iPhone Unlocking Themed Malware Campaign Spamvertised

UPDATED: Sunday, April 18, 2010: The folks at EmergingThreats pinged me on the fact that, immediately after this brief assessment went public, the cybercriminals moved iphone-iphone.info to 174.37.172.68 (SoftLayer Technologies Inc.). Currently responding to the same IP are also the following domains, known to have been connected with previous malware campaigns: startexag.com (Email: venterprize@gmail.com), exposingpics.com, and animezhd.com.

Researchers from BitDefender are reporting on a currently spamvertised malware campaign using an "Unlock, Jailbrake and 'hack'tivate iPhone 3.1.3" theme.

The spamvertised domain iphone-iphone.info (188.210.236.181; Email: iphone-iphone.info@protecteddomainservices.com) entices the end user into downloading the malware from pepd.org/blackra1n.exe (188.210.236.109; Email: pepd.org@protecteddomainservices.com). The filename borrows that of the legitimate blackra1n jailbreak tool, and both domains sit in the same 188.210.236.0/24 netblock behind the same WHOIS privacy service.

Detection rate: blackra1n.exe – Trojan.BAT.AACL – Result: 10/40 (25%). The malware itself attempts to change the default DNS settings on infected hosts to 188.210.236.250 (188-210-236-250.hotnet.ro), AS39443, HOTNET-AS SC Hot Net SRL, Baia de Aries, Nr 3, Bl 5B, Sc A, Ap 39, Bucuresti, 6, i.e. the same netblock that hosts the spamvertised domain and the payload. With the resolver under their control, the operators can redirect any lookup from the infected host (banking sites, AV update servers) without touching the browser, and because the setting is written as a static server it persists across reboots until the NameServer value is reset and the resolver cache flushed.

Creates the following registry entry in an attempt to change default DNS settings:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = 188.210.236.250

Creates the following processes (command lines as captured):
C:\WINDOWS\system32\NETSH.EXE interface ip set dns "Local Area Connection" static 188.210.236.250
C:\WINDOWS\system32\NETSH.EXE interface ip set dns "wireles network connection" static 188.210.236.250
Both are started with creation flags CREATE_DEFAULT_ERROR_MODE | CREATE_SUSPENDED. Note the malware's own misspelling of "wireless": netsh matches the adapter name literally, so the second command only takes effect on a host whose adapter is named exactly that way, while the first hits the default name of a wired adapter on XP.
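As an added example that is not part of the original post, the following Python detection logic turns the two indicators above (a NameServer write under Tcpip\Parameters\Interfaces and a netsh "set dns ... static" command) into a check that can run over sandbox or EDR process-creation and registry events. The allow-list of legitimate resolvers, the event line format and the sample events are assumptions constructed for this example; the parser also accepts the newer name=/source=/addr= netsh syntax and "add dns", which the captured commands do not use.

```python
"""Flag DNS-resolver changes in sandbox or EDR events, the way blackra1n.exe
made them: a NameServer registry write and a netsh "set dns ... static" call.
Added example; the event format and allow-list below are assumptions."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Resolvers this environment is expected to use. Assumed for the example;
# a real deployment would take these from DHCP scope or DNS policy.
ALLOWED_DNS = {"10.0.0.53", "8.8.8.8", "8.8.4.4"}

# netsh interface ip set dns [name=]"IFACE" [source=]static|dhcp [addr=]IP
NETSH_SET_RE = re.compile(
    r'netsh(?:\.exe)?:?\s+interface\s+ip(?:v4)?\s+set\s+dns(?:servers)?\s+'
    r'(?:name=)?"?(?P<iface>[^"]+?)"?\s+(?:source=)?(?P<mode>static|dhcp)'
    r'(?:\s+(?:addr(?:ess)?=)?(?P<ip>\S+))?',
    re.I,
)
# netsh interface ip add dns [name=]"IFACE" [addr=]IP [index=N]
NETSH_ADD_RE = re.compile(
    r'netsh(?:\.exe)?:?\s+interface\s+ip(?:v4)?\s+add\s+dns(?:servers)?\s+'
    r'(?:name=)?"?(?P<iface>[^"]+?)"?\s+(?:addr(?:ess)?=)?(?P<ip>\S+)',
    re.I,
)
# HKLM\SYSTEM\ControlSet00N\Services\Tcpip\Parameters\Interfaces\{GUID} "NameServer" = a.b.c.d[,e.f.g.h]
REG_NS_RE = re.compile(
    r'(?:HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\'
    r'Tcpip\\Parameters\\Interfaces\\(?P<iface>\{[0-9A-F-]+\})\s+"NameServer"\s*=\s*(?P<ips>\S+)',
    re.I,
)


@dataclass
class Finding:
    source: str       # "netsh" or "registry"
    interface: str    # adapter name or interface GUID
    servers: list     # resolver IPs the event configures
    suspicious: bool  # any server outside the allow-list
    event: str


def _parse_ips(raw):
    """Split 'a,b' (optionally quoted) into validated IP strings; drop junk."""
    ips = []
    for tok in raw.strip('"').split(","):
        tok = tok.strip()
        try:
            ip_address(tok)
        except ValueError:
            continue
        ips.append(tok)
    return ips


def analyze(events, allowed=ALLOWED_DNS):
    """Return one Finding per event that sets resolvers; DHCP resets are ignored."""
    findings = []
    for event in events:
        m = NETSH_SET_RE.search(event)
        if m and m.group("mode").lower() == "dhcp":
            continue  # reverting to DHCP is not a hijack
        if m is None:
            m = NETSH_ADD_RE.search(event)
        if m:
            ips, src = _parse_ips(m.group("ip") or ""), "netsh"
        else:
            m = REG_NS_RE.search(event)
            if m is None:
                continue
            ips, src = _parse_ips(m.group("ips")), "registry"
        if not ips:
            continue
        findings.append(Finding(src, m.group("iface"), ips,
                                any(ip not in allowed for ip in ips), event))
    return findings


def hijack_resolvers(findings, allowed=ALLOWED_DNS):
    """Sorted list of resolver IPs introduced by suspicious events."""
    return sorted({ip for f in findings if f.suspicious
                   for ip in f.servers if ip not in allowed})


# Constructed events modelled on the blackra1n.exe sandbox report; not a real capture.
SAMPLE_EVENTS = [
    r'CreateProcess: C:\WINDOWS\system32\NETSH.EXE: interface ip set dns "Local Area Connection" static 188.210.236.250',
    r'CreateProcess: C:\WINDOWS\system32\NETSH.EXE: interface ip set dns "wireles network connection" static 188.210.236.250',
    r'RegSetValue: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = 188.210.236.250',
    # Benign administrative activity that must not be flagged
    r'CreateProcess: netsh interface ip set dns name="Local Area Connection" source=static addr=10.0.0.53',
    r'CreateProcess: netsh interface ip set dns "Local Area Connection" dhcp',
    r'CreateProcess: C:\WINDOWS\system32\ipconfig.exe /flushdns',
    r'RegSetValue: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = "8.8.8.8,8.8.4.4"',
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(("HIJACK " if f.suspicious else "ok     ") + f"{f.source:8} {f.interface!r} -> {','.join(f.servers)}")
    print("rogue resolvers:", hijack_resolvers(found))
```

Matching on the command line rather than on the image name matters here: the malware runs the real NETSH.EXE, so the process itself is legitimate and only its arguments (static resolver, unexpected address) give it away, and the registry rule catches the same change when it is made through the API without spawning netsh at all.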

From Romania, with DNS-changing malware.

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Author: Dancho Danchev
