Jump to bottom for update list of malicious URLs
If you drive in a city with toll roads, you are familiar with the E-Z Pass System. If you are, you may have been tempted to click on an email that looked like this:
But the destination websites are certainly not on E-Z Pass's domains!
date | subject | sender_name
------------+---------------------------------------+---------------------------------
2014-07-08 | In arrears for driving on toll road | E-ZPass Collection Agency
2014-07-08 | In arrears for driving on toll road | E-ZPass Info
2014-07-08 | In arrears for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | In arrears for driving on toll road | E-ZPass Info
2014-07-08 | Indebted for driving on toll road | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebted for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebted for driving on toll road | E-ZPass Info
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Pay for driving on toll road | E-ZPass Info
2014-07-08 | Payment for driving on toll road | E-ZPass Info
2014-07-08 | Payment for driving on toll road | E-ZPass Info
2014-07-08 | Payment for driving on toll road | E-ZPass Info
When we visit one of the URLs, we are prompted to download a .zip file, containing a .exe file.
machine | path
---------------------------+-------------------------------------------------------------------
www.federalparts.com.ar | /tmp/api/3eLv aFKXBvmuxydKFVfEZIMWSl7f4VJfOpfcdAHPeo=/toll
www.fiestasnightclub.com | /tmp/api/kJ1a5XRhE7MM9YhRVR1186why1TgPCPH7aieECyjb I=/toll
www.flavazstylingteam.com | /tmp/api/vBrLdEDWRK4sXs6KaHEbWzHnbEYIFSo42BZvGd4crCY=/toll
www.fleavalley.com | /tmp/api/ycI2IRHcInDd1/cetyLMZMjwyxKxTAEHFkjk1dRUfYs=/toll
www.frazeryorke.com | /wp-content/api/LtvaZdAvP3GFuaqyulY/C3haFCeID3krbtMHt52cdnM=/toll
www.fsp-ugthuelva.org | /tmp/api/fMVyiIXcbY9gamr17zPrnhTgz2Zvs825GTmvvRjlTIA=/toll
www.fyaudit.eu | /components/api/yiBOsvUdvftbCd4Fa1zmVtIkbs4x3ThiUnFoIgwyI9Q=/toll
www.giedrowicz.pl | /tmp/api/R4a4iKmACUtWoRHq1DsCiQ1aH 3J7QgBMfp1zq8gqj8=/toll
www.gostudy.ca | /components/api/Q/sV7HtfnZGOW4lzlLSfFuKM/lLu8LQmOlT TVXKb2o=/toll
www.graphiktec.com | /tmp/api/nZbX6I6vYQrsTlY4OAw44Qq96Lnw/JOoLDdBmdLh21M=/toll
www.h2oasisinc.com | /components/api/BivlBt/AhVodCMM9zRuvcQpIyG2X6Knd8sERnP1 QDA=/toll
www.habicher.eu | /tmp/api/yra96tiDlyYbYxsbJpr/hDVSPmwh6GKYLF6PaD3nUAI=/toll
www.grupoancon.com | /components/api/6jI99hwDmjAvkEvuX8JvVSkS3InPtLii ZN3dbIVkOM=/toll
www.happymaree.com.au | /tmp/api/d4ik5Y2GvCVSSJQhXI9wYYpBvxjLS78peeRYMKV0V7c=/toll
www.headspokerfest.com | /tmp/api/RTuPCuYLjaj1KnTeJrMlCoH9HL4IixR eBvajB6TCeE=/toll
www.headspokerfest.com | /tmp/api/43J6l5G/CkNp6kmGl0b jUY/oOL4411pPds8nylDE5g=/toll
Both are conveniently named for the City and ZIP Code from which we are connected.
For example:
At Malcovery Security, we've been tracking the ASProx botnet for some time. Most of these IP addresses were already known to belong to the ASProx botnet for some time. This is the same botnet that sent the Holiday Delivery Failure spam imitating Walmart, CostCo, and BestBuy over the holidays and that send the Court Related Malware through the early months of 2014.
76.74.184.127:443
113.53.247.147:443
50.57.139.41:8080
188.165.192.116:8080
82.150.199.140:8080
203.157.142.2:8080
212.45.17.15:8080
92.240.232.232:443
188.165.192.116:8080
Thanks to some updates from new friends on Twitter, we wanted to give an update on what we are seeing in the Malcovery Spam Data Mine. Because every advertised URL is unique, we have taken the approach of replacing the "unique stuff" with "...STUFF..." in the URLs below. The important part is that we realize that anything that you see in your logs that includes either "tmp/api" or "wp-content/api" or "components/api" and then some "STUFF" and then "=/toll" is going to be one of these URLs that is part of the current E-Z Pass spam, which began on July 8th and is still continuing here on July 12th. If you have access to Very Large Logs, we'd love to get YOUR URLs of this pattern to see if we can help webmasters identify and shut this stuff down. Note the alphabetical progression through compromised domain names? These are sorted by timestamp, not by domain name. It just so happens those are the same thing. We believe the criminals have a very large list of pre-compromised domains that they can use at will. Possibly these are just harvested passwords from other malware campaigns.
