Tuesday, 13 October 2009

The Multitasking Fast-Flux Botnet that Wants to Bank With You

From a Chase phishing campaign, to a bogus Microsoft update, and an exploit serving spam campaign using a "Who Killed Michael Jackson?" theme prior to his death (go through related Michael Jackson malware campaigns), to a currently ongoing phishing campaign impersonating the United Services Automobile Association (USAA), the gang behind this botnet has been actively multitasking during the past two months.

The spam message is as follows:
"Michael Jackson Was Killed... But Who Killed Michael Jackson? Visit X-Files to see the answer: MJackson.kilijj .com/x-files", upon clicking on it the user is redirected to two exploit serving domains - ogzhnsltk .com/plugins/index.php (94.199.200.125 Email: osaltik@windowslive.com); and dogankomurculuk .com/stil/index.php (91.191.164.100 - Email: by.yasin@msn.com).

Through the use of an Office Snapshot Viewer exploit the user is the exposed to a downloader (x-file-MJacksonsKiller.exe) which attempts to drop a copy of the Zeus malware from labormi .com/lbrc/lbr.bin (91.206.201.6). The following is an extensive list of the participating domains, as well as the currently active and fast-fluxing DNS servers part of the botnet:


List of participating domains:
kilij1 .com
ilkil1 .com
ilkifi .com
kili1j .com
kil1jj .com
ki1ijj .com
kikijj .com
k1lijj .com
kilijj .com
1ilikj .com
ilki1k .com
ilk1lk .com
i1kilk .com
ilkilk .com


kilij1 .net
ilkil1 .net
kili1j .net
kil1jj .net
ki1ijj .net
k1lijj .net
kilijj .net
1ilikj .net
ilki1k .net
ilk1lk .net
i1kilk .net
ilkilk .net
ilifi.com .mx
1ffli.com .mx
iljihli.com .mx
hhili.com .mx
hilli.com .mx
kiffil.com .mx


Michael Jackson related subdomains:
mjackson.ijjik1 .com
mjackson.ijjil1. com
mjackson.kjjil1 .com
mjackson.ikjil1 .com
mjackson.ijkil1 .com
mjackson.ijjkl1 .com
mjackson.ikilij .com
mjackson.ikklij .com
mjackson.ikilkj .com
mjackson.ikilfk .com


mjackson.ijjilk .com
mjackson.ijjill .com
mjackson.ijjik1 .net
mjackson.ijjil1 .net
mjackson.ikjil1 .net
mjackson.ijkil1 .net
mjackson.ijjkl1 .net
mail.ikilij .net
mjackson.ikilij .net
mjackson.ilifi .com.mx
mjackson.iljihli .com.mx
mjackson.hhili .com.mx
mjackson.hilli .com.mx


Microsoft related subdomains:
update.microsoft.com .h1hili.com
update.microsoft.com .ijlk1j.com
update.microsoft.com .hillij.com
update.microsoft.com .hillkj.com
update.microsoft.com .ikillif.net
update.microsoft.com .jikikji.net
update.microsoft.com .hillij.net
update.microsoft.com .hillik.net
update.microsoft.com .ikihill.net
update.microsoft.com .ilifi.com.mx
update.microsoft.com .iljihli.com.mx
update.microsoft.com .hilli.com.mx
update.microsoft.com .kiffil.com.mx


USAA.com related phishing subdomains:
www.usaa.com.kihhif .com
www.usaa.com.kihhih .com
www.usaa.com.kihhik .com
www.usaa.com.kihhil .com
www.usaa.com.kihhik .net
www.usaa.com.kihhil .net
www.usaa.com.hilli.com .mx
www.usaa.com.frtll.com .mx
www.usaa.com.mrtll.com .mx


DNS Servers of notice:
ns1.vine-prad .com
ns2.vine-prad .com
ns1.blacklard .com
ns1.fax-multi .com
ns2.fax-multi .com
ns1.rondonman .com
ns2.rondonman .com
ns1.host-fren .com
ns2.host-fren .com
ns1.hotboxnet .com
ns2.hotboxnet .com
ns1.free-domainhost .com
ns2.free-domainhost .com
ns1.sunthemoow .com


ns2.sunthemoow .com
ns1.high-daily .com
ns2.high-daily .com
ns1.otorvald .net
ns1.red-bul .net
ns2.red-bul .net
ns1.footdoor .net
ns1.bestdodgeros .net
ns2.bestdodgeros .net
ns1.azdermen .com
ns2.azdermen .com
ns1.departconsult .com
ns2.departconsult .com
ns1.torentwest .com
ns2.torentwest .com
ns1.downlloadfile .net
ns2.downlloadfile .net


Due to this botnet's involvement with several other malware campaigns of notice, as well as its evident connection with the ongoing monitoring of several particular cybecrime groups, analysis and updates will be posted as soon as they emerge.

emails

a

The Register - Security

IQ test

The Register - Security: Anti-Virus

HackWire - Hacker News