Monday, November 23, 2009

UAB Spam Data Mine finds Social Security Statement Zeus Bot

I'm frequently asked how it is that the UAB Spam Data Mine is consistently among the first in reporting new spam campaigns that contain harmful malware. I thought I would show you the manual version of the process this morning.

We start by finding the "top subjects" for the current time period. Because the UAB Spam Data Mine now processes inbound spam every 15 minutes, and the timestamp of each run is embedded in the message_id, we can run a query to identify the top spam campaigns of the previous 15-minute run, such as:

select count(subject), subject from spam where message_id like '%09Nov23.0715%' group by subject order by count(subject) desc;

Look for something interesting, such as:

53 | Watch for errors on Social Security statement
53 | Watch for errors on your Social Security statement
45 | Review your annual Social Security statement

In the previous 15-minute period (the 0700 run), nothing with "Social Security" showed up in the top 100 subjects. Now we have three items in the top 25. By the time I finished writing this article, the 0730 and 0745 runs were complete, and we now have more than 600 samples of the spam. However, using the techniques we've developed for "emerging threat detection", we were aware of the campaign immediately, when the 0715 run showed subjects that were not present in the 0700 run.

Then we dig in with a subject-specific search that joins the messages to the links they carry:

select a.subject, b.machine, b.path from spam a, spam_link b where a.message_id = b.message_id and a.subject like '%Social Security statement%';


Bingo! 200 results, with machine/path pairs like:

statements.ssa.gov.fawaazq.be | /acu/IPS_INTR/controller.php
statements.ssa.gov.reedask.be | /acu/IPS_INTR/controller.php

Let's get JUST the list of machines used:

select machine from spam_link where machine like 'statements.ssa.gov%' group by machine;
machine
-------------------------------
statements.ssa.gov.reedasn.be
statements.ssa.gov.fawaazv.be
statements.ssa.gov.fawaazc.be
statements.ssa.gov.reedasg.be
statements.ssa.gov.ujbhgk.be
statements.ssa.gov.ujbhgx.be
statements.ssa.gov.fawaazs.be
statements.ssa.gov.fawaaza.be
statements.ssa.gov.ujbhgv.be
statements.ssa.gov.fawaaze.be
statements.ssa.gov.reedasu.be
statements.ssa.gov.reedasv.be
statements.ssa.gov.reedask.be
statements.ssa.gov.ujbhgz.be
statements.ssa.gov.fawaazz.be
statements.ssa.gov.reedasj.be
statements.ssa.gov.fawaazx.be
statements.ssa.gov.reedasb.be
statements.ssa.gov.fawaazf.be
statements.ssa.gov.ujbhgq.be
statements.ssa.gov.reedaso.be
statements.ssa.gov.ujbhgb.be
statements.ssa.gov.fawaazq.be
statements.ssa.gov.reedasm.be
statements.ssa.gov.ujbhgm.be
statements.ssa.gov.reedast.be
statements.ssa.gov.fawaazr.be
statements.ssa.gov.fawaazd.be
statements.ssa.gov.reedash.be
statements.ssa.gov.ujbhga.be
statements.ssa.gov.fawaazw.be
statements.ssa.gov.reedasy.be
(32 rows)

(Update: There are now 80 known machines for this campaign. Here is how many emails we have seen pointing at each one as of 8:20 PM Central time.)

729 | statements.ssa.gov.reedasv.be
431 | statements.ssa.gov.reedasm.be
395 | statements.ssa.gov.fawaaze.be
386 | statements.ssa.gov.fawaazx.be
378 | statements.ssa.gov.reedasg.be
360 | statements.ssa.gov.fawaazf.be
337 | statements.ssa.gov.fawaazz.be
317 | statements.ssa.gov.fawaazd.be
304 | statements.ssa.gov.ujbhgm.be
281 | statements.ssa.gov.reedasb.be
271 | statements.ssa.gov.ujbhgz.be
263 | statements.ssa.gov.reedast.be
254 | statements.ssa.gov.reedask.be
253 | statements.ssa.gov.fawaazw.be
242 | statements.ssa.gov.fawaaza.be
224 | statements.ssa.gov.ujbhgv.be
222 | statements.ssa.gov.fawaazv.be
209 | statements.ssa.gov.ujbhgc.be
199 | statements.ssa.gov.reedasj.be
197 | statements.ssa.gov.ujbhga.be
186 | statements.ssa.gov.reedaso.be
183 | statements.ssa.gov.fawaazq.be
181 | statements.ssa.gov.ujbhgj.be
170 | statements.ssa.gov.ujbhgq.be
166 | statements.ssa.gov.ujbhgx.be
161 | statements.ssa.gov.ujilld.be
160 | statements.ssa.gov.fawaazs.be
160 | statements.ssa.gov.ujillv.be
154 | statements.ssa.gov.ujillx.be
153 | statements.ssa.gov.uhyuhd.be
152 | statements.ssa.gov.ujbhgn.be
149 | statements.ssa.gov.fawaazr.be
147 | statements.ssa.gov.uhyuhu.be
144 | statements.ssa.gov.ujilln.be
136 | statements.ssa.gov.uhyuhl.be
132 | statements.ssa.gov.ujillc.be
131 | statements.ssa.gov.uhyuha.be
129 | statements.ssa.gov.ujillb.be
125 | statements.ssa.gov.ujills.be
125 | statements.ssa.gov.uhyuhj.be
125 | statements.ssa.gov.ujille.be
119 | statements.ssa.gov.uhyuhq.be
117 | statements.ssa.gov.ujillr.be
116 | statements.ssa.gov.gredfe.be
110 | statements.ssa.gov.reedasn.be
108 | statements.ssa.gov.ujillf.be
107 | statements.ssa.gov.uhyuhe.be
105 | statements.ssa.gov.gredve.be
101 | statements.ssa.gov.fawaazc.be
97 | statements.ssa.gov.reedasy.be
94 | statements.ssa.gov.grezfe.be
91 | statements.ssa.gov.uhyuho.be
86 | statements.ssa.gov.reedasu.be
83 | statements.ssa.gov.uhyuhg.be
76 | statements.ssa.gov.ujillw.be
75 | statements.ssa.gov.grenfe.be
74 | statements.ssa.gov.grewfe.be
72 | statements.ssa.gov.ujbhgk.be
58 | statements.ssa.gov.uhyuht.be
49 | statements.ssa.gov.ytttdsj.be
46 | statements.ssa.gov.ytttdsv.be
43 | statements.ssa.gov.ujbhgb.be
43 | statements.ssa.gov.ytttdsn.be
39 | statements.ssa.gov.reedash.be
38 | statements.ssa.gov.ytttdsk.be
38 | statements.ssa.gov.ytttdse.be
37 | statements.ssa.gov.ytttdsb.be
36 | statements.ssa.gov.ytttdsh.be
34 | statements.ssa.gov.ytttdsm.be
32 | statements.ssa.gov.ytttdsf.be
29 | statements.ssa.gov.ytttdso.be
29 | statements.ssa.gov.nionuie.be
28 | statements.ssa.gov.ytttdsy.be
27 | statements.ssa.gov.ytttdsu.be
27 | statements.ssa.gov.nionuis.be
26 | statements.ssa.gov.nionuia.be
25 | statements.ssa.gov.nionuig.be
22 | statements.ssa.gov.nionuiq.be
21 | statements.ssa.gov.nionuib.be
21 | statements.ssa.gov.nionuid.be
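The naming pattern in that list is the interesting part: every host is a throwaway .be domain (reedas*, fawaaz*, ujbhg*, ytttds*, ...) with "statements.ssa.gov." bolted on as a subdomain prefix so the URL looks like the real SSA site to a casual reader. The following Python script, added here as an example and not part of the original post or the UAB Spam Data Mine, turns such a host list into a registrable-domain blocklist, flags hosts that carry a watched domain as a deceptive prefix rather than as their real suffix, and groups the domains into families. The two-label registrable-domain rule, the watch list and the drop-the-last-letter family heuristic are assumptions made for the example.

```python
"""Spoofed-prefix check and domain-family grouping for campaign hosts.

Added example, not code from the original post. Hostnames of the form
statements.ssa.gov.<random>.be are reduced to their registrable domain,
checked for a watched brand appearing as a deceptive subdomain prefix,
and grouped into families by a shared stem.
"""
from collections import defaultdict

# Constructed sample: a subset of the hosts listed above, plus two
# contrasting entries (the genuine SSA host and a host on one of the
# same .be domains that does not spoof anything).
SAMPLE_HOSTS = [
    "statements.ssa.gov.reedasv.be",
    "statements.ssa.gov.reedasm.be",
    "statements.ssa.gov.fawaaze.be",
    "statements.ssa.gov.fawaazx.be",
    "statements.ssa.gov.ujbhgm.be",
    "statements.ssa.gov.ytttdsj.be",
    "statements.ssa.gov.nionuie.be",
    "statements.ssa.gov",      # the real SSA host: must not be flagged
    "www.fawaaze.be",          # same registrable domain, no spoof prefix
]

# Assumed watch list: domains that should only ever appear as a host's
# real suffix, never as an inner label sequence.
WATCHED_DOMAINS = ["ssa.gov"]


def registrable_domain(host: str) -> str:
    """Return the last two labels, e.g. 'reedasv.be'.

    Assumption: two-label registrable domains. Multi-label public
    suffixes (co.uk, com.au, ...) need a public-suffix list; this keeps
    the example offline.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spoofed_brand(host: str):
    """Return the watched domain that `host` imitates as an inner label
    sequence, or None if the host is genuinely under (or never mentions)
    every watched domain."""
    h = host.lower().rstrip(".")
    for brand in WATCHED_DOMAINS:
        if h == brand or h.endswith("." + brand):
            continue                     # legitimately under the brand
        # Dot-delimit both sides so 'ssa.gov' cannot match 'nssa.gov'.
        if ("." + brand + ".") in ("." + h + "."):
            return brand
    return None


def family_stem(reg_domain: str) -> str:
    """Map 'reedasv.be', 'reedasm.be', ... to 'reedas*.be'.
    Heuristic assumption: the campaign varies only the final letter."""
    name, _, tld = reg_domain.rpartition(".")
    return f"{name[:-1]}*.{tld}"


def summarize(hosts):
    """Return (flagged hosts, {family: [domains]}, sorted blocklist)."""
    flagged = [h for h in hosts if spoofed_brand(h)]
    families = defaultdict(set)
    for h in flagged:
        families[family_stem(registrable_domain(h))].add(registrable_domain(h))
    blocklist = sorted({registrable_domain(h) for h in flagged})
    return flagged, {k: sorted(v) for k, v in families.items()}, blocklist


if __name__ == "__main__":
    flagged, families, blocklist = summarize(SAMPLE_HOSTS)
    for h in flagged:
        print(f"SPOOF {spoofed_brand(h):<8} {h}")
    for fam, members in sorted(families.items()):
        print(f"{fam:<12} {', '.join(members)}")
    print("blocklist:", ", ".join(blocklist))
```

The blocklist is keyed on the registrable domain, not the full hostname: the attacker controls every label to the left of the .be registration, so blocking only "statements.ssa.gov.reedasv.be" invites a trivial rename. The family stems are what you would hand to the .be registry, since they show the domains were registered as a batch.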


Looks serious. Let's pull a list of all the unique subjects:

select a.subject from spam a, spam_link b
where a.message_id = b.message_id and
b.machine like 'statements.ssa.gov%'
group by a.subject order by a.subject;

subject
----------------------------------------------------
Review annual Social Security statement
Review your annual Social Security statement
Watch for errors on Social Security statement
Watch for errors on your Social Security statement
(4 rows)
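To tie the queries above together, here is a self-contained Python/SQLite version of the whole workflow, added as an example rather than code from the UAB Spam Data Mine: it recreates the spam and spam_link tables with constructed rows for a 0700 and a 0715 run, runs the top-subjects query per run, flags subjects that appear in a run's top list but were absent from the previous run (the emerging-threat check), pivots from subject to landing host, and pivots back from host to every subject using that infrastructure. The column names and the 15-minute run timestamp embedded in message_id are inferred from the queries in the post; the schema, the row data and the function names are assumptions.

```python
"""Emerging-campaign detection over a spam corpus (added example, not the
UAB Spam Data Mine's own code). Recreates the `spam` and `spam_link`
tables the post's queries use, with constructed rows, and runs the same
pivots against them.
"""
import sqlite3

# Assumed schema; only the columns the post's queries touch are known.
SCHEMA = """
CREATE TABLE spam (message_id TEXT PRIMARY KEY, subject TEXT, sender TEXT);
CREATE TABLE spam_link (message_id TEXT, machine TEXT, path TEXT);
"""


def _rows():
    """Constructed sample: 0700 is background noise; in 0715 the SSA lure
    appears, spread over throwaway hosts. The run id ('09Nov23.0715') is
    embedded in message_id, matching the LIKE pattern in the post."""
    rows, n = [], 0

    def add(window, subject, machine, path, count):
        nonlocal n
        for _ in range(count):
            n += 1
            mid = f"<{n:05d}.09Nov23.{window}@spam-mine.example>"
            rows.append((mid, subject, "sender@example.org", machine, path))

    add("0700", "Cheap meds online", "pharma.example", "/", 40)
    add("0700", "Your account has been limited", "bank.example", "/login", 25)
    add("0715", "Cheap meds online", "pharma.example", "/", 38)
    add("0715", "Watch for errors on Social Security statement",
        "statements.ssa.gov.fawaazq.be", "/acu/IPS_INTR/controller.php", 53)
    add("0715", "Review your annual Social Security statement",
        "statements.ssa.gov.reedask.be", "/acu/IPS_INTR/controller.php", 45)
    add("0715", "Your account has been limited", "bank.example", "/login", 20)
    return rows


def build_db():
    """In-memory database loaded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for mid, subj, sender, machine, path in _rows():
        db.execute("INSERT INTO spam VALUES (?,?,?)", (mid, subj, sender))
        db.execute("INSERT INTO spam_link VALUES (?,?,?)", (mid, machine, path))
    return db


def top_subjects(db, window, limit=100):
    """The post's first query, parameterised on the 15-minute run id."""
    return db.execute(
        "SELECT COUNT(*) AS n, subject FROM spam WHERE message_id LIKE ? "
        "GROUP BY subject ORDER BY n DESC LIMIT ?",
        (f"%09Nov23.{window}%", limit)).fetchall()


def emerging_subjects(db, prev_window, cur_window, limit=100):
    """Subjects in the current top list that were absent from the previous one."""
    prev = {s for _, s in top_subjects(db, prev_window, limit)}
    return [(n, s) for n, s in top_subjects(db, cur_window, limit) if s not in prev]


def machines_for_subject(db, pattern):
    """Subject -> distinct landing hosts (the post's join, deduplicated)."""
    return [r[0] for r in db.execute(
        "SELECT b.machine FROM spam a JOIN spam_link b ON a.message_id = b.message_id "
        "WHERE a.subject LIKE ? GROUP BY b.machine ORDER BY b.machine", (pattern,))]


def subjects_for_machine(db, pattern):
    """Host -> every subject seen pointing at it (the reverse pivot)."""
    return [r[0] for r in db.execute(
        "SELECT a.subject FROM spam a JOIN spam_link b ON a.message_id = b.message_id "
        "WHERE b.machine LIKE ? GROUP BY a.subject ORDER BY a.subject", (pattern,))]


if __name__ == "__main__":
    db = build_db()
    for n, s in emerging_subjects(db, "0700", "0715"):
        print(f"NEW {n:4d}  {s}")
    print("hosts:", machines_for_subject(db, "%Social Security statement%"))
    print("subjects:", subjects_for_machine(db, "statements.ssa.gov%"))
```

The set difference on two top-N lists is deliberately crude: a subject that sat just below the cutoff in the previous run will also be reported as "new". In production, compare counts across runs instead of membership, and normalise near-duplicate subjects before diffing (this campaign used four variants of the same line, which a per-subject count splits four ways and so under-reports).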

Pulling up some samples in an email tool shows us what the original emails looked like:



The emails claim that:

    Due to possible calculation errors, your annual Social Security statement may contain errors.

    Use the link below to review your annual Social Security statement:


The emails say they came from:

"Social Security Administration auto-notifications@ssa.gov"

Next we visit the website to pull screenshots there as well:



After entering a (fake) Social Security Number, we are taken to another screen that offers us the option of "Generating a Report".



Clicking on "Generate Report" prompts us to download the malware:



Throwing that "statement.exe" at VirusTotal shows a current detection rate of 5 out of 41 anti-virus products. This is very early in the detection cycle, and the products that do detect it don't agree on what the malware is:

Authentium: W32/Bifrost.C.gen!Eldorado
AVG: Win32/Cryptor
F-Prot: W32/Bifrost.C.gen!Eldorado
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Trojan.H
Sunbelt: Trojan-Spy.Win32.Zbot.gen (v)

At this point none of the other AV products have a signature in place for this malware.

The malware file statistics:

File size: 129536 bytes
MD5...: 40469349c5be9033fd57f6e021e7d06e

Because so little is known about this malware, we then queue it as a "high priority item" for the UAB Malware Analysis group to look at. We'll be sure to update the blog with more information about the malware when it is available.

Brian Tanner of the UAB Malware Analysis group confirmed for us that this is a Zbot trojan, and that it connects to the IP address 193.104.27.42, which has been used to deliver Zbot configuration files since at least October 26th.
