Friday, August 06, 2010

Spam Campaign: Zeus's Greatest Hits spreads malware

Yesterday I had the pleasure of speaking on the subject of phishing to the Association of Certified Fraud Examiners Alabama chapter conference, hosted at the UAB School of Business, where my friend Tommie Singleton teaches Forensic Accounting.

After talking about the traditional phishing, and the statistics that we have about phishing through our UAB Phishing Operations and UAB Phishing Intelligence teams, I shared with the group that while phishing is continuing to be on the rise, compromise of banking credentials through malware is an ever growing threat.

To demonstrate the problem with malware, I opened one of my spam receiving email accounts as a user and clicked on several email messages.

I clicked on an email from July 30th that warned me that "FDIC has officially named your bank failed bank", clicked the attachment, and demonstrated my anti-virus product (on this machine I was using Microsoft Forefront) successfully protected me from the malware.

Then I clicked on an email from July 31st that claimed to have details on "Your order from". Again, my AV popped on the attachment.

Then I clicked on an email from August 2nd with the subject "DHL Tracking number 080231". Pop! Virus!

Then I clicked on an email from August 3rd with the subject "Notice of Underreported Incomeir" - "yeah, Incomeir" not Income. Those guys at IRS apparently don't have a spell-checker. Pop! Virus!

Then I clicked on an email that was about four hours old - "You have received a file from (email) via YouSendIt." No warning. So we unpacked the zip file and sent it to VirusTotal. 11 of 42 detections. Note that at VirusTotal, Microsoft was described as being a product that detected the malware, but VirusTotal was running a slightly newer (by a few hours) version of the AV than my laptop. Symantec and Trend and several other "big players" weren't detecting yet, but I told my audience that really didn't mean one was better than another - it was more or less a shooting of the dice who would be the "first detector."

So, what's going on with all of these new malware attachments? I would describe it as a "Zeus's Greatest Hits" campaign. Some of the most successful "Zbot spreading" spam campaigns are all being re-issued, only as attached-malware spam instead of "sending to website" spam. I've linked previous blog posts about Zeus campaigns to some of the top spam subjects in the list below. If we just look at spam for this week in the UAB Spam Data Mine, we see things like:

515 copies - "An unauthorized transaction billed to your bank account"
16,606 copies - DHL Tracking number #######
353 copies - FDIC has officially named your bank failed bank
17,143 copies - Hello
553 copies - Notice of Underreported Incomeir
10,829 copies - report
2,089 copies - Review your annual Social Security statement
166 copies - SALE OF BUSINESS Document
6,256 copies - Scan from a Xerox WorkCentre Pro N #######
412 copies - Unauthorized ACH transaction
387 copies - Welcome to Friendster
10,852 copies - You have received a file from (email) via YouSendIt.
2,479 copies - You have received an Greeting eCard
1,224 copies - Your Flight Ticket #####
301 copies - Your internet access is going to get suspended
7,513 copies - Your Order with

How do we know that these emails might be related to one another? The primary reason is how I selected the list that you see above. In the UAB Spam Data Mine, I picked one of the common subjects that are being used to spread this malware, and said "Show me all the email subjects sent from the same IP address as emails which sent me the subject 'You have received an Greeting eCard' and limit myself to only consider emails from August 2010."

All of the subjects in the list above were part of the response. Now, there were also hundreds of thousands of other emails - mostly selling Viagra and watches, but ALL of the subjects above were sent from computers that also sent at least one email with the "You have received an Greeting eCard" email.

