LinkedIn spam mail campaigns have been around for at least three years: you receive a bogus invitation to connect on LinkedIn, the link leads to a compromised page, and that page redirects you to an Exploit Kit-laden server that eventually drops malware on your machine. Past campaigns combined the Blackhole Exploit Kit with Cridex or Zeus malware, as reported in  and discussed in .
In this particular case, clicking the “Accept” button redirects you to hxxp://champagnefuif.klammehand.be/modules/wp-enter.php?xV72H17G11U7AT2AA, a page on a compromised WordPress site, and from there you land on hxxp://languagespreferably.biz/closest/i9jfuhioejskveohnuojfir.php, a Blackhole Exploit Kit landing page. The landing page probes the browser and its plugins for exploitable versions and, if one is found, drops a file named calc.exe on your machine: a ZeroAccess dropper. You just became part of the ZeroAccess botnet! The binary matches this VirusTotal signature.
In the figure below, we can see the spike in traffic on Monday Sep 2nd, when the spam campaign started.
Looking at the behavioral section of the VirusTotal report of the dropped ZeroAccess sample, we see these DNS requests:
The bot looks up google.com to test for internet connectivity and resolves maxmind.com so that it can call the GeoIP service with this HTTP request:
USER AGENT: None
The GeoIP callbacks to maxmind are a typical Sirefef/ZeroAccess trademark: the malware needs to find out which country it is located in. ZeroAccess is known to download other malware onto an infected machine; once it knows where it is, it knows where to connect next to download further payloads (mostly Medfos malware).
In this campaign, ZeroAccess is dropped by a Blackhole version dubbed “closest” (the name also appears in the path of the landing URL above), which was first described in detail by MalwareMustDie in . Similar spam campaigns, such as those impersonating Facebook and redirecting to Blackhole, were observed to drop Trojan Zbot/Pony (credential stealer), MedFos (downloader) and ZeroAccess, as reported in .
ZeroAccess callback IPs
Once installed, ZeroAccess tries to join a peer-to-peer network to download plugin files that extend the payload's functionality. In the behavioral section of the VirusTotal report, we can see a list of supernode callback IPs that the ZeroAccess sample tries to contact on UDP port 16464; running the sample locally in a VM produces a larger list of supernode callback IPs. Supernodes are the internet-facing nodes of the botnet that distribute files and IP lists to the other nodes; ordinary nodes are often sitting behind NAT and can only reach the outside CnCs through the supernodes. We checked the larger list of 89 callback IPs and found that a few of them have, in the past, hosted 17 Kelihos fast-flux domains (or subdomains), which we list here: abeeu.bobpawa.com, aqa.renuncam.nl, cx3r5.nigucgu.com, cych.zymofevy.me, dahadkyz.ru, davujuz.com, fcegrrtc.mapuhxaf.ru, flowsre.com, hsej0rr7.insomtab.nl, huznejex.ru, nenkudyf.ru, ogfonis.org, powerwik.ru, teeply.info, widerat.com, xexumyb.com, ximirsex.ru.
These domains have already been blocked a while ago, and reported for suspension or sinkholing.
The overlap between the IP pools of the ZeroAccess and Kelihos botnets is an indication that botnets are a commodity shared among criminal campaigns to speed up the spread of infections and information stealing. More good resources on ZeroAccess can be found in .
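The two host-side markers described above, the GeoIP call to maxmind.com with no User-Agent and the UDP/16464 fan-out to supernodes, are easy to turn into a triage rule over DNS, HTTP and flow logs. The script below is an added example and not OpenDNS code or anything from the VirusTotal report: the pipe-delimited log format, the RFC 5737 addresses in the sample flows, the placeholder "known supernode" list and the fan-out threshold are all constructed assumptions; real supernode lists would come from the sandbox report.

```python
"""Host triage for the two ZeroAccess markers discussed above.
Constructed example (not OpenDNS code).  Three constructed log feeds:

  DNS  : ts|src|qname
  HTTP : ts|src|host|user_agent      (empty user_agent == no UA header sent)
  FLOW : ts|src|dst|proto|dport

Marker 1: a host resolves maxmind.com and then fetches from it with no UA.
Marker 2: the same host sprays UDP/16464 to many distinct external peers.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Placeholder supernode list (assumption): RFC 5737 documentation addresses,
# NOT the real callback IPs from the report.
KNOWN_SUPERNODES = {"203.0.113.7", "203.0.113.21", "203.0.113.99", "198.51.100.5"}
ZA_P2P_PORT = 16464
MIN_DISTINCT_PEERS = 8  # tuning assumption: UDP fan-out on one port is rare for normal hosts

INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse(lines, nfields):
    """Split pipe-delimited records, skipping blanks, comments and malformed lines."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) == nfields:
            rows.append(parts)
    return rows


def is_external(ip):
    # Explicit RFC 1918/loopback test; ipaddress.is_private would also
    # exclude the documentation ranges used in the constructed sample.
    a = ip_address(ip)
    return not any(a in net for net in INTERNAL_NETS)


def geoip_beacon_hosts(dns_lines, http_lines):
    """Hosts that resolved maxmind.com and then fetched from it without a User-Agent."""
    resolved = {src for _ts, src, qname in parse(dns_lines, 3)
                if qname.lower().rstrip(".") == "maxmind.com"}
    hits = set()
    for _ts, src, host, ua in parse(http_lines, 4):
        if src in resolved and host.lower().endswith("maxmind.com") and ua == "":
            hits.add(src)
    return hits


def p2p_fanout_hosts(flow_lines, known=KNOWN_SUPERNODES, min_peers=MIN_DISTINCT_PEERS):
    """src -> (distinct external UDP/16464 peers, how many are known supernodes)."""
    peers = defaultdict(set)
    for _ts, src, dst, proto, dport in parse(flow_lines, 5):
        if proto.lower() == "udp" and int(dport) == ZA_P2P_PORT and is_external(dst):
            peers[src].add(dst)
    return {src: (len(p), len(p & known)) for src, p in peers.items() if len(p) >= min_peers}


def triage(dns_lines, http_lines, flow_lines):
    """{host: [markers]}; both markers on one host is a strong ZeroAccess signal."""
    verdict = defaultdict(list)
    for h in geoip_beacon_hosts(dns_lines, http_lines):
        verdict[h].append("geoip-beacon-no-ua")
    for h, (n, k) in p2p_fanout_hosts(flow_lines).items():
        verdict[h].append(f"udp16464-fanout:{n}peers/{k}known")
    return dict(verdict)


# ---- constructed sample data: 10.0.0.5 is infected, 10.0.0.9 is a look-alike ----
DNS = """
2013-09-02T10:00:01|10.0.0.5|google.com
2013-09-02T10:00:02|10.0.0.5|maxmind.com
2013-09-02T10:00:09|10.0.0.9|maxmind.com
"""
HTTP = """
2013-09-02T10:00:03|10.0.0.5|maxmind.com|
2013-09-02T10:00:10|10.0.0.9|maxmind.com|Mozilla/5.0
"""
FLOW = "\n".join(
    [f"2013-09-02T10:01:{i:02d}|10.0.0.5|203.0.113.{i + 1}|udp|16464" for i in range(10)]
    + [f"2013-09-02T10:02:{i:02d}|10.0.0.9|203.0.113.{i + 1}|udp|16464" for i in range(3)]
    + ["2013-09-02T10:03:00|10.0.0.5|10.0.0.1|udp|16464"]  # internal peer, ignored
)

if __name__ == "__main__":
    for host, markers in sorted(triage(DNS.splitlines(), HTTP.splitlines(), FLOW.splitlines()).items()):
        print(host, markers)
```

Only 10.0.0.5 trips both rules: 10.0.0.9 resolves maxmind.com but sends a normal User-Agent and talks to only three peers. The fan-out rule is the more robust of the two, since the GeoIP lookup is a single request that is easy to miss in sampled logs.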
Discovering related domains with Security Graph
Starting from the landing domain languagespreferably.biz and applying a domain reputation algorithm to the SGraph DNS database, we uncover more than 200 related new suspicious domains serving the Blackhole Exploit Kit, other Exploit Kits, and other malicious campaigns (such as trojan CnC). We also cross-check domain registration dates and look for DNS traffic spikes to these domains.
This constitutes a fast early-detection system for Exploit Kit-weaponized domains (or domains about to be weaponized, or related new suspicious domains destined for other purposes). Many of these EK landing domains are deliberately unstable. We observed that shortly after registration they start resolving to an IP hosting an EK server, trigger a surge in DNS traffic for a few hours, and then go completely silent: the domain stops serving the exploits or simply stops resolving. This is a clear indication that these domains are used in “hit and run” spam mail campaigns. Many of these domains are also quickly sinkholed or suspended by registrars, hence the tendency of criminals to register throw-away domains, use them swiftly, and move on to a new set. We also observed domains registered a couple of months ago that have gone silent since their initial spike in activity. This could be another trick to stay under the radar, evade suspension or sinkholing, and potentially come back in future malicious campaigns. In the figure below, we can see the surge in traffic for a Blackhole landing domain spotted very recently.
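The "surge then silence" shape described above can be scored directly from hourly DNS query counts plus the registration date. The script below is an added example, not the Security Graph reputation algorithm: the domain names, hourly counts and every threshold (surge size, maximum burst length, silence window, "fresh" and "dormant" registration ages) are constructed assumptions to be tuned against a real resolver dataset. It separates the fresh hit-and-run domain, the months-old domain that burst once and went quiet, a domain that is surging right now, and a steady domain with no burst.

```python
"""Classify domains by the hit-and-run DNS shape: short surge after
registration, then silence.  Constructed example, not OpenDNS code.
"""
from datetime import datetime, timedelta

SURGE_QPH = 500         # hourly query count treated as a surge (assumption)
MAX_BURST_HOURS = 24    # a hit-and-run surge lasts hours, not days
MIN_SILENCE_HOURS = 48  # silence after the surge before we call the domain abandoned
FRESH_DAYS = 14         # surge this soon after registration => throw-away domain
DORMANT_DAYS = 60       # registered this long ago, one burst, silent since => possible sleeper


def series_from(start, counts):
    """Constructed helper: consecutive hourly (timestamp, query count) pairs."""
    t0 = datetime.strptime(start, "%Y-%m-%dT%H")
    return [(t0 + timedelta(hours=i), n) for i, n in enumerate(counts)]


def classify(domain, registered, series, now):
    """Return a dict with a label and the measurements it was derived from."""
    surge = [ts for ts, n in series if n >= SURGE_QPH]
    result = {"domain": domain, "days_since_registration": (now - registered).days}
    if not surge:
        result["label"] = "no-surge"
        return result
    start, end = min(surge), max(surge)
    burst_hours = int((end - start) / timedelta(hours=1)) + 1
    last_seen = max(ts for ts, n in series if n > 0)
    silence_hours = int((now - last_seen) / timedelta(hours=1))
    result.update(
        surge_start=start.isoformat(),
        burst_hours=burst_hours,
        silence_hours=silence_hours,
        # surge soon after registration: the throw-away pattern
        fresh_registration=(start - registered) <= timedelta(days=FRESH_DAYS),
    )
    if silence_hours < MIN_SILENCE_HOURS:
        result["label"] = "active-surge"          # serving right now: block first, analyse later
    elif burst_hours > MAX_BURST_HOURS:
        result["label"] = "sustained"             # days of traffic: not the EK hit-and-run shape
    elif result["days_since_registration"] >= DORMANT_DAYS:
        result["label"] = "dormant-after-burst"   # burst months ago, silent since: possible sleeper
    else:
        result["label"] = "hit-and-run"
    return result


# ---- constructed sample: placeholder domains, invented counts ----
NOW = datetime(2013, 9, 6, 6)
SAMPLE = [
    # registered days ago, 4-hour burst, quiet since
    ("example-a.biz", datetime(2013, 8, 30),
     series_from("2013-09-02T08", [0, 0, 1500, 4200, 3900, 800] + [0] * 80)),
    # registered in June, burst once, silent ever since
    ("example-b.net", datetime(2013, 6, 15),
     series_from("2013-06-20T00", [0, 900, 2100, 600] + [0] * 20)),
    # registered two days ago, surging as of the last hour
    ("example-c.info", datetime(2013, 9, 4),
     series_from("2013-09-06T02", [0, 700, 2500, 3100])),
    # old domain with steady low traffic
    ("example-d.org", datetime(2012, 1, 10),
     series_from("2013-09-01T00", [40, 55, 38, 61, 47, 52])),
]


def run(sample=SAMPLE, now=NOW):
    """{domain: label} for the whole sample."""
    return {d: classify(d, reg, series, now)["label"] for d, reg, series in sample}


if __name__ == "__main__":
    for d, reg, series in SAMPLE:
        print(classify(d, reg, series, NOW))
```

The registration date matters as much as the traffic shape: a burst on a domain registered a week earlier is the throw-away case, while the same burst on a domain registered months ago and silent since is the sleeper case, and an in-progress surge is the one to block immediately.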
Furthermore, we can consult URL databases such as VirusTotal or urlquery to identify known active URLs on these domains. With that, one can identify EK landing pages and eventually milk them for malware payloads for further analysis. Note that these EK servers were seen to block certain IP ranges belonging to security companies or Tor proxies, so other measures are needed to circumvent these protective tricks and still retrieve live payloads; this can be discussed in a future blog post.
Below is a sample of confirmed Exploit Kit or suspicious domains:
Acknowledgments: Special thanks to all the great friends from MalwareMustDie (@RazorEQX and @VriesHd and more) for their valuable contribution to the discussion on ZeroAccess and discovery of the initial Blackhole landing domains.