[AusNOG] Recent "National Bank" hook trojan run (AUSCERT#20068883a)
matthew at auscert.org.au
Thu Jun 15 10:59:59 EST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings all,
We are seeing a large spam run for a trojan site using the hook of the
National Bank supposedly going bankrupt. Apologies if you have seen this
before, but I thought I'd bring it up as we are interested in details of
other domains being used for this, other than what I've listed below. A
sample of the spam follows:
--BEGIN SAMPLE EMAIL--
From: "xxx" <xxx at xxx.xxx>
To: <xxx at xxx.org.au>
Subject: National Bank goes bankrupt?!
People starting panic withdrawals, some of the accounts were reported
closed due to technical reasons, many ATMs are not operating.
Does it seem that one of the Australia's greatest goes bankrupt?
The full story could be found here: http://www. saltnlight-e. com/news.php
Well, hope that isn't true... Anyway You'd rather check your balance...
--END SAMPLE EMAIL--
So far we have seen the following domains spammed:
AUSCERT#20068883a http://www. suriko. net/news.php
reverse lookup: server2.sidns.com
AUSCERT#200646dd4 http://www. saltnlight-e. com/news.php
reverse lookup: host123.yourconnect.com
The infection process appears to be along the lines of
http://www. saltnlight-e. com/news.php
302 redirect to
http://www. saltnlight-e. com/cgi-bin/ie0606.cgi?homepage
302 redirect to
http://www. saltnlight-e. com/demo.php
which is Haywyre encoded. The main dropper comes down via the WebAttacker
control panel (at ie0606.cgi?MS06-006, for example, among others). This
dropper goes to:
AUSCERT#2006741b1 http://www. powwowtowel. com
reverse lookup: server1.unifiedns.com
for the main executable, which detects as follows (according to VirusTotal):

Engine               Version          Last update  Result
AntiVir              6.35.0.13        06.14.2006   no virus found
Authentium           4.93.8           06.15.2006   no virus found
Avast                4.7.844.0        06.13.2006   no virus found
AVG                  386              06.14.2006   no virus found
BitDefender          7.2              06.15.2006   no virus found
CAT-QuickHeal        8.00             06.14.2006   (Suspicious) - DNAScan
ClamAV               devel-20060426   06.14.2006   no virus found
DrWeb                4.33             06.14.2006   BackDoor.Haxdoor.294
eTrust-InoculateIT   23.72.38         06.15.2006   no virus found
eTrust-Vet           12.6.2256        06.14.2006   Win32/Haxdoor!generic
Ewido                3.5              06.14.2006   no virus found
Fortinet             2.77.0.0         06.15.2006   suspicious
F-Prot               3.16f            06.13.2006   no virus found
Ikarus               0.2.65.0         06.14.2006   no virus found
Kaspersky            4.0.2.24         06.15.2006   no virus found
McAfee               4784             06.14.2006   no virus found
Microsoft            1.1441           06.15.2006   no virus found
NOD32v2              1.1599           06.14.2006   a variant of Win32/Haxdoor
Norman               5.90.21          06.14.2006   no virus found
Panda                9.0.0.4          06.14.2006   Suspicious file
Sophos               4.06.0           06.14.2006   no virus found
Symantec             8.0              06.15.2006   no virus found
TheHacker            5.9.8.159        06.14.2006   no virus found
UNA                  1.83             06.14.2006   no virus found
VBA32                3.11.0           06.14.2006   suspected of Trojan-Downloader.Agent.83
VirusBuster          4.3.7:9          06.14.2006   no virus found
So any other domains used would be of great interest to us.
Thanks for your time,
- -- Matthew McGlashan --
Coordination Centre Team Leader | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct: +61 7 3365 7924
(AusCERT) | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert at auscert.org.au
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRJCxDih9+71yA2DNAQKXFgP/ZfU9rDn7e+tg4MGycZf6v2bunZ+HWD83
fl/AtZGt29NTRyLfeHB3M4RqeSerpbo+4ladJ1iuoacSe/jhqyMfJqGiba2ROjAR
9oWcYT7Xlxw0P3jxxO4WkV3Tg5Ld9L/l/mJysZX0PtneLNiu9c83Mx1lLjx8VcQl
A6dYt7hYucs=
=9Bff
-----END PGP SIGNATURE-----
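The post asks for other domains running the same kit. The three-stage chain it describes (news.php -> 302 -> /cgi-bin/ie0606.cgi?... -> 302 -> demo.php) is distinctive enough to hunt for in outbound proxy logs. The script below is an added example, not AusCERT tooling and not part of the original post: it walks Squid native access-log lines, groups requests by client and host, reports any host serving the kit's ie0606.cgi, and marks whether the full lure -> kit -> payload sequence was seen in order. The log lines are constructed for the example (Squid native format is assumed); saltnlight-e.com and suriko.net come from the post, while the .invalid hosts, client addresses, timestamps and sizes are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native access-log lines (not from the AusCERT post).
# saltnlight-e.com and suriko.net are the domains named in the post; the
# .invalid hosts, clients, timestamps and byte counts are invented.
SAMPLE_LOG = """\
1150334000.001    120 10.0.0.5 TCP_MISS/302 510 GET http://www.saltnlight-e.com/news.php - DIRECT/203.0.113.10 text/html
1150334000.250     98 10.0.0.5 TCP_MISS/302 480 GET http://www.saltnlight-e.com/cgi-bin/ie0606.cgi?homepage - DIRECT/203.0.113.10 text/html
1150334000.900    340 10.0.0.5 TCP_MISS/200 9120 GET http://www.saltnlight-e.com/demo.php - DIRECT/203.0.113.10 text/html
1150334100.000    130 10.0.0.9 TCP_MISS/302 510 GET http://www.example-news-site.invalid/news.php - DIRECT/203.0.113.99 text/html
1150334100.300     97 10.0.0.9 TCP_MISS/302 480 GET http://www.example-news-site.invalid/cgi-bin/ie0606.cgi?MS06-006 - DIRECT/203.0.113.99 text/html
1150334100.700    300 10.0.0.9 TCP_MISS/200 8800 GET http://www.example-news-site.invalid/demo.php - DIRECT/203.0.113.99 text/html
1150334200.000    100 10.0.0.12 TCP_HIT/200 3000 GET http://www.benign-blog.invalid/news.php - NONE/- text/html
1150334300.000    110 10.0.0.20 TCP_MISS/302 480 GET http://www.suriko.net/cgi-bin/ie0606.cgi?MS06-006 - DIRECT/203.0.113.10 text/html
"""

# Stage name, path pattern and the HTTP status the post reports for that hop.
STAGES = (
    ("lure", re.compile(r"^/news\.php$"), "302"),
    ("kit", re.compile(r"^/cgi-bin/ie0606\.cgi$"), "302"),
    ("payload", re.compile(r"^/demo\.php$"), "200"),
)

# Hosts already listed in the post; anything else the hunt finds is new.
KNOWN_HOSTS = {"www.suriko.net", "www.saltnlight-e.com"}


def parse_squid_line(line):
    """Return (timestamp, client, http_status, url) from a Squid native
    log line, or None if the line is too short to be one."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, _elapsed, client, code_status, _size, _method, url = parts[:7]
    status = code_status.rsplit("/", 1)[-1]  # "TCP_MISS/302" -> "302"
    return float(ts), client, status, url


def classify(url, status):
    """Map one request to a stage name from STAGES, or None if it is not
    part of the chain. The query string (?homepage, ?MS06-006) is ignored
    because the kit varies it per exploit."""
    path = urlsplit(url).path
    for name, pattern, want_status in STAGES:
        if pattern.search(path) and status == want_status:
            return name
    return None


def _in_order(seen, want):
    """True if every stage in `want` appears in `seen` in that order
    (other requests may be interleaved)."""
    it = iter(seen)
    return all(any(s == w for s in it) for w in want)


def hunt(log_text):
    """Return {host: {"stages", "clients", "full_chain"}} for every host
    observed serving ie0606.cgi. news.php on its own is never reported:
    that path is far too common to be an indicator by itself."""
    events = defaultdict(list)  # (client, host) -> [(timestamp, stage)]
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        ts, client, status, url = rec
        stage = classify(url, status)
        if stage is None:
            continue
        events[(client, urlsplit(url).hostname)].append((ts, stage))

    want = [name for name, _, _ in STAGES]
    findings = {}
    for (client, host), hits in events.items():
        seen = [stage for _, stage in sorted(hits)]  # chronological
        if "kit" not in seen:
            continue
        f = findings.setdefault(host, {"stages": set(), "clients": set(), "full_chain": False})
        f["stages"].update(seen)
        f["clients"].add(client)
        if _in_order(seen, want):
            f["full_chain"] = True
    return findings


def new_hosts(findings, known=KNOWN_HOSTS):
    """Hosts running the kit that are not already in the known list."""
    return set(findings) - set(known)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for host, f in sorted(results.items()):
        tag = "FULL CHAIN" if f["full_chain"] else "partial"
        print(f"{host:35} {tag:10} stages={sorted(f['stages'])} clients={sorted(f['clients'])}")
    print("not yet reported:", sorted(new_hosts(results)))
```

A host that only ever shows the kit hop (as www.suriko.net does in the constructed data) is still reported, because ie0606.cgi is specific to the kit; the full-chain flag simply tells the analyst whether a client actually reached the encoded demo.php payload page.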