This BofA Demo Thing Got Big Fast

The Obama spam and malcode gang is back at it with a new fast-flux phishing and malcode ruse. This time the lure is a "demo" from Bank of America that requires the classic "Flash Upgrade" before you can view it.

[Screenshot: bofa_demo.png]

At the peak I was seeing 400 unique URLs an hour for this run. The URLs were unique strings, possibly for tracking purposes or possibly to stress URL blacklists. But when you look more closely you see they are just a handful of domain names. This is a lot like the Rock Phish of old.

Let’s have a look at the domains and their associated name server via the BFK passive DNS system:

onlineservices777.com    NS   ns1.directclieck.com
directclieck.com         NS   ns1.directclieck.com
ns1.directclieck.com     A    66.197.233.140
ns1.directclieck.com     A    208.77.98.103
ieenttio.com             NS   ns1.directclieck.com
inyans.com               NS   ns1.directclieck.com
frerins.com              NS   ns1.directclieck.com
neeunt.com               NS   ns1.directclieck.com

So those are the only domains passive DNS currently shows under these name servers. Note that the name server's own domain, directclieck.com, is part of the same cluster, and the two A records for ns1.directclieck.com are the values to keep watching: any new domain delegated to that name server is very likely the next batch of lure hosts.
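The URL-to-domain collapse and the name-server pivot described above, as an added example (this is not code from the original post): it takes a constructed list of lure URLs and a constructed table of passive DNS NS records that mirrors the listing, counts URLs per registrable domain, then groups domains by the name server they share and expands the cluster from a seed domain. The URL paths, the query strings and the example.org control entry are assumptions; only the domain and name-server names come from the post.

```python
"""Cluster phishing URLs by registrable domain, then pivot on shared name
servers. Added example, not from the original post; the URL list and the
passive-DNS records below are constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of lure URLs: unique paths/query strings, few domains.
# The domains are the ones listed in the post; the paths are made up.
SAMPLE_URLS = [
    "http://onlineservices777.com/demo/?id=a9f3c21",
    "http://onlineservices777.com/demo/?id=77b0e4d",
    "http://ieenttio.com/bofa/index.php?u=3k9d",
    "http://ieenttio.com/bofa/index.php?u=Qm2x",
    "http://inyans.com/demo.php?t=1",
    "http://frerins.com/demo.php?t=2",
    "http://neeunt.com/demo.php?t=3",
    "http://neeunt.com/demo.php?t=4",
]

# Constructed passive-DNS NS records (domain -> name server) mirroring the
# post's listing. A real run would query a passive DNS service instead.
SAMPLE_PDNS_NS = {
    "onlineservices777.com": "ns1.directclieck.com",
    "directclieck.com": "ns1.directclieck.com",
    "ieenttio.com": "ns1.directclieck.com",
    "inyans.com": "ns1.directclieck.com",
    "frerins.com": "ns1.directclieck.com",
    "neeunt.com": "ns1.directclieck.com",
    "example.org": "ns1.example.org",  # unrelated control entry, must not cluster
}


def registrable_domain(url: str) -> str:
    """Crude registrable-domain extraction (last two labels). Fine for
    .com-style TLDs; use the Public Suffix List for co.uk-style suffixes."""
    host = urlsplit(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def count_by_domain(urls):
    """Collapse a flood of unique URLs into a count per registrable domain."""
    counts = defaultdict(int)
    for u in urls:
        counts[registrable_domain(u)] += 1
    return dict(counts)


def pivot_on_ns(domains, pdns_ns):
    """Group domains by the name server passive DNS says they delegate to.
    Returns {nameserver: sorted list of domains}."""
    clusters = defaultdict(set)
    for d in domains:
        ns = pdns_ns.get(d)
        if ns:
            clusters[ns].add(d)
    return {ns: sorted(ds) for ns, ds in clusters.items()}


def expand_cluster(seed_domains, pdns_ns):
    """Find every domain in the pDNS data sharing an NS with any seed domain,
    i.e. the infrastructure pivot the post does by hand."""
    seed_ns = {pdns_ns[d] for d in seed_domains if d in pdns_ns}
    return sorted(d for d, ns in pdns_ns.items() if ns in seed_ns)


if __name__ == "__main__":
    per_domain = count_by_domain(SAMPLE_URLS)
    print(f"{len(SAMPLE_URLS)} unique URLs -> {len(per_domain)} domains")
    for ns, ds in pivot_on_ns(per_domain, SAMPLE_PDNS_NS).items():
        print(ns, ds)
    print("expanded from one seed:",
          expand_cluster(["onlineservices777.com"], SAMPLE_PDNS_NS))
```

The pivot is deliberately one hop: shared NS. On a real data set you would also pivot on the name server's A records (the two addresses above), since fast-flux gangs rotate name-server hostnames more often than the hosts behind them.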

The malcode download routine is very typical. If you don't take the lure and click the "upgrade" link, a meta-refresh in the page will redirect your browser to the executable anyway.

[Screenshot: bofa_demo_src.png]
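The meta-refresh fallback described above, as an added example (not code from the post, and the HTML is constructed to resemble the fake Flash-upgrade page rather than copied from it): it parses a lure page, pulls the refresh target and every link, resolves them against the page URL, and flags the page when the forced redirect points at an executable. The base URL lure.example and the file name in the sample are assumptions.

```python
"""Pull the forced-redirect target out of a phishing lure page. Added example,
not the post's code; the HTML and base URL below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed lure page: a visible "upgrade" link plus a meta-refresh that
# fires even if the victim never clicks.
SAMPLE_LURE_HTML = """<html><head>
<title>Bank of America - Demo</title>
<meta http-equiv="Refresh" content="5; URL=/download/AdobeFlash_Update.exe">
</head><body>
<p>Your Flash Player is out of date. <a href="/download/AdobeFlash_Update.exe">
Click here to upgrade</a> to view the demo.</p>
</body></html>"""

PAGE_URL = "http://lure.example/demo/"  # constructed base URL

EXE_RE = re.compile(r"\.(exe|scr|com|pif|bat)(\?|$)", re.I)


def parse_refresh_content(content):
    """Return (delay_seconds, url) from a Refresh value such as
    '5; URL=/x.exe', or None if the value carries no URL."""
    m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+?)['\"]?\s*$",
                 content, re.I)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


class LureParser(HTMLParser):
    """Collect meta-refresh targets and every href on the page."""

    def __init__(self):
        super().__init__()
        self.refresh_targets = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = parse_refresh_content(a.get("content", ""))
            if target:
                self.refresh_targets.append(target)
        elif tag == "a" and "href" in a:
            self.hrefs.append(a["href"])


def analyze_lure(html, base_url):
    """Return the resolved refresh targets, executable links, and whether the
    page forces an executable download without user interaction."""
    p = LureParser()
    p.feed(html)
    refresh = [(delay, urljoin(base_url, u)) for delay, u in p.refresh_targets]
    exe_links = sorted({urljoin(base_url, h) for h in p.hrefs if EXE_RE.search(h)})
    return {
        "refresh": refresh,
        "exe_links": exe_links,
        "forced_exe_download": any(EXE_RE.search(u) for _, u in refresh),
    }


if __name__ == "__main__":
    result = analyze_lure(SAMPLE_LURE_HTML, PAGE_URL)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The same parse is worth running on the HTTP `Refresh` header and on any JavaScript `location` assignment, since the gangs move the redirect around; the regex here only handles the meta tag form.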

The page source is nothing special, just the usual. Here's some of the info about one of the samples we saw:

BASIC INFO:
-----------------------------------------------
FILE TYPE:  application/x-ms-dos-executable
FILE SIZE:  3225 bytes
PACKER/S:   FSG v2.0 -> bart/xt
-----------------------------------------------

CHECKSUMS:
-----------------------------------------------
MD5:        2ef0de5993873f26529ac34012eb97d9
SHA1:       4e9aa725fa887cf65d9f6d1cebbd0a13d48320ab
PEHash:     a8c73378f9c4a2fb57a5658e09d69bbf4bae0998
-----------------------------------------------

A/V INFO:
-----------------------------------------------
SCANNER: VScanner    VIRUS: Unknown, file is "suspicious"
SCANNER: AVG         VIRUS: No virus found.
SCANNER: ClamAV      VIRUS: Trojan.OnlineGames-1517
SCANNER: BDC         VIRUS: No virus found.
-----------------------------------------------

The malcode is tiny (a 3 KB FSG-packed downloader that only ClamAV flagged, and only with a generic OnlineGames name), but it downloads hxxp://silviocash.com/usp.exe, detected as Paparus or Urlsnif. That second stage drops a driver, hides itself with a rootkit, and from then on the box sends data out of IE (form data, i.e. whatever you type into web pages, including banking logins) to the attacker. Owned.

Gary Warner has a nice writeup on his blog worth reading.

One Response to “This BofA Demo Thing Got Big Fast”

December 01, 2008 at 2:08 pm, BelchSpeak » Post Topic » Obama Spammers Now Using BofA Phishing Attack said:

[…] ArborNetworks here: The Obama spam and malcode gang is back at it with a new fast flux phishing and malcode ruse. This […]
