Monday, November 30, 2009

IRS Spam Campaign leads to low detection malware

We're getting tons of strange IRS spam this morning.

Subjects like:

IRS - Please Read!
IRS - Tax Refund Notification!
IRS e-file refund notification!
IRS REFUND Notification - Please Read This!
IRS: Your Tax Refund Notification!
Notification - Tax Refund!
Notification - Your Tax Refund!
Tax Refund!
US Internal Revenue Service!
US Treasury Department - Tax Refund!

Bodies look like this:



-----------------------------

Internal Revenue Service
United States Department of the Treasury
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive 533.41$ tax refund under section 501(c) (10) of the Internal Revenue Code. Please submit the Tax Refund Request Form and allow us 3-9 days to process it.

Yours faithfully,
Sarah Hall Ingram, Commissioner

This notification has been sent by the Internal Revenue Service, a bureau of the Department of the Treasury.

-----------------------
This would be a great place to remind people that if you have JavaScript turned on globally, then when you visit ANY website the code on that website runs, and so does the code on any website that is being loaded into your current webpage with an iframe.

In this case, there's an iframe that draws source from here, being blocked by Google Safe Browsing:

infosayt.com/heabes/index.php
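
The point above is the one a page-inspection tool should make visible: an iframe pulls a second site's code into the page you think you are looking at, and a drive-by loader usually makes that frame zero-size or CSS-hidden. Here is an added example, not code from the original post, that parses a page and flags frames which are both off-site and hidden. The sample HTML and the host names in it (`refund-form.example`, `third-party.example`) are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not taken from the campaign): one ordinary same-site
# frame and one hidden frame pulling content from a third-party host.
SAMPLE_HTML = """
<html><body>
<h1>Tax Refund Request Form</h1>
<iframe src="/help/faq.html" width="400" height="300"></iframe>
<iframe src="http://third-party.example/heabes/index.php"
        width="0" height="0" style="visibility: hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _looks_hidden(attrs):
    """Zero-size frames and CSS-hidden frames are the usual way a loader keeps
    the injected frame out of the visitor's sight."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {"0", "0px", "1", "1px"}
    return ("display:none" in style or "visibility:hidden" in style
            or attrs.get("width", "").strip().lower() in tiny
            or attrs.get("height", "").strip().lower() in tiny)


def audit_iframes(html, page_host):
    """Return one finding per iframe: where it loads from, whether that is a
    different host than the page itself, and whether the frame is hidden.
    Off-site plus hidden is the combination worth a closer look."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src resolves against the page's own host.
        frame_host = urlsplit(src).hostname or page_host
        offsite = frame_host.lower() != page_host.lower()
        hidden = _looks_hidden(attrs)
        findings.append({"src": src, "host": frame_host, "offsite": offsite,
                         "hidden": hidden, "suspicious": offsite and hidden})
    return findings


if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_HTML, "refund-form.example"):
        print(finding)
```

Running the script prints two findings; only the second, the zero-size frame from `third-party.example`, is marked suspicious. A real scanner would resolve `//host/path` and `<base href>` forms the same way and would also walk `<script src>` and `<object>` tags, which this example leaves out.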

An encrypted javascript is supposed to load from /ssp/index.php on each of the sites below.

The javascript on this page causes the page:

hxxp://refund-services.irs.issue.no.l398726.us/ssp/loadjavad.php?page=1

to be loaded, which drops an executable file called "load.exe". We expect that this page is regularly changed to allow a variety of malware to be dropped. At the moment, what it is dropping is a file that has these characteristics:

My Microsoft Forefront calls that: "Trojan:Win32/Oficla.E"
File size: 19968 bytes
MD5 : 8c111a22d26c84dffe3bc3e03907bc28

A VirusTotal Report gives 5 of 41 detects, meaning that MOST anti-virus software will currently return "no virus found" if you scan the file.

-------------------------
As I was working through my analysis, I found that this has actually already been written up quite nicely by CA in their Security Advisor blog by Mary Grace Gabriel.


Here's a list of webpages we've seen so far today (November 30th):

refund-services.irs.issue.no.l320584.us
refund-services.irs.issue.no.l324603.us
refund-services.irs.issue.no.l32839.us
refund-services.irs.issue.no.l354923.us
refund-services.irs.issue.no.l362960.us
refund-services.irs.issue.no.l367360.us
refund-services.irs.issue.no.l372905.us
refund-services.irs.issue.no.l376054.us
refund-services.irs.issue.no.l380027.us
refund-services.irs.issue.no.l382703.us
refund-services.irs.issue.no.l383749.us
refund-services.irs.issue.no.l385372.us
refund-services.irs.issue.no.l387246.us
refund-services.irs.issue.no.l387266.us
refund-services.irs.issue.no.l392053.us
refund-services.irs.issue.no.l392086.us
refund-services.irs.issue.no.l398726.us
refund-services.irs.issue.no.l500328.us
refund-services.irs.issue.no.l507229.us
refund-services.irs.issue.no.l524820.us
refund-services.irs.issue.no.l528074.us
refund-services.irs.issue.no.l539028.us
refund-services.irs.issue.no.l539347.us
refund-services.irs.issue.no.l542043.us
refund-services.irs.issue.no.l562804.us
refund-services.irs.issue.no.l567387.us
refund-services.irs.issue.no.l568730.us
refund-services.irs.issue.no.l572463.us
refund-services.irs.issue.no.l57290.us
refund-services.irs.issue.no.l580382.us
refund-services.irs.issue.no.l583720.us
refund-services.irs.issue.no.l58736.us
refund-services.irs.issue.no.l587468.us
refund-services.irs.issue.no.l587938.us
refund-services.irs.issue.no.l590274.us
refund-services.irs.issue.no.l593380.us
refunds.irs.issue.no.l32839.us
refunds.irs.issue.no.l362960.us
refunds.irs.issue.no.l367360.us
refunds.irs.issue.no.l37204.us
refunds.irs.issue.no.l372905.us
refunds.irs.issue.no.l380027.us
refunds.irs.issue.no.l383749.us
refunds.irs.issue.no.l385372.us
refunds.irs.issue.no.l387246.us
refunds.irs.issue.no.l387266.us
refunds.irs.issue.no.l392053.us
refunds.irs.issue.no.l392059.us
refunds.irs.issue.no.l392086.us
refunds.irs.issue.no.l392503.us
refunds.irs.issue.no.l398726.us
refunds.irs.issue.no.l524820.us
refunds.irs.issue.no.l539347.us
refunds.irs.issue.no.l567387.us
refunds.irs.issue.no.l568730.us
refunds.irs.issue.no.l572035.us
refunds.irs.issue.no.l572463.us
refunds.irs.issue.no.l580382.us
refunds.irs.issue.no.l583720.us
refunds.irs.issue.no.l58736.us
refunds.irs.issue.no.l587468.us
refunds.irs.issue.no.l587938.us
refunds.irs.issue.no.l590274.us
refunds.irs.issue.no.l593380.us
ustreasurydept.irs.issue.no.l320584.us
ustreasurydept.irs.issue.no.l324603.us
ustreasurydept.irs.issue.no.l32839.us
ustreasurydept.irs.issue.no.l354923.us
ustreasurydept.irs.issue.no.l362960.us
ustreasurydept.irs.issue.no.l367360.us
ustreasurydept.irs.issue.no.l37204.us
ustreasurydept.irs.issue.no.l372905.us
ustreasurydept.irs.issue.no.l376054.us
ustreasurydept.irs.issue.no.l380027.us
ustreasurydept.irs.issue.no.l382703.us
ustreasurydept.irs.issue.no.l383749.us
ustreasurydept.irs.issue.no.l385372.us
ustreasurydept.irs.issue.no.l387246.us
ustreasurydept.irs.issue.no.l387266.us
ustreasurydept.irs.issue.no.l392053.us
ustreasurydept.irs.issue.no.l392503.us
ustreasurydept.irs.issue.no.l398726.us
ustreasurydept.irs.issue.no.l500328.us
ustreasurydept.irs.issue.no.l507229.us
ustreasurydept.irs.issue.no.l524820.us
ustreasurydept.irs.issue.no.l528074.us
ustreasurydept.irs.issue.no.l539028.us
ustreasurydept.irs.issue.no.l539347.us
ustreasurydept.irs.issue.no.l542043.us
ustreasurydept.irs.issue.no.l562804.us
ustreasurydept.irs.issue.no.l567387.us
ustreasurydept.irs.issue.no.l568730.us
ustreasurydept.irs.issue.no.l572035.us
ustreasurydept.irs.issue.no.l572463.us
ustreasurydept.irs.issue.no.l57290.us
ustreasurydept.irs.issue.no.l583720.us
ustreasurydept.irs.issue.no.l587468.us
ustreasurydept.irs.issue.no.l587938.us
ustreasurydept.irs.issue.no.l590274.us
ustreasury.irs.issue.no.l320584.us
ustreasury.irs.issue.no.l324603.us
ustreasury.irs.issue.no.l354923.us
ustreasury.irs.issue.no.l362960.us
ustreasury.irs.issue.no.l37204.us
ustreasury.irs.issue.no.l376054.us
ustreasury.irs.issue.no.l380027.us
ustreasury.irs.issue.no.l382703.us
ustreasury.irs.issue.no.l383749.us
ustreasury.irs.issue.no.l385372.us
ustreasury.irs.issue.no.l387246.us
ustreasury.irs.issue.no.l387266.us
ustreasury.irs.issue.no.l392053.us
ustreasury.irs.issue.no.l392059.us
ustreasury.irs.issue.no.l392086.us
ustreasury.irs.issue.no.l392503.us
ustreasury.irs.issue.no.l398726.us
ustreasury.irs.issue.no.l528074.us
ustreasury.irs.issue.no.l539028.us
ustreasury.irs.issue.no.l539347.us
ustreasury.irs.issue.no.l542043.us
ustreasury.irs.issue.no.l562804.us
ustreasury.irs.issue.no.l572035.us
ustreasury.irs.issue.no.l572463.us
ustreasury.irs.issue.no.l57290.us
ustreasury.irs.issue.no.l580382.us
ustreasury.irs.issue.no.l583720.us
ustreasury.irs.issue.no.l58736.us
ustreasury.irs.issue.no.l587468.us
ustreasury.irs.issue.no.l587938.us
ustreasury.irs.issue.no.l590274.us
ustreasury.irs.issue.no.l593380.us

These have been shared with appropriate authorities and will hopefully be shut down soon!

Saturday, November 28, 2009

Beware Weekend Facebook Scam!

The cybercriminals seem to have completed their Black Friday shopping and returned to work this morning with a new Facebook scam. It's probably wrong to call it "new", since it's a re-tread of the Facebook scam we warned about October 28th.

The UAB Spam Data Mine saw approximately 20,000 copies of this email today, with the following websites being used in the spam:

www.facebook.com.hssaze.be
www.facebook.com.hssazg.be
www.facebook.com.hssazh.be
www.facebook.com.hssazi.be
www.facebook.com.hssazj.be
www.facebook.com.hssazl.be
www.facebook.com.hssazo.be
www.facebook.com.hssazp.be
www.facebook.com.hssazq.be
www.facebook.com.hssazr.be
www.facebook.com.hssazt.be
www.facebook.com.hssazu.be
www.facebook.com.hssazw.be
www.facebook.com.hssazy.be

Three email subjects (with some variation in case) are used:

Facebook Account Update
Facebook Update Tool
New login system

The path /usersdirectory/LoginFacebook.php has a unique string appended for each email sent.

The emails look like this:



Dear Facebook user,
In an effort to make your online experience safer and more enjoyable,
Facebook will be implementing a new login system that will affect all
Facebook users. These changes will offer new features and increased
account security.
Before you are able to use the new login system, you will be required to
update your account.
Click here to update your account online now.

If you have any questions, reference our New User Guide.

Thanks,
The Facebook Team



and the webpage starts like this:



After entering your userid and password, the malware page is loaded:



The "updatetool.exe" is malware, of course.

File size: 129536 bytes
MD5...: adc5806e32716e588faf44622ccb5f9a

Early this morning, virustotal was showing a 5 of 41 detection rate. That's greatly improved now, to 17 of 41, as shown in this current VirusTotal Report. The malware is confirmed to be a Zeus/Zbot infector.

Tuesday, November 24, 2009

Some Jerk posted your photo - and now you're infected!

(Update: this scam from November 2009 is being repeated in February 2010 - for more on the current version please see: Minipost: Fake Photo Zeus)

Dear Cyber Criminals,

Isn't there someone out there doing something interesting besides the Zeus criminals?

Today we have yet another major spam campaign spreading malware, and yet again it's the same criminals trying to use social engineering to plant their password-stealing and bank-website-altering software on your computer.

Today's campaign started out while I was breaking in a new pair of boots at Oak Mountain State Park by doing the Peavine Falls Green Trail, a nice set of hills. When I came back to my car I noticed a couple text messages asking about a new Zeus campaign. I checked Twitter and saw that Alex Eckelberry from Sunbelt (@alexeck) and WebSense Labs (@websenselabs) had both covered it. Yes, I am not always online! When I take vacation days I only work in the early morning and the evening!

The email subjects used by this spam campaign are:

Subject: hi
Subject: fw
Subject: hey
Subject: re
Subject: your photos
Subject: some jerk has posted your photos
Subject: some jerk has posted your pictures

The website addresses use randomization in the hostname to create an enormous number of possible URLs, all beginning with "archive", followed by 1 to 8 random digits, and a domain name. Real examples of the full hostnames are listed further below.

The domain names we saw earlier include:

hlrtfeb.com
hlrtfec.com
hlrtfef.com
hlrtfeg.com
hlrtfeh.com
hlrtfek.com
hlrtfem.com
hlrtfen.com
hlrtfeo.com
hlrtfet.com
hlrtfeu.com
hlrtfey.com
uhbzal.com
uhczax.com
uhfzav.com
uhgzao.com
uhrzaf.com
uhszaa.com
uhtzar.com
uhvzac.com
uhwzaq.com
uhxzas.com
heddasb.eu
heddasc.eu
heddase.eu
heddask.eu
heddasl.eu
heddasm.eu
heddast.eu
heddasu.eu
heddasz.eu
salikub.eu
salikuc.eu
salikue.eu
salikuf.eu
salikuh.eu
salikui.eu
salikuj.eu
salikuk.eu
salikur.eu
salikus.eu
salikuu.eu
salikuv.eu
salikuy.eu
daaswev.eu
heddaso.eu
heddasp.eu
heddasq.eu

all with the path "/photo-hosting/".

All of the initial domains seem to have been taken offline, but the criminal is starting up a second wave of domain names that we are now seeing in the UAB Spam Data Mine.

daaswea.eu
daasweb.eu
daaswec.eu
daaswed.eu
daaswee.eu
daaswef.eu
daasweg.eu
daasweh.eu
daaswer.eu
daaswet.eu
daaswev.eu
daaswex.eu
daaswey.eu
daaswez.eu


Here's a screenshot from a currently live website:



The malware which is currently dropping is "lightly detected" at VirusTotal, but not "poorly detected". A current VirusTotal report shows 15 of 41 detects with only Microsoft, Sunbelt, and Symantec properly labeling the malware as ZBot.

Here are some examples of the actual hostnames we've seen (and we've now seen more than 6,500 copies):

archive4.daaswea.eu
archive7004014104.daasweb.eu
archive9.daaswec.eu
archive69970154.daaswed.eu
archive98206261.daaswee.eu
archive71911819.daaswef.eu
archive091208.daasweg.eu
archive2312350.daasweh.eu
archive329947.daaswer.eu
archive85173554.daaswet.eu
archive69548414.daaswev.eu
archive062274583.daaswex.eu
archive3318.daaswey.eu
archive2720530501.daaswez.eu
archive445.heddasb.eu
archive432.heddasc.eu
archive907.heddase.eu
archive65975290.heddask.eu
archive4.heddasl.eu
archive90689245.heddasm.eu
archive634960.heddaso.eu
archive4450.heddasp.eu
archive6461304410.heddasq.eu
archive20.heddast.eu
archive5927620984.heddasu.eu
archive29613500.heddasz.eu
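
When a campaign randomizes only the digits after a fixed label, the useful unit for blocking and reporting is the registrable domain, not the individual hostname. The following is an added example, not code from the original post, that parses the "archive" + digits + domain pattern described above, clusters the hostnames listed on this page by domain, and builds one anchored regex from the result. It assumes every domain in this wave sits directly under a single-label TLD (.eu or .com), which holds for the samples here; the decoy `mail.example.com` is constructed. Note that the matcher does not cap the digit run, because the hostnames quoted above include runs of 9 and 10 digits.

```python
import re
from collections import Counter

# Hostnames quoted in the post, plus one constructed decoy that must not match.
SAMPLE_HOSTS = [
    "archive4.daaswea.eu", "archive7004014104.daasweb.eu", "archive9.daaswec.eu",
    "archive69970154.daaswed.eu", "archive98206261.daaswee.eu",
    "archive71911819.daaswef.eu", "archive091208.daasweg.eu",
    "archive2312350.daasweh.eu", "archive329947.daaswer.eu",
    "archive85173554.daaswet.eu", "archive69548414.daaswev.eu",
    "archive062274583.daaswex.eu", "archive3318.daaswey.eu",
    "archive2720530501.daaswez.eu", "archive445.heddasb.eu",
    "archive432.heddasc.eu", "archive907.heddase.eu",
    "archive65975290.heddask.eu", "archive4.heddasl.eu",
    "archive90689245.heddasm.eu", "archive634960.heddaso.eu",
    "archive4450.heddasp.eu", "archive6461304410.heddasq.eu",
    "archive20.heddast.eu", "archive5927620984.heddasu.eu",
    "archive29613500.heddasz.eu",
    "mail.example.com",  # constructed decoy
]

# "archive" + a run of digits + a two-label registrable domain.
ARCHIVE_HOST = re.compile(r"^archive(\d+)\.([a-z0-9-]+\.[a-z]+)$")


def parse_archive_host(host):
    """Return (digit_run, domain) for a hostname that fits the pattern, else None."""
    m = ARCHIVE_HOST.match(host.strip().lower())
    return (m.group(1), m.group(2)) if m else None


def summarize(hosts):
    """Cluster hostnames by registrable domain and report the digit-run range,
    so a blocklist can be built per domain instead of per hostname."""
    per_domain = Counter()
    lengths = []
    unmatched = []
    for host in hosts:
        parsed = parse_archive_host(host)
        if parsed is None:
            unmatched.append(host)
            continue
        digits, domain = parsed
        per_domain[domain] += 1
        lengths.append(len(digits))
    return {
        "domains": sorted(per_domain),
        "hosts_per_domain": dict(per_domain),
        "min_digits": min(lengths) if lengths else 0,
        "max_digits": max(lengths) if lengths else 0,
        "unmatched": unmatched,
    }


def block_pattern(domains):
    """One anchored regex matching any 'archive<digits>' host under the
    clustered domains, suitable for a proxy or mail-filter rule."""
    alternation = "|".join(re.escape(d) for d in sorted(domains))
    return re.compile(r"^archive\d+\.(?:%s)$" % alternation)


if __name__ == "__main__":
    summary = summarize(SAMPLE_HOSTS)
    print(len(summary["domains"]), "domains; digit runs of",
          summary["min_digits"], "to", summary["max_digits"], "digits")
    print("unmatched:", summary["unmatched"])
    print("rule:", block_pattern(summary["domains"]).pattern)
```

The generated rule matches hostnames under the clustered domains that were never observed in the spam, which is the point: the criminals generate the digits at send time, so a defender has to match the shape, not the list.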

Rather than having a standard "From:" address, the criminals are mixing this up as well. Here are the last folks from which we received our copies of the spam -- of course these are all fakes created by the spambot:

"Montgomery" Montgomery@tppa.com
"Gayle Leal" Gayle.Leal@kotnet.org
"Erwin Deleon" Erwin.Deleon@altern.org
"Lovett" Lovett@portsevendomain.biz
"Lance Frank" Frank@pacbell.net
"Kendrick1924" Kendrick1924@168city.com
"Sparks1900" Sparks1900@phayze.com
"Timmons" Timmons@malaysia.net
"Fischer1981" Fischer1981@surfeador.com
"Lemuel Starks" Starks1956@aol.com
"Roman1992" Roman1992@mrg.com
"Alphonso Lockwood" Alphonso.Lockwood@mail15.com
"Reed1954" Reed1954@phayze.com
"Jorge Gonzalez" Jorge.Gonzalez@correo1.com
"Amparo.Rock" Amparo.Rock@computermail.net
"Lamar Jeffers" Jeffers@kichimail.com
"Gil Bonds" Bonds1992@purinmail.com
"Suarez" Suarez@arkansas.net
"Margarito Mcghee" Margarito.Mcghee@verizon.com
"Hodges" Hodges@kinki-kids.com
"Cleveland.Pritchard" Cleveland.Pritchard@regiomontano.com
"Josephine Saldana" Saldana1950@we-help-u.biz
"Allen Lee" Allen.Lee@aol.com
"Ott1987" Ott1987@we-help-u.biz
"Santos" Santos@singapore.net
"Mullins1993" Mullins1993@portsevendomain.biz
"Tim Walsh" Walsh@altern.org
"Andres Daly" Daly@free.fr
"Courtney.Dalton" Courtney.Dalton@kellychen.com
"Marsh1993" Marsh1993@atlanta.com
"Cornelia Wilkins" Cornelia.Wilkins@brainpod.com
"Berger" Berger@mail.com
"Lynn1929" Lynn1929@inodes.org
"Kristin.Costa" Kristin.Costa@myramstore.com
"Jewel Lockhart" Jewel.Lockhart@free.fr
"Roxie Tompkins" Tompkins@singapore.net
"Rodney Smallwood" Rodney.Smallwood@surrealismo.com
"IraIrwin" Irwin@fcta.com
"Gilliam" Gilliam@we-help-u.biz
"Calloway" Calloway@punkass.com
"Blackwell" Blackwell@norika-fujiwara.com
"Carmela Hanson" Carmela.Hanson@sesmail.com
"Chi.Benton" Chi.Benton@norika-fujiwara.com
"Andre.Burnette" Andre.Burnette@surfeador.com
"Alfonso.Poe" Alfonso.Poe@we-help-u.biz

Monday, November 23, 2009

UAB Spam Data Mine finds Social Security Statement Zeus Bot

I'm frequently asked how it is that the UAB Spam Data Mine is consistently among the first in reporting new spam campaigns that contain harmful malware. I thought I would show you the manual version of the process this morning.

We start by finding the "top subjects" for the current time period. Because the UAB Spam Data Mine now processes inbound spam every 15 minutes, we can do searches to identify the top spam campaigns in the previous 15 minutes such as:

select count(subject), subject from spam where message_id like '%09Nov23.0715%' group by subject order by count(subject) desc;

Look for something interesting, such as:

53 | Watch for errors on Social Security statement
53 | Watch for errors on your Social Security statement
45 | Review your annual Social Security statement

In the previous 15-minute period, nothing with "Social Security" showed up in the top 100 subjects. Now we have three items in the top 25. By the time I finished writing this article, the 0730 and 0745 runs were complete, and we now have more than 600 samples of the spam. However, using the techniques we've developed for "emerging threat detection", we were aware of the campaign immediately, when the 0715 run showed something that was not present in the 0700 run.

Then we may dig in with a subject specific search:

select a.subject, b.machine, b.path from spam a, spam_link b where a.message_id = b.message_id and a.subject like '%Social Security statement%';


Bingo! 200 results with domains like:

statements.ssa.gov.fawaazq.be | /acu/IPS_INTR/controller.php
statements.ssa.gov.reedask.be | /acu/IPS_INTR/controller.php

Let's get JUST the list of machines used:

select machine from spam_link where machine like 'statements.ssa.gov%' group by machine;
machine
-------------------------------
statements.ssa.gov.reedasn.be
statements.ssa.gov.fawaazv.be
statements.ssa.gov.fawaazc.be
statements.ssa.gov.reedasg.be
statements.ssa.gov.ujbhgk.be
statements.ssa.gov.ujbhgx.be
statements.ssa.gov.fawaazs.be
statements.ssa.gov.fawaaza.be
statements.ssa.gov.ujbhgv.be
statements.ssa.gov.fawaaze.be
statements.ssa.gov.reedasu.be
statements.ssa.gov.reedasv.be
statements.ssa.gov.reedask.be
statements.ssa.gov.ujbhgz.be
statements.ssa.gov.fawaazz.be
statements.ssa.gov.reedasj.be
statements.ssa.gov.fawaazx.be
statements.ssa.gov.reedasb.be
statements.ssa.gov.fawaazf.be
statements.ssa.gov.ujbhgq.be
statements.ssa.gov.reedaso.be
statements.ssa.gov.ujbhgb.be
statements.ssa.gov.fawaazq.be
statements.ssa.gov.reedasm.be
statements.ssa.gov.ujbhgm.be
statements.ssa.gov.reedast.be
statements.ssa.gov.fawaazr.be
statements.ssa.gov.fawaazd.be
statements.ssa.gov.reedash.be
statements.ssa.gov.ujbhga.be
statements.ssa.gov.fawaazw.be
statements.ssa.gov.reedasy.be
(32 rows)

(Update: There are now 80 known machines for this campaign . . . here's how many emails we've seen for each one as of 8:20 PM, Central time)

729 | statements.ssa.gov.reedasv.be
431 | statements.ssa.gov.reedasm.be
395 | statements.ssa.gov.fawaaze.be
386 | statements.ssa.gov.fawaazx.be
378 | statements.ssa.gov.reedasg.be
360 | statements.ssa.gov.fawaazf.be
337 | statements.ssa.gov.fawaazz.be
317 | statements.ssa.gov.fawaazd.be
304 | statements.ssa.gov.ujbhgm.be
281 | statements.ssa.gov.reedasb.be
271 | statements.ssa.gov.ujbhgz.be
263 | statements.ssa.gov.reedast.be
254 | statements.ssa.gov.reedask.be
253 | statements.ssa.gov.fawaazw.be
242 | statements.ssa.gov.fawaaza.be
224 | statements.ssa.gov.ujbhgv.be
222 | statements.ssa.gov.fawaazv.be
209 | statements.ssa.gov.ujbhgc.be
199 | statements.ssa.gov.reedasj.be
197 | statements.ssa.gov.ujbhga.be
186 | statements.ssa.gov.reedaso.be
183 | statements.ssa.gov.fawaazq.be
181 | statements.ssa.gov.ujbhgj.be
170 | statements.ssa.gov.ujbhgq.be
166 | statements.ssa.gov.ujbhgx.be
161 | statements.ssa.gov.ujilld.be
160 | statements.ssa.gov.fawaazs.be
160 | statements.ssa.gov.ujillv.be
154 | statements.ssa.gov.ujillx.be
153 | statements.ssa.gov.uhyuhd.be
152 | statements.ssa.gov.ujbhgn.be
149 | statements.ssa.gov.fawaazr.be
147 | statements.ssa.gov.uhyuhu.be
144 | statements.ssa.gov.ujilln.be
136 | statements.ssa.gov.uhyuhl.be
132 | statements.ssa.gov.ujillc.be
131 | statements.ssa.gov.uhyuha.be
129 | statements.ssa.gov.ujillb.be
125 | statements.ssa.gov.ujills.be
125 | statements.ssa.gov.uhyuhj.be
125 | statements.ssa.gov.ujille.be
119 | statements.ssa.gov.uhyuhq.be
117 | statements.ssa.gov.ujillr.be
116 | statements.ssa.gov.gredfe.be
110 | statements.ssa.gov.reedasn.be
108 | statements.ssa.gov.ujillf.be
107 | statements.ssa.gov.uhyuhe.be
105 | statements.ssa.gov.gredve.be
101 | statements.ssa.gov.fawaazc.be
97 | statements.ssa.gov.reedasy.be
94 | statements.ssa.gov.grezfe.be
91 | statements.ssa.gov.uhyuho.be
86 | statements.ssa.gov.reedasu.be
83 | statements.ssa.gov.uhyuhg.be
76 | statements.ssa.gov.ujillw.be
75 | statements.ssa.gov.grenfe.be
74 | statements.ssa.gov.grewfe.be
72 | statements.ssa.gov.ujbhgk.be
58 | statements.ssa.gov.uhyuht.be
49 | statements.ssa.gov.ytttdsj.be
46 | statements.ssa.gov.ytttdsv.be
43 | statements.ssa.gov.ujbhgb.be
43 | statements.ssa.gov.ytttdsn.be
39 | statements.ssa.gov.reedash.be
38 | statements.ssa.gov.ytttdsk.be
38 | statements.ssa.gov.ytttdse.be
37 | statements.ssa.gov.ytttdsb.be
36 | statements.ssa.gov.ytttdsh.be
34 | statements.ssa.gov.ytttdsm.be
32 | statements.ssa.gov.ytttdsf.be
29 | statements.ssa.gov.ytttdso.be
29 | statements.ssa.gov.nionuie.be
28 | statements.ssa.gov.ytttdsy.be
27 | statements.ssa.gov.ytttdsu.be
27 | statements.ssa.gov.nionuis.be
26 | statements.ssa.gov.nionuia.be
25 | statements.ssa.gov.nionuig.be
22 | statements.ssa.gov.nionuiq.be
21 | statements.ssa.gov.nionuib.be
21 | statements.ssa.gov.nionuid.be


Looks serious. Let's pull a list of all the unique subjects:

select a.subject from spam a, spam_link b
where a.message_id = b.message_id and
b.machine like 'statements.ssa.gov%'
group by a.subject order by a.subject;

subject
----------------------------------------------------
Review annual Social Security statement
Review your annual Social Security statement
Watch for errors on Social Security statement
Watch for errors on your Social Security statement
(4 rows)
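
The four queries above are one workflow: rank subjects within a 15-minute run, diff that ranking against the previous run to spot what is new, pivot from a subject to the machines it links to, and then from those machines back to the full set of subjects. Here is an added example, not code from the original post or the UAB Spam Data Mine, that runs that workflow against an in-memory SQLite database. The two-table layout (`spam` with `message_id`/`subject`, `spam_link` with `message_id`/`machine`/`path`) is taken from the queries on this page; the sample rows are constructed, and the assumption that the run tag (`09Nov23.0715`) is embedded in `message_id` follows from the post's `LIKE '%09Nov23.0715%'` filter.

```python
import sqlite3

# Constructed sample rows, not real spam-trap data. The message_id embeds the
# 15-minute run tag that the post's LIKE filter keys on.
SAMPLE_SPAM = [
    ("09Nov23.0700-0001", "Cheap watches"),
    ("09Nov23.0700-0002", "Cheap watches"),
    ("09Nov23.0700-0003", "Your order has shipped"),
    ("09Nov23.0715-0004", "Watch for errors on Social Security statement"),
    ("09Nov23.0715-0005", "Watch for errors on Social Security statement"),
    ("09Nov23.0715-0006", "Watch for errors on your Social Security statement"),
    ("09Nov23.0715-0007", "Review your annual Social Security statement"),
    ("09Nov23.0715-0008", "Cheap watches"),
]
SAMPLE_LINKS = [
    ("09Nov23.0715-0004", "statements.ssa.gov.fawaazq.be", "/acu/IPS_INTR/controller.php"),
    ("09Nov23.0715-0005", "statements.ssa.gov.reedask.be", "/acu/IPS_INTR/controller.php"),
    ("09Nov23.0715-0006", "statements.ssa.gov.fawaazq.be", "/acu/IPS_INTR/controller.php"),
    ("09Nov23.0715-0007", "statements.ssa.gov.reedask.be", "/acu/IPS_INTR/controller.php"),
    ("09Nov23.0715-0008", "watches.example", "/deal.html"),  # constructed
]


def build_db():
    """Create the two-table layout the post queries and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spam (message_id TEXT PRIMARY KEY, subject TEXT)")
    conn.execute("CREATE TABLE spam_link (message_id TEXT, machine TEXT, path TEXT)")
    conn.executemany("INSERT INTO spam VALUES (?, ?)", SAMPLE_SPAM)
    conn.executemany("INSERT INTO spam_link VALUES (?, ?, ?)", SAMPLE_LINKS)
    return conn


def top_subjects(conn, run_tag, limit=100):
    """Step 1: the post's 'top subjects' query for one 15-minute run.
    Ties are broken by subject so the ranking is deterministic."""
    return conn.execute(
        "SELECT COUNT(subject), subject FROM spam WHERE message_id LIKE ? "
        "GROUP BY subject ORDER BY COUNT(subject) DESC, subject LIMIT ?",
        ("%" + run_tag + "%", limit)).fetchall()


def emerging_subjects(conn, previous_tag, current_tag, limit=100):
    """The 'emerging threat' check: subjects in the current top list that
    were absent from the previous run's top list."""
    previous = {subject for _, subject in top_subjects(conn, previous_tag, limit)}
    return [(n, s) for n, s in top_subjects(conn, current_tag, limit) if s not in previous]


def campaign_links(conn, subject_fragment):
    """Step 2: pivot from a subject fragment to the machines and paths linked."""
    return conn.execute(
        "SELECT a.subject, b.machine, b.path FROM spam a JOIN spam_link b "
        "ON a.message_id = b.message_id WHERE a.subject LIKE ?",
        ("%" + subject_fragment + "%",)).fetchall()


def campaign_machines(conn, machine_prefix):
    """Step 3: just the distinct machines under a hostname prefix."""
    return [m for (m,) in conn.execute(
        "SELECT machine FROM spam_link WHERE machine LIKE ? "
        "GROUP BY machine ORDER BY machine", (machine_prefix + "%",))]


def campaign_subjects(conn, machine_prefix):
    """Step 4: every distinct subject that pointed at those machines."""
    return [s for (s,) in conn.execute(
        "SELECT a.subject FROM spam a JOIN spam_link b ON a.message_id = b.message_id "
        "WHERE b.machine LIKE ? GROUP BY a.subject ORDER BY a.subject",
        (machine_prefix + "%",))]


if __name__ == "__main__":
    db = build_db()
    print("new in 0715:", emerging_subjects(db, "09Nov23.0700", "09Nov23.0715"))
    print("machines:", campaign_machines(db, "statements.ssa.gov"))
    print("subjects:", campaign_subjects(db, "statements.ssa.gov"))
```

On a real corpus the `LIKE '%tag%'` scan over `message_id` is the slow part; a dedicated indexed `run_tag` column filled at ingest time gives the same result without a full table scan every 15 minutes.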

Pulling up some samples in an email tool shows us what the original emails looked like:



The emails claim that
Due to possible calculation errors, your annual Social Security statement may contain errors.

Use the link below to review your annual Social Security statement:


The emails say they came from:

"Social Security Administration auto-notifications@ssa.gov"

Next we visit the website to pull screen shots there as well:



After entering a (fake) Social Security Number, we are taken to another screen that offers us the option of "Generating a Report".



Clicking on "Generate Report" prompts us to download the malware:



Throwing that "statement.exe" to VirusTotal shows us a current detect rate of 5 out of 41 anti-virus products. This is very early in the detection cycle. There is no agreement on what this malware may be:

Authentium: W32/Bifrost.C.gen!Eldorado
AVG: Win32/Cryptor
F-Prot: W32/Bifrost.C.gen!Eldorado
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Trojan.H
Sunbelt: Trojan-Spy.Win32.Zbot.gen (v)

At this point none of the other AV products have a signature in place for this malware.

The malware file statistics:

File size: 129536 bytes
MD5...: 40469349c5be9033fd57f6e021e7d06e

Because so little is known about this malware, we then queue it as a "high priority item" for the UAB Malware Analysis group to look at. We'll be sure to update the blog with more information about the malware when it is available.

Brian Tanner of the UAB Malware Analysis group confirmed for us that this is a Zbot trojan, and that it connects to the IP address 193.104.27.42, which has been used to deliver Zbot configuration files since at least October 26th.

Sunday, November 22, 2009

Fake Flash Player Zbot spread by "Your Domain"

The malware just keeps flowing! Today the top email-based threats continue to be related to the Zeus botnet or Zbot. The first we've written about previously, in our November 18th article Zeus: Same Criminal, New Spam, which discussed the malware that pretended to be a "payment request from (insert company)" and contained a "module.zip" attachment. That campaign finally fell away at about 4:15 Friday morning.

To replace it, we have the new version of the "Avalanche" spam. We've received 51,400 copies of this spam email so far. (Yes! The UAB Spam Data Mine is now growing by more than 1 million messages per day - more about that in the near future.) The new campaign lit up about 9:15 AM on Friday morning, and has been unstoppable since.

The email seems especially scary to recipients because it includes your own email address in the subject, and your own domain name as part of the URL to be visited. So, for instance, if your email address were "bugs@bunny.com", your subject lines would be:

dear owner of the bugs@bunny.com
for bugs@bunny.com owner
for bunny.com email service user
please update your bugs@bunny.com mailbox

And your email would read:
Dear owner of the bugs@bunny.com mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:

http://accounts.bunny.com.dlsports.be/webmail/settings/noflash.php?mode=standart&id=5236183961831736912306248671355740858547&email=bugs@bunny.com


Even some security researchers thought that others were receiving spam using their company name as the site distributing the virus, but in reality each recipient of the spam email sees his own domain name as part of the website address to be visited.
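
The confusion described above comes from reading the host name left to right: `accounts.bunny.com.dlsports.be` looks like it belongs to bunny.com, but the registrable domain is the rightmost part, `dlsports.be`. The same trick carries every campaign on this page (`www.facebook.com.hssaze.be`, `statements.ssa.gov.fawaazq.be`, `refund-services.irs.issue.no.l398726.us`). Here is an added example, not code from the original post, that splits a URL's host into its real registrable domain and any domains merely embedded in the subdomain labels, and checks whether the recipient address in the query string was echoed into the host. The suffix list and TLD set are a constructed subset large enough for the hosts on this page, not a substitute for the real public suffix list; the sample URL is the one quoted in the post.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed subset of a public-suffix list: enough for the hosts in these
# posts, not a substitute for the real list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk"}
TLDS = {"com", "net", "org", "gov", "edu", "uk", "us", "eu", "be", "no"}

# The URL quoted in the post, with the recipient's own domain in the host.
SAMPLE_URL = ("http://accounts.bunny.com.dlsports.be/webmail/settings/noflash.php"
              "?mode=standart&id=5236183961831736912306248671355740858547"
              "&email=bugs@bunny.com")


def registrable_domain(host):
    """The rightmost labels that a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_domains(host):
    """Domains that appear inside the subdomain part: a label followed by a
    TLD label that is not the host's real suffix. 'bunny.com' inside
    'accounts.bunny.com.dlsports.be' is the lure; 'dlsports.be' is the site."""
    labels = host.lower().rstrip(".").split(".")
    real = registrable_domain(host)
    subdomain_end = len(labels) - len(real.split("."))
    return [labels[i - 1] + "." + labels[i]
            for i in range(1, subdomain_end) if labels[i] in TLDS]


def check_url(url):
    """Summarize what the URL really points at and what it pretends to be."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    embedded = embedded_domains(host)
    email = parse_qs(parts.query).get("email", [""])[0]
    recipient_domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    return {
        "host": host,
        "registrable": registrable_domain(host),
        "embedded": embedded,
        "recipient_domain_embedded": bool(recipient_domain) and recipient_domain in embedded,
        "suspicious": bool(embedded),
    }


if __name__ == "__main__":
    for key, value in check_url(SAMPLE_URL).items():
        print(key, "=", value)
```

For the quoted URL the result is `registrable = dlsports.be`, `embedded = ['bunny.com']`, and `recipient_domain_embedded = True`: the host was built around the recipient's own domain, which is exactly why each researcher saw their own company name in it. A mail filter can apply the same split to every link in a message and treat a well-known domain appearing only as a subdomain as a lure.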

For simplicity, we'll use "mydomain.com" when we document the websites below.

The webpage looks like this:



After warning that "You don't have the latest version of Macromedia Flash Player", the website offers the fairly standard "Get Adobe Flash Player" icon. In this case, however, instead of fetching from Adobe, it installs from the server you are visiting, from the path "/webmail/settings/flashinstaller.exe".

We've seen twenty-two different domains registered for this round of cybercrime. All of these sites are currently live:

accounts.mydomain.com.ftpddrs.be
accounts.mydomain.com.dlsports.be
accounts.mydomain.com.modertps.be
accounts.mydomain.com.dirddrf.be
accounts.mydomain.com.verzzi.co.uk
accounts.mydomain.com.verzzm.co.uk
accounts.mydomain.com.verzzn.me.uk
accounts.mydomain.com.verzzg.org.uk
accounts.mydomain.com.verzzm.org.uk
accounts.mydomain.com.verzzg.co.uk
accounts.mydomain.com.verzzq.me.uk
accounts.mydomain.com.verzzi.me.uk
accounts.mydomain.com.verzzn.co.uk
accounts.mydomain.com.verzzq.co.uk
accounts.mydomain.com.verzzn.org.uk
accounts.mydomain.com.verzzi.org.uk
accounts.mydomain.com.verzzg.me.uk
accounts.mydomain.com.verzzm.me.uk
accounts.mydomain.com.verzzq.org.uk

The VirusTotal report for flashinstaller.exe shows fairly decent detection with many brands calling this a "Zbot" variant.

The file we scanned was the currently live file:
File size: 123392 bytes
MD5 : f890afa3b55a64b70d45f1b1fc60a77b

Some folks have been confused by the great news from the Metropolitan Police of London this past week. The Metropolitan Police's Central e-Crime Unit (PCeU) arrested a pair of twenty-year-olds, one man and one woman, on November 3rd for their use of the Zeus bot. You can read more about that arrest in Jeremy Kirk's PC World article or in this Press Release on the Metro Police website.

While it's terribly exciting news, and we congratulate all the fine folks at PCeU, they've only arrested one of the many groups distributing Zeus, and not "the big one". While Zeus or Zbot is best known as a stealer of banking credentials, it's important to remember that ALL userids and passwords entered on a Zeus victim computer end up in the databases of criminals. Whether these be your email password, your Netflix password, your BestBuy or Dell or Amazon.com or eBay or Paypal password, or any other password, it now belongs to the criminals, along with your credit card and banking information.


Here are some of the places we're currently seeing these domains resolve:

ip | hostname
-----------------+-------------------------------------
114.47.126.158 | accounts.mydomain.com.dlsports.be
114.47.126.158 | accounts.mydomain.com.modertps.be
114.47.126.158 | accounts.mydomain.com.ftpddrs.be
114.47.126.158 | accounts.mydomain.com.dirddrf.be
116.34.65.11 | accounts.mydomain.com.verzzq.co.uk
116.34.65.11 | accounts.mydomain.com.verzzg.org.uk
116.34.65.11 | accounts.mydomain.com.verzzg.co.uk
116.34.65.11 | accounts.mydomain.com.verzzn.org.uk
116.34.65.11 | accounts.mydomain.com.verzzg.me.uk
116.34.65.11 | accounts.mydomain.com.verzzm.me.uk
116.34.65.11 | accounts.mydomain.com.verzzi.co.uk
116.34.65.11 | accounts.mydomain.com.verzzq.org.uk
116.34.65.11 | accounts.mydomain.com.verzzm.co.uk
116.34.65.11 | accounts.mydomain.com.verzzn.me.uk
116.34.65.11 | accounts.mydomain.com.verzzn.co.uk
116.34.65.11 | accounts.mydomain.com.verzzq.me.uk
116.34.65.11 | accounts.mydomain.com.verzzi.me.uk
116.34.65.11 | accounts.mydomain.com.verzzm.org.uk
116.34.65.11 | accounts.mydomain.com.verzzi.org.uk
117.102.44.55 | accounts.mydomain.com.verzzi.org.uk
117.102.44.55 | accounts.mydomain.com.verzzq.co.uk
117.102.44.55 | accounts.mydomain.com.verzzg.org.uk
117.102.44.55 | accounts.mydomain.com.verzzg.co.uk
117.102.44.55 | accounts.mydomain.com.verzzn.org.uk
117.102.44.55 | accounts.mydomain.com.verzzg.me.uk
117.102.44.55 | accounts.mydomain.com.verzzm.me.uk
117.102.44.55 | accounts.mydomain.com.verzzi.co.uk
117.102.44.55 | accounts.mydomain.com.verzzq.org.uk
117.102.44.55 | accounts.mydomain.com.verzzm.co.uk
117.102.44.55 | accounts.mydomain.com.verzzn.me.uk
117.102.44.55 | accounts.mydomain.com.verzzn.co.uk
117.102.44.55 | accounts.mydomain.com.verzzq.me.uk
117.102.44.55 | accounts.mydomain.com.verzzi.me.uk
117.102.44.55 | accounts.mydomain.com.verzzm.org.uk
118.171.100.18 | accounts.mydomain.com.dirddrf.be
118.171.100.18 | accounts.mydomain.com.dlsports.be
118.171.100.18 | accounts.mydomain.com.modertps.be
118.171.100.18 | accounts.mydomain.com.ftpddrs.be
118.32.132.193 | accounts.mydomain.com.dirddrf.be
118.32.132.193 | accounts.mydomain.com.dlsports.be
118.32.132.193 | accounts.mydomain.com.modertps.be
118.32.132.193 | accounts.mydomain.com.ftpddrs.be
119.202.26.228 | accounts.mydomain.com.dirddrf.be
119.202.26.228 | accounts.mydomain.com.dlsports.be
119.202.26.228 | accounts.mydomain.com.modertps.be
119.202.26.228 | accounts.mydomain.com.ftpddrs.be
121.96.119.92 | accounts.mydomain.com.dirddrf.be
121.96.119.92 | accounts.mydomain.com.dlsports.be
121.96.119.92 | accounts.mydomain.com.modertps.be
121.96.119.92 | accounts.mydomain.com.ftpddrs.be
122.163.117.150 | accounts.mydomain.com.ftpddrs.be
122.163.117.150 | accounts.mydomain.com.dirddrf.be
122.163.117.150 | accounts.mydomain.com.dlsports.be
122.163.117.150 | accounts.mydomain.com.modertps.be
123.201.38.247 | accounts.mydomain.com.ftpddrs.be
123.201.38.247 | accounts.mydomain.com.dirddrf.be
123.201.38.247 | accounts.mydomain.com.dlsports.be
123.201.38.247 | accounts.mydomain.com.modertps.be
123.236.191.162 | accounts.mydomain.com.verzzi.org.uk
123.236.191.162 | accounts.mydomain.com.verzzq.co.uk
123.236.191.162 | accounts.mydomain.com.verzzg.org.uk
123.236.191.162 | accounts.mydomain.com.verzzg.co.uk
123.236.191.162 | accounts.mydomain.com.verzzn.org.uk
123.236.191.162 | accounts.mydomain.com.verzzg.me.uk
123.236.191.162 | accounts.mydomain.com.verzzm.me.uk
123.236.191.162 | accounts.mydomain.com.verzzi.co.uk
123.236.191.162 | accounts.mydomain.com.verzzq.org.uk
123.236.191.162 | accounts.mydomain.com.verzzm.co.uk
123.236.191.162 | accounts.mydomain.com.verzzn.me.uk
123.236.191.162 | accounts.mydomain.com.verzzn.co.uk
123.236.191.162 | accounts.mydomain.com.verzzq.me.uk
123.236.191.162 | accounts.mydomain.com.verzzi.me.uk
123.236.191.162 | accounts.mydomain.com.verzzm.org.uk
186.81.205.197 | accounts.mydomain.com.verzzm.org.uk
186.81.205.197 | accounts.mydomain.com.verzzi.org.uk
186.81.205.197 | accounts.mydomain.com.verzzq.co.uk
186.81.205.197 | accounts.mydomain.com.verzzg.org.uk
186.81.205.197 | accounts.mydomain.com.verzzg.co.uk
186.81.205.197 | accounts.mydomain.com.verzzn.org.uk
186.81.205.197 | accounts.mydomain.com.verzzg.me.uk
186.81.205.197 | accounts.mydomain.com.verzzm.me.uk
186.81.205.197 | accounts.mydomain.com.verzzi.co.uk
186.81.205.197 | accounts.mydomain.com.verzzq.org.uk
186.81.205.197 | accounts.mydomain.com.verzzm.co.uk
186.81.205.197 | accounts.mydomain.com.verzzn.me.uk
186.81.205.197 | accounts.mydomain.com.verzzn.co.uk
186.81.205.197 | accounts.mydomain.com.verzzq.me.uk
186.81.205.197 | accounts.mydomain.com.verzzi.me.uk
187.10.65.176 | accounts.mydomain.com.ftpddrs.be
187.10.65.176 | accounts.mydomain.com.dirddrf.be
187.10.65.176 | accounts.mydomain.com.dlsports.be
187.10.65.176 | accounts.mydomain.com.modertps.be
187.67.255.47 | accounts.mydomain.com.verzzm.org.uk
187.67.255.47 | accounts.mydomain.com.verzzi.org.uk
187.67.255.47 | accounts.mydomain.com.verzzq.co.uk
187.67.255.47 | accounts.mydomain.com.verzzg.org.uk
187.67.255.47 | accounts.mydomain.com.verzzg.co.uk
187.67.255.47 | accounts.mydomain.com.verzzn.org.uk
187.67.255.47 | accounts.mydomain.com.verzzg.me.uk
187.67.255.47 | accounts.mydomain.com.verzzm.me.uk
187.67.255.47 | accounts.mydomain.com.verzzi.co.uk
187.67.255.47 | accounts.mydomain.com.verzzq.org.uk
187.67.255.47 | accounts.mydomain.com.verzzm.co.uk
187.67.255.47 | accounts.mydomain.com.verzzn.me.uk
187.67.255.47 | accounts.mydomain.com.verzzn.co.uk
187.67.255.47 | accounts.mydomain.com.verzzq.me.uk
187.67.255.47 | accounts.mydomain.com.verzzi.me.uk
189.101.130.181 | accounts.mydomain.com.verzzm.org.uk
189.101.130.181 | accounts.mydomain.com.verzzi.org.uk
189.101.130.181 | accounts.mydomain.com.verzzq.co.uk
189.101.130.181 | accounts.mydomain.com.verzzg.org.uk
189.101.130.181 | accounts.mydomain.com.verzzg.co.uk
189.101.130.181 | accounts.mydomain.com.verzzn.org.uk
189.101.130.181 | accounts.mydomain.com.verzzg.me.uk
189.101.130.181 | accounts.mydomain.com.verzzm.me.uk
189.101.130.181 | accounts.mydomain.com.verzzi.co.uk
189.101.130.181 | accounts.mydomain.com.verzzq.org.uk
189.101.130.181 | accounts.mydomain.com.verzzm.co.uk
189.101.130.181 | accounts.mydomain.com.verzzn.me.uk
189.101.130.181 | accounts.mydomain.com.verzzn.co.uk
189.101.130.181 | accounts.mydomain.com.verzzq.me.uk
189.101.130.181 | accounts.mydomain.com.verzzi.me.uk
189.105.69.79 | accounts.mydomain.com.verzzm.org.uk
189.105.69.79 | accounts.mydomain.com.verzzi.org.uk
189.105.69.79 | accounts.mydomain.com.verzzq.co.uk
189.105.69.79 | accounts.mydomain.com.verzzg.org.uk
189.105.69.79 | accounts.mydomain.com.verzzg.co.uk
189.105.69.79 | accounts.mydomain.com.verzzn.org.uk
189.105.69.79 | accounts.mydomain.com.verzzg.me.uk
189.105.69.79 | accounts.mydomain.com.verzzm.me.uk
189.105.69.79 | accounts.mydomain.com.verzzi.co.uk
189.105.69.79 | accounts.mydomain.com.verzzq.org.uk
189.105.69.79 | accounts.mydomain.com.verzzm.co.uk
189.105.69.79 | accounts.mydomain.com.verzzn.me.uk
189.105.69.79 | accounts.mydomain.com.verzzn.co.uk
189.105.69.79 | accounts.mydomain.com.verzzq.me.uk
189.105.69.79 | accounts.mydomain.com.verzzi.me.uk
189.68.28.51 | accounts.mydomain.com.ftpddrs.be
189.68.28.51 | accounts.mydomain.com.dirddrf.be
189.68.28.51 | accounts.mydomain.com.dlsports.be
189.68.28.51 | accounts.mydomain.com.modertps.be
189.99.176.72 | accounts.mydomain.com.ftpddrs.be
189.99.176.72 | accounts.mydomain.com.dirddrf.be
189.99.176.72 | accounts.mydomain.com.dlsports.be
189.99.176.72 | accounts.mydomain.com.modertps.be
190.128.153.40 | accounts.mydomain.com.ftpddrs.be
190.128.153.40 | accounts.mydomain.com.dirddrf.be
190.128.153.40 | accounts.mydomain.com.dlsports.be
190.128.153.40 | accounts.mydomain.com.modertps.be
190.245.105.180 | accounts.mydomain.com.ftpddrs.be
190.245.105.180 | accounts.mydomain.com.dirddrf.be
190.245.105.180 | accounts.mydomain.com.dlsports.be
190.245.105.180 | accounts.mydomain.com.modertps.be
200.86.147.219 | accounts.mydomain.com.verzzm.org.uk
200.86.147.219 | accounts.mydomain.com.verzzi.org.uk
200.86.147.219 | accounts.mydomain.com.verzzq.co.uk
200.86.147.219 | accounts.mydomain.com.verzzg.org.uk
200.86.147.219 | accounts.mydomain.com.verzzg.co.uk
200.86.147.219 | accounts.mydomain.com.verzzn.org.uk
200.86.147.219 | accounts.mydomain.com.verzzg.me.uk
200.86.147.219 | accounts.mydomain.com.verzzm.me.uk
200.86.147.219 | accounts.mydomain.com.verzzi.co.uk
200.86.147.219 | accounts.mydomain.com.verzzq.org.uk
200.86.147.219 | accounts.mydomain.com.verzzm.co.uk
200.86.147.219 | accounts.mydomain.com.verzzn.me.uk
200.86.147.219 | accounts.mydomain.com.verzzn.co.uk
200.86.147.219 | accounts.mydomain.com.verzzq.me.uk
200.86.147.219 | accounts.mydomain.com.verzzi.me.uk
201.165.241.127 | accounts.mydomain.com.verzzq.me.uk
201.165.241.127 | accounts.mydomain.com.verzzi.me.uk
201.165.241.127 | accounts.mydomain.com.verzzm.org.uk
201.165.241.127 | accounts.mydomain.com.verzzi.org.uk
201.165.241.127 | accounts.mydomain.com.verzzq.co.uk
201.165.241.127 | accounts.mydomain.com.verzzg.org.uk
201.165.241.127 | accounts.mydomain.com.verzzg.co.uk
201.165.241.127 | accounts.mydomain.com.verzzn.org.uk
201.165.241.127 | accounts.mydomain.com.verzzg.me.uk
201.165.241.127 | accounts.mydomain.com.verzzm.me.uk
201.165.241.127 | accounts.mydomain.com.verzzi.co.uk
201.165.241.127 | accounts.mydomain.com.verzzq.org.uk
201.165.241.127 | accounts.mydomain.com.verzzm.co.uk
201.165.241.127 | accounts.mydomain.com.verzzn.me.uk
201.165.241.127 | accounts.mydomain.com.verzzn.co.uk
201.226.135.11 | accounts.mydomain.com.verzzm.co.uk
201.226.135.11 | accounts.mydomain.com.verzzn.me.uk
201.226.135.11 | accounts.mydomain.com.verzzn.co.uk
201.226.135.11 | accounts.mydomain.com.verzzq.me.uk
201.226.135.11 | accounts.mydomain.com.verzzi.me.uk
201.226.135.11 | accounts.mydomain.com.verzzm.org.uk
201.226.135.11 | accounts.mydomain.com.verzzi.org.uk
201.226.135.11 | accounts.mydomain.com.verzzq.co.uk
201.226.135.11 | accounts.mydomain.com.verzzg.org.uk
201.226.135.11 | accounts.mydomain.com.verzzg.co.uk
201.226.135.11 | accounts.mydomain.com.verzzn.org.uk
201.226.135.11 | accounts.mydomain.com.verzzg.me.uk
201.226.135.11 | accounts.mydomain.com.verzzm.me.uk
201.226.135.11 | accounts.mydomain.com.verzzi.co.uk
201.226.135.11 | accounts.mydomain.com.verzzq.org.uk
210.4.118.70 | accounts.mydomain.com.ftpddrs.be
210.4.118.70 | accounts.mydomain.com.dirddrf.be
210.4.118.70 | accounts.mydomain.com.dlsports.be
210.4.118.70 | accounts.mydomain.com.modertps.be
220.66.118.214 | accounts.mydomain.com.ftpddrs.be
220.66.118.214 | accounts.mydomain.com.dirddrf.be
220.66.118.214 | accounts.mydomain.com.dlsports.be
220.66.118.214 | accounts.mydomain.com.modertps.be
24.139.111.53 | accounts.mydomain.com.verzzi.co.uk
24.139.111.53 | accounts.mydomain.com.verzzq.org.uk
24.139.111.53 | accounts.mydomain.com.verzzm.co.uk
24.139.111.53 | accounts.mydomain.com.verzzn.me.uk
24.139.111.53 | accounts.mydomain.com.verzzn.co.uk
24.139.111.53 | accounts.mydomain.com.verzzq.me.uk
24.139.111.53 | accounts.mydomain.com.verzzi.me.uk
24.139.111.53 | accounts.mydomain.com.verzzm.org.uk
24.139.111.53 | accounts.mydomain.com.verzzi.org.uk
24.139.111.53 | accounts.mydomain.com.verzzq.co.uk
24.139.111.53 | accounts.mydomain.com.verzzg.org.uk
24.139.111.53 | accounts.mydomain.com.verzzg.co.uk
24.139.111.53 | accounts.mydomain.com.verzzn.org.uk
24.139.111.53 | accounts.mydomain.com.verzzg.me.uk
24.139.111.53 | accounts.mydomain.com.verzzm.me.uk
24.42.38.115 | accounts.mydomain.com.verzzm.co.uk
24.42.38.115 | accounts.mydomain.com.verzzn.me.uk
24.42.38.115 | accounts.mydomain.com.verzzn.co.uk
24.42.38.115 | accounts.mydomain.com.verzzq.me.uk
24.42.38.115 | accounts.mydomain.com.verzzi.me.uk
24.42.38.115 | accounts.mydomain.com.verzzm.org.uk
24.42.38.115 | accounts.mydomain.com.verzzi.org.uk
24.42.38.115 | accounts.mydomain.com.verzzq.co.uk
24.42.38.115 | accounts.mydomain.com.verzzg.org.uk
24.42.38.115 | accounts.mydomain.com.verzzg.co.uk
24.42.38.115 | accounts.mydomain.com.verzzn.org.uk
24.42.38.115 | accounts.mydomain.com.verzzg.me.uk
24.42.38.115 | accounts.mydomain.com.verzzm.me.uk
24.42.38.115 | accounts.mydomain.com.verzzi.co.uk
24.42.38.115 | accounts.mydomain.com.verzzq.org.uk
41.249.1.157 | accounts.mydomain.com.verzzg.co.uk
41.249.1.157 | accounts.mydomain.com.verzzn.org.uk
41.249.1.157 | accounts.mydomain.com.verzzg.me.uk
41.249.1.157 | accounts.mydomain.com.verzzm.me.uk
41.249.1.157 | accounts.mydomain.com.verzzi.co.uk
41.249.1.157 | accounts.mydomain.com.verzzq.org.uk
41.249.1.157 | accounts.mydomain.com.verzzm.co.uk
41.249.1.157 | accounts.mydomain.com.verzzn.me.uk
41.249.1.157 | accounts.mydomain.com.verzzn.co.uk
41.249.1.157 | accounts.mydomain.com.verzzq.me.uk
41.249.1.157 | accounts.mydomain.com.verzzi.me.uk
41.249.1.157 | accounts.mydomain.com.verzzm.org.uk
41.249.1.157 | accounts.mydomain.com.verzzi.org.uk
41.249.1.157 | accounts.mydomain.com.verzzq.co.uk
41.249.1.157 | accounts.mydomain.com.verzzg.org.uk
41.249.3.188 | accounts.mydomain.com.verzzg.org.uk
41.249.3.188 | accounts.mydomain.com.verzzg.co.uk
41.249.3.188 | accounts.mydomain.com.verzzn.org.uk
41.249.3.188 | accounts.mydomain.com.verzzg.me.uk
41.249.3.188 | accounts.mydomain.com.verzzm.me.uk
41.249.3.188 | accounts.mydomain.com.verzzi.co.uk
41.249.3.188 | accounts.mydomain.com.verzzq.org.uk
41.249.3.188 | accounts.mydomain.com.verzzm.co.uk
41.249.3.188 | accounts.mydomain.com.verzzn.me.uk
41.249.3.188 | accounts.mydomain.com.verzzn.co.uk
41.249.3.188 | accounts.mydomain.com.verzzq.me.uk
41.249.3.188 | accounts.mydomain.com.verzzi.me.uk
41.249.3.188 | accounts.mydomain.com.verzzm.org.uk
41.249.3.188 | accounts.mydomain.com.verzzi.org.uk
41.249.3.188 | accounts.mydomain.com.verzzq.co.uk
59.95.168.192 | accounts.mydomain.com.ftpddrs.be
59.95.168.192 | accounts.mydomain.com.dirddrf.be
59.95.168.192 | accounts.mydomain.com.dlsports.be
59.95.168.192 | accounts.mydomain.com.modertps.be
85.108.73.82 | accounts.mydomain.com.verzzq.co.uk
85.108.73.82 | accounts.mydomain.com.verzzg.org.uk
85.108.73.82 | accounts.mydomain.com.verzzg.co.uk
85.108.73.82 | accounts.mydomain.com.verzzn.org.uk
85.108.73.82 | accounts.mydomain.com.verzzg.me.uk
85.108.73.82 | accounts.mydomain.com.verzzm.me.uk
85.108.73.82 | accounts.mydomain.com.verzzi.co.uk
85.108.73.82 | accounts.mydomain.com.verzzq.org.uk
85.108.73.82 | accounts.mydomain.com.verzzm.co.uk
85.108.73.82 | accounts.mydomain.com.verzzn.me.uk
85.108.73.82 | accounts.mydomain.com.verzzn.co.uk
85.108.73.82 | accounts.mydomain.com.verzzq.me.uk
85.108.73.82 | accounts.mydomain.com.verzzi.me.uk
85.108.73.82 | accounts.mydomain.com.verzzm.org.uk
85.108.73.82 | accounts.mydomain.com.verzzi.org.uk
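The listing above is a lot of lines to read by eye. Here is an added example (not code from the original post) that parses the two-column "IP | hostname" format, counts how many hostnames each IP serves and how many IPs each hostname points at, and picks out the registrable domains that embed the trusted-looking prefix under an unrelated domain (the post's accounts.mydomain.com prefix is treated as the impersonated brand). The SAMPLE is a short excerpt of the page's own list, embedded so the script runs offline; the two-label suffix table is an assumption standing in for the full Public Suffix List.

```python
"""Summarise an 'IP | hostname' listing like the one above.

Added example, not code from the original post. Reads the two-column
format, summarises hostnames per IP and IPs per hostname, and flags
hostnames that embed a brand's domain as labels under some other
registrable domain (the look-alike pattern in the listing).
"""
import re
from collections import defaultdict

# Constructed excerpt of the page's listing, plus one malformed line.
SAMPLE = """\
123.236.191.162 | accounts.mydomain.com.verzzg.org.uk
123.236.191.162 | accounts.mydomain.com.verzzg.co.uk
186.81.205.197 | accounts.mydomain.com.verzzg.org.uk
187.10.65.176 | accounts.mydomain.com.ftpddrs.be
189.68.28.51 | accounts.mydomain.com.ftpddrs.be
189.68.28.51 | accounts.mydomain.com.dlsports.be
this line is malformed and is skipped
"""

# "<dotted quad> | <hostname>"; anything else is ignored.
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\|\s*(\S+)\s*$")

# Assumption: a tiny hand-written table of two-label public suffixes that
# occur in the listing, standing in for the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk"}


def registrable_domain(hostname):
    """Return the part of a hostname that its owner actually registered."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_listing(text):
    """Return (ip, hostname) pairs for every well-formed line."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def summarize(pairs):
    """Map each IP to its set of hostnames and each hostname to its IPs."""
    hosts_per_ip = defaultdict(set)
    ips_per_host = defaultdict(set)
    for ip, host in pairs:
        hosts_per_ip[ip].add(host)
        ips_per_host[host].add(ip)
    return dict(hosts_per_ip), dict(ips_per_host)


def is_lookalike(hostname, brand_domain):
    """True when brand_domain appears as a run of labels inside hostname
    but the hostname is registered under some other domain."""
    labels = hostname.lower().strip(".").split(".")
    brand = brand_domain.lower().split(".")
    n = len(brand)
    embedded = any(labels[i:i + n] == brand for i in range(len(labels) - n + 1))
    return embedded and registrable_domain(hostname) != brand_domain.lower()


def lookalike_domains(pairs, brand_domain):
    """Registrable domains in the listing that impersonate brand_domain."""
    return sorted({registrable_domain(h) for _, h in pairs
                   if is_lookalike(h, brand_domain)})


if __name__ == "__main__":
    pairs = parse_listing(SAMPLE)
    hosts_per_ip, ips_per_host = summarize(pairs)
    for ip, hosts in sorted(hosts_per_ip.items()):
        print(f"{ip}: {len(hosts)} hostnames")
    for host, ips in sorted(ips_per_host.items()):
        print(f"{host}: {len(ips)} IPs")
    print("look-alike domains:", lookalike_domains(pairs, "mydomain.com"))
```

Feed the whole listing in as `text` and the per-hostname IP counts show the rotation directly; the look-alike list is what you would hand to a blocklist or a registrar abuse desk, since blocking the registrable domain covers every subdomain the operators hang off it.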

Thursday, November 19, 2009

Running out of Money Mules?

Cyber criminals have launched a new spam campaign this morning trying to recruit more Money Mules. What is a Money Mule? A Money Mule is a person who is participating in a money laundering scheme to help cyber criminals move stolen funds out of the country. The most common way this is performed is to deposit money into the Money Mule's bank account, and then send them instructions on where to wire the money using Western Union, MoneyGram, or some other non-bank world-wide money movement system.

In today's newest Money Mule recruitment scam, the criminals have sent a broad-blast email with email subjects such as:

employees needed
job in USA
job offer
part-time job

The "From:" email is widely scattered with nearly every email forging a different from email address, but most use the from name of either "Employees Needed" or "Job Offer".

The scam emails began arriving around 6:35 AM today, and we've already received more than 500 copies in the UAB Spam Data Mine.

The website advertised in the scam is based in China, currently hosted on the IP 222.73.37.203 in Shanghai, China, and has the address:

http://abc-webdesign.cn/jobs_usa.htm



Here's the text of their job description from that site:

Financial Manager

Location: USA, statewide
Availability: currently available
Employment type: Part-time employment
Number of employees required: 5

CANDIDATE REQUIREMENTS

* not less than 21 years old
* internet access to reply emails promptly
* availability by phone (1-2 hours a day)
* a bank account to process payments
* good credit history with your bank (new bank account is an option)
* no criminal offense or convictions
* experience in the field of finance is preferred

DUTIES

We are searching for people to process payments coming from our clients. ABCWebDesign will provide an agent with detailed instructions as regards payment processing operations including sender full name and amount total for each separate case.

When funds enter employee's bank account, Financial Agent's duty is to withdraw cash and transfer the funds via Western Union/Money Gram money transfer systems. The main advantage of our services is the shortest possible time within which the seller can receive money for the services sold. If this operation is delayed, our clients are entitled to cancel their contract with us and we suffer financial loss. Therefore, successful applicant must be very responsible and careful!

TRIAL PERIOD POLICY

Successful applicants are offered the position on a probationary period basis (1 month). This is the period when a new employee will be trained and receive online support while working and being paid. A personal supervisor can recommend termination during/after the trial period depending on agent's activity. New employee should be responsible and strictly follow supervisor's recommendations to pass the Probationary Period successfully and be employed by us on a regular basis.

SALARY

During the probationary period we offer $500 monthly salary plus 5% commission for each payment processing operation. For example, an average $5,000 payment will entail $400 commission. A successful agent may ask for additional tasks and earn more. Base salary ($500) will be transferred at the end of each month to employee's bank account. Commission (5%) is to be deducted from the processed money.

IMPORTANT DETAILS

* Financial Agent is supposed to process received assets during one business day, i.e. from the moment of money entering his bank account to the moment of re-send to our client in accordance with contract terms. If money enters employee's account on a day-off or holiday, all payment processing procedures have to be completed during the next working day.
* Financial Agent receives invoices for each transaction every 14 days. This document is a confirmation of transaction validity, and in case of any (if any at all) unforeseen circumstances it will evidence your personal non-participation. All invoices will contain detailed information on money sender and will be both sealed and certified with President's signature.
* After the Probationary Period completion, invoices will be sent every business day.
* Since business transfers can be processed with delays, Financial Manager should specify each transfer as a private remittance. This provision is also applicable in case of a third party interest in the transfer.
* Our clients appreciate our operational efficiency and are ready to pay extra fee for shorter transaction terms.
* The fees for Western Union and MoneyGram transfers are paid by our company. Absolutely nothing is subtracted from your commission; you get exactly 5% from amount. The fees will be discounted from the money that you will send via Western Union or MoneyGram transfers.
* We don't ask for any investment to start cooperating with our company.
* The company offers incentive bonus program based on work results with regard to several factors, i.e. total sum of money transferred, payment processing time, etc.

OUR BENEFITS

Probationary period imposes restrictions on the employment benefits of our corporation. Financial Manager will be able to receive ABCWebDesign employment benefits only after probationary period completion. Employment benefits will include:

* stock options
* child-care subsidies
* flex-time
* business casual attire
* free training and professional development programs

*Detailed information concerning the employment benefits will be provided after probationary period successful completion.


If you have a desire to work send us your CV (resume) to hr-usa@abc-webdesign.cn

You can send us this application form instead of CV also.

CURRENT/LAST JOB:
WORK EXPERIENCE (years):
MOBILE or HOME NUMBER:

As soon as we receive your CV (preferred) or application form we call you
with the result of accepting you to our job position and further details.



ABCWebDesign

A: Tarnow, ul. Wałowa 4 1B, 51-326 Poland
T: +48 22 389 7067


(The telephone number belongs to a real company in Poland, City Web Design - city-pl.com. It's very common for these fake job sites to steal a real company's website as the base for their Money Mule website.)




There are many, many interesting things hosted on this IP address, but since this blog entry is primarily about career scams, I'll mention only one other in particular.

http://your-usa-address.net/index.php?node=job

is also hosted on the same IP address in China as the Money Mule site above. This "business" consists of receiving packages at your home address and shipping those packages overseas. Criminals establish these "Reshipper" jobs so that they can buy products online with stolen credit cards and ship them to "less suspicious" addresses here in the United States. Orders made with American credit cards and foreign delivery addresses are treated with a higher level of scrutiny by merchants, so the criminals avoid that scrutiny by tricking Americans into working for them through attractive career offerings like this one:



The advertisement on this site reads:
The Next Stage of Your Career Starts Here

Jobs come and go. But a rewarding career is a lifelong goal - achieved over time. Working at The Shipping Company Limited offers career-building opportunities, many exciting challenges and the satisfaction of knowing you can make a difference.

We are always looking for the best people to join our growing team. As a diversified services company, we have a wide range of exciting career opportunities. So whether you're just starting out or looking to set a whole new career direction, The Shipping Company Limited can help make it happen.

Are you driven by new challenges every day? Do you love to work with people? If you prefer to be in charge of your own destiny, then Authorized Agent Job may be the right career path for you. In our training program, you'll get valuable hands-on experience and could be on your way to running your own business.

About the Authorized Agent

Every day we support our customers from developing countries to purchase goods in the major trading platforms worldwide, while Authorized Agent's job is focused on receiving goods from the trading platforms and further sending them to our customers. As an Authorized Agent, you'll have an opportunity to:

* Establish your own schedule.
* Grow personally and professionally.
* Control your income level.
* Make a real impact with members and within local communities.

Benefits

As a The Shipping Company Limited Authorized Agent, your salary is just part of the compensation package offered. We understand you have responsibilities both at work and at home, therefore we offer a wide range of flexible benefits designed to provide opportunity, protection, and security for you and your family.
The Shipping Company Limited offers:

* Highly competitive compensation and income potential
* Exceptional, comprehensive training to get you started plus ongoing learning opportunities.

Eligibility Requirements

Exciting opportunities await you if you qualify to be a The Shipping Company Limited Co. Authorized Agent. Job requirements:

* Obtain and maintain:
1. PC, Internet, E-mail user-level skills
2. Mailing/Dispatching prior experience;
* Be eligible for adult employment with C&T Shipment Service.
* Any additional employment is not a hindrance as long as you have 3-4 hours a day free.
* Eligible to work long-term.

Frequently Asked Questions

The opportunity is here. The potential for success is unlimited.

>>> Apply now <<< .

IMPORTANT: Your detailed CV in MS Word format will considerably facilitate our choice.





If you or anyone you know has gotten mixed up in one of these Money Mule or Reshipper schemes, it's important that you contact law enforcement. Please save any emails, either recruitment emails or instruction emails, that you receive from the criminals, because these can help law enforcement identify who the criminals are and where they are located!

If you aren't sure where to report it, this or any other cybercrime can be reported to the Internet Crime Complaint Center (IC3) on their website at ic3.gov.

Wednesday, November 18, 2009

Zeus: Same Criminal, New Spam Infrastructure

Last week one of the longest-lived malware spam delivery systems, which the anti-phishing community knew as "Avalanche", went off-line. After sending spam almost non-stop for many months, the "Avalanche" group has gone silent; since June it had been used to deliver a variety of Zeus (Zbot) infectors, including scams pretending to be from MySpace, Facebook, the FDIC, the IRS, NACHA, a Microsoft Outlook update, and others.

Last night a new spam campaign began using a new scam to spread malware. A sample of the email looks like this:
We recorded a payment request from "Amy's Kitchen" to enable the charge of $94.71 on your account.

The payment is pending for the moment.

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "Amy's Kitchen".

If you didn't make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).


The "Transaction Inspector Module" is in a file called "module.zip", which when opened contains a file called "module.exe". That file is a piece of malware called "Sasfis", which is a dropper. A tiny piece of malware which, when launched, causes additional malware to be downloaded as well.

The Sasfis malware has these characteristics:
File size: 18944 bytes
MD5: eec53e2239800e5d85b6b85d5e2451cb

A VirusTotal Report shows that this version of Sasfis is very widely detected.

UAB Malware Analyst Brian Tanner ran the malware in the lab for me. After launching, the malware connects to a Command & Control server which is on the same computer as the NACHA version of Zeus! Nothing happens for the first 45 minutes, then two additional executables are downloaded, one of which is a copy of Zeus that uses the same config file and same update server as the NACHA version of Zeus.
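Putting the traits described in this post into a mail-side check, as an added example that is not code from the original post or from any vendor: a subject of the form payment request from "<company>", and a .zip attachment whose contents are an executable (module.zip wrapping module.exe). The MD5 and file size of the Sasfis sample are the ones quoted above; the message and the archive built in the block are constructed test data, not the real malware, and the executable extension list is an assumption.

```python
"""Triage an inbound message for the traits this post describes.

Added example, not code from the original post or from any vendor.
The hash and size of the Sasfis sample are the values quoted in the
post; everything else here is constructed test data.
"""
import hashlib
import io
import re
import zipfile

SASFIS_MD5 = "eec53e2239800e5d85b6b85d5e2451cb"   # from the post
SASFIS_SIZE = 18944                                # bytes, from the post

# Subject pattern used by the campaign: payment request from "<company>"
SUBJECT_RE = re.compile(r'^payment request from ".+"$', re.IGNORECASE)
# Assumption: extensions treated as directly executable on Windows.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_test_zip(member_name, payload):
    """Construct an in-memory archive shaped like module.zip (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def inspect_zip(data):
    """Return (name, size, md5) for each member, read entirely in memory."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            members.append((info.filename, len(content),
                            hashlib.md5(content).hexdigest()))
    return members


def triage(subject, attachments):
    """attachments maps filename -> bytes. Returns the reasons the message
    looks like this campaign; an empty list means nothing matched."""
    reasons = []
    if SUBJECT_RE.match(subject.strip()):
        reasons.append("subject matches 'payment request from \"...\"' pattern")
    for name, data in attachments.items():
        if not name.lower().endswith(".zip"):
            continue
        try:
            members = inspect_zip(data)
        except zipfile.BadZipFile:
            # A broken archive is itself worth a look; do not crash on it.
            reasons.append(f"{name}: attachment is not a valid zip")
            continue
        for member, size, md5 in members:
            if member.lower().endswith(EXECUTABLE_EXTS):
                reasons.append(f"{name}: contains executable {member}")
            if md5 == SASFIS_MD5 and size == SASFIS_SIZE:
                reasons.append(f"{name}/{member}: matches Sasfis sample hash")
    return reasons


if __name__ == "__main__":
    # Constructed message modelled on the sample in the post.
    msg_subject = 'payment request from "Amy\'s Kitchen"'
    msg_attachments = {
        "module.zip": build_test_zip("module.exe", b"MZ not a real binary"),
    }
    for reason in triage(msg_subject, msg_attachments):
        print("FLAG:", reason)
```

The hash check only catches the one build quoted here; the subject pattern and the "zip containing an executable" check are what keep catching the campaign as the dropper is rebuilt, which is the point the VirusTotal counts on this blog keep making.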

The UAB Spam Data Mine has received many thousands of copies of the new spam campaign, with 536 unique company names used in the subject and body of the email. Each copy of the spam email has a randomly selected company name and specifies a random dollar amount for the transaction. Here is the complete list of email subjects:

payment request from "a21"
payment request from "Aaron Rents"
payment request from "Abbott Laboratories"
payment request from "Abercrombie & Fitch"
payment request from "ABM Industries"
payment request from "ABX Air, Inc."
payment request from "ACCO Brands"
payment request from "Ace Hardware"
payment request from "Acme Brick Company"
payment request from "Acme Markets"
payment request from "ACN Inc."
payment request from "Activision Blizzard"
payment request from "Acuity Brands"
payment request from "ADC Telecommunications"
payment request from "Adobe Systems Inc."
payment request from "Advance Auto Parts"
payment request from "Advanced Processing & Imaging"
payment request from "AES"
payment request from "Aetna"
payment request from "Affiliated Computer Services"
payment request from "AFLAC"
payment request from "AGCO"
payment request from "Agilent Technologies"
payment request from "AGL Resources"
payment request from "Air Products & Chemicals"
payment request from "Airgas"
payment request from "AirTran Holdings"
payment request from "AK Steel Holding"
payment request from "Alaska Air Group"
payment request from "Albemarle"
payment request from "Albertsons"
payment request from "Alcoa"
payment request from "Aleris International"
payment request from "Alexander & Baldwin"
payment request from "Allegheny Energy"
payment request from "Allegheny Technologies"
payment request from "Allen Organ"
payment request from "Allergan"
payment request from "Alliant Energy"
payment request from "Alliant Techsystems"
payment request from "Allstate"
payment request from "Amazon.com"
payment request from "AMC Entertainment"
payment request from "AMD"
payment request from "Ameren"
payment request from "America Online"
payment request from "American Airlines"
payment request from "American Apparel"
payment request from "American Axle & Manufacturing"
payment request from "American Broadcasting Company"
payment request from "American Eagle Outfitters"
payment request from "American Electric Power"
payment request from "American Express"
payment request from "American Family Insurance Group"
payment request from "American Financial Group"
payment request from "American Greetings"
payment request from "American Hofmann"
payment request from "American Home Mortgage"
payment request from "American International Group"
payment request from "American Reprographics Company"
payment request from "AmeriCredit"
payment request from "Amerigroup"
payment request from "Ameriprise Financial"
payment request from "AmerisourceBergen"
payment request from "Ametek"
payment request from "Amgen"
payment request from "Amiga"
payment request from "Amkor Technology"
payment request from "Amphenol Corporation"
payment request from "AMR"
payment request from "Amtrak"
payment request from "Amy"s Kitchen"
payment request from "Anadarko Petroleum"
payment request from "Analog Devices"
payment request from "AnaSpec"
payment request from "Anchor Bay Entertainment"
payment request from "AND1"
payment request from "Anixter International"
payment request from "Ann Taylor"
payment request from "Aon"
payment request from "Apache Software Foundation"
payment request from "Apollo Group"
payment request from "Apple Inc."
payment request from "Applebee's"
payment request from "Applied Biosystems"
payment request from "Applied Industrial Technologies"
payment request from "Applied Materials"
payment request from "Aramark"
payment request from "Arbitron"
payment request from "Arch Coal"
payment request from "Archer Daniels Midland"
payment request from "Arctic Cat"
payment request from "Ariba"
payment request from "Armstrong World Industries"
payment request from "Arrow Electronics"
payment request from "Arryx"
payment request from "ArvinMeritor"
payment request from "ASARCO"
payment request from "Asbury Automotive Group"
payment request from "Ashland, Inc."
payment request from "AskMeNow"
payment request from "Aspyr Media Inc."
payment request from "Assurant"
payment request from "AT&T"
payment request from "Atari"
payment request from "Atmos Energy"
payment request from "Autodesk"
payment request from "Autoliv"
payment request from "Automatic Data Processing"
payment request from "AutoNation"
payment request from "Auto-Owners Insurance"
payment request from "Autozone"
payment request from "Avaya"
payment request from "Avery Dennison"
payment request from "Avis Budget Group"
payment request from "Avnet"
payment request from "Avon Products"
payment request from "AVST"
payment request from "Babcock & Wilcox"
payment request from "Baker Hughes"
payment request from "Baldor Electric"
payment request from "Ball"
payment request from "Bank of America