Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 26 November 2009

Facebook botnet: Is your computer helping it?

I've just received several more Facebook e-mails that point to URLs hosted on a botnet. The pages they link to steal your information, load an iFrame to an exploit, and finally offer you an "update tool", which is the well-known Zbot infection.

Sadly, Outlook 2007 isn't letting my Outlook Export application work properly, so I've had to grab the IPs and such manually (well, via hpObserver ;)).

hpObserver Results
http://hosts-file.net/misc/hpObserver_Results_-_Facebook_botnet.html

The URL's

The URL in the e-mail points to the following:

http://www.facebook.com.hyffvsr.be/usersdirectory/LoginFacebook.php?ref=4926033691635326753606845546830365677951122&email=jane@it-mate.co.uk
http://www.facebook.com.hyffvsz.be/usersdirectory/LoginFacebook.php?ref=4926033691635326753606845546830365677951122&email=jane@it-mate.co.uk
http://www.facebook.com.hyffvsa.be/usersdirectory/LoginFacebook.php?ref=2351587239519038887182277672158321779383780&email=allen@osq.co.uk
http://www.facebook.com.hyffvsf.be/usersdirectory/LoginFacebook.php?ref=2351587239519038887182277672158321779383780&email=allen@osq.co.uk
http://www.facebook.com.hyffvsb.be/usersdirectory/LoginFacebook.php?ref=57467464426814918763552441458339127080764214890&email=baldybrothersfannn@it-mate.co.uk
http://www.facebook.com.ferdasxs.be/usersdirectory/LoginFacebook.php?ref=57467464426814918763552441458339127080764214890&email=baldybrothersfannn@it-mate.co.uk


LoginFacebook.php, besides stealing your information, loads an exploit via a hidden iFrame from:

http://193.104.27.234/sv/in.php



Wepawet results
http://wepawet.cs.ucsb.edu/view.php?hash=72212c145e1fb054a556719a8c2ab499&type=js
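The hidden iFrame is the part of this chain a defender can spot in the page source before anything runs. The scanner below is an added example (mine, not hpHosts code or the botnet's page) that flags iframes hidden by size or style. The HTML is constructed for the example, and the iframe target exploit.invalid is a placeholder, not an address from this post.

```python
"""Flag hidden iframes of the kind a phishing page uses to pull in an exploit.
Added example; the HTML below is constructed, and exploit.invalid is a placeholder."""
import re
from html.parser import HTMLParser

# Constructed sample: a fake login form, a 1x1 off-screen iframe, and an
# ordinary visible iframe that must not be flagged.
SAMPLE_HTML = """
<html><body>
<form action="LoginFacebook.php" method="post">
  <input name="email"><input name="pass" type="password">
</form>
<iframe src="http://exploit.invalid/sv/in.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-1000px"></iframe>
<iframe src="http://example.com/widget" width="300" height="200"></iframe>
</body></html>
"""

# Inline style tricks commonly used to keep a frame out of sight.
HIDDEN_STYLE = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d+)", re.I)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeFinder(HTMLParser):
    """Collects every <iframe> and records why it looks hidden, if it does."""

    def __init__(self):
        super().__init__()
        self.hidden = []   # list of (src, [reasons]) for suspicious frames
        self.visible = []  # list of (src, []) for frames with nothing odd

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): v for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny size")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by style")
        src = a.get("src") or ""
        (self.hidden if reasons else self.visible).append((src, reasons))


def find_hidden_iframes(html):
    """Return [(src, reasons), ...] for iframes that are sized or styled to be invisible."""
    p = IframeFinder()
    p.feed(html)
    p.close()
    return p.hidden


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print("suspicious iframe ->", src, "(", ", ".join(reasons), ")")
```

Run it over saved page source rather than fetching the live page; anything it flags is worth submitting to a sandbox such as Wepawet, as was done above, rather than opening in a browser.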

Once you've been exploited and handed over your information, you're taken to:

http://www.facebook.com.hyffvsr.be/usersdirectory/MyAccount.php
http://www.facebook.com.hyffvsz.be/usersdirectory/MyAccount.php
http://www.facebook.com.hyffvsa.be/usersdirectory/MyAccount.php
http://www.facebook.com.hyffvsf.be/usersdirectory/MyAccount.php
http://www.facebook.com.hyffvsb.be/usersdirectory/MyAccount.php
http://www.facebook.com.ferdasxs.be/usersdirectory/MyAccount.php


Which claims:

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:


Which leads to the Zbot infection at:

http://www.facebook.com.hyffvsr.be/usersdirectory/updatetool.exe
http://www.facebook.com.hyffvsz.be/usersdirectory/updatetool.exe
http://www.facebook.com.hyffvsa.be/usersdirectory/updatetool.exe
http://www.facebook.com.hyffvsf.be/usersdirectory/updatetool.exe
http://www.facebook.com.hyffvsb.be/usersdirectory/updatetool.exe
http://www.facebook.com.ferdasxs.be/usersdirectory/updatetool.exe


The e-mail

The e-mail is, of course, in HTML format originally, but the plain text (you do use plain text e-mail, right?) contains:

facebook

Dear Facebook user,

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.
Click here <http://www.facebook.com.hyffvsr.be/usersdirectory/LoginFacebook.php?ref=4926033691635326753606845546830365677951122&email=jane@it-mate.co.uk> to update your account online now.

If you have any questions, reference our New User Guide.

Thanks,
The Facebook Team

Update your Facebook account

Update <http://www.facebook.com.hyffvsz.be/usersdirectory/LoginFacebook.php?ref=4926033691635326753606845546830365677951122&email=jane@it-mate.co.uk>

This message was intended for jane@it-mate.co.uk.
Facebook's offices are located at 1601 S. California Ave., Palo Alto, CA 94304.


VirusTotal results
http://www.virustotal.com/analisis/adf92f1a474c566747823f2b28f5f4cee1cb819e927b1f6e24e5ca50ee527df0-1259245687

PLEASE ensure you are checking your machine for signs of infection, and if you need any help, ASK!

http://www.malwarebytes.org/forums/index.php?showforum=7
http://temerc.com/forums/viewforum.php?f=12&sid=57ac7d193ad4621fc23f78ebed2969eb

/edit

Received another one with 2 new URLs in it.

http://www.facebook.com.de11dke.be/usersdirectory/LoginFacebook.php?ref=877506342249875780348654703370389063&email=web@studiomold.co.uk
http://www.facebook.com.hyffvss.be/usersdirectory/LoginFacebook.php?ref=877506342249875780348654703370389063&email=web@studiomold.co.uk


IPs:

IP: 180.149.222.48 [Failed resolution]
IP: 120.105.18.26 [Failed resolution]
IP: 116.34.65.43 [Failed resolution]
IP: 115.240.49.243 [Failed resolution]
IP: 61.46.204.37 [zaq3d2ecc25.zaq.ne.jp]
IP: 210.112.142.61 [Failed resolution]
IP: 201.160.198.41 [201.160.198.41.cable.dyn.cableonline.com.mx]
IP: 201.68.198.81 [201-68-198-81.dsl.telesp.net.br]
IP: 201.68.34.185 [201-68-34-185.dsl.telesp.net.br]
IP: 190.53.139.62 [Failed resolution]
IP: 190.7.132.216 [static-adsl190-7-132-216.epm.net.co]
IP: 189.195.140.90 [Failed resolution]
IP: 189.105.95.34 [189105095034.user.veloxzone.com.br]
IP: 186.80.123.13 [Dynamic-IP-1868012313.cable.net.co]
IP: 186.0.43.103 [Failed resolution]
IP: 201.37.56.91 [c925385b.virtua.com.br]
IP: 41.140.42.183 [Failed resolution]
IP: 201.43.183.107 [201-43-183-107.dsl.telesp.net.br]


/edit 23:54

We've got some more, folks. Shazza over at Web of Trust's forums asked if I could provide any info on the IRS botnet, and during my initial analysis I discovered (as I suspect many others have before me) that the Facebook botnet is also the IRS botnet:

http://irs.gov.hyffvsr.be/fraud_application/directory/statement.php
http://irs.gov.hyffvsz.be/fraud_application/directory/statement.php
http://irs.gov.hyffvsa.be/fraud_application/directory/statement.php
http://irs.gov.hyffvsf.be/fraud_application/directory/statement.php
http://irs.gov.hyffvsb.be/fraud_application/directory/statement.php
http://irs.gov.ferdasxs.be/fraud_application/directory/statement.php
http://irs.gov.de11dke.be/fraud_application/directory/statement.php
http://irs.gov.hyffvss.be//fraud_application/directory/statement.php
http://irs.gov.kiooojn.be/fraud_application/directory/statement.php
http://irs.gov.kiooojq.be/fraud_application/directory/statement.php
http://irs.gov.kiooojx.be/fraud_application/directory/statement.php
http://irs.gov.kiooojv.be/fraud_application/directory/statement.php
http://irs.gov.kiooojz.be/fraud_application/directory/statement.php
http://irs.gov.hyffvsr.be/fraud_application/directory/tax-statement.exe
http://irs.gov.hyffvsz.be/fraud_application/directory/tax-statement.exe
http://irs.gov.hyffvsa.be/fraud_application/directory/tax-statement.exe
http://irs.gov.hyffvsf.be/fraud_application/directory/tax-statement.exe
http://irs.gov.hyffvsb.be/fraud_application/directory/tax-statement.exe
http://irs.gov.ferdasxs.be/fraud_application/directory/tax-statement.exe
http://irs.gov.de11dke.be/fraud_application/directory/tax-statement.exe
http://irs.gov.hyffvss.be//fraud_application/directory/tax-statement.exe
http://irs.gov.kiooojn.be/fraud_application/directory/tax-statement.exe
http://irs.gov.kiooojq.be/fraud_application/directory/tax-statement.exe
http://irs.gov.kiooojx.be/fraud_application/directory/tax-statement.exe
http://irs.gov.kiooojv.be/fraud_application/directory/tax-statement.exe
http://irs.gov.kiooojz.be/fraud_application/directory/tax-statement.exe
http://www.facebook.com.kiooojn.be/usersdirectory/MyAccount.php
http://www.facebook.com.kiooojq.be/usersdirectory/MyAccount.php
http://www.facebook.com.kiooojx.be/usersdirectory/MyAccount.php
http://www.facebook.com.kiooojv.be/usersdirectory/MyAccount.php
http://www.facebook.com.kiooojz.be/usersdirectory/MyAccount.php


hpObserver results
http://hosts-file.net/misc/hpObserver_Results_-_Facebook_botnet-2.html

References

Are you helping the Facebook botnet?
http://hphosts.blogspot.com/2009/11/are-you-helping-facebook-botnet.html
