From Canadian Pharmacy to scareware to RBN?
February 14, 2009 - 22:00 — Rune
To start in the middle:
New version of a known malware (or scareware, rogue security software or whatever you prefer to call it) called MalwareDoc, hosted at malware-doc. com.
The file downloaded is called MDSetup.exe, VirusTotal score is 0/39.
A present from the same gang using the name "AntispyKnight".
This is going to be a bit messy.
The starting point
It all started with a spam:
"How many girls you will be able to do happy eating one only pill!"
Sent via 91.121.94.95 which is ovh.net in France. Too much nastyness coming from that place lately. Not to mention that they are also hosting their share of nasty stuff.
The spam contained a link to a page at denon6.t35. com (a free host).
Which again redirected to a "Canadian" Pharmacy site automatically:
Location: h||p://sheaglow. com
I leave "Canadian" Pharmacy and Glavmed here, just notes that this was a spam intended to lead me to their site.
From Canadian Pharmacy to malware
If you already had a look at denon6.t35. com, you have probably found the same files as I did. A folder listing:
denon6.t35. com: 1: index.html atop.html images: bar.jpg button.jpg danya.html dochelp1.html ideskintro.html index.html ipodsuxx.html iu2.html logo.jpg MsHelpDict.html Thumbs.db index.html p: images: bar.jpg button.jpg index.html logo.jpg index.html proxy: images: bar.jpg button.jpg ideskintro.html index.html ipodsuxx.html iu2.html logo.jpg Thumbs.db index.html
The file atop.html is only redirecting to another Canadian Pharmacy site, peacefulhard.com.
There are some links common in some of the files that I ignore (at this point).
Possible smokescreens, but you never know.
Some of the code found in several of the files were a bit more interesting, like this one:
h||p://91.203.93. 49/cgi-bin/index.cgi?user3
That is UATELECOM/ZHITOMIR-NET and it timed out for me.
But searching for that IP showed some hits, like this one from malwaredomainlist.com, from October 2008:
malwarefront. info/cgi-bin/index.cgi?user1 91.203.93.49 - Exploits malwarefront@hotmail.com
Which means that last October a domain called malwarefront.info was living at that IP.
So I had a walk over there, now malwarefront. info lives at 91.211.64.180, Ural-NET/Ural Industrial Limited Company.
It claimed I was infected:
"Warning: Your computer is infected with spyware!"
And gave a link further to h||p://malware-doc. com/
Not the same elegant use of javascript this time (I think, but be careful anyway).
Screenshot from malware-doc. com (click on the image for a bigger one):
Most of the links on malware-doc lead to an automatic download of the malware.
In addition there is a payment link called "buy.html" which lead to
secure.best-internet-payments. com (209.8.45.148 - see below):
A couple of notes here:
The "product" is called "AntiSpyKnight" and "Your statement will be under the name of PNRA".
malware-doc .com lives at 193.138.172.5 (BALTCONN-NET1/Baltconn SIA).
At the same IP there is/was a domain called antispyknight.biz in January 2009.
With mainly the same whois info as malware-doc.
Their malware has changed since that time, at least threatexpert found it a bit harmful back then.
malware-doc's IP - 193.138.172.5
A list of domains from bfk.de talks for itself.
At least one of those, iframestats.org is believed to be connected to Russian Business Network. I have not taken the time to wade through the list.
