{"id":8675,"date":"2012-11-21T00:00:49","date_gmt":"2012-11-21T07:00:49","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=8675"},"modified":"2018-10-05T11:49:19","modified_gmt":"2018-10-05T17:49:19","slug":"cybercriminals-spamvertise-bogus-microsoft-license-orders-serve-client-side-exploits-and-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/11\/21\/cybercriminals-spamvertise-bogus-microsoft-license-orders-serve-client-side-exploits-and-malware\/","title":{"rendered":"Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware"},"content":{"rendered":"

Cybercriminals are currently mass mailing millions of emails impersonating Microsoft Corporation in an attempt to trick users into clicking on a link in a bogus ‘License Order” confirmation email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit<\/strong><\/a>.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of the spamvertised email:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Sample compromised URL used in the campaign:<\/strong> hxxp:\/\/kalender.mn-welt.de\/page2.htm<\/em><\/p>\n

Sample client-side exploits serving URL:<\/strong> hxxp:\/\/fidelocastroo.ru:8080\/forum\/links\/column.php<\/em><\/p>\n

Sample payload serving URL:<\/strong> hxxp:\/\/fidelocastroo.ru:8080\/forum\/links\/column.php?sojhnkxv=030a380233&vjmm=3307093738070736060b&qkzwsj=03&jqgvx=hszplzo&maxtgox=obazeot<\/em><\/p>\n

Sample client-side exploit served:<\/strong> CVE-2010-0188<\/em><\/a><\/p>\n

Malicious domain name reconnaissance:<\/strong>
\nfidelocastroo.ru<\/strong> – 209.51.221.247; 203.80.16.81
\nName server: ns1.fidelocastroo.ru<\/strong> – 85.143.166.170
\nName server: ns2.fidelocastroo.ru<\/strong> – 132.248.49.112
\nName server: ns3.fidelocastroo.ru<\/strong> – 84.22.100.108
\nName server: ns4.fidelocastroo.ru<\/strong> – 213.251.171.30<\/p>\n

The following domains also respond to 209.51.221.247<\/strong>:
\nkennedyana.ru<\/strong>
\nleprasmotra.ru<\/strong>
\nwindowonu.ru<\/strong>
\nbakface.ru<\/strong>
\nwikipediastore.ru<\/strong>
\nlinkrdin.ru<\/strong>
\nsecondhand4u.ru<\/strong><\/p>\n

We’ve already seen secondhand4u.ru<\/strong> and linkrdin.ru<\/strong> used in the previously profiled “‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit<\/strong><\/a>” malicious campaign, indicating that both campaigns have been launched by the same party.<\/p>\n

Upon successful client-side exploitation, the Microsoft Windows License themed campaign drops MD5: d5211a7882c3c3e66f4a7db04c2a0280<\/strong><\/a> – detected by 37 out of 44 antivirus scanners as Trojan.Win32.Bublik.obv<\/p>\n

Once executed, the sample creates the following file on the affected host:\u00a0%AppData%KB00121600.exe – MD5: D5211A7882C3C3E66F4A7DB04C2A0280<\/strong><\/a> – detected by 37 out of 44 antivirus scanners as Trojan.Win32.Bublik.obv<\/p>\n

It then phones back to 188.40.0.138:8080\/AJtw\/UCygrDAA\/Ud+asDAA<\/strong> (AS24940). We’ve already seen the same pseudo-random characters used in the “\u2018American Express Alert: Your Transaction is Aborted\u2019 themed emails serve client-side exploits and malware<\/strong><\/a>” campaign.<\/p>\n

More MD5s are known to have phoned back to the same IP in the past. For instance:<\/strong>
\nMD5: 850c3b497224cee9086ad9ad6a2f71e6<\/strong><\/a> – detected by 4 out of 44 antivirus scanners as UDS:DangerousObject.Multi.Generic
\nMD5: 2c20575eb1c1ac2da222d0b47639434e<\/strong><\/a> – detected by 34 out of 44 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.ascm
\nMD5: d9eaad9b06e500f7a0cd90a02f537364<\/strong><\/a> – detected by 29 out of 44 antivirus scanners as PWS:Win32\/Zbot
\nMD5: 92978246ab42f68c323c36e62593d4ee<\/strong><\/a> – detected by 31 out of 43 antivirus scanners as HEUR:Trojan.Win32.Invader
\nMD5: 03f5311ef1b9f7f09f6e13ff9599f367<\/strong><\/a> – detected by 35 out of 44 antivirus scanners as Worm:Win32\/Cridex.E
\nMD5: d343eb0ab2703ae3623eb1504f321018<\/strong><\/a> – detected by 37 out of 44 antivirus scanners as Worm:Win32\/Cridex.E
\nMD5: 7b9f0a74820a00b34cc57e7c02d1492c<\/strong><\/a> – detected by 39 out of 44 antivirus scanners as W32.Cridex
\nMD5: cdbc0ba05ce8214d8877c658b648bc7e<\/strong><\/a> – detected by 36 out of 44 antivirus scanners as W32.Cridex
\nMD5: 7515448fa3aa1ee585311b80dab7ca87<\/strong><\/a> – detected by 38 out of 44 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.aaql
\nMD5: 19f481447e1adf70245582d4f4f5719c<\/strong><\/a> – detected by 40 out of 43 antivirus scanners as Worm:Win32\/Cridex.E
\nMD5: ABD0A8FCF1B728B14A9412F6ECF32586<\/strong><\/a> – detected by 27 out of 44 antivirus scanners as Heuristic.BehavesLike.Win32.Suspicious-BAY.K
\nMD5: 63F0092762566A87BE777A008CE3C511<\/strong><\/a> – detected by 31 out of 44 antivirus scanners as Trojan.Reveton.AN
\nMD5: BFFC8545808E0F5E1148BDD2A0FBF79E<\/strong><\/a> – detected by 39 out of 43 antivirus scanners as Worm:Win32\/Cridex.E
\nMD5: C83877421A4A88B38F155DF2BF786B6A<\/strong><\/a> – detected by 24 out of 44 antivirus scanners as Gen:Variant.Kazy.105014
\nMD5: C379D30CCDC4A57088F8D137DF525CCD<\/strong><\/a> – detected by 29 out of 44 antivirus scanners as Trojan.Win32.Bublik.nrz
\nMD5: 42F36DB25B25196B454771751F8C1B89<\/strong><\/a> – detected by 35 out of 44 antivirus scanners as Malware.Cridex
\nMD5: 3A8CE3D72B60B105783D74DBC65C37A6<\/strong><\/a> – detected by 33 out of 42 antivirus scanners as Trojan.Win32.Bublik.ols
\nMD5: EB242D0BFCE8DAA6CC2B45CA339512A0<\/strong><\/a> – detected by 25 out of 43 antivirus scanners as Win32:LockScreen-LV [Trj]
\nMD5: CDBC0BA05CE8214D8877C658B648BC7E<\/strong><\/a> – detected by 36 out of 44 antivirus scanners as Win32:Kryptik-KGB [Trj]
\nMD5: 733D33FF69013658D50328221254E80C<\/strong><\/a> – detected by 25 out of 43 antivirus scanners as Win32.Citadel
\nMD5: 963FE8239C00318DFF5BF55B866252C3<\/strong><\/a> – detected by 39 out of 44 antivirus scanners as Trojan:W32\/Injector.AH
\nMD5: 0D4FE02D89102B67A722027759EB40D1<\/strong><\/a> – detected by 40 out of 44 antivirus scanners as Gen:Variant.Kazy.102147
\nMD5: F8254130C26B227616C0939FBE73B9C7<\/strong><\/p>\n

Webroot SecureAnywhere<\/strong><\/a>\u00a0users are proactively protected from these threats.<\/p>\n

You can find more about Dancho Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Cybercriminals are currently mass mailing millions of emails impersonating Microsoft Corporation in an attempt to trick users into clicking on a link in a bogus ‘License Order” confirmation email. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit. More details:<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[12637,12631,12633,12635,12639,12623,12557,12263,12629,6183,5811,12625,12627,5801,12641,5803,6177,10103,5813,12373],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8675"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=8675"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8675\/revisions"}],"predecessor-version":[{"id":25525,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8675\/revisions\/25525"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=8675"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=8675"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=8675"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=8675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}