Archive for the ‘Spam’ Category

Fake UPS spam distributes Trojan Bredolab

In early December I wrote about a fake DHL spam campaign that was distributing Trojan Bredolab. The new campaign is very similar to the last one, but this time the messages purport to come from UPS.

Example

Subject: UPS Tracking Number 5845190

“Hello!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service of America.”

[attachment: UPS_invoice_NR12944.zip]

VirusTotal results for the attachment can be found here. Domains and IPs known to be contacted by Trojan Bredolab are listed below (date:URL, resolved IP).

20091217:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091227:hxxp://preflopp.com, 95.211.8.170
20100105:hxxp://greatmoder.cn, 122.115.63.19
20100108:hxxp://213.108.56.125, 213.108.56.125

Fake DHL Spam Distributes Bredolab

Watch out for the fake DHL emails claiming your item wasn’t shipped.

e.g.

“Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services.”

The email contains the following attachment

“DHL_Office_Get_Your_Parcel_NR.4957.zip”

The attachment is detected as TrojanDownloader:Win32/Bredolab.AB. Win32/Bredolab is a downloader that retrieves and executes arbitrary files from a remote host. Additional information can be found here. At the time of writing this sample is detected by 27 out of 41 antivirus vendors.

Bredolab drop sites observed (date:URL, resolved IP):

20091201:hxxp://greatmoder.cn, 125.65.110.46
20091201:hxxp://statcount.cn, 218.93.205.228
20091202:hxxp://greatmoder.cn, 125.65.110.46
20091202:hxxp://youaskedthedomain.cn, 91.213.126.93
20091203:hxxp://greatmoder.cn, 125.65.110.46
20091203:hxxp://youaskedthedomain.cn, 91.213.126.93
20091204:hxxp://greatmoder.cn, 125.65.110.46
20091204:hxxp://youaskedthedomain.cn, 91.213.126.93
20091205:hxxp://greatmoder.cn, 125.65.110.46
20091205:hxxp://youaskedthedomain.cn, 91.213.126.93
20091206:hxxp://91.213.126.93, 91.213.126.93
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://youaskedthedomain.cn, 91.213.126.93
20091207:hxxp://youaskedthedomain.cn, 91.213.126.93
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091217:hxxp://mmsfoundsystem.ru, 193.104.12.20

List of Zeus/Zbot Command and Control Servers

Over the past few months there have been a number of ongoing spam campaigns distributing Zeus/Zbot. You might have read about a few of them, or you may have fallen victim to one. A good source of information regarding the Zbot/Zeus spam campaigns can be found here.

When Zbot/Zeus is executed it drops a copy of itself in the system folder (C:\Windows\System32). It also modifies the registry so that it runs each time Windows starts. Examples of the registry keys that are added or modified can be found here.

The bot covertly injects additional HTML form fields into online banking pages as they are rendered in the victim's browser (a man-in-the-browser attack driven by the web-inject rules in the bot's configuration file), asking users to answer questions that the authentic website would never ask. The harvested answers are then forwarded to a remote database silently in the background, with the victim never realizing what happened. The image below is a graphical representation that gives you an idea of how this works.

[Image: example of injected HTML]

Zbot/Zeus sends stolen information and receives instructions by contacting specific hosts/IPs that are hardcoded into the binary. From the samples I have seen, the following URL paths are being used by Zbot/Zeus to phone home (fetching its configuration file and posting stolen data):

/rec.php
/ip.php
/config.bin
/cfg.bin
/cfg2.bin
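As an added example (not part of the original posts, and not code from malc0de), the Python below turns the indicator lists above and the Zeus/Zbot phone-home paths into simple detection logic: it parses the `date:hxxp://host, ip` format used in the Bredolab posts, dedupes repeated entries while keeping the earliest sighting, and then scans Squid-format proxy log lines for requests to a listed host/IP or for any of the phone-home paths, whatever host they are requested from. The indicators are copied from this page; the proxy log lines, client addresses and unlisted hosts in them are constructed for the example.

```python
"""Match proxy logs against the Bredolab host/IP list and Zeus/Zbot URL paths.

Added example, not from the original posts. Indicators are copied from the
lists on this page; the log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit

# Indicator list in the page's own "YYYYMMDD:hxxp://host, ip" format.
# The repeated mmsfoundsystem.ru lines mirror the duplicates in the post.
BREDOLAB_IOCS = """
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091208:hxxp://mmsfoundsystem.ru/, 193.104.12.20
20091217:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091227:hxxp://preflopp.com, 95.211.8.170
20100105:hxxp://greatmoder.cn, 122.115.63.19
20100108:hxxp://213.108.56.125, 213.108.56.125
20091206:hxxp://youaskedthedomain.cn, 91.213.126.93
"""

# Zeus/Zbot phone-home paths listed in the post; matched on any host.
ZBOT_PATHS = {"/rec.php", "/ip.php", "/config.bin", "/cfg.bin", "/cfg2.bin"}

# date : scheme (defanged hxxp or plain http) :// host [/] , ip
IOC_LINE = re.compile(r"^(\d{8}):(hxxps?|https?)://([^/\s,]+)/?,\s*(\S+)$")


def parse_iocs(text):
    """Return {indicator: first_seen_date} for every host and IP in the list.

    Duplicate entries collapse to one key; the earliest YYYYMMDD wins
    (string comparison is safe because the date format is fixed-width).
    """
    iocs = {}
    for line in text.strip().splitlines():
        m = IOC_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing
        seen, _scheme, host, ip = m.groups()
        for indicator in (host.lower(), ip):
            iocs[indicator] = min(iocs.get(indicator, seen), seen)
    return iocs


# Constructed Squid native access.log lines (not real traffic):
# time elapsed client action/code size method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1262649600.123    45 10.0.0.7 TCP_MISS/200 1842 GET http://greatmoder.cn/ldr/go.php - DIRECT/122.115.63.19 text/html
1262649601.456    12 10.0.0.7 TCP_MISS/200 6021 GET http://192.0.2.10/config.bin - DIRECT/192.0.2.10 application/octet-stream
1262649602.789   300 10.0.0.9 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1262649603.012    40 10.0.0.7 TCP_MISS/200 230 POST http://cnc.example.net/rec.php - DIRECT/198.51.100.5 text/html
"""


def scan_log(log_text, iocs, zbot_paths=ZBOT_PATHS):
    """Return one alert dict per log line that hits an indicator.

    A line is flagged when the requested host or the peer IP Squid actually
    connected to is in the indicator set, or when the URL path is one of the
    Zeus/Zbot phone-home paths (checked independently of the host, since the
    C&C list is never complete).
    """
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # not a full Squid record
        client, method, url, hierarchy = fields[2], fields[5], fields[6], fields[8]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        peer_ip = hierarchy.split("/", 1)[1] if "/" in hierarchy else ""
        reasons = []
        for indicator in (host, peer_ip):
            if indicator and indicator in iocs:
                reasons.append(("ioc", indicator))
        if parts.path.lower() in zbot_paths:
            reasons.append(("zbot_path", parts.path.lower()))
        if reasons:
            alerts.append({"client": client, "method": method, "url": url, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, parse_iocs(BREDOLAB_IOCS)):
        print(alert["client"], alert["method"], alert["url"], alert["reasons"])
```

Host matching alone misses a bot that has moved to a new server, which is why the path check runs on every request; conversely, a hit on a path like `/ip.php` on a host you already know is benign is a lead to confirm, not a verdict, so both reason types are kept in the alert for the analyst.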

Searching the malware database I maintain reveals a list of C&C servers geographically dispersed around the globe. The list of domains/IPs is rather large, so I consolidated it into a text file that can be found here. Converting the IP addresses to latitude and longitude generates the red dots on the map below, which represent the C&C servers.

An updated list of domains distributing Zeus/Zbot can be found at the following link:  malc0de.com Zbot Domains

promed-net[dot]com acting as malware distribution point

The domain promed-net[dot]com, currently registered and hosted with GoDaddy, has been acting as a malware distribution point for at least the past 30 days, serving malware such as Win32.Krap.ah and Trojan:Win32/Hiloti.genA. I've also seen this domain participating in several of the many ongoing Trojan Zeus/Zbot spam campaigns, the latest being fake CDC emails claiming you need to set up an H1N1 profile.

Example

“You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people”

If you click the link and run what it offers, you end up with the notorious Trojan Zbot installed on your system, which then contacts promed-net[dot]com to install additional malware. One example can be seen in this ThreatExpert report. More information can be found here.

Fake Verizon Wireless Spam Distributes Trojan.Sasfis

A fake Verizon Wireless email with the subject “Your credit balance is over its limit” is currently making the rounds.

Dear Verizon Wireless customer,

Your credit balance is over its limit. Please use the attached Verizon Wireless Balance Checker Tool to review and analyze your payments.

Yours sincerely,
Verizon Wireless Customer Services

The email carries an attachment called “balancechecker.zip”, which is really Trojan Sasfis/Oficla. If executed, Sasfis runs silently in the background and downloads and installs additional malware.

http://www.virustotal.com/analisis/c98767c0a51b0ca83d1708beb89f03296394f11f4fd17fc93f3b6d6fbf1686a9-1258535039
