[AusNOG] Recent "National Bank" hook trojan run (AUSCERT#20068883a)

matthew at auscert.org.au matthew at auscert.org.au
Thu Jun 15 10:59:59 EST 2006

Hash: SHA1

Greetings all,

We are seeing a large spam run for a trojan site using the hook of the
National Bank supposedly going bankrupt.  Apologies if you have seen this
before but I thought I'd bring it up as we are interested in details of
other domains being used for this other than what I've listed below.  A
sample of the spam follows:

  From: "xxx" <xxx at xxx.xxx>
  To: <xxx at xxx.org.au>
  Subject: National Bank goes bankrupt?!
  People starting panic withdrawals, some of the accounts were reported
  closed due to technical reasons, many ATMs are not operating.
  Does it seem that one of the Australia's greatest goes bankrupt?
  The full story could be found here: http://www. saltnlight-e. com/news.php
  Well, hope that isn't true... Anyway You'd rather check your balance...

So far we have seen domains spammed of:

AUSCERT#20068883a	http://www. suriko. net/news.php
			reverse lookup:	server2.sidns.com

AUSCERT#200646dd4	http://www. saltnlight-e. com/news.php
			reverse lookup: host123.yourconnect.com

The infection process appears to be along the lines of

  http://www. saltnlight-e. com/news.php 

302 redirect to

  http://www. saltnlight-e. com/cgi-bin/ie0606.cgi?homepage 

302 redirect to

  http://www. saltnlight-e. com/demo.php 

Which is Haywyre encoded.  The main dropper comes down via web-attacker
control panel at ie0606.cgi?MS06-006 for example and more.  This dropper
goes to:

AUSCERT#2006741b1	http://www. powwowtowel. com
			reverse lookup: server1.unifiedns.com

For the main executable and this seems to detect as (according to

AntiVir          06.14.2006  no virus found
Authentium          4.93.8          06.15.2006  no virus found
Avast               4.7.844.0       06.13.2006  no virus found
AVG                 386             06.14.2006  no virus found
BitDefender         7.2             06.15.2006  no virus found
CAT-QuickHeal       8.00            06.14.2006  (Suspicious) - DNAScan
ClamAV              devel-20060426  06.14.2006  no virus found
DrWeb                4.33           06.14.2006  BackDoor.Haxdoor.294
eTrust-InoculateIT  23.72.38        06.15.2006  no virus found
eTrust-Vet          12.6.2256       06.14.2006  Win32/Haxdoor!generic
Ewido               3.5             06.14.2006  no virus found
Fortinet          06.15.2006  suspicious
F-Prot              3.16f           06.13.2006  no virus found
Ikarus            06.14.2006  no virus found
Kaspersky         06.15.2006  no virus found
McAfee              4784            06.14.2006  no virus found
Microsoft           1.1441          06.15.2006  no virus found
NOD32v2             1.1599          06.14.2006  a variant of Win32/Haxdoor
Norman              5.90.21         06.14.2006  no virus found
Panda              06.14.2006  Suspicious file
Sophos              4.06.0          06.14.2006  no virus found
Symantec            8.0             06.15.2006  no virus found
TheHacker        06.14.2006  no virus found
UNA                 1.83            06.14.2006  no virus found
VBA32               3.11.0          06.14.2006  suspected of Trojan-Downloader.Agent.83
VirusBuster         4.3.7:9         06.14.2006  no virus found

So any other domains used would be of great interest to us.  

Thanks for your time,

- -- Matthew McGlashan --
Coordination Centre Team Leader             | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct:  +61 7 3365 7924
(AusCERT)                                   | Fax:     +61 7 3365 7031
The University of Queensland                | WWW:     www.auscert.org.au
Qld 4072 Australia                          | Email: auscert at auscert.org.au

Version: GnuPG v1.4.1 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
Comment: http://www.auscert.org.au/render.html?it=1967


More information about the AusNOG mailing list