Wednesday, January 27, 2010

Minipost: VISA Zeus

This is not the first time we've seen a Zeus dropper acting like a VISA phish . . . recently we've had the December 21st VISA and December 12th VISA campaigns. The emails are the same as the previous campaigns.

We've seen these 53 domain names so far today in the UAB Spam Data Mine:

They are used in an assortment of hostnames, including:

as well as a variety of patterns with random numbers in the middle, such as:

As usual, these are "Fast Flux" hosted, meaning that, for example, all of these IP addresses have been seen to resolve the domains today . . .

(More complete list of machines:

Tuesday, January 26, 2010

American Bankers Association version of Zeus Bot / Zbot

Today our top spam-delivered malware is coming to us in the guise of a message from the American Bankers Association.

Subject lines seen in the UAB Spam Data Mine include:

An unauthorized transaction billed from your bank account
An unauthorized transaction billed from your bank card
An unauthorized transaction billed to your bank account
An unauthorized transaction billed to your bank card
unauthorized transaction
unauthorized transaction billed from your bank account
unauthorized transaction billed from your bank card
unauthorized transaction billed to your bank account
unauthorized transaction billed to your bank card

While most of the emails come from the email address:

others are arriving with a message_id in the from address, such as:

The emails look like this:

An unauthorized transaction billed from your bank card.

Amount of transaction: $1781.30
Transaction ID: 7980-9779263

Please review the transaction report by clicking the link below:

get the transaction report

Letter ID 9996-0347362324-49929775497-69019696317-70662423061-65867724-18065800918

where the "Amount of transaction" and "Transaction ID"

The website looks like this:

Hostnames that we saw in the spam include:


The malware that is dropped from this website, "transactionreport.exe" is almost entirely undetected according to this VirusTotal Report. Only six of forty-one AV products currently detect this malware, and only two of them are properly identifying it as Zeus.

Kaspersky calls it "Trojan-Spy.Win32.Zbot.gen", as does Sunbelt.

Authentium and F-Prot heuristically detect it as "El dorado", which is pretty close behavior-wise to Zbot. F-Secure and McAfee identify it as a risk, but don't classify it further.

Besides the obvious "transactionreport.exe", there is also a drive-by infector which originates at the IP address "" on the path "/us01d/in.php". I'll update this post later this evening with more details about that malware path, but I would assume at this point it's going to drop a PDF that leads to a fake AV product.

That IP address is famously associated with Zeus through the owner of its network - actually called in the WHOIS data "VISHCLUB" and described as being "Kanyovskiy Andriy Yuriyovich" of Kazakhstan - Perhaps send him an email and ask him how the life of crime is treating him. Apparently there are no laws against providing hosting for cybercriminals in Kazakhstan, but several sources say this IP address is actually in Great Britain, and I'm pretty sure they don't stand for this kind of behavior. Criminal emails such as:
Natalia Ilina -
Polina Kuznetsova -
Mikhail Vorobiev -

all show up when you investigate previous Zeus infections that use this netblock with domain names like:

and that's just so far in January 2010!

A Facebook version of the Zeus malware was active last night and this morning, but that's an on-going extension of the previously mentioned version.

Saturday, January 23, 2010

AOL Update spreads Zeus / Zbot

The UAB Spam Data Mine has been receiving emails like these all weekend . . .

Dear AOL Instant Messenger (AIM) user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.

If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link. This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

Thank you,

AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.

The email subjects today are primarily three:

AOL Instant Messenger critical update
Your AOL Instant Messenger account is flagged as inactive
Your AOL Instant Messenger account will be deleted

The download link points to a file called:


File size: 130048 bytes
MD5 : 506b74fab91958e0a9714c4ef5a9f24d
SHA1 : bdb3ecffb2245a6a3f4bda3880aa562a13bff421

VirusTotal of course informs us that this is a Zeus / Zbot infector:

(See VirusTotal Report)

Before you even download the "executable", there is drive-by malware that hits the visitor.

== is called as a result of an iframe on the page.

This leads to the download and loading of:

and then
== /usr5432/xd/sNode.php
and /usr5432/xd/swfobject.js

and then
which downloads

abs.exe is only detectable by 5 of 41 anti-virus products according to VirusTotal, most of them detecting it as "Hiloti":

VirusTotal Report on Hiloti - abs.exe

Websites that have been used in this campaign, all using the path "products/aimController.php", include:

(116 rows)

Monday, January 18, 2010

Sendspace Zbot spreader a Flashback to Dec 15-20

From December 15th to December 20th, the top Zbot or "Zeus" trojan spreader was a spam email campaign which claimed to have news about a photo that may depict the recipient. The "photo" was actually called "photo.exe" and the website from which it was to be downloaded was intended to look like "", a popular file sharing service.

Beginning early in the morning of January 16th, the UAB Spam Data Mine began to notice that the Sendspace version of Zeus may be making a return. On January 16th, we received six copies of the spam, nearly identical to those received December 15-20. They came between 6:15 and 8:30 AM, and then stopped.

The spam messages ask a variation of a question such as:

Hey! Is this photo yours?

Subjects such as:
Fw:your photo
Re:your photo

and provide a link supposedly to a "sendspace" page for you to see the photo.

On January 17th, we saw another burst, beginning shortly after 8:00 AM, and ending about 10:15 AM, with 90 messages being received.

Then at 11:15 PM on January 17th the real campaign began, and has been flowing steadily ever since, although the spam is definitely on a rising trend - we've seen just over 700 copies today so far.

The URLs we've seen in the spam are these:

Note the two pairs of typos? Some ".compl" instead of "" and some "sendspacecom" instead of "" and the "wwwsendspace" instead of "www.sendspace". Those are the reasons bad guys do test runs such as we saw on the 16th and 17th. They need to get their bugs worked out.

The webpage looks like this:

While they are at it, perhaps they'll remember to update their malware as well. The version being distributed in this campaign is the same version that was being distributed when the campaign ended on December 20th, which means that 34 out of 41 anti-virus products can detect it, according to this Virus Total Report.

The websites have a secondary infector. An IFRAME in the code calls a malicious website from "". Last go-around it was pulling a file from the "/2img/" subdirectory there. This time around it's pulling a file from "/3img/in.php", which when loaded causes "pdf.pdf" to be dropped on the machine, which leads to a Fake Anti-Virus product being installed within a few minutes.

The Zeus bot uses "" as its Command & Control - just as it has since December 9th.

The computers hosting the "sendspace" version of this webpage are also hosting the "USAA" version that we discussed in yesterday's article - USAA Bank Latest Avalanche Scam.

If you want to see the December version websites, they are listed below:

Sunday, January 17, 2010

USAA Bank latest Avalanche Scam

Another major spam campaign has been seen in the "avalanche" group. This one seems to be a "phishing only" spam, as opposed to recent versions that also infect with malware. We've seen more than 5,000 copies of the email in the UAB Spam Data Mine today.

The emails look like this:

We've seen 95 base subject lines:

account notification: security alert
automatic notification
automatic reminder
Customer notification
Enhanced online security measures
Important alert
Important announce
Important banking mail from USAA
important banking mail
Important information
important instructions
important notice from USAA
Important notification from USAA
important notification
Important security alert from USAA
important security update
important USAA mail
information from USAA customer service team
information from USAA customer service
Instructions for customer
instructions for our customers
instructions for USAA customer
instructions for USAA customers
instructions from customer service team
instructions from customer service
message from customer service team
message from customer service
New enhanced online security measures
New online security measures
New security measures
new security notification
new USAA form released
New USAA form
notification from USAA
official information
official update
online banking alert
Our enhanced online security measures
our new security measures
safeguarding customer information
scheduled security maintenance
Security alert
security issues
Security maintenance
security measures
Service message from USAA
service message
service notification from USAA
software updating
Urgent message for USAA customer
Urgent message from USAA
Urgent notification from customer service
urgent notification
Urgent security notification
USAA customer service informs you
USAA customer service team informs you
USAA customer service: account notification
USAA customer service: important information
USAA customer service: important message
USAA customer service: important notification
USAA customer service: important security update
USAA customer service: instructions for customer
USAA customer service: new online form released
USAA customer service: notification
USAA customer service: official information
USAA customer service: official update
USAA customer service: security alert
USAA customer service: security issues
USAA customer service: service message
USAA customer service: urgent notification
USAA notification
USAA online form
USAA reminder: notification
USAA reminder: online form
USAA reminder: please complete online form
USAA security upgrade
USAA: alert - online form released
USAA: customer alert
USAA: important announce
USAA: important information
USAA: important message
USAA: important notification
USAA: important security update
USAA: instructions for customer
USAA: notification
USAA: online form released
USAA: security alert
USAA: security issues
USAA: service message
USAA: software updating
USAA: urgent message
USAA: urgent notification
USAA: urgent security notification
we have released new version of USAA form

The subject lines are uniqued by adding either a timestamp, a message ID, or a reference number. So, for example, the base subject "Account notification: security alert" was received with many patterns, including:

Account notification: security alert [message id: 6411033822]
Account notification: security alert [message id: 8829877625]
Account notification: security alert
account notification: security alert [message ref: 1976348562]
Account notification: security alert [message ref: 2573324226]
account notification: security alert [message ref: 2956755073]
account notification: security alert (message ref: 4790726101)
account notification: security alert
account notification: security alert (message ref: 7771108239)
account notification: security alert [message ref: 8030440576]
account notification: security alert Mon, 18 Jan 2010 00:11:54 +0100
account notification: security alert Mon, 18 Jan 2010 00:48:19 +0100
account notification: security alert Mon, 18 Jan 2010 09:30:38 +1000
Account notification: security alert - Ref No. 511853
Account notification: security alert Sun, 17 Jan 2010 14:14:28 -0300
Account notification: security alert Sun, 17 Jan 2010 14:18:53 -0300
account notification: security alert Sun, 17 Jan 2010 14:35:54 -0300
Account notification: security alert Sun, 17 Jan 2010 17:15:30 +0000

The actual website looks like this:

The URL contains:


Websites we've seen used in spam today (Jan 17) include:

Wednesday, January 13, 2010

This Week in Avalanche / Zbot / Zeus Bot: HSBC & eBay

Today as I was reviewing the work of the UAB Phishing Operations team, I noticed an unusually high number of HSBC phish. I ran a quick check in the daily report and I thought I detected a pattern:

hostname                             | path
-------------------------------------+---------------------------------
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php
                                     | /1/2/HSBCINTEGRATION/banking.php

Pretty subtle, but perhaps you noticed it too?

I checked today's spam in the UAB Spam Data Mine to see what domains we had seen in actual spam messages as well, and as you can see, we actually added a few since the last check by the Phishing Operations folks:

The email body that we're seeing says this:

As part of the new security measures, all HSBC customers are required to complete "Digital Certificate Form". Please complete the form as soon as possible.

To access the form please click on the following link:

Subjects used by this email include:

Enhancements: New Release
Obtain Digital Certificate
Please Read: This Document Contains Important Information
Please read this important information concerning your privacy
This Document Contains Important Information

All of those websites and spam messages seem to point to a phishing page:

But in reality, as we see on page two of the scam, what they hope to do is encourage the creation of a "Digital Certificate" using the program they provide.

The program is of course a Zbot or Zeus Bot installer program.

We ran the file, called "certificate.exe" through VirusTotal to learn some facts about it, including the fact that only six of forty-one anti-virus products detect this as malware:

VirusTotal Report here

File size: 130048 bytes
MD5 : 21de77648ebf5cd70e3ddd92f172b9a5
SHA1 : bdb1819004cfff9a6829be26dd715542983d5129

I uploaded the zbot infector to Anubis, the excellent "Analyzing Unknown Binaries" project.

They produced this beautiful 24 page PDF report (Anubis Report of Certificate.exe), which tells us that the malware gets copied to c:\windows\system32\sdra64.exe, which makes sure it's going to load in memory every time you log in by tying itself to the "user init" process through the Registry key: HKLM\software\microsoft\windows nt\currentversion\winlogon

Nice trick.
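A defender's check for the Userinit persistence just described: parse the Winlogon Userinit value and flag any program other than the expected userinit.exe. This is an added example, not code from the post or the Anubis report; the expected path and the two sample values are constructed, with the sdra64.exe entry reflecting the copy location quoted above.

```python
import sys

# Assumption: default install path of the legitimate Userinit program.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# Registry key named in the post; "Userinit" is the value that Winlogon runs at logon.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> list:
    """Split a Winlogon 'Userinit' REG_SZ into its comma-separated program entries.

    Windows runs every entry in turn, so an appended path is executed at each logon.
    Trailing commas and surrounding quotes are tolerated.
    """
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:
            entries.append(part)
    return entries


def userinit_anomalies(value: str, expected: str = EXPECTED_USERINIT) -> list:
    """Return every Userinit entry that is not the expected userinit.exe (case-insensitive)."""
    exp = expected.lower()
    return [e for e in parse_userinit(value) if e.lower() != exp]


# Constructed sample values: a clean default and one with an extra program appended.
CLEAN_VALUE = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"


def read_live_userinit() -> str:
    """Read the live Userinit value on Windows; raises on other platforms."""
    if sys.platform != "win32":
        raise OSError("registry is only readable on Windows")
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE)):
        print(label, "->", userinit_anomalies(value) or "no anomalies")
    if sys.platform == "win32":
        print("live ->", userinit_anomalies(read_live_userinit()) or "no anomalies")
```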

I threw up a VM and followed one of the HSBC spam links. There was code on the HSBC-look-alike page that decoded and tried to force me to download a file called "pdf.pdf" from a website called "". The real action came from launching "certificate.exe" however, which immediately connects to "" and downloads a file "/asd/elnasa.ble".

(Dancho Danchev has an excellent blog today which also mentions how "" is responsible for serving up a variety of exploits to grow the "Pushdo" botnet (which I normally refer to as "Cutwail"; same bot, different AV company name). Please visit Dancho's Blog for more details.) So, if you visited this page, not only are the criminals stealing all of your personal information with the data theft aspects of Zeus, you are probably also spamming for them through the Pushdo botnet.

Sadly, according to ZeusTracker, that particular Command & Control has been live since at least December 16th. The Ukrainian IP address it's on,, is part of the "Vesteh-Net" AS47560, which is a fairly common host of Zeus C&C servers, including: (January 1) (January 1) (January 1) (January 1) (December 25) (December 16) (December 9)

All of those are currently online. was registered by (Alexsey V Kijanskiy), probably an alias, on December 14th, and has nameserver on and

That last one's an interesting IP. It also serves as the nameserver for: ( - Zeus - ( - Zeus - ( - Zeus - ( - unknown - in Moldova) ( - Zeus - ( - unknown - in Kazakhstan) is on a single Class C ASN - AS49934.
Its only upstream is AS31366, Stebluk Vladimir Vladimirovich.

I wonder if other crappy little Ukrainian Zeus Bot hosters buy their network services from Stebluk?

EuroAccess, AS34305, currently has 27 live C&C servers, including what looks like near neighbor IPs,,,,, and,, Doesn't seem connected.

Root eSolutions, AS5577, currently has 3 live C&C servers, including what looks like near neighbor IPs,, but it's also not really that connected.

Nope, I guess it's entirely a coincidence there are so many Zeus Bot C&C's in the Ukraine.

eBay Phishing

Yesterday the big Avalanche target was actually eBay, with domains like this:

The eBay phishing page was also a drive-by infector, launching malware through several attempted attacks of your browser from:


(yeah, don't go there!)

(That network is in Kazakhstan, seriously, "VishClub"???)

inetnum: -
netname: VISHCLUB
descr: Kanyovskiy Andriy Yuriyovich
country: KZ
ASN: AS50369

Although we didn't grab a screen capture yesterday, as the ultimate evidence that these campaigns are related, we can put yesterday's "eBay path" onto today's "HSBC hostname" and still see the eBay content. Notice the URL in this screen shot:

Huge variety of subjects for the eBay version in our email, but the basic patterns were:

account notification: security alert
Automatic notification
automatic notification
customer notification
eBay customer service informs you
eBay customer service team informs you
eBay notification
eBay online form
eBay reminder: notification
eBay reminder: online form
eBay security upgrade
eBay: alert - online form released
eBay: customer alert
eBay: important announce
eBay: important message
eBay: important notification
eBay: important security update
eBay: instructions for customer
eBay: security issues
eBay: service message
eBay: urgent message
eBay: urgent notification
Enhanced online security measures
important alert
important announce
Important eBay mail
important information
Important instructions
Important notice from eBay
important notification
important notification from eBay
Important security update
Information from eBay customer service
Instructions for customer
instructions for eBay users
instructions for our customers
instructions from customer service
instructions from customer service team
Message from customer service
Message from customer service team
New eBay form
new eBay form released
new enhanced online security measures
new online security measures
new security measures
Notification from eBay
official information
our enhanced online security measures
Our new security measures
Scheduled security maintenance
Security alert
Security issues
security maintenance
Security measures
service message from eBay
Service notification from eBay
Urgent message for eBay user
urgent message from eBay
Urgent notification from customer service
Urgent notification
Urgent security notification
we have released newe version of eBay form

All of those subjects also can be followed by:
- a timestamp including date, such as: Tue, 12 Jan 2010 19:54:25 +0200
- a message id, such as: (message id:3924375238)
- a reference number, such as: Ref No. 947990
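The uniquing suffixes listed here for eBay, and the USAA ones earlier in the page ([message id: N], [message ref: N], (message ref: N), "- Ref No. N" and an RFC 2822 timestamp), can be stripped to recover the base subject and count variants per campaign. This is an added example written for this page, not tooling from the UAB Spam Data Mine; the sample subjects are the ones quoted in the post, and the pattern covers only the suffix forms shown here.

```python
import re
from collections import Counter

# Trailing "uniquing" suffixes the Avalanche mailers append to a base subject.
# Each named alternative is one form quoted in the post; matched at the right end only.
_SUFFIX_RE = re.compile(r"""
    \s*(?:
        (?P<msgid>  -?\s*[\[(]\s*message\s+id\s*:\s*\d+\s*[\])])       # [message id: 6411033822]
      | (?P<msgref> -?\s*[\[(]\s*message\s+ref\s*:\s*\d+\s*[\])])      # (message ref: 4790726101)
      | (?P<refno>  -?\s*Ref\s+No\.?\s*\d+)                              # - Ref No. 511853
      | (?P<stamp>  (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d{1,2}\s+[A-Za-z]{3}\s+\d{4}
                    \s+\d{1,2}:\d{2}:\d{2}\s+[+-]\d{4})                  # Mon, 18 Jan 2010 00:11:54 +0100
    )\s*$
""", re.IGNORECASE | re.VERBOSE)


def split_subject(subject: str) -> tuple:
    """Peel uniquing suffixes off the right end of a subject.

    Returns (base_subject, kinds): base_subject is lower-cased with whitespace
    collapsed; kinds lists the suffix types removed, left to right. A line that
    consists only of a suffix is left alone so nothing collapses to "".
    """
    s = " ".join(subject.split())
    kinds = []
    while True:
        m = _SUFFIX_RE.search(s)
        if not m or m.start() == 0:
            break
        kinds.append(m.lastgroup)          # name of the alternative that matched
        s = s[:m.start()].rstrip()
    return s.lower(), kinds[::-1]


def cluster(subjects) -> Counter:
    """Count how many uniqued variants of each base subject were received."""
    counts = Counter()
    for subj in subjects:
        base, _ = split_subject(subj)
        counts[base] += 1
    return counts


def suffix_kinds(subjects) -> Counter:
    """Count which uniquing mechanisms the campaign used across the sample."""
    counts = Counter()
    for subj in subjects:
        _, kinds = split_subject(subj)
        counts.update(kinds)
    return counts


# Constructed sample: subjects quoted in the post, plus one AIM lure with no suffix.
SAMPLE_SUBJECTS = [
    "Account notification: security alert [message id: 6411033822]",
    "account notification: security alert [message ref: 1976348562]",
    "account notification: security alert (message ref: 4790726101)",
    "account notification: security alert",
    "Account notification: security alert - Ref No. 511853",
    "account notification: security alert Mon, 18 Jan 2010 00:11:54 +0100",
    "Account notification: security alert Sun, 17 Jan 2010 14:14:28 -0300",
    "eBay: urgent notification (message id:3924375238)",
    "eBay: urgent notification Tue, 12 Jan 2010 19:54:25 +0200",
    "Your AOL Instant Messenger account is flagged as inactive",
]

if __name__ == "__main__":
    for base, n in cluster(SAMPLE_SUBJECTS).most_common():
        print(f"{n:3d}  {base}")
    print(dict(suffix_kinds(SAMPLE_SUBJECTS)))
```

A base subject with dozens of variants and a timestamp or message id embedded in the Subject header itself is a usable mail-filter signal independent of the sender or URL.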

Minipost: #CNIRcyberwar ? ? ?

Several Chinese hacker groups have decided to retaliate for the "Iranian Cyber Army" attack against the Chinese search engine,, which we reported yesterday in our story Iranian Cyber Army Returns - Target: Baidu.

A few sources (thanks especially @packetninjas), have sent me links to Chinese webpages where their hacker community is expressing outrage by hacking back. One twitter hashtag seen with regards to this effort has been #CNIRcyberwar .

Despite the hashtag, there is no evidence whatsoever that there are GOVERNMENTS involved in this so-called CyberWar. On the Chinese side, this is the action of some patriotic but misguided youth who believe they can change world opinion by trashing a few insignificant websites. On the Iranian side, there is no evidence that any malice was intended towards the nation of China - it seemed their objective was to just place their message before a large audience - a goal they seem to have accomplished. I consider it highly unlikely that additional Iranian attacks on Chinese servers will result from this "CyberWar".

A hacker who claims membership in the "Honker Union for China" has posted many defacements of Iranian sites, along with lists of "official Iranian government sites" that he believes should be targeted, on the site:

There is certainly debate going on, even within his own hacker community. One post this morning on "" argued that the Iranians may not be behind the attack, but that it might really be the "dark Yankees" trying to stir up trouble. The rationale of that poster was that the attack came the day before a Chinese government missile interception test. ??? really ???

(from 自强不息 on

There is also an attempt to improve the image of Chinese hackers in the world with a little grammatical help from their friends. Another "honker" in the room suggests some help with one defacer's wording, suggesting that they replace:

The big national power spurs strong corps!


Our nation has internet experts who aren't afraid to fight back.


we are Oppose the special prganization of IR


We oppose this special organization of IR.

The Iranian attacks are being discussed in a thread on Baidu as well:

This "soldier" is listing stored images of defaced Iranian websites, which he's actually pulling from the posts of "soping" on the site "": - Defaced image, including the text:

chinese honker team[H.U.C.]

I'm very sorry for this Testing!
Because of this morning your Iranian Cyber Army
Maybe you haven't konw this thing!
This morning your Iranian Cyber Army intrusion our
So i'm very unfortunate for you
Please tell your so-called Iranian Cyber Army
Don't intrusion chinese website about The United States authoritires to intervene
This is a warning!
Khack by toutian from Honker Union For China

Other sites on his list include: - Defacement image

CHINA Honker
China do not hear any foreign hacker!
The big national power spurs strong corps!
we are Oppose the special prganization of

Another version of the text read:

We are Red_hacker
Let the world hear the voice of China
The state is higher than the dignity of all!

f*** ir !
china up !
(archived image)

That same text, with a different background image, also appeared on - (archived image)

An earlier version of the text (another hacker probably using the same vulnerability) read:

High-profile work being
Viruses, anti-virus, invasion, the invasion
The darkness of night, slowly permeates the wing?
The third area information security group By: h4ck3ber

The People's Republic of China Long Live
The great Chinese people long live
Domestic safety inspection
Oppose splkitting Safeguarding unity - Defacement image - Defacement image

Each of these sites is being tagged repeatedly by various hackers, as you can see documented in this thread:

Tuesday, January 12, 2010

Iranian Cyber Army returns - target:

Many Americans are not familiar with Baidu, but in China it's the word people say when we would say Google. Baidu is a Chinese search engine that commands a powerful 60% of the marketplace. And this morning, their website looked like this:

The white line of Persian text on the website is a statement that reads:

« ارتش سایبری ایران در اعتراض به دخالت های سايتهاي بيگانه و صهیونیستی در امور داخلی کشورمان و پخش اخبار دروغ و تفرقه برانگیز راه اندازي شده است

Google Translate tells us that that says:

Army of cyber-sites has been established to protest intervention in the internal affairs of our country and broadcast of false and divisive news by Foreigners and Israel.

(with a little word-re-ordering to preserve meaning)

We first heard of the Iranian Cyber Army on December 18th when they attacked Twitter with an almost identical attack. We documented the attack here in our story Who Is the Iranian Cyber Army?.

In today's attack, the nameservers for Baidu were redirected to a small network that caters to "warez" and various piracy and pornography servers. The computer became the address for,, and, and these new "unofficial" nameservers did a wild-card resolution for everything at baidu, pointing it to the same IP address

Later in the morning, that IP address shifted to, which is the address which is currently live as of this writing.

Click the image below to see the full unedited version of the original graphic that was posted on the server:

(the original file was named "-1-2.jpg")
(The EXIF data indicates that the file was saved using Adobe Photoshop CS4 Windows on December 27, 2009 at 1:41:44 PM.)

There were also two VERY interesting email addresses on the page:

The website "" is hosted on the Canadian IP address, which belongs to "Netfirms Inc".

Domain Privacy Group, Inc.
7030 Woodbine Ave. Suite 800
Markham, ON L3R 6G2

Domain name:

Administrative Contact:
Domain Privacy Group, Inc.
7030 Woodbine Ave. Suite 800
Markham, ON L3R 6G2

Technical Contact:
Domain Privacy Group, Inc.
7030 Woodbine Ave. Suite 800
Markham, ON L3R 6G2

Registrar of Record: Netfirms Inc.
Record expires on 2010-12-31.
Record created on 2009-12-31.
Database last updated on 2010-01-12 06:51:32.

The website "" is hosted on US IP address, which belongs to Yahoo! (and is currently using a Yahoo! Nameserver)

Domain Name..........
Creation Date........ 2009-12-31
Registration Date.... 2009-12-31
Expiry Date.......... 2010-12-31
Organisation Name.... Iranian Army
Organisation Address. PO Box 61359
Organisation Address.
Organisation Address. Sunnyvale
Organisation Address. 94088
Organisation Address. CA
Organisation Address. US

Admin Name........... Admin PrivateRegContact
Admin Address........ PO Box 61359
Admin Address........
Admin Address........ Sunnyvale
Admin Address........ 94088
Admin Address........ CA
Admin Address........ US
Admin Email..........
Admin Phone.......... +1.5105952002
Admin Fax............

That first IP address for today's redirect,, resolved such names as:

well, actually, resolved temporarily to this IP address.

What is that IP address normally used for? When I try a reverse resolution on that IP it tells me the server's name is ""

The site normally hosts such webservers as:

So what do we know about WarezHost? Here's what their website says about themselves:

Warez-Host is a privately-owned organization located in Dubai, UAE. At Warez-Host, we understand that our customers' web sites are important and they require reliable services to ensure that service is not interrupted. We have established a solid foundation to offer a reliable, easy to use and low cost web hosting solution for small-to-large sized businesses and helping thousands of customers get their web sites online.

Our goal is to provide a low-cost web hosting solution that is easy-to-use, and is customer service oriented. At Warez-Host, we value our customers and recognize their need for quality service and outstanding customer service.

Warez-Host web hosting is the perfect choice for all of your web hosting needs, our datacenters located in Netherlands, IRAN and Germany.

The Dedicated Server pages for each data center explain what types of content you can host on their servers. For example, it's OK to host stolen software and movies ("warez") in all three locations, but the Iranian Data Center list (shown below) makes it clear you can't host pornography in Iran - although you can in their German and Netherlands based data centers.

So, if someone wants to get to the bottom of who hacked Baidu, all they have to do is slap a subpoena on the UAE-based company's Iranian data center manager to see who owns this dedicated server and get logs from it.

Yeah. Good luck with that.

More badness from "" servers: