Sadly, Outlook 2007 isn't letting my Outlook Export application work properly, so I've had to grab the IPs and such manually (well, via hpObserver ;)).
hpObserver Results
http://hosts-file.net/misc/hpObserver_Results_-_Facebook_botnet.html
The URLs
The URL in the e-mail points to the following:
http://www.facebook.com.hyffvsr.be/usersdirectory/LoginFacebook.php?ref=4926033691635326753606845546830365677951122&email=jane@it-mate.co.uk
http://www.facebook.com.hyffvsz.be/usersdirectory/LoginFacebook.php?ref=4926033691635326753606845546830365677951122&email=jane@it-mate.co.uk
http://www.facebook.com.hyffvsa.be/usersdirectory/LoginFacebook.php?ref=2351587239519038887182277672158321779383780&email=allen@osq.co.uk
http://www.facebook.com.hyffvsf.be/usersdirectory/LoginFacebook.php?ref=2351587239519038887182277672158321779383780&email=allen@osq.co.uk
http://www.facebook.com.hyffvsb.be/usersdirectory/LoginFacebook.php?ref=57467464426814918763552441458339127080764214890&email=baldybrothersfannn@it-mate.co.uk
http://www.facebook.com.ferdasxs.be/usersdirectory/LoginFacebook.php?ref=57467464426814918763552441458339127080764214890&email=baldybrothersfannn@it-mate.co.uk
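As an added example (not code from the post or from hpHosts), a small Python triage helper for mail-filter or proxy logs that captures the trick these URLs rely on: the trusted brand (facebook.com, irs.gov) sits in the subdomain while the registrable domain is an unrelated .be name. It also pulls the targeted address out of the ?email= parameter and reduces the flagged URLs to the registrable domains a hosts-file blocklist should key on; the sample URLs are constructed from the hostnames quoted above, and the eTLD+1 logic is a naive last-two-labels assumption rather than a Public Suffix List lookup.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Brands impersonated by this campaign, taken from the observed hostnames
# (www.facebook.com.<random>.be and irs.gov.<random>.be).
BRANDS = ("facebook.com", "irs.gov")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Adequate for the .be hosts seen here;
    a production filter should use the Public Suffix List instead (assumption)."""
    if IPV4.fullmatch(host):
        return host
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyse(url: str) -> dict:
    """Flag a URL whose hostname embeds a trusted brand as a *subdomain*
    of some unrelated registrable domain, and pull out the targeted
    address from the ?email= parameter so the recipient can be warned."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    reg = registrable_domain(host)
    spoofed = None
    for brand in BRANDS:
        blabels = brand.split(".")
        for i in range(len(labels) - len(blabels) + 1):
            # brand labels appear contiguously, yet the real domain is something else
            if labels[i:i + len(blabels)] == blabels and reg != brand:
                spoofed = brand
    email = parse_qs(parts.query).get("email", [None])[0]
    return {"host": host, "registrable": reg, "spoofed_brand": spoofed,
            "target_email": email, "suspicious": spoofed is not None}

def blocklist_domains(urls) -> list:
    """Registrable domains behind the spoofed URLs: the unit a hosts-file
    or DNS blocklist (hpHosts-style) should key on, not individual hosts."""
    return sorted({r["registrable"] for r in map(analyse, urls) if r["suspicious"]})

# Constructed sample: hostnames quoted in the post plus one legitimate control.
SAMPLE = [
    "http://www.facebook.com.hyffvsr.be/usersdirectory/LoginFacebook.php?ref=1&email=jane@it-mate.co.uk",
    "http://irs.gov.hyffvss.be//fraud_application/directory/statement.php",
    "http://193.104.27.234/sv/in.php",
    "https://www.facebook.com/login.php",
]

if __name__ == "__main__":
    print(blocklist_domains(SAMPLE))
```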
LoginFacebook.php, besides stealing your information, loads an exploit via a hidden iframe from:
http://193.104.27.234/sv/in.php
Wepawet results
http://wepawet.cs.ucsb.edu/view.php?hash=72212c145e1fb054a556719a8c2ab499&type=js
Once you've been exploited and have handed over your information, you're taken to:
http://www.facebook.com.hyffvsr.be/usersdirectory/MyAccount.php
http://www.facebook.com.hyffvsz.be/usersdirectory/MyAccount.php
http://www.facebook.com.hyffvsa.be/usersdirectory/MyAccount.php
http://www.facebook.com.hyffvsf.be/usersdirectory/MyAccount.php
http://www.facebook.com.hyffvsb.be/usersdirectory/MyAccount.php
http://www.facebook.com.ferdasxs.be/usersdirectory/MyAccount.php
Which claims:
In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:
Which leads to the Zbot infection at:
http://www.facebook.com.hyffvsr.be/usersdirectory/updatetool.exe
http://www.facebook.com.hyffvsz.be/usersdirectory/updatetool.exe
http://www.facebook.com.hyffvsa.be/usersdirectory/updatetool.exe
http://www.facebook.com.hyffvsf.be/usersdirectory/updatetool.exe
http://www.facebook.com.hyffvsb.be/usersdirectory/updatetool.exe
http://www.facebook.com.ferdasxs.be/usersdirectory/updatetool.exe
The e-mail
The e-mail is, of course, in HTML format originally, but the plain text (you do use plain text e-mail, right?) contains:
facebook
Dear Facebook user,
In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.
Click here <http://www.facebook.com.hyffvsr.be/usersdirectory/LoginFacebook.php?ref=4926033691635326753606845546830365677951122&email=jane@it-mate.co.uk> to update your account online now.
If you have any questions, reference our New User Guide.
Thanks,
The Facebook Team
Update your Facebook account
Update <http://www.facebook.com.hyffvsz.be/usersdirectory/LoginFacebook.php?ref=4926033691635326753606845546830365677951122&email=jane@it-mate.co.uk>
This message was intended for jane@it-mate.co.uk.
Facebook's offices are located at 1601 S. California Ave., Palo Alto, CA 94304.
VirusTotal results
http://www.virustotal.com/analisis/adf92f1a474c566747823f2b28f5f4cee1cb819e927b1f6e24e5ca50ee527df0-1259245687
PLEASE ensure you are checking your machine for signs of infection, and if you need any help, ASK!
http://www.malwarebytes.org/forums/index.php?showforum=7
http://temerc.com/forums/viewforum.php?f=12&sid=57ac7d193ad4621fc23f78ebed2969eb
/edit
Received another one with 2 new URLs in it:
http://www.facebook.com.de11dke.be/usersdirectory/LoginFacebook.php?ref=877506342249875780348654703370389063&email=web@studiomold.co.uk
http://www.facebook.com.hyffvss.be/usersdirectory/LoginFacebook.php?ref=877506342249875780348654703370389063&email=web@studiomold.co.uk
IPs:
/edit 23:54
We've got some more folks. Shazza over at Web of Trust's forums asked if I could provide any info on the IRS botnet, and during my initial analysis I discovered (and I suspect many others have discovered before me) that the Facebook botnet is also the IRS botnet.
hpObserver results
http://hosts-file.net/misc/hpObserver_Results_-_Facebook_botnet-2.html
References
Are you helping the Facebook botnet?
http://hphosts.blogspot.com/2009/11/are-you-helping-facebook-botnet.html