Posted on Friday, December 5th, 2008

Classmates dot com Fast Flux Malware

by Jose Nazario

The Gozi infostealer is running around again, this time using new domains and a new lure: a “video invitation from your classmates”. This has been going on all week. In an email purporting to be from Classmates.com, you’re told to go look at a web page and join up. To view the video you need to, you guessed it, download a new Flash player. Don’t worry, they’ll help you out.

please_join_classmates.png

They insist, really!

please_download_adobe10_exe.png

If you don’t “click here” you’ll have it auto-loaded, so don’t worry.

saving_adobe10_exe.png

The domain in use for this past hour, christmasclasses.com, is fast fluxing: its A records rotate rapidly through a pool of compromised hosts with short TTLs, so blocking the individual IPs won’t stick. If you can, block the domain name itself at your DNS server or some similar filter.
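To make the fast-flux point concrete, here is an added example (not code from the original post) that scores repeated DNS lookups on the three indicators a resolver can see: short TTLs, many distinct A records over time, and spread across unrelated networks. The lookup samples are constructed, using RFC 5737 documentation addresses rather than the real flux nodes, and the thresholds are this example’s own assumptions.

```python
"""Flag fast-flux domains from repeated DNS lookups.

Added example for this post, not code from the original. The lookup samples
are constructed: the IPs come from the RFC 5737 documentation ranges, not
from the real flux network behind christmasclasses.com, and the thresholds
are this example's assumptions.
"""
import ipaddress
from collections import defaultdict

# One entry per lookup: (domain, TTL in seconds, A records returned).
# Constructed data: a fluxing domain answering with a different set of
# short-TTL records each time, next to a stable control domain.
SAMPLES = [
    ("christmasclasses.com", 300, ["192.0.2.10", "198.51.100.7", "203.0.113.44"]),
    ("christmasclasses.com", 300, ["192.0.2.77", "198.51.100.7", "203.0.113.9"]),
    ("christmasclasses.com", 300, ["192.0.2.130", "203.0.113.200", "198.51.100.250"]),
    ("example.org", 86400, ["203.0.113.1"]),
    ("example.org", 86400, ["203.0.113.1"]),
    ("example.org", 86400, ["203.0.113.1"]),
]

# Assumed thresholds: tune them against your own resolver's traffic.
MAX_TTL = 600           # flux nodes churn, so their records carry short TTLs
MIN_DISTINCT_IPS = 5    # more answers over time than one hosted site needs
MIN_DISTINCT_NETS = 3   # spread across unrelated /16s, a proxy for many ASNs


def summarize(samples):
    """Aggregate the lookups per domain: count, distinct IPs, /16s, min TTL."""
    per_domain = defaultdict(
        lambda: {"lookups": 0, "ips": set(), "nets": set(), "min_ttl": None})
    for domain, ttl, answers in samples:
        rec = per_domain[domain]
        rec["lookups"] += 1
        rec["min_ttl"] = ttl if rec["min_ttl"] is None else min(rec["min_ttl"], ttl)
        for answer in answers:
            ip = ipaddress.ip_address(answer)
            rec["ips"].add(ip)
            # strict=False masks the host bits, so 192.0.2.10/16 -> 192.0.0.0/16
            rec["nets"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
    return per_domain


def is_fast_flux(rec):
    """All three indicators must fire; any one alone also matches CDNs."""
    return (rec["min_ttl"] is not None and rec["min_ttl"] <= MAX_TTL
            and len(rec["ips"]) >= MIN_DISTINCT_IPS
            and len(rec["nets"]) >= MIN_DISTINCT_NETS)


def flux_domains(samples):
    """Return the sorted list of domains that look like fast-flux fronts."""
    return sorted(d for d, rec in summarize(samples).items() if is_fast_flux(rec))


if __name__ == "__main__":
    for domain, rec in summarize(SAMPLES).items():
        verdict = "FAST-FLUX" if is_fast_flux(rec) else "stable"
        print(f"{domain:25} ttl={rec['min_ttl']:<6} ips={len(rec['ips'])} "
              f"nets={len(rec['nets'])} -> {verdict}")
```

Short TTLs and many A records on their own also describe a round-robin CDN, which is why the check requires all three indicators together; in practice you would also want the ASN of each answer (flux nodes sit in residential and small-business space, not in a handful of hosting ASNs) and the rate at which the answer set changes between lookups.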

Via the BFK passive DNS logger we can see more domains sharing the same nameserver:

ns1.peopleself.com       A    91.199.50.211
meeteingchristams.com    NS   ns1.peopleself.com
classmatesus.com         NS   ns1.peopleself.com

All worth axing.
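The pivot above (nameserver IP to nameserver name to every zone delegated to it) is easy to automate. This is an added example, not code from the original post or from BFK: it walks the three passive DNS records quoted above plus two constructed decoy records for unrelated infrastructure, and renders the result as a minimal BIND response-policy zone. Treating the last two labels as the registrable domain is an assumption, as is the zone’s SOA/NS boilerplate.

```python
"""Pivot through passive DNS on shared nameserver infrastructure.

Added example for this post, not code from the original or from BFK. The
three records quoted in the post are used as-is; the records for
ns1.example.net / example.org are constructed decoys to show that unrelated
infrastructure stays out of the result. Treating the last two labels as the
registrable domain is an assumption (no public-suffix handling).
"""
from collections import defaultdict, deque

# (owner name, record type, rdata) as a passive DNS logger reports them.
RECORDS = [
    ("ns1.peopleself.com", "A", "91.199.50.211"),          # from the post
    ("meeteingchristams.com", "NS", "ns1.peopleself.com"),  # from the post
    ("classmatesus.com", "NS", "ns1.peopleself.com"),       # from the post
    ("ns1.example.net", "A", "192.0.2.53"),                # constructed decoy
    ("example.org", "NS", "ns1.example.net"),              # constructed decoy
]


def pivot(records, seed_ip, max_hops=4):
    """Breadth-first walk: IP -> names with that A record -> zones delegated
    to those names -> their other nameservers -> their IPs, and so on."""
    names_by_ip = defaultdict(set)   # A rdata  -> owner names
    ips_by_name = defaultdict(set)   # owner    -> A rdata
    zones_by_ns = defaultdict(set)   # NS rdata -> zones delegated to it
    ns_by_zone = defaultdict(set)    # zone     -> its NS rdata
    for name, rtype, rdata in records:
        if rtype == "A":
            names_by_ip[rdata].add(name)
            ips_by_name[name].add(rdata)
        elif rtype == "NS":
            zones_by_ns[rdata].add(name)
            ns_by_zone[name].add(rdata)

    seen_ips, seen_names = {seed_ip}, set()
    queue = deque([("ip", seed_ip, 0)])
    while queue:
        kind, value, hops = queue.popleft()
        if hops >= max_hops:          # bound the walk; shared hosters fan out fast
            continue
        if kind == "ip":
            next_names, next_ips = names_by_ip[value], set()
        else:
            next_names = zones_by_ns[value] | ns_by_zone[value]
            next_ips = ips_by_name[value]
        for n in next_names - seen_names:
            seen_names.add(n)
            queue.append(("name", n, hops + 1))
        for ip in next_ips - seen_ips:
            seen_ips.add(ip)
            queue.append(("ip", ip, hops + 1))
    return seen_names, seen_ips


def registrable(name):
    """Assumption: registrable domain = last two labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def block_list(records, seed_ip):
    """Sorted registrable domains reached from the seed IP."""
    names, _ = pivot(records, seed_ip)
    return sorted({registrable(n) for n in names})


def rpz_zone(domains):
    """Render a minimal BIND response-policy zone; 'CNAME .' means NXDOMAIN."""
    lines = ["$TTL 300",
             "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
             "@ IN NS localhost."]
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rpz_zone(block_list(RECORDS, "91.199.50.211")))
```

The hop limit matters: on a shared nameserver the same walk would sweep in every customer of that hoster, so in real use you would review the output rather than load it blindly, and the zone file only takes effect once it is referenced from a `response-policy` statement in named.conf.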

The malcode you download, “AdobePlayer10.exe”, is a Gozi downloader (note that the hashes may change from one download to the next):

MD5: ad2d90eb7c91a316e447358f9e6ed5e2
SHA1: 93d8f3af06bb3f80629bdae1abea4504e8f0eb83
File type: application/x-ms-dos-executable
File size: 3177 bytes

AV detection is fair (per VirusTotal). It does the same basic thing as the Obama malcode from last month:

  • downloads addons2.exe from a fast flux host behind the domain name albertonixl.com.
  • sends the Gozi data to a host in AS44997, the BTG transit route block.
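Pulling the indicators from this post together, here is an added example (not code from the original) that sweeps proxy logs for the lure and download domains and the two filenames, and checks a file’s MD5/SHA1 against the sample above. The log lines are constructed in a simplified Squid-style format; one of them hits the real classmates.com to show that the legitimate site is not flagged. Treating the last two labels as the registrable domain is an assumption.

```python
"""Sweep proxy logs for the indicators in this post.

Added example, not code from the original. The IOC values (domains,
filenames, hashes) are those the post lists; the log lines are constructed
in a simplified Squid-style format for illustration. Treating the last two
labels as the registrable domain is an assumption.
"""
import hashlib
from urllib.parse import urlsplit

IOC_DOMAINS = {"christmasclasses.com", "peopleself.com", "meeteingchristams.com",
               "classmatesus.com", "albertonixl.com"}
IOC_FILENAMES = {"adobeplayer10.exe", "addons2.exe"}
IOC_MD5 = {"ad2d90eb7c91a316e447358f9e6ed5e2"}
IOC_SHA1 = {"93d8f3af06bb3f80629bdae1abea4504e8f0eb83"}

# Constructed log lines: "<epoch> <client> <method> <url> <status> <bytes>".
# The fourth line hits the real classmates.com, which must NOT match.
LOG_LINES = [
    "1228500000.123 10.0.0.5 GET http://christmasclasses.com/video/AdobePlayer10.exe 200 3177",
    "1228500010.456 10.0.0.5 GET http://www.example.org/index.html 200 1820",
    "1228500020.789 10.0.0.9 GET http://cdn.albertonixl.com/addons2.exe 200 40960",
    "1228500030.000 10.0.0.7 GET http://images.classmates.com/logo.png 200 5120",
]


def registrable(host):
    """Assumption: last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def match_line(line):
    """Return (client, host, reasons) when a line touches an indicator, else None."""
    parts = line.split()
    if len(parts) < 4:
        return None
    client, url = parts[1], parts[3]
    split = urlsplit(url)
    host = split.hostname or ""
    filename = split.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if registrable(host) in IOC_DOMAINS:
        reasons.append(f"domain:{registrable(host)}")
    if filename in IOC_FILENAMES:
        reasons.append(f"file:{filename}")
    return (client, host, reasons) if reasons else None


def scan(lines):
    """Every hit, in log order, so repeat clients stand out."""
    return [hit for hit in map(match_line, lines) if hit]


def hash_matches(data):
    """True when the bytes hash to the sample's MD5 or SHA1. The post warns the
    hash may change, so treat a miss as inconclusive, not as clean."""
    return (hashlib.md5(data).hexdigest() in IOC_MD5
            or hashlib.sha1(data).hexdigest() in IOC_SHA1)


if __name__ == "__main__":
    for client, host, reasons in scan(LOG_LINES):
        print(f"{client:12} {host:30} {', '.join(reasons)}")
```

A client that fetched AdobePlayer10.exe from the lure domain and then reached out to albertonixl.com is the sequence to hunt for; the filename match on its own is weak (the name is chosen to look like an Adobe update), which is why the domain hit is recorded alongside it.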

Our friends at Secure Works have an excellent writeup on Gozi. This threat is not dead.

One Response

Post by: BelchSpeak » Obama Phishers Now Targeting Classmates.Com — December 8th, 2008 @ 12:24 pm EST

[...] again to Jose Nazario at Arbor here for the analysis: The Gozi infostealer is running around, this time using new domains and a new [...]
