
New Threat: The WIN-NPPN1JPV75J Botnet

Over the past month I have been monitoring a sophisticated botnet which I have now called the WIN-NPPN1JPV75J botnet (as I am unable to find any info about it anywhere else).

I will be dumping all my research and findings here.

How does it work?

The botnet itself appears to be mainly about spam and traffic, using hacked servers to send spoofed emails that link to a bad actor. The initial infection must have arrived as an email attachment which users unknowingly opened, thus infecting their system. Once opened, it grabs your contact list and your email address and begins sending spam to everyone in your contacts. It appears that even if you get rid of the virus and change your password, the emails still go out. This is because they are not being sent from your system; they are being sent from elsewhere, spoofing your email address to make them seem legitimate. This cannot be stopped without setting up third-party software or SPF records in your DNS.

Unfortunately I do not know much about how this attack took place to begin with, so I will dive straight into the second stage of the attack (the spoofed emails).

What do the emails look like?

The emails are mostly the same, alternating between different linked websites. The main body text reads either "New message, please read" or "Important message, please visit".

[screenshot: sample spam email, 2015-10-13]

You will notice, if you view the email header source, that every time it has a similar header:

Received: from [85.250.149.205] (port=57932 helo=WIN-NPPN1JPV75J)
by sulis.instanthosting.com.au with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)

Notice the WIN-NPPN1JPV75J? The HELO command is used by the sending SMTP client to identify itself, and this HELO name is the same for every single spam mail. That is why I have called it the WIN-NPPN1JPV75J botnet.
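The header above gives a mail administrator two handles: the connecting IP in square brackets and the helo= token. As an added example that is not part of the original post, the Python below pulls both out of a raw message, flags the HELO name quoted above, and runs a deliberately simplified SPF evaluation (only ip4: and all mechanisms; no include, a, mx or redirect) against a constructed policy for the spoofed From domain, which is what the post means by SPF records stopping the spoofing. The sample messages, the example.com/example.net domains and the SPF record are constructed; only the IP and HELO come from the header on the page.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# HELO name observed in every spam mail, as quoted in the post.
BOTNET_HELO = "WIN-NPPN1JPV75J"

# Constructed SPF policies standing in for DNS TXT lookups (assumption: in
# production you would resolve "v=spf1 ..." for the From domain over DNS).
SPF_POLICIES = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

# Constructed sample messages. The Received line of the first mirrors the header
# quoted in the post (connecting IP and HELO); everything else is made up.
SPOOFED_MAIL = """\
Received: from [85.250.149.205] (port=57932 helo=WIN-NPPN1JPV75J)
    by sulis.instanthosting.com.au with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: New message, please read

Important message, please visit http://hacked-site.invalid/act.php
"""

LEGIT_MAIL = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.example.net with esmtps
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: Minutes from Tuesday

Attached.
"""

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_received(value: str) -> dict:
    """Pull the connecting IP (in square brackets) and the helo= token out of one Received header."""
    flat = re.sub(r"\s+", " ", value)          # unfold the header first
    ip = re.search(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
    helo = re.search(r"helo=([^\s)]+)", flat)
    return {"ip": ip.group(1) if ip else None, "helo": helo.group(1) if helo else None}


def simple_spf_check(policy: str, ip: str) -> str:
    """Deliberately simplified SPF evaluation: only ip4: and all mechanisms.

    Real SPF also has a, mx, include, redirect and ptr; this is just enough to show
    why a published record lets the receiving MX reject mail from an unlisted host.
    """
    addr = ipaddress.ip_address(ip)
    for term in policy.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def triage(raw_mail: str, spf_policies: dict = SPF_POLICIES) -> dict:
    """Classify one raw message: known botnet HELO, or SPF failure for the From domain."""
    msg = message_from_string(raw_mail)
    received = msg.get_all("Received") or []
    # The topmost Received header is the one our own MX wrote, so it names the
    # host that actually connected to us; lower ones can be forged by the sender.
    hop = parse_received(received[0]) if received else {"ip": None, "helo": None}
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    policy = spf_policies.get(sender_domain)
    spf = simple_spf_check(policy, hop["ip"]) if policy and hop["ip"] else "none"
    return {
        "ip": hop["ip"],
        "helo": hop["helo"],
        "known_botnet_helo": hop["helo"] == BOTNET_HELO,
        "spf": spf,
        "suspicious": hop["helo"] == BOTNET_HELO or spf in ("fail", "softfail"),
    }


if __name__ == "__main__":
    for label, mail in (("spoofed", SPOOFED_MAIL), ("legit", LEGIT_MAIL)):
        print(label, triage(mail))
```

Matching on the HELO string alone is brittle, since the operator can change it at any time; the SPF result is the durable signal, and it only exists if the spoofed domain has published a record, which is the point the post makes.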

What the hell is going on?!

The botnet utilises the contact list it stole from your email client (most likely from the most recent CC attachments) and sends an email to everyone on that list, with a different link each time, each directing you to a hacked website.

The links are interesting: they normally consist of the hacked website itself (e.g. http://freshandcleanservicesva.com) followed by a randomly named PHP script which is just a JavaScript redirect.

From what I have analysed, the hacked websites are mostly running WordPress, a free content management system. They mostly have out-of-date plugins and themes with multiple vulnerabilities, which is why I'm guessing they were easy targets.

The randomly named PHP script contains a JavaScript redirect to some dodgy news-looking website:

So who’s the bad actor?

[image: screenshot.php]

The website they all redirect to, as of now, is dailyfinancesplanet.net, which is currently down.
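The post describes the dropped scripts as randomly named .php files whose only job is a JavaScript redirect. As an added example that is not from the post, here is a small Python scanner a site owner could run over a WordPress document root to surface such stubs. The heuristic (small file, carries a client-side redirect, contains almost no PHP) and the sample files are my own assumptions, since the post's screenshot of the script is not reproduced here; the sample file name act.php is borrowed from the post's list of infected URLs.

```python
import re
import tempfile
from pathlib import Path

# Heuristic markers for a dropped redirect stub. These patterns are an assumption
# about what such a file looks like, not taken from the post.
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=[^=]"
    r"|location\.(?:replace|assign)\s*\("
    r"|<meta[^>]+http-equiv\s*=\s*[\"']?refresh",
    re.IGNORECASE,
)
PHP_OPEN = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def looks_like_redirect_stub(text: str, max_bytes: int = 4096) -> bool:
    """True for a small .php file whose real payload is a client-side redirect.

    Genuine WordPress theme and plugin files are overwhelmingly PHP and rarely
    carry a bare JavaScript/meta redirect; a stub is mostly markup with at most
    one PHP block (often none).
    """
    if len(text.encode("utf-8", "replace")) > max_bytes:
        return False
    if not JS_REDIRECT.search(text):
        return False
    return len(PHP_OPEN.findall(text)) <= 1


def scan_docroot(root) -> list:
    """Return docroot-relative paths of .php files that match the stub heuristic."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue                          # unreadable file: skip, do not abort the scan
        if looks_like_redirect_stub(text):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


# Constructed sample docroot: one redirect stub (named after an entry in the
# post's list of infected URLs) and one ordinary theme file.
STUB = '<html><body><script>window.location="http://news-site.invalid/";</script></body></html>\n'
THEME_HEADER = (
    "<?php\n/**\n * Theme header (constructed example).\n */\n?>\n"
    "<!DOCTYPE html>\n<html <?php language_attributes(); ?>>\n"
    "<head><?php wp_head(); ?></head>\n<body <?php body_class(); ?>>\n"
)


def demo() -> list:
    """Build the sample docroot in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "act.php").write_text(STUB, encoding="utf-8")
        theme = root / "wp-content" / "themes" / "example"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(THEME_HEADER, encoding="utf-8")
        return scan_docroot(root)


if __name__ == "__main__":
    print(demo())
```

Run scan_docroot against the real document root and review the hits by hand; the heuristic is meant to shortlist files for inspection, and a hit on a file you did not put there is the cue to pull the web server's access log for the request that created it.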

Some details from the server are below:

IP Location: Russian Federation, Novosibirsk, Llc Company Interlan Communications
ASN: AS57494 ADMAN-AS Krek Ltd., Russian Federation (registered Nov 14, 2011)
Whois Server: whois.ripe.net
IP Address: 109.237.109.237
Reverse IP: 2 websites use this address.

% Abuse contact for ‘109.237.108.0 – 109.237.111.255’ is ‘

I also found this website that is hosted on the same server, but I haven’t looked into it yet: businessexpert24.net.

Vladimir E Gnat

So we got Vlad's name from the WHOIS of the dailyfinancesplanet.net domain; that's pretty bad, right? Forgot to WHOIS-guard yourself? Anyway, his name has popped up elsewhere: he has also been involved in the Smoke Loader malware, using the domain name zoneserveryu788.com.

Read more about that here: http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html

He also owns these domains:

He uses these email addresses:

He used these phone numbers:

Address details?

He is associated with hundreds of servers, some of which are:

 

Is your server infected?

Below is a very small fraction of the infected servers I have found which have been involved in spreading this email virus. Do not click on these links unless you know what you are doing!

http://proformancesportsacademy.com/else.php?6x8x
http://labdigital.cl/above.php?mh
http://discoverroundrock.com/struck.php?hhv
http://www.hytvmedia.com/brother.php?01
http://garagedoorrepairbrooklyn.com/saw.php?9w
http://dgwsoftware.com/respect.php?l
http://chateaustalbain.com/next.php?0yaik
http://KathyRogilliopianotuning.com/by.php
http://readsuccess.com/affection.php
http://mixmajorinsurance.com/master.php
http://freshandcleanservicesva.com/act.php
http://mobile-pharma.com/received.php
http://www.afriendofthearts.com/by.php
http://icongraphics.co.za/condition.php?f
http://indocanadaartscouncil.com/watched.php?i80gj
http://locksmithinnyc.com/anxious.php?uzayl
http://nwcc-mt.com/told.php?cixeh
http://lovivol.com/greatest.php?1qvt
http://msmkerala.org.in/note.php?tq1l
http://tandarts-in-arnhem.nl/give.php?subyr
http://coffeemana.com/proud.php?bkv
http://yuvamdekor.com/hold.php?yyl
http://alohaithai.com/scarcely.php?q
http://somaticyoga.com/general.php?7
http://doctorfordiabetes.com/same.php?n
http://eklepro.com/or.php?x
http://behowardofficial.com/whom.php?d
http://coloradocreditscore.com/evening.php?3m6
http://gauravmohan.com/offer.php?f
http://rtpact.org/shall.php?u01
http://bancadatialiquote.it/kitchen.php?4ika
http://azeferforje.com/times.php?nme
http://creatorsparadize.com/allow.php?1o5
http://scottavechurch.com/tell.php?zm8
http://gameonline3.com/week.php?6a4f
http://gumusdekorasyon.com/alone.php?hfjq
http://thietkewebhuyhoang.com/joy.php?wfoky
http://recoverytek.com/town.php?tgm
http://rrtc2015.com/meeting.php?uqzf
http://hottypotty.in/health.php?b6
http://athleticrevolutionroswell.com/third.php?bf
http://dessertnomad.com/pride.php?j04o4
http://radioformia.com/possible.php?hg2y
http://pomodoriitalissima.com/through.php?eq4
http://pleksikorkuluk.net/little.php?oabx
http://bookdomainer.com/that.php?w9lh
http://winrar.rs/far.php?dpojg
http://web.nil2million.com/ways.php?iyi
http://gauravmohan.com/lose.php?280
http://dessertnomad.com/speaking.php?0
http://zenciporno-izle.com/hold.php?d
http://initiativemobileinsights.com/laughed.php?izsl5
http://mindtrickattack.com/time.php?4
http://farkimizbu.com/laughed.php?umia
http://sekuritkorea.net/pretty.php?xdx1c
http://bookdomainer.com/soul.php?z
http://privatepleasuresclub.com/laid.php?mc4v
http://yanztech.com/because.php?mk
http://organised.hsw.com.au/nearly.php?p1y0
http://hotelmysliwski.eu/friends.php?9lqx
http://creatives360.com/body.php?ycn
http://transports-dupas-lebeda.eu/away.php?dup
http://buyanyconditionhome.com/met.php?n
http://l-mon.com/account.php?3
http://casinoenlignesansdepot.net/your.php?l91
http://alohaithai.com/knowing.php?lfhy2
http://valleyclinicaltrials.com/she.php?ft2i
http://spasoleilmassage.com/entered.php?y
http://jcsc123.com/safe.php?17p86
http://pmvibration.com/sad.php?2aq
http://cbpillars.com/hearing.php?q
http://recoverytek.com/into.php?n
http://muslimacrossamerica.net/deal.php?wnt
http://voodoominimarathon.net/our.php?q3
http://estanfordmagic.com/talk.php?74
http://mayordomiasanblas.es/they.php?

Conclusion

There isn't really much we can do about this, unfortunately; we can only report malicious domains and hope for the best. In the meantime I am going to be researching this a lot more, trying to discover the root of the botnet.

More to come.

Check out Wardline’s blog post about the very same issue:

http://wardinewrock.blogspot.co.uk/2015/09/email-sent-under-my-name-not-from-me.html


That one guy…

What's going on?

This post won't be too long; I just wanted to publicly shame people who attempted to do anything "phishy" to my blog. So here goes.

I receive notifications when something is going on, and I noticed I had a few of these:

[screenshot: login attempt notifications, 2015-10-13]

So why are you trying to log into my blog as “admin” 193.201.227.133? Let me dump some of your info and see if that will stop you 🙂

Looks as though this IP address is involved in a lot of shit: http://www.spamhaus.org/sbl/query/SBL256161

IP address: 193.201.227.133
IP range: 193.201.225.0 – 193.201.227.255
ISP: PE Tetyana Mysyk
Organization: PE Tetyana Mysyk
Country: Ukraine (UA)