This week they said "spam-delivered Malware is going through the roof!" I was traveling when I got that first report but was able to spend some time in the lab with the analysts yesterday, and they weren't kidding!
The new volume levels started on Wednesday, February 5th, with a campaign imitating Bank of America. On February 6th it changed to Visa/Mastercard, and on February 7th it was imitating FedEx. When we say it was extremely high volume, we mean it!
|Date||Messages reviewed||Count||Email Subject|
|Feb 5||1,066,187||171,186||Bank of America Alert: Online Banking Security Measures|
|Feb 6||1,176,667||303,646||ATTN: Important notification for a Visa / MasterCard holder!|
|Feb 7||1,113,739||267,445||Some important information is missing|
Microsoft's Security Intelligence Report (volume 15) showed spam message breakdown for the first half of 2013 like this:
Historically, we've only seen one day, either at UAB or at Malcovery, that had a higher percentage of malware-laden spam. April 17, 2013, the day following the Boston Marathon Bombing, broke all the records for heaviest spam campaign that was distributing malware as we wrote about in Boston Marathon Explosion Spam Leads to Malware. Cisco's 2014 Annual Security Report calls attention to that spam campaign as well, saying that it accounted for 40% of all the spam messages delivered worldwide that day. Their report included this caution of "Breaking News" emails ...
Because breaking news spam is so immediate, email users are more likely to believe the spam messages are legitimate. Spammers prey on people’s desire for more information in the wake of a major event. When spammers give online users what they want, it’s much easier to trick them into a desired action, such as clicking an infected link. It’s also much easier to prevent them from suspecting that something is wrong with the message.
Here are some more details about the spam messages that were seen in the past three days:
Computers opening this attachment would try to contact the URLs listed here. The "404.php" is an exploit kit that results in the ".exe" files being dropped: (http is changed to hYYp and spaces added to URLs for your protection)
hYYp://22.214.171.124 /srt/404.php hYYp://126.96.36.199 /ssd/usa.exe hYYp://188.8.131.52 /ssd/usa2.exe hYYp://184.108.40.206 /srt/404.php hYYp://220.127.116.11 /ssd/usa.exe hYYp://18.104.22.168 /ssd/usa2.exe hYYp://22.214.171.124 /ssd/usa.exe hYYp://126.96.36.199 /ssd/usa2.exe hYYp://188.8.131.52 /ssd/usa2.exe hYYp://184.108.40.206 /srt/404.php hYYp://220.127.116.11 /ssd/usa.exe
hYYp://18.104.22.168 /srt/404.php hYYp://22.214.171.124 /ssd/usa.exe hYYp://126.96.36.199 /ssd/usa2.exe hYYp://188.8.131.52 /ssd/ust2.exe hYYp://184.108.40.206 /ssd/ust21.exe hYYp://220.127.116.11 /punta/gae.php hYYp://18.104.22.168 /srt/404.php hYYp://22.214.171.124 /ssd/usa.exe hYYp://126.96.36.199 /ssd/usa2.exe hYYp://188.8.131.52 /ssd/ust2.exe hYYp://184.108.40.206 /ssd/ust21.exe hYYp://220.127.116.11 /ssd/usa.exe hYYp://18.104.22.168 /ssd/usa2.exe hYYp://22.214.171.124 /ssd/ust2.exe hYYp://126.96.36.199 /ssd/ust21.exe hYYp://188.8.131.52 /punta/gae.php hYYp://184.108.40.206 /punta/gae.php hYYp://220.127.116.11 /srt/404.php hYYp://18.104.22.168 /ssd/usa.exe hYYp://22.214.171.124 /ssd/usa2.exe hYYp://126.96.36.199 /ssd/ust2.exe
hYYp://188.8.131.52 /srt/404.php hYYp://184.108.40.206 /ssd/ust12.exe hYYp://220.127.116.11 /srt/404.php hYYp://18.104.22.168 /ssd/ust12.exe hYYp://22.214.171.124 /srt/404.php hYYp://126.96.36.199 /ssd/ust12.exe
The IP addresses that would be most critical to block to protect your network would be these. Most of these addresses are on a Cloud hosting service in Russia, "clodo.ru", some on the ASN - St. Petersburg, Russia (clodo.ru) - AS48172 OVERSUN and others on AS56534 PIRIX-INET-AS PIRIX, ltd.
188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206The .exe that gets dropped is ZeuS, though current detection would make that a bit hard to tell. The main file being dropped this morning has the MD5 hash = b32e5922c82208b5fdf6d60503d458f9. Here is the VirusTotal report for that URL as of this timestamp, which is showing greatly improved detection over my original run. ESET, Kaspersky, and Microsoft are all agreeing this is Zeus, while 9 other vendors list some form of "Generic" as the detection name.
Spamming Computers analysisHow often were the same computers used to send these campaigns? We first created three lists of IP addresses used to deliver the spam on each day. I called them ss5ip, ss6ip, and ss7ip for the three days. ss5ip was a list of the 47,380 IP addresses we saw deliver the Bank of America spam on February 5. ss6ip was a list of the 58,532 IP addresses we saw deliver the Visa/MasterCard spam on February 6. ss7ip was a list of the 51,883 IP addresses we saw deliver the FedEx spam on February 7.
5 Intersection 6 = 22,500 shared IPs
6 Intersection 7 = 25,405 shared IPs
5 Intersection 7 = 18,261 shared IPs
16,255 IPs were seen in all three campaign.
107,987 unique IPs were seen if we combine all three campaigns.
Those 107,987 IP addresses sent Malcovery's spam accounts an average of 6.8 emails each and a median of 4 emails each. The two top spamming IP addresses were 220.127.116.11 (France, 158 messages) and 18.104.22.168 (Peru, 142 messages).
I geo-coded those IP addresses that sent more than 10 emails to us, which was a total of 21,955 IP addresses from 141 countries. A very unusual number of IP addresses, more than 45%, are from Spanish-speaking countries, . At some point this botnet probably enlarged itself on Spanish-language spam- or website-based malware
ES 3052 - Spain AR 2148 - Argentina US 1841 - United States CO 1387 - Colombia MX 1374 - Mexico IT 1263 - Italy DE 1025 - Germany PE 915 - Peru RO 876 - Romania BR 833 - Brazil GB 666 - Great Britain CL 634 - Chile FR 537 - France IL 489 - Israel CA 379 - Canada PL 342 - Poland TR 325 - Turkey BG 267 - Bulgaria PT 259 - Portugal GR 238 - Greece VE 238 - Venezuela AT 183 - Austria RS 180 - Republic of Serbia EC 131 - Ecuador CH 118 - Switzerland IN 116 - India CZ 104 - Czech Republic PA 104 - Panama