What is the malware? If you are "into" MD5s, you can check them out yourself. In the emails above, the technique is to send an executable file within a ZIP file attached to the email. Here are the most popular '.zip' attachments so far in August:

11075 | 21c4690e291dfa09cc2eef89501fd9b9 | dhl_viewer (35)
10415 | 3e11b5374aaf019fc091d51be43bfdfc | yousendit_reader (23)
7403 | a170953b22815478083d4853f7ebfe57 | report (33)
6018 | 3a88a7fdeac36395bd6b1f6185b13b2c | report.document.doc (33)
5332 | 57eaeb400b49774533c45099877911f8 | dhl_viewer (33)
4738 | bae1fff9774a4366ef73247fcf6cb394 | 08-05-2010(10).pdf (30)
3234 | d0c9552a39d20576f50bbcdc692a187c | amazon_invoice_viewer (30)
3212 | 8f025c1c63e1d11d3a5444eaba978ce7 | xerox workcentrereader (31)
2509 | ccf81bcb37af7cc0835904ec2a49c6ce | report (33)
1617 | 347d3c44ba6c3f6501406e697170192c | statement (32)
1099 | d8fbbf60aafaf400f008b3b8f2b32a41 | transaction report (28)
736 | 02154aba2c9ad2e2bcbe80b7a31246f3 | ecard (34)
576 | 4fa198977d4d3a10a7282a71cb315955 | invoice_viewer (30)
563 | 5cbcc4e1a1f1c2c37149e8db953213b0 | statement (29)
421 | 58d62a8c7fc5a690d4ff18c752a20eb6 | doc (27)
409 | 1c4031ae6c0e327f86dc4201a3532468 | facebook_passw_31.07.2010 (21)
393 | 7ce7bdbc4ce52261ba2f8773d2c196e7 | statement (27)
371 | 02857e7260d3e73811093c8826efe37e | tax report (28)
367 | 802871fdc77c47ff398de9bae8548635 | invoice_viewer (32)
362 | d410ba8345407ab17f2f3b0c98b225d0 | invoice_viewer (26)
361 | 8f0e7810523e1f9d715f951150e9c845 | tax statement (29)
341 | 5eab651ded4b0f9f949beac0dda62146 | report (28)
275 | 0acdecd08273284ce26cd99a0beed1fe | tax statement (33)
202 | 83234d04953e4b8e3f5688ec62567fe1 | changelog_30.07.2010 (35)
198 | 9a02b55cb88acf80b840504d672c21da | resume (23)
179 | d747c2928f1205c69e459b308a35fe1e | transaction report (14)
177 | 8b357aca247a729e07f0ee935c578c81 | transaction report (33)
175 | d5083f3dfefe3d6a9dc3ccd9c2fd622f | changelog_30.07.2010 (26)
138 | 3100bc960f80e8b078c3f8dd6d53de7b | dhl_tracking_ (24)
76 | 5e5b596bdf2f39b1fdfeb23821c75f41 | dhl_viewer (2)
73 | 68b13b6ecbb24322c9fe183b064eef9d | financial summary.xls (27)
51 | 5667dba64be7749c23148b564303fd11 | invoice (11)
37 | 5f2515a06e45acf9e3429ed78447e6a7 | core business advice notice ccc[1].doc (12)
33 | bbc7b06a0f0e6b09b8b7b07f3dab3b6b | statement (7)
31 | 489e4d09253414a8884fcf70326c81b9 | 090508 ccc equipment inventory v4.xls (11)
30 | 477a292406bfbbc474c35efdc92462a6 | business report.doc (12)
30 | 5bd1fb667558da6945518c28d485a37d | tax report (31)
28 | aaead684fe45133c628d3388451b7b6e | invoice_viewer (29)

The ones with low counts are mostly going to be the very newest versions (or ones that were sent in July and ended early on August 1st).

Some detects are pretty good ... for instance, that final "invoice_viewer" was first seen on August 5th (yesterday) and currently as 29 of 42 detects at VirusTotal. However, the number of malware detections on VirusTotal - RIGHT NOW - is the number in Parentheses after the malware attachment name. See the 7? and the 11? Remember that these are WORST when the email is FRESH. Some of these are from August 1st.

What about RIGHT NOW?

I'm going to scan the next two email atttached zips that arrive and show you the detections of FRESH email-delivered malware.

Oh - since the three most recent ".zip" attached emails were in this category, I'll mention this here. Another current email-delivered .zip campaign is "Your private photo attached" and contains a zip named with a random word (My last one was ""). It had a zero of 42 detect as a zip file.

That's because it's not malware. Its the "randomly created image" showing that I should buy pills from "".

Here are some of the emails from the campaign above:

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.