A new round of PDF exploits is being pushed by websites posing as the US Federal Reserve. Several spammed email messages advertising these fake Federal Reserve pages have been intercepted since last week.
Figure 1. Sample email message.
This spam run is still continuing as of this writing, and it is now advertising more bogus sites. So far, the malicious sites use the following domains:
These domains all resolve to a single IP address, with a relatively short DNS TTL (time to live) of 3600 seconds. What is peculiar about these domains is that when a user on OpenDNS browses to the prepared site, OpenDNS reports that the site does not load. The same lookups through other ISPs' nameservers resolved normally, and the bogus Fed pages loaded.
Figure 2. Bogus US Federal Reserve website.
After a restart, the infected machine regularly sends out malformed HTTPS transactions (at an interval of 6.5 seconds) to a certain server. The transactions can be considered malformed because the SSL handshake that normal SSL websites perform is missing from this HTTPS traffic; even so, the traffic is still encrypted in some fashion. This type of HTTPS bot was first spotted a few months earlier.
The regularity of the HTTPS traffic suggests that this is a botnet with a Web-based C&C. This is certainly an improvement over the Web-based bots of old, whose traffic was seen in plaintext. The botherders have made it a point to hide their bots' network activity from IDSes (intrusion detection systems) by encrypting the traffic. Note, though, that the encryption does not make the bot invisible: a connection to port 443 that never sends a TLS ClientHello, repeated every 6.5 seconds, is itself a network signature an IDS can match even without seeing the payload. Makes one wonder what else the bad guys have in store for us.
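The two observable traits above, traffic on the HTTPS port that never begins with a TLS ClientHello and connections spaced at a near-constant interval, can be turned into a simple detector. The following is an added example written for this post, not Trend Micro's code or any product's detection logic. The flow records, hosts and payload bytes are constructed for illustration; the ClientHello check only inspects the TLS record header and handshake type, and the beacon check flags source/destination pairs whose inter-connection gaps have low jitter.

```python
"""Flag port-443 flows that skip the TLS handshake and beacon on a fixed interval.

Added example, not code from the original post. The flow records below are
constructed for illustration; the hosts and payload bytes are hypothetical.
"""
from statistics import mean, pstdev


def is_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the first bytes sent by the client look like a TLS ClientHello.

    TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
    2-byte record length, then handshake message type 0x01 (ClientHello).
    """
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] in (0x00, 0x01, 0x02, 0x03)
            and first_bytes[5] == 0x01)


def beacon_score(timestamps):
    """Return (mean_interval, jitter_ratio) for a list of connection times.

    jitter_ratio = population stdev of the gaps / mean gap; a value near 0
    means the connections are evenly spaced. Needs at least three connections.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_handshakeless_beacons(flows, max_jitter=0.1, min_flows=4):
    """Group port-443 flows by (src, dst) and report groups in which no flow
    starts with a ClientHello and the connections are regularly spaced."""
    groups = {}
    for f in flows:
        if f["dport"] != 443:
            continue
        groups.setdefault((f["src"], f["dst"]), []).append(f)

    hits = []
    for (src, dst), fs in groups.items():
        if len(fs) < min_flows:
            continue
        # A real TLS session always opens with a ClientHello; skip those pairs.
        if any(is_tls_client_hello(f["payload"]) for f in fs):
            continue
        score = beacon_score([f["ts"] for f in fs])
        if score is None:
            continue
        interval, jitter = score
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "count": len(fs),
                         "interval_s": round(interval, 2)})
    return hits


# Constructed sample: a bot contacting a server every 6.5 s with opaque bytes,
# and a normal browser session to another host that sends a proper ClientHello.
REAL_HELLO = bytes.fromhex("160301006a010000660303")  # TLS record + ClientHello
BOT_BLOB = bytes.fromhex("9f3ac1d50e7b44a2b6e0")       # no TLS record header

SAMPLE_FLOWS = (
    [{"ts": 100.0 + i * 6.5, "src": "10.0.0.7", "dst": "198.51.100.23",
      "dport": 443, "payload": BOT_BLOB} for i in range(6)]
    + [{"ts": 100.0 + i * 37.0, "src": "10.0.0.7", "dst": "203.0.113.5",
        "dport": 443, "payload": REAL_HELLO} for i in range(6)]
)

if __name__ == "__main__":
    for hit in find_handshakeless_beacons(SAMPLE_FLOWS):
        print(hit)
```

On the constructed sample this reports the 10.0.0.7 to 198.51.100.23 pair with a 6.5-second interval and ignores the browser session. The check is deliberately narrow: it catches a bot that encrypts its payload but does not bother with a real handshake, and it will not catch one that performs a genuine TLS handshake, so it belongs beside URL and IP blocking rather than in place of it.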
Trend Micro Smart Protection Network already blocks the spammed message as well as the malicious URLs involved in this and previous PDF exploit threats.