Saturday, December 12, 2009

Ongoing VISA scam drop Zeus Zbot

I guess the UAB Spam Data Mine is having a bad day! Our VISA card is being used in Kuwait!

Dear VISA card holder,

A recent review of your transaction history determined that your card was used at an ATM located in Kuwait, but for security reasons the requested transaction was refused.Please carefully review electronic report for your VISA card


Its also being used at an ATM located in:

Albania, Angola, Argentina, Australia, Bahamas, Cambodia, Central African Republic, China, Cuba, Cyprus, Egypt, Ethiopia, France, Greenland, Guam, Honduras, Italy, Jamaica, Japan, Jordan, Korea, Liberia, Lithuania, Luxembourg, Mauritania, Monaco, Mozambique, Nepal, New Zealand, Niger, Oman, Palau, Panama, Paraguay, Peru, Philippines, Romania, Russian Federation, Rwanda, Seychelles, Somalia, Sri Lanka, Switzerland, Taiwan, Tajikistan, Thailand, Turkmenistan, United Arab Emirates, United Kingdom, Uruguay, Zambia, and probably others.



We know that its real, because for security purposes they X'ed out part of our number, as you can see on this destination website below.



Of course, EVERY VISA card starts with a "4", so that isn't actually a very useful hint.

The subject lines in our emails were:

possible fraudulent transaction
possible fraudulent transaction and/or collusion
possible fraudulent transaction and/or collusion with your VISA card
possible fraudulent transaction has been executed
possible fraudulent transaction has been executed with your VISA card
possible fraudulent transaction is identified
possible fraudulent transaction is identified with your VISA card
possible fraudulent transaction occurred
possible fraudulent transaction occurred with your VISA card
possible fraudulent transaction with your VISA card


The "STATEMENT" link on the website is for an executable named "cardstatement.exe".

The copy we sent to VirusTotal was detected by 16 of 41 AV products according to this VirusTotal Report.

Its a big file. File size: 131072 bytes
MD5 : 1560a00d7e83a085ac76b5d514761baa

Several majors are already detecting it as "zbot".

We've seen the malware spammed on 118 different domain names since the start of the campaign, with more than 17,000 copies of the spam received in the UAB Spam Data Mine. In front of the domain name are several possible prefixes:

alerts.visa.com.(domain)
reports.visa.com.(domain)
statements.visa.com.(domain)
transactions.visa.com.(domain)
sessionid_(random).visa.com.(domain)
sessionid(random).visa.com.(domain)
sessionid-(random).visa.com.(domain)

Here are the 118 domain names we've seen so far:

lotet0.co.uk
lotet1.co.uk
lotet2.co.uk
loteti0.co.uk
luuuuud.co.uk
luuuuuk.co.uk
luuuuul.co.uk
luuuuuo.co.uk
miinu001.co.uk
miinui01.co.uk
miinuo01.co.uk
miinuoo1.co.uk
minutu11.co.uk
minutul1.co.uk
minuty11.co.uk
minutyi1.co.uk
mrreggh.co.uk
mrreggi.co.uk
mrreggj.co.uk
mrreggk.co.uk
nteeeera1.co.uk
ntueeepi1.co.uk
ntueeera1.co.uk
ntueeeri1.co.uk
thhfyb.co.uk
thhfym.co.uk
thhfys.co.uk
thhfyv.co.uk
umr1eep1.co.uk
umr1iep0.co.uk
umr1iep1.co.uk
umrteep1.co.uk
lotet0.me.uk
lotet1.me.uk
lotet2.me.uk
loteti0.me.uk
luuuuud.me.uk
luuuuuk.me.uk
luuuuul.me.uk
luuuuuo.me.uk
miinu001.me.uk
miinui01.me.uk
miinuo01.me.uk
miinuoo1.me.uk
minutu11.me.uk
minutul1.me.uk
minuty11.me.uk
minutyi1.me.uk
mrreggh.me.uk
mrreggi.me.uk
mrreggj.me.uk
mrreggk.me.uk
nteeeera1.me.uk
ntueeepi1.me.uk
ntueeera1.me.uk
ntueeeri1.me.uk
thhfyb.me.uk
thhfym.me.uk
thhfys.me.uk
thhfyv.me.uk
umr1eep1.me.uk
umr1iep0.me.uk
umr1iep1.me.uk
umrteep1.me.uk
lotet0.org.uk
lotet1.org.uk
lotet2.org.uk
loteti0.org.uk
luuuuud.org.uk
luuuuuk.org.uk
luuuuul.org.uk
luuuuuo.org.uk
miinu001.org.uk
miinui01.org.uk
miinuo01.org.uk
miinuoo1.org.uk
minutu11.org.uk
minutul1.org.uk
minuty11.org.uk
minutyi1.org.uk
mrreggh.org.uk
mrreggi.org.uk
mrreggj.org.uk
mrreggk.org.uk
nteeeera1.org.uk
ntueeepi1.org.uk
ntueeera1.org.uk
ntueeeri1.org.uk
thhfyb.org.uk
thhfym.org.uk
thhfys.org.uk
thhfyv.org.uk
umr1eep1.org.uk
umr1iep0.org.uk
umr1iep1.org.uk
umrteep1.org.uk
teh10ll1.be
teh11ll1.be
tehh1ll1.be
tehhtll1.be
tehhtpl1.be
tehhttl1.be
tih11ll1.be
luuuuuk.eu
luuuuul.eu
luuuuuo.eu
mrreggh.eu
mrreggi.eu
mrreggj.eu
nteeeera1.eu
ntueeera1.eu
ntueeeri1.eu
thhfyb.eu
thhfym.eu
thhfyv.eu
umr1eep1.eu
umr1iep1.eu
umrteep1.eu

Only a small handful of these are live. We're seeing mostly the ".be" domains right now, such as:

sessionidP2Q8MFCEG7EU5.visa.com.teh10ll1.be
sessionidLWIV86A.visa.com.teh11ll1.be
reports.visa.com.tehh1ll1.be
reports.visa.com.tehhtll1.be
sessionidOI26B5OXFSCBTV.visa.com.tehhtpl1.be
alerts.visa.com.tehhttl1.be
sessionid_5HR4GA8G3.visa.com.tih11ll1.be

but, those are the URLs seen in the freshest spam. The criminal seems pretty reliable about shifting to new domains when the old ones go offline.

Be very careful about visiting these pages . . . the new Zbot distribution websites also contain driveby infectors. The current one is being dropped via an IFRAME which points here:

"bersdf.com/grsfx/in.php"

That drops a malicious PDF called "pdf.pdf" and a malicious flash file called "swf.swf". It also looks like it calls a file called "sNode.php".

Here is a VirusTotal report for pdf.pdf (12 of 41 detects)

File size: 21784 bytes
MD5 : 254f1479f6546ad62651ae572a16b4e8

and a VirusTotal report for swf.swf (0 of 41 detects)

File size: 10735 bytes
MD5...: 48a36eaf2ca13802f539c9bf065781af

Seems rather strange that they would be pushing a "safe" Flash file. Could it really be a totally undetectable .SWF file exploit? Professional researchers, please help yourselves. Opinions wanted.

The additional droppers are currently fetching two files:

1file.exe (Virus report here - is a Zbot infector with 17 of 41 detects.
File size: 131072 bytes
MD5 : 1560a00d7e83a085ac76b5d514761baa

file.exe (Virus Report here) - is also a Zbot infector with 14 of 41 detects.
File size: 130048 bytes
MD5 : ded54d739fa2e4c66d4a488d3b855861

I guess the nice thing about that directory is that its an open browsable directory, complete with "ReadMe_!!!.txt" file.

Here's the source code for a nice little file called "install.sql". Perhaps we can learn a bit about how the Avalanche spammer works from this file.



======================================================
http://bersdf.com/grsfx/install.sql
======================================================

-- phpMyAdmin SQL Dump
-- version 2.6.1
-- http://www.phpmyadmin.net
--
-- Хост: localhost
-- Время создания: Июл 17 2009 г., 22:57
-- Версия сервера: 5.0.45
-- Версия PHP: 5.2.4
--
-- БД: `123321`
--

-- --------------------------------------------------------

--
-- Структура таблицы `browsers`
--

CREATE TABLE IF NOT EXISTS `browsers` (
`id` tinyint(4) NOT NULL auto_increment,
`name` varchar(16) default NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=12 DEFAULT CHARSET=cp1251 AUTO_INCREMENT=12 ;

--
-- Дамп данных таблицы `browsers`
--

INSERT INTO `browsers` VALUES (1, 'Opera');
INSERT INTO `browsers` VALUES (2, 'Konqueror');
INSERT INTO `browsers` VALUES (3, 'Lynx');
INSERT INTO `browsers` VALUES (4, 'Links');
INSERT INTO `browsers` VALUES (5, 'MSIE etc');
INSERT INTO `browsers` VALUES (6, 'Netscape');
INSERT INTO `browsers` VALUES (7, 'Mozilla');
INSERT INTO `browsers` VALUES (8, 'Firefox');
INSERT INTO `browsers` VALUES (9, 'Unknown');
INSERT INTO `browsers` VALUES (10, 'MSIE 7');
INSERT INTO `browsers` VALUES (11, 'MSIE 8');

