[nsp-sec] [FICORA #123493] Nordea Finland webbank targeted with a major spamrun and Trojan-Spy:W32/ZBot.HS trojan
Huopio Kauto
Kauto.Huopio at ficora.fi
Thu Feb 21 08:21:33 EST 2008
Since yesterday morning Finnish time CERT-FI has been handling a major targeted (target = Finland) spamrun and spyware attack towards Nordea Bank Finland. A typical spam mail is in the attachment.
Message type #1 claimed that a nuclear power plant was about to explode in Mikkeli, central Finland. Too bad for the miscreants, there ain't a nuclear plant in Mikkeli.. :) Message type #2 was from Tatjana, looking for some sex company.
Interesting about these two messages is that the language was perfect Finnish. A native Finn must have been doing the translations - no machine translators here.
The spamrun used numerous Geocities accounts as the lure URLs. We've delivered a sample of these URLs to Yahoo/Geocities to look after - there must be a lot more than we've seen.
The affected pages contained the following:
<meta http-equiv='refresh' content='0;URL=hxxp://88.255.94.87/alice_fi/'>
(http -> hxxp to protect incidents :) )
which loaded Trojan-Spy:W32/ZBot.HS to the system.
WHOIS information:
inetnum: 88.255.94.0 - 88.255.94.255
netname: AbdAllah_Internet
descr: AbdAllah Internet Hizmetleri
descr: Etnografya Muze mevkii Kirazlik Mh. No:32 Rize
country: tr
admin-c: MAG87-RIPE
tech-c: MAG87-RIPE
status: assigned pa
mnt-by: as9121-mnt
source: RIPE # Filtered
person: Mahmod AbdAllah el Gashmi
address: SISTEMNET TELEKOM BLACKLISTED PERSON
e-mail: admin at sistemnet.com.tr
phone: +902122666060
remarks: ------------------------------------------------------
remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
remarks: For Abuse Contact : abuse at sistemnet.com.tr
remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
remarks: ------------------------------------------------------
nic-hdl: MAG87-RIPE
mnt-by: sistem-net-mnt
source: RIPE # Filtered
BFK passive DNS data on this address:
2008-02-15 11:12:23 2008-02-17 09:49:58 87.94.255.88.sbl.spamhaus.org TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL59691"
2008-02-15 11:32:28 2008-02-17 09:49:58 87.94.255.88.multi.uribl.com A 127.0.0.2
The Spamhaus report is entertaining reading.
Now things get very interesting. Nordea netbank uses two-factor authentication at login (username, password and one-time PIN list) _AND_ a separate rotating PIN list in the transaction confirmation phase. It is going to be _very_ interesting to see how the miscreants MITM'ed this.
The MITM functionality of the trojan has been very well engineered. Toni from F-Secure commented to us "these people knew exactly what they were doing". According to Toni, the following domains have been used in the MITM phase of the attack:
guns-fi-logs.ru
guns-fi-reserv.ru
WHOIS information:
domain: GUNS-FI-LOGS.RU
type: CORPORATE
nserver: ns7.zoneedit.com.
nserver: ns9.zoneedit.com.
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 933 7898898
e-mail: isupport at safe-mail.net
registrar: NAUNET-REG-RIPN
created: 2008.01.24
paid-till: 2009.01.24
source: TC-RIPN
domain: GUNS-FI-RESERV.RU
type: CORPORATE
state: REGISTERED, NOT DELEGATED
person: Private Person
phone: +7 933 7898898
e-mail: isupport at safe-mail.net
registrar: NAUNET-REG-RIPN
created: 2008.01.24
paid-till: 2009.01.24
source: TC-RIPN
Passive DNS:
2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru A 79.135.166.132
2008-02-20 13:46:38 2008-02-20 13:46:38 guns-fi-logs.ru MX 0 mail6.zoneedit.com
2008-02-20 13:46:38 2008-02-20 13:46:38 guns-fi-logs.ru MX 0 mail7.zoneedit.com
2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru NS ns7.zoneedit.com
2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru NS ns9.zoneedit.com
2008-02-20 13:40:57 2008-02-21 12:15:29 guns-fi-logs.ru SOA ns7.zoneedit.com soacontact.zoneedit.com 1201708245 14400 7200 950400 7200
WHOIS on the A-record:
inetnum: 79.135.165.0 - 79.135.166.255
netname: Sistemnet-Telecom-Blackholed-IP
descr: Sistemnet Telecom Blackholed IP
descr: Sistemnet Telecom Blackholed IP
descr: Sistemnet Telecom Blackholed IP
remarks: Sistemnet Telecom Blackholed IP
country: TR
admin-c: SSB1907-RIPE
tech-c: FED1907-RIPE
status: ASSIGNED PA
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered
person: Selcuk BAYDUT
address: Sistemnet Telecom
address: Buyukdere Rd.
address: Muselles St.
address: Santa Plaza 3th Floor Esentepe
address: Istanbul - Turkey
remarks: Do not contact me for abuse issues
phone: +90.2122666060
nic-hdl: SSB1907-RIPE
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered
person: Ferdi DAL
address: Sistemnet Telecom
address: Buyukdere Rd.
address: Muselles St.
address: Santa Plaza 3th Floor Esentepe
address: ISTANBUL - TURKEY
phone: +90.2122666060
fax-no: +90.2122666010
nic-hdl: FED1907-RIPE
source: RIPE # Filtered
abuse-mailbox: abuse at sistemnet.com.tr
mnt-by: SISTEM-NET-MNT
Passive DNS on the IP:
2008-01-22 22:09:53 2008-02-06 23:09:47 huiasdsad.hk A 79.135.166.132
2008-01-23 20:09:10 2008-01-24 07:08:53 richmediacanada.com A 79.135.166.132
2008-01-23 21:08:57 2008-01-24 07:08:51 opulentrich.com A 79.135.166.132
2008-01-23 20:09:07 2008-01-24 07:08:52 opulentwealthy.com A 79.135.166.132
2008-01-18 00:10:57 2008-02-06 23:11:16 pharmgame.ru A 79.135.166.132
2008-01-18 12:34:00 2008-02-06 17:14:10 www.pharmgame.ru A 79.135.166.132
2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru A 79.135.166.132
2008-02-08 14:13:20 2008-02-21 12:14:39 bazuka-nl-logs.ru A 79.135.166.132
Our request:
Please provide all relevant information you can find on this case and submit it either via this list or preferably directly to cert at ficora.fi; please put the tag [FICORA #123493] in the Subject: line. If you prefer, you can email via the Vetted Three of CERT-FI:
johanna.kinnari at ficora.fi
juhani.eronen at ficora.fi
kauto.huopio at ficora.fi
...and we can anonymise if needed, but we'd _really_ prefer direct information via cert at ficora.fi on this case.
If you have log data that you can't share without a court order, please indicate this too.
Needless to say, this case is under LE investigation in Finland.
Best regards,
Kauto Huopio - kauto.huopio at ficora.fi
Senior information security adviser
Finnish Communications Regulatory Authority / CERT-FI
tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nordea-spamrun-20080220-sample.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080221/dc5ba34a/attachment-0001.txt>
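As an added illustration (not part of the original post, and not CERT-FI or BFK tooling), the Python helpers below do the two analyst steps the report walks through: parse passive DNS lines in the "first_seen last_seen name type rdata" layout quoted above, pivot on the shared A-record IP to list co-hosted names and which of them were still resolving on the day of the report, and flag a meta refresh lure that redirects to an IP-literal URL. The sample records and the defanged meta tag are copied from the post; the function names, the constructed `SAMPLE_PDNS`/`SAMPLE_HTML` strings and the cut-off date are my own assumptions.

```python
"""Triage helpers for passive DNS pivots and meta-refresh lures (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the A/MX records quoted in the report for 79.135.166.132.
SAMPLE_PDNS = """
2008-01-22 22:09:53 2008-02-06 23:09:47 huiasdsad.hk A 79.135.166.132
2008-01-23 20:09:10 2008-01-24 07:08:53 richmediacanada.com A 79.135.166.132
2008-01-23 21:08:57 2008-01-24 07:08:51 opulentrich.com A 79.135.166.132
2008-01-23 20:09:07 2008-01-24 07:08:52 opulentwealthy.com A 79.135.166.132
2008-01-18 00:10:57 2008-02-06 23:11:16 pharmgame.ru A 79.135.166.132
2008-01-18 12:34:00 2008-02-06 17:14:10 www.pharmgame.ru A 79.135.166.132
2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru A 79.135.166.132
2008-02-08 14:13:20 2008-02-21 12:14:39 bazuka-nl-logs.ru A 79.135.166.132
2008-02-20 13:46:38 2008-02-20 13:46:38 guns-fi-logs.ru MX 0 mail6.zoneedit.com
"""

# Constructed sample: the defanged redirect found on the Geocities lure pages.
SAMPLE_HTML = "<meta http-equiv='refresh' content='0;URL=hxxp://88.255.94.87/alice_fi/'>"


@dataclass(frozen=True)
class PdnsRecord:
    first_seen: str  # "YYYY-MM-DD HH:MM:SS"; ISO layout sorts lexicographically
    last_seen: str
    name: str
    rtype: str
    rdata: str       # may contain spaces (SOA, MX), so it is the tail of the line


# One record per line: two timestamps, owner name, type, then the rest as rdata.
PDNS_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) (.+)$"
)


def parse_pdns(text):
    """Parse passive DNS lines; a malformed line is an error, not silently dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PDNS_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised passive DNS line: {line!r}")
        records.append(PdnsRecord(*m.groups()))
    return records


def pivot_on_rdata(records, rdata, rtype="A"):
    """Names that carried `rdata` (e.g. one IP) in an `rtype` record, sorted by name."""
    return sorted(r.name for r in records if r.rtype == rtype and r.rdata == rdata)


def shared_infrastructure(records, rtype="A"):
    """rdata -> sorted names, for rdata values shared by more than one name."""
    by_rdata = defaultdict(set)
    for r in records:
        if r.rtype == rtype:
            by_rdata[r.rdata].add(r.name)
    return {k: sorted(v) for k, v in by_rdata.items() if len(v) > 1}


def active_on(records, day, rtype="A"):
    """Names whose first_seen..last_seen window (by date) covers `day` ("YYYY-MM-DD")."""
    return sorted(
        r.name for r in records
        if r.rtype == rtype and r.first_seen[:10] <= day <= r.last_seen[:10]
    )


# Meta refresh with a delay and a URL; the URL may be defanged (hxxp) in reports.
META_REFRESH = re.compile(
    r"<meta\s+http-equiv\s*=\s*['\"]refresh['\"]\s+content\s*=\s*['\"]\s*(\d+)\s*;\s*url\s*=\s*([^'\"]+)['\"]",
    re.IGNORECASE,
)
IP_LITERAL_URL = re.compile(r"^(?:hxxps?|https?)://(\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|$)", re.IGNORECASE)


def find_redirects_to_ip(html):
    """Return (delay_seconds, url, ip) for every meta refresh whose target is a bare IP."""
    hits = []
    for m in META_REFRESH.finditer(html):
        delay, url = int(m.group(1)), m.group(2).strip()
        ip = IP_LITERAL_URL.match(url)
        if ip:
            hits.append((delay, url, ip.group(1)))
    return hits


if __name__ == "__main__":
    recs = parse_pdns(SAMPLE_PDNS)
    print("co-hosted on 79.135.166.132:", pivot_on_rdata(recs, "79.135.166.132"))
    print("still resolving on 2008-02-20:", active_on(recs, "2008-02-20"))
    print("redirects to IP literals:", find_redirects_to_ip(SAMPLE_HTML))
```

The date-window filter is what separates the older pharmacy/"rich" domains, which had stopped resolving by 2008-02-06, from the two "-logs.ru" names that were live during the Nordea run; when pivoting on a blackholed or bulletproof range, that split is usually more telling than the raw list of co-hosted names.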