Classmates dot com Fast Flux Malware
The Gozi infostealer is running around, this time using new domains and a new lure: a “video invitation from your classmates”. This has been going on all week, too. In an email purporting to be from Classmates.com, you’re told to go look at a web page and join up. To view the video you need to .. you guessed it, download a new Flash player. Don’t worry, they’ll help you out.
They insist, really!
If you don’t “click here” you’ll have it auto-loaded, so don’t worry.
The domain in use for this past hour, christmasclasses.com, is fast fluxing. If you can, block the hosts via a DNS server or some similar filter.
Via the BFK passive DNS logger we can see one more domain:
ns1.peopleself.com A 126.96.36.199 meeteingchristams.com NS ns1.peopleself.com classmatesus.com NS ns1.peopleself.com
All worth axing.
The malcode you download, “AdobePlayer10.exe”, is a Gozi downloader (note that the MD5 may change):
MD5: ad2d90eb7c91a316e447358f9e6ed5e2 SHA1: 93d8f3af06bb3f80629bdae1abea4504e8f0eb83 File type: application/x-ms-dos-executable File size: 3177 bytes
- downloads addons2.exe from a fast flux host using the domain name albertonixl.com.
- sends the Gozi data to a host in AS44997, BTG transit route block.
Our friends at Secure Works have an excellent writeup on Gozi. This threat is not dead.