Botnet, DDoS, Security, Uncategorised

Mirai IoT botnet up close

Since the Mirai source code was released, and the recent DDoS attacks on Dyn, the telnet space has exploded with scanners and DDoS bots.

This is what a telnet session from an infected Mirai host looks like:

Notice how it grabs the malware from this URL: hxxp://137.74.49.209:80/bins/mirai.x86

Here is the information on the binary caught:

SHA256: e8289b100ebbac7243895bdbe3cc57cd36e1c5e2ac055d275a5a082f4aca4e79
File name: mirai.x86_578f88f69e5b53cb726d17d530284551

https://virustotal.com/en/file/e8289b100ebbac7243895bdbe3cc57cd36e1c5e2ac055d275a5a082f4aca4e79/analysis/

Once the loader has dropped the binary and run it, the malware begins scanning the IPv4 space at random for open telnet services with weak or default credentials; anything it gets into is reported back so the loader can infect that host in turn. (Obviously I am skipping a lot of steps here.)

You can see that happening in this code snippet:

 

Also make sure to check out SpoofIT’s writeups on Mirai here: http://www.spoofit.org/new-mirai-cc-deployed/ and http://www.spoofit.org/mirai-samples/
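As an added example (not from the original post, and not the Mirai source), here is the kind of check a defender can run over outbound flow records to spot an infected host in the scanning stage described above. The record format, the sample flows and the thresholds are assumptions for this illustration. The telling signal is one source sending SYNs to many distinct addresses on 23 and 2323, spread across many different /8 blocks, within a short window: that is what random IPv4 scanning looks like, and it is not what an admin telnetting to a few switches in one subnet looks like.

```python
from collections import defaultdict
from ipaddress import ip_address

# Mirai-style scanners go after telnet on 23 and the common alternate 2323.
TELNET_PORTS = {23, 2323}

# Constructed sample flow records (not real traffic):
# (epoch seconds, source IP, destination IP, destination port, TCP flags).
SAMPLE_FLOWS = [
    # 192.0.2.10 behaves like a Mirai bot: SYNs to random addresses on 23/2323.
    (1000, "192.0.2.10", "5.12.77.3", 23, "S"),
    (1000, "192.0.2.10", "41.200.9.14", 23, "S"),
    (1001, "192.0.2.10", "93.44.1.200", 2323, "S"),
    (1001, "192.0.2.10", "118.70.33.9", 23, "S"),
    (1002, "192.0.2.10", "177.8.99.1", 23, "S"),
    (1002, "192.0.2.10", "37.5.5.5", 2323, "S"),
    (1003, "192.0.2.10", "201.17.0.3", 23, "S"),
    (1003, "192.0.2.10", "62.1.188.7", 23, "S"),
    (1004, "192.0.2.10", "150.9.9.9", 23, "S"),
    (1004, "192.0.2.10", "88.210.4.4", 23, "S"),
    # 192.0.2.20 is an admin logging in to three switches on one /24.
    (1000, "192.0.2.20", "10.1.1.1", 23, "S"),
    (1030, "192.0.2.20", "10.1.1.2", 23, "S"),
    (1060, "192.0.2.20", "10.1.1.3", 23, "S"),
    # 192.0.2.30 is ordinary web browsing.
    (1000, "192.0.2.30", "203.0.113.5", 80, "S"),
    (1001, "192.0.2.30", "203.0.113.6", 443, "S"),
]


def find_telnet_scanners(flows, window=60, min_targets=8, min_spread=5):
    """Return {src_ip: stats} for sources that look like telnet scanners.

    A source is flagged when, inside some `window` of seconds, it sends SYNs to
    at least `min_targets` distinct destinations on 23/2323 that fall in at
    least `min_spread` distinct /8 blocks. The thresholds are illustrative
    assumptions; tune them against your own baseline traffic.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, flags in flows:
        # Only outbound connection attempts to telnet ports are of interest.
        if port in TELNET_PORTS and flags == "S":
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = (0, 0)  # (distinct targets, distinct /8s) over the best window
        lo = 0
        for hi in range(len(events)):
            # Slide the window so events[lo..hi] all lie within `window` seconds.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            spread = {int(ip_address(dst)) >> 24 for dst in targets}
            best = max(best, (len(targets), len(spread)))
        if best[0] >= min_targets and best[1] >= min_spread:
            flagged[src] = {"targets": best[0], "slash8s": best[1]}
    return flagged


if __name__ == "__main__":
    for src, stats in find_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {stats['targets']} telnet targets across "
              f"{stats['slash8s']} /8 blocks -> probable scanner")
```

On the sample above only 192.0.2.10 is flagged; the admin host touches three addresses in one /8 and never reaches either threshold. The spread check matters because a monitoring system polling many devices on port 23 inside your own address space would otherwise trip a plain connection-count rule.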

 

Uncategorised

Semalt.com referrer spam and botnet infections

The other day I was notified by one of my clients that they were receiving a lot of random hits to their server. The odd thing about these hits was that the referrer was the same throughout.

I noticed two different referrer URLs which, to be honest, I assumed were the same bad actor (I replaced http with hxxp so they don’t get any traffic):

hxxp://keywords-monitoring-your-success.com/try.php?u=hxxp://some-website-here.com

hxxp://buttons-for-website.com

Here are some of the IPs which hit the server, with the corresponding user-agents:

I won’t go too far into describing what semalt.com is and what they are doing that is bad, as there are plenty of other articles covering it:

https://www.incapsula.com/blog/semalt-botnet-spam.html

http://www.infosecurity-magazine.com/news/semalt-hijacks-hundreds-of/

http://blog.nabble.nl/post/93306955157/semalt-infecting-computers-to-spam-the-web

But basically they are an SEO company offering to get your website indexed and ranked better in search engines, which they do by sending requests with a forged HTTP Referer header so that their clients’ sites appear in other sites’ referrer logs and analytics, making them look more popular than they are. (Which pollutes your own analytics and can hurt your SEO, by the way.)

To generate the traffic, the company bundles its software with common freeware like YouTube downloaders and music players, tricking people into installing it without realising their machine is about to become part of a botnet. The terms and conditions do say exactly what these bits of software do, but who reads those anyway?!
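Here is an added example, not from the original post, of how to pull the same picture (which IPs, which user-agents, which referrer) out of a web server’s access log instead of eyeballing it. The log lines are constructed for the example (documentation-range IPs, not real hits), the domain list is just the hostnames named above, and the regular expression assumes the default combined log format written by Apache and nginx.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Default "combined" access log format of Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referrer-spam domains named in the post; extend this from your own logs.
SPAM_REFERRER_DOMAINS = {
    "semalt.com",
    "keywords-monitoring-your-success.com",
    "buttons-for-website.com",
}

# Constructed sample log lines (IPs from documentation ranges, not real hits).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2015:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "http://keywords-monitoring-your-success.com/try.php?u=http://some-website-here.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
198.51.100.8 - - [10/Nov/2015:09:12:03 +0000] "GET / HTTP/1.1" 200 5120 "http://buttons-for-website.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
203.0.113.4 - - [10/Nov/2015:09:13:10 +0000] "GET /about.html HTTP/1.1" 200 2048 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
198.51.100.7 - - [10/Nov/2015:09:14:22 +0000] "GET / HTTP/1.1" 200 5120 "http://keywords-monitoring-your-success.com/try.php?u=http://some-website-here.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
198.51.100.9 - - [10/Nov/2015:09:15:00 +0000] "GET / HTTP/1.1" 200 5120 "http://crawler.semalt.com/crawler.php?u=http://some-website-here.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
"""


def referrer_host(referer):
    """Lowercased hostname of a Referer value, or '' when absent or '-'."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def is_spam_referrer(host, spam_domains=SPAM_REFERRER_DOMAINS):
    """True for a listed domain or any subdomain of it (not for look-alikes)."""
    return any(host == d or host.endswith("." + d) for d in spam_domains)


def summarise_referrer_spam(log_text, spam_domains=SPAM_REFERRER_DOMAINS):
    """Group spam hits by referrer host: {host: {'ips', 'user_agents', 'hits'}}."""
    summary = defaultdict(lambda: {"ips": set(), "user_agents": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format (or a truncated line); skip it
        host = referrer_host(m["referer"])
        if host and is_spam_referrer(host, spam_domains):
            entry = summary[host]
            entry["ips"].add(m["ip"])
            entry["user_agents"].add(m["ua"])
            entry["hits"] += 1
    return dict(summary)


if __name__ == "__main__":
    for host, entry in summarise_referrer_spam(SAMPLE_LOG).items():
        print(f"{host}: {entry['hits']} hits from {sorted(entry['ips'])}")
        for ua in sorted(entry["user_agents"]):
            print(f"    {ua}")
```

Spam of this kind really does hit the server, so once you have the list a web server rule that returns 403 when the Referer matches these hosts stops it. So-called ghost referrer spam, which posts straight to Google Analytics without ever touching your server, never appears in these logs at all and has to be filtered in the analytics settings instead.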

OK, let’s have a look at what they are hosting (on the same server or a nearby IP):

And here are some URL’s that VirusTotal picked up as suspicious or malicious:

Now if that is not suspicious, I do not know what is.

More to follow.

___________________________________________________________

217.23.15.146
SoundFrost.exe

_____________________________

 

Uncategorised

My never ending battle with a Russian-Canadian scam pharmacy

https://www.scambook.com/company/view/1166/Canadian-Health-And-Care-Mall

I hate scammers, especially when it involves people’s health, as with this fake Canadian pharmacy. This is a very old and well-known scam; I remember reading that at one point a botnet was sending out millions of spam emails a day to drive traffic to their websites. It could have a huge impact on vulnerable people who order medication for health reasons (and on recreational users too, I suppose). I do not know whether you actually receive the products, nor whether the products are legitimate.

Continue reading “My never ending battle with a Russian-Canadian scam pharmacy” »

Botnet, Security, Uncategorised

EZTrader.com and the email scam botnet – part 2

After being quiet for some time, the botnet appears to have started up yet again, on a Friday, keeping to its schedule. Why does it seem to spike on Fridays? What a horrible way to end the week.

Anyway, this time round the end-point site has changed; the HTML redirect on the hacked servers is now:

Some examples of email headers from the spoofed mail are as follows (some data is hidden):

As you can see, the main culprit is still WIN-NPPN1JPV75J, now sometimes joined by WORLDST-UQ3K9Q0, and to this day it is still spoofing and sending out thousands of spam mails per day.

Let’s get schwifty

You know what? I have had it with this. It is illegal and immoral, and the people behind it will go down for it; I will make sure of that. My clients are constantly complaining about it and it is getting on my nerves.

Let’s start with the website you get redirected to, “avazunic.com”. Some details for that domain:

IP address 185.22.173.161
Host name
IP range 185.22.172.0 – 185.22.175.255 CIDR
ISP OOO Fishnet Communications
Organization OOO Fishnet Communications
Country Russian Federation (RU)

Unfortunately I was unable to get the source code for this website; whenever I tried to fetch it I received an HTTP error. The website must be some kind of proxy for the redirection stage. I will try to gather more information about this domain, but for now let’s focus on the site it redirects to.

UPDATE 02/11/15

The hacked sites now redirect you to “http://clicksdealer.com/?PID=1&file_id=4b8fa8f7&offer_id=72724bb93&offerID=635&app=4fa068&sub=4b7f4916&dir=cece7” as of this date. They must be getting taken down, so they need to keep switching URLs.

And to my surprise, it’s a Russian-hosted URL with exactly the same IP as before:

IP address 185.22.173.161
Host name
IP range 185.22.172.0 – 185.22.175.255 CIDR
ISP OOO Fishnet Communications
Organization OOO Fishnet Communications
Country Russian Federation (RU)

This redirect service takes you to the hook: the part that is supposed to draw your attention and make you want to find out more. It is designed like any other news portal, although I feel like I need to douse my eyes with bleach after looking at this one.

business24pro.net

 

As you can see from the image, it is a dreadful website. I cannot believe that people actually fall for this, but it happens, and I want to stop it happening because it is not fair, in my opinion.

If you examine the source (https://pastebin.com/8YrYMXKp) you can see that every hyperlink goes to the same bloody page:

http://business24pro.net/go.php?s=2260900354&o=1

Which is yet another redirect… fun times…

This redirect takes you to a page that asks for your details to sign up with a broker, or “money making scheme”:

They are using a service called: http://www.searchingprofits.me/ or as the botnet uses:

http://searchprofits.me/index.php/user/register?aff_id=cfd841fd&st=GB&S=GB-42260921108&AffiliateID=4804&SubAffiliateID=0j6jqns12

I’m not entirely certain what the difference is between searchingprofits.me and searchprofits.me, except that one is behind Cloudflare and the other is not.

After you fill out this form (it’s badly coded, so you don’t need to try hard) it takes you to the final stage of the scam: the trader.

This is what funds the crime and motivates the criminals to do what they do: they get commission for every affiliate registration they bring in.

EZTrader.com, the bad guy

(Screenshot of www.eztrader.com)

No matter how legitimate a site looks, you can never be 100% certain it is trustworthy.

As you can see from this screenshot, it looks very professional and trustworthy, but that is exactly what they want you to think. It is all part of the same scam.

With a few Google searches I can already see the failings of this operation. In November 2014 CySEC suspended their license.

https://leaprate.com/2014/11/cysec-suspends-cif-license-of-binary-options-broker-eztrader-com/

Because of issues with:

  1. Safeguarding of clients’ funds,
  2. Own funds, regarding the capital adequacy of investment firms, and
  3. Large exposures.

Only to have the suspension withdrawn in December of the same year:

https://leaprate.com/2014/12/cysec-withdraws-suspension-of-binary-options-broker-eztrader-com/

They have the worst reviews I have ever seen; looking on Trustpilot I can see a few that paint a pretty good picture of how this company operates:

You can view the reviews on trustpilot here:

https://uk.trustpilot.com/review/eztrader.com

Some more reviews:

http://www.sitejabber.com/reviews/www.eztrader.com

So that brings us to the end, or rather the beginning of a shitstorm for this company. I will report EVERYTHING and hand all the evidence to the appropriate authorities, and I will get this shut down for good.

Here is a small fraction of the hacked servers from wave 2:

And here is a small fraction of the hacked routers or computers that are sending out the spam emails:

 

 

http://www.onlinethreatalerts.com/article/2015/7/28/scam-single-mom-from-london-makes-a-staggering-7-650month-from-finances24-news-com/ (A link regarding the fake news portals)

https://www.scamwarners.com/forum/viewtopic.php?f=34&p=211971 (Threads regarding Wuxi Yilian LLC the spammer and scammer)

Botnet, Security, Uncategorised

New Threat: The WIN-NPPN1JPV75J Botnet

Over the past month I have been monitoring a sophisticated botnet which I have named the WIN-NPPN1JPV75J botnet, as I am unable to find any information about it anywhere else.

I will be dumping all my research and findings here.

How does it work?

The botnet appears to be mainly about spam and traffic, using hacked servers to send spoofed emails that link to a bad actor’s sites. The initial infection was most likely an email attachment which users unknowingly opened. Once opened, it grabs your contact list and your email address and begins sending spam to everyone in your contacts. It appears that even if you remove the malware and change your password, the emails keep going out. That is because they are not being sent from your system at all: they are sent from elsewhere with your address spoofed to make them look legitimate. You cannot stop that from your own machine; the only real defence is on the receiving side, which means publishing SPF (and ideally DKIM and DMARC) records in your domain’s DNS, or relying on third-party filtering.

Unfortunately I do not know much about how the initial compromise took place, so I will dive straight into the second stage of the attack: the spoofed emails.

What do the emails look like?

The emails are mostly the same, alternating between different linked websites. The body text is simply “New message, please read” or “Important message, please visit”.

(Screenshot of one of the spam emails, 2015-10-13)

You will notice, if you view the email header source, that every one of them has a similar header:

Received: from [85.250.149.205] (port=57932 helo=WIN-NPPN1JPV75J)
by sulis.instanthosting.com.au with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)

Notice the WIN-NPPN1JPV75J? The HELO (or EHLO) command is what the sending SMTP client uses to identify itself, and it is the same for every single spam mail, hence why I have called it the WIN-NPPN1JPV75J botnet. One more thing worth noticing is the “with esmtpsa” tag: in Exim’s Received headers the trailing “s” means the session used TLS and the trailing “a” means the client passed SMTP AUTH, so this particular message was submitted with valid credentials for an account on sulis.instanthosting.com.au rather than simply injected with a forged From address. When you see that, treat the mailbox password (or the relay itself) as compromised, not just spoofed.
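As an added example (not from the original post), here is how to pull the first-hop details out of a batch of these messages and cluster them by HELO name, so you can see at a glance whether a new wave is the same client. The regular expression is written for Exim’s Received header layout as shown above. The messages are constructed for the example using the HELO names and the relay host named in the post; apart from the IP quoted above, the addresses come from documentation ranges.

```python
import re
from collections import Counter
from email import message_from_string

# Exim-style Received header, as in the sample from the post:
#   Received: from [85.250.149.205] (port=57932 helo=WIN-NPPN1JPV75J)
#       by sulis.instanthosting.com.au with esmtpsa (...)
# Also tolerates the "from rdns ([ip])" layout used for relay hops.
RECEIVED_RE = re.compile(
    r"from\s+(?:(?P<rdns>\S+)\s+)?\(?\[(?P<ip>[0-9a-fA-F.:]+)\]\)?"
    r"(?:\s+\(port=(?P<port>\d+)\s+helo=(?P<helo>[^)\s]+)\))?"
    r".*?\bby\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)",
    re.DOTALL,
)


def parse_received(value):
    """Extract ip/helo/by/proto from one Received header value (None if no match)."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
    if not m:
        return None
    d = m.groupdict()
    # Exim protocol tags: "esmtps" = TLS, "esmtpa" = SMTP AUTH, "esmtpsa" = both.
    d["authenticated"] = d["proto"].lower().endswith("a")
    return d


def first_hop(raw_message):
    """The Received header added by the first server that accepted the message.

    Each relay prepends its own Received header, so the last one in the list is
    the earliest hop: the one that actually saw the sending client.
    """
    msg = message_from_string(raw_message)
    for value in reversed(msg.get_all("Received") or []):
        parsed = parse_received(value)
        if parsed:
            return parsed
    return None


def cluster_by_helo(raw_messages):
    """Count first-hop HELO names across a batch of suspected spam."""
    hops = (first_hop(raw) for raw in raw_messages)
    return Counter(hop["helo"] for hop in hops if hop and hop["helo"])


def _raw(first_hop_received, subject):
    """Build a constructed two-hop message for the example."""
    return (
        "Received: from sulis.instanthosting.com.au ([203.0.113.10])\n"
        "\tby mx.example.net with esmtps (TLS1.2) id 1abc-00\n"
        f"Received: {first_hop_received}\n"
        "From: victim@example.com\n"
        f"Subject: {subject}\n"
        "\n"
        "http://freshandcleanservicesva.com/act.php\n"
    )


# Constructed sample messages: three from the botnet, one ordinary relay.
SAMPLE_MESSAGES = [
    _raw("from [85.250.149.205] (port=57932 helo=WIN-NPPN1JPV75J)\n"
         "\tby sulis.instanthosting.com.au with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)",
         "New message, please read"),
    _raw("from [198.51.100.23] (port=50112 helo=WIN-NPPN1JPV75J)\n"
         "\tby sulis.instanthosting.com.au with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)",
         "Important message, please visit"),
    _raw("from [198.51.100.77] (port=41990 helo=WORLDST-UQ3K9Q0)\n"
         "\tby sulis.instanthosting.com.au with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)",
         "New message, please read"),
    _raw("from mail.example.org ([192.0.2.5])\n"
         "\tby sulis.instanthosting.com.au with esmtps (TLS1.2)",
         "Invoice"),
]


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        hop = first_hop(raw)
        print(hop["ip"], hop["helo"], "authenticated" if hop["authenticated"] else "unauthenticated")
    print(cluster_by_helo(SAMPLE_MESSAGES))
```

Run over a real spam folder this gives you the client IPs to report and tells you which relays accepted the mail with SMTP AUTH, which is where to look for stolen credentials.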

What the hell is going on?!

The botnet uses the contact list it stole from your email client (most likely the addresses on your most recent CC’d mails) and sends an email to everyone on that list, with a different link each time, each directing you to a hacked website.

The links are interesting: they normally consist of the hacked website itself (http://freshandcleanservicesva.com) followed by a randomly named PHP script which is just a JavaScript redirect.

From what I have analysed, the hacked websites are mostly running WordPress, a free content management system. They mostly have out-of-date plugins and themes with multiple known vulnerabilities, which I am guessing is why they were easy targets.

The randomly named PHP script contains a JavaScript redirect to a dodgy news-looking website:
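The redirect chain described here, and in the part 2 post earlier on this page (hacked site, JavaScript redirect, Russian redirector, fake news portal), can be mapped without ever rendering the pages in a browser. The following is an added example, not the botnet’s code and not from the original post: it statically extracts meta-refresh, JavaScript `location` and HTTP `Location` redirects and walks the chain hop by hop. The page bodies are constructed for the example (only the hostnames come from the posts), and `fetch` is a stand-in for whatever you use to retrieve pages, ideally from an isolated box.

```python
import re
from html import unescape
from urllib.parse import urljoin

# Redirect styles seen on the hacked sites: an HTML meta refresh and the usual
# JavaScript one-liners. Everything is matched statically; nothing is executed.
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)
JS_REDIRECT_RE = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']\s*\)',
    re.IGNORECASE,
)


def extract_redirect(base_url, body):
    """Absolute URL an HTML body would bounce the browser to, or None."""
    m = META_REFRESH_RE.search(body)
    if m:
        return urljoin(base_url, unescape(m.group(1)))
    m = JS_REDIRECT_RE.search(body)
    if m:
        return urljoin(base_url, unescape(m.group(1) or m.group(2)))
    return None


def follow_chain(start_url, fetch, max_hops=10):
    """Walk redirects using `fetch(url) -> (status, headers, body)`.

    Handles HTTP 3xx Location headers as well as the in-page redirects above,
    and stops on a loop or after `max_hops`, so a deliberately looping chain
    cannot hang the analysis. Returns the list of URLs visited, in order.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if 300 <= status < 400 and "Location" in headers:
            nxt = urljoin(url, headers["Location"])
        else:
            nxt = extract_redirect(url, body)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain


# Constructed pages imitating the chain in the posts. The hostnames are the
# ones named there; the bodies and statuses are made up for this example.
CONSTRUCTED_PAGES = {
    "http://freshandcleanservicesva.com/act.php": (200, {},
        '<html><body><script>window.location="http://avazunic.com/";</script></body></html>'),
    "http://avazunic.com/": (302, {"Location": "http://business24pro.net/"}, ""),
    "http://business24pro.net/": (200, {},
        '<html><body><a href="/go.php?s=2260900354&o=1">Read more</a></body></html>'),
    # Two pages that bounce to each other, to exercise the loop guard.
    "http://loop-a.example/": (200, {},
        '<meta http-equiv="refresh" content="0;url=http://loop-b.example/">'),
    "http://loop-b.example/": (200, {},
        '<script>location.replace("http://loop-a.example/")</script>'),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs look like a 404."""
    return CONSTRUCTED_PAGES.get(url, (404, {}, ""))


if __name__ == "__main__":
    for hop in follow_chain("http://freshandcleanservicesva.com/act.php", fake_fetch):
        print(hop)
```

The chain stops at business24pro.net because that page only has ordinary links; the next hop in the real scam (go.php, then the broker sign-up) needs a click, which is exactly the point where you switch from automated mapping to looking at the page by hand.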

So who’s the bad actor?

 


The website they all redirect to, as of now, is dailyfinancesplanet.net, which is currently down.

Some details from the server are below:

IP Location: Russian Federation, Novosibirsk, Llc Company Interlan Communications
ASN: AS57494 ADMAN-AS Krek Ltd. (registered Nov 14, 2011)
Whois Server: whois.ripe.net
IP Address: 109.237.109.237
Reverse IP: 2 websites use this address.

% Abuse contact for ‘109.237.108.0 – 109.237.111.255’ is ‘

I also found this website hosted on the same server, but I haven’t looked into it yet: businessexpert24.net.

Vladimir E Gnat

So we got Vlad’s name from the WHOIS record of the dailyfinancesplanet.net domain. That’s pretty bad, right? Forgot to enable WHOIS privacy? Anyway, his name has popped up elsewhere: he has also been linked to the Smoke Loader malware through the domain name zoneserveryu788.com.

Read more about that here: http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html

He also owns these domains:

He uses these email addresses:

He used these phone numbers:

Address details?

He is associated with hundreds of servers, some of which are:

 

Is your server infected?

Below is a very small fraction of the infected servers I have found involved in spreading this email virus. Do not click on these links unless you know what you are doing!

http://proformancesportsacademy.com/else.php?6x8x
http://labdigital.cl/above.php?mh
http://discoverroundrock.com/struck.php?hhv
http://www.hytvmedia.com/brother.php?01
http://garagedoorrepairbrooklyn.com/saw.php?9w
http://dgwsoftware.com/respect.php?l
http://chateaustalbain.com/next.php?0yaik
http://KathyRogilliopianotuning.com/by.php
http://readsuccess.com/affection.php
http://mixmajorinsurance.com/master.php
http://freshandcleanservicesva.com/act.php
http://mobile-pharma.com/received.php
http://www.afriendofthearts.com/by.php
http://icongraphics.co.za/condition.php?f
http://indocanadaartscouncil.com/watched.php?i80gj
http://locksmithinnyc.com/anxious.php?uzayl
http://nwcc-mt.com/told.php?cixeh
http://lovivol.com/greatest.php?1qvt
http://msmkerala.org.in/note.php?tq1l
http://tandarts-in-arnhem.nl/give.php?subyr
http://coffeemana.com/proud.php?bkv
http://yuvamdekor.com/hold.php?yyl
http://alohaithai.com/scarcely.php?q
http://somaticyoga.com/general.php?7
http://doctorfordiabetes.com/same.php?n
http://eklepro.com/or.php?x
http://behowardofficial.com/whom.php?d
http://coloradocreditscore.com/evening.php?3m6
http://gauravmohan.com/offer.php?f
http://rtpact.org/shall.php?u01
http://bancadatialiquote.it/kitchen.php?4ika
http://azeferforje.com/times.php?nme
http://creatorsparadize.com/allow.php?1o5
http://scottavechurch.com/tell.php?zm8
http://gameonline3.com/week.php?6a4f
http://gumusdekorasyon.com/alone.php?hfjq
http://thietkewebhuyhoang.com/joy.php?wfoky
http://recoverytek.com/town.php?tgm
http://rrtc2015.com/meeting.php?uqzf
http://hottypotty.in/health.php?b6
http://athleticrevolutionroswell.com/third.php?bf
http://dessertnomad.com/pride.php?j04o4
http://radioformia.com/possible.php?hg2y
http://pomodoriitalissima.com/through.php?eq4
http://pleksikorkuluk.net/little.php?oabx
http://bookdomainer.com/that.php?w9lh
http://winrar.rs/far.php?dpojg
http://web.nil2million.com/ways.php?iyi
http://gauravmohan.com/lose.php?280
http://dessertnomad.com/speaking.php?0
http://zenciporno-izle.com/hold.php?d
http://initiativemobileinsights.com/laughed.php?izsl5
http://mindtrickattack.com/time.php?4
http://farkimizbu.com/laughed.php?umia
http://sekuritkorea.net/pretty.php?xdx1c
http://bookdomainer.com/soul.php?z
http://privatepleasuresclub.com/laid.php?mc4v
http://yanztech.com/because.php?mk
http://organised.hsw.com.au/nearly.php?p1y0
http://hotelmysliwski.eu/friends.php?9lqx
http://creatives360.com/body.php?ycn
http://transports-dupas-lebeda.eu/away.php?dup
http://buyanyconditionhome.com/met.php?n
http://l-mon.com/account.php?3
http://casinoenlignesansdepot.net/your.php?l91
http://alohaithai.com/knowing.php?lfhy2
http://valleyclinicaltrials.com/she.php?ft2i
http://spasoleilmassage.com/entered.php?y
http://jcsc123.com/safe.php?17p86
http://pmvibration.com/sad.php?2aq
http://cbpillars.com/hearing.php?q
http://recoverytek.com/into.php?n
http://muslimacrossamerica.net/deal.php?wnt
http://voodoominimarathon.net/our.php?q3
http://estanfordmagic.com/talk.php?74
http://mayordomiasanblas.es/they.php?

Conclusion

There isn’t really much we can do about this, unfortunately; we can only report the malicious domains and hope for the best. In the meantime I am going to research this a lot more, trying to find the root of the botnet.

More to come.

Check out Wardline’s blog post about the very same issue:

http://wardinewrock.blogspot.co.uk/2015/09/email-sent-under-my-name-not-from-me.html

Apple, Phishing, Security, Uncategorised

Another day, another Apple phisher…

Hi there!

While cruising through my email spam folder (as one does) I came across a bit of spam that stood out from the others, mainly by copying Apple Inc. completely. I had to see what it was. Luckily, upon opening the email I could clearly see that this was a phishing attempt to get my Apple ID and possibly my card information. Let’s take a closer look, shall we?

The email itself looks very dodgy, and to be honest I don’t use any Apple product whatsoever (I hate them), so how could I be receiving emails about my Apple account being abused?

Continue reading “Another day, another Apple phisher…” »