Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 3 November 2009

Are you helping the Facebook botnet?

We've had various phishing botnets over the years, and this one is no different, well, almost. I received several e-mails claiming to be from Facebook, with the following content;

facebook

Dear Facebook user,
In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.

Click here to update your account online now.
If you have any questions, reference our New User Guide.
Thanks,

The Facebook Team Update your Facebook account

Update

This message was intended for a1aaa1azzzz1zaaaaa@it-mate.co.uk.
Facebook's offices are located at 1601 S. California Ave., Palo Alto, CA 94304.


Plain text is a little messy, so here's a screenshot;



Once you load this, and pop in your password etc, you're taken to the following screen;



http://www.facebook.com.vvvaszxx.eu/globaldirectory/MyAccount.php
http://www.facebook.com.pppiod.eu/globaldirectory/MyAccount.php
http://www.facebook.com.pppioz.eu/globaldirectory/MyAccount.php

This tells you;

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:


The file offered, updatetool.exe (MD5: b245eb505f49f88e124c0ae2988d2fe9), is of course malware.

Payload:
http://www.facebook.com.vvvaszxx.eu/globaldirectory/updatetool.exe
http://www.facebook.com.pppiod.eu/globaldirectory/updatetool.exe
http://www.facebook.com.pppioz.eu/globaldirectory/updatetool.exe

hpHosts entry:

http://hosts-file.net/?s=www.facebook.com.vvvaszxx.eu
http://hosts-file.net/?s=www.facebook.com.pppiod.eu
http://hosts-file.net/?s=www.facebook.com.pppioz.eu

Someone's already beaten me to VT with this one (not surprisingly, it's a Zbot variant), and it shows a measly 7 vendors detecting it;

VirusTotal result:
http://www.virustotal.com/analisis/12f028e654dd35182905a3413082cee0e92df22099739f6516143986c9628e6a-1257207933

Anubis result:
http://anubis.iseclab.org/?action=result&task_id=1e18837e806b75744e57310de488fba61

In case you're wondering, by the way, the folks responsible for this are the same folks responsible for both the previous phishing and malware campaigns, and for the current IRS phishing and malware campaign;

http://hosts-file.net/?s=www.irs.gov.pppiod.eu/fraud_application/directory/statement.php

Payload (VT #1 VT #2):
http://www.irs.gov.pppiod.eu/fraud_application/directory/tax-statement.exe
http://www.irs.gov.vvvaszxx.eu/globaldirectory/tax-statement.exe
http://www.irs.gov.pppioz.eu/globaldirectory/tax-statement.exe
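The trick all of these URLs share is that the brand (facebook.com, irs.gov) only appears as subdomain labels; the domain actually registered is vvvaszxx.eu, pppiod.eu or pppioz.eu, and the browser's address bar happily shows the familiar name on the left. Here is an added Python example (mine, not part of the original post) that pulls the registrable domain out of a hostname, flags a protected brand sitting in the subdomain labels, and emits a hosts-file sinkhole line for each lookalike. The PROTECTED set is a constructed allow-list for the example, and the "last two labels" rule is a simplification that is right for .eu/.com/.gov but not for suffixes like .co.uk.

```python
from urllib.parse import urlparse

# Lure URLs quoted in the post above (Facebook and IRS campaigns).
PHISH_URLS = [
    "http://www.facebook.com.vvvaszxx.eu/globaldirectory/MyAccount.php",
    "http://www.facebook.com.pppiod.eu/globaldirectory/MyAccount.php",
    "http://www.facebook.com.pppioz.eu/globaldirectory/MyAccount.php",
    "http://www.irs.gov.pppiod.eu/fraud_application/directory/statement.php",
]

# Brands the lures impersonate. Constructed allow-list for this example; a
# real deployment would carry its own list of protected domains.
PROTECTED = {"facebook.com", "irs.gov"}


def registrable_domain(host):
    """Return the domain the owner actually registered (last two labels).

    Simplification: two labels is right for .eu/.com/.gov, but suffixes such
    as .co.uk need the Public Suffix List, which this example doesn't ship.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(host, protected=PROTECTED):
    """Return the protected domain that `host` embeds as subdomain labels
    while being registered under some other domain, or None if genuine."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in protected:
        return None  # really facebook.com / irs.gov, or a subdomain of it
    padded = "." + host + "."  # dots on both sides so labels match whole
    for brand in protected:
        if "." + brand + "." in padded:
            return brand
    return None


def hosts_entries(urls, protected=PROTECTED):
    """Map each lookalike URL to (hostname, brand, hosts-file line).

    The "127.0.0.1 host" line is plain hosts-file syntax (the format hpHosts
    distributes); it sinkholes the host on the local machine.
    """
    out = []
    seen = set()
    for url in urls:
        host = urlparse(url).hostname
        brand = impersonated_brand(host, protected)
        if brand and host not in seen:
            seen.add(host)
            out.append((host, brand, "127.0.0.1 " + host))
    return out


if __name__ == "__main__":
    for host, brand, line in hosts_entries(PHISH_URLS):
        print("%-40s impersonates %-12s -> %s" % (host, brand, line))
```

Note that the check is on the registrable domain, not on whether the string "facebook.com" appears anywhere: login.facebook.com passes, www.facebook.com.pppiod.eu does not, and a registered name like myfacebook.com is a different problem (a typosquat) that this particular check deliberately leaves alone.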



IPs seen thus far:

IP Address        (n)  AS#    Hostname
112.152.65.97     (0)  17858  Resolution failed
114.37.100.39     (2)  3462   114-37-100-39.dynamic.hinet.net
115.22.11.185     (1)  4766   Resolution failed
117.195.238.67    (0)  9829   Resolution failed
119.201.184.155   (0)  4766   Resolution failed
122.124.130.158   (2)  3462   122-124-130-158.dynamic.hinet.net
122.254.241.9     (0)  17871  Resolution failed
123.195.226.68    (2)  9924   123-195-226-68.dynamic.kbronet.com.tw
124.120.17.143    (0)  17552  ppp-124-120-17-143.revip2.asianet.co.th
125.208.81.28     (1)  17849  Resolution failed
190.174.24.185    (0)  22927  190-174-24-185.speedy.com.ar
201.239.155.181   (1)  22047  pc-181-155-239-201.cm.vtr.net
211.172.68.226    (0)  18310  Resolution failed
211.203.144.69    (0)  9318   Resolution failed
211.58.98.242     (2)  9318   Resolution failed
218.158.65.44     (0)  4766   Resolution failed
220.91.81.239     (2)  4766   Resolution failed
222.157.114.2     (1)  7482   Resolution failed
71.11.234.135     (3)  20115  71-11-234-135.dhcp.ftwo.tx.charter.com
77.239.70.153     (1)  42571  153-70.telrad.net
77.52.52.167      (0)  21497  77-52-52-167.dialup.umc.net.ua
85.202.49.44      (0)  43939  cb44.osiedle.net.pl
88.216.136.50     (1)  33922  c-136-50.marinet.lt
89.208.248.251    (1)  12695  Resolution failed
91.89.60.107      (2)  29562  HSI-KBW-091-089-060-107.hsi2.kabelbw.de
92.115.218.172    (7)  8926   host-static-92-115-218-172.moldtelecom.md
93.89.214.131     (3)  45025  as45025-93-89-214-131.mol.net.ua
94.189.154.183    (0)  31042  cable-94-189-154-183.dynamic.sbb.rs
95.111.215.187    (0)  31343  Resolution failed
95.68.71.163      (1)  12578  Resolution failed
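Look at what that list is made of: thirty addresses, spread over twenty-five different ASes, and the ones that reverse-resolve at all are mostly consumer DSL/cable/dial-up lines (hinet "dynamic", Charter "dhcp", umc "dialup", and so on). That is what a hostname backed by infected home machines rather than a hosting provider looks like, and it is the usual sign of fast-flux hosting. The post itself doesn't use the term, so here is an added Python example (mine, not the post's) that takes the table above and scores it. The RESIDENTIAL_HINTS list and the thresholds in looks_fast_flux are heuristics I chose for the example; tune them to the PTR conventions in your own data.

```python
from collections import Counter

# The "IPs seen thus far" table from the post: (ip, asn, reverse-DNS name).
SEEN = [
    ("112.152.65.97", 17858, "Resolution failed"),
    ("114.37.100.39", 3462, "114-37-100-39.dynamic.hinet.net"),
    ("115.22.11.185", 4766, "Resolution failed"),
    ("117.195.238.67", 9829, "Resolution failed"),
    ("119.201.184.155", 4766, "Resolution failed"),
    ("122.124.130.158", 3462, "122-124-130-158.dynamic.hinet.net"),
    ("122.254.241.9", 17871, "Resolution failed"),
    ("123.195.226.68", 9924, "123-195-226-68.dynamic.kbronet.com.tw"),
    ("124.120.17.143", 17552, "ppp-124-120-17-143.revip2.asianet.co.th"),
    ("125.208.81.28", 17849, "Resolution failed"),
    ("190.174.24.185", 22927, "190-174-24-185.speedy.com.ar"),
    ("201.239.155.181", 22047, "pc-181-155-239-201.cm.vtr.net"),
    ("211.172.68.226", 18310, "Resolution failed"),
    ("211.203.144.69", 9318, "Resolution failed"),
    ("211.58.98.242", 9318, "Resolution failed"),
    ("218.158.65.44", 4766, "Resolution failed"),
    ("220.91.81.239", 4766, "Resolution failed"),
    ("222.157.114.2", 7482, "Resolution failed"),
    ("71.11.234.135", 20115, "71-11-234-135.dhcp.ftwo.tx.charter.com"),
    ("77.239.70.153", 42571, "153-70.telrad.net"),
    ("77.52.52.167", 21497, "77-52-52-167.dialup.umc.net.ua"),
    ("85.202.49.44", 43939, "cb44.osiedle.net.pl"),
    ("88.216.136.50", 33922, "c-136-50.marinet.lt"),
    ("89.208.248.251", 12695, "Resolution failed"),
    ("91.89.60.107", 29562, "HSI-KBW-091-089-060-107.hsi2.kabelbw.de"),
    ("92.115.218.172", 8926, "host-static-92-115-218-172.moldtelecom.md"),
    ("93.89.214.131", 45025, "as45025-93-89-214-131.mol.net.ua"),
    ("94.189.154.183", 31042, "cable-94-189-154-183.dynamic.sbb.rs"),
    ("95.111.215.187", 31343, "Resolution failed"),
    ("95.68.71.163", 12578, "Resolution failed"),
]

UNRESOLVED = "Resolution failed"

# PTR fragments that typically mark consumer broadband pools. Heuristic,
# chosen for this example; extend it for the ISPs you actually see.
RESIDENTIAL_HINTS = ("dynamic", "dhcp", "dialup", "ppp", "cable", "pool")


def resolution_profile(records):
    """Summarise how one hostname's A records are spread across networks."""
    ips = {ip for ip, _, _ in records}
    asns = Counter(asn for _, asn, _ in records)
    unresolved = sum(1 for _, _, ptr in records if ptr == UNRESOLVED)
    residential = sum(
        1 for _, _, ptr in records
        if ptr != UNRESOLVED and any(h in ptr.lower() for h in RESIDENTIAL_HINTS)
    )
    return {
        "ips": len(ips),
        "asns": len(asns),
        "unresolved": unresolved,
        "residential_ptr": residential,
        "busiest_asn": asns.most_common(1)[0] if asns else None,
    }


def looks_fast_flux(profile, min_ips=10, min_asns=5):
    """Crude fast-flux test: one hostname backed by many addresses in many
    unrelated networks, more than half of them consumer lines or with no
    PTR at all. A legitimate site on a CDN also has many IPs, but they sit
    in a handful of ASNs and carry the CDN's own reverse names."""
    residential_or_dark = profile["residential_ptr"] + profile["unresolved"]
    return (profile["ips"] >= min_ips
            and profile["asns"] >= min_asns
            and residential_or_dark * 2 > profile["ips"])


if __name__ == "__main__":
    prof = resolution_profile(SEEN)
    for key, value in prof.items():
        print("%-16s %s" % (key, value))
    print("fast-flux?", looks_fast_flux(prof))
```

For the table above this gives 30 IPs in 25 ASNs, 15 with no reverse name and 7 more on recognisably residential PTRs, so the hostname is flagged. The practical consequence is the one the post draws anyway: blocking by IP is pointless here, block the hostnames.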

You're going to be seeing a lot of these if the past campaigns are anything to go by, and it's pretty much a guarantee that there's going to be more than just the aforementioned domains involved. If you receive any of these, please do forward them to me (with the original headers if possible);

phishing @ it-mate.co.uk
