Saturday, August 30, 2008

Banking Digital Certificate Malware in Spam

Recently we've been seeing more and more of the Digital Certificate malware. In the past week, we've seen Bank of America, Capital One, Colonial Bank, SunTrust, TD Bank North, and Wachovia all hit with spam campaigns attempting to infect the spam recipients with a keylogger to send their login information to the criminals.

As an example, here is a screenshot of this week's Bank of America digital certificate website.



The malware varies regularly, which makes it quite difficult for the anti-virus companies to keep up. For instance, here is the VirusTotal scan for the Bank of America version of the malware:



Only 8 of 36 anti-virus products are currently detecting this malware.

The patterns of the machine names used by these spam messages look like these:

Three brands used "verify.html" as their path, with very distinctive machine names.

Bank of America:

commercialandbusiness.bankofamerica.usanationwide.memberverify.UpdateSessionYScI4av8Xx6XyZA.selfservice.privatelogin.rashidalocher.com

Sun Trust:

onlinetreasurymanager.suntrust.comibswebsuntrust.siteminderagent.certificateUpdate.memberverify.communitypage.CommunityID779487708.membersLogin.classmm.com

Wachovia:

commercial.wachovia.online.financial.service.communitypage.UpdateSessionnyU4wDDSOMRKI5C.ptcontrol.selfservice.keredi.com

The two other patterns used different paths.

TD BankNorth used the path "/TDBankNorthCertificate.htm" with machine names like:

webexpress.tdbanknorth.ecosystem.productsremote.UpdateSessionhgdWqQlW2v1bJVo.encrypted.comreportid.wilsonioa.com\

and Colonial Bank used /Colonial_Bank.htm with machine names like:

update.colonialbank.webbiz.sitesurvey.encrypted.privatelogin.e4y6.com


Using the UAB Spam Data Mine, we made a query to find how many Digital Certificate spam messages were received containing "*verify.htm*" in the path portion of their URL. We found that we had 4,417 messages,

1,531 Bank of America messages were sent from 688 unique machines
2,535 Sun Trust messages were sent from 1396 unique machines
351 Wachovia messages were sent from 243 unique machines

The Bank of America spam used these domains:


acc1254c.com
acc1254ccs11.com
alyciahasch.com
bellamaster.com
bellamastersr.com
bikoem.com
bkjblgb80.com
bnyril.com
bryondeckelman.com
bryondeckelmang.com
caloshe.com
dnreru.com
eirinf.com
eljaikhalid.com
ewahwrh.com
farahlacaille.com
fgyfyfif.com
fgyfyfiffrg.com
fhrtrfjggj.com
floydhoffer.com
gamanzi.com
gwlevssv.com
hsshroi4w.com
hyevestal.com
imrero.com
jerriin.com
jhf88ujf.com
jiolof.com
keikoaragoni.com
kelrfo.com
kjbh876y.com
kjhgljkhg8y9.com
knezzei.com
ksdeaaz.com
lavvis.com
lkjggoyg.com
lulangenberg.com
megdlabajhy.com
miefjko.com
miogef.com
nainuibnq9.com
narcisawickenh.com
nefgie.com
nutrolo.com
oleviacamp.com
qioche.com
rahimaabdulla.com
rashidalocher.com
rosettalaur.com
sefiddo.com
shavonallton.com
shshwhr.com
shshwhrnoi.com
sonnyferen.com
sonnyferenc.com
tyived.com
vellazanis.com

The Sun Trust domains were:

34iuyrd.com
asopwi.com
bamtyf.com
brijfy.com
bvnvnv.com
classmm.com
cs12xc.com
cvbcv.com
cvbcvr.com
cvht54r.com
cvnbvt.com
dfsasd12ds.com
dgfhjdbg.com
dmnbgdj.com
dsroler.com
ertuyl.com
esdroi.com
ewriaij.com
ewroled.com
gdfed.com
gewrfu.com
gfeeinxo.com
gi6tff.com
hyewd.com
ioesach.com
iyg4d.com
iyggeed.com
jiuhf.com
juyrdeo.com
juytdo.com
jwiejo.com
kiufrq.com
kiuxs.com
koudver.com
liseqo.com
loifde.com
loiuf.com
mnxcbv.com
mreeik.com
msouna.com
muydew.com
nneesa.com
nrfeal.com
nurfef.com
oeirf.com
ogfauun.com
oifgrev.com
oinges.com
oofdees.com
opxex.com
qedsa.com
rekjtyieu.com
rtfghj.com
safbvbv.com
sduoud.com
uiyvcx.com
ureocv.com
vchgd.com
vcvoolow.com
vfhtfdf.com
vntdff.com
vvsamerica.com
wertod.com

And the Wachovia domains were:

dsooler.com
ferunqe.com
feudej.com
fferber.com
geoorlre.com
geyyune.com
keredi.com
kirewu.com
kiured.com
kiweuuyc.com
loremoid.com
moerde.com
nitrrolle.com
nniedew.com
nuteer.com
oeirfeg.com
vretrol.com

UAB Computer Forensics students were able to "unpack" the malware, showing that both the August 29th Bank of America malware and the August 22nd SunTrust malware sent its keylogged data to:

124.217.248.174 - Malaysia, PIRADIUS NET


Both the August 28th Capital One Bank malware and the August 29th Colonial Bank malware was slightly different, although very similar in structure. It made connection instead to a Ukranian IP address:

91.203.92.81 - http://www.spacestormsinc.com/cb_4.exe

The malware analysis shows that we have two separate Command & Control points, but VirusTotal reports that both families of malware are actually the "Papras" virus.


755 copies of Colonial Bank malware spam were received in August from 567 unique sending IP addresses. There were several versions of the malware, which we received on August 1, 7-9, 12-13, 21, 26, and 28th.

These three patterns:
connect.colonialbank.webbiz.securitychallenge.bankonenet.siteminderagent.1R4RV76FGJ52QSItrue.chmtrueph.TWIC5ZVP01AYVE0.webbanking.comreportid219661038.standard.cnvbesa.com
update.colonialbank.webbiz.sitesurvey.securitychallenge.bankonline.nxcvjd.com
Colonialbank.webbiz.wirebiz.globalupdate.memberverify.UpdateSession8xtlTQP0nbvuHV3.privatelogin.communitypage.kifrola.com

included spam for these domains:

cnvbesa.com
dnmsbds.com
pzvsbl.com
vbnvrdx.com
bvnvrx.com
eg3x.com
nxcvjd.com
e4y6.com
kiufce.com
refolfi.com
writreseses.com
kiredew.com
redossa.com
hwwjkrnh6.com
latashabeaber.com
susancasolary.com
carismulders.com
eusebiolemler.com
kifrola.com
senafonua.com
rerefofolo.com
bilerex.com
urterc.com
qakigro.com
jrievrol.com
sgwewr465.com
codefd.com
sgwewr464.com
niytec.com
nbiueh.com

31 of the machines which sent the "verify" version of the malware also sent 48 copies of the Capital One malware. These domains were used for Capital One.

dexoim.com
jimmedy.com
jioece.com
jioeres.com
klainey.com
maginele.com
mkeiop.com
niytec.com
nnerdix.com
poemils.com

No comments:

Post a Comment