Friday, February 29, 2008

RFIs and Phishing Tricks

Our honeypots have been hit with a rash of RFIs (remote file inclusion attempts) lately: we count over 1600 attempts from Feb 20 to Feb 29. Some of the most frequently seen payload URLs are listed below, each prefixed with its attempt count.

These are likely automated crawlers (botnet activity): we've seen attacks against honeypots that haven't been indexed by search engines in almost six months.
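A per-URL tally like the one above can be produced from ordinary web server logs by picking out requests whose query parameters carry an absolute URL, the signature of a remote file inclusion probe. The following is an added example, not the post's own code; the Apache combined-log lines, hostnames, IP addresses and script paths in it are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log lines imitating RFI probes (hosts, paths and
# addresses are made up; they are not the URLs from the post).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Feb/2008:03:14:07 +0000] "GET /index.php?page=http://example.net/shop/data/id.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.11 - - [22/Feb/2008:03:15:21 +0000] "GET /index.php?page=http://example.net/shop/data/id.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [22/Feb/2008:04:02:55 +0000] "GET /admin.php?mosConfig_absolute_path=http://example.org/pic/up_4d669.gif? HTTP/1.1" 404 211 "-" "Mozilla/4.0"
198.51.100.8 - - [22/Feb/2008:04:09:13 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.5 - - [22/Feb/2008:05:44:00 +0000] "GET /blog/?inc=https://example.com/safe.txt%3F HTTP/1.1" 200 512 "-" "Wget/1.10"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/\d\.\d"')
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def extract_remote_includes(line):
    """Return absolute URLs passed as query-parameter values in one log line.
    A parameter whose value is itself a URL is the hallmark of a remote file
    inclusion probe; ordinary parameters carry local paths, ids or keywords."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    found = []
    for _, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_RE.match(value):
            # Probes usually end the URL with '?' (or '%3F') so whatever the
            # vulnerable script appends becomes a query string; drop it.
            found.append(value.rstrip("?"))
    return found

def defang(url):
    """Make a payload URL non-clickable for reports, as the post does."""
    return url.replace(".", "[dot]")

def tally_rfi(log_text):
    """Count attempts per remote payload URL, most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        counts.update(extract_remote_includes(line))
    return [(n, defang(url)) for url, n in counts.most_common()]

if __name__ == "__main__":
    for n, url in tally_rfi(SAMPLE_LOG):
        print(f"({n}) {url}")
```

Feeding a real access log through tally_rfi gives the same "(count) defanged-URL" layout used in the list above, and the defanged hostnames are what to block at the egress proxy or hand to the hosting provider.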

Thankfully, most of these sites quickly removed the exploit code, though some are still live as of this post. A few of these RFI payloads are hosted on sites that had themselves been compromised by attackers only hours earlier.

While following up on code like this, we spoke with a system administrator who asked to remain anonymous. He kindly offered system logs from a site we had identified as compromised; the site was serving a PayPal phish (and has since been taken offline).

In the logs were several attempts to download packages from enache.3x.ro. Some investigation revealed that this site held a number of phishing and exploit packages for both Windows and Unix. The site has since been removed by the hosting provider, 3x.ro. Some of the binaries tripped the following AV signatures:
Backdoor.Linux.Phobi.A, Backdoor.Linux.Zorg.B, DOS.Linux.Blitz, Generic.Slapper.E69A1FF5, Generic.XPL.Samba.E2FFD420, Linux.RST.B, Trojan.Dos.Linux.Slice.B, Trojan.Exploit.Linux.Brk.C, Trojan.Exploit.Linux.Brk.D, Trojan.Exploit.Linux.Brk.E, Trojan.Exploit.Linux.Race.B, Trojan.Exploit.Linux.Race.C, Trojan.Flooder.Linux.Silly.B, Trojan.Flooder.Linux.Smurf.B, Trojan.Hacktool.Flood.A, Trojan.Hacktool.Linux.Bf.B, Trojan.Hacktool.Linux.Pscan.A, Trojan.Hacktool.Linux.Small.B, Trojan.Horse.(AV|BU|BY|CA|CB|CC|CE|CF|CI), Trojan.Linux.Hacktop.B, Trojan.Linux.Mircforce.B, Trojan.Linux.Rootkit.C, Trojan.Linux.Rootkit.N, Trojan.Linux.Rootkit.SA, Trojan.Rootkit.Linux.Agent.SH, Trojan.Rootkit.Linux.Agent.Y, Virtool.Linux.Shark.A, Virtool.Linux.Sshscan.A, Win32.Parite.B, Win32.Worm.Linux.Adore.A, Worm.Linux.Lion.A

In total there were over 80 packages on the site. Of those, 14 were phishing kits, each configured to mail harvested credentials to the attacker's drop address:
Arsenal Credit Union (Account Information emailed to mefy12345@gmail.com)
E-Trade (Account information emailed to giianny@yahoo.com)
Paypal (Account information emailed to proces.verbal@yahoo.com or micumicu1@gmail.com)
Banca Intesa (Account information emailed to muielagaborisilavoi@gmail.com)
Mid America Bank (Account information emailed to varu2005@gmail.com or telefon.mobil@yahoo.com)
Poste Italiane (Account information emailed to catalinum@yahoo.com)
First Interstate Bank (Account information emailed to sbrns51@gmail.com)
Gesa Credit Union (Account information emailed to mefy12345@gmail.com)
USF Federal Credit Union (Account information emailed to mist3ry@evoreal.net and k0rd1t@yahoo.com)
Wachovia (Account information emailed to telefon.mobil@yahoo.com or m3fystutzu@yahoo.com)
Capital One (Account information emailed to hai.cu.spamu@gmail.com)
ICBA (Account information emailed to mefy12345@gmail.com)
Oregon Community Credit Union (no email address assigned)
UCCU (Account information emailed to proces.verbal@yahoo.com)
While none of these kits used it, we've noticed that the ED/pharmacy spam hitting our mailboxes links to sites that use a padlock image as their favicon.ico and sport "Hacker Safe" logos, a trick said to have been coined by L. Jean Camp.

This image plays on the advice IT people have given for years: watch for the padlock icon to identify secure sites.
I think we need to modify that advice: click the padlock icon, and verify who you're doing business with.
Who knows how many users this has fooled, and how many phishing sites have followed or will follow suit.
