Wednesday, March 21, 2012

Zeus still a Spam Threat

Tonight's Rock Center with Brian Williams episode talked about the September 2010 "Trident BreACH" case. One of the things that the students in the UAB Computer Forensics Research Laboratory learn is that Cybercrime investigation is a community event. Hundreds of researchers around the world have been tracking cybercriminals who use malware, including Zeus.

UAB now provides a daily report to law enforcement called "Emerging Threats by Email" which regularly documents continued Zeus-related malware threats delivered by spam email. This week there have been several new "social engineering" scams that attempt to convince the email recipient to click on a link.

The UAB Spam Data Mine currently gathers and analyzes more than a million new spam messages each day. Here are some of the Zeus threats we've seen in the spam in the past 72 hours.

The spam message here uses the subject:

J.P. Morgan ACCESS Action Required-Password Reset

The email says that the "Security Administrator" has reset your password to a temporary password, and now you need to logon at ""

Only the link doesn't actually go to JP Morgan. There are more than fifty websites that are actually linked here, each one hacked to include a new subdirectory that contains a file full of redirectors. Those redirectors end up at a "Black Hole Exploit Kit" which then infects the visitor with the Zeus trojan.

The Black Hole Exploit Kit is "crimeware" - criminals sell the software as a service that allows the "renter" of the crimeware to infect visitors with the malware of their choice. Brian Krebs has a nice write up about Black Hole Exploit kits and Crimevertising.

This spam message claims to be a notice from the "Commercial Electronic Office" and tells the recipient they need to access their "Deposit Adjustment Notice" by signing on to "the CEO Portal".

This one works exactly like the JP Morgan version. Forty-five different destinations, each a hacked website, contain redirectors which also send visitors to a Black Hole Exploit kit that drops Zeus.

One of the broader social engineering scams this week says that you are about to fly from the Washington DC airport and that it's time to Check-in online. After receiving such an email, the temptation would be to just "take a peek" and figure out whether you've been charged for a flight!

You might have figured out by now that if you click the link, it's going to take you to one of 140 compromised websites which all have redirectors on them that will automatically take your web browser to a Black Hole Exploit kit that will infect your computer with Zeus.

On March 19th we saw around 9,000 of these messages using the following subjects:

2239 | open positions suggestion.
2188 | New position found for you at
2106 | has found an open position for you
1930 | has found a vacant position for you
1842 | open position notification.

Some of the templates were a bit screwed up, so, while there was a position of "Chief Legal Officer" being offered at "Security Finance Corporation." But another message offers the position of "Chief commercial officer Chief Communications Officer" at "%." (Apparently the variable name for the company didn't match up.)

There's also a "Chief Customer Officer" (whatever that is.)

When the email recipient clicks on the job title, perhaps while saying to themselves "How silly, why would anyone want me to be the Chief Legal Officer? I'm not even a lawyer!" they aren't taken to CareerBuilder, but to one of the 100+ websites that have each been hacked to place a set of redirectors that sends the visitor to a Black Hole Exploit kit, which will infect the visitor with Zeus.

In the very most recent of these "BlackHole to Zeus" malware campaigns, LinkedIn is being imitated. The LinkedIn invitation claims to be from "Your classmate", but guess what happens if you click one of the 820 advertised URLs, each disguised as your "friend's" name?

Yes, it loads several redirectors, and then sends them to a Black Hole Exploit kit that infects the visitor with Zeus!

As an example, one of the links:


contains three redirectors: / ACwhfZ0X / js.js / tx96TETB / js.js / 5GUVH5Sz / js.js

Each of these points to the Black Hole Exploit kit at: / showthread.php ?t= 73a07bcb51f4be71

The Black Hole Exploit kit caused my test machine to download:
- a 111,129 byte executable (two times)
- a 17,476 byte Java JAR file
- a 283,160 byte executable (three times)

The 283,160 byte file is the Zeus malware. It was pulled from:

- ( a computer in New Jersey
- ( a computer in Brea, California
- ( a computer in France

But all of those computers are also compromised by the criminal to host the malware. Two of the domains are more than four years old!

The copy of Zeus that gets downloaded is 283,160 bytes in size and has an MD5 of 424c6b3afcde978b05cef918f04df759.

The current VirusTotal report shows that 15 of 43 current anti-virus products will detect this file as malware, although currently only Kaspersky, Microsoft, and Norman call it by ZeuS's most common name, Zbot.

Prospective students might want to learn more about UAB's Master's Degree in Computer Forensics and Security Management (MSCFSM)

Businesses interested in supporting our research are invited to learn more about the Center for Information Assurance and Joint Forensics Research (CIA|JFR)

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.