DDoS and Security Reports

The Gozi infostealer is running around, this time using new domains and a new lure: a “video invitation from your classmates”. This has been going on all week, too. In an email purporting to be from Classmates.com, you’re told to go look at a web page and join up. To view the video you need to .. you guessed it, download a new Flash player. Don’t worry, they’ll help you out.

They insist, really!

If you don’t “click here” you’ll have it auto-loaded, so don’t worry.

The domain in use for this past hour, christmasclasses.com, is fast fluxing. If you can, block the hosts via a DNS server or some similar filter.

Via the BFK passive DNS logger we can see one more domain:

ns1.peopleself.com	 A 	91.199.50.211
meeteingchristams.com	 NS 	ns1.peopleself.com
classmatesus.com	 NS 	ns1.peopleself.com

All worth axing.

The malcode you download, “AdobePlayer10.exe”, is a Gozi downloader (note that the MD5 may change):

MD5: ad2d90eb7c91a316e447358f9e6ed5e2
SHA1: 93d8f3af06bb3f80629bdae1abea4504e8f0eb83
File type: application/x-ms-dos-executable
File size: 3177 bytes

AV detection is fair (from VirusTotal). Same basic thing as the Obama malcode from last month:

• downloads addons2.exe from a fast flux host using the domain name albertonixl.com.
• sends the Gozi data to a host in AS44997, BTG transit route block.

Our friends at Secure Works have an excellent writeup on Gozi. This threat is not dead.

Popularity: 1% [?]

This entry was posted on Friday, December 5th, 2008 at 2:19 pm and is filed under Arbor Networks - DDoS Experts, ATLAS, Attacks and DDoS Attacks, Botnets, Interesting Research, Malware, Spyware, Trojan Horses. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.