Topic: hxxp://laenas.org/serv/in.php; Zbot infection site (Read 5247 times)


August 06, 2009, 06:19:28 pm

Winston Smith (Jr. Member)
hxxp://laenas.org/serv/in.php and hxxp://laenas.org/serv/pdf.php

Sites are part of an active email phishing attack targeting large banks. Users who enter data are sent to a page to download a new "Security Certificate" named certificate.exe. Even if the user does not download the executable, a hidden iframe on the page attempts to download several pieces of malware, including a rootkit and a backdoor.

http://wepawet.cs.ucsb.edu/view.php?hash=f50b11f68576bad71d547793da52b8b9&t=1249582835&type=js

http://www.virustotal.com/analisis/0636ed2b6e066ed6a92ac2adbec1cbd0a8d33631aa4df07c3645f246c9eaf0aa-1249582124



August 06, 2009, 08:06:55 pm
Reply #1

SysAdMini (Administrator)
Thanks. Can you give us the phishing URL?
Ruining the bad guy's day

August 06, 2009, 08:29:08 pm
Reply #2

MysteryFCM (Administrator)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 06, 2009, 09:13:26 pm
Reply #3

Winston Smith (Jr. Member)
Confidentiality issue there.

The phishers use a variety of sites set up yesterday. The links (at least the ones I deal with) are structured like this:

hxxp://OURSITE.OURCOMPANY.com.heryswi.com/ibs####/cmserver/ccare/default/cform.cfm?id=50957485169957807751718084384151236318517423286436648315422844&email=TARGET'S EMAIL ADDRESS

The site hosting the phish page (heryswi.com here) changes; the sites were registered yesterday and are being used to target at least 3 banks with different phish, based on the code and emails I've seen. This site is among several registered yesterday; the list is at the bottom of this message.

Once they reach the site, they are asked for name, user ID, account number and password.

When they submit, the data above plus their email address is sent somewhere, and the client is directed to the second page, which has the structure:

hxxp://OURSITE.OURCOMPANY.com.heryswi.com/ibs####/cmserver/ccare/default/cform.cfm/account.php

This page has the iframe attempting to download the malware, as well as a link to download the executable "certificate.exe".

All of the malware is being downloaded from laenas.org.

Some of the domains hosting phish:

hxxp://tewasds.com
hxxp://hytrqwe.net
hxxp://www.tewasdi.com
hxxp://www.tewasdi.net
hxxp://www.tewasdl.com
hxxp://www.tewasdo.com
hxxp://www.tewasdv.com
hxxp://www.tewasdy.net
hxxp://heraswy.net
hxxp://hotrkwe.com
hxxp://hytrkwe.com
hxxp://hotrkwe.net
hxxp://hytrkwe.net
hxxp://tewasda.net
hxxp://tewasde.com
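As an added defender-side example, not code from the thread or from any of its posters: a small Python checker that applies the indicators described in this post (a bank's domain embedded as a subdomain of a throwaway registered domain, the `/ibs####/cmserver/ccare/default/cform.cfm` landing path, and the domain list above) to URLs pulled from mail or proxy logs. The sample URLs, the `ourcompany.com` brand placeholder and the reading of `ibs####` as `ibs` followed by digits are assumptions; the two-label registered-domain rule is a simplification that ignores multi-label public suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Domains named in this post as hosting the phish pages, defanged with "hxxp" as posted.
PHISH_HOSTS_DEFANGED = [
    "hxxp://heryswi.com",
    "hxxp://tewasds.com", "hxxp://hytrqwe.net", "hxxp://www.tewasdi.com",
    "hxxp://www.tewasdi.net", "hxxp://www.tewasdl.com", "hxxp://www.tewasdo.com",
    "hxxp://www.tewasdv.com", "hxxp://www.tewasdy.net", "hxxp://heraswy.net",
    "hxxp://hotrkwe.com", "hxxp://hytrkwe.com", "hxxp://hotrkwe.net",
    "hxxp://hytrkwe.net", "hxxp://tewasda.net", "hxxp://tewasde.com",
]

# Landing-page path from the post. Assumption: "ibs####" means "ibs" followed by digits.
PHISH_PATH_RE = re.compile(r"/ibs\d+/cmserver/ccare/default/cform\.cfm", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn the forum's hxxp:// defanging back into http:// so urlparse can read the URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Registrable domain as the last two labels (www.tewasdi.com -> tewasdi.com).
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_blocklist(defanged_urls=PHISH_HOSTS_DEFANGED) -> set:
    """Registered domains from the post's list, so www./non-www. variants both match."""
    return {registered_domain(urlparse(refang(u)).hostname) for u in defanged_urls}


def brand_used_as_subdomain(host: str, brand_domain: str) -> bool:
    """True when brand_domain's labels appear in host but more labels follow them,
    i.e. the real registered domain is something else (OURCOMPANY.com.heryswi.com)."""
    labels = host.lower().split(".")
    brand = brand_domain.lower().split(".")
    n = len(brand)
    for i in range(len(labels) - n + 1):
        if labels[i:i + n] == brand and i + n < len(labels):
            return True
    return False


def classify_url(url: str, brand_domains, blocklist) -> set:
    """Return the set of indicator tags the URL matches; an empty set means none matched."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    tags = set()
    if not host:
        return tags
    if registered_domain(host) in blocklist:
        tags.add("blocklisted-domain")
    if any(brand_used_as_subdomain(host, b) for b in brand_domains):
        tags.add("brand-as-subdomain")
    if PHISH_PATH_RE.search(parsed.path):
        tags.add("known-phish-path")
    return tags


if __name__ == "__main__":
    # Constructed sample URLs; "ourcompany.com" stands in for the targeted bank's domain.
    samples = [
        "hxxp://OURSITE.OURCOMPANY.com.heryswi.com/ibs1234/cmserver/ccare/default/"
        "cform.cfm?id=123&email=victim@example.com",
        "https://oursite.ourcompany.com/login",
        "hxxp://www.tewasdl.com/",
    ]
    blocklist = build_blocklist()
    for sample in samples:
        print(sample, "->", sorted(classify_url(sample, ["ourcompany.com"], blocklist)))
```

The check deliberately keys on the registered domain rather than the full hostname, since the phishers rotate hosts but the subdomain-spoofing structure and the landing path stay constant; the path regex gives a second signal that survives a move to a domain not yet on the list.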

August 06, 2009, 09:28:39 pm
Reply #4

Winston Smith (Jr. Member)
Just checked, looks like our service has already knocked most if not all of the phish sites offline.

August 07, 2009, 03:00:48 am
Reply #5

CkreM (Special Access)
Quote from Winston Smith: "Just checked, looks like our service has already knocked most if not all of the phish sites offline."

Which service?
Mal-Aware

August 07, 2009, 06:19:47 am
Reply #6

SysAdMini (Administrator)
Quote from Winston Smith: "hxxp://laenas.org/serv/in.php and hxxp://laenas.org/serv/pdf.php"

Suspended.
Ruining the bad guy's day