Gadi Evron
Wed, 27 Aug 2008 18:30:05 -0700
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Live malware URL. Wachovia "phish" page (not really):
h ttp://c ommercial.wachovia.online.financial.service.doexte.updatesessiondqvciirbte9vjbq.configlogin.viewcontent.moerde.com/verify.html?/Secure/rnalid/OSL.htm?LOB=3712470458&refer=qVciirbTe9Vjbqe
...trying to con victims into d/l'ing:
h ttp://c ommercial.wachovia.online.financial.service.doexte.updatesessiondqvciirbte9vjbq.configlogin.viewcontent.moerde.com/WachoviaDigicertx_509.exe
...which is, itself, a binary downloader that snags:
h ttp://s pacestormsinc.com/cb_4.exe
It's one of those bogus "to improve security of your online transactions with us you need to install new certificates"
As to AV detection... cb4.exe already submitted to VT by someone else, so that's easy:
http://www.virustotal.com/analisis/26917950a0987fc0a10505bb90032439
And the .EXE from the website:
http://www.virustotal.com/analisis/a5cd05390c94eee03b8fb78feb7ddf42
VERY spotty detection.. what else is new.
Gadi.
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
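Added example, not part of the original post: a small triage check for the hostname pattern reported above, where the bank's name sits in a subdomain label while the registered domain belongs to someone else. The `BRANDS` watch list, the two-label registered-domain heuristic, the label threshold and the `https://www.wachovia.com/` control are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: watched brand keyword -> domains that brand really uses.
BRANDS = {"wachovia": {"wachovia.com"}}
EXEC_EXT = (".exe", ".scr", ".pif")
MAX_LABELS = 5  # assumption: more hostname labels than this is worth a look

# Host and paths as defanged in the post; the last entry is a constructed control.
PHISH_BASE = ("h ttp://c ommercial.wachovia.online.financial.service.doexte."
              "updatesessiondqvciirbte9vjbq.configlogin.viewcontent.moerde.com")
SAMPLES = [
    PHISH_BASE + "/verify.html?/Secure/rnalid/OSL.htm?LOB=3712470458&refer=qVciirbTe9Vjbqe",
    PHISH_BASE + "/WachoviaDigicertx_509.exe",
    "h ttp://s pacestormsinc.com/cb_4.exe",
    "https://www.wachovia.com/",
]

def refang(text):
    """Undo the list's space-based defanging so the URL can be parsed."""
    return re.sub(r"\s+", "", text)

def triage(url):
    """Return (registered_domain, findings) for one possibly defanged URL."""
    parts = urlsplit(refang(url))
    labels = (parts.hostname or "").split(".")
    # Naive heuristic: last two labels. Production code should consult the
    # Public Suffix List so that names under e.g. co.uk are handled correctly.
    registered = ".".join(labels[-2:])
    findings = []
    for brand, legit in BRANDS.items():
        # Brand name used as a subdomain label of an unrelated domain.
        if brand in labels[:-2] and registered not in legit:
            findings.append(f"brand '{brand}' in subdomain of {registered}")
    if len(labels) > MAX_LABELS:
        findings.append(f"{len(labels)} hostname labels")
    if parts.path.lower().endswith(EXEC_EXT):
        findings.append("path ends in an executable extension")
    return registered, findings

if __name__ == "__main__":
    for sample in SAMPLES:
        domain, hits = triage(sample)
        print(domain, "->", "; ".join(hits) or "no findings")
```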