[nsp-sec] [FICORA #123493] Nordea Finland webbank targeted with a major spamrun and Trojan-Spy:W32/ZBot.HS -trojan
Stephen Gill
gillsr at cymru.com
Thu Feb 21 13:05:04 EST 2008
Hi Chris,
From that prefix we've seen malicious activity at these IPs in 2008:

From malicious URLs:
88.255.94.2 | 1
88.255.94.246 | 5
88.255.94.250 | 15
88.255.94.83 | 18
88.255.94.210 | 43
88.255.94.114 | 45

From malware flows:
88.255.94.22 | 2
88.255.94.58 | 9
88.255.94.74 | 2
88.255.94.83 | 29
88.255.94.86 | 3
88.255.94.99 | 4
88.255.94.114 | 35
88.255.94.116 | 6
88.255.94.178 | 15
88.255.94.210 | 156
88.255.94.226 | 11
88.255.94.246 | 2
88.255.94.250 | 30

Passive DNS from malware activity only:
88.255.94.226 | 238594.info
88.255.94.83 | candy-country.com
88.255.94.83 | ctrlalt.info
88.255.94.114 | dns.blacksun-sl.com
88.255.94.114 | drinkvodka.ru
88.255.94.83 | guetta-club.org
88.255.94.114 | hack-off.info
88.255.94.210 | hq-pharma.org
88.255.94.116 | ihos.info
88.255.94.74 | iloveie.info
88.255.94.210 | loads.cc
88.255.94.178 | megadwarf.com
88.255.94.83 | nikitka.org
88.255.94.114 | www.blacksun-sl.com
88.255.94.114 | www.ddoservice.com
88.255.94.114 | x-poreva.com

We've seen malware reaching out to URLs behind the following IPs/hosts:
88.255.94.22 | 88.255.94.22
88.255.94.74 | iloveie.info
88.255.94.83 | 88.255.94.83
88.255.94.83 | candy-country.com
88.255.94.83 | ctrlalt.info
88.255.94.83 | guetta-club.org
88.255.94.83 | nikitka.org
88.255.94.114 | 88.255.94.114
88.255.94.114 | dns.blacksun-sl.com
88.255.94.114 | drinkvodka.ru
88.255.94.114 | hack-off.info
88.255.94.114 | www.blacksun-sl.com
88.255.94.114 | www.ddoservice.com
88.255.94.114 | x-poreva.com
88.255.94.116 | 88.255.94.116
88.255.94.116 | ihos.info
88.255.94.178 | megadwarf.com
88.255.94.210 | 88.255.94.210
88.255.94.210 | hq-pharma.org
88.255.94.210 | loads.cc
88.255.94.226 | 238594.info
88.255.94.246 | 88.255.94.246
88.255.94.250 | 88.255.94.250

Nearest IP/hostname relatives based on URLs seen via sandboxing, cross-referenced
by SHA1 with flows containing 150 or more hits:
game4all.biz | 156
208.73.212.12 | 159
204.160.122.124 | 161
toolbarbucks.biz | 162
iframetraff.biz | 172
205.128.91.124 | 173
local.sexnet.com | 173
toolbarbest.biz | 175
194.126.193.132 | 179
66.240.130.204 | 179
traffnew.biz | 182
64.111.220.170 | 189
60.169.0.185 | 192
85.255.113.242 | 204
88.255.94.22 | 210
adtctqypoa.com | 218
207.172.16.155 | 220
216.8.177.28 | 231
143.215.15.145 | 248
216.40.219.141 | 256
59.34.131.54 | 296
dload.ipbill.com | 317
205.177.122.104 | 328
iframebiz.biz | 357
traffbucks.biz | 378
www.zabosaltd.biz | 397
toolbarbiz.biz | 399
toolbarurl.biz | 420
liveupdatesnet.com | 503
194.54.90.246 | 506
pcsecuritylab.com | 592
212.1.226.50 | 651
66.45.237.222 | 1326
208.75.226.34 | 1353
216.65.1.200 | 1401
66.45.237.220 | 1405
www.if.ee | 1828
74.125.19.147 | 1865
74.125.19.103 | 2055
74.125.19.99 | 2238
74.125.19.104 | 2434
66.220.17.154 | 2800
66.94.229.254 | 3740
209.202.229.100 | 5506
74.6.146.119 | 6114
66.220.17.200 | 6117
64.34.228.126 | 12170
82.165.177.200 | 20115
72.55.140.184 | 32160

By SHA1 we've seen 634 distinct AV names for trojans heading in that
direction, so I won't list them all here, but the flavors are wide and varied.
If you have specific questions about some of the above please let us know.
Hope that helps!
Cheers,
Steve, Team Cymru.
On 2/21/08 7:04 AM, "Christoph Sprongl" <ch at it-austria.net> wrote:
> ----------- nsp-security Confidential --------
>
> Hi Kauto!
>
> I was told about the AbdAllah network at the beginning of this year.
> It is handled as the new RBN, as I have heard so far - with several
> uplinks; be careful.
> At the moment I do not have any logs or evidence.
> I will try to get some and find the right contact for you to FICORA directly.
>
> What makes me really curious is why Nordea (2-factor protection!) and why
> only one bank-specific MITM trojan.
> Since we provide service for 2 banks in Austria (2-factor protection,
> too), it's a very hot topic for me. If there is a possible way of
> getting technical trojan intelligence directly, for further protection
> or for searching our online logs, that would be great!
>
> regards,
> christoph
>
>
>> ----------- nsp-security Confidential --------
>>
>> Since yesterday morning Finnish time CERT-FI has been handling a major
>> targeted (target = Finland) spamrun and spyware attack towards Nordea
>> Bank Finland. A typical spam mail is in the attachment.
>>
>> Message type #1 claimed that a nuclear power plant was about to explode
>> in Mikkeli, central Finland. Too bad for the miscreants, there ain't a
>> nuclear plant in Mikkeli.. :) Message type #2 was from Tatjana, looking
>> for some sex company.
>>
>> Interesting about these two messages is that the language was perfect
>> Finnish. A native Finn must have been doing the translations - no
>> machine translators here.
>>
>> The spamrun used numerous Geocities accounts as the lure URLs. We've
>> delivered a sample of these URLs to Yahoo/Geocities to look after - there
>> must be a lot more than we've seen.
>>
>> The affected pages contained the following:
>>
>> <meta http-equiv='refresh'
>> content='0;URL=hxxp://88.255.94.87/alice_fi/'>
>>
>> (http -> hxxp to protect incidents :) )
>>
>> which loaded Trojan-Spy:W32/ZBot.HS onto the system.
>>
>> WHOIS information:
>>
>> inetnum: 88.255.94.0 - 88.255.94.255
>> netname: AbdAllah_Internet
>> descr: AbdAllah Internet Hizmetleri
>> descr: Etnografya Muze mevkii Kirazlik Mh. No:32 Rize
>> country: tr
>> admin-c: MAG87-RIPE
>> tech-c: MAG87-RIPE
>> status: assigned pa
>> mnt-by: as9121-mnt
>> source: RIPE # Filtered
>>
>> person: Mahmod AbdAllah el Gashmi
>> address: SISTEMNET TELEKOM BLACKLISTED PERSON
>> e-mail: admin at sistemnet.com.tr
>> phone: +902122666060
>> remarks: ------------------------------------------------------
>> remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
>> remarks: For Abuse Contact : abuse at sistemnet.com.tr
>> remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
>> remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
>> remarks: ------------------------------------------------------
>> nic-hdl: MAG87-RIPE
>> mnt-by: sistem-net-mnt
>> source: RIPE # Filtered
>>
>> BFK passive DNS data on this address:
>>
>> 2008-02-15 11:12:23 2008-02-17 09:49:58 87.94.255.88.sbl.spamhaus.org TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL59691"
>> 2008-02-15 11:32:28 2008-02-17 09:49:58 87.94.255.88.multi.uribl.com A 127.0.0.2
>>
>> The Spamhaus report is entertaining reading.
>>
>> Now things get very interesting. Nordea netbank uses two-factor
>> authentication at login (username, password and one-time PIN list) _AND_
>> a separate rotating PIN list in the transaction confirmation phase. It is
>> going to be _very_ interesting to see how the miscreants MITM'ed this.
>>
>> The MITM functionality of the trojan has been very well engineered. Toni
>> from F-Secure commented to us "these people knew exactly what they were
>> doing".
>>
>> According to Toni, the following domains have been used in the MITM phase
>> of the attack:
>>
>> guns-fi-logs.ru
>> guns-fi-reserv.ru
>>
>> WHOIS information:
>>
>> domain: GUNS-FI-LOGS.RU
>> type: CORPORATE
>> nserver: ns7.zoneedit.com.
>> nserver: ns9.zoneedit.com.
>> state: REGISTERED, DELEGATED
>> person: Private Person
>> phone: +7 933 7898898
>> e-mail: isupport at safe-mail.net
>> registrar: NAUNET-REG-RIPN
>> created: 2008.01.24
>> paid-till: 2009.01.24
>> source: TC-RIPN
>>
>> domain: GUNS-FI-RESERV.RU
>> type: CORPORATE
>> state: REGISTERED, NOT DELEGATED
>> person: Private Person
>> phone: +7 933 7898898
>> e-mail: isupport at safe-mail.net
>> registrar: NAUNET-REG-RIPN
>> created: 2008.01.24
>> paid-till: 2009.01.24
>> source: TC-RIPN
>>
>> Passive DNS:
>>
>> 2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru A 79.135.166.132
>> 2008-02-20 13:46:38 2008-02-20 13:46:38 guns-fi-logs.ru MX 0 mail6.zoneedit.com
>> 2008-02-20 13:46:38 2008-02-20 13:46:38 guns-fi-logs.ru MX 0 mail7.zoneedit.com
>> 2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru NS ns7.zoneedit.com
>> 2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru NS ns9.zoneedit.com
>> 2008-02-20 13:40:57 2008-02-21 12:15:29 guns-fi-logs.ru SOA ns7.zoneedit.com soacontact.zoneedit.com 1201708245 14400 7200 950400 7200
>>
>> WHOIS on the A-record:
>>
>> inetnum: 79.135.165.0 - 79.135.166.255
>> netname: Sistemnet-Telecom-Blackholed-IP
>> descr: Sistemnet Telecom Blackholed IP
>> descr: Sistemnet Telecom Blackholed IP
>> descr: Sistemnet Telecom Blackholed IP
>> remarks: Sistemnet Telecom Blackholed IP
>> country: TR
>> admin-c: SSB1907-RIPE
>> tech-c: FED1907-RIPE
>> status: ASSIGNED PA
>> mnt-by: SISTEM-NET-MNT
>> source: RIPE # Filtered
>>
>> person: Selcuk BAYDUT
>> address: Sistemnet Telecom
>> address: Buyukdere Rd.
>> address: Muselles St.
>> address: Santa Plaza 3th Floor Esentepe
>> address: Istanbul - Turkey
>> remarks: Do not contact me for abuse issues
>> phone: +90.2122666060
>> nic-hdl: SSB1907-RIPE
>> mnt-by: SISTEM-NET-MNT
>> source: RIPE # Filtered
>>
>> person: Ferdi DAL
>> address: Sistemnet Telecom
>> address: Buyukdere Rd.
>> address: Muselles St.
>> address: Santa Plaza 3th Floor Esentepe
>> address: ISTANBUL - TURKEY
>> phone: +90.2122666060
>> fax-no: +90.2122666010
>> nic-hdl: FED1907-RIPE
>> source: RIPE # Filtered
>> abuse-mailbox: abuse at sistemnet.com.tr
>> mnt-by: SISTEM-NET-MNT
>>
>> Passive DNS on the IP:
>>
>> 2008-01-22 22:09:53 2008-02-06 23:09:47 huiasdsad.hk A 79.135.166.132
>> 2008-01-23 20:09:10 2008-01-24 07:08:53 richmediacanada.com A 79.135.166.132
>> 2008-01-23 21:08:57 2008-01-24 07:08:51 opulentrich.com A 79.135.166.132
>> 2008-01-23 20:09:07 2008-01-24 07:08:52 opulentwealthy.com A 79.135.166.132
>> 2008-01-18 00:10:57 2008-02-06 23:11:16 pharmgame.ru A 79.135.166.132
>> 2008-01-18 12:34:00 2008-02-06 17:14:10 www.pharmgame.ru A 79.135.166.132
>> 2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru A 79.135.166.132
>> 2008-02-08 14:13:20 2008-02-21 12:14:39 bazuka-nl-logs.ru A 79.135.166.132
>>
>> Our request:
>>
>> Please provide all relevant information you can find on this case and
>> submit it either via this list or, preferably, directly to cert at ficora.fi;
>> please put the tag [FICORA #123493] in the Subject: line. If you prefer,
>> you can email via the Vetted Three of CERT-FI:
>>
>> johanna.kinnari at ficora.fi
>> juhani.eronen at ficora.fi
>> kauto.huopio at ficora.fi
>>
>> ..and we can anonymise if needed, but we'd _really_ prefer direct
>> information via cert at ficora.fi on this case.
>>
>> If you have log data that you can't share without a court order, please
>> indicate this too. Needless to say, this case is under LE investigation
>> in Finland.
>>
>> Best regards,
>>
>> Kauto Huopio - kauto.huopio at ficora.fi
>> Senior information security adviser
>> Finnish Communications Regulatory Authority / CERT-FI
>> tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
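Added example, not part of the thread and not code from Team Cymru or CERT-FI: a small Python triage helper for the lure-page pattern Kauto describes (a Geocities page whose zero-second meta refresh bounces the browser to a raw-IP URL) and for building the reversed-octet DNSBL names that appear in the passive DNS data (87.94.255.88.sbl.spamhaus.org, 87.94.255.88.multi.uribl.com). The sample page body is constructed from the meta tag quoted above; the function names and the DNSBL zone list are assumptions, and the block performs no DNS or HTTP traffic.

```python
"""Added triage helper for the lure-page pattern described in the thread:
a page whose <meta http-equiv="refresh"> bounces the browser to a raw-IP
URL, plus the DNSBL query names (Spamhaus SBL, URIBL) used to check that
IP.  Sample input is constructed; no DNS or HTTP traffic is generated."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the meta tag quoted in the CERT-FI report
# (the defanged hxxp:// restored to http:// so the URL parses).
SAMPLE_LURE_PAGE = """<html><head><title>alice</title>
<meta http-equiv='refresh' content='0;URL=http://88.255.94.87/alice_fi/'>
</head><body></body></html>"""

# Assumed zone list: the two DNSBLs the report's passive DNS shows queried.
DNSBL_ZONES = ("sbl.spamhaus.org", "multi.uribl.com")

TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def _attrs(tag: str) -> dict:
    """Parse attribute="value" / 'value' / bare pairs of one <meta> tag."""
    out = {}
    for m in ATTR_RE.finditer(tag):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def extract_meta_refresh(html: str):
    """Return (delay_seconds, target_url) for the first meta refresh, else None.
    Attribute order does not matter; content is '<delay>;URL=<target>'."""
    for tag in TAG_RE.findall(html):
        a = _attrs(tag)
        if a.get("http-equiv", "").lower() != "refresh":
            continue
        delay_part, _, target = a.get("content", "").partition(";")
        try:
            delay = int(delay_part.strip())
        except ValueError:
            delay = 0
        target = target.strip()
        if target[:4].lower() == "url=":
            target = target[4:].strip().strip("'\"")
        return delay, target
    return None


def is_raw_ip_host(url: str) -> bool:
    """True when the URL's host is a bare IP literal rather than a hostname."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet DNSBL name, e.g. 88.255.94.87 + sbl.spamhaus.org
    -> 87.94.255.88.sbl.spamhaus.org (the form seen in the passive DNS data)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything else
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(answer) -> bool:
    """A DNSBL lists an address by answering with an A record in 127.0.0.0/8
    (RFC 5782); NXDOMAIN, modelled here as None, means not listed."""
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def defang(url: str) -> str:
    """Report-safe form of a URL, as the thread does with hxxp://."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")


def triage_lure(html: str) -> dict:
    """Summarise why a lure page is suspicious and what to look up next."""
    found = extract_meta_refresh(html)
    if found is None:
        return {"redirect": False}
    delay, target = found
    host = urlsplit(target).hostname or ""
    report = {
        "redirect": True,
        "instant": delay == 0,  # 0-second refresh: the victim never sees the page
        "target": defang(target),
        "host": host,
        "raw_ip": is_raw_ip_host(target),
        "dnsbl_queries": [],
    }
    if report["raw_ip"]:
        report["dnsbl_queries"] = [dnsbl_query_name(host, z) for z in DNSBL_ZONES]
    return report


if __name__ == "__main__":
    for key, value in triage_lure(SAMPLE_LURE_PAGE).items():
        print(f"{key:14} {value}")
```

The two signals worth alerting on are the combination of a zero-second refresh and a raw-IP destination; the DNSBL names are returned rather than resolved so the helper can be run over a batch of captured lure pages offline and the lookups batched afterwards.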