Tuesday, July 08, 2014

E-ZPass Spam leads to Location Aware Malware

If you drive in a city with toll roads, you are familiar with the E-Z Pass System. If you are, you may have been tempted to click on an email that looked like this:

A quick search in the Malcovery Security Spam Data Mine revealed these related emails:

    date    |                subject                |           sender_name           
------------+---------------------------------------+---------------------------------
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Collection Agency
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Customer Service Center
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Collection Agency
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Customer Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Info
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
 2014-07-08 | Pay for driving on toll road          | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info

But the destination websites are certainly not on E-Z Pass's domains!

When we visit one of the URLs, we are prompted to download a .zip file, containing a .exe file.

Both are conveniently named for the City and ZIP Code from which we are connected.

For example:

When we run this malware, it attempts to make contact with the following C&C locations:

At Malcovery Security, we've been tracking the ASProx botnet for some time. Most of these IP addresses have been known to belong to the ASProx botnet for some time. This is the same botnet that sent the Holiday Delivery Failure spam imitating Walmart, Costco, and Best Buy over the holidays and that sent the Court Related Malware through the early months of 2014.

Thanks to some updates from new friends on Twitter, we wanted to give an update on what we are seeing in the Malcovery Spam Data Mine. Because every advertised URL is unique, we have replaced the "unique stuff" with "...STUFF..." in the URLs below. The important point is that anything you see in your logs that includes "tmp/api", "wp-content/api" or "components/api", then some "STUFF", and then "=/toll" is going to be one of the URLs from the current E-Z Pass spam, which began on July 8th and is still continuing here on July 12th. If you have access to Very Large Logs, we'd love to get YOUR URLs of this pattern to see if we can help webmasters identify and shut this stuff down.

Note the alphabetical progression through compromised domain names? These are sorted by timestamp, not by domain name. It just so happens those are the same thing. We believe the criminals have a very large list of pre-compromised domains that they can use at will. Possibly these are just harvested passwords from other malware campaigns.
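The log pattern described above, written as a small proxy-log scanner. This is an added example, not code from the original post: the log format, client addresses, hosts and tokens are constructed for illustration, while the three directory names and the "=/toll" suffix come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Pattern from the post: one of three directories, "/api/", a unique token, then "=/toll".
TOLL_RE = re.compile(r"/(tmp|wp-content|components)/api/(.+?)=/toll(?:/|$)")

# Assumed log layout for this example: client [timestamp] method URL status
LINE_RE = re.compile(r"^(\S+) \[([^\]]+)\] (\S+) (\S+) (\d{3})$")

# Constructed sample lines; hosts, tokens and client addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 [08/Jul/2014:10:16:02 -0500] GET http://www.example.com/tmp/api/AAAAbbbb1111/cccc2222=/toll 200
10.0.0.9 [09/Jul/2014:01:12:40 -0500] GET http://shop.example.net/components/api/ZZZZ%2Fyyyy%2B0000%3D/toll 200
10.0.0.5 [10/Jul/2014:07:20:11 -0500] GET http://blog.example.org/wp-content/api/QQQQrrrr3333=/toll 404
10.0.0.7 [10/Jul/2014:08:00:00 -0500] GET http://www.example.com/tmp/api/v1/status 200
10.0.0.7 [10/Jul/2014:08:01:00 -0500] GET http://www.example.com/api/pay=/toll 200
"""

def match_toll_url(url):
    """Return (host, directory) if the URL fits the campaign pattern, else None."""
    parts = urlsplit(url)
    # Proxies often log "=" as %3D and "/" as %2F, so decode before matching.
    path = unquote(parts.path)
    m = TOLL_RE.search(path)
    if not m:
        return None
    return parts.hostname, m.group(1)

def scan(log_text):
    """Map each client address to its (timestamp, host, directory, status) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        client, ts, _method, url, status = m.groups()
        found = match_toll_url(url)
        if found:
            hits[client].append((ts, found[0], found[1], int(status)))
    return dict(hits)

if __name__ == "__main__":
    for client, rows in scan(SAMPLE_LOG).items():
        for ts, host, directory, status in rows:
            print(f"{client} {ts} {host} /{directory}/api/...=/toll -> HTTP {status}")
```

Grouping by client shows which internal machines followed a link, and the status code separates requests that were answered from ones that hit an already cleaned-up page.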

This malware is the ASProx malware. If anyone has more details on the "what happens next?" part of the malware, please do share. What we have observed and been told is that infected machines are primarily used for advertising click-fraud, but happy to learn more about those aspects and share what we learn.

12 comments:

  1. Nice find, Gary. Do you know how the malware selected the city and zip? Was it random, or did it appear targeted based on your location or your toll road usage?

    I found a vulnerability in the Texas equivalent of E-Z Pass - TXTAG - that could be used to create highly targeted malware such as this. The login scheme makes it very easy for someone to access accounts through brute force, which would gain an attacker access to names, home addresses, toll road usage history, email, and more. I don't have an E-Z Pass account but wonder if it has the same issues.

    Here is my write-up: http://dnlongen.blogspot.com/2014/04/credit-cards-for-12-million-drivers.html

    1. David - it is using a Geolocation service. It nailed my zipcode both at home and at work when I didn't tunnel. When I tunneled, it gave me cities and zips corresponding to where my remote server was located.

    2. It has nothing to do with any records because I got two of them and I don't ever drive, nor anyone in my family. Also, I didn't know what EZ Pass was, so I looked it up. It is in the eastern states, and I nor my family have never even been anywhere near those states, plus, again I am not a driver, so I believe it is just random.

    3. I live in Australia...never heard of EZ Pass so I looked it up. Was worried as it said debt collection but my own travel tag is in credit. Glad I do my homework before clicking on these things.

  2. Ok, anyone know what this malware does and how to fix it? I got fooled and it shut down my Windows XP machine and now it will only boot and allow me to log on to a blank screen. I can pull up Task Manager but cannot run explorer.exe; nothing seems to fix it. Anyone else have this problem or, better yet, a fix?

  3. Thanks Gary! I received one of these this morning. It unfortunately fooled me into clicking it but I received a 404 connection error so not sure anything happened. Should I still be concerned?

    The spam link on this particular email appeared to be German? - (http://www.leuchtkasten.de/) followed by a long path - I assume to be the query string?

  4. What should I do if I already replied to it?

  5. Hi Gary. The happymaree.com.au link is the unused (and mostly forgotten about) website for our cafe in Melbourne, Australia! Trying to get in touch with my friend who set up the page for us 2 years ago but would appreciate any advice on what we should do.

  6. Hi Gary........I too have received this email. Dummy me, did click on the "click here", however when the zip file popped up, I quickly closed it. I am running my Malwarebytes now. Have I already infected my PC by just the click I did?

  7. mine say Agency E-ZPass Colection

  8. I got one of these in my junk email. Funny, I live in Australia and have not driven in USA.

  9. So glad I don't drive! Wasn't even tempted to click on the link, and it got put with all those 'appear in court, or case will be heard in your absence.' straight into the rubbish bin.

