Classmates dot com Fast Flux Malware

The Gozi infostealer is running around, this time using new domains and a new lure: a “video invitation from your classmates”. This has been going on all week, too. In an email purporting to be from Classmates.com, you’re told to go look at a web page and join up. To view the video you need to... you guessed it, download a new Flash player. Don’t worry, they’ll help you out.

please_join_classmates.png

They insist, really!

please_download_adobe10_exe.png

If you don’t “click here” you’ll have it auto-loaded, so don’t worry.

saving_adobe10_exe.png

The domain in use for this past hour, christmasclasses.com, is fast fluxing. If you can, block the hosts via a DNS server or some similar filter.

Via the BFK passive DNS logger we can see one more domain (record name, type, value):

ns1.peopleself.com       A    91.199.50.211
meeteingchristams.com    NS   ns1.peopleself.com
classmatesus.com         NS   ns1.peopleself.com

All worth axing.
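A defender-side check along these lines, as an added example that is not part of the original post: it scores a series of lookups of one name for the traits that make fast flux visible (short TTLs, many distinct A records, answers spread across unrelated networks) and, for a flagged domain, emits the BIND RPZ records that would sinkhole it on a resolver. The resolution snapshots, the thresholds and the /16 grouping are assumptions; christmasclasses.com is the domain named above.

```python
from ipaddress import ip_address, ip_network

# Constructed snapshots: (seconds since first lookup, TTL seen, A records).
# RFC 5737 documentation addresses stand in for the real flux nodes.
FLUX_SNAPSHOTS = [
    (0,   180, ["192.0.2.10", "198.51.100.20", "203.0.113.30"]),
    (300, 180, ["192.0.2.11", "198.51.100.21", "203.0.113.31"]),
    (600, 120, ["192.0.2.12", "198.51.100.22", "203.0.113.30"]),
]
# Control: a name that resolves to one stable address with a long TTL.
STABLE_SNAPSHOTS = [
    (0,   86400, ["198.51.100.7"]),
    (300, 86100, ["198.51.100.7"]),
]


def flux_score(snapshots, ttl_max=300, min_unique=5, min_prefixes=2):
    """Summarise repeated lookups of one name and decide if it looks fast-flux.

    Heuristics (thresholds are assumptions; tune them to your environment):
      * TTLs short enough that clients re-resolve constantly,
      * many distinct A records within a short window,
      * answers spread over several /16 prefixes, a crude stand-in for
        "many unrelated compromised hosts" rather than one hosting block.
    """
    ips, prefixes, ttls = set(), set(), []
    for _when, ttl, answers in snapshots:
        ttls.append(ttl)
        for a in answers:
            addr = ip_address(a)
            ips.add(addr)
            prefixes.add(ip_network(f"{addr}/16", strict=False))
    avg_ttl = sum(ttls) / len(ttls)
    verdict = (avg_ttl <= ttl_max
               and len(ips) >= min_unique
               and len(prefixes) >= min_prefixes)
    return {"unique_ips": len(ips), "prefixes": len(prefixes),
            "avg_ttl": avg_ttl, "fast_flux": verdict}


def rpz_records(domain, score):
    """Return BIND RPZ records that answer NXDOMAIN for the domain and its
    subdomains when it scored as fast-flux; an empty list otherwise."""
    if not score["fast_flux"]:
        return []
    return [f"{domain} CNAME .", f"*.{domain} CNAME ."]


if __name__ == "__main__":
    verdict = flux_score(FLUX_SNAPSHOTS)
    print(verdict)
    print("\n".join(rpz_records("christmasclasses.com", verdict)))
```

The emitted lines drop into an RPZ zone loaded by a resolver with response-policy enabled; feeding the scorer live answers (one snapshot per query) is the only change needed to run it against real traffic.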

The malcode you download, “AdobePlayer10.exe”, is a Gozi downloader (note that the MD5 may change):

MD5: ad2d90eb7c91a316e447358f9e6ed5e2
SHA1: 93d8f3af06bb3f80629bdae1abea4504e8f0eb83
File type: application/x-ms-dos-executable
File size: 3177 bytes

AV detection is fair (from VirusTotal). It behaves the same way as the Obama-themed malcode from last month:

  • downloads addons2.exe from a fast flux host using the domain name albertonixl.com.
  • sends the Gozi data to a host in AS44997 (the BTG transit route block).

Our friends at Secure Works have an excellent writeup on Gozi. This threat is not dead.

One Response to “Classmates dot com Fast Flux Malware”

December 08, 2008 at 12:24 pm, BelchSpeak » Post Topic » Obama Phishers Now Targeting Classmates.Com said:

[…] again to Jose Nazario at Arbor here for the analysis: The Gozi infostealer is running around, this time using new domains and a new […]
