Malware Domain List
Malware Related => Malicious Domains => Topic started by: Winston Smith on August 06, 2009, 06:19:28 pm
-
hxxp://laenas.org/serv/in.php and hxxp://laenas.org/serv/pdf.php
Sites are part of an active email phishing attack targeting large banks. Users who enter data are sent to a page to download a new "Security Certificate" named certificate.exe. Even if the user does not download the executable, a hidden iframe on the page attempts to download several pieces of malware, including a rootkit and a back door.
http://wepawet.cs.ucsb.edu/view.php?hash=f50b11f68576bad71d547793da52b8b9&t=1249582835&type=js
http://www.virustotal.com/analisis/0636ed2b6e066ed6a92ac2adbec1cbd0a8d33631aa4df07c3645f246c9eaf0aa-1249582124
-
Thanks. Can you give us the phishing URL?
-
Sounds like a variation on the Microsoft one currently floating round:
http://hphosts.blogspot.com/2009/08/yab-yet-another-botnet-microsoft.html
-
Confidentiality issue there.
The phishers use a variety of sites set up yesterday. The links (at least the ones I deal with) are structured like this:
hxxp://OURSITE.OURCOMPANY.com.heryswi.com/ibs####/cmserver/ccare/default/cform.cfm?id=50957485169957807751718084384151236318517423286436648315422844&email=TARGET'S EMAIL ADDRESS
The site hosting the phish page (heryswi.com here) changes; the sites were registered yesterday and are being used to target at least 3 banks with different phish, based on the code and emails I've seen. This site is among several registered yesterday; list at bottom of message.
Once they reach the site they are asked for name, user id, acct number and password.
When they submit, the data above plus their email address is sent somewhere, and the client is directed to the second page, which will have the structure:
hxxp://OURSITE.OURCOMPANY.com.heryswi.com/ibs####/cmserver/ccare/default/cform.cfm/account.php
This page has the iframe attempting to download the malware, as well as a link to download the executable "certificate.exe".
All of the malware is being downloaded from laenas.org.
Some of the domains hosting phish:
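Added example, not code from the thread: a small Python checker for the URL pattern described in the post above, i.e. the bank's real host name used as a subdomain prefix of the phisher's newly registered domain, plus the fixed phish-kit path. The protected host name is a constructed stand-in for OURSITE.OURCOMPANY.com; the two-label registrable-domain helper is an assumption that fits the .com/.net domains in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed for this example: the bank's legitimate web host (stands in for
# OURSITE.OURCOMPANY.com in the thread).
PROTECTED_HOSTS = {"oursite.ourcompany.com"}

# Path used by the phish pages in the thread: /ibs####/cmserver/ccare/default/cform.cfm
PHISH_PATH = re.compile(r"/ibs\d{4}/cmserver/ccare/default/cform\.cfm", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a host, e.g. 'heryswi.com'. Assumption: adequate for the
    .com/.net domains in the thread; a real deployment would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return the reasons a URL matches the phish pattern, or [] if it looks clean."""
    # Accept defanged 'hxxp://' URLs as posted on the list.
    parts = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE))
    host = (parts.hostname or "").lower()
    reasons = []
    for protected in PROTECTED_HOSTS:
        # Brand host name appearing as a prefix under someone else's registrable domain.
        if (host != protected and host.startswith(protected + ".")
                and registrable_domain(host) != registrable_domain(protected)):
            reasons.append("brand prefix under foreign domain " + registrable_domain(host))
    if PHISH_PATH.search(parts.path):
        reasons.append("known phish-kit path")
    if re.search(r"(^|&)email=", parts.query, re.IGNORECASE):
        reasons.append("victim email carried in query string")
    return reasons


def scan(urls):
    """Map each URL to its reasons; URLs with no reasons are left out."""
    return {u: r for u in urls for r in [classify_url(u)] if r}
```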
-
Just checked, looks like our service has already knocked most if not all of the phish sites offline.
-
Just checked, looks like our service has already knocked most if not all of the phish sites offline.
Which service?
-
hxxp://laenas.org/serv/in.php and hxxp://laenas.org/serv/pdf.php
Suspended.