Archive for the 'Malware & Virus Analysing' Category

Fake hotel.de Booking Emails Hitting CH and DE

Around 09:00 UTC, the Cutwail spam botnet started to send out a new spam campaign targeting Swiss and German internet users. This spam campaign seems to be linked to the fake Swisscom and T-Mobile emails we have seen recently.

This time, the criminals send out fake hotel.de booking emails that look like this:

From: “hotel.de” Reserv@hotel.de
To: spamtrap
Subject: Hotel.de Reservierung [98588048], Mon, 18 Mar 2013 17:23:24 +0800

Reservierung

Buchungsnummer: SN2699862
Buchungsdatum: Mon, 18 Mar 2013 17:23:24 +0800
Mehr Details in der beigefugten Datei

Anreise: 23.03.2013 Anzahl Nächte: 1
Abreise: 24.03.2013 Gesamtanzahl Personen: 1
Preis: 73,89 EUR
Der Gesamtpreis beinhaltet 3,93 EUR Steuern und Abgaben.

Hinweis: Diese Buchung ist per Bankkarte gesichert.
——————————————————————————–
Mit freundlichen grüßen
Ihr hotel.de/hotel.info-Team
hotel.de AG – www.hotel.de – www.hotel.info

The email contains an attachment called HotelReservierung8266035.pdf.zip that contains a Windows executable:

Filename: HotelReservierung8300754911.PDF.exe
Filesize: 124’287 bytes
MD5 hash: 9b81080a24495269caf15637fe3908c1
VirSCAN.org: 2 / 37

The file contains the same dropper that we have already seen in the recent Swisscom / T-Mobile spam mails: Andromeda (also known as Gamarue). Once executed, the Trojan installs itself on the system and tries to connect to the following botnet command and control (C&C) server:

POST /wp-rss2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: kitro.pl
Content-Length: 80
Cache-Control: no-cache
Pragma: no-cache

*encrypted-data*

The domain name kitro.pl is registered through a Poland-based domain registrar called “Domain Silver Inc”:

DOMAIN NAME: kitro.pl
registrant type: individual
nameservers: ns1.nextbookz.com.
ns1.menorca24.com.
created: 2012.12.10 15:11:20
last modified: 2013.03.14 07:15:00
renewal date: 2013.12.10 15:11:20

no option

dnssec: Unsigned
TECHNICAL CONTACT: data restricted

REGISTRAR:
Domain Silver Inc.
1st Floor, Sham-Peng-Tong
Plaza Building, Victoria, Mahe
Seychelles
e-mail: support@domainsilver.pl
tel.: +1.3236524343

Based on the geo location of the victim, the Trojan drops additional malware like Torpig/Mebroot, Citadel or Feodo/Cridex.

Since the domain hotel.de publishes an SPF record and the sending IP addresses are already listed on Spamhaus ZEN, the impact of this threat should be limited (unless you use a poorly configured spam filter).

As usual, I recommend blocking the following domain names and IP addresses associated with this threat on your network edge / web gateway:

menorca24.com
nextbookz.com
ophia.ru
kitro.pl
177.71.251.208
163.32.75.26
2.229.105.130
130.255.190.43

Fake Swisscom And T-Mobile Emails Hitting CH and DE

This morning I’ve spotted two spam campaigns hitting German and Swiss internet users, by abusing the name and reputation of two well-known players in the telephone sector: Swisscom (CH) and T-Mobile (DE).

Below is a spam sample that has been sent out by the Cutwail spam botnet this morning hitting Swiss internet users:

From: noreply@swisscom.ch
To: spamtrap
Subject: MMS

Description: Swiss Telecom

Telefonnummer +41*random-number*

Wenn der Adressat ein MMS nicht empfangen kann (weil er kein MMS-fähiges Handy hat oder wenn mit seinem Netzanbieter keine MMS ausgetauscht werden können) erhält er ein SMS mit einer MMS-ID. Auf der Website von Swisscom kann er das MMS mit dieser MMS-ID abrufen.

It’s an HTML email that embeds the Swisscom logo:

[Screenshot of the spam email]

The email is written in German and says that if the recipient receives an MMS and his mobile phone isn’t able to display MMS or his network provider doesn’t support it, he will get an SMS with an MMS-ID. The recipient can enter this MMS-ID on the Swisscom website to view the MMS he has just received. If you Google that text you will notice that the criminals simply copied it from Swisscom’s official website:

http://www.swisscom.ch/de/privatkunden/hilfe/loesung/dienste-im-ausland-nutzen.html

The spam email has a ZIP archive (MMSXXXXX.zip) attached that contains a Windows executable (.exe) carrying Andromeda (also known as Gamarue):

Filename: MMS-XXXXXXXX.JPEG.exe
Filesize: 30’724 bytes
MD5 hash: 2c1a7509b389858310ffbc72ee64d501
Virustotal: 20 / 45

Once the recipient executes the Windows executable, the Trojan installs itself into the profile of All Users:

C:\Documents and Settings\All Users\dxalrjtj.exe

Andromeda/Gamarue uses anti-VM mechanisms to make sure that it only runs on a physical system. As soon as the Trojan has infected the victim’s machine, it starts to communicate with the botnet C&C over HTTP:

POST /soap.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: ophia.ru
Content-Length: 80
Cache-Control: no-cache
Pragma: no-cache

*encrypted-data*
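Both C&C requests shown in these two posts (kitro.pl and ophia.ru) share the same shape: a POST to a .php path, the bare User-Agent "Mozilla/4.0", an 80-byte form-encoded body and no-cache headers. The following is an added example (not code from the original post) that turns those traits into a detection over raw HTTP requests; the sample requests are constructed, with 80 "x" bytes standing in for the encrypted body.

```python
# Added example (not from the original post): flag HTTP requests that match the
# Andromeda/Gamarue check-in captured above: a POST to a .php path with the bare
# User-Agent "Mozilla/4.0", an 80-byte form-encoded body and both Cache-Control
# and Pragma set to no-cache. All sample requests below are constructed.

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lowercase-keyed headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def is_andromeda_beacon(raw: str) -> bool:
    """True only when every trait seen in both captures from the posts is present."""
    req = parse_request(raw)
    h = req["headers"]
    return (req["method"] == "POST"
            and req["path"].endswith(".php")
            and h.get("user-agent") == "Mozilla/4.0"
            and h.get("content-type") == "application/x-www-form-urlencoded"
            and h.get("content-length") == "80"
            and h.get("cache-control") == "no-cache"
            and h.get("pragma") == "no-cache")

def beacon_hosts(requests) -> list:
    """Sorted C&C hostnames contacted by requests that match the beacon shape."""
    return sorted({parse_request(r)["headers"].get("host", "?")
                   for r in requests if is_andromeda_beacon(r)})

def _build(path, host, user_agent, extra_headers):
    """Assemble a constructed request; 80 'x' bytes stand in for the encrypted body."""
    body = "x" * 80
    return (f"POST {path} HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            f"Connection: close\r\nUser-Agent: {user_agent}\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\n{extra_headers}\r\n{body}")

NOCACHE = "Cache-Control: no-cache\r\nPragma: no-cache\r\n"
SAMPLES = [
    _build("/wp-rss2.php", "kitro.pl", "Mozilla/4.0", NOCACHE),   # hotel.de campaign
    _build("/soap.php", "ophia.ru", "Mozilla/4.0", NOCACHE),      # Swisscom campaign
    _build("/login.php", "intranet.example", "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Firefox/19.0",
           "Cache-Control: max-age=0\r\n"),                       # ordinary browser POST
]

if __name__ == "__main__":
    print(beacon_hosts(SAMPLES))   # ['kitro.pl', 'ophia.ru']
```

Run against proxy or IDS captures, the same check highlights hosts worth blocking even when the C&C domain itself is new.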

The botnet C&C server is located at ophia.ru, which is registered through a Russia-based domain registrar called “NAUNET”:

domain: OPHIA.RU
nserver: ns1.menorca24.com.
nserver: ns1.nextbookz.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2012.12.10
paid-till: 2013.12.10
free-date: 2014.01.10
source: TCI

The domain name has several A records:

59.167.122.56 [ppp59-167-122-56.static.internode.on.net.]
101.99.23.176 [static.cmcti.vn.]
2.229.105.130 [2-229-105-130.ip196.fastwebnet.it.]
177.71.251.208 [ec2-177-71-251-208.sa-east-1.compute.amazonaws.com.]
185.12.5.106 [host-106-5-12-185.cloudsigma.com.]

Googling the botnet C&C domain reveals an interesting forum post on Trojaner-board.de. Evidently the criminals sent out a similar spam campaign today targeting German internet users by abusing T-Mobile’s brand. The attackers used a different subject line and email body, but sent out the same malicious file (MD5 hash: 2c1a7509b389858310ffbc72ee64d501).

Fortunately, I’ve some good news for you: All these spam emails I’ve seen hitting my spamtraps today have been blocked by Spamhaus ZEN. So if your spam filter is checking the sending IP address of an email against ZEN, most of these spam emails should have been blocked. Secondly, Swisscom did their homework and already published an SPF record for their domain name swisscom.ch a long time ago:

$ dig +short swisscom.ch TXT
"v=spf1 ip4:193.222.81.0/24 -all"

If your spam filter is configured to check the SPF record of the sending domain, all these spam messages should have been rejected on your email gateway.
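To show what that check actually decides, here is an added example (not code from the original post) that evaluates the swisscom.ch record quoted above against a connecting IP address. It implements only the ip4/ip6 mechanisms and the "all" qualifiers from RFC 7208; the sender addresses are constructed, with an RFC 5737 test address standing in for a Cutwail node.

```python
import ipaddress
from typing import Optional

# Added example (not from the original post): evaluate the swisscom.ch SPF record
# quoted above against a connecting IP. Only ip4/ip6 mechanisms and the "all"
# qualifiers are implemented; a record that needs include:/a/mx/redirect
# evaluation returns "permerror" so the caller never mistakes it for a pass.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record: Optional[str], sender_ip: str) -> str:
    """Return the SPF result for sender_ip: pass, fail, softfail, neutral, none or permerror."""
    if record is None:
        return "none"                          # domain publishes no SPF record at all
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                        # RFC 7208: an omitted qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            if "/" not in arg:                 # bare address: treat as a single host
                arg += "/32" if mech == "ip4" else "/128"
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                     # mechanism this checker does not evaluate
    return "neutral"                           # nothing matched and no "all" term given

# The record the post shows for swisscom.ch, plus constructed sender addresses:
# one inside the authorised /24 and one (RFC 5737 test range) standing in for a bot.
SWISSCOM_SPF = '"v=spf1 ip4:193.222.81.0/24 -all"'

if __name__ == "__main__":
    print(check_spf(SWISSCOM_SPF, "193.222.81.25"))   # pass
    print(check_spf(SWISSCOM_SPF, "203.0.113.7"))     # fail -> reject at the gateway
```

A "fail" result on a message whose envelope sender is swisscom.ch is exactly the case the -all suffix asks receivers to reject.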

To mitigate this threat, you should ensure that you:

  • Check incoming emails against Spamhaus ZEN
  • Enable SPF checking on your spam filter / email gateway
  • Block the botnet C&C domain name and the associated IP addresses (see below)
  • Configure your clients to show file extensions for known file types (MMS-XXX.jpg.exe)

Associated domain names / IP addresses to block on your firewall / gateway:
