Jul 19th

Connecting the dots on the ransomware case

Posted by: Jacques Erasmus


After a lot of questions and comments, I thought it would be good to shed some more light on where the infection came from. I will discuss two vectors, the first being the main vector.

Below is a carefully crafted spearphishing email sent to a victim. It is well written and will fool a lot of people; it already has.

[image: screenshot of the spearphishing email]

All the links except the Jobseeker tool download link are legitimate. That link, hxxp://www.google.com/pagead/iclk?sa=l&ai=DOWNLOAD_MONSTER_SOFTWARE_&uni_link_id=%25ID%25%25ID%25&num=1&adurl=hxxp://audio****sound.com/tmp/index.php?lid=3495c4865cd6a86d556c9a057399195a5a02206, downloads the file. Note that the visible part of the link is a google.com redirector; the real download server is carried in the adurl parameter. At the time of writing the link appears to be dead, and the server that served it has been secured.
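To show the point about the redirector, here is an added example (my own code, not part of the original post) that unwraps a link like the one above offline and compares the host the victim sees with the host that actually serves the download. The list of redirector parameter names is an assumption for this example, not a complete catalogue; the URL is the defanged one quoted above.

```python
# Added example: unwrap a redirector link (google.com/pagead/iclk style) and
# compare the visible host with the final destination host. No network access:
# the chain is followed purely by reading query parameters.
from urllib.parse import urlsplit, parse_qs

# The spearphish link as quoted in the post (defanged, partly redacted).
PHISH_LINK = ("hxxp://www.google.com/pagead/iclk?sa=l&ai=DOWNLOAD_MONSTER_SOFTWARE_"
              "&uni_link_id=%25ID%25%25ID%25&num=1"
              "&adurl=hxxp://audio****sound.com/tmp/index.php?"
              "lid=3495c4865cd6a86d556c9a057399195a5a02206")

# Query parameters commonly used by redirectors to carry the real target.
# Assumption for this example; extend it for the redirectors you see.
REDIRECT_PARAMS = ("adurl", "url", "redirect", "target", "dest")


def refang(url: str) -> str:
    """Turn a defanged hxxp:// link back into a parseable http:// one."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def unwrap_redirect(url: str, max_hops: int = 5) -> list:
    """Return the chain of hostnames from the visible link to the final
    destination, following redirector parameters up to max_hops times."""
    chain = []
    current = refang(url)
    for _ in range(max_hops):
        parts = urlsplit(current)
        chain.append((parts.hostname or "").lower())
        params = parse_qs(parts.query, keep_blank_values=True)
        nxt = next((params[p][0] for p in REDIRECT_PARAMS
                    if p in params and params[p][0]), None)
        if not nxt:
            break  # no further redirect parameter: this is the destination
        current = refang(nxt)
    return chain


def is_masked_link(url: str) -> bool:
    """True when the host a reader sees differs from the host that
    ultimately serves the content (a redirector hiding the real target)."""
    chain = unwrap_redirect(url)
    return len(chain) > 1 and chain[0] != chain[-1]


if __name__ == "__main__":
    print(" -> ".join(unwrap_redirect(PHISH_LINK)))
    print("masked:", is_masked_link(PHISH_LINK))
```

The same check works on every link in a suspect message: a mail gateway or analyst tool should score on the final host in the chain, not on the trusted-looking domain at the front. It does not replace following the redirect live, since a server-side redirector can choose a different target than the parameter suggests, but it is safe to run on a dead or hostile link.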

This specific email was spread on July the 6th. We know that the first infections occurred in the late afternoon of July the 5th, and the first big name was infected on July the 6th.

Now for the second vector, which is more sinister, so bear with me!

There has been a lot of talk lately about the "Russian Business Network" or RBN, who run "bulletproof hosting" from sunny Panama. A lot of the malware we see has ties to this organised group, which sits very high up in the malware food chain. Our database lets us track a lot of things (a blog post for another day), and from that data we found that NTOS.EXE has ties back to a dropper used by a malware operation run by the RBN.

A brief overview of what happens follows -

You visit a malicious website and get redirected to one of a few "autorooters", one of them located on hxxp://s[xx].*siesettings.com. This probes your browser with a myriad of exploits and, if one succeeds, deploys a single file onto your machine. That file does many things, including checking which operating system you have, which security software you have, where you are from, and so on. Once this is done you get your own personalised batch of malware deployed to your machine. We can see that a few select users were infected with NTOS.EXE via this method on the 8th of July, selected by their location: only users within the USA were served this file.
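The chain described above (legitimate site, redirect to the exploit server, executable download) leaves a referer trail in a web proxy log, and that trail is what a defender can reconstruct. The following is an added example of my own, not code from the original post: it groups requests per client, walks each binary download back through its referers, and flags chains that pass through a watchlisted exploit-server host. The log lines, the log format, and the host name s01.siesettings.example are all constructed for the example (the real host in the post is partly redacted, so nothing here is a real indicator).

```python
# Added example: rebuild per-client referer chains from a proxy log and flag
# drive-by downloads that passed through a watchlisted exploit-server host.
# Log format (constructed for this example):
#   timestamp client url referer status content-type
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log. Client 10.0.0.5 is infected; 10.0.0.9 is clean.
SAMPLE_LOG = """\
2007-07-08T14:02:11Z 10.0.0.5 http://forum.example.net/thread.php?id=77 - 200 text/html
2007-07-08T14:02:12Z 10.0.0.5 http://s01.siesettings.example/in.cgi?3 http://forum.example.net/thread.php?id=77 200 text/html
2007-07-08T14:02:15Z 10.0.0.5 http://s01.siesettings.example/load.php?id=12 http://s01.siesettings.example/in.cgi?3 200 application/octet-stream
2007-07-08T14:05:40Z 10.0.0.9 http://www.example.org/news - 200 text/html
2007-07-08T14:05:41Z 10.0.0.9 http://www.example.org/style.css http://www.example.org/news 200 text/css
"""

# Assumed watchlist of exploit-server hosts and binary content types.
EXPLOIT_KIT_HOSTS = {"s01.siesettings.example"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_line(line: str) -> dict:
    """Split one log line into its six fields."""
    ts, client, url, referer, status, ctype = line.split(" ", 5)
    return {"ts": ts, "client": client, "url": url,
            "referer": None if referer == "-" else referer,
            "status": int(status), "ctype": ctype}


def group_by_client(log_text: str) -> dict:
    """Requests per client IP, in the order they were logged."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)
    return by_client


def chain_for(requests: list, idx: int) -> list:
    """Walk request idx back through referers to the page that started it.
    Only earlier requests are considered, and a seen-set stops loops."""
    chain = [requests[idx]["url"]]
    ref = requests[idx]["referer"]
    seen = set()
    while ref and ref not in seen:
        seen.add(ref)
        chain.append(ref)
        prev = next((r for r in reversed(requests[:idx]) if r["url"] == ref), None)
        ref = prev["referer"] if prev else None
    return list(reversed(chain))


def find_driveby(log_text: str) -> list:
    """Return (client, chain) for every binary download whose referer chain
    touches a watchlisted exploit-server host."""
    hits = []
    for client, reqs in group_by_client(log_text).items():
        for i, rec in enumerate(reqs):
            if rec["ctype"] not in BINARY_TYPES:
                continue
            chain = chain_for(reqs, i)
            if any(urlsplit(u).hostname in EXPLOIT_KIT_HOSTS for u in chain):
                hits.append((client, chain))
    return hits


if __name__ == "__main__":
    for client, chain in find_driveby(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

One caveat that follows directly from the geo-targeting described above: replaying the exploit-server URL from an analyst machine outside the USA (or with a non-matching browser) may return nothing, so the proxy log of the affected client is often the only reliable record of what was actually served.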

This attack was semi-targeted, using modern personalised malware deployment methods. We will see a lot more of this in the months to come.

4 comments so far

jart on Jul 19 22:39, 2007

    Excellent connecting the dots Jacques, a few more dots to add:

    gdfcnt (dot) info - a few facts - Ref: SBL51152 - 194.146.204.0/22 is listed on the Spamhaus Block List (SBL) hxxp://www.spamhaus.org/sbl/sbl.lasso?query=SBL51152

    Spamhaus = "20-Jun-2007 06:50 GMT | SR04 - Yet another part of Russian Business Network / iframe cash gang. Endless malware and PC hijacking."

    Estimated = 400+ infected sites via forum based virulent spam

    Reverse DNS = 1. Dinacnt info 2. Domicnt com 3. Gdfcnt info 4. Grigcnt info 5. Grizicnt com 6. Hoicnt info 7. Joimcnt net 8. Konicnt com 9. Lenicnt info 10. Nocicnt com 11. Prado7 com 12. Soncnt info 13. Unicnt info

    Location = Panama, Nevacon Ltd., same stable as Lyunicoming and RBN related.

    Alexa Trend/Rank: 1,789,684 (current) 3,396,523 (3 Months Ago) Compete Rank: #69,753 with 24,065 U.S. visitors per month Quantcast Rank: 411,381

Jacques Erasmus on Jul 20 10:46, 2007

    Thanks for the addition, very useful!

gl hoffman on Aug 21 20:27, 2007

    I can't believe people still use Monster after stuff like this happens every few months.

Patrick on Aug 25 22:11, 2007

    A friend of mine's machine went down, caused by a file XXY.exe that was self-replicating on her machine (I found 400 files in her MyDoc folder). The program came from 81.95.146.98, which is rented from RIPE in the NL by RBN out of Panama. I'm not sure how she got it yet, but I appreciate the info on this site.
