Thursday, November 06, 2008

Yesterday's Obama Spammer Now Imitates Colonial Bank

In yesterday's post we talked about Obama spam spreading a virus. That attack used five domain names, all registered in China through Bizcn.com, to download a program that steals your passwords and sends them to criminals.

Today there is a new spam campaign that follows exactly the same pattern: five domain names, all registered in China through Bizcn.com, used to download a program that steals your passwords and sends them to criminals.

Both groups of five domains used a nameserver located at IP address 69.162.111.11 (Dallas, Texas).

When you visited yesterday's webpage, a pop-up box asked you to download a video player. Today, when you visit one of the Colonial pages, the pop-up asks you to download a digital certificate instead.

Yesterday we received over 500 copies of the Obama spam with various subjects.

Today we've received over 300 copies of the Colonial Bank spam, with subjects including:

Colonial Bank - authorized users performing appropriate functions
Colonial Bank Warning: services specific high-risk geographical areas.
Colonial Bank - Display of Information
Colonial Bank Warning: system disables passwords that haven't been used by a customer in 90 days.
Colonial Bank Warning: subject to monitoring and validation for authenticity and appropriateness.
Colonial Bank Treasury Services
Colonial Bank Warning: terminate your Internet banking session
Colonial Bank Warning: Electronic requests received over the Internet
Colonial Bank has developed an update for log in page
Colonial Bank also provides extensive information regarding identity theft prevention
Colonial Bank would like to announce latest update
Colonial Bank Warning: access the Bank's servers.
Colonial Bank Warning: software designed to protect against inappropriate requests.
Colonial Bank security # latest patches and updates installation.
Colonial Bank recommend that you use fraud prevention procedures
Colonial Bank Update.
Colonial Bank - Network Security and Monitoring
Colonial Bank - your password will never be displayed on your computer screen
Colonial Bank Warning: retrieving web pages or sending inquiries
Colonial Bank security # Ensure that your operating system has all latest patches and updates installed.
Colonial Bank Alert: SERVER UPDATE.
Colonial Bank recommend that you use security update
Colonial Bank - data sent over the encrypted connection has been altered in transit.
Colonial Bank has developed a Fraud Prevention Checklist
Colonial Bank recommend to review your account security
Colonial Bank Security and Identity Protection Newsletter
Colonial Bank Warning: prevent access to online banking from an IP network
Colonial Bank has developed special file protection
Colonial Bank Warning: ur Internet banking system encrypts stored password files
Colonial Bank Commercial Customer Service
Colonial Bank has developed new free protection tool
Colonial Bank - all information sent between a client and a server encrypted
Colonial Bank Warning: initial registration
Colonial Bank would like to inform you security updates
Colonial Bank security # Ensure that your operating system updated.
Colonial Bank Alert - Update.
Colonial Bank has developed a new 128 bit sofware
Colonial Bank security # apply updates
Colonial Bank - providing a high degree of confidentiality.
Colonial Bank News - security development
Colonial Bank - effort to limit access to its servers
Colonial Bank Java Update Includes Security Fixes - Security Fix.
Colonial Bank Warning: using the Secure Sockets Layer (SSL) protocol.
Colonial Bank Customer Warning.
UPDATE ALERT CONFIGURATION Colonial Bank.
Colonial Bank - Secure Data Transfer
Colonial Bank would like to inform you
Colonial Bank - the user and the server are in a secure environment.
Colonial Bank would like to inform you lates development
Colonial Bank Online server update.
Colonial Bank Warning: Your Password, and certain other private information
Colonial Bank has developed new anti-Fraud feature
Colonial Bank Update Alert.
Colonial Bank Security Response Center (MSRC) : UPDATE.
Colonial Bank Warning: termination of Inactive Connections
Colonial Bank Emergency Alert System.
Colonial Bank Connection Security
Colonial Bank upgrade warning.
Colonial Bank Warning: allowing only the traffic that is necessary to send acceptable data requests
Colonial Bank Warning: if you are not actively using the system.
Colonial Bank Warning: this is accomplished by filtering Internet traffic
Colonial Bank Update - News.
Colonial Bank would like to stop fraud practice
Colonial Bank - these actions may include the implementation of restrictions
Colonial Bank - Data traveling between the user and the server is encrypted
Colonial Bank Warning: suspicious or potentially harmful activity
Colonial Bank Time Warner Security - Customer Service.
Colonial Bank Installation and Upgrade Warning.
Server Update Services Colonial Bank.
Colonial Bank has developed serious protection
Colonial Bank Urgent Customer Alert: "Joomla!" Security Update.
Colonial Bank - Other Security Measures
Colonial Bank WindowsXP/2000 customers Attention!
Colonial Bank - Security Fix.
Colonial Bank Warning: the sending software
Colonial Bank Guards and Protects Your Information
Colonial Bank would like to make you aware of online fraud
Colonial Bank - Our Internet banking system
Colonial Bank Security
Colonial Bank - an encrypted SSL connection required
Colonial Bank is committed to providing you with a convenient, safe and secure online banking
Colonial Bank Warning: we also monitor Internet traffic
Colonial Bank - takes several measures.
Visit a Colonial Bank Financial Center
Colonial Bank Services
Colonial Bank Warning: Electronic requests are filtered through a combination of computer hardware and software
Colonial Bank would like to open new security features
Colonial Bank Warning: automatically determining
Colonial Bank - an encrypted SSL connection is equipped with a mechanism for detecting tampering
Colonial Bank recommend that you use updated browser
Colonial Bank recommend that you use 128 bit file
Colonial Bank Regular Update Alert.
Colonial Bank Customer Support - Security Updates.

Here is today's webpage:



The domain names used today are:

coloneldi.com/security.php
gdieuntso.com/security.php
porentud.com/security.php
reteinr.com/security.php
rutriyn.com/security.php

Each of these domains was registered today (November 6, 2008) on Bizcn.com.

Visiting any of the Colonial pages above drops ColonialSETUP.exe.

VirusTotal (17/36):
http://www.virustotal.com/analisis/9dfd058ab879365aa719e4a0055b2b46
File size: 3369 bytes
MD5...: 60e39dd91cd4676c70d4ee844eb5a6c7

The phase-one malware connects to the following URL to download the phase-two malware:

chload.com/u1.exe

chload.com was also registered today (November 6, 2008), this time on Register.com.

The nameserver for chload.com is ns1.ldern.com.

That is also the nameserver for:

customlod.com
upgradell.com
solecokes.com
lodnew.com

all of which have also been used to download phase-two malware for the "digital certificate" spam.

The phase-two malware (u1.exe) was also analyzed by VirusTotal.

http://www.virustotal.com/analisis/a0c5718489e7022da2f5bf35ef03adc8

It showed a 21/36 detection rate:
File size: 25161 bytes
MD5...: 6a1e70482b86500229ebdc99b13792ba

u1.exe installs itself as "comctl32.dll" (the name of a legitimate Windows common-controls library, so the file name alone is not a useful indicator; use the MD5 above) and includes rootkit and keylogging technology. I have not had a chance yet to see where the keylogged data is sent.
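To turn the indicators above into something a network defender can actually run, here is an added example (it is not part of the original post and not the author's own tooling) that scans proxy log lines for the infection chain described here: a client contacting one of the five lure domains and then fetching u1.exe from chload.com, with the domains that share ns1.ldern.com flagged as related. The domains, URL, MD5s and file sizes are the ones reported above; the log format, the log lines and the client IPs are constructed for the example.

```python
"""Scan proxy logs for the Colonial Bank malspam infection chain.

Indicators (lure domains, the stage-two download URL, related hosts on
ns1.ldern.com, and the VirusTotal MD5s and sizes) are those reported in
the post. The log format and the log lines themselves are CONSTRUCTED
sample data for this example, not real traffic.
"""
import hashlib
import re
from collections import defaultdict

# Stage one: the five lure domains registered 2008-11-06 on Bizcn.com.
# Any contact with them is suspicious, so the whole domain is flagged,
# not just /security.php (the page also drops ColonialSETUP.exe).
STAGE1_DOMAINS = {"coloneldi.com", "gdieuntso.com", "porentud.com",
                  "reteinr.com", "rutriyn.com"}

# Stage two: the URL the dropper fetches the second-stage binary from.
STAGE2_HOST = "chload.com"
STAGE2_PATH = "/u1.exe"

# Other domains on the same nameserver (ns1.ldern.com) used for the
# "digital certificate" spam; worth flagging even without a stage one.
RELATED_HOSTS = {"customlod.com", "upgradell.com", "solecokes.com", "lodnew.com"}

# (md5, size in bytes) -> sample name, from the VirusTotal reports above.
KNOWN_SAMPLES = {
    ("60e39dd91cd4676c70d4ee844eb5a6c7", 3369): "ColonialSETUP.exe",
    ("6a1e70482b86500229ebdc99b13792ba", 25161): "u1.exe",
}

# Constructed log format: "<unix ts> <client ip> <method> <url> <status> <bytes>"
LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
                    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?", re.I)

# Constructed sample traffic: one full infection, one lure-only visit,
# one contact with a related host (u2.exe is a made-up path).
SAMPLE_LOG = """\
1225980001 10.1.2.3 GET http://www.example.com/index.html 200 5120
1225980015 10.1.2.3 GET http://coloneldi.com/security.php 200 2210
1225980017 10.1.2.3 GET http://coloneldi.com/ColonialSETUP.exe 200 3369
1225980040 10.1.2.3 GET http://chload.com/u1.exe 200 25161
1225980100 10.1.2.9 GET http://rutriyn.com/security.php 200 2210
1225980200 10.1.2.9 GET http://www.example.org/ 200 800
1225980300 10.1.2.7 GET http://lodnew.com/u2.exe 404 0
"""


def classify_url(url):
    """Return 'stage1', 'stage2', 'related' or None for a requested URL."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group("host").lower()
    path = m.group("path") or "/"
    if host in STAGE1_DOMAINS:
        return "stage1"
    if host == STAGE2_HOST and path == STAGE2_PATH:
        return "stage2"
    if host == STAGE2_HOST or host in RELATED_HOSTS:
        return "related"
    return None


def analyze(log_text):
    """Group indicator hits per client and flag the full stage1 -> stage2 chain.

    Returns {client: {"hits": [(ts, label, url), ...], "chain": bool}}.
    Clients with no indicator hits are omitted.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # constructed format only; skip anything else
        label = classify_url(m.group("url"))
        if label:
            per_client[m.group("client")].append(
                (int(m.group("ts")), label, m.group("url")))
    report = {}
    for client, hits in per_client.items():
        hits.sort()  # chronological, so the chain check below is ordered
        first_lure = next((ts for ts, lab, _ in hits if lab == "stage1"), None)
        chain = first_lure is not None and any(
            lab == "stage2" and ts >= first_lure for ts, lab, _ in hits)
        report[client] = {"hits": hits, "chain": chain}
    return report


def identify_sample(data):
    """Match a file's MD5 and size against the two reported samples."""
    return KNOWN_SAMPLES.get((hashlib.md5(data).hexdigest(), len(data)))


if __name__ == "__main__":
    for client, info in sorted(analyze(SAMPLE_LOG).items()):
        status = "FULL CHAIN" if info["chain"] else "partial"
        print(f"{client}: {status}")
        for ts, label, url in info["hits"]:
            print(f"  {ts} {label:7} {url}")
```

A client that only reached a lure domain (10.1.2.9 in the constructed data) is reported as a partial hit rather than ignored: it may have declined the "certificate" download, or the dropper may have fetched stage two over a path this proxy did not see, so it still deserves a look. Matching on the MD5 and size pair, rather than the file name, is what makes `identify_sample` useful once the binary has renamed itself to comctl32.dll.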

A request to terminate chload.com and ldern.com has been sent to
register.com.

A request to terminate the following domains has been sent to bizcn.com.

coloneldi.com
gdieuntso.com
porentud.com
reteinr.com
rutriyn.com
