[nsp-sec] [FICORA #123493] Nordea Finland webbank targeted with a major spamrun and Trojan-Spy:W32/ZBot.HS trojan (AUSCERT#2008ba020)
Matthew McGlashan
matthew at auscert.org.au
Fri Feb 22 01:01:38 EST 2008
G'day Kauto,
We've had a report of this site being used as part of a mule recruitment
run:
AUSCERT#2008ba020
Type: mules
Org: not_selected
URL: http://88.255.94.87/job/
Current status: down
Reported: Mon Feb 18 14:52:27 2008
Closed at: Mon Feb 18 15:40:13 2008
Total uptime: < 1h
(ignore the references to times above - there could be many reasons as to
why our system closed the incident for us)
I've got a couple of samples of the spam mule recruitment email if you
want them. We've not taken any action against the site.
Hope this helps,
-- Matthew McGlashan --
Coordination Centre Team Leader | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct: +61 7 3365 7924
(AusCERT) | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert at auscert.org.au
> Since yesterday morning Finnish time CERT-FI has been handling a major
> targeted (target = Finland) spamrun and spyware attack towards Nordea
> Bank Finland. A typical spam mail in the attachment.
>
> Message type #1 claimed that a nuclear power plant was about to explode
> in Mikkeli, central Finland. Too bad for the miscreants, there ain't a
> nuclear plant in Mikkeli.. :) Message type #2 was from Tatjana, looking
> for some sex company.
>
> What is interesting about these two messages is that the language was
> perfect Finnish. A native Finn must have been doing the translations - no
> machine translators here.
>
> The spamrun used numerous Geocities accounts as the lure URLs. We've
> delivered a sample of these URLs to Yahoo/Geocities to look after - there
> must be a lot more than we've seen.
>
> The affected pages contained the following:
>
> <meta http-equiv='refresh' content='0;URL=hxxp://88.255.94.87/alice_fi/'>
>
> (http -> hxxp to protect incidents :) )
>
> which loaded Trojan-Spy:W32/ZBot.HS to the system.
>
> WHOIS information:
>
> inetnum: 88.255.94.0 - 88.255.94.255
> netname: AbdAllah_Internet
> descr: AbdAllah Internet Hizmetleri
> descr: Etnografya Muze mevkii Kirazlik Mh. No:32 Rize
> country: tr
> admin-c: MAG87-RIPE
> tech-c: MAG87-RIPE
> status: assigned pa
> mnt-by: as9121-mnt
> source: RIPE # Filtered
>
> person: Mahmod AbdAllah el Gashmi
> address: SISTEMNET TELEKOM BLACKLISTED PERSON
> e-mail: admin at sistemnet.com.tr
> phone: +902122666060
> remarks: ------------------------------------------------------
> remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
> remarks: For Abuse Contact : abuse at sistemnet.com.tr
> remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
> remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
> remarks: ------------------------------------------------------
> nic-hdl: MAG87-RIPE
> mnt-by: sistem-net-mnt
> source: RIPE # Filtered
>
> BFK passive DNS data on this address:
>
> 2008-02-15 11:12:23 2008-02-17 09:49:58 87.94.255.88.sbl.spamhaus.org TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL59691"
> 2008-02-15 11:32:28 2008-02-17 09:49:58 87.94.255.88.multi.uribl.com A 127.0.0.2
>
> The Spamhaus report is entertaining reading.
>
> Now things get very interesting. Nordea netbank uses two-factor
> authentication at login (username, password and one-time PIN list) _AND_
> a separate rotating PIN list in the transaction confirmation phase. It is
> going to be _very_ interesting to see how the miscreants MITM'ed this.
>
> The MITM functionality of the trojan has been very well engineered. Toni
> from F-Secure commented to us "these people knew exactly what they were
> doing".
>
> According to Toni, the following domains have been used in the MITM phase
> of the attack:
>
> guns-fi-logs.ru
> guns-fi-reserv.ru
>
> WHOIS information:
>
> domain: GUNS-FI-LOGS.RU
> type: CORPORATE
> nserver: ns7.zoneedit.com.
> nserver: ns9.zoneedit.com.
> state: REGISTERED, DELEGATED
> person: Private Person
> phone: +7 933 7898898
> e-mail: isupport at safe-mail.net
> registrar: NAUNET-REG-RIPN
> created: 2008.01.24
> paid-till: 2009.01.24
> source: TC-RIPN
>
> domain: GUNS-FI-RESERV.RU
> type: CORPORATE
> state: REGISTERED, NOT DELEGATED
> person: Private Person
> phone: +7 933 7898898
> e-mail: isupport at safe-mail.net
> registrar: NAUNET-REG-RIPN
> created: 2008.01.24
> paid-till: 2009.01.24
> source: TC-RIPN
>
> Passive DNS:
>
> 2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru A 79.135.166.132
> 2008-02-20 13:46:38 2008-02-20 13:46:38 guns-fi-logs.ru MX 0 mail6.zoneedit.com
> 2008-02-20 13:46:38 2008-02-20 13:46:38 guns-fi-logs.ru MX 0 mail7.zoneedit.com
> 2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru NS ns7.zoneedit.com
> 2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru NS ns9.zoneedit.com
> 2008-02-20 13:40:57 2008-02-21 12:15:29 guns-fi-logs.ru SOA ns7.zoneedit.com soacontact.zoneedit.com 1201708245 14400 7200 950400 7200
>
> WHOIS on the A-record:
>
> inetnum: 79.135.165.0 - 79.135.166.255
> netname: Sistemnet-Telecom-Blackholed-IP
> descr: Sistemnet Telecom Blackholed IP
> descr: Sistemnet Telecom Blackholed IP
> descr: Sistemnet Telecom Blackholed IP
> remarks: Sistemnet Telecom Blackholed IP
> country: TR
> admin-c: SSB1907-RIPE
> tech-c: FED1907-RIPE
> status: ASSIGNED PA
> mnt-by: SISTEM-NET-MNT
> source: RIPE # Filtered
>
> person: Selcuk BAYDUT
> address: Sistemnet Telecom
> address: Buyukdere Rd.
> address: Muselles St.
> address: Santa Plaza 3th Floor Esentepe
> address: Istanbul - Turkey
> remarks: Do not contact me for abuse issues
> phone: +90.2122666060
> nic-hdl: SSB1907-RIPE
> mnt-by: SISTEM-NET-MNT
> source: RIPE # Filtered
>
> person: Ferdi DAL
> address: Sistemnet Telecom
> address: Buyukdere Rd.
> address: Muselles St.
> address: Santa Plaza 3th Floor Esentepe
> address: ISTANBUL - TURKEY
> phone: +90.2122666060
> fax-no: +90.2122666010
> nic-hdl: FED1907-RIPE
> source: RIPE # Filtered
> abuse-mailbox: abuse at sistemnet.com.tr
> mnt-by: SISTEM-NET-MNT
>
> Passive DNS on the IP:
>
> 2008-01-22 22:09:53 2008-02-06 23:09:47 huiasdsad.hk A 79.135.166.132
> 2008-01-23 20:09:10 2008-01-24 07:08:53 richmediacanada.com A 79.135.166.132
> 2008-01-23 21:08:57 2008-01-24 07:08:51 opulentrich.com A 79.135.166.132
> 2008-01-23 20:09:07 2008-01-24 07:08:52 opulentwealthy.com A 79.135.166.132
> 2008-01-18 00:10:57 2008-02-06 23:11:16 pharmgame.ru A 79.135.166.132
> 2008-01-18 12:34:00 2008-02-06 17:14:10 www.pharmgame.ru A 79.135.166.132
> 2008-02-20 10:21:16 2008-02-21 12:15:29 guns-fi-logs.ru A 79.135.166.132
> 2008-02-08 14:13:20 2008-02-21 12:14:39 bazuka-nl-logs.ru A 79.135.166.132
>
> Our request:
>
> Please provide all relevant information you can find on this case and
> submit it either via this list or, preferably, directly to cert at
> ficora.fi; please put the tag [FICORA #123493] in the Subject: line. If
> you prefer, you can email via the Vetted Three of CERT-FI:
>
> johanna.kinnari at ficora.fi
> juhani.eronen at ficora.fi
> kauto.huopio at ficora.fi
>
> ..and we can anonymise if needed, but we'd _really_ prefer direct
> information via cert at ficora.fi on this case.
>
> If you have log data that you can't share without a court order, please
> indicate this too.
> Needless to say, this case is under LE investigation in Finland.
>
> Best regards,
>
> Kauto Huopio - kauto.huopio at ficora.fi
> Senior information security adviser
> Finnish Communications Regulatory Authority / CERT-FI
> tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
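Added example, not part of the original thread: a small Python check for the kind of lure page described in the report above, which contained only a zero-delay meta refresh redirecting off the hosting site to a bare IP address. It extracts meta-refresh targets from fetched HTML (accepting the hxxp:// defanging used in the report) and flags those that leave the page's own host; the sample page and the `www.geocities.com` host name are constructed for the demonstration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class MetaRefreshFinder(HTMLParser):
    """Collect target URLs of <meta http-equiv="refresh"> tags."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content has the form "<delay>;URL=<target>"
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def refang(url):
    """Turn the report's defanged hxxp:// form back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def suspicious_refreshes(html, page_host):
    """Return (url, reason) for meta-refresh targets that leave page_host."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    findings = []
    for raw in finder.targets:
        url = refang(raw)
        host = urlsplit(url).hostname or ""
        if not host or host == page_host.lower():
            continue  # relative or same-site redirect: benign for this check
        try:
            ipaddress.ip_address(host)
            reason = "redirects to bare IP address"
        except ValueError:
            reason = "redirects off-site"
        findings.append((url, reason))
    return findings


# Constructed sample mirroring the lure page quoted in the report
SAMPLE_PAGE = """<html><head><title>Free page</title>
<meta http-equiv='refresh' content='0;URL=hxxp://88.255.94.87/alice_fi/'>
</head><body></body></html>"""
```

Running `suspicious_refreshes(SAMPLE_PAGE, "www.geocities.com")` returns the single redirect with the bare-IP reason, which is the signal a hosting provider or mail filter can act on without executing anything the redirect delivers.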