Over the past month I have been monitoring a sophisticated botnet which I have now called the WIN-NPPN1JPV75J botnet (as I am unable to find any info about it anywhere else).
I will be dumping all my research and findings here.
How does it work?
The botnet itself appears to be mainly about spam and traffic, using hacked servers to send spoofed emails that link to a bad actor. The initial hack must have been sent as an email attachment which users unknowingly opened, thus infecting their system. Once opened, it grabs your contact list and your email address and begins sending spam to everyone in your contacts. It appears that even if you get rid of the virus and change your password, the emails keep going out. This is because they are not being sent from your system: they are sent from elsewhere, with your email address spoofed to make them look legitimate. This cannot be stopped from your own machine without setting up third-party filtering software or SPF records in your domain's DNS.
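To make the SPF point concrete, here is an added example (not from the original post) of what an SPF record does when a receiving mail server evaluates it against the IP that actually delivered the message. The domain and the address ranges in the records are placeholders I made up; the sender IP is the one from the Received header quoted later in the post. The evaluator only handles the ip4/ip6 mechanisms and the trailing all term, which is enough to show why a relay that is not yours fails a strict record; include, a and mx need DNS lookups and are skipped here.

```python
import ipaddress

# Constructed example records (placeholder domain, not the victim's real record).
WEAK_SPF = "v=spf1 +all"                                       # anyone may send as the domain
STRICT_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"  # only listed hosts, hard fail otherwise

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate a subset of SPF (RFC 7208) offline.

    Supported: ip4:/ip6: mechanisms with qualifiers and the 'all' catch-all.
    DNS-dependent mechanisms (include, a, mx, ptr, exists) and modifiers
    (redirect=, exp=) are skipped, since they cannot be resolved offline.
    Returns one of: none, pass, fail, softfail, neutral.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        if "=" in term:          # modifier such as redirect=, not a mechanism
            continue
        qualifier = "+"          # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip in net:        # version mismatch simply evaluates False
                return QUALIFIERS[qualifier]
        # include/a/mx/ptr/exists: would need DNS, skipped in this offline subset
    return "neutral"             # nothing matched and no 'all' term present


if __name__ == "__main__":
    spoof_ip = "18.104.22.168"   # the relay seen in the post's Received header
    for name, record in (("weak", WEAK_SPF), ("strict", STRICT_SPF)):
        print(f"{name:6s} {record!r:50s} sender {spoof_ip} -> {evaluate_spf(record, spoof_ip)}")
```

The record is published as a TXT record on the domain itself; a strict record with `-all` lets a contact's mail server reject mail that claims to be from you but arrives from a host you never listed, which is exactly the situation the post describes. It only helps when the receiving side actually checks SPF, so it reduces how much of the spoofed mail lands rather than stopping it being sent.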
Unfortunately I do not know much about how this attack took place to start with, so I will dive straight into the second stage of the attack (spoofed emails).
What do the emails look like?
The emails are mostly the same, alternating between different linked websites. The main body text is either "New message, please read" or "Important message, please visit".
If you view the email header source you will notice that every one has a similar header:
Received: from [18.104.22.168] (port=57932 helo=WIN-NPPN1JPV75J)
by sulis.instanthosting.com.au with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)
Notice the WIN-NPPN1JPV75J? The HELO command is used by the sending SMTP client to identify itself. This HELO name is the same for every single spam mail, which is why I have called it the WIN-NPPN1JPV75J botnet.
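Since the HELO name is the one constant across the whole campaign, it is a cheap thing to search for in a mailbox or a mail gateway log. Below is an added example (my own code, not from the post) that parses a message with Python's standard email module, pulls the helo= name and the sending IP out of each Received header, and flags messages whose HELO matches the indicator. The sample message is constructed; its first Received line copies the header quoted above, the rest of the headers and the body are made up.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample message. The first Received header reproduces the one quoted
# in the post; the other headers, addresses and body text are invented.
SAMPLE_RAW = """\
Received: from [18.104.22.168] (port=57932 helo=WIN-NPPN1JPV75J)
    by sulis.instanthosting.com.au with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)
    for <victim@example.com>; Tue, 12 Apr 2016 10:00:00 +1000
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.com with esmtps
From: friend@example.net
To: victim@example.com
Subject: hello

New message, please read http://hacked-site.example/
"""

# helo=NAME appears inside the parenthesised clause of the "from" part of a Received header.
HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)
# The connecting IP, with or without the surrounding square brackets.
SENDER_IP_RE = re.compile(r"from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Indicator taken from the post: every spam mail identified itself with this HELO name.
SUSPICIOUS_HELO = {"WIN-NPPN1JPV75J"}
# Body lures quoted in the post.
LURES = ("New message, please read", "Important message, please visit")


def extract_helo_hops(msg: Message):
    """Return (helo_name, sender_ip) for every Received header that has a helo= clause.

    Received headers are folded across lines; the email parser keeps the folding
    whitespace, which the regexes tolerate because they stop at whitespace.
    """
    hops = []
    for received in msg.get_all("Received", []):
        helo = HELO_RE.search(received)
        if not helo:
            continue
        ip = SENDER_IP_RE.search(received)
        hops.append((helo.group(1), ip.group(1) if ip else None))
    return hops


def flag_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and report HELO and lure indicators."""
    msg = message_from_string(raw)
    hops = extract_helo_hops(msg)
    helo_hits = [(h, ip) for h, ip in hops if h in SUSPICIOUS_HELO]
    body = msg.get_payload() if not msg.is_multipart() else ""
    lure_hits = [lure for lure in LURES if lure in body]
    return {
        "helo_hops": hops,
        "helo_matches": helo_hits,
        "lure_matches": lure_hits,
        "suspicious": bool(helo_hits) or bool(lure_hits),
    }


if __name__ == "__main__":
    print(flag_message(SAMPLE_RAW))
```

The Received headers are read in order, so the first one is the last hop (the victim's own mail host) and the sending IP on the hop that carries the HELO is the machine to look at, not the relay that recorded it. A HELO match alone is a weak signal for anything else, but for this campaign it is the one string that never changed.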
What the hell is going on?!
The botnet utilizes the contact list which it stole from your email client (most likely the most recent CC recipients) and sends an email to everyone on that list, with a different link each time, each directing you to a hacked website.
From what I have analysed, the hacked websites are mostly using WordPress, a free content management system. They mostly have out-of-date plugins and themes, which have multiple vulnerabilities, which is why I'm guessing they were easy targets. Each hacked site simply bounces the visitor on to the bad actor's domain with a meta refresh tag:
<meta http-equiv="refresh" content="2; url=http://dailyfinancesplanet.net/?partner_id=1&lang_id=ff4f8e1&dirID=edc8&offer=56f2aa9c173&optionID=3bc7&language=7918675770e44">
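A site owner who suspects their WordPress install has been used this way can check for exactly this kind of injected tag. The following is an added example of my own (not code from the post) that parses a page with the standard library HTML parser, collects every meta refresh, and reports the ones that send visitors to a host other than the site itself. The two sample pages are constructed: the hacked one carries a shortened version of the redirect quoted above (with the ampersands HTML-escaped, as they would be in a well-formed page), and the site hostname is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages. The "hacked" one imitates the injected redirect
# quoted in the post; the host name victim-blog.example is a placeholder.
HACKED_PAGE = """<html><head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="2; url=http://dailyfinancesplanet.net/?partner_id=1&amp;lang_id=ff4f8e1">
<title>My blog</title></head><body>Loading...</body></html>"""

CLEAN_PAGE = """<html><head>
<meta http-equiv="refresh" content="5; url=/news/">
<meta http-equiv="Refresh" content="0;URL='https://victim-blog.example/home'">
</head><body>Welcome</body></html>"""


class MetaRefreshFinder(HTMLParser):
    """Collect (delay_seconds, url) from <meta http-equiv="refresh" content="N; url=..."> tags."""

    CONTENT_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)

    def __init__(self):
        super().__init__()
        self.redirects = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("http-equiv", "").lower() != "refresh":
            return
        match = self.CONTENT_RE.match(attr.get("content", ""))
        if match:
            self.redirects.append((int(match.group(1)), match.group(2)))


def find_external_redirects(html: str, site_host: str):
    """Return meta refreshes that leave site_host; relative and same-host targets are ignored."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    parser.close()
    external = []
    for delay, url in parser.redirects:
        host = urlparse(url).hostname
        if host and host.lower() != site_host.lower():
            external.append({"delay": delay, "url": url, "host": host})
    return external


if __name__ == "__main__":
    for label, page in (("hacked", HACKED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, find_external_redirects(page, "victim-blog.example"))
```

A same-host or relative refresh is normal for a landing page, which is why only off-site targets are reported. Injected redirects are often placed in theme files or plugin code rather than in post content, so the HTML that reaches the browser is the right thing to scan, not the database alone.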
So who’s the bad actor?
The website they all redirect to is dailyfinancesplanet.net, which is currently down.
Some details from the server are below:
IP Location: Russian Federation Novosibirsk Llc Company Interlan Communications
ASN: AS57494 ADMAN-AS Krek Ltd. (registered Nov 14, 2011)
Reverse IP: 2 websites use this address.
inetnum: 22.214.171.124 - 126.96.36.199
descr: Krek Ltd.
status: ASSIGNED PA
person: Vladimir E Gnat
address: Russia, Novosibirsk
address: Nemirovicha-Danchenko 165, 101
Vladimir E Gnat
So we got Vlad's name from the WHOIS of the dailyfinancesplanet.net domain; that's pretty bad, right? Forgot to WHOIS-guard yourself? Anyway, his name has popped up elsewhere: he has also been involved in the Smoke Loader malware using the domain name zoneserveryu788.com.
Read more about that here: http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html
He also owns these domains:
He uses these email addresses:
He used these phone numbers:
Nemirovicha-Danchenko 165, 101
Bluhera 71b - 80
He is associated with hundreds of servers, some of which are:
188.8.131.52 < MAIN HOST IP (adman.com)
Is your server infected?
Below is a very small fraction of infected servers I have found which have been involved in the spreading of this email virus. Do not click on these links unless you know what you are doing!
There isn't really much we can do about this unfortunately; we can only report malicious domains and hope for the best. In the meantime I am going to be researching this a lot more, trying to discover the root of the botnet.
More to come.
Check out Wardline’s blog post about the very same issue: