/javascript" src="hxxp://pacilg.org/RaQhf32L/js.js"></script>

These scripts eventually redirect the victim to a Blackhole exploit kit at hxxp://216.119.142.235/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://216.119.142.235/q.php?f=2fcad&e=2
File: contacts.exe
MD5: 242e28a23fbea9dc1e1939eea326a0d2
Size: 110,176 bytes

The Pony downloader posts to its dropzone at hxxp://91.121.84.204/pony/gate.php. It was also configured to download 2 identical Gameover Zeus payloads from the following locations:

1. hxxp://power-tec.sk/D8aoPu86/XPVqAGE.exe
2. hxxp://valuemerge.com/aXS0mRNT/KXj.exe

Gameover was installed in %APPDATA%\Ucnye\azufyv.exe

MD5: 647c62cd30f6fb4ea00e8829359b0a82
Size: 274,016 bytes
Timestamp: 2010:11:03 14:49:13+01:00
Signature: This file is digitally signed by ‘tNzquyHloA4n3FFctsvudWw7x’
Certificate Validity: 04/24/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 89.44.245.126:17711. Webinjects were downloaded from 64.60.155.138:21835. The Gameover variant had a botid of “mf222a25” and a cid of “3005”.

Fwd: Scan from a Hewlett-Packard ScanJet #468974

We analyzed the following malicious URLs, used in HP Scan spam:

hxxp://eksitonas.lt/KzHz5BzZ/index.html
hxxp://casagustosa.gr/zo799HVs/index.html

These malicious pages contained 3 external JavaScript includes, shown below:

hxxp://yasonrafilm.com/ZAsUDjH1/js.js
hxxp://lsdkft.hu/bC1BxCbJ/js.js
hxxp://www.aafaq.ca/sxuvf5jV/js.js

These scripts eventually redirect the victim to a Blackhole exploit kit at hxxp://208.117.43.8/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://208.117.43.8/q.php?f=2fcad&e=2
File: about.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 110,688 bytes

The Pony downloader posts to its dropzone at hxxp://91.121.84.204/pony/gate.php. It was also configured to download 4 identical Gameover Zeus payloads from the following locations:

1. hxxp://power-tec.sk/D8aoPu86/XPVqAGE.exe
2. hxxp://synergieassurance.com/AnJVfWxx/aFa.exe
3. hxxp://20272.w72.wedos.net/w7y74z3H/Hzt.exe
4. hxxp://electrosa.com/8zvW2XE.exe

Gameover was installed in %APPDATA%\Ociw\ilji.exe

MD5: 80bd579d484ac4742b75952fb1a2d694
Size: 274,016 bytes
Timestamp: 2010:11:03 04:51:09+01:00
Signature: This file is digitally signed by ‘tNzquyHloA4n3FFctsvudWw7x’
Certificate Validity: 04/24/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 86.35.218.231:17554. Webinjects were downloaded from 189.78.203.103:29161. The Gameover variant had a botid of “MF222a24” and a cid of “3005”.

IRS spams

We analyzed the following malicious URLs, which we believe are used in IRS spam:

hxxp://9x18.com/1FrYnHUV/index.html
hxxp://9x18.com/6GkXis2t/index.html
hxxp://9x18.com/7zSj5u8N/index.html
hxxp://9x18.com/9sfGpVaP/index.html
hxxp://9x18.com/DcXTY95c/index.html
hxxp://9x18.com/EdVTFHRy/index.html
hxxp://9x18.com/H37jjL6S/index.html
hxxp://9x18.com/JLdSGm4e/index.html
hxxp://9x18.com/KirxGAkT/index.html
hxxp://9x18.com/M7vrQsUT/index.html
hxxp://9x18.com/N7kkDdho/index.html
hxxp://9x18.com/U8nC5QAL/index.html
hxxp://9x18.com/Y1aFsgBk/index.html
hxxp://9x18.com/bFdJryZB/index.html
hxxp://9x18.com/igc6smeH/index.html
hxxp://9x18.com/jUyLton1/index.html
hxxp://9x18.com/pHbH0hzY/index.html
hxxp://9x18.com/rPWsV1Cp/index.html
hxxp://9x18.com/tjUQVqbC/index.html
hxxp://beinsync.in/1FrYnHUV/index.html
hxxp://9x18.com/wVKshGdP/index.html
hxxp://beinsync.in/6GkXis2t/index.html
hxxp://alcopaz.com/1FrYnHUV/index.html
hxxp://beinsync.in/7zSj5u8N/index.html
hxxp://alcopaz.com/6GkXis2t/index.html
hxxp://beinsync.in/9sfGpVaP/index.html

Although 9x18.com was already restricting access to these URLs, the other malicious URLs were still up and redirecting victims to the Blackhole exploit kit through the following 3 scripts:

<script type="text/javascript" src="hxxp://anydemo.in/ox8rWBHG/js.js"></script>
<script type="text/javascript" src="hxxp://Darsshan.com/8n9SXXoy/js.js"></script>
<script type="text/javascript" src="hxxp://www.moverpackermart.com/3F634op7/js.js"></script>

The Blackhole kit was running at hxxp://85.25.189.174/showthread.php?t=34c79594e8b8ac0f. It first drops the Pony downloader from the following location:

hxxp://85.25.189.174/q.php?f=2fcad&e=2
File: info.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 131,168 bytes

The Pony downloader posts to its dropzone at hxxp://91.121.84.204/pony/gate.php. It was also configured to download identical Gameover Zeus payloads from the following 4 locations:

1. hxxp://electrosa.com/8zvW2XE.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://hotelsatmatheran.com/0Pvo9Hnu/EpJbWNWD.exe
4. hxxp://poetesa.ro/0SbvQR5X/5op0.exe

Gameover was installed in %APPDATA%\Enze\izvuo.exe

MD5: 4105a615d658d89e836c125844be5f39
Size: 341,600 bytes
Timestamp: 2010:10:31 08:13:32+01:00
Payload Build Time: 2012-04-16 03:12:58

This Gameover Zeus variant posts to a dropzone at 86.124.117.250:16824. Webinjects were downloaded from 125.166.213.114:25137. The Gameover variant had a botid of “MF222a20” and a cid of “5555”.

As we have been noting here, the Pony downloader and Gameover Zeus payloads share the same properties, which suggests both were built by the same group at around the same time:

Signature: Digitally signed by ‘wU5sF34khy4k0DMt30RspNOOm’
Certificate Validity: 04/20/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

ACH Transaction Rejected

The samples we analyzed had a link to a malicious page at hxxp://cayambeturismo.gob.ec/zHyxgRft/index.html & hxxp://doctors.eyes.org/a6qYbbvX/index.html

ACH transaction rejected

This malicious page contained javascript that redirected victims to a Blackhole Exploit kit at

hxxp://85.25.189.174/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://85.25.189.174/q.php?f=2fcad&e=2
File: about.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 131,168 bytes

The Pony downloader posts to its dropzone at hxxp://91.121.84.204/pony/gate.php. It was also configured to download 3 identical Gameover Zeus payloads from the following locations:

1. hxxp://electrosa.com/8zvW2XE.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://electrosa.com/8zvW2XE.exe
4. hxxp://poetesa.ro/0SbvQR5X/5op0.exe

Gameover was installed in %APPDATA%\Yblaa\duoju.exe

MD5: a898d910ac17e2dc00333a410daeaa68
Size: 347,744 bytes
Timestamp: 2010:10:28 19:52:20+02:00

This Gameover Zeus variant posts to a dropzone at 190.200.120.150:17663. Webinjects were downloaded from 210.4.72.124:13525. The Gameover variant had a botid of “mf222a20” and a cid of “5555”.

Again, as noted over the past few days, the Pony downloader and Gameover Zeus payloads shared the same properties:

Signature: Digitally signed by ‘wU5sF34khy4k0DMt30RspNOOm’
Certificate Validity: 04/20/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

Scan from a Xerox WorkCentre Pro #315614

The sample we analyzed had a link to a malicious page at hxxp://shopdreambags.com/FD6YBhNw/index.html

Scan from Xerox 315614

This malicious page contained javascript that redirected victims to a Blackhole Exploit kit at

hxxp://184.22.115.24/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://184.22.115.24/q.php?f=2fcad&e=2
File: contacts.exe
MD5: ce1e4177bb2605a8637e386c6f7ab737
Size: 129,632 bytes

The Pony downloader posts to its dropzone at hxxp://200.72.183.54//pony/gate.php. It was also configured to download 3 identical Gameover Zeus payloads from the following locations:

1. hxxp://poetesa.ro/0SbvQR5X/5op0.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://redman.com.br/zqDQMaNF/SRivXt.exe

Gameover was installed in %APPDATA%\Jysah\gaihyl.exe

MD5: a898d910ac17e2dc00333a410daeaa68
Size: 347,744 bytes
Timestamp: 2010:10:31 04:27:18+01:00

This Gameover Zeus variant posts to a dropzone at 187.105.228.200:11752. Webinjects were downloaded from 71.80.237.121:14268. The Gameover variant had a botid of “MF222a19” and a cid of “5555”.

Interestingly, the Pony downloader and Gameover Zeus payloads shared the same properties, which suggests both were built by the same group at around the same time:

Signature: Digitally signed by ‘VfnHcYKXDLnVlQizT9uLI4yhP’
Certificate Validity: 04/18/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385
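The same delivery chain recurs in every post on this page: a lure page (info1.html, or an 8-character random directory with index.html), a js.js redirector in a similar random directory, a Blackhole landing page (showthread.php?t=<hex> in the 2012 posts, a <word>_<word>_<word>.php path with colon-joined short alphanumeric tokens in the 2013 post), the q.php?f=..&e=.. payload fetch, and finally a POST to the Pony gate (/pony/gate.php, or /forum/viewtopic.php in the 2013 variant). The following Python is an added example, not code from the original posts, that turns those URL shapes into a proxy-log chain detector. The log format and the *.example host names in the sample lines are constructed; the character-class generalizations (8-character directory, 16-hex thread id, 5-hex file id, 1-2 character tokens) are assumptions drawn from the handful of URLs reported above.

```python
import re
from collections import defaultdict

# Stage signatures distilled from the URLs reported on this page. Exact path
# names are the observed ones; the character classes (8-char random directory,
# 16-hex thread id, 5-hex file id, colon-joined 1-2 char tokens) are assumptions.
STAGES = [
    ("spam_landing", re.compile(r"/[A-Za-z0-9]{8}/index\.html$|/info1\.html$")),
    ("redirector_js", re.compile(r"/[A-Za-z0-9]{8}/js\.js$")),
    ("bhek1_landing", re.compile(r"/showthread\.php\?t=[0-9a-f]{16}$")),
    ("bhek1_payload", re.compile(r"/q\.php\?f=[0-9a-f]{5}&e=\d+$")),
    ("bhek2_fetch", re.compile(
        r"/[a-z]+_[a-z]+_[a-z]+\.php\?(?:[^&]*&)*[a-z]+=[0-9a-z]{1,2}(?::[0-9a-z]{1,2})+(?:&|$)")),
    ("bhek2_landing", re.compile(r"/[a-z]+_[a-z]+_[a-z]+\.php(?:\?|$)")),
    ("pony_gate", re.compile(r"/pony/gate\.php$|/forum/viewtopic\.php$")),
]

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>". Hosts named
# *.example are placeholders; the IP-based URLs reuse addresses reported on this page.
SAMPLE_LOG = """\
2013-04-05T10:00:01 10.0.0.5 GET http://lure.example/info1.html 200
2013-04-05T10:00:02 10.0.0.5 GET http://ek.example/news/wanting_book_switch.php 200
2013-04-05T10:00:05 10.0.0.5 GET http://ek.example/news/wanting_book_switch.php?tsltj=1l:30:1l:32:32&gmon=3j 200
2013-04-05T10:00:09 10.0.0.5 POST http://drop.example:8080/forum/viewtopic.php 200
2012-05-17T09:10:00 10.0.0.8 GET http://lure2.example/nwFzPsjZ/index.html 200
2012-05-17T09:10:01 10.0.0.8 GET http://redir.example/D2ec6Q6S/js.js 200
2012-05-17T09:10:03 10.0.0.8 GET http://69.194.192.218/showthread.php?t=d7ad916d1c0396ff 200
2012-05-17T09:10:07 10.0.0.8 GET http://69.194.192.218/q.php?f=ba33e&e=4 200
2012-05-17T09:10:20 10.0.0.8 POST http://50.57.121.196/pony/gate.php 200
2012-05-17T09:12:00 10.0.0.9 GET http://www.example/forum/viewtopic.php 200
2012-05-17T09:13:00 10.0.0.9 GET http://www.example/wiki/index.html 200
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def classify_url(url):
    """Map a URL to a delivery-chain stage name, or None if it matches nothing."""
    rest = url.split("://", 1)[-1]
    path = rest[rest.find("/"):] if "/" in rest else "/"
    for name, rx in STAGES:
        if rx.search(path):
            return name
    return None

def find_chains(lines, min_stages=2):
    """Per client, the ordered list of stages touched (consecutive repeats collapsed);
    clients that hit fewer than min_stages distinct stages are dropped."""
    stages_by_client = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        _ts, client, method, url, _status = m.groups()
        stage = classify_url(url)
        if stage is None:
            continue
        if stage == "pony_gate" and method != "POST":
            continue  # the gate only matters as a POST (bot check-in / stolen data)
        seq = stages_by_client[client]
        if not seq or seq[-1] != stage:
            seq.append(stage)
    return {c: seq for c, seq in stages_by_client.items() if len(set(seq)) >= min_stages}

if __name__ == "__main__":
    for client, seq in find_chains(SAMPLE_LOG.splitlines()).items():
        print(client, " -> ".join(seq))
```

A single stage hit (for instance a GET to some forum's viewtopic.php) is noise; the value is in a client walking two or more stages in sequence, which is why the detector reports the ordered chain rather than individual matches. Treat a chain that reaches pony_gate as a confirmed infection and pull the host for the Gameover install path described above.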

VALERIO Pizza Order Confirmation

Order Confirmation

The sample we analyzed had a link to a malicious page at hxxp://printingcheaper.com/page1.htm?XVUU=S1KGEAGODJ8XNNAHB48IE5UHL&ZELSDVH=J0VL2BFPNUITV68G6&ID5TU3=UA0MLSUW5R2R8GC&DT9=MXK3SEKG0JMHDAU0RZAG6P3K&4S0W2E=8MG1P4S5IGNJAPNX87C&G4YO6P6=AEPEC1D5PXXZ&CS66A7F=RNK4RSELG796VIEX0TUYQ8F9&877R2=VGZBG625JCT8Z9O2K&KQA05=5L5TW1IP247&

This malicious page contained JavaScript that redirected victims to a Phoenix exploit kit at hxxp://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php
The Phoenix kit first drops a CVE-2010-0188 PDF exploit from hxxp://uiwewsecondary.ru:8080/internet/kqbzaubpiqxnbn.pdf. The PDF file had the following properties:

File: kqbzaubpiqxnbn.pdf
MD5: 1b6f367a28de927e6573e803e555a297
Size: 13,163 bytes

A successful exploit in turn handed the victim off to a second exploit kit at hxxp://poluicenotgo.ru:8080/internet/at.php?i=15. This kit dropped a Pony downloader with the following properties:

File: esfwatkocliuyn.exe
MD5: 5726463108bb6f26e6dd54763e85453b
Size: 135,264 bytes

Both of these Phoenix exploit kits are hosted at the following IP addresses on the same fast-flux infrastructure:

83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
41.168.5.140
62.85.27.129
173.203.211.157
210.56.23.100
211.44.250.173
216.24.197.66
219.94.194.138

The Pony downloader posts to its dropzone at hxxp://dare2dreamz.com/pony/gate.php, hosted at IP address 109.206.180.54. It was also configured to download 3 identical Gameover Zeus payloads from the following locations:

1. hxxp://dynolite.eu/7U0ASvP9/AZz.exe
2. hxxp://abbott.u4ria.co.za/HGFg1RHz/MkiZMX.exe
3. hxxp://demircioglubilgisayar.com.tr/qy3kMMxv/VgWqQm4k.exe

Gameover was installed in %APPDATA%\Meizo\ehgea.exe

MD5: a3e56f7ba6cd98b2ac87596daf74e2aa
Size: 371,808 bytes
Timestamp: 2010:10:29 14:08:06+02:00

This Gameover Zeus variant posts to a dropzone at 211.73.186.159:28813. Webinjects were downloaded from 76.73.52.11:25362. The Gameover variant had a botid of “MF222a17” and a cid of “5555”.

Interestingly, the Pony downloader and Gameover Zeus payloads shared the same properties, which suggests both were built by the same group at around the same time:

Signature: Digitally signed by ‘VfnHcYKXDLnVlQizT9uLI4yhP’
Certificate Validity: 04/16/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385
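The shared signature and VERSIONINFO fields called out after each campaign above (a single random-looking signer string, a certificate valid until 2040, Microsoft branding on a file whose OriginalFilename does not match its name on disk, or the nonsense “bhq93888888888 Corporation”) are also a cheap triage signal on their own. The following Python is an added example, not the author's code, that encodes those inconsistencies as checks and groups samples by signer and certificate validity window to recover the “same builder” clusters. The property dictionaries are transcribed from this page; the benign control record and the randomness heuristic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Signature and VERSIONINFO fields transcribed from this page.
# VALERIO campaign: Pony (esfwatkocliuyn.exe) and Gameover (ehgea.exe) shared these.
DFDWIZ_PROPS = {
    "Signer": "VfnHcYKXDLnVlQizT9uLI4yhP",
    "CertValidFrom": "04/16/2012",
    "CertValidTo": "01/01/2040",
    "CompanyName": "Microsoft Corporation",
    "FileDescription": "Windows Disk Diagnostic User Resolver",
    "OriginalFilename": "DFDWiz.exe",
}
# Twitter campaign: Pony (readme.exe) and Gameover (viunbu.exe) shared these.
CTFMON_PROPS = {
    "Signer": "gHA6",
    "CertValidFrom": "05/16/2012",
    "CertValidTo": "01/01/2040",
    "CompanyName": "bhq93888888888 Corporation",
    "FileDescription": "CTF Loader",
    "OriginalFilename": "CTFMON.EXE",
}
# Constructed control record (assumed values, not from the page): what a
# legitimately signed Microsoft DFDWiz.exe would look like.
BENIGN_PROPS = {
    "Signer": "Microsoft Corporation",
    "CertValidFrom": "07/01/2009",
    "CertValidTo": "10/01/2010",
    "CompanyName": "Microsoft Corporation",
    "FileDescription": "Windows Disk Diagnostic User Resolver",
    "OriginalFilename": "DFDWiz.exe",
}

# label -> (properties, name the file had on disk)
SAMPLES = {
    "esfwatkocliuyn.exe": (DFDWIZ_PROPS, "esfwatkocliuyn.exe"),
    "ehgea.exe": (DFDWIZ_PROPS, "ehgea.exe"),
    "viunbu.exe": (CTFMON_PROPS, "viunbu.exe"),
    "DFDWiz.exe": (BENIGN_PROPS, "DFDWiz.exe"),
}

def looks_random(token):
    """Heuristic (assumption): a single alphanumeric token containing digits, or a
    long mixed-case one, is a generated string rather than an organisation name."""
    if not re.fullmatch(r"[A-Za-z0-9]+", token):
        return False
    has_digit = any(c.isdigit() for c in token)
    mixed_case = token != token.lower() and token != token.upper()
    return has_digit or (mixed_case and len(token) >= 12)

def cert_lifetime_days(valid_from, valid_to):
    fmt = "%m/%d/%Y"  # the MM/DD/YYYY form used on this page
    return (datetime.strptime(valid_to, fmt) - datetime.strptime(valid_from, fmt)).days

def triage(props, on_disk_name, max_cert_days=10 * 366):
    """Return the inconsistency tags for one sample, in a fixed order."""
    findings = []
    signer = props.get("Signer", "")
    company = props.get("CompanyName", "")
    if looks_random(signer):
        findings.append("signer-looks-random")
    if company and looks_random(company.split()[0]):
        findings.append("company-looks-random")
    if "microsoft" in company.lower() and "microsoft" not in signer.lower():
        findings.append("company-signer-mismatch")
    if cert_lifetime_days(props["CertValidFrom"], props["CertValidTo"]) > max_cert_days:
        findings.append("cert-lifetime-excessive")
    orig = props.get("OriginalFilename", "")
    if orig and orig.lower() != on_disk_name.lower():
        findings.append("original-filename-mismatch")
    return findings

def cluster_by_signer(samples):
    """Group sample labels that share signer and certificate validity window;
    only groups of two or more are returned."""
    groups = defaultdict(list)
    for label, (props, _name) in samples.items():
        key = (props["Signer"], props["CertValidFrom"], props["CertValidTo"])
        groups[key].append(label)
    return {key: sorted(labels) for key, labels in groups.items() if len(labels) > 1}

if __name__ == "__main__":
    for label, (props, name) in SAMPLES.items():
        print(f"{label}: {triage(props, name) or 'no findings'}")
    for key, labels in cluster_by_signer(SAMPLES).items():
        print("same builder:", key, labels)
```

None of these checks replaces actual Authenticode chain validation (a self-signed certificate fails that regardless of its subject), but they work on metadata you already have in a sandbox report, and the signer/validity clustering is exactly the relation the posts above rely on when they say the Pony and Gameover samples came from the same builder.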