Wednesday, June 24, 2009

Malware in the Mail (Email that is!)

May was a slow month for e-mail based malware, but the cyber criminals are certainly making up for their earlier decline now!

We're currently receiving malware in at least five separate spam campaigns, with almost all of them being sent for the primary purpose of stealing login credentials.

The current campaign causing the most concern for us is the Microsoft Outlook Critical Update spam. This campaign comes in a very official-looking email like this:



using one of these subject lines:

Critical Update for Microsoft Outlook
Install Critical Update for Microsoft Outlook
Install Update for Microsoft Outlook
Microsoft has released an update for Microsoft Outlook
Microsoft Outlook Critical Update
Microsoft Outlook Update
Update for Microsoft Outlook

The link in the email sends the reader to a website that looks like this:



This is actually an image from one of the 79 different domain names used in this spam campaign, including these:

update.microsoft.com.11hilf.com
update.microsoft.com.11hilf.net
update.microsoft.com.1llijk.com
update.microsoft.com.1llijk.net
update.microsoft.com.hfhilf.com
update.microsoft.com.hfhilf.net
update.microsoft.com.i11lih11.net
update.microsoft.com.i11lih1h.com
update.microsoft.com.i11lih1i.net
update.microsoft.com.i11lih1l.net
update.microsoft.com.i11lihff.com
update.microsoft.com.i11lihhf.net
update.microsoft.com.i11lihjl.com
update.microsoft.com.il1if1.com.mx
update.microsoft.com.il1ifi.com.mx
update.microsoft.com.il1il1.com.mx
update.microsoft.com.il1ilf.com.mx
update.microsoft.com.il1ili.com.mx
update.microsoft.com.il1lhh.com
update.microsoft.com.il1lhh.net
update.microsoft.com.il1lkh.com
update.microsoft.com.il1lkh.net
update.microsoft.com.ilfh1l1.com
update.microsoft.com.ilfl1i1.com
update.microsoft.com.ilfl1i1.net
update.microsoft.com.ilfl1l1.com
update.microsoft.com.ilfl1l1.net
update.microsoft.com.ilkfhl.com
update.microsoft.com.ilkih1.com
update.microsoft.com.ilkihf.com
update.microsoft.com.ilkihi.com
update.microsoft.com.ilkihl.com
update.microsoft.com.ill1ki1.com
update.microsoft.com.ill1ki1.net
update.microsoft.com.ill1kil.com
update.microsoft.com.ill1kil.net
update.microsoft.com.ill1kj1.com
update.microsoft.com.ill1kj1.net
update.microsoft.com.illihil.com
update.microsoft.com.illihil.net
update.microsoft.com.illikj1.com
update.microsoft.com.illikj1.net
update.microsoft.com.illl1i1.com
update.microsoft.com.illl1i1.net
update.microsoft.com.illlhi1.com
update.microsoft.com.illlhi1.net
update.microsoft.com.illlkh.com
update.microsoft.com.illlkh.net
update.microsoft.com.kiffi1.net
update.microsoft.com.kil1i1.com
update.microsoft.com.kilji1.net
update.microsoft.com.lifl1i.com
update.microsoft.com.liflh1.com
update.microsoft.com.liflh1.net

We have now received nearly 1,000 unique copies of this email, and have shared this information with appropriate Microsoft staff.

File size: 82432 bytes
MD5: abadbbb846c07f71d4fb16dbde1cb561

VirusTotal shows 14 of 41 detects (25JUN09 AM)

This campaign is especially significant in that it ties to the dominant password stealing malware on the planet today, called "Zbot", which is short for the "Zeus Botnet". In this particular set of malware, the stolen login credentials are sent to the Ukrainian IP address 91.206.201.6, using the domain name "labormi.com".

This malware is especially interesting because it is clearly associated with a set of phishing sites which have been the most heavily spammed phishing campaign for a long time. Currently there is an active Bank of America phishing campaign and an active JP Morgan Chase phishing campaign using the same domain names as the Microsoft Critical Update malware distribution campaign:



With domain names like:

www.bankofamerica.com.srv_17481139.ilkihl.com
www.bankofamerica.com.srv_77255264.ilkihi.com
www.bankofamerica.com.srv_26074.illihil.net
www.bankofamerica.com.srv_23785.kil1i1.com
www.bankofamerica.com.srv_38240.i11lih11.net
www.bankofamerica.com.srv_0608182.illihil.com
www.bankofamerica.com.srv_5153760.11hilf.com
www.bankofamerica.com.srv_7149153.kilji1.net
www.bankofamerica.com.srv_1200324.hfhilf.net
www.bankofamerica.com.srv_2106519.i11lihjl.com
www.bankofamerica.com.srv_868.ilkihf.com
www.bankofamerica.com.srv_61740630.ilfl1i1.com
www.bankofamerica.com.srv_8801497.kiffi1.net
www.bankofamerica.com.srv_47472.illlhi1.net
www.bankofamerica.com.srv_7270.illl1i1.net
www.bankofamerica.com.srv_93286884.i11lih1l.net
www.bankofamerica.com.srv_2008.illl1i1.com
www.bankofamerica.com.srv_18698.i11lihff.com
www.bankofamerica.com.srv_02777.ilkih1.com
www.bankofamerica.com.srv_89863570.ilfh1l1.com
www.bankofamerica.com.srv_61788547.i11lih1i.net
www.bankofamerica.com.srv_56884.ilfl1l1.net
www.bankofamerica.com.srv_3582.hfhilf.com
www.bankofamerica.com.srv_22741023.ilfl1l1.com



with domain names like:

chaseonline.chase.com.iilhiff.net
chaseonline.chase.com.11ilhjlh.net
chaseonline.chase.com.iilhifi.net
chaseonline.chase.com.11ilhj11.net
chaseonline.chase.com.11ilhjll.net
chaseonline.chase.com.iljilfi.net
chaseonline.chase.com.11ilhjjh.net
chaseonline.chase.com.1iiljf.com
chaseonline.chase.com.iljil1f.net
chaseonline.chase.com.iilhifh.net
chaseonline.chase.com.iljil1l.net
chaseonline.chase.com.iilhif1.net
chaseonline.chase.com.11ilhjl1.net
chaseonline.chase.com.iilhifl.net
chaseonline.chase.com.11ilhjlf.net
chaseonline.chase.com.iljil1i.net
chaseonline.chase.com.1iiljj.com
chaseonline.chase.com.11ilhjif.net
chaseonline.chase.com.liflhi.com
chaseonline.chase.com.11ilhjli.net
chaseonline.chase.com.iljil1l.com
chaseonline.chase.com.iljil1i.com
chaseonline.chase.com.1iilji.com
chaseonline.chase.com.iljilfi.com
chaseonline.chase.com.liflh1.net
chaseonline.chase.com.iljil1f.com
chaseonline.chase.com.i11lihjl.com
chaseonline.chase.com.liflh1.com
chaseonline.chase.com.ilkihf.com
chaseonline.chase.com.i11lih1l.net
chaseonline.chase.com.i11lihhf.net
chaseonline.chase.com.lillh1.com
chaseonline.chase.com.liljh1.com
chaseonline.chase.com.lifl1i.com
chaseonline.chase.com.liljh1.net
chaseonline.chase.com.lillh1.net
chaseonline.chase.com.11ilhjf1.net
chaseonline.chase.com.iljil11.net
chaseonline.chase.com.liflhi.net
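Every hostname in the three lists above (the fake Microsoft update sites, the Bank of America phish and the Chase phish) follows the same trick: the real brand's domain is placed in the leading labels of a hostname whose registrable domain is something else entirely, such as 11hilf.com or ilkihl.com. The check below, an added example that is not code from the original post, splits a hostname into its registrable domain and flags any hostname where a protected brand domain appears as a contiguous run of labels outside its own registrable domain. The public-suffix set is a small constructed subset covering only the suffixes that occur on this page (an assumption; a real deployment would load the full Public Suffix List), and the protected-brand set is likewise constructed from the brands named in the post.

```python
"""Flag hostnames that embed a trusted brand's domain inside an unrelated
registrable domain (e.g. update.microsoft.com.11hilf.com).

Added example for this post; not code from the original article.
"""

# Constructed subset of public suffixes (assumption): just enough to cover
# the hostnames shown in the post. Production code should use the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "com.mx", "be", "de"}

# Constructed from the brands named in the post. A hostname is legitimate only
# when one of these is its registrable domain, never when it is a subdomain
# prefix of something else.
PROTECTED_DOMAINS = {"microsoft.com", "bankofamerica.com", "chase.com"}


def registrable_domain(hostname: str) -> str:
    """Return the eTLD+1 of hostname using the constructed suffix set.

    Two-label suffixes (com.mx) are tried before one-label suffixes so that
    il1if1.com.mx is returned rather than com.mx.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    # Unknown suffix: fall back to the whole name (see caveat in the note).
    return hostname.lower()


def brand_impersonation(hostname: str):
    """Return the brand domain a hostname impersonates, or None.

    A hostname impersonates a brand when the brand's labels occur as a
    contiguous, dot-delimited run inside it while the registrable domain is
    something other than the brand itself.
    """
    host = hostname.lower().rstrip(".")
    reg = registrable_domain(host)
    for brand in PROTECTED_DOMAINS:
        if reg == brand:
            continue  # genuinely hosted under the brand's own domain
        # Dot-bracketing both sides avoids matching e.g. notmicrosoft.com.
        if ("." + brand + ".") in ("." + host + "."):
            return brand
    return None


def scan(hostnames):
    """Return (hostname, impersonated brand, registrable domain) for each hit."""
    hits = []
    for name in hostnames:
        brand = brand_impersonation(name)
        if brand is not None:
            hits.append((name, brand, registrable_domain(name)))
    return hits


if __name__ == "__main__":
    # Constructed sample mixing names from the post with legitimate ones.
    sample = [
        "update.microsoft.com",
        "update.microsoft.com.11hilf.com",
        "update.microsoft.com.il1if1.com.mx",
        "www.bankofamerica.com.srv_868.ilkihf.com",
        "chaseonline.chase.com.iilhiff.net",
        "www.chase.com",
    ]
    for name, brand, reg in scan(sample):
        print(f"{name}: impersonates {brand}, actually registered as {reg}")
```

Running this over the lists in the post reduces the 79 update hostnames and the two phishing lists to a short set of registrable throwaway domains, which is the level at which you would block or sinkhole. The fallback in registrable_domain is the weak spot of the constructed suffix set: a real brand hostname under a suffix not in the set (microsoft.com.au, for instance) would be flagged, so use the full Public Suffix List before trusting the output.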

Detecting ZBot Activity on your Network



One of the primary indicators of ZBot activity may be a computer which is fetching a ".bin" file from a remote computer. Zeus nodes do "context specific" keylogging. They are configured by updating a ".bin" file, which, after being decoded by the bot, will reveal a particular list of websites for which this node is supposed to steal passwords. In most cases, these are financial institutions' websites. In addition to stealing passwords, injection of additional "personal information" questions is possible.

If you have nodes on your network downloading ".bin" files, it would be a good idea to do a Google search using that domain name to see if you can find evidence that this is a Zeus node or Zbot node. For example, after being infected with the fake Microsoft Update malware above, our computers make a connection to "labormi.com" and fetch a file "lbr.bin". If we search Google for "labormi.com" and "zeus" we would quickly be able to see that this is a known Zeus controller, and we would know that the computer fetching this file is infected with a ZBot.
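The two paragraphs above describe exactly the sort of rule that can be run over a web proxy log: raise an alert for any client fetching a ".bin" file from a host you do not already trust, and for any contact with a host already identified as a Zeus controller. The script below is an added example, not code from the original post. It parses a constructed proxy log in a simple space-separated format (an assumption; adapt the regex to your proxy's actual format), uses the controller indicators the post gives (labormi.com, djellow.com and 91.206.201.6), and treats the allowlist of hosts from which ".bin" downloads are expected as a constructed placeholder.

```python
"""Flag ZBot-style ".bin" configuration fetches and contacts with known Zeus
controllers in a web proxy log.

Added example for this post; not code from the original article.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the post itself.
KNOWN_CONTROLLERS = {"labormi.com", "djellow.com", "91.206.201.6"}

# Constructed allowlist (assumption): hosts that legitimately serve .bin files
# on this network, e.g. an internal firmware or update server.
BIN_ALLOWLIST = {"updates.example.internal"}

# Constructed sample log. Format assumed: "<time> <client> <method> <url> <status> <bytes>"
SAMPLE_LOG = """\
2009-06-24T09:01:12 10.0.0.15 GET http://update.microsoft.com.11hilf.com/ 200 5120
2009-06-24T09:01:19 10.0.0.15 GET http://update.microsoft.com.11hilf.com/update.exe 200 82432
2009-06-24T09:02:03 10.0.0.15 GET http://labormi.com/lbr.bin 200 4096
2009-06-24T09:02:30 10.0.0.15 POST http://labormi.com/upload 200 0
2009-06-24T09:05:44 10.0.0.22 GET http://updates.example.internal/firmware/rev3.bin 200 1048576
2009-06-24T09:07:10 10.0.0.31 GET http://www.example.org/index.html 200 2048
2009-06-24T09:09:55 10.0.0.31 GET http://91.206.201.6/cfg.bin 404 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    time, client, method, url, status, size = m.groups()
    return {"time": time, "client": client, "method": method,
            "url": url, "status": int(status), "bytes": int(size)}


def analyse(log_text: str):
    """Return one alert per suspicious request, in log order.

    A request is suspicious if its host is a known controller, or if it
    fetches a .bin path from a host outside the allowlist. The attempt itself
    is the indicator, so a 404 response is still reported.
    """
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        host = parts.hostname or ""
        reasons = []
        if host in KNOWN_CONTROLLERS:
            reasons.append("known Zeus controller")
        if parts.path.lower().endswith(".bin") and host not in BIN_ALLOWLIST:
            reasons.append(".bin fetch from non-allowlisted host")
        if reasons:
            alerts.append({"time": rec["time"], "client": rec["client"],
                           "host": host, "url": rec["url"], "reasons": reasons})
    return alerts


def bin_fetchers(alerts):
    """Map each client to the sorted hosts it pulled .bin files from.

    This is the list to take to a search engine, as the post suggests, when
    the host is not already a known controller.
    """
    hosts = defaultdict(set)
    for a in alerts:
        if any(r.startswith(".bin") for r in a["reasons"]):
            hosts[a["client"]].add(a["host"])
    return {client: sorted(h) for client, h in hosts.items()}


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for a in found:
        print(f"{a['time']} {a['client']} -> {a['url']}: {'; '.join(a['reasons'])}")
    print("clients fetching .bin files:", bin_fetchers(found))
```

On the constructed log this reports the lbr.bin fetch and the follow-up POST from 10.0.0.15 to labormi.com, and the cfg.bin request from 10.0.0.31 to 91.206.201.6, while the internal firmware download on 10.0.0.22 stays quiet because its host is allowlisted. The first two lines, the visit to the lookalike update site, are not caught by this rule; that is the job of a hostname check like the one in the previous section, and the two are worth running side by side.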

Other malware in the mail



There were several other malware-laden email messages we received today, just look at this inbox!!!



These messages looked like this . . .



"Unluckily we can't bring your parcel that was sent . . . "

Even more unluckily if you install the invoice they ask you to click on from:

http://ribboninn.com/ djellow.exe

Another email, pretending to be a fake "greeding card" (yeah, fooled me!) also linked to a "djellow" executable:



using the website http://76380.webhosting29.1blu.de/

Why would the malware be named "djellow.exe"? Because it also is a ZBot installer. And where is its Zeus controller? Why, on the website "djellow.com" of course!

But here is the best part . . .

The IP address for djellow.com? 91.206.201.6 ! The same as the Zeus controller for the fake Microsoft update!

We also received a ZBot claiming to be a "Statement Request".



This one asks us to "look at the statement on your account. The statement was issued today upon request, and your data has been successfully altered."

Of course the link to http://artemaliciacapoeira.be (slash) rep_7330.exe is yet another ZBot install!


Our last ZBot of the day came in looking like this:



and came from the site:

http://javiercubel.com (slash) video.exe

File size: 82432 bytes
MD5: 4456e181232270adf022f682e8595ef3

This one turns out to be a slightly older ZBot. VirusTotal reports it's detected by more than half of the 41 anti-virus products they test:

Virus Total Report

More Naked Celebrities



The last round of malware today was naked celebrity spam. Subject lines included:

Best Hottest video! All Over The Net!
CNN NEWS.
Download video!
hottest movies updates
New portal of mad videos! Click Here!


With the entire message body as a link to the malware at:

ad-videozz.com (slash) movie.avi.exe

Message bodies included things like:

Jessica Alba Nude! The Dark Angel returns, but this time naked! Well, maybe not.
Jessica Alba nude is a fantasy for most straight men though.

Paris Hilton Video.
Information and links about the public scandal around Paris Hilton's alleged sex tape.

Private has gathered together a steamy collection of some of their best hardcore action, starring horny hotties like Sophie Evans, Patricia, Sandra Russo.

Janet Jackson Superbowl Scandal! Click below to see.

Tennis star Anna Kournikova can't play tennis, but she can strut her stuff!

Angelina Jolie Nude. Click below to see.


This malware isn't another ZBot though - this one is good old-fashioned ScareWare.

File size: 132096 bytes
MD5: 0029a989eb18e4215b122a3d565c7b3a

VirusTotal currently shows it detected by 10 of 41 anti-virus products:

Virus Total Report
