Spam offering Russian Girls A Plenty!

20 01 2011

Our readers are reporting that cyber criminals are sending spam with malicious links. The criminals are trying to entice users with Russian girls and sex.

“Beware these sites are crawling with Malware!”

—————-——-<Spam Sample>—————–
From: Fance@Franceroo.ru

<Malware Spam>
To: All MS

Hi dear! I am for a decent man.

As for me, I am a young Russian girl
Do you like Russian women?

They are not just beautiful and smart, but very tolerant too.
Russian women value family and try to be with their husbands as much as possible.

It’s time to get to know each other!
See you on marriage agency. Cheerio!

Please, visit this site!

<Malware Link>
URL=http://1.beersexchix.ru/

—————–<>>———————–

Malware Files Created:

  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\jquery.pack[1].js
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\girls_photos[1].jpg
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\style[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\footer_girls[1].jpg
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\ie_style[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\x1[1].png
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\1.beersexchix[1].htm

<DNS Traffic>

  • 1.beersexchix.ru (IP: 178.208.81.55)
  • imgs.blyadgirl.ru (IP: 72.9.107.43)
  • img.sexforfun.ru (IP: 72.9.107.43)

Malware Site: hxxp://datingwithlove.ru

  • IP: 194.85.105.17
  • IP: 91.216.141.173
  • IP: 178.208.76.153

Hostmaster.rumacsun.ru points to 72.9.107.43.

Blacklisted – URIBL.com

Malware Found:

* Trojan+FakeVimes
* Trojan.JS
* FakeUpdates
* Fake Antivirus /”free-spy-software.net”
* Trojan-Downloader.Win32.Genome
* TDSS/Rootkit
* Trojan Zeus/ZBOT

Malware DNS Queries:

  • datingwithlove.ru (IP: 178.208.76.153)
  • imgs.blyadgirl.ru (IP: 72.9.107.43)
  • img.blyadgirl.ru (IP: 178.208.76.153)

More Malware Sites:


Good Luck!





Casino Spam is a Phish

19 01 2011

Our readers sent us a copy of the new Casino Spam that points to Russia.

The Spam includes Phishing and Malware Sites.

<Sample>

From: “555” <vidagbjbnkvpp@andrewsmemorial-umc.org>
To: Joe6@123x.com

Your 555USD bonus has just arrived, Claim it in here -
hxxp://stars-play-777.ru
———————————<>—————

Malware Site:

  • hxxp://stars-play-777.ru
  • Points to: 175.121.56.57

Malware Files Created:

  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\royalpalaceca_03[1].jpg
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\royalpalaceca_06[1].jpg

Nameservers are via castime.ru:

  • ns1.castime.ru
  • ns2.castime.ru
  • ns3.castime.ru
  • ns4.castime.ru

IP 175.121.56.57 – Address Points to Multiple Domain Names:


Reference: Robtex.com and MyWOT





Funky Fire Site Spewing Trojan Attacks

17 01 2011

One of our readers informs us that a site called Fireboys.com is spewing some banking Trojan attacks.

The malware site fireboys.com has one IP address (66.96.130.133), but the reverse lookup is 133.130.96.66.static.eigbox.net. Berner.org and fabcor.com point to the same IP and also share name servers. Bizfit.net, atmainteractive.com, vitalwellnessinc.com, mybimmer.com, reincarnationforte.net and at least 200 other hosts point to the same IP.

Malware Site:
hxxp://fireboys.com
IP: 66.96.130.133

Malware Found:

  • Trojan Zeus/Zbot
  • Backdoor attacks.
  • Command and Control

Suspicious Files:

  • C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer
  • C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009070220090703\index.dat
  • c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\disclaimer-reg_09[1].gif
  • c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\fireboys[1].htm

Host names sharing the IP via A records (219): go to Robtex to see the entire list.





DHL and UPS Spam Includes Trojan SPYEYE

13 01 2011

We are getting reports of some of our readers getting spam that includes the Trojan SPYEYE and a bot attack. The payload will attempt to connect to malicious sites to download updated Trojan and backdoor files.

The Spam includes zip files that may include subjects for DHL and UPS Deliveries.

Also, our friends at McAfee are detecting the malware as Generic.bfr!a!BC834E044192.

Good Luck!

<Payload>

  • DHL-01122011-TRACKING.exe
  • UNITED_PARCEL_SERVICE-TRK-CP01132011.zip

The Following files have been added to the system:

  • %TEMP%\512011.dmp
  • %APPDATA%\Xibox\ikgyq.uho
  • %APPDATA%\Xibox\ikgyq.tmp
  • %TEMP%\510034.dmp
  • %TEMP%\tmpebbcaf51.bat
  • %APPDATA%\Afufd\xaymk.exe

The applications attempted the following malware connection(s):

  • 91.200.188.191
  • blogspotstone.com
  • hxxp://www.blogspotstone.com/*****
  • fingertoblog.com




zBOT points to Russia

11 01 2011

One of our poor readers' Windows 7.0 machine is dialing back to a site in the Russian Federation!

The process logs show IP 194.63.144.81. We have flagged the site as a Trojan Zbot/ZeuS attack.

The poor reader ran his favorite AV program but it is not detecting anything.

Here is the Solution: Kill the Machine and Re-image!

Malware Site: 194.63.144.81

———————-< Snip>——————

Trace IP  194.63.144.81
15   190 ms   190 ms   190 ms  tele-1-gw.sth.runnet.ru [194.85.40.242]
16   190 ms   190 ms   190 ms  tele-1-gw.sth.runnet.ru [194.85.40.174]
17   190 ms   190 ms   190 ms  b57-1-gw.spb.runnet.ru [194.85.40.129]
18   190 ms   190 ms   190 ms  m9-1-gw.msk.runnet.ru [194.85.40.133]
19   190 ms   190 ms   190 ms  m9-2-gw.msk.runnet.ru [194.85.40.214]
20   213 ms   211 ms   212 ms  vline.msk.runnet.ru [194.190.254.218]
21   211 ms   212 ms   218 ms  109.196.132.14
22   271 ms   279 ms   265 ms  194.63.144.81

Host Info:

  • inetnum:    194.63.144.0 – 194.63.147.255
  • netname:    PROMIRANET
  • descr:    LLC Promiranetru
  • country:    RU (Russian Federation)

This IP is Blacklisted

Google shows us the Malware Host “tele-1-gw.sth.runnet.ru” with a few suspicious sites!

1. http://www.Pereplet.ru
2. hxxp://orwell.ru/a_life/lords100/russian/r_lbk
3. http://eyecenter.com.ua/doctor/virus/59.htm (search snippet: “9 tele-1-gw.sth.runnet.ru (194.85.40.174), 162.326 ms”)
4. http://www.Macvspc.ru (hxxp://www.macvspc.ru/macintosh-virus-free.html, via bizinformatsiya.ru)
5. http://www.Softogen.ru (search snippet: “Kaspersky Virus Removal Tool 900722 10122010 Portable Rus”, via bizinformatsiya.ru)
6. http://www.Gfxstuff.ws (listed alongside rmoms.net, stop-virus-070.com and granfondo.com.au)

Good Luck!





2010 in review

11 01 2011

Thanks to all of our Malware Survival Readers and Fans! We will keep on crunching more useful malware articles and new tools for 2011!

The stats helper monkeys at WordPress.com mulled over how this blog did in 2010, and here’s a high level summary of its overall blog health:

Healthy blog!

The Blog-Health-o-Meter™ reads Wow.

Crunchy numbers


About 3 million people visit the Taj Mahal every year. This blog was viewed about 36,000 times in 2010. If it were the Taj Mahal, it would take about 4 days for that many people to see it.

In 2010, there were 301 new posts, growing the total archive of this blog to 334 posts. There were 395 pictures uploaded, taking up a total of 20 MB. That’s about a malware picture per day.

Please continue to send us the malware URLs and spam! Our team loves this kind of stuff!

Where did they come from?

The top referring sites in 2010 were Google.com, en.wordpress.com, Dogpile.com and Bing.com.

Some visitors came searching, mostly for akva progressive llc, ups postbox-manager, raceobject.ru, z0g7ya1i0.com, and pink slip bot.

Attractions in 2010

These are the posts and pages that got the most views in 2010.

  1. Malicious Spam Spoofing Amazon!
  2. Fake Anti-Virus and the TDSS Root-kit
  3. Spam with the UPS Invoice Malware
  4. Updated Pink-Slip Bot Attack






Funky Facebook Polling Site

11 01 2011

Some of our readers have informed us about qwanz.com, a funky Facebook polling site that is redirecting unsuspecting users to malware sites.

Malware Site:

<hxxp://www.qwanz.com>

Suspicious Activity and Ethical issues on this Site:
* Web Tracking
* Redirects
* Cookie Tracking

Suspicious Files Created:

  • File Name: [ C:\Documents and Settings\Administrator\Cookies\administrator@www.qwanz[1].txt ]
  • File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\packed_jq_main[1].js ]
  • File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\jqtransform[1].css ]
  • File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\style[1].css ]

DNS Queries:

  • Name: [ http://www.qwanz.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ 184.106.28.125 ], Successful: [ YES ], Protocol: [ udp ]
  • Name: [ wpad ], Query Type: [ DNS_TYPE_A ], Query Result: [  ], Successful: [ NO ], Protocol: [  ]
  • Name: [ static.qwanz.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ 184.106.28.122 ], Successful: [ YES ], Protocol: [ udp ]
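As an added example (not the blog's own code), a small Python checker that parses DNS query records in the bracketed “Name: [ … ], Query Result: [ … ]” format shown above and flags lookups that match the domains and IPs listed in this post and in the Russian Girls post. The log text is constructed (three records copied from above plus one made-up update.example.net record), and the two indicator sets are assumptions drawn from the page, not an official feed.

```python
import re

# Constructed log: the first three records copy the DNS Queries above, the
# fourth (update.example.net resolving to 72.9.107.43) is made up for the test.
SAMPLE_LOG = """\
Name: [ http://www.qwanz.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ 184.106.28.125 ], Successful: [ YES ], Protocol: [ udp ]
Name: [ wpad ], Query Type: [ DNS_TYPE_A ], Query Result: [  ], Successful: [ NO ], Protocol: [  ]
Name: [ static.qwanz.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ 184.106.28.122 ], Successful: [ YES ], Protocol: [ udp ]
Name: [ update.example.net ], Query Type: [ DNS_TYPE_A ], Query Result: [ 72.9.107.43 ], Successful: [ YES ], Protocol: [ udp ]
"""

# Indicators drawn from the posts on this page (assumed blocklist, not an
# official feed). Domains match the apex or any subdomain; IPs match exactly.
BAD_DOMAINS = {"qwanz.com", "1.beersexchix.ru", "blyadgirl.ru", "datingwithlove.ru"}
BAD_IPS = {"184.106.28.125", "178.208.81.55", "72.9.107.43", "178.208.76.153"}

FIELD_RE = re.compile(r"([A-Za-z ]+?):\s*\[\s*(.*?)\s*\]")


def parse_record(line):
    """Turn one 'Key: [ value ], ...' line into a dict; empty brackets give ''."""
    return {k.strip(): v for k, v in FIELD_RE.findall(line)}


def normalize_name(name):
    """Drop scheme, path and trailing dot: 'http://www.qwanz.com' -> 'www.qwanz.com'."""
    name = re.sub(r"^[a-z]+://", "", name.strip().lower())
    return name.split("/")[0].rstrip(".")


def domain_hit(name):
    """Return the listed domain covering this name (itself or a parent), else None."""
    labels = name.split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS:
            return candidate
    return None


def scan(log_text):
    """Return (queried name, reason) for every record that matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec.get("Name"):
            continue
        name = normalize_name(rec["Name"])
        hit = domain_hit(name)
        if hit:
            findings.append((name, "domain:" + hit))
        # A failed lookup (the 'wpad' probe) has no answer to compare against.
        elif rec.get("Successful") == "YES" and rec.get("Query Result") in BAD_IPS:
            findings.append((name, "ip:" + rec["Query Result"]))
    return findings
```

The www.qwanz.com record is reported once, on the domain match, even though its answer is also a listed IP; the failed wpad probe is skipped rather than mis-flagged on an empty result.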

Site Analyzed: mv.bidsystem.com (204.137.28.195)

* “This site is notoriously malicious”
* Found Zbot, Trojan Downloaders, Backdoor Agents and Web Hijack scripts.
* Runs JavaScript code
* Visits web sites on your PC without you knowing
* It Uses hidden browser windows to connect to web sites without telling you

Malware Found:

* Trojan-Downloader.Tibs.CNA
* Email-Worm.Zhelatin
* Backdoor.Stupa Trojans
* TROJAN Banker PWS/Infostealer
* Trojan Zeus/Botnet
* Keyloggers

Malware Host Names Sharing IP:

* atl.xmlsearch.miva.com
* bs.miva.com
* kc.mv.bidsystem.com
* kc.xmlsearch.miva.com