| 416085305.yandex2.cn | A | 193.138.172.5 |
| pop.yandex2.cn | A | 193.138.172.5 |
| www.tube2009.cn | A | 193.138.172.5 |
| mirital.cn | A | 193.138.172.5 |
| microsoftprogram.cn | A | 193.138.172.5 |
| unkn0wn.cn | A | 193.138.172.5 |
| 392.metago.cn | A | 193.138.172.5 |
| 293029553.metago.cn | A | 193.138.172.5 |
| 377258584.metago.cn | A | 193.138.172.5 |
| 559565.metago.cn | A | 193.138.172.5 |
| 4816816.metago.cn | A | 193.138.172.5 |
| 541986.metago.cn | A | 193.138.172.5 |
| gt.metago.cn | A | 193.138.172.5 |
| test.metago.cn | A | 193.138.172.5 |
| glebgogo.cn | A | 193.138.172.5 |
| traffuniq.cn | A | 193.138.172.5 |
| kriziss.cn | A | 193.138.172.5 |
| upd-windows-microsoft.cn | A | 193.138.172.5 |
| www.upd-windows-microsoft.cn | A | 193.138.172.5 |
| css-csript.cn | A | 193.138.172.5 |
| workeveryday24.info | A | 193.138.172.5 |
| ahack.info | A | 193.138.172.5 |
| www.ahack.info | CNAME | ahack.info |
| bobthejoker.info | A | 193.138.172.5 |
| www.00usa.net | A | 193.138.172.5 |
| kva-kva.net | A | 193.138.172.5 |
| photosfriend.net | A | 193.138.172.5 |
| femoffice.net | A | 193.138.172.5 |
| globaltotalpage.net | A | 193.138.172.5 |
| www.cheapbestoemonline.net | A | 193.138.172.5 |
| datingmore.net | A | 193.138.172.5 |
| 1bestoemsite.net | A | 193.138.172.5 |
| livetubeportal.net | A | 193.138.172.5 |
| matchxmaker.net | A | 193.138.172.5 |
| upsphotos.net | A | 193.138.172.5 |
| videoanswers.net | A | 193.138.172.5 |
| meetcontacts.net | A | 193.138.172.5 |
| kernet.net | A | 193.138.172.5 |
| lastsoft.net | A | 193.138.172.5 |
| www.farmhut.net | A | 193.138.172.5 |
| catch-you.net | A | 193.138.172.5 |
| globalprivatepagesex.net | A | 193.138.172.5 |
| vpornuxe.ru | A | 193.138.172.5 |
| mail.vpornuxe.ru | A | 193.138.172.5 |
| www.postellmag.ru | A | 193.138.172.5 |
| www.film-xxx-ok.ru | A | 193.138.172.5 |
| www.xxx-cool-video.ru | A | 193.138.172.5 |
| www.nice-xxx-video.ru | A | 193.138.172.5 |
| www.best-xxx-video.ru | A | 193.138.172.5 |
| www.nice-xxxvideo.ru | A | 193.138.172.5 |
| www.callpartner.ru | A | 193.138.172.5 |
| pornofoto-pizdi-genshini.vessexzdes.ru | A | 193.138.172.5 |
| porno-xyi.vessexzdes.ru | A | 193.138.172.5 |
| oralnoe-porno.vessexzdes.ru | A | 193.138.172.5 |
| www.vessexzdes.ru | A | 193.138.172.5 |
| pornobums.ru | A | 193.138.172.5 |
| tds.pornobums.ru | A | 193.138.172.5 |
| www.nicevideoforyou.ru | A | 193.138.172.5 |
| date.flirplanetnew.ru | A | 193.138.172.5 |
| www.multikxx.ru | A | 193.138.172.5 |
| videoallxxx.ru | A | 193.138.172.5 |
| www.xxx-videoxxx.ru | A | 193.138.172.5 |
| sutra.aleby.ru | A | 193.138.172.5 |
| javascript.bz | A | 193.138.172.5 |
| www.callpartner.biz | A | 193.138.172.5 |
| antispyknight.biz | A | 193.138.172.5 |
"Your statement will be under the name of PNRA"
A search for the phrase above results in the following:
- secure.digibilling.com (dead), "SpywareRemover2009"
- securepay.adioro.com (209.8.45.157), "Adio Registry Optimizer"
- secure.goeasybill.com (209.8.25.202), "Internet Antivirus Pro"
- secure.innovagest2000s.com (dead), "Spy Guard 2008"
- secure.propayments.org (209.8.45.120), "Spy Protector"
- secure.softsales-discount.com (209.8.45.114), "Virus Doctor"
- secure-plus-payments.com (209.8.25.204), "Antivirus Plus"
In addition to secure.best-internet-payments.com above at 209.8.45.148.
Nicely spread across various IP's of something called Beyond The Network America, Inc, pccwglobal.com.
And if you take a closer look, you will also find that pccwglobal.com is hosting something at 207.226.175.xxx too. Sandi at Spyware Sucks has a nice list of domains from November 2008:
http://msmvps.com/blogs/spywaresucks/archive/2008/11/18/1654421.aspx
("Pandora" definitely is a keyword.)
And Spamhaus has something to say too:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL67537
"fast flux DNS host & malware block (unidentified)"
Which raises the question:
What/who is actually Beyond The Network America/pccwglobal.com?
Should we rename it to Beyond The Network Russia?
A nice bouquet:
A "Canadian" Pharmacy spammer leading to malware leading to payment processors in USA.
With a little touch of the Russian Bussiness Network.
And there are still a couple of IP-addresses and domains to have a look at in the files above if you are willing to spend the time.
Syndicate
Recent comments
11 weeks 1 day ago
11 weeks 5 days ago
12 weeks 1 day ago
12 weeks 1 day ago
13 weeks 4 days ago
44 weeks 3 days ago
44 weeks 3 days ago
46 weeks 6 days ago
46 weeks 6 days ago
48 weeks 1 day ago