BlockersNorthWe.info Another MSN Spam Domain

December 20, 2008

Hi,

Here is a quick analysis of the latest domain caught by my MSN honeypot.

Today I received the following advisory from an offline contact:

Xxx scrive:
%random2% hello
http://www.BlockersNorthWe.info/ %random3%

Let’s dissect BlockersNorthWe.info

Source code for: http://www.BlockersNorthWe.info/
Server IP: 67.228.41.183 [ 67.228.41.183-static.reverse.softlayer.com ]
hpHosts Status: Not Checked
MDL Status: Not Checked
PhishTank Status: Not Checked
Date: sabato 20 dicembre 2008
Time: 18.01.52.01

<meta HTTP-EQUIV="REFRESH" content="0; url=http://reklam.softreklam.com/affiliates/manage.php?affid=2&o=17&c=17&d=1094">

As you can see, a meta refresh with a delay of 0 is used, which silently redirects you to

http://reklam.softreklam.com/affiliates/manage.php?affid=2&o=17&c=17&d=1094

<script language="JavaScript">
self.moveTo(0,0);self.resizeTo(screen.availWidth,screen.availHeight);setInterval("x()",10);setInterval("y()",500000);self.focus();
function x(){window.status="SOHBET"}
function y(){self.focus()};
</script>

This script maximises the browser window, rewrites the status bar text to "SOHBET" every 10 ms and periodically forces the window back into focus, so the visitor's attention stays on the redirected page.

<meta http-equiv="refresh" content="0;url= http://www.flycell.it/offer/?ref=2900&transid=IT2">

Another meta refresh, this time to http://www.flycell.it/offer/?ref=2900&transid=IT2

This is the destination URL.

As you can see, this time we are dealing with an MSN spam domain.
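As an added example (not code from the original post), the following Python walks a meta-refresh chain offline using constructed copies of the two pages quoted above and lists the hosts a visitor passes through without ever seeing them; the page bodies and the start URL are assumptions modelled on the snippets.

```python
import re
from urllib.parse import urlsplit

# Constructed offline copies of the pages quoted above (assumption: each hop
# answers with exactly this HTML; nothing is fetched from the network).
PAGES = {
    "http://www.BlockersNorthWe.info/":
        '<meta HTTP-EQUIV="REFRESH" content="0; url=http://reklam.softreklam.com/'
        'affiliates/manage.php?affid=2&o=17&c=17&d=1094">',
    "http://reklam.softreklam.com/affiliates/manage.php?affid=2&o=17&c=17&d=1094":
        '<script language="JavaScript">self.focus();</script>'
        '<meta http-equiv="refresh" content="0;url= http://www.flycell.it/offer/?ref=2900&transid=IT2">',
    "http://www.flycell.it/offer/?ref=2900&transid=IT2": "<html><body>landing page</body></html>",
}

META_RE = re.compile(r"<meta\b[^>]*>", re.I)
# attribute parser tolerant of double-quoted, single-quoted and unquoted values
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

def meta_refresh_target(html):
    """Return (delay_seconds, url) of the first refresh meta tag, or None."""
    for tag in META_RE.findall(html):
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                 for m in ATTR_RE.finditer(tag)}
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        # content looks like "<delay>;url=<target>"; spacing around url= varies
        delay, sep, rest = attrs.get("content", "").partition(";")
        m = re.match(r"\s*url\s*=\s*(.+)", rest, re.I)
        if sep and m:
            return int(delay.strip() or 0), m.group(1).strip()
    return None

def follow_chain(start, pages, max_hops=10):
    """Return [(url, refresh_delay)] per hop; delay is None on the final page."""
    chain, url = [], start
    while len(chain) < max_hops:
        hit = meta_refresh_target(pages.get(url, ""))
        chain.append((url, None if hit is None else hit[0]))
        if hit is None:
            break
        url = hit[1]
    return chain

def silent_hops(chain):
    """Hosts the visitor passes through with a zero-second refresh, i.e. never sees."""
    return [urlsplit(url).hostname for url, delay in chain if delay == 0]
```

Calling `follow_chain("http://www.BlockersNorthWe.info/", PAGES)` reproduces the three-hop chain above, and `silent_hops` on it returns the two hosts that are only ever seen in the traffic log.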

Server Type: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
PHP/5.2.6
IP Address: 67.228.41.183

IP Location: Malaysia – Wilayah Persekutuan – Kuala Lumpur – Whei Meng Wong
Response Code: 200
Domain Status: Registered And Active Website

MSN Credentials Theft nustuff4u.com

December 6, 2008

Hi,

My MSN honeypot has just caught another classic MSN credentials theft.

The method is the classic offline message sent by an already compromised contact.

Here is the message:

___________________________

Xxx scrive:
Xxx check out these awesome pics from the awesome party LOL   http://Yyy.nustuff4u.com

__________________________

nustuff4u.com presents the classic form that asks for

MSN E-Mail

MSN Password

and, as usual, the already-seen disclaimer (please refer to my previous MSN-related blog posts).

Now let's investigate this domain a bit.

ICANN Registrar: ENOM, INC.
Created: 2008-12-04
Expires: 2009-12-04
Updated: 2008-12-04
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 151,962 domains)

IP Address: 202.64.61.208
IP Location Hong Kong – Hong Kong (sar) – Hong Kong – Ta_kung_pao

And finally we can see that it is WHOIS-protected:
Domain name: nustuff4u.com

Registrant Contact:
WhoisGuard
WhoisGuard Protected ()


Another MSN Privacy / Spam Threat awesomezz.com

August 21, 2008

Hi,

Thanks to a report from Roberta, I've identified another spam/privacy threat spreading via MSN.

The structure is identical to ultimatestufff; only the end-point domain changes.

Online contacts receive an offline message built like this: http://_mail_address.awesomezz.com (the subdomain is the contact's own mail address).

Let’s dissect it!
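The offline messages quoted in this post and the previous two (a link whose subdomain is the recipient's address, or a message with unexpanded %random% tokens) can be triaged automatically. This is an added example, not code from the original posts; the sample messages and the recipient address alice@example.com are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed offline messages modelled on the ones quoted in these posts;
# alice@example.com is an assumed recipient address, not one from the posts.
RECIPIENT = "alice@example.com"
SAMPLES = [
    "%random2% hello http://www.BlockersNorthWe.info/ %random3%",
    "Xxx check out these awesome pics from the awesome party LOL   http://alice.nustuff4u.com",
    "http://alice_example.com.awesomezz.com",
    "see you tomorrow at 9, slides are at http://intranet.example.com/slides",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# spam kits that fail to expand their templates leave tokens such as %random2%
TEMPLATE_RE = re.compile(r"%random\d*%", re.I)

def triage(message, recipient):
    """Return the reasons an offline message looks like MSN link spam (empty if none)."""
    reasons = []
    if TEMPLATE_RE.search(message):
        reasons.append("unexpanded %random% template token")
    local = recipient.lower().partition("@")[0]
    for url in URL_RE.findall(message):
        host = (urlsplit(url).hostname or "").lower()
        labels = host.split(".")
        # labels left of the registrable name are chosen by the sender; a
        # recipient-specific subdomain is the tell seen with nustuff4u/awesomezz
        if len(labels) > 2 and len(local) >= 3 and any(local in lbl for lbl in labels[:-2]):
            reasons.append(f"recipient address embedded in hostname {host}")
    return reasons

def flag_all(messages, recipient):
    """Map each flagged message to its triage reasons; clean messages are dropped."""
    return {msg: triage(msg, recipient) for msg in messages if triage(msg, recipient)}
```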

From the HTTP headers we can see that this domain is served by a small web server:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 242
Date: Thu, 21 Aug 2008 15:00:41 GMT
Server: lighttpd/1.4.19

And this is the HTML code:

<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>
<frame src="indexx.php" name="">
<frame src="abuse.html" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="counter.php" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
</html>

-> counter.php

<img src="http://www.ipcounter.de/count.php?u=52572355&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript><img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>

-> abuse.html

<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>

-> indexx.php

The approach is always the same: the user lands on a given website by passing through another website that installs tracking cookies. Indeed, as we can see, indexx.php points to Incentaclick:

http://www.incentaclick.com/nclick.php?id=17133&cid=4804&sub=newadx_ita

which transparently (an ordinary user will not notice this hop) sets some cookies:

Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com

The redirection then points to

http://www.flycell.it/offer/?ref=2650&transid=17133-newadx_ita

The pattern is the same as Ultimatestufff.com, with the difference that the end-point seems to be a mobile-phone website; probably the user is still asked to provide MSN credentials.

Here is the domain analysis:

Registry Data

ICANN Registrar: ENOM, INC.
Created: 2008-08-20
Expires: 2009-08-20
Updated: 2008-08-20
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 96,391 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com


Server Data

IP Address: 210.56.53.73
IP Location Hong Kong – Hong Kong (sar) – Hong Kong – Sun Network (hong Kong) Limited
Response Code: 200
Domain Status: Registered And Active Website

See you in the next post.


New MSN Privacy Threat – ultimatestufff.com

August 17, 2008

Hi,

Today I was informed of a new privacy threat spread through MSN.

Offline contacts send the following link to all their online contacts: http://ultimatestufff.com/

Let's see how ultimatestufff works.

From a first look we can see that this web service is surely run from a small private server:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 345
Date: Sun, 17 Aug 2008 13:04:33 GMT
Server: lighttpd/1.4.19

We can tell because lighttpd is used.

The content of the first page is similar to my previous MSN malicious-website discovery; indeed we have:

<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>

<frame src="indexx.php" name="">
<frame src="abuse.html" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="counter.php" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>

</frameset>
</html>

-> abuse.html

<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>

It looks exactly like the previous case, but without the JavaScript obfuscation.

-> counter.php

<img src="http://www.ipcounter.de/count.php?u=52572355&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript><img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>

And finally the most interesting part, indexx.php, which performs a redirection to:

http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx

This time the web service involved is a bigger player: a well-known service, Incentaclick, is used, and it sets some tracking cookies:

HTTP/1.1 200 OK
Date: Sun, 17 Aug 2008 05:06:08 GMT
Server: Apache
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
P3P: CP=”NOI DSP COR NID”
Content-Length: 184
Connection: close
Content-Type: text/html; charset=UTF-8

And this is the source code:

<html><head><title>Incentaclick Media</title><meta http-equiv='refresh' content="0;url=http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx"></head><body></body></html>

As you can see there is a meta refresh that redirects the user (instantly!) to another website:

http://www.perfspot.com/join.asp?languageid=1&p=98958&t=14955-newadx

An ordinary visitor will not see the hop through Incentaclick, but will end up with its cookies.
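As an added example (not code from this post), the following Python parses the Set-Cookie lines quoted above from the Incentaclick hop and reports which persistent cookies were planted by a host the visitor never saw. The hop list, its visibility flags and the response date are constructed from this post; the same check applies unchanged to the awesomezz.com chain in the post above.

```python
from datetime import datetime, timezone

# Constructed hop list for the ultimatestufff.com chain: (hostname, raw
# Set-Cookie header values, visible_to_user). Only the landing page is seen
# by the visitor; the cookie lines are the ones quoted in this post.
HOPS = [
    ("ultimatestufff.com", [], False),
    ("www.incentaclick.com", [
        "IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=.incentaclick.com",
        "IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com",
        "IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=.incentaclick.com",
        "IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com",
    ], False),
    ("www.perfspot.com", [], True),
]
# taken from the Date: header of the Incentaclick response quoted above
RESPONSE_DATE = datetime(2008, 8, 17, 5, 6, 8, tzinfo=timezone.utc)

def parse_set_cookie(raw):
    """Split a Set-Cookie value into (name, value, {lowercase attr: value})."""
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def lifetime_days(attrs, now):
    """Days the cookie outlives the response; 0 for a session cookie."""
    expires = attrs.get("expires")
    if not expires:
        return 0
    when = datetime.strptime(expires, "%a, %d-%b-%Y %H:%M:%S GMT")
    return (when.replace(tzinfo=timezone.utc) - now).days

def hidden_tracking_cookies(hops, now, min_days=7):
    """Persistent cookies (>= min_days) set by hops the visitor never saw."""
    found = []
    for host, cookies, visible in hops:
        if visible:
            continue
        for raw in cookies:
            name, _, attrs = parse_set_cookie(raw)
            days = lifetime_days(attrs, now)
            if days >= min_days:
                found.append((host, name, attrs.get("domain", host), days))
    return found
```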

Perfspot is a website that offers a meeting service.

It's interesting to see that during registration the user is asked to provide an MSN/LinkedIn/Live account, and this is the point where the unwary user allows Perfspot to reach their other contacts.

Another interesting point is that, after you complete the registration, you are automatically taken to a geo-location matching the location of the offline user who sent you the advisory.

Here is the domain information for ultimatestufff.com

Domain Information

ICANN Registrar: ENOM, INC.
Created: 2008-08-15
Expires: 2009-08-15
Updated: 2008-08-15
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 94,989 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com


Server Data

IP Address: 210.56.53.73
IP Location Hong Kong – Hong Kong (sar) – Hong Kong – Sun Network (hong Kong) Limited
Response Code: 200
Domain Status: Registered And Active Website

What can I say... I'm a proud paranoid!!! 🙂

See you in the next post.

PS: I’m open to job offerings! 🙂