
Zeus Bot likes Canada

18 May 2011

Being in Canada, I thought I should take a look at a particular infection derived from two sites hosted in this country.

First, an infected page from:

haroldwest.ca/invoice_download.html
(IP: 65.39.242.99, location: Canada)

The page triggers exploits from the following URLs:

orjbhasqs.co.be/forum.php?tp=371e07c7063d940f
orjbhasqs.co.be/games/java_trust.php?f=30
orjbhasqs.co.be/games/2fdp.php?f=30
orjbhasqs.co.be/games/mario.jar
orjbhasqs.co.be/games/hcp_vbs.php?f=30

193.218.156.83/patcher.php
orjbhasqs.co.be/k.php?f=30&e=0
orjbhasqs.co.be/k.php?e=7&f=30

orjbhasqs.co.be (IP: 193.218.156.83, location: Kiev, Ukraine)

There’s a lot to say about AS16109, AKA “Informational and Commercial Agency ‘INCA’ LTD”, Ukraine.

CleanMX has a long list of ‘Java Downloaders’. Indeed they are good at that:

So, who is behind “INCA”? How about the good old RBN? That’s right. Here is a list of IPs, domains and ASNs from Emerging Threats.

Moving on with the payload, there is something rather strange that happens midway through the infection process:

www.canadapost.ca/cpotools/apps/track/personal/findByTrackNumber

I can’t quite figure out what the purpose is… This is a page where you can track the progress of a parcel from Canada Post. My first thought was a possible phishing or spear phishing attempt… but I’m not entirely convinced.

Edit:

While the display of the page surprised me (given that this PC was already infected), it has been pointed out to me that this is linked to spam emails with malicious attachments (similar to the DHL parcel lures, etc.).

In fact, I did find such a phish targeting Canada Post (note the URL is similar to the one from the page above). In the end, it makes sense that the infected PC is spamming away to get more victims…

End of edit

Later on is a binary download from:

madaboutvisuals.com/clients/canada.exe

(IP: 69.90.162.10, location: Canada) VirusTotal report (8/41).

You’d agree that’s a lot of Canada love, wouldn’t you? ;-)

Anyway, the final step of a long process is the initiation of a connection to:

212.150.164.204/email/squirrelmail.php

hpHosts info about 212.150.164.204.

This is a server located in Israel that is a known Zeus Command & Control center. It is reported by our friends at malwaredomainlist:

The ASN shows up as bad as well:

Google SafeBrowsing report for AS1680:

It’s amazing how many different parts of the world malware jumps between. We started in Canada, went to Ukraine, then Israel…
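The chain above (compromised page, exploit-kit URLs, payload download, C2 check-in) is what a defender would want to spot in proxy logs. The following is an added example, not code from the original post: it takes the hosts and IPs listed in the post (2011-era indicators, reproduced only to illustrate the matching logic), groups them by stage, and runs them over a few constructed Squid-style log lines. The legitimate Canada Post tracking URL is included as a line that must not be flagged, since the post identifies it as a lure rather than malicious infrastructure. The log format and the sample lines are assumptions for the demo.

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the post (2011-era; illustrative only),
# grouped by the stage of the infection chain they belong to.
IOCS = {
    "compromised_page": {"hosts": {"haroldwest.ca"}, "ips": {"65.39.242.99"}},
    "exploit_kit":      {"hosts": {"orjbhasqs.co.be"}, "ips": {"193.218.156.83"}},
    "payload":          {"hosts": {"madaboutvisuals.com"}, "ips": {"69.90.162.10"}},
    "c2":               {"hosts": set(), "ips": {"212.150.164.204"}},
}

# Stages whose co-occurrence from one client indicates a completed infection.
FULL_CHAIN = {"exploit_kit", "payload", "c2"}

# Constructed proxy log lines in a Squid-like layout (not real captures):
# timestamp client status method url
SAMPLE_LOG = """\
1305734401.123 192.168.1.20 TCP_MISS/200 GET http://haroldwest.ca/invoice_download.html
1305734402.456 192.168.1.20 TCP_MISS/200 GET http://orjbhasqs.co.be/forum.php?tp=371e07c7063d940f
1305734403.789 192.168.1.20 TCP_MISS/200 GET http://orjbhasqs.co.be/games/mario.jar
1305734404.012 192.168.1.20 TCP_MISS/200 GET http://193.218.156.83/patcher.php
1305734405.001 192.168.1.20 TCP_MISS/200 GET http://www.canadapost.ca/cpotools/apps/track/personal/findByTrackNumber
1305734406.002 192.168.1.20 TCP_MISS/200 GET http://madaboutvisuals.com/clients/canada.exe
1305734410.003 192.168.1.20 TCP_MISS/200 POST http://212.150.164.204/email/squirrelmail.php
1305734411.004 192.168.1.21 TCP_MISS/200 GET http://www.example.com/index.html
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(url):
    """Return the chain stage a URL belongs to, or None if it matches no indicator."""
    host = (urlsplit(url).hostname or "").lower()
    for stage, ind in IOCS.items():
        if IPV4.match(host):
            # Literal-IP URLs (like the patcher.php and C2 hits) match on the IP list.
            if host in ind["ips"]:
                return stage
        elif host in ind["hosts"] or any(host.endswith("." + h) for h in ind["hosts"]):
            # Exact host or any subdomain of a listed host.
            return stage
    return None


def parse_line(line):
    """Split one constructed log line into its fields; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, status, method, url = parts
    return {"ts": ts, "client": client, "status": status, "method": method, "url": url}


def scan(log_text):
    """Return one hit per log line whose URL host matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec["url"])
        if stage:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "stage": stage, "url": rec["url"]})
    return hits


def clients_with_full_chain(hits):
    """Clients that touched every stage in FULL_CHAIN: exploit kit, payload and C2."""
    seen = {}
    for h in hits:
        seen.setdefault(h["client"], set()).add(h["stage"])
    return {c for c, stages in seen.items() if FULL_CHAIN <= stages}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} {h['stage']:<16} {h['url']}")
    print("full chain observed from:", sorted(clients_with_full_chain(found)))
```

Grouping the indicators by stage is the useful part: a single hit on the exploit-kit domain may be a blocked drive-by, but a client that also fetched the payload and then posted to the C2 address has almost certainly been infected, which is the case to escalate first.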

I made a quick video showing the exploit and its payload:

Jerome Segura
