[nsp-sec] [FICORA #123493] Nordea Finland webbank targeted with a major spamrun and Trojan-Spy:W32/ZBot.HS trojan

Christoph Sprongl ch at it-austria.net
Thu Feb 21 09:04:22 EST 2008


Hi Kauto!

I was told about the AbdAllah network at the beginning of this year.
It is regarded as the new RBN, as far as I have heard so far, with several
uplinks; be careful.
At the moment I do not have any logs or evidence.
I will try to get some and find the right contact for you to reach FICORA directly.

What makes me really curious is why Nordea (2-factor protection!) and why
a MITM trojan specific to only one bank.
Since we provide services for two banks in Austria (also with 2-factor
protection), it's a very hot topic for me. If there were a way of getting
technical intelligence about the trojan directly, for further protection
or to search our online logs, that would be great!

regards,
christoph


> ----------- nsp-security Confidential --------
>
> Since yesterday morning Finnish time CERT-FI has been handling a major
> targeted (target = Finland) spamrun and spyware attack towards Nordea
> Bank Finland. A typical spam mail is in the attachment.
>
> Message type #1 claimed that a nuclear power plant was about to explode
> in Mikkeli, central Finland. Too bad for the miscreants, there ain't a
> nuclear plant in Mikkeli.. :) Message type #2 was from Tatjana, looking
> for some sex company.
>
> What is interesting about these two messages is that the language was
> perfect Finnish. A native Finn must have been doing the translations - no
> machine translators here.
>
> The spamrun used numerous Geocities accounts as the lure URLs. We've
> delivered a sample of these URLs to Yahoo/Geocities to look after - there
> must be a lot more than we've seen.
>
> The affected pages contained the following:
>
> <meta http-equiv='refresh'
> content='0;URL=hxxp://88.255.94.87/alice_fi/'>
>
> (http -> hxxp to protect incidents :) )
>
> which loaded Trojan-Spy:W32/ZBot.HS to the system.
>
> WHOIS information:
>
> inetnum:        88.255.94.0 - 88.255.94.255
> netname:        AbdAllah_Internet
> descr:          AbdAllah Internet Hizmetleri
> descr:          Etnografya Muze mevkii Kirazlik Mh. No:32 Rize
> country:        tr
> admin-c:        MAG87-RIPE
> tech-c:         MAG87-RIPE
> status:         assigned pa
> mnt-by:         as9121-mnt
> source:         RIPE # Filtered
>
> person:         Mahmod AbdAllah el Gashmi
> address:        SISTEMNET TELEKOM BLACKLISTED PERSON
> e-mail:         admin at sistemnet.com.tr
> phone:          +902122666060
> remarks:        ------------------------------------------------------
> remarks:        SISTEMNET TELEKOM BLACKLISTED PERSON
> remarks:        For Abuse Contact : abuse at sistemnet.com.tr
> remarks:        SISTEMNET TELEKOM BLACKLISTED PERSON
> remarks:        SISTEMNET TELEKOM BLACKLISTED PERSON
> remarks:        ------------------------------------------------------
> nic-hdl:        MAG87-RIPE
> mnt-by:         sistem-net-mnt
> source:         RIPE # Filtered
>
> BFK passive DNS data on this address:
>
> 2008-02-15 11:12:23  2008-02-17 09:49:58  87.94.255.88.sbl.spamhaus.org  TXT  "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL59691"
> 2008-02-15 11:32:28  2008-02-17 09:49:58  87.94.255.88.multi.uribl.com   A    127.0.0.2
>
> The Spamhaus report is entertaining reading.
>
> Now things get very interesting. Nordea netbank uses two-factor
> authentication at login (username, password and one-time PIN list) _AND_
> a separate rotating PIN list in the transaction confirmation phase. It is
> going to be _very_ interesting to see how the miscreants MITM'ed this.
>
> The MITM functionality of the trojan has been very well engineered. Toni
> from F-Secure commented to us "these people knew exactly what they were
> doing".
>
> According to Toni, the following domains have been used in the MITM phase
> of the attack:
>
> guns-fi-logs.ru
> guns-fi-reserv.ru
>
> WHOIS information:
>
> domain:     GUNS-FI-LOGS.RU
> type:       CORPORATE
> nserver:    ns7.zoneedit.com.
> nserver:    ns9.zoneedit.com.
> state:      REGISTERED, DELEGATED
> person:     Private Person
> phone:      +7 933 7898898
> e-mail:     isupport at safe-mail.net
> registrar:  NAUNET-REG-RIPN
> created:    2008.01.24
> paid-till:  2009.01.24
> source:     TC-RIPN
>
> domain:     GUNS-FI-RESERV.RU
> type:       CORPORATE
> state:      REGISTERED, NOT DELEGATED
> person:     Private Person
> phone:      +7 933 7898898
> e-mail:     isupport at safe-mail.net
> registrar:  NAUNET-REG-RIPN
> created:    2008.01.24
> paid-till:  2009.01.24
> source:     TC-RIPN
>
> Passive DNS:
>
> 2008-02-20 10:21:16  2008-02-21 12:15:29  guns-fi-logs.ru  A    79.135.166.132
> 2008-02-20 13:46:38  2008-02-20 13:46:38  guns-fi-logs.ru  MX   0 mail6.zoneedit.com
> 2008-02-20 13:46:38  2008-02-20 13:46:38  guns-fi-logs.ru  MX   0 mail7.zoneedit.com
> 2008-02-20 10:21:16  2008-02-21 12:15:29  guns-fi-logs.ru  NS   ns7.zoneedit.com
> 2008-02-20 10:21:16  2008-02-21 12:15:29  guns-fi-logs.ru  NS   ns9.zoneedit.com
> 2008-02-20 13:40:57  2008-02-21 12:15:29  guns-fi-logs.ru  SOA  ns7.zoneedit.com soacontact.zoneedit.com 1201708245 14400 7200 950400 7200
>
> WHOIS on the A-record:
>
> inetnum:        79.135.165.0 - 79.135.166.255
> netname:        Sistemnet-Telecom-Blackholed-IP
> descr:          Sistemnet Telecom Blackholed IP
> descr:          Sistemnet Telecom Blackholed IP
> descr:          Sistemnet Telecom Blackholed IP
> remarks:        Sistemnet Telecom Blackholed IP
> country:        TR
> admin-c:        SSB1907-RIPE
> tech-c:         FED1907-RIPE
> status:         ASSIGNED PA
> mnt-by:         SISTEM-NET-MNT
> source:         RIPE # Filtered
>
> person:         Selcuk BAYDUT
> address:        Sistemnet Telecom
> address:        Buyukdere Rd.
> address:        Muselles St.
> address:        Santa Plaza 3th Floor Esentepe
> address:        Istanbul - Turkey
> remarks:        Do not contact me for abuse issues
> phone:          +90.2122666060
> nic-hdl:        SSB1907-RIPE
> mnt-by:         SISTEM-NET-MNT
> source:         RIPE # Filtered
>
> person:         Ferdi DAL
> address:        Sistemnet Telecom
> address:        Buyukdere Rd.
> address:        Muselles St.
> address:        Santa Plaza 3th Floor Esentepe
> address:        ISTANBUL - TURKEY
> phone:          +90.2122666060
> fax-no:         +90.2122666010
> nic-hdl:        FED1907-RIPE
> source:         RIPE # Filtered
> abuse-mailbox:  abuse at sistemnet.com.tr
> mnt-by:         SISTEM-NET-MNT
>
> Passive DNS on the IP:
>
> 2008-01-22 22:09:53  2008-02-06 23:09:47  huiasdsad.hk         A  79.135.166.132
> 2008-01-23 20:09:10  2008-01-24 07:08:53  richmediacanada.com  A  79.135.166.132
> 2008-01-23 21:08:57  2008-01-24 07:08:51  opulentrich.com      A  79.135.166.132
> 2008-01-23 20:09:07  2008-01-24 07:08:52  opulentwealthy.com   A  79.135.166.132
> 2008-01-18 00:10:57  2008-02-06 23:11:16  pharmgame.ru         A  79.135.166.132
> 2008-01-18 12:34:00  2008-02-06 17:14:10  www.pharmgame.ru     A  79.135.166.132
> 2008-02-20 10:21:16  2008-02-21 12:15:29  guns-fi-logs.ru      A  79.135.166.132
> 2008-02-08 14:13:20  2008-02-21 12:14:39  bazuka-nl-logs.ru    A  79.135.166.132
>
> Our request:
>
> Please provide all relevant information you can find on this case and
> submit it either via this list or, preferably, directly to cert at ficora.fi;
> please put the tag [FICORA #123493] in the Subject: line. If you prefer,
> you can email via the Vetted Three of CERT-FI:
>
> johanna.kinnari at ficora.fi
> juhani.eronen at ficora.fi
> kauto.huopio at ficora.fi
>
> ..and we can anonymise if needed, but we'd _really_ prefer direct
> information via cert at ficora.fi on this case.
>
> If you have log data that you can't share without a court order, please
> indicate this too.
> Needless to say, this case is under LE investigation in Finland.
>
> Best regards,
>
> Kauto Huopio - kauto.huopio at ficora.fi
> Senior information security adviser
> Finnish Communications Regulatory Authority  / CERT-FI
> tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
>
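An added example, not part of either message, written from the defender's side of the case above: a Python check for the lure-page pattern Kauto quotes, a zero-delay `<meta http-equiv='refresh'>` that bounces the visitor to a bare-IP host, which defangs any hit with the same hxxp convention. The sample HTML is constructed here around the tag quoted above; nothing is fetched.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample page: a lure like those in the report, bouncing the visitor
# straight to a loader hosted on a bare IP address (the address quoted above).
SAMPLE_LURE_PAGE = """<html><head>
<meta http-equiv='refresh'
content='0;URL=http://88.255.94.87/alice_fi/'>
</head><body>Loading...</body></html>"""

# <meta http-equiv=refresh ...> in any quoting, case or attribute order, even
# when the tag is broken across lines as in the quoted sample.
META_REFRESH_RE = re.compile(
    r"<meta\b[^>]*?http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*>",
    re.IGNORECASE | re.DOTALL)
CONTENT_RE = re.compile(r"content\s*=\s*(['\"])(.*?)\1", re.IGNORECASE | re.DOTALL)
# The content value: optional delay, ';', then url=... with optional quotes.
REFRESH_VALUE_RE = re.compile(r"\s*(\d*)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)",
                              re.IGNORECASE)

def parse_refresh(content):
    """Split a refresh 'content' value into (delay_seconds, url); browsers
    tolerate '0;URL=x', '0; url = x' and quotes around the URL."""
    m = REFRESH_VALUE_RE.match(content)
    return (int(m.group(1) or 0), m.group(2)) if m else (None, None)

def is_bare_ip_host(url):
    """True when the URL's host is a literal IPv4/IPv6 address, not a name."""
    try:
        ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def defang(url):
    """Make the URL non-clickable for sharing (the hxxp convention above)."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)

def find_suspicious_redirects(html):
    """Return defanged targets of zero-delay refreshes to bare-IP hosts."""
    hits = []
    for tag in META_REFRESH_RE.finditer(html):
        cm = CONTENT_RE.search(tag.group(0))
        if cm:
            seconds, url = parse_refresh(cm.group(2))
            if url and seconds == 0 and is_bare_ip_host(url):
                hits.append(defang(url))
    return hits
```

Run over the HTML of a suspected lure page, the function returns the defanged loader URL for an immediate bare-IP redirect and nothing for a delayed refresh or a hostname target.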