This malware is the ASProx malware. If anyone has more details on the "what happens next?" part of the malware, please do share. What we have observed and been told is that infected machines are primarily used for advertising click-fraud, but happy to learn more about those aspects and share what we learn.
| 2014-07-08 10:15:00-05 | www.fiestasnightclub.com | "/tmp/api/..STUFF…=/toll |
| 2014-07-08 11:15:00-05 | www.flavazstylingteam.com | "/tmp/api/..STUFF…=/toll |
| 2014-07-08 11:20:00-05 | www.fleavalley.com | "/tmp/api/..STUFF…=/toll |
| 2014-07-08 13:20:00-05 | www.fsp-ugthuelva.org | "/tmp/api/..STUFF…=/toll |
| 2014-07-08 13:30:00-05 | www.frazeryorke.com | "/wp-content/api/…STUFF…=/toll |
| 2014-07-08 14:10:00-05 | www.fyaudit.eu | "/components/api/…STUFF…=/toll |
| 2014-07-08 15:30:00-05 | www.giedrowicz.pl | "/tmp/api/..STUFF…=/toll |
| 2014-07-08 16:40:00-05 | www.gostudy.ca | "/components/api/…STUFF…=/toll |
| 2014-07-08 17:45:00-05 | www.graphiktec.com | "/tmp/api/..STUFF…=/toll |
| 2014-07-08 18:45:00-05 | www.h2oasisinc.com | "/components/api/…STUFF…=/toll |
| 2014-07-08 18:50:00-05 | www.habicher.eu | "/tmp/api/..STUFF…=/toll |
| 2014-07-08 19:00:00-05 | www.grupoancon.com | "/components/api/…STUFF…=/toll |
| 2014-07-08 19:20:00-05 | www.headspokerfest.com | "/tmp/api/..STUFF…=/toll |
| 2014-07-08 19:30:00-05 | www.happymaree.com.au | "/tmp/api/..STUFF…=/toll |
| 2014-07-09 01:10:00-05 | www.ingersollpharmasave.ca | "/components/api/…STUFF…=/toll |
| 2014-07-09 01:30:00-05 | www.improlabsa.com | "/components/api/…STUFF…=/toll |
| 2014-07-09 01:45:00-05 | www.innovem.nl | "/components/api/…STUFF…=/toll |
| 2014-07-09 02:00:00-05 | www.intelliwaste.net | "/components/api/…STUFF…=/toll |
| 2014-07-09 04:15:00-05 | www.investment-mastery.com | "/wp-content/api/…STUFF…=/toll |
| 2014-07-09 05:50:00-05 | www.islandbiblechapel.com | "/tmp/api/..STUFF…=/toll |
| 2014-07-09 06:15:00-05 | www.ironstoneranch.com | "/tmp/api/..STUFF…=/toll |
| 2014-07-09 13:00:00-05 | www.klaafalaaf.de | "/components/api/…STUFF…=/toll |
| 2014-07-09 20:00:00-05 | www.listerus-capital.com | "/components/api/…STUFF…=/toll |
| 2014-07-10 00:10:00-05 | www.learn-a-language.eu | "/components/api/…STUFF…=/toll |
| 2014-07-10 06:30:00-05 | www.mindsolutions.sk | "/components/api/…STUFF…=/toll |
| 2014-07-10 07:15:00-05 | www.mintom.it | "/components/api/…STUFF…=/toll |
| 2014-07-10 14:00:00-05 | www.moretrends.de | "/tmp/api/..STUFF…=/toll |
| 2014-07-10 15:00:00-05 | www.nortech.com.au | "/components/api/…STUFF…=/toll |
| 2014-07-10 18:30:00-05 | www.p-press.com | "/components/api/…STUFF…=/toll |
| 2014-07-11 00:00:00-05 | www.porno-sexshop.ch | "/tmp/api/..STUFF…=/toll |
| 2014-07-11 01:00:00-05 | www.powiatstargardzki.eu | "/components/api/…STUFF…=/toll |
| 2014-07-11 02:00:00-05 | www.projectstc.org | "/components/api/…STUFF…=/toll |
| 2014-07-11 08:15:00-05 | www.radmotors.com.pl | "/components/api/…STUFF…=/toll |
| 2014-07-11 10:10:00-05 | www.reportsolutions.com | "/components/api/…STUFF…=/toll |
| 2014-07-11 16:00:00-05 | www.search4staff.com | "/components/api/…STUFF…=/toll |
| 2014-07-11 18:00:00-05 | www.sirman.us | "/tmp/api/..STUFF…=/toll |
| 2014-07-11 20:30:00-05 | www.stjosephbristol.org | "/components/api/…STUFF…=/toll |
| 2014-07-11 21:15:00-05 | www.stpat.nsw.edu.au | "/components/api/…STUFF…=/toll |
| 2014-07-12 15:00:00-05 | avauncemarketing.net | "/wp-content/api/…STUFF…=/toll |