Subject lines seen in the UAB Spam Data Mine include:
An unauthorized transaction billed from your bank account
An unauthorized transaction billed from your bank card
An unauthorized transaction billed to your bank account
An unauthorized transaction billed to your bank card
unauthorized transaction billed from your bank account
unauthorized transaction billed from your bank card
unauthorized transaction billed to your bank account
unauthorized transaction billed to your bank card
While most of the emails come from the email address:
others are arriving with a message_id in the from address, such as:
The emails look like this:
An unauthorized transaction billed from your bank card.
Amount of transaction: $1781.30
Transaction ID: 7980-9779263
Please review the transaction report by clicking the link below:
get the transaction report
Letter ID 9996-0347362324-49929775497-69019696317-70662423061-65867724-18065800918
where the "Amount of transaction" and "Transaction ID"
The website looks like this:
Hostnames that we saw in the spam include:
The malware that is dropped from this website, "transactionreport.exe" is almost entirely undetected according to this VirusTotal Report. Only six of forty-one AV products currently detect this malware, and only two of them are properly identifying it as Zeus.
Kaspersky calls it "Trojan-Spy.Win32.Zbot.gen", as does Sunbelt.
Authentium and F-Prot heuristically detect it as "El dorado", which is pretty close behavior-wise to Zbot. F-Secure and McAfee identify it as a risk, but don't classify it further.
Besides the obvious "transactionreport.exe", there is also a drive-by infector which originates at the IP address "18.104.22.168" on the path "/us01d/in.php". I'll update this post later this evening with more details about that malware path, but I would assume at this point its going to drop a PDF that leads to a fake AV product.
That IP address is famously associated with Zeus through the owner of its network - actually called in the WHOIS data "VISHCLUB" and described as being "Kanyovskiy Andriy Yuriyovich" of Kazakhstan - firstname.lastname@example.org. Perhaps send him an email and ask him how the life of crime is treating him. Apparently there are no laws against providing hosting for cybercriminals in Kazakhstan, but several sources say this IP address is actually in Great Britain, and I'm pretty sure they don't stand for this kind of behavior. Criminal emails such as:
Natalia Ilina - email@example.com
Polina Kuznetsova - firstname.lastname@example.org
Mikhail Vorobiev - email@example.com
all show up when you investigate previous Zeus infections that use this netblock with domain names like:
and that's just so far in January 2010!
A Facebook version of the Zeus malware was active last night and this morning, but that's an on-going extension of the previously mentioned version.