Friday, November 21, 2008

AsProx: The Phisher King?

The most spammed phish on the planet took a brief respite after the McColo network was shut down, but the Phisher King is back again.

We see ten thousand or more reports per day of the Asprox spammed phish, and sadly this has been going on non-stop for as long as we can remember, with the brief exception of last week.

The typical scenario is that ten domain names are chosen and used to spam URLs with a high degree of randomization. Abbey Bank has been their favorite target for nearly all of 2008. The hostname begins with a first "word" followed by a number, then the brand's own hostname, then a random string, and finally the domain name the criminal actually registered. The path portion of the URL is consistent for each brand currently spammed. After the path comes a question mark and then what looks like random characters, which can actually be decoded into the email address of the person who received the spam. (We leave the encoded email address portion off in our examples.)

The "Abbey" path for some time has been "/CentralLogonWeb/Confirm?"

The current "Associated Bank" path is "/web_bank/confirm.asp?"

http://myonlineaccounts0.abbey.co.uk.html650963.input2.cc/CentralLogonWeb/Confirm?srvid=
http://myonlineaccounts0.abbey.co.uk.http60319982.code11.ca/CentralLogonWeb/Confirm?update=
http://myonlineaccounts1.abbey.co.uk.doc618591.root71.ws/CentralLogonWeb/Confirm?confirm=
http://myonlineaccounts1.abbey.co.uk.fast35837924.3update.eu/CentralLogonWeb/Confirm?file=
http://myonlineaccounts2.abbeynational.co.uk.browse9701521.sslweb5.bz/CentralLogonWeb/Confirm?version=
http://myonlineaccounts2.abbey-national.co.uk.comm2053275.code11.ca/CentralLogonWeb/Confirm?service=
http://myonlineaccounts2.abbey-national.co.uk.control790833.3update.eu/CentralLogonWeb/Confirm?cipher=
http://myonlineaccounts2.abbeynational.co.uk.err9962057184.5version.mobi/CentralLogonWeb/Confirm?debug=
http://ww2.abbeynational.com.server3610179.input2.cc/CentralLogonWeb/Confirm?bin=
http://ww2.abbeynational.com.sslcom670006.8locate.tk/CentralLogonWeb/Confirm?lang=
http://ww2.abbeynational.com.sys2481.offset9.name/CentralLogonWeb/Confirm?check=

http://bolb1.associatedbank.com.pif02.jp/web_bank/confirm.asp?log-in=
http://bolb1.associatedbank.com.root71.ws/web_bank/confirm.asp?version=
http://bolb1.associatedbank.com.sslweb5.bz/web_bank/confirm.asp?spool=
http://bolb1.associatedbank.com.sys17.name/web_bank/confirm.asp?set=

http://www8.associatedbank.com.sslcom5.cc/web_bank/confirm.asp?tag=
http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?locate=
http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?offset=
http://www8.associatedbank.com.sys17.name/web_bank/confirm.asp?script=

Just in the last twenty-four hours, we saw more than 25,000 variations of these URL patterns.
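As an added example (not code from the original post), here is a small Python classifier that applies the hostname, path and query structure described above to sample URLs. The brand hostnames and per-brand paths are the ones quoted in this post, the sample URLs are constructed, and the two-label split of the criminal's registered domain is a simplifying assumption.

```python
import re
from urllib.parse import urlsplit

# Brand hostnames the spam impersonates and the per-brand path that stays
# constant while the rest of the hostname is randomized (both from the post).
BRAND_HOSTS = ("abbey.co.uk", "abbeynational.co.uk", "abbey-national.co.uk",
               "abbeynational.com", "associatedbank.com")
BRAND_PATHS = {"abbey": "/centrallogonweb/confirm",
               "associated": "/web_bank/confirm.asp"}
RANDOM_LABEL = re.compile(r"^[a-z]+\d+$")   # e.g. control790833, sys2481

def classify(url):
    """Describe an Asprox-style URL, or return None when the hostname does not
    embed a brand hostname inside some other registered domain."""
    parts = urlsplit(url.lower())
    padded = "." + (parts.hostname or "")
    for brand in BRAND_HOSTS:
        idx = padded.find("." + brand + ".")
        if idx < 0:
            continue                      # brand absent, or host really ends in it
        prefix = padded[1:idx]            # myonlineaccounts2, ww2, bolb1 ...
        tail = padded[idx + len(brand) + 2:].split(".")
        if len(tail) < 2:
            continue
        # Assumption: the attacker's registrable domain is the last two labels;
        # a production check would consult the Public Suffix List instead.
        registered, randoms = ".".join(tail[-2:]), tail[:-2]
        family = "abbey" if brand.startswith("abbey") else "associated"
        return {
            "brand": brand,
            "spoofed_prefix": prefix,
            "random_labels": randoms,
            "random_labels_fit": all(RANDOM_LABEL.match(r) for r in randoms),
            "registered_domain": registered,
            "path_matches_brand": parts.path.startswith(BRAND_PATHS[family]),
            "query_key": parts.query.split("=", 1)[0],  # the encoded-email slot
        }
    return None

if __name__ == "__main__":
    # Constructed samples shaped like the URLs quoted above (not live indicators).
    for url in (
        "http://myonlineaccounts2.abbey.co.uk.control790833.3update.eu/CentralLogonWeb/Confirm?cipher=",
        "http://bolb1.associatedbank.com.sslweb5.bz/web_bank/confirm.asp?spool=",
        "https://myonlineaccounts.abbey.co.uk/CentralLogonWeb/Confirm?srvid=1",
    ):
        print(url, "->", classify(url))
```

A genuine brand URL, where the brand hostname is the end of the host rather than buried inside someone else's domain, comes back as None.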

How does the Phisher King keep his domains alive? Part of it is his use of a wide and ever-shifting set of registrars. For example, consider today's domains:

Abbey Domains:

sslweb5.bz
code11.ca (registered 29OCT08 with Internic.ca)
input2.cc (registered 06NOV08 with Moniker)
2r2cw3a8u.com (registered 12NOV08 with XIN NET Technology)
3jk2p84x1.com (registered 12NOV08 with XIN NET Technology)
topmango.com (registered in 2001 with TuCows)
3update.eu (registered 06NOV08 with PublicDomainRegistry.com)
ide08.gs (registered 12NOV08 with Key-Systems)
48filt.jp (funky .jp whois gives no useful data)
4logon.jp (funky .jp whois gives no useful data)
pif02.jp (funky .jp whois gives no useful data)
5version.mobi (registered 06NOV08 with Directi Internet Solutions)
25uid.name (registered 06NOV08 with Directi Internet Solutions)
sys17.name (registered 05NOV08 with UK2 Group)
8locate.tk ("locked" by the clueless idiots at "Dot TK" with the phish live)
15load.tv (registered 04NOV08 with UK2 Group)
17gdi.tv (registered 11NOV08 with UK2 Group)
manage5.tv (registered 29OCT08 with UK2 Group)
root71.ws (registered 06NOV08 with Directi Internet Solutions)
udp96.ws (registered 04NOV08 with Directi Internet Solutions)

Associated Domains:

sslweb5.bz (error)
code11.ca (registered 29OCT08 with Internic.ca Corp)
input2.cc (registered 06NOV08 with Moniker Online Services)
6tagid.com (registered 05NOV08 with Moniker Online Services)
3update.eu (registered 06NOV08 with PublicDomainRegistry.com)
ide08.gs (registered 12NOV08 with Key-Systems)
login5.gs (registered 30OCT08 with Key-Systems)
1server.jp (registered 04NOV08 - whois.jprs.jp)
48filt.jp (registered 30OCT08 - whois.jprs.jp)
4logon.jp (registered 31OCT08 - whois.jprs.jp)
asp29.jp (registered 12NOV08 - whois.jprs.jp)
log-in1.jp (registered 27OCT08 - whois.jprs.jp)
pif02.jp (registered 06NOV08 - whois.jprs.jp)
5version.mobi (registered 06NOV08 with Directi Internet Solutions)
25uid.name (registered 06NOV08 with Directi Internet Solutions)
sys17.name (registered 05NOV08 with UK2 Group Ltd)
8default.net (registered 05NOV08 with Moniker Online Services)
8locate.tk (dot.tk does odd things with domains)
15load.tv (registered 04NOV08 with UK2 Group)
17gdi.tv (registered 11NOV08 with UK2 Group)
manage5.tv (registered 29OCT08 with UK2 Group)
root71.ws (registered 06NOV08 with Directi Internet Solutions)
udp96.ws (registered 04NOV08 with Directi Internet Solutions)

That's just the beginning, though. Then we have the problem of the nameservers and fast-flux hosting. While most domains have two or three nameservers, these domains have as many as 19: ns1.sslweb5.bz, ns2.sslweb5.bz, ns3.sslweb5.bz . . . all the way up to ns19.sslweb5.bz.

The IP addresses used for the nameservers are compromised home computers running the Asprox malware. Without the knowledge of those computers' owners, they provide name resolution for the phishing domains. Just as an example, twenty such IP addresses were acting as nameservers for the Asprox phishing sites at the time of writing.


Each one of these IPs currently provides name service for dozens of domains used by this criminal, the Abbey and Associated domains listed above among them.

The nameservers are used to direct email recipients to other infected computers, where they are shown the fake bank pages. (Those computers are actually acting as a "proxy" to load the real phishing data from yet another location.)
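As an added example, not code from the original post, the following Python heuristic scores a domain's NS set for the fast-flux traits just described: an ns1..nsN list far longer than the usual two or three, every server inside the domain's own bailiwick, and addresses scattered across many unrelated networks. The domain names and IP addresses in it are constructed, the /16 grouping is a stand-in for a real ASN lookup, and the thresholds are assumptions.

```python
import ipaddress

# Constructed records modelled on the pattern above (ns1..ns19 under the
# phishing domain, each answering from a different residential-looking
# network); the names and IPs are made up, not the ones observed in the post.
FLUX_DOMAIN = "sslweb5.example"
FLUX_NS = {f"ns{i}.{FLUX_DOMAIN}": f"{60 + i}.{7 * i}.{i}.{100 + i}"
           for i in range(1, 20)}
NORMAL_DOMAIN = "bank.example"
NORMAL_NS = {"ns1.bank.example": "192.0.2.10", "ns2.bank.example": "192.0.2.11"}

def nameserver_signals(domain, ns_records, ns_limit=4):
    """Return the individual fast-flux signals for a domain's NS records
    (hostname -> IP) plus a combined verdict. ns_limit and the /16 grouping
    are assumptions; a real check would use ASN data and local baselines."""
    ips = [ipaddress.ip_address(ip) for ip in ns_records.values()]
    slash16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    in_bailiwick = sum(h.endswith("." + domain) for h in ns_records)
    signals = {
        "ns_count": len(ns_records),
        "too_many_ns": len(ns_records) > ns_limit,
        "all_in_bailiwick": in_bailiwick == len(ns_records),
        "distinct_slash16": len(slash16),
        # Scattered: at least half the servers sit in different /16 blocks.
        "scattered": len(slash16) >= max(3, len(ns_records) // 2),
    }
    signals["likely_flux"] = (signals["too_many_ns"]
                              and signals["all_in_bailiwick"]
                              and signals["scattered"])
    return signals

if __name__ == "__main__":
    for name, records in ((FLUX_DOMAIN, FLUX_NS), (NORMAL_DOMAIN, NORMAL_NS)):
        print(name, nameserver_signals(name, records))
```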

In addition to the phishing pages, the other machines in the botnet also provide infection services.

The current domains being used for infection are:

www.berjke.ru
and
www.81dns.ru

Google Safe Browsing won't let you visit either of those sites, because they have been "an intermediary for the infection of 770 sites including ssaga-g.com, csmfilter.co.kr, parenthesis-mykonos.com". Google Safe Browsing goes on to answer the question "Has this site hosted malware?" by saying "Yes, this site has hosted malicious software over the past 90 days. It infected 3324 domains including csmfilter.co.kr, sarangsae.com, istanbulihl1991.com."

Checking Google Safe Browsing for one of those sites shows things like:

"Of the 423 pages we tested on this site over the past 90 days, 130 pages resulted in malicious software being downloaded and installed without user consent. The last time Google visited the site was 2008-11-21, and the last time suspicious content was found on the site was on 2008-11-21.

Malicious software includes 168 scripting exploits, 28 exploits, 4 trojans. Successful infection resulted in an average of 2 new processes on the target machine.

8 domains appear to be functioning as intermediaries for distributing malware to visitors of this site, including egyptgood.cn, 81dns.ru, berjke.ru"

At the moment, Google shows 18,400 "drive-by" infection sites that load just that one script site. Some of the infected sites are hotels, ski resorts, chemical companies, motorcycle sites, real estate sites, nail salons, churches, and the government of Ohio (survey.workforce411.ohio.gov has many infected pages).

There have been MILLIONS of these pages . . . I'll have more details soon....
