A currently circulating malicious spam campaign entices users into thinking that they have received a legitimate ‘Friend Confirmation Request’ on Facebook. In reality, though, the campaign attempts to exploit client-side vulnerabilities, CVE-2010-0188 in particular.
Client-side exploits serving URL:
hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebook-onetime.php?dpheelxa=1l:30:1l:1g:1j&pkvby=h&rzuhhh=1h:33:1o:2v:32:1o:2v:1o:1j:1m&ycxlcvr=1f:1d:1f:1d:1f:1d:1f
Detection rate for the malicious PDF: MD5: 39326c9a2572078c379eb6494dc326ab – detected by 3 out of 45 antivirus scanners as PDF/Blacole-FAA!39326C9A2572; Exploit:Win32/CVE-2010-0188; Exploit.Script.Pdfka.btvxj
Domain name reconnaissance:
facebook.com.n.find-friends.lindoliveryct.net – 66.230.163.86; 95.111.32.249; 188.134.26.172 – Email: [email protected]
Responding to the same IPs (66.230.163.86; 95.111.32.249; 188.134.26.172) are also the following malicious domains:
actiry.com – Email: [email protected]
askfox.net – Email: [email protected]
bnamecorni.com
briltox.com – Email: [email protected]
condalinneuwu37.net
condrskajaumaksa66.net
cyberflorists.su – Email: [email protected]
evishop.net – Email: [email protected]
exnihujatreetrichmand77.net
gondorskiedelaahuetebanj88.net
gotoraininthecharefare88.net
liliputttt9999.info – Email: [email protected]
lucams.net – Email: [email protected]
micnetwork100.com – Email: [email protected]
musicstudioseattle.net – Email: [email protected]
nvufvwieg.com – Email: [email protected]
partyspecialty.su – Email: [email protected]
pinterest.com.onsayoga.net
quill.com.account.settings.musicstudioseattle.net
seoworkblog.net – Email: [email protected]
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com – Email: [email protected]
vip-proxy-to-tor.com
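Several of the hostnames above (facebook.com.n.find-friends.lindoliveryct.net, pinterest.com.onsayoga.net, quill.com.account.settings.musicstudioseattle.net, tigerdirect.com.secure.orderlogin.asp.palmer-ford.net) follow the same construction: a trusted brand name and ".com" placed in the leading labels, while the registrable domain at the right-hand end belongs to the attacker. The following Python is an added example, not code from the original post or from Danchev, that flags this pattern over defanged indicators like the ones listed here. The brand list, the helper names, and the "last two labels" rule for the registrable domain are assumptions made for the example; production code should use the Public Suffix List instead.

```python
import re
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Brands drawn from the hostnames in the post; extending this set is an assumption
# left to the reader.
WATCHED_BRANDS = {"facebook", "pinterest", "quill", "tigerdirect"}


def host_from_defanged_url(url: str) -> str:
    """Re-arm a defanged hxxp:// or hxxps:// URL only as far as needed to parse
    its hostname (port, path and query string are discarded)."""
    armed = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return (urlsplit(armed).hostname or "").lower()


def registrable_domain(hostname: str) -> str:
    """Return the last two DNS labels. Simplification (assumption): suffixes such
    as co.uk need the Public Suffix List, which this helper deliberately omits."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def impersonated_brand(hostname: str) -> Optional[str]:
    """Return the watched brand a hostname impersonates, or None.

    A hit means a watched brand appears as a label to the LEFT of the
    registrable domain while the registrable domain itself is not the brand's,
    e.g. facebook.com.n.find-friends.lindoliveryct.net -> 'facebook'.
    Legitimate hosts such as www.facebook.com produce no hit because the brand
    sits inside the registrable domain, not in front of it.
    """
    labels = hostname.lower().rstrip(".").split(".")
    reg = registrable_domain(hostname)
    for label in labels[:-2]:  # labels left of the registrable domain
        if label in WATCHED_BRANDS and not reg.startswith(label + "."):
            return label
    return None


def triage(indicators: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each indicator (bare hostname or defanged URL) to the brand it
    impersonates, or None when the pattern is absent."""
    result: Dict[str, Optional[str]] = {}
    for item in indicators:
        host = host_from_defanged_url(item) if "://" in item else item.lower()
        result[item] = impersonated_brand(host)
    return result


if __name__ == "__main__":
    # Constructed sample: indicators copied from the post plus two benign hosts.
    sample = [
        "hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebook-onetime.php?pkvby=h",
        "pinterest.com.onsayoga.net",
        "quill.com.account.settings.musicstudioseattle.net",
        "tigerdirect.com.secure.orderlogin.asp.palmer-ford.net",
        "actiry.com",
        "www.facebook.com",
    ]
    for indicator, brand in triage(sample).items():
        print(f"{'HIT ' if brand else 'ok  '} {brand or '-':<11} {indicator}")
```

The check is a cheap first-pass filter for proxy or DNS logs: it catches the brand-as-prefix trick regardless of which throwaway registrable domain the campaign rotates to, which is exactly what the rotating list above suggests a defender should expect.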
Name servers used in these campaigns:
Name Server: NS1.TEMPLATESWELL.NET – 94.249.254.48 – Email: [email protected]
Name Server: NS1.THEGALAXYATWORK.COM – 94.249.254.48 – Email: [email protected]
Name Server: NS1.MOBILE-UNLOCKED.NET – 91.227.220.104 – Email: [email protected]
Name Server: NS2.MOBILE-UNLOCKED.NET – 32.100.2.98
Name Server: NS1.KNEESLAPPERZ.NET
Name Server: NS1.MEDUSASCREAM.NET – 37.247.108.250 – Email: [email protected]
Name Server: NS1.CREDIT-FIND.NET – 194.209.82.222 – Email: [email protected]
Name Server: NS1.GONULPALACE.NET – 194.209.82.222 – Email: [email protected]
Name Server: NS1.NAMASTELEARNING.NET – 93.178.205.234 – Email: [email protected]
Name Server: NS2.NAMASTELEARNING.NET – 205.28.29.52
The following malicious MD5s are also known to have phoned back to, or been downloaded from, the same IPs in the past:
MD5: e08c8ed751a3fc36bc966e47b76e2863
MD5: f507b822651d2fbc82a98e4cc7f735a2
MD5: f88d6a7381c0bbac1b1558533cfdfd62
MD5: 11be39e64c9926ea39e6b2650624dab4
MD5: ea893fb04cc536ff692cc3177db7e66f
MD5: c8f8b4c0fced61f8a4d3b2854279b4ef
MD5: 93bae01631d10530a7bac7367458abea
MD5: 199b8cf0ffd607787907b68c9ebecc8b
MD5: 6b1bef6fb45f5c2d8b46a6eb6a2d5834
MD5: 9eb6ed284284452f7a1e4e3877dded2d
MD5: efacf1c2c6b33f658c3df6a3ed170e2d
MD5: 7c70d5051826c9c93270b8c7fc9d276f
MD5: dcb378d6033eed2e01ff9ab8936050a0
MD5: 8556f98907fd74be9a9c1b3bf602f869
This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.