Tuesday, January 26, 2010

American Bankers Association version of Zeus Bot / Zbot

Today our top spam-delivered malware is coming to us in the guise of a message from the American Bankers Association.

Subject lines seen in the UAB Spam Data Mine include:

An unauthorized transaction billed from your bank account
An unauthorized transaction billed from your bank card
An unauthorized transaction billed to your bank account
An unauthorized transaction billed to your bank card
unauthorized transaction
unauthorized transaction billed from your bank account
unauthorized transaction billed from your bank card
unauthorized transaction billed to your bank account
unauthorized transaction billed to your bank card

While most of the emails come from the email address:

noreply@mail.aba.com

others are arriving with a message_id in the from address, such as:

message_ODRL6039id@mail.aba.com

The emails look like this:

An unauthorized transaction billed from your bank card.

Amount of transaction: $1781.30
Transaction ID: 7980-9779263

Please review the transaction report by clicking the link below:

get the transaction report

---------
Letter ID 9996-0347362324-49929775497-69019696317-70662423061-65867724-18065800918


where the "Amount of transaction" and "Transaction ID"

The website looks like this:



Hostnames that we saw in the spam include:

machine
-----------------------------------
getreport.aba.com.edfa4.com.vc
getreport.aba.com.edfa4.vc
getreport.aba.com.edfa5.com.vc
getreport.aba.com.edfa5.vc
getreport.aba.com.edfa6.com.vc
getreport.aba.com.edfa6.vc
getreport.aba.com.edfa7.com.vc
getreport.aba.com.edfa7.vc
getreport.aba.com.edfa8.com.vc
getreport.aba.com.edfa8.vc
getreport.aba.com.ferdsae.vc
getreport.aba.com.gertfdv.am
getreport.aba.com.sawesae.vc
getreport.aba.com.sawesag.com.vc
getreport.aba.com.sawesaj.com.vc
getreport.aba.com.sawesal.com.vc
getreport.aba.com.sawesao.vc
getreport.aba.com.sawesaq.vc
getreport.aba.com.sawesat.vc
getreport.aba.com.sawesau.vc
getreport.aba.com.uifersag.no.com
getreport.aba.com.uifersag.uy.com
getreport.aba.com.uifersar.cn.com
getreport.aba.com.uifersar.no.com
getreport.aba.com.uifersar.uy.com
getreport.aba.com.uifersat.cn.com
getreport.aba.com.uifersat.no.com
getreport.aba.com.uifersat.uy.com
getreport.aba.com.yhuusd.com.vc
getreport.aba.com.yhuusd.vc
getreport.aba.com.yhuush.vc

The malware that is dropped from this website, "transactionreport.exe" is almost entirely undetected according to this VirusTotal Report. Only six of forty-one AV products currently detect this malware, and only two of them are properly identifying it as Zeus.

Kaspersky calls it "Trojan-Spy.Win32.Zbot.gen", as does Sunbelt.

Authentium and F-Prot heuristically detect it as "El dorado", which is pretty close behavior-wise to Zbot. F-Secure and McAfee identify it as a risk, but don't classify it further.

Besides the obvious "transactionreport.exe", there is also a drive-by infector which originates at the IP address "109.95.114.251" on the path "/us01d/in.php". I'll update this post later this evening with more details about that malware path, but I would assume at this point its going to drop a PDF that leads to a fake AV product.

That IP address is famously associated with Zeus through the owner of its network - actually called in the WHOIS data "VISHCLUB" and described as being "Kanyovskiy Andriy Yuriyovich" of Kazakhstan - akanyovskiy@troyak.org. Perhaps send him an email and ask him how the life of crime is treating him. Apparently there are no laws against providing hosting for cybercriminals in Kazakhstan, but several sources say this IP address is actually in Great Britain, and I'm pretty sure they don't stand for this kind of behavior. Criminal emails such as:
Natalia Ilina - try@5mx.ru
Polina Kuznetsova - wsw@maillife.ru
Mikhail Vorobiev - bombs@maillife.ru
taffy@blogbuddy.ru
and kievsk@yandex.ru

all show up when you investigate previous Zeus infections that use this netblock with domain names like:

hostingdnssite.com
quicksitehostdns.com
platinumhostingservice.com
nekovo.ru
dnsserverbackupzones.com
windowsserverinfo.com
androzo.ru

and that's just so far in January 2010!

A Facebook version of the Zeus malware was active last night and this morning, but that's an on-going extension of the previously mentioned version.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.