Friday, December 27, 2013

ASProx spamming Court-Related malware

Court-related malware from ASProx

Update - new version of malware December 27th @ 6:15 AM. See bottom.

The same spamming botnet that is sending the Delivery spam that imitates Walmart, CostCo and BestBuy has also been busy sending out Court-related spam.

So far, there have been 9 different malware samples distributed by this campaign, which began on December 23rd at approximately 7:45 AM (US Central Time, GMT -6).

Here are the relative distributions of each. The first number is the number of spam samples collected in the Malcovery Security Spam Data Mine, the second column is the sender domain name used, the third is the MD5 of the .zip attachment, and last, in 15-minute increments, the first and last time periods in which spam bearing this attachment was seen.


11633 | jonesday.com | 442e746ad1d185dd1683b1aa964f6e56 (2013-12-23 07:45 to 2013-12-23 21:00)
5979 | jonesday.com | 267d9f829ea2e3620ee62c52fcb4ebe9 (2013-12-23 16:30 to 2013-12-24 05:15)

Email subjects with counts for JonesDay were:

5050 of Subject: Urgent court notice NR#
4738 of Subject: Hearing of your case in Court NR#
4150 of Subject: Notice of appearance in court NR#
3640 of Subject: Notice to appear in court NR#


4365 | lw.com | b2f8e5d86d7c50b5017e88527d8ce334 (2013-12-24 07:45 to 2013-12-24 20:00)
142 | lw.com | 76cdb2bad9582d23c1f6f4d868218d6c (2013-12-24 08:00 to 2013-12-24 16:00)
651 | lw.com | 0f0bb7b4f67b3bd90e944fcf7473b9d8 (2013-12-24 14:15 to 2013-12-24 20:00)

Email subjects with counts for Latham Watkins were:

1477 of Subject: Urgent court notice No#
1319 of Subject: Hearing of your case in Court No#
1251 of Subject: Notice of appearance in court No#
1110 of Subject: Notice to appear in court No#


3054 | hoganlovells.com | 30336df44c6808175bf4a7c212d3e2f8 (2013-12-25 14:15 to 2013-12-26 03:00)
3236 | hoganlovells.com | f97795c2124f60596eb8faf18307ac35 (2013-12-25 05:15 to 2013-12-25 23:00)

Email subjects with counts for Hogan Lovells were:

1785 of Subject: Urgent court notice WA#
1615 of Subject: Hearing of your case in Court WA#
1547 of Subject: Notice of appearance in court WA#
1334 of Subject: Notice to appear in court WA#


3500 | mwe.com | d181af2b32830119c0538851a8b53af8 (2013-12-26 06:00 to 2013-12-26 16:30)
484 | mwe.com | 7c572385f09773237805a52e2fc106e9 (2013-12-26 12:00 to 2013-12-26 17:15)

Email subjects with counts for McDermott Will and Emery were:

1172 of Subject: Urgent court notice CH#
1009 of Subject: Hearing of your case in Court CH#
962 of Subject: Notice of appearance in court CH#
838 of Subject: Notice to appear in court CH#
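The per-sample records above are easier to reason about once they are parsed: per-domain volumes, how long each attachment was spammed, the order in which the spoofed sender domains rotated, and which attachments were being spammed at the same time (a payload swap while the previous hash was still in flight is exactly what keeps AV one step behind). The following is an added example, not code from the original post or from Malcovery; the record text is copied from the post's tables and the pipe/parenthesis layout is assumed to be exactly the form shown above.

```python
import re
from datetime import datetime

# Records in the format the post uses: count | sender domain | MD5 of .zip (first seen to last seen).
# The values are the ones given in the post; the text block itself is constructed input for this example.
RECORDS = """
11633 | jonesday.com | 442e746ad1d185dd1683b1aa964f6e56 (2013-12-23 07:45 to 2013-12-23 21:00)
5979 | jonesday.com | 267d9f829ea2e3620ee62c52fcb4ebe9 (2013-12-23 16:30 to 2013-12-24 05:15)
4365 | lw.com | b2f8e5d86d7c50b5017e88527d8ce334 (2013-12-24 07:45 to 2013-12-24 20:00)
142 | lw.com | 76cdb2bad9582d23c1f6f4d868218d6c (2013-12-24 08:00 to 2013-12-24 16:00)
651 | lw.com | 0f0bb7b4f67b3bd90e944fcf7473b9d8 (2013-12-24 14:15 to 2013-12-24 20:00)
3054 | hoganlovells.com | 30336df44c6808175bf4a7c212d3e2f8 (2013-12-25 14:15 to 2013-12-26 03:00)
3236 | hoganlovells.com | f97795c2124f60596eb8faf18307ac35 (2013-12-25 05:15 to 2013-12-25 23:00)
3500 | mwe.com | d181af2b32830119c0538851a8b53af8 (2013-12-26 06:00 to 2013-12-26 16:30)
484 | mwe.com | 7c572385f09773237805a52e2fc106e9 (2013-12-26 12:00 to 2013-12-26 17:15)
"""

RECORD_RE = re.compile(
    r"^\s*(?P<count>\d+)\s*\|\s*(?P<domain>[\w.-]+)\s*\|\s*(?P<md5>[0-9a-fA-F]{32})\s*"
    r"\((?P<first>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) to (?P<last>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\)\s*$"
)
TS_FMT = "%Y-%m-%d %H:%M"


def parse_records(text):
    """Parse one record per line; a malformed line is an error rather than a silently dropped sample."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError("unparsed record: %r" % line)
        records.append({
            "count": int(m.group("count")),
            "domain": m.group("domain"),
            "md5": m.group("md5").lower(),
            "first": datetime.strptime(m.group("first"), TS_FMT),
            "last": datetime.strptime(m.group("last"), TS_FMT),
        })
    return records


def hours_active(rec):
    """How long (in hours) spam carrying this attachment was seen."""
    return (rec["last"] - rec["first"]).total_seconds() / 3600.0


def per_domain_totals(records):
    """Total spam volume per spoofed sender domain."""
    totals = {}
    for r in records:
        totals[r["domain"]] = totals.get(r["domain"], 0) + r["count"]
    return totals


def campaign_span(records):
    """Earliest first-seen and latest last-seen across all samples, as 'YYYY-MM-DD HH:MM' strings."""
    first = min(r["first"] for r in records)
    last = max(r["last"] for r in records)
    return first.strftime(TS_FMT), last.strftime(TS_FMT)


def sender_rotation(records):
    """Spoofed sender domains in the order they first appeared."""
    order = []
    for r in sorted(records, key=lambda r: r["first"]):
        if r["domain"] not in order:
            order.append(r["domain"])
    return order


def overlapping_pairs(records):
    """Pairs of attachments whose active windows overlap, i.e. payload swaps made while the
    previous attachment was still being spammed (each swap is a fresh hash for AV to catch up on)."""
    pairs = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            if a["first"] <= b["last"] and b["first"] <= a["last"]:
                pairs.append((a["md5"][:5], b["md5"][:5]))
    return pairs


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    print("campaign span:", campaign_span(recs))
    print("sender rotation:", " -> ".join(sender_rotation(recs)))
    for domain, total in per_domain_totals(recs).items():
        print("%-18s %6d messages" % (domain, total))
    for r in recs:
        print("%s active %.2f h" % (r["md5"][:5], hours_active(r)))
    print("overlapping attachments:", overlapping_pairs(recs))
```

Run as a script it prints the per-domain totals (jonesday.com 17612, lw.com 5158, hoganlovells.com 6290, mwe.com 3984), the rotation jonesday.com -> lw.com -> hoganlovells.com -> mwe.com, and six overlapping attachment pairs, all of them within a single sender domain: every day the botnet swapped in a second (or third) hash while the first was still being spammed.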


I think this might be a good time to talk about malware detection rates. I'm going to do a "re-analyze" of each of these files on VirusTotal. Let's start with the oldest one first.

My "442e7" jonesday sample is: Court_Notice_Jones_Day_Wa#3358.zip which contains the file "Court_Notice_Jones_Day_Washington.exe" with an internal timestamp of 12/23/2013 5:24 PM and a size of 121,344 bytes and an MD5 of 6933c76f0fbabae32d9ed9275aa60899.

VirusTotal says? 33 of 48.

My "267d9" jonesday sample is Court_Notice_Jones_Day_Wa#8877.zip which contains the file "Court_Notice_Jones_Day__Washington.exe" with an internal timestamp of 12/23/2013 8:40 PM and a size of 123,904 bytes and an MD5 of 84fae8803a2fcba2d5f868644cb55dd6.

VirusTotal says? 35 of 48. Please note that seven of the AVs correctly identify this as Kuluoz while some call it DoFoil, and one of the majors calls it "FakeAVLock". (This malware does NOT act like a fake anti-virus, and does not lock your computer.)

My "b2f8e5" Latham & Watkins sample is: Court_Notice_Latham_and_Watkins___NY88756.zip which contains the file "Court_Notice_Latham_and_Watkins__New_York.exe" with an internal timestamp of 12/24/2013 5:13 PM, 123,904 bytes in size, and an MD5 of ac572ca741df1bbcc88183e27e7fce6c.

VirusTotal says? 34 of 48, after 2 days and 19 hours since first submission.

My "30336" Hogan & Lovells sample is: Court_Notice_Hogan_Lovells_WA29377.zip which contains the file "Court_Notice_Hogan_Lovells_WA_Washington.exe" with an internal timestamp of 12/25/2013 05:05 PM and 167,936 bytes in size and an MD5 of ebcb90d14904d596531fc8989c057f40.

VirusTotal says? 26 of 48. We still have one group calling it Zeus and one FakeAVLock. It's been on VT for 1 day and 12 hours at this point.

My "f9779" H&L sample is: Court_Notice_Hogan_Lovells_WA34711.zip which contains the file "Court_Notice_Hogan_Lovells_WA_Washington.exe" with an internal timestamp of 12/25/2013 9:42 AM and 167,936 bytes in size and an MD5 of bd4255eacbf47649570c58061d81f018.

VirusTotal says? 25 of 48.

And now the ones from today. My "d181a" sample from MWE is Court_Notice_Chicago_CN83259.zip which contains the file "Court_Notice_Chicago_McDermott_Will_and_Emery.exe" with an internal timestamp of 12/26/2013 at 12:41 PM and a size of 163,328 bytes and an MD5 of 225b15d05fe6f5d24d23b426fcfd7a2d.

VirusTotal says? 21 of 45.

And the most recent sample from MWE, "7c572", is Court_Notice_Chicago_CN56910.zip which contains the file Court_Notice_McDermott_Will_and_Emery.exe with a timestamp of 12/26/2013 at 7:33 PM and a size of 163,328 bytes and an MD5 of c77ca2486d1517b511973ad1c923bb7d.

VirusTotal says? 21 of 46.

The AV Question

So, if we KNOW this is the same botnet, delivering the same malware, from the same family, why is the detection rate after three days only 75%? Why is the detection rate for Day four of the campaign still only 50% or less? Recently my friend Graham Cluley ran a guest-blog on his personal blog called The Massive Lie about Anti-Virus Technology. His guest blogger, Stephen Cobb, made this statement in the blog, his big prediction for 2014:
The media will repeat a massive lie about anti-virus technology. I predict that in 2014 every major newspaper and magazine will perpetuate, to the detriment of data security and human understanding, the grossly erroneous notion that “for an anti-virus firm to spot malware, it first needs to have seen the malware, recognized that it’s malicious code, and written a corresponding virus signature for its products.”

He goes on to say that anyone who believes that anti-virus has to develop a signature in order to detect malware would be similar to Car & Driver magazine assuming that automobiles must still be started by turning a crank at the front of the car. The problem is, Stephen is wrong.

On day one of the "Court" version of this Kuluoz malware, would you like to see what the detection rate was of the malware that is now "33 of 48" on VirusTotal? Here's a clip from the Malcovery Security "Today's Top Threat" report for that day, which featured the "JonesDay" version of the malware mentioned above.

In that report, Malcovery malware analyst Brendan Griffin points out that beginning at 7:45 that morning we had seen 167 spam messages from this campaign in a single 15 minute period with the volume hitting 8932 messages by 2 PM.

The problem, of course, was that at 2 PM, only FOUR of the 48 anti-virus products were detecting the malware as being something bad that should be blocked. Here's the VirusTotal report showing 4 of 47 detects at the time of Malcovery's report. Note the MD5s and assure yourself it is the same one that, three days later, is showing 33 of 48 above.

But wait! Didn't Mr. Cobb assure us that anti-virus products now detect malware in many clever ways that don't rely on writing signatures? Perhaps they do, but they certainly weren't doing it on this sample. I'm not sure which heuristic was supposed to be protecting us as we successfully infected ourselves and watched our traffic flow to the C&C server at 91.227.4.27 on port 8080. I certainly agree that AV products should always be installed "in the suite" of security protections. Hostile URLs should be blocked, but the problem is that in a great many cases, no one is blocking anything. We *DID* report our C&C server's URL to URLQuery.net, who assured us there was nothing malicious going on there (See URLQuery report for 91.227.4.27). We also noted that the spam we were receiving was from IP addresses that were not being blocked by reputation at the beginning of this campaign, though later a good many of them were.
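The practical consequence of the paragraph above is that the endpoint AV verdict cannot be the only control: on day one the hash-based view says "4 of 47", while the network-level indicator (traffic to 91.227.4.27 on port 8080) is already there to be matched. The following added example, not code from the original post or from Malcovery, shows both views side by side: it runs the C&C indicator over a few constructed firewall log lines (the key=value format is assumed) and checks a constructed list of attachment hashes against the .exe MD5s the post lists for days one to four, including the December 27th sample noted in the update, which is not yet on that list.

```python
import re

# Indicators taken from the post: the C&C endpoint the author watched the infected host talk to,
# and the MD5s of the .exe payloads seen on days one to four of the campaign.
CNC_ENDPOINTS = {("91.227.4.27", 8080)}
KNOWN_EXE_MD5S = {
    "6933c76f0fbabae32d9ed9275aa60899",
    "84fae8803a2fcba2d5f868644cb55dd6",
    "ac572ca741df1bbcc88183e27e7fce6c",
    "ebcb90d14904d596531fc8989c057f40",
    "bd4255eacbf47649570c58061d81f018",
    "225b15d05fe6f5d24d23b426fcfd7a2d",
    "c77ca2486d1517b511973ad1c923bb7d",
}

# Constructed firewall/proxy log lines in a simple key=value form (assumed format, not real logs).
# The second line goes to an internal host on port 8080 and must NOT match.
SAMPLE_LOG = """
2013-12-23T14:02:11 src=10.0.0.15 dst=91.227.4.27 dport=8080 proto=tcp action=allow
2013-12-23T14:02:30 src=10.0.0.15 dst=10.0.0.1 dport=8080 proto=tcp action=allow
2013-12-23T14:03:02 src=10.0.0.22 dst=8.8.8.8 dport=53 proto=udp action=allow
2013-12-23T14:05:40 src=10.0.0.22 dst=91.227.4.27 dport=8080 proto=tcp action=allow
"""

# Constructed list of attachment hashes as a mail gateway might report them (mixed case),
# including the day-five sample from the post's update, which is not on the indicator list.
SAMPLE_HASHES = [
    "6933C76F0FBABAE32D9ED9275AA60899",
    "d41d8cd98f00b204e9800998ecf8427e",
    "48e4b1e322e7c5fd53b6745e8b2409e6",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def find_cnc_connections(log_text):
    """Return (timestamp, source host) for every connection to a known C&C endpoint.
    Matching on address AND port keeps ordinary port-8080 traffic (e.g. an internal proxy) out."""
    hits = []
    for line in log_text.strip().splitlines():
        f = parse_log_line(line)
        try:
            endpoint = (f.get("dst"), int(f.get("dport", -1)))
        except ValueError:
            continue  # malformed port field: skip the line rather than crash the sweep
        if endpoint in CNC_ENDPOINTS:
            hits.append((f["ts"], f["src"]))
    return hits


def match_known_payloads(md5s):
    """Hashes that are on the indicator list, normalised to lower case."""
    return sorted(h.lower() for h in md5s if h.lower() in KNOWN_EXE_MD5S)


def unmatched_payloads(md5s):
    """Hashes NOT on the list; a rotated payload shows up here until the list is refreshed."""
    return sorted(h.lower() for h in md5s if h.lower() not in KNOWN_EXE_MD5S)


if __name__ == "__main__":
    for ts, src in find_cnc_connections(SAMPLE_LOG):
        print("C&C contact at %s from %s" % (ts, src))
    print("known payloads:", match_known_payloads(SAMPLE_HASHES))
    print("not on list  :", unmatched_payloads(SAMPLE_HASHES))
```

Two hosts are flagged for C&C contact, one hash matches the day-one payload, and the December 27th hash is reported as unmatched. That last result is the point: a hash list is only as current as its last refresh, whereas the C&C address stayed the same across the payload swaps, so a network indicator catches the infection regardless of which .exe the host ran.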

I told Graham that when I saw his headline "The Massive Lie about Anti-Virus" I was assuming it was THE OTHER massive lie. The one where we tell consumers, "please make sure you let your AV update itself automatically and everything will be ok!"

Updated - December 27, 2013 @ 6:15 AM Central time

The spam campaign has reverted back to JonesDay.com senders. We've seen 50 new copies already this morning, with a new MD5.

The zip file's MD5 is 195db522bfbf399ec4f89455e9f05088. My sample was named Court_Notice_Jones_Day_Wa#4677.zip, which contained the exe file Court_Notice_Jones_Day__Washington.exe, 162,816 bytes in size with an internal timestamp of 12/27/2013 08:52 AM. The .exe has an MD5 of 48e4b1e322e7c5fd53b6745e8b2409e6. VirusTotal reports a 12 of 46 detection rate.