Saturday, June 25, 2011

A New Car! (or Zeus spam Campaign)

If you believe my email today, everyone is getting a new car but me.



There are actually many different spam message subjects that make up this campaign. Those like the one above use a random person's name in the subject line, like these:

Remember [name]?
It's [name]'s new car!
Saw new [name]'s car?
Do you remember [name]?

There were also quite a few "non-random" ones. Here's a sampling from yesterday's spam, when we received a total of more than 60,000 emails that are part of this malware distribution campaign:

count | subject
-------+------------------------------------
1398 | info
1389 | Hello
1357 | look
1344 | Hello!
1343 | Hi!
1341 | hello!
1333 | Look!
1328 | hello
1320 | hello.
1314 | Hello.
1305 | hey buddy!
1286 | hi buddy!
1282 | Hey!
590 | Is this your boyfriend?
580 | Do you remember me?
577 | Remember me?
549 | Is This Your Boyfriend?
539 | Is this your girlfriend bro?
538 | Is This Your Girl Bro?
533 | Is This Your Boy?
529 | Is this your boy?
507 | Is this your girl bro?
487 | Is This Your Girlfriend Bro?
482 | Is this your girlfriend buddy?
480 | Is This your Girlfriend?

Those numbers are the count of the email messages we received from that portion of the campaign that pretended to be related to LinkedIn. In the graphic above, you can see that the "From" address is on "live.com" and the "Reply-To" is on "linkedin.com". Neither of those things is actually true.

Here are the actual mail headers (although I've redacted a couple things from this one):



In this image, the "fake" values are highlighted in green while the "real" values are highlighted in yellow. This email did NOT come from LinkedIn's IP 63.211.90.176. It really came from 173.200.78.57. (Many hundreds of IPs were used.) The fake value can be there at all because a sender can put any "Received:" lines it likes inside the message before handing it over; only the Received line stamped by your own mail server, which records the IP that actually connected to it, can be trusted.

We actually saw this same style of mail-header faking beginning last November, especially during a rampant USAA phishing campaign where the destination websites were all on '.tk' domains. I didn't focus on that aspect in that story (instead we found the REAL sender IP addresses and wrote about those), partly because at the time I didn't understand how it was possible!
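As an added example of how to separate the forged headers from the real ones (this is illustrative code, not the tooling used for the post), the script below parses a constructed message in the style of this campaign. The mail server name mx.example.org, the hostnames and the timestamps are assumptions; the two IP addresses are the ones the post discusses. The rule is the one the header image illustrates: the Received line our own server wrote records the connecting IP, and every Received line below it arrived inside the message, so the sender could have typed it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (assumed names, not the redacted headers from the
# post).  The top Received line is the one our own MX (mx.example.org, assumed)
# wrote when the message arrived.  The Received line below it was already inside
# the message on delivery, i.e. the sender supplied it, and it names LinkedIn's
# 63.211.90.176 as the origin.
RAW_MESSAGE = """\
Received: from mail-host.example.net (unknown [173.200.78.57])
\tby mx.example.org (Postfix) with ESMTP id 3C5B1A0F2
\tfor <victim@example.org>; Fri, 24 Jun 2011 09:12:31 -0500 (CDT)
Received: from mailhub.linkedin.com (mailhub.linkedin.com [63.211.90.176])
\tby mail-host.example.net with SMTP; Fri, 24 Jun 2011 09:12:30 -0500
From: "LinkedIn" <someone@live.com>
Reply-To: messages-noreply@linkedin.com
To: victim@example.org
Subject: It's Bob's new car!

Saw the new car? http://arcid_1234.oposumcruiser.com/arc/file/
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def received_chain(raw):
    """Received headers in on-the-wire order: newest (last hop) first."""
    msg = message_from_string(raw)
    return [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]


def split_trust_boundary(raw, trusted_hosts):
    """Walk the chain top-down.  A hop is trusted only while every hop above it
    was also written 'by' one of our own hosts; the first foreign hop and
    everything beneath it arrived inside the message and may be forged."""
    trusted, untrusted = [], []
    for hop in received_chain(raw):
        m = BY_RE.search(hop)
        if not untrusted and m and m.group(1).lower() in trusted_hosts:
            trusted.append(hop)
        else:
            untrusted.append(hop)
    return trusted, untrusted


def true_sender_ip(raw, trusted_hosts):
    """IP that actually connected to our perimeter: the 'from' address of the
    lowest trusted hop."""
    trusted, _ = split_trust_boundary(raw, trusted_hosts)
    if not trusted:
        return None
    m = IP_RE.search(trusted[-1])
    return m.group(1) if m else None


def claimed_sender_ips(raw, trusted_hosts):
    """IPs asserted by hops we did not write: usable as a spam fingerprint,
    worthless as evidence of origin."""
    _, untrusted = split_trust_boundary(raw, trusted_hosts)
    return [m.group(1) for hop in untrusted if (m := IP_RE.search(hop))]


def address_domains(raw):
    """Domains of From and Reply-To; a mismatch such as live.com versus
    linkedin.com is another cheap tell."""
    msg = message_from_string(raw)
    return tuple(parseaddr(msg.get(h, "") or "")[1].rpartition("@")[2].lower()
                 for h in ("From", "Reply-To"))


if __name__ == "__main__":
    mine = {"mx.example.org"}
    print("real connecting IP :", true_sender_ip(RAW_MESSAGE, mine))
    print("claimed origin IPs :", claimed_sender_ips(RAW_MESSAGE, mine))
    print("From / Reply-To    :", address_domains(RAW_MESSAGE))
```

The trust walk stops at the first hop not written by one of your own servers; everything after that point is sender-controlled text, which is why the "LinkedIn" line can name 63.211.90.176 while the connection really came from 173.200.78.57.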

All of the spam messages listed above, whether they are the "New Car" version or the "Is that Your Boyfriend?" or even the "Hello!" versions, advertise a common website location. They use random numbers in the hostname portion of the website address, but they all point to:

arcid_[RND#].oposumcruiser.com/arc/file/

That website looks like this:



UPDATE!!


I've received an update from my friend Steven Burn who runs the websites of Ur I.T. Mate Group. He pointed out to me that even if you don't download the .exe file from this page, you are still at risk just by visiting the site. There is an IFRAME hidden in the source code of the page that directs all visitors to load the Blackhole Exploit Kit from another location. As of this writing that other location is:

http://motorssmonito.com/forum.php?tp=778973f6b2977050

(Visit at your own risk - it WILL try to infect you! )

The excellent folks at UCSB's Wepawet project provide this decoding of the page:

Wepawet decode of the MotorSSMonito blackhole exploit kit

which shows all the little tricks it tries to use to infect you, including loading malicious .jar files, .pdf files, .avi files,


/End Update - Thank you, Mr. Burn!



One of the characteristics of the "Avalanche" botnet that we believed was associated with the USAA phish back in November was that the destination website is "Fast Flux" hosted -- meaning that the IP addresses the domain name resolves to are constantly changed: the criminals' nameservers answer with a rotating set of addresses, typically with short TTLs so that resolvers keep coming back, and the name ends up pointing to many different locations over time.

The first time I looked at this website, it was resolving to the IP address 112.71.69.76 in Japan. But when I asked the nameserver for its location, it gave back eight different IP addresses:

80.171.37.243
81.203.1.104
82.159.38.56
85.86.48.130
91.117.147.33
112.71.69.76
114.183.247.117
217.50.208.196

Only a few minutes later when I rechecked, I found the additional IP addresses:

83.213.31.242
90.168.201.126
95.125.232.109
212.225.173.8

all resolving for the random "oposumcruiser.com" hostnames.

One of the many projects we have at the UAB Computer Forensics Research Lab is a Fast Flux tracker. Some of the other domains that are currently fluxing on this same space include perfectcheck2011.com, safeyourwork.net, personalsyscheck.com and safetylife2011.org which use the nameservers ns1.lonfd.net and ns1.cazonet.com. Most of those are autoforwarders for pharmaceutical websites such as sportsmedsrxpills.net which purports to be the "Canadian Health & Care Mall".
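The checks a simple fast-flux tracker applies to a name, as an added example that is not the UAB tracker's code: repeated lookups are summarised into how many distinct addresses were seen, how scattered they are across /16 networks, the TTL, and how many addresses were swapped between one answer and the next. The twelve addresses are the ones the post reports for the oposumcruiser.com hostnames; the timestamps, the 300-second TTL and the contrasting "stable" name (TEST-NET addresses) are assumptions for illustration.

```python
import ipaddress
from statistics import mean

# Constructed observation log for the campaign's landing hostname.  Each entry
# is (seconds since the first lookup, answer TTL, A records returned).  The IP
# addresses are the twelve the post lists for the oposumcruiser.com names; the
# timestamps and the 300-second TTL are assumed for illustration.
FLUX_OBSERVATIONS = [
    (0, 300, ["80.171.37.243", "81.203.1.104", "82.159.38.56", "85.86.48.130",
              "91.117.147.33", "112.71.69.76", "114.183.247.117", "217.50.208.196"]),
    (420, 300, ["83.213.31.242", "90.168.201.126", "95.125.232.109", "212.225.173.8",
                "112.71.69.76", "85.86.48.130", "81.203.1.104", "80.171.37.243"]),
]

# A conventionally hosted name for contrast (assumed; TEST-NET-1 addresses).
STABLE_OBSERVATIONS = [
    (0, 86400, ["192.0.2.10", "192.0.2.11"]),
    (420, 86400, ["192.0.2.10", "192.0.2.11"]),
]


def flux_profile(observations):
    """Summarise how a name's A records behave across repeated lookups."""
    answers = [set(ips) for _, _, ips in observations]
    seen = set().union(*answers)
    # addresses present in an answer that were absent from the previous one
    replaced = [len(cur - prev) for prev, cur in zip(answers, answers[1:])]
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in seen}
    return {
        "unique_ips": len(seen),
        "distinct_slash16": len(prefixes),
        "mean_ttl": mean(ttl for _, ttl, _ in observations),
        "new_ips_per_recheck": mean(replaced) if replaced else 0.0,
    }


def looks_fast_flux(profile, max_ttl=1800, min_ips=5, min_prefixes=3):
    """Heuristic: many addresses, spread over unrelated networks, served with
    short TTLs and swapped out between rechecks.  Thresholds are assumptions;
    tune them against names you know to be legitimately load-balanced."""
    return (profile["mean_ttl"] <= max_ttl
            and profile["unique_ips"] >= min_ips
            and profile["distinct_slash16"] >= min_prefixes
            and profile["new_ips_per_recheck"] > 0)


if __name__ == "__main__":
    for label, obs in (("oposumcruiser.com", FLUX_OBSERVATIONS),
                       ("stable-name", STABLE_OBSERVATIONS)):
        p = flux_profile(obs)
        print(label, p, "fast flux" if looks_fast_flux(p) else "normal")
```

In practice the observations come from re-querying the name's own nameservers every few minutes (for example with repeated `dig +noall +answer` runs) rather than a caching resolver, since a cache would hide the churn until the TTL expired. Content-delivery networks also hand out many addresses with short TTLs, but they stay within a small number of networks, which is what the /16 spread is meant to separate.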

The fake website offers you a download as an executable file, "archive.exe".

According to the AV products on the VirusTotal website, this is either the Zbot trojan (commonly known as Zeus) or Kazy.



(Click the image to go to the VirusTotal report for this malware.)

MD5: a653ef80a47f5ec646a2ce0fdbc1068d

Trojan-Spy.Win32.Zbot.buax, Gen:Variant.Kazy.28222, Win32/Spy.Zbot.YW, Trojan/Win32.Zbot

I put the malware in our Malware Analysis VM and watched to see what it would do.

The version of the malware that I self-infected with made DNS calls for the following domains, many of which have not yet been registered.

lrnsxmztnqiomiq.com
rqnorekziuhmsxr.biz
rqnorekziuhmsxr.org
vlolhmcjlpqntm.net
vlolhmcjlpqntm.com
zqpyuykzovrsjw.info
zqpyuykzovrsjw.biz
wzmkrojrutomsg.net
wzmkrojrutomsg.org
nnpgpskekyrtyoq.info
nnpgpskekyrtyoq.com
stqbbjuqsoefcpcq.biz
stqbbjuqsoefcpcq.com
xljpkdlnzniocjpu.info

It also modified many registry keys, primarily related to Outlook Express, which means there was probably going to be some spamming going on if I left the infection up.

The only one of these that I can tell WAS registered is this one, registered through a privacy service.

Domain Name: LRNSXMZTNQIOMIQ.COM

Administrative Contact:
Reinecker, Beverly ap9cm76v4sv@nameprivacy.com
ATTN:
P.O. Box 430 c/o NameSecure
Herndon, VA 20171-430
US
570-708-8782


When it was live, it was hosted on 72.249.171.121.

Also seen on that IP, according to bfk.de, are:

www.realgirlfights.org CNAME realgirlfights.org
lrnsxmztnqiomiq.com A 72.249.171.121
wqonlrwkuswjzmm.net A 72.249.171.121
lmnqnxypfulhgxo.biz A 72.249.171.121
kmxpiylvojgjcus.biz A 72.249.171.121

That IP is Colo4Dallas LP (AS36024) in Dallas, Texas.

Steven Burn provided the following list of related domains, as well as the path which hosts their respective badness. Again, please don't follow these links unless you are a malware researcher in a safe environment.

cgywgtcwpngrzgk.net/news/?s=195341
cpgfkybtkljjwvsk.org/news/?s=195341
futplqwsqqiopntn.com/news/?s=195341
ijqrqinymhjsvr.net/news/?s=195341
imwftfprsbxzgiy.info/news/?s=195341
iruwoekurjzrpko.biz/news/?s=195341
jptptmlpqnzdnpl.biz/news/?s=195341
jtpknvosaiwoxqs.info/news/?s=195341
jwqqrkosoqqglvpk.biz/news/?s=195341
jxatmxeojvhwhvd.com/news/?s=195341
ktznowypsmswqtjl.net/news/?s=195341
kxzjfqomtyjhhhzr.com/news/?s=195341
lhourmoptjoejd.info/news/?s=195341
lqwryghqqpiujsp.com/news/?s=195341
mjeqpkukusnkkhtm.info/news/?s=195341
mpwpxgmpjqkrpfzd.biz/news/?s=195341
mrjuqpqqzqikin.org/news/?s=195341
nfumumsidtqtynr.com/news/?s=195341
oopmeozgtsxerenn.com/news/?s=195341
orelrxnwtuiuplhn.biz/news/?s=195341
ounwukdlrpflento.com/news/?s=195341
pluufpyllzrqpnot.com/news/?s=195341
ppjjvmomiiwtkyn.com/news/?s=195341
prminhfvfmsckzjw.info/news/?s=195341
psiscguokswppvys.biz/news/?s=195341
pxcoprkgsoeyoiej.info/news/?s=195341
quujzvhhutfvtlq.info/news/?s=195341
rcjemwpzhygppmuo.net/news/?s=195341
rggfymzrkzpnpsjl.com/news/?s=195341
rheovalxkdmspe.net/news/?s=195341
rhtjdemtypbpow.com/news/?s=195341
rnosovkotqwbk.info/news/?s=195341
rpjrewwqsditwtky.org/news/?s=195341
rwfstvftrzwwtjxu.info/news/?s=195341
rxtrpjvcuikyipt.net/news/?s=195341
sklyzjonvkikpjt.org/news/?s=195341
soilvjyksytnfp.net/news/?s=195341
ssmkoqkrgimsnwe.com/news/?s=195341
tjtoehpzjmtnigs.net/news/?s=195341
ttzoxhbzvgpijlwk.biz/news/?s=195341
twsrnyyfnvrqhht.org/news/?s=195341
ydvkmqunnnnwqop.info/news/?s=195341
yjlmfeinqhupvtnh.info/news/?s=195341
yphxjkymmnqynogh.com/news/?s=195341
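The landing URLs above share a fixed path and query string even though the hostnames are random, which makes the path the useful part for detection. As an added example (not part of the post), the script below turns the three URL shapes on this page into indicators and runs them over constructed Squid-style proxy log lines. The log lines, client addresses and the resolved server IPs are made up; the hostnames, paths and the s=195341 query value are the ones the post reports.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the post: (label, host pattern or None, exact path,
# required query keys -> exact value or None for "any value").
INDICATORS = [
    ("zeus-landing-page", re.compile(r"^arcid_\d+\.oposumcruiser\.com$"),
     "/arc/file/", {}),
    ("blackhole-exploit-kit", re.compile(r"^motorssmonito\.com$"),
     "/forum.php", {"tp": None}),
    # the hostnames vary; the path and s= value are the stable part
    ("zeus-landing-mirror", None, "/news/", {"s": "195341"}),
]

# Constructed Squid access-log lines (assumed traffic, not a real capture).
SAMPLE_LOG = """\
1308928931.412    87 10.1.4.22 TCP_MISS/200 2813 GET http://arcid_8831.oposumcruiser.com/arc/file/ - DIRECT/112.71.69.76 text/html
1308928932.950   120 10.1.4.22 TCP_MISS/200 9921 GET http://motorssmonito.com/forum.php?tp=778973f6b2977050 - DIRECT/198.51.100.7 text/html
1308928940.003    55 10.1.7.9 TCP_MISS/200 4410 GET http://jxatmxeojvhwhvd.com/news/?s=195341 - DIRECT/203.0.113.12 text/html
1308928941.117    40 10.1.7.9 TCP_HIT/200 1180 GET http://www.example.com/news/?s=42 - NONE/- text/html
1308928945.600    61 10.1.2.3 TCP_MISS/200 3030 GET http://www.example.org/arc/file/ - DIRECT/192.0.2.44 text/html
"""


def classify_url(url):
    """Return the indicator label a URL matches, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    for label, host_re, path, needed in INDICATORS:
        if host_re is not None and not host_re.match(host):
            continue
        if parts.path != path:
            continue
        if all(key in query and (value is None or query[key] == [value])
               for key, value in needed.items()):
            return label
    return None


def scan_access_log(text):
    """Yield (client, label, url) for every log line whose URL matches.
    Squid native format: timestamp elapsed client code/status bytes method url ..."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        label = classify_url(url)
        if label:
            hits.append((client, label, url))
    return hits


def clients_hitting_exploit_kit(hits):
    """Clients that reached the Blackhole redirector after the landing page,
    i.e. the ones to pull for forensics first."""
    seen_landing = set()
    escalated = []
    for client, label, _ in hits:
        if label.startswith("zeus-landing"):
            seen_landing.add(client)
        elif label == "blackhole-exploit-kit" and client in seen_landing:
            escalated.append(client)
    return escalated


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for client, label, url in found:
        print(f"{client:12} {label:22} {url}")
    print("landing page then exploit kit:", clients_hitting_exploit_kit(found))
```

Matching on the exact path plus query value rather than on the hostnames keeps the rule useful as new throwaway domains appear, and the benign `/news/?s=42` and `example.org/arc/file/` lines show that path alone is not enough without the query value or the host pattern.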