Thursday, September 02, 2010

Don't check that CV! Major Zeus Spam Campaign

In a bold new spam campaign, the criminals behind the Zeus Botnet have been distributing a spam email with a link to an executable file.

We first noticed this campaign in the UAB Spam Data Mine with a spam email message with the subject "you vacancy".

The body of that email read:


Thank you for the chat yesterday, it really helped me get a clearer idea
of recruitment as well as exploring any potential opportunity.

I have just spotted a mistake on the CV I sent in which my email was incorrect.

Apologies for any inconvenience caused if you have already sent me any information on anything we discussed.

My CV is an updated!
CV with the correct email on this link: http://good-resume.info/mycv.docx


The exact same email has also been seen in the UAB Spam Data Mine with several other subjects today:
908you vacancy
869Re: CV
864for CV
370Welcoming speech
115Greetings
112Hello
111Compliments
110Salutation
108Speech of welcome
100Civilities
99Hello message


The final link there that LOOKS like its going to download a Microsoft Word document, actually retrieves a file with the name:

mycv.doc.exe

The properties on that document claim to be:

BitDefender Management Console
SOFTWIN S.R.L.

The current detection rate on the malware at VirusTotal is 16/43, meaning that only 16 of 43 anti-virus products identify this as malware, although only one is calling it "zbot". Here's the VirusTotal Report for md5 = 10fd124206b15f878240f22a30eaf9fe

Our copy of the malware came from a computer with the IP address 58.222.143.148, which has been in bad company for some time. The IP is located on China Beijing Chinanet Jiangsu Province Network. Another example of Russian-speaking crooks hosting their malicious servers in China.

According to those great guys at ZeusTracker, that IP has been used for some really bad stuff.

caseoffinance.cc
dowsonstoke.cc
leadingcase.cc (Confirmed Zeus)
goldfieldforu.cc (Confirmed Zeus 8/24)
youmoneyway.cc (Confirmed Zeus 8/24)
a8228djjnedu7e8hd83ndd43d3d3.com
mikkymouse.com
first-wave-aug.com
iwfybfywi.com (Confirmed Zeus 8/19)
whiteagngo.com (Confirmed Zeus 9/2)
ekuns.com
fasterbuyers.com
hotsku.com (COnfirmed Zeus 9/1)
askuv.com (Confirmed Zeus 9/2)
good-resume.info
roundhome.net (Confirmed Zeus 8/24)
caramelloinze.net (Confirmed Zeus 9/2)
plitkinski.net
olandik.net (Confirmed Zeus 8/20)
instamfan.net (Confirmed Zeus 7/28)
tjkleen.net (Confirmed Zeus 8/9)
incornew.net (Confirmed Zeus 7/30)
autasienga.ru
jocudaidie.ru (Confirmed Zeus 7/15)
dahzunaeye.ru (Confirmed Zeus 6/23)
vohphozeeg.ru
eexiziedai.ru
railuhocal.ru (Confirmed Zeus 6/11)
blackfuril.ru
purplepron.ru (Confirmed Zeus 8/15)
cahgofoneu.ru (Confirmed Zeus 8/31)
iveeteepew.ru (Confirmed Zeus 6/23)
hazelpay.ru (Confirmed Zeus = 5/27)

We've got quite a few more details that we've already shared with law enforcement, but we wanted the public to be advised as well.

If you are a spam researcher and can tell me what botnet this is, please shoot me a note at 'gar at cis dot uab dot edu'. Here are some of the top sending IPs for this group:

72.16.178.42
81.180.66.34
187.36.133.238
186.82.57.113
186.112.107.35
77.127.135.151
195.135.239.5
76.97.210.124
195.228.164.14
24.36.173.168
93.32.50.228
211.17.116.17
24.80.8.180
190.48.237.121
212.29.192.202

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.