Malc0de » Spam

Fake UPS spam distributes Trojan Bredolab

JD — Wed, 13 Jan 2010 04:15:51 +0000

Early December I wrote about a fake DHL spam campaign which was found to be distributing Trojan Bredolab. The new spam campaign is very similar to the last but this time appears to be from UPS.

Example

Subject: UPS Tracking Number 5845190

“Hello!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service of America.

[attachment UPS_invoice_NR12944.zip"

VirusTotal results for the attachment can be found here. Domains known to be contacted by Trojan Bredolab listed below.

20091217:http://mmsfoundsystem.ru, 193.104.12.20
20091227:http://preflopp.com, 95.211.8.170
20100105:http://greatmoder.cn, 122.115.63.19
20100108:http://213.108.56.125, 213.108.56.125

Fake DHL Spam Distributes Bredolab

JD — Thu, 17 Dec 2009 20:20:09 +0000

Watch out for the fake DHL emails claiming your item wasn’t shipped.

e.g.

“Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services.”

The email contains the following attachment

“DHL_Office_Get_Your_Parcel_NR.4957.zip”

Which is detected as TrojanDownloader:Win32/Bredolab.AB. Win32/Bredolab is a downloader which is able to download and execute arbitrary files from a remote host. Additional information can be found here Currently this sample is detected by 27 out of 41 antivirus vendors.

List of Bredolab drop sites being used.

20091201:hxxp://greatmoder.cn, 125.65.110.46
20091201:hxxp://greatmoder.cn, 125.65.110.46
20091201:hxxp://statcount.cn, 218.93.205.228
20091201:hxxp://statcount.cn, 218.93.205.228
20091202:hxxp://greatmoder.cn, 125.65.110.46
20091202:hxxp://youaskedthedomain.cn, 91.213.126.93
20091203:hxxp://greatmoder.cn, 125.65.110.46
20091203:hxxp://youaskedthedomain.cn, 91.213.126.93
20091204:hxxp://greatmoder.cn, 125.65.110.46
20091204:hxxp://youaskedthedomain.cn, 91.213.126.93
20091205:hxxp://greatmoder.cn, 125.65.110.46
20091205:hxxp://youaskedthedomain.cn, 91.213.126.93
20091205:hxxp://youaskedthedomain.cn, 91.213.126.93
20091206:hxxp://91.213.126.93, 91.213.126.93
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://youaskedthedomain.cn, 91.213.126.93
20091206:hxxp://youaskedthedomain.cn, 91.213.126.93
20091207:hxxp://youaskedthedomain.cn, 91.213.126.93
20091207:hxxp://youaskedthedomain.cn, 91.213.126.93
20091207:hxxp://youaskedthedomain.cn, 91.213.126.93
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091208:hxxp://mmsfoundsystem.ru/, 193.104.12.20
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091217:hxxp://mmsfoundsystem.ru, 193.104.12.20

List of Zeus/Zbot Command and Control Servers

JD — Thu, 17 Dec 2009 04:26:14 +0000

Over the past few months there has been a number of ongoing spam campaigns that have been distributing Zeus/Zbot. You might have read about a few of them or you may have fallen victim. A good source of information regarding the zbot/zeus spam campaigns can be found here.

When Zbot/Zeus is executed it will drop a copy of itself in the system folder (c:/windows/system32). It also modifies the registry in order to execute each time Windows starts. Examples of which registry keys are added/modified can be found here

The bot uses covert methods of injecting additional fields into online Internet banking websites, asking users to answer questions that the authentic website would not ask. This information is then forwarded to a remote database silently in the background with the victim never realizing what happened. The image below is a graphical representation that gives you an idea how this works.

Example of injected HTML

Zbot/Zeus sends information and receives instructions by contacting specific IP’s that are hardcoded into the binary. From the samples I have seen the following file names are being used by zbot/zeus to phone home.

/rec.php
/ip.php
/config.bin
/cfg.bin
/cfg2.bin

Searching the malware database I maintain reveals a list of C&C servers geographically dispersed around the globe. The list of domains/IP’s is rather large so I just consolidated into a text file that can be found here. Converting the IP addresses to latitude and longitude generate the red dots on the map below which represent the C&C servers.

An updated list of domains distributing Zeus/Zbot can be found at the following link: malc0de.com Zbot Domains

promed-net[dot]com acting as malware distribution point

JD — Wed, 02 Dec 2009 05:23:44 +0000

The domain promed-net[dot]com which is currently registered/hosted with Go-Daddy has been acting as a malware distribution point for at least the past 30 days. Malware such as Win32.Krap.ah and Trojan:Win32/Hiloti.genA. I’ve also seen this domain participating in several of the many ongoing Trojan Zeus/Zbot Spam campaigns. The latest being Fake CDC emails claiming you need to set up a H1N1 profile.

Example

“You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people”

If you happen to click the link you now have the notorious Trojan Zbot installed on your system which will then contact promed-net[dot]com to install additional malware. One example can be seen in this ThreatExpert report. More information can be found here.

Fake Verizon Wireless Spam Distributes Trojan.Sasfis

JD — Thu, 19 Nov 2009 02:35:15 +0000

A fake Verizon Wireless email with the subject “Your credit balance is over its limit” is currently making rounds.

Dear Verizon Wireless customer,

Your credit balance is over its limit. Please use the attached Verizon Wireless Balance Checker Tool to review and analyze your payments.

Yours sincerely,
Verizon Wireless Customer Services

The email contains an attachment called “balancechecker.zip” which is really Trojan Sasfis/Oficla. If executed Sasfis will run silently in the background and download and install additional malware.

http://www.virustotal.com/analisis/c98767c0a51b0ca83d1708beb89f03296394f11f4fd17fc93f3b6d6fbf1686a9-1258535039

Fake IRS sites distribute Zbot Variants

JD — Fri, 02 Oct 2009 02:08:40 +0000

The distribution of Zbot continues, this time by a file called tax-statement.exe and domains named (irs.gov.fedas1ao.com, irs.gov.y11derd.com, irs.gov.juhh1wo.com). Its unclear what the initial vector is however given the way the domains and file name have been crafted its likely related to spam. All the domains being used so far and the dates they were first seen can be found here.

Upon execution of tax-statement.exe the following changes will be made to the registry.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
UID = “%ComputerName%_0002DE7F”

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]

{3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
{33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0×00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Cookies =
History =

From a network perspective the following GET requests are generated

http://195.93.208.18/lcc/ip.gif

http://195.93.208.18/ip.php

Threat characteristics of ZBot – banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.