Thursday, March 11, 2010

Facebook Phish and Zeus

There is an ongoing malware/phishing campaign using the Facebook brand. Here is a screenshot:

URLs take the form: http://downloads.domain.tld/id735rp/loginfacebook.php

Current domains include:
  • compoway.com
  • compoway.net
  • compoway.org
  • crymyway.net
  • crymyway.org
  • fileserversa.com
  • fileserversa.net
  • fileserversa.org
  • fileserversb.com
  • fileserversb.net
  • fileserversc.com
  • fileserversc.net
  • fileserversc.org
  • fileserversd.com
  • fileserversd.net
  • fileserversd.org
  • fileserverse.com
  • fileserverse.net
  • fileserversf.com
  • fileserversf.net
  • fileserversg.com
  • fileserversg.net
  • fileserversh.com
  • fileserversh.net
  • fileserversi.com
  • fileserversi.net
  • fileserversj.com
  • fileserversj.net
  • fileserversj.org
  • fileserversk.com
  • fileserversk.net
  • fileserversk.org
  • fileserversl.net
  • fileserversm.com
  • fileserversm.net
  • fileserversm.org
  • fileserversn.com
  • fileserversn.net
  • fileserversn.org
  • fileserverso.com
  • fileserverso.net
  • fileserverso.org
  • fileserversp.com
  • fileserversp.net
  • fileserversq.com
  • fileserversq.net
  • fileserversq.org
  • fileserversr.com
  • fileserversr.net
  • fileserversr.org
  • fileserverss.com
  • fileserverss.net
  • fileserverst.com
  • fileserverst.net
  • fileserverst.org
  • fileserversu.com
  • fileserversu.net
  • fileserversu.org

The domains were bulk registered through SpiritDomains, and the registration information is masked through PrivacyProtect.org. The domains currently resolve to 212.175.173.88 within TurkTelecom.

The login forms POST to:
hxxp://downloads.ersX.TLD/id735rp/page.php
where X corresponds to the last letter in the phishing domain and TLD corresponds to the phishing domain TLD. For example, the fileserverso.com phishing domain POSTs the Facebook credentials to the erso.com domain.

The IPs for these drop domains vary, e.g.,
downloads.erso.com => 209.50.243.18 (mauri.spb.ru)
downloads.ersq.com => 64.95.64.198 (lander.sitesense-oo.com)
downloads.ersr.com => 64.34.175.158 (64-34-175-158.linux-hosting.com)
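The phishing-domain to drop-domain rule above is mechanical, so a defender can derive the full set of hosts to block or alert on from the phishing domain list alone. The following is an added example, not code from the original post: it applies the stated rule (downloads.ersX.TLD, X being the last letter of the phishing domain) to a subset of the fileservers* domains, builds the host set, and flags matching requests in a few constructed proxy log lines. The post only demonstrates the rule for fileservers* domains, so the demo restricts itself to those; the log format (timestamp, client IP, method, URL, status) is an assumption made for the example.

```python
import re

# Subset of the phishing domains from the post (constructed sample for the demo).
PHISHING_DOMAINS = [
    "fileserverso.com",
    "fileserversq.com",
    "fileserversr.com",
    "fileserversa.org",
]

# Paths quoted in the post: the fake login page and the credential POST target.
PHISH_PATH = "/id735rp/loginfacebook.php"
DROP_PATH = "/id735rp/page.php"


def drop_domain(phishing_domain: str) -> str:
    """Apply the post's rule: downloads.ersX.TLD, where X is the last letter
    of the phishing domain's label and TLD is the phishing domain's TLD."""
    label, tld = phishing_domain.lower().rsplit(".", 1)
    return f"downloads.ers{label[-1]}.{tld}"


def campaign_hosts(phishing_domains) -> set:
    """Hosts worth blocking/alerting on: the phishing host itself and its drop host."""
    hosts = set()
    for d in phishing_domains:
        hosts.add(f"downloads.{d.lower()}")
        hosts.add(drop_domain(d))
    return hosts


URL_RE = re.compile(r"^https?://(?P<host>[^/\s:]+)(?::\d+)?(?P<path>/\S*)?", re.IGNORECASE)


def classify_url(url: str, hosts: set):
    """Return a verdict for a URL, or None if the host is not part of the campaign."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group("host").lower()
    path = m.group("path") or "/"
    if host not in hosts:
        return None
    if path.endswith(PHISH_PATH):
        return "phish-page"          # victim loaded the fake Facebook login
    if path.endswith(DROP_PATH):
        return "credential-post"     # credentials were submitted to the drop host
    return "campaign-host"           # any other contact (e.g. the photo.exe download)


# Constructed proxy log lines (not real traffic): ts client method url status
SAMPLE_LOG = [
    "2010-03-11T10:02:13 10.0.0.5 GET http://downloads.fileserverso.com/id735rp/loginfacebook.php 200",
    "2010-03-11T10:02:40 10.0.0.5 POST http://downloads.erso.com/id735rp/page.php 302",
    "2010-03-11T10:03:01 10.0.0.9 GET http://www.facebook.com/home.php 200",
]


def scan_proxy_log(lines, hosts):
    """Return (client, verdict, url) for each log line touching a campaign host."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                 # malformed line; skip rather than crash
        client, url = parts[1], parts[3]
        verdict = classify_url(url, hosts)
        if verdict is not None:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    hosts = campaign_hosts(PHISHING_DOMAINS)
    for h in sorted(hosts):
        print("block:", h)
    for client, verdict, url in scan_proxy_log(SAMPLE_LOG, hosts):
        print(f"{client}\t{verdict}\t{url}")
```

A "credential-post" hit is the one to act on first: it means a user on that client submitted the form, so the account password should be treated as compromised and the host checked for the photo.exe download that follows.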

In addition to having your Facebook credentials stolen, the victim is enticed to download photo.exe:


photo.exe is a Zeus/Zbot variant, detected by 25 of 42 anti-virus vendors.

Once installed, Zeus communicates with command-and-control servers (C&Cs) on AS 42229:
  • hxxp://91.201.196.76/daph5Nei.Keeph6ee
  • hxxp://91.201.196.75/ip.php
AS 42229 is a known Zeus network; ZeusTracker currently shows 14 C&Cs on this network.

UPDATE: I reached out to SpiritDomains' abuse department, and they were very prompt about suspending the involved domains.
