FBI Seeking Victims in Operation Ghost Click/DNS Malware Investigation

Published: 2011-11-18
Last Updated: 2011-11-18 21:17:34 UTC
by Kevin Liston (Version: 1)
0 comment(s)

From their press-release:

The FBI is seeking information from individuals, corporate entities and Internet Services Providers who believe that they have been victimized by malicious software (“malware”) related to the defendants. This malware modifies a computer’s Domain Name Service (DNS) settings, and thereby directs the computers to receive potentially improper results from rogue DNS servers hosted by the defendants.

If you believe that you are a victim in this case, the FBI wishes to hear from you.  Submit your report here: https://forms.fbi.gov/dnsmalware

For more information about Operation Ghost Click:


0 comment(s)

Fujacks Variant Using ACH Lure (more accurately Blackhole spreading Zeus via ACH Lure)

Published: 2011-11-18
Last Updated: 2011-11-18 21:11:09 UTC
by Kevin Liston (Version: 3)
4 comment(s)

During my shift we received and email claiming to be from "The Electronic Payments Association" with the subject of "Rejected ACH transfer."  It informed us that our ACH transfer was "canceled by the other financial institution," and provided a link to the supporting documentation.

If you click on the link (hXXp://masterwall.com.au/8ymksg/index.html -- I'm sharing the link so you can check you logs) you'll go off on a short trip through a few sites (and pull down some Google Ads-- you might want to look at who's making money off of that Google,) and eventually if you're running a system vulnerable to CVE-2010-1885 you'll eventually install a loader for what Ikarus is calling Worm.Win32.Fujack.o.

I've spent more time informing webmasters than really analyzing the code, but that's usually how it goes.

The defaced sites have all be informed.  I've sent a message to the main hosting site as well (but don't expect and answer.)

The particular indicators for this event:

Initial defaced site: hXXp://masterwall.com.au/8ymksg/index.html

Intermediate sites can be pulled from the wepawet report here: http://wepawet.iseclab.org/view.php?hash=26a057f6807d39560631bfe7039d78ad&t=1321628919&type=js

The endpoint (the one you want to block and search your logs for: hXXp://aquasrc.com/w.php?f=100&e=8

The MD5 of what I pulled down: b4d9e3639b1bb326938efd9b6700f26d

This will install itself on the victim's machine and autostart after reboot, it will also try to spread via internal network shares.

I haven't spotted what it uses for it's command and control yet, so all I know for certain is that it spreads.  I hope to update this later with the C&C server details.


The malware looks to be a variant of the banking trojan Zeus.  Look in your DNS logs for systems requesting quiversea.com.

Update 2:

As Chris W points out below, this appears to be a Blackhole exploit kit.  So the cited CVE above is simply the exploit that was appropriate for the honey-monkey visiting the site, it'll identify the victim's system and send an appropriate exploit.

Keywords: worm
4 comment(s)

Recent VMWare security advisories

Published: 2011-11-18
Last Updated: 2011-11-18 13:50:23 UTC
by Kevin Liston (Version: 1)
0 comment(s)

VMWare released a new advisory, and updated a security advisory yesterday.


0 comment(s)
ISC StormCast for Friday, November 18th 2011 http://isc.sans.edu/podcastdetail.html?id=2143


Diary Archives