Fujacks Variant Using ACH Lure (more accurately Blackhole spreading Zeus via ACH Lure)
During my shift we received an email claiming to be from "The Electronic Payments Association" with the subject "Rejected ACH transfer." It informed us that our ACH transfer had been "canceled by the other financial institution" and provided a link to the supporting documentation.
If you click the link (hXXp://masterwall.com.au/8ymksg/index.html -- I'm sharing it so you can check your logs) you get bounced through a few sites (pulling down some Google Ads along the way -- you might want to look at who's making money off of that, Google), and if you're running a system vulnerable to CVE-2010-1885 you eventually install a loader for what Ikarus is calling Worm.Win32.Fujack.o.
I've spent more time informing webmasters than really analyzing the code, but that's usually how it goes.
The defaced sites have all been informed. I've sent a message to the main hosting site as well (but I don't expect an answer.)
The particular indicators for this event:
Initial defaced site: hXXp://masterwall.com.au/8ymksg/index.html
Intermediate sites can be pulled from the wepawet report here: http://wepawet.iseclab.org/view.php?hash=26a057f6807d39560631bfe7039d78ad&t=1321628919&type=js
The endpoint (the one you want to block and search your logs for): hXXp://aquasrc.com/w.php?f=100&e=8
The MD5 of what I pulled down: b4d9e3639b1bb326938efd9b6700f26d
Once run, this installs itself on the victim's machine, autostarts after reboot, and also tries to spread via internal network shares.
I haven't yet spotted what it uses for command and control, so all I know for certain is that it spreads. I hope to update this later with the C&C server details.
Update:
The malware looks to be a variant of the Zeus banking trojan. Look in your DNS logs for systems requesting quiversea.com.
Update 2:
As Chris W points out below, this appears to be the Blackhole exploit kit. The CVE cited above is simply the exploit that was appropriate for the honey-monkey that visited the site: the kit fingerprints the visiting system and serves whichever exploit fits it, so other victims may have been hit with a different one.
Comments
Al of Your Data Center
Nov 18th 2011
/[a-z].php?f=[0-9]+e=[0-9]+ (payload binaries: f=file number, e=successful exploit number)
/[12]ddfp.php?f=[0-9]+ (PDF exploits -> e=6)
also (with more risk of false positives):-
/content/field.swf (Flash exploit -> e=8)
/content/*.jar (Java exploits -> e=1, e=10; names vary)
/main.php?page=[0-9a-f]{16} (exploit kit landing page, but other URL forms exist)
plus files fetched from integer "hosts" (e.g. "hXXp://521014283/Gmail") by Java < 1.6.0_24 (exploit -> e=0, but more than just Blackhole uses this!)
Chris W
Nov 18th 2011
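To turn the indicators in the diary (initial site, payload endpoint, dropped-binary MD5, quiversea.com DNS lookups) and the Blackhole URL patterns in Chris W's comment into something you can actually run over logs, here is an added example; it is not code from the diary author or the commenter. The proxy and DNS log format is a constructed whitespace-separated one, the sample lines are made up for the demonstration, and the payload-fetch pattern assumes an `&` between `f=` and `e=` (as in the diary's endpoint), which the comment's regex omits. The decimal-host handling converts the dotless decimal IP form the comment mentions ("hXXp://521014283/Gmail") back to dotted quad so it can be blocked.

```python
"""Hunt proxy/DNS logs for the diary's IOCs and Blackhole-style URL patterns.

Added example, not from the diary or the commenter.  Log format and sample
lines are constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators quoted from the diary (hXXp defanging undone for matching).
KNOWN_BAD_URLS = {
    "http://masterwall.com.au/8ymksg/index.html",  # initial defaced site
    "http://aquasrc.com/w.php?f=100&e=8",          # payload endpoint
}
KNOWN_BAD_DNS = {"quiversea.com"}                  # Zeus C&C lookup from Update 1
KNOWN_BAD_MD5 = {"b4d9e3639b1bb326938efd9b6700f26d"}  # dropped binary

# Path+query patterns from Chris W's comment.  Host varies per campaign, so only
# the path is matched.  The "&" in the payload pattern is an assumption based on
# the diary's endpoint; the comment's regex omits it.
BLACKHOLE_PATTERNS = [
    (re.compile(r"^/[a-z]\.php\?f=\d+&e=\d+$"), "payload fetch"),
    (re.compile(r"^/[12]ddfp\.php\?f=\d+$"), "PDF exploit"),
    (re.compile(r"^/content/field\.swf$"), "Flash exploit (higher FP risk)"),
    (re.compile(r"^/content/[^/]+\.jar$"), "Java exploit (higher FP risk)"),
    (re.compile(r"^/main\.php\?page=[0-9a-f]{16}$"), "landing page"),
]
# Chris W's mapping of the e= parameter to the exploit that succeeded.
EXPLOIT_BY_E = {0: "Java (integer host)", 1: "Java", 6: "PDF", 8: "Flash", 10: "Java"}

# Constructed sample logs: "<epoch> <client> <method> <url> <status>" and
# "<epoch> <client> query <name>".
PROXY_LOG = """\
1321628919 10.0.0.5 GET http://masterwall.com.au/8ymksg/index.html 200
1321628921 10.0.0.5 GET http://example.net/main.php?page=0123456789abcdef 200
1321628923 10.0.0.5 GET http://example.net/content/field.swf 200
1321628925 10.0.0.5 GET http://aquasrc.com/w.php?f=100&e=8 200
1321628930 10.0.0.5 GET http://521014283/Gmail 200
1321628940 10.0.0.9 GET http://www.example.org/index.html 200
"""
DNS_LOG = """\
1321628950 10.0.0.5 query quiversea.com
1321628951 10.0.0.9 query www.example.org
"""


def decimal_host_to_ip(host):
    """Convert a dotless-decimal host ("521014283") to dotted quad."""
    n = int(host)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def hunt_proxy(log_text):
    """Return (client, url, reason) tuples for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, url, _status = line.split()
        parts = urlsplit(url)
        path_q = parts.path + ("?" + parts.query if parts.query else "")
        if url in KNOWN_BAD_URLS:
            hits.append((client, url, "diary IOC"))
        for pattern, label in BLACKHOLE_PATTERNS:
            if pattern.match(path_q):
                e_vals = parse_qs(parts.query).get("e")
                if e_vals:  # decode which exploit the kit reports as successful
                    e = int(e_vals[0])
                    label += f" (e={e}: {EXPLOIT_BY_E.get(e, 'unknown')})"
                hits.append((client, url, "Blackhole pattern: " + label))
        if parts.hostname and parts.hostname.isdigit():
            ip = decimal_host_to_ip(parts.hostname)
            hits.append((client, url, "integer host -> " + ip))
    return hits


def hunt_dns(log_text):
    """Return (client, name) for lookups of a known C&C domain or its subdomains."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _qtype, name = line.split()
        if any(name == bad or name.endswith("." + bad) for bad in KNOWN_BAD_DNS):
            hits.append((client, name))
    return hits


def is_known_sample(md5hex):
    """True if a hash matches the binary the diary pulled down."""
    return md5hex.lower() in KNOWN_BAD_MD5


def compromised_hosts(proxy_log=PROXY_LOG, dns_log=DNS_LOG):
    """Union of clients seen in any proxy or DNS hit, sorted for reporting."""
    clients = {h[0] for h in hunt_proxy(proxy_log)} | {h[0] for h in hunt_dns(dns_log)}
    return sorted(clients)


if __name__ == "__main__":
    for hit in hunt_proxy(PROXY_LOG) + hunt_dns(DNS_LOG):
        print(hit)
    print("hosts to pull for IR:", compromised_hosts())
```

The Flash and Java paths are deliberately tagged as higher false-positive risk, as in the comment; in practice you would confirm a host with the payload-fetch hit or the quiversea.com lookup before pulling it for incident response.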
The one we saw last night: http://mysubmissionservice.com/~sabaidee/f5e3zpp/index.html
Also, FWIW, I had multiple unrelated email accounts hit with the ACH themed messages last night.
nick
Nov 18th 2011