-- --------------------------------------------------------

--
-- Структура таблицы `countries`
--

CREATE TABLE IF NOT EXISTS `countries` (
`abrev` char(2) NOT NULL default '',
`name` varchar(44) character set cp1251 collate cp1251_general_cs default NULL,
KEY `abrev` (`abrev`)
) ENGINE=MyISAM DEFAULT CHARSET=cp1251;

--
-- Дамп данных таблицы `countries`
--

INSERT INTO `countries` VALUES ('AP', 'Asia/Pacific Region');
INSERT INTO `countries` VALUES ('EU', 'Europe');
INSERT INTO `countries` VALUES ('AD', 'Andorra');
INSERT INTO `countries` VALUES ('AE', 'United Arab Emirates');
INSERT INTO `countries` VALUES ('AF', 'Afghanistan');
INSERT INTO `countries` VALUES ('AG', 'Antigua and Barbuda');

(Gar-Note: Skipping Big Long Country List here)
--
-- Дамп данных таблицы `hit2plug`
--


-- --------------------------------------------------------

--
-- Структура таблицы `loads`
--

CREATE TABLE IF NOT EXISTS `loads` (
`id` int(11) NOT NULL auto_increment,
`sploit_id` int(11) NOT NULL default '0',
`time` varchar(16) NOT NULL default '',
`hash` varchar(32) NOT NULL default '',
PRIMARY KEY (`id`),
KEY `hash` (`hash`)
) ENGINE=MyISAM AUTO_INCREMENT=4231 DEFAULT CHARSET=latin1 AUTO_INCREMENT=4231 ;

--
-- Дамп данных таблицы `loads`
--


-- --------------------------------------------------------

--
-- Структура таблицы `os`
--

CREATE TABLE IF NOT EXISTS `os` (
`id` tinyint(4) NOT NULL auto_increment,
`name` varchar(32) NOT NULL default '',
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=16 DEFAULT CHARSET=cp1251 AUTO_INCREMENT=16 ;

--
-- Дамп данных таблицы `os`
--

INSERT INTO `os` VALUES (1, 'Linux');
INSERT INTO `os` VALUES (2, 'Windows 95');
INSERT INTO `os` VALUES (3, 'Windows 98');
INSERT INTO `os` VALUES (4, 'Windows XP SP2');
INSERT INTO `os` VALUES (5, 'Windows 2000');
INSERT INTO `os` VALUES (6, 'Windows XP');
INSERT INTO `os` VALUES (7, 'Windows 2003');
INSERT INTO `os` VALUES (8, 'Windows Vista');
INSERT INTO `os` VALUES (9, 'Windows Mobile');
INSERT INTO `os` VALUES (10, 'Macintosh');
INSERT INTO `os` VALUES (11, 'FreeBSD');
INSERT INTO `os` VALUES (12, 'Unknown');

-- --------------------------------------------------------

-- --------------------------------------------------------

--
-- Структура таблицы `sploits`
--

CREATE TABLE IF NOT EXISTS `sploits` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(32) NOT NULL default '',
`loads` int(11) NOT NULL default '0',
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=667 DEFAULT CHARSET=latin1 AUTO_INCREMENT=667 ;

--
-- Дамп данных таблицы `sploits`
--

INSERT INTO `sploits` VALUES (1, 'RDS.DataSpace', 0);
INSERT INTO `sploits` VALUES (2, 'PDF.Collab', 0);
INSERT INTO `sploits` VALUES (3, 'PDF.Printf', 0);
INSERT INTO `sploits` VALUES (4, 'PDF.Icon', 0);
INSERT INTO `sploits` VALUES (5, 'Other', 0);

-- --------------------------------------------------------
============================
The guys at MaxMind will be excited to know that these criminals are customers of theirs for Geocoding the locations of their infected bots.

The creators of the "FSPACK" malware engine will also be proud to count these guys as customers.

It looks like we've got four exploits that are going to try to run when we visit, if you can trust the loader. RDS.DataSpace is OLD, like MS06-014. A note on SecurityFocus in 2007 says that the MPack Hacker Tool uses it. Apparently the FSPack hacker tool does too!

No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!