Comments on: ZeuS Trojan Attack Spoofs IRS, Twitter, Youtube http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/ In-depth security news and investigation Wed, 23 May 2012 21:31:36 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: CS http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/comment-page-1/#comment-7083 CS Thu, 24 Jun 2010 18:47:01 +0000 http://krebsonsecurity.com/?p=3484#comment-7083 Oops, sorry about that; I must've grabbed the wrong link. VT seems to be having some issues recently too. I was stoked when they added the comment and login features, but that seems to have only lasted about a day. Hopefully they will bring it back at some point. Anyway, I put up a fairly detailed post about this topic here: http://www.redcondor.com/blog/?p=246 That has the correct VT links... ;) Oops, sorry about that; I must’ve grabbed the wrong link. VT seems to be having some issues recently too. I was stoked when they added the comment and login features, but that seems to have only lasted about a day. Hopefully they will bring it back at some point.

Anyway, I put up a fairly detailed post about this topic here: http://www.redcondor.com/blog/?p=246

That has the correct VT links… ;)

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: TheGeezer http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/comment-page-1/#comment-7042 TheGeezer Wed, 23 Jun 2010 14:16:50 +0000 http://krebsonsecurity.com/?p=3484#comment-7042 Domain "srvdll" was up and down all morning today. It appears to have finally gone offline at about 10:00 (UTC -400). I know of no other active NauNet domains referencing the botnet hosting the Zeus trojan. Domain “srvdll” was up and down all morning today. It appears to have finally gone offline at about 10:00 (UTC -400). I know of no other active NauNet domains referencing the botnet hosting the Zeus trojan.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: TheGeezer http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/comment-page-1/#comment-7036 TheGeezer Wed, 23 Jun 2010 11:28:13 +0000 http://krebsonsecurity.com/?p=3484#comment-7036 Early this morning, domains "msdll", "pdll" and "filedrv" became inactive, leaving "srvdll" as the only NauNet active domain. Early this morning, domains “msdll”, “pdll” and “filedrv” became inactive, leaving “srvdll” as the only NauNet active domain.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: TheGeezer http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/comment-page-1/#comment-7020 TheGeezer Tue, 22 Jun 2010 19:34:46 +0000 http://krebsonsecurity.com/?p=3484#comment-7020 The domain “srvdll” has been re-activated this afternoon. That makes at least 4 active domains referencing the fast-flux server on this botnet. So the zeus trojan is still being delivered using the IRS ‘fraud statement’ exploit and several banks are being faked. The same ccTLD of “ru” is being used. This is still compliments of registrar “NAUNET-REG-RIPN (NauNet SP)”. Registrar URL: http://www.naunet.ru. Registrar Email: domreg@naunet.ru This makes the fifth straight day that this registrar has had active domains to deliver the zeus trojan. The domain “srvdll” has been re-activated this afternoon. That makes at least 4 active domains referencing the fast-flux server on this botnet. So the zeus trojan is still being delivered using the IRS ‘fraud statement’ exploit and several banks are being faked.

The same ccTLD of “ru” is being used. This is still compliments of registrar “NAUNET-REG-RIPN (NauNet SP)”.

Registrar URL: http://www.naunet.ru.
Registrar Email: domreg@naunet.ru

This makes the fifth straight day that this registrar has had active domains to deliver the zeus trojan.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: TheGeezer http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/comment-page-1/#comment-6960 TheGeezer Sun, 20 Jun 2010 12:36:32 +0000 http://krebsonsecurity.com/?p=3484#comment-6960 The domain names "pdll" and "msdll" have been re-registered this morning. So the zeus trojan is still being delivered using the IRS 'fraud statement' exploit and banks are being faked. The same ccTLD of "ru" and same registrar are being used. Registrar URL: http://www.naunet.ru. Registrar Email: domreg@naunet.ru It appears as long as a registrar pays their dues they are allowed to participate in internet criminal activity with no interference by any governing body. The domain names “pdll” and “msdll” have been re-registered this morning. So the zeus trojan is still being delivered using the IRS ‘fraud statement’ exploit and banks are being faked.

The same ccTLD of “ru” and same registrar are being used.

Registrar URL: http://www.naunet.ru.
Registrar Email: domreg@naunet.ru

It appears as long as a registrar pays their dues they are allowed to participate in internet criminal activity with no interference by any governing body.

Like or Dislike: Thumb up 2 Thumb down 0
]]> By: TheGeezer http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/comment-page-1/#comment-6939 TheGeezer Fri, 18 Jun 2010 21:16:23 +0000 http://krebsonsecurity.com/?p=3484#comment-6939 They came back again this afternoon. This time the domain "filedrv", same ccTLD of "ru", same registrar "NAUNET-REG-RIPN (NauNet SP)". They are using a fast-flux server with 8 sites per domain. They have added BBVA bank to their American Express, Banco de Espana and IRS exploits on these sites. Registrar URL: http://www.naunet.ru. Registrar Email: domreg@naunet.ru They came back again this afternoon. This time the domain “filedrv”, same ccTLD of “ru”, same registrar “NAUNET-REG-RIPN (NauNet SP)”.

They are using a fast-flux server with 8 sites per domain. They have added BBVA bank to their American Express, Banco de Espana and IRS exploits on these sites.

Registrar URL: http://www.naunet.ru.
Registrar Email: domreg@naunet.ru

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: TheGeezer http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/comment-page-1/#comment-6931 TheGeezer Fri, 18 Jun 2010 19:15:49 +0000 http://krebsonsecurity.com/?p=3484#comment-6931 Thanks for the info. I got an 'object not found' on your link, however. I am going to have to start digging into the javascript myself. Zeus seems to be giving up on the ff botnets. Maybe just doesn't provide the level of protection they once enjoyed. They sure stopped using the 15 site ff servers referred to as 'avalanche'. Last time I saw them use that was late february of this year. But they are still trying ff servers with 8 sites like this last exploit. Thanks for the info. I got an ‘object not found’ on your link, however.

I am going to have to start digging into the javascript myself. Zeus seems to be giving up on the ff botnets. Maybe just doesn’t provide the level of protection they once enjoyed. They sure stopped using the 15 site ff servers referred to as ‘avalanche’. Last time I saw them use that was late february of this year. But they are still trying ff servers with 8 sites like this last exploit.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: CS http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/comment-page-1/#comment-6913 CS Fri, 18 Jun 2010 00:49:42 +0000 http://krebsonsecurity.com/?p=3484#comment-6913 I am not seeing the ff hosts being used to distribute the malware anymore either. They appear to have switched to using compromised hosts. These campaigns using the malicious iframe have largely switched to attaching the javascript downloader directly to the spam in various forms (.html, or zipped .html) instead of having the browser fetch the downloader via an iframe in the page linked by the call-to-action url. Also the drop site has changed from the Canadian Pharmacy to a fake Rolex site. Or at least this was the case as of Tuesday night; I've been on vacation :) One item of note that I discovered the other night was that if you deobfuscate the javascript downloader through the first level of obfuscation, VT goes from 0 detections to 3. After reversing the second layer of obfuscation to obtain the raw js, detection goes up to 13 vendors on VT. Interesting that so few AV companies can detect the fairly obvious signatures inherent in obfuscated code. Here's my scan of the raw js: http://www.virustotal.com/file-scan/report.html?id=667eb8fb323b390165539fd577d462576e8059272f0d7c282a87e7fe4457faa0-1276690545 I am not seeing the ff hosts being used to distribute the malware anymore either. They appear to have switched to using compromised hosts.

These campaigns using the malicious iframe have largely switched to attaching the javascript downloader directly to the spam in various forms (.html, or zipped .html) instead of having the browser fetch the downloader via an iframe in the page linked by the call-to-action url.

Also the drop site has changed from the Canadian Pharmacy to a fake Rolex site.

Or at least this was the case as of Tuesday night; I’ve been on vacation :)

One item of note that I discovered the other night was that if you deobfuscate the javascript downloader through the first level of obfuscation, VT goes from 0 detections to 3. After reversing the second layer of obfuscation to obtain the raw js, detection goes up to 13 vendors on VT. Interesting that so few AV companies can detect the fairly obvious signatures inherent in obfuscated code.

Here’s my scan of the raw js:

http://www.virustotal.com/file-scan/report.html?id=667eb8fb323b390165539fd577d462576e8059272f0d7c282a87e7fe4457faa0-1276690545

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: TheGeezer http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/comment-page-1/#comment-6889 TheGeezer Thu, 17 Jun 2010 06:05:38 +0000 http://krebsonsecurity.com/?p=3484#comment-6889 All domains referencing the fast-flux server used by the botnet to deliver the zeus trojan via the IRS scam appear to have been unregistered late last night. All domains referencing the fast-flux server used by the botnet to deliver the zeus trojan via the IRS scam appear to have been unregistered late last night.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: JCitizen http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/comment-page-1/#comment-6887 JCitizen Thu, 17 Jun 2010 03:12:59 +0000 http://krebsonsecurity.com/?p=3484#comment-6887 I use this site with AdBlock Plus disabled. I want to help Brian's site anyway I can, although I wouldn't know if they really look at this. I doubt very seriously any crackers would be attacking this page; but I got to admit, it is probably a prime target for those that don't like educated information about web criminals getting out on the internet. I trust Brian completely. I use this site with AdBlock Plus disabled. I want to help Brian’s site anyway I can, although I wouldn’t know if they really look at this.

I doubt very seriously any crackers would be attacking this page; but I got to admit, it is probably a prime target for those that don’t like educated information about web criminals getting out on the internet.

I trust Brian completely.

Like or Dislike: Thumb up 0 Thumb down 0
]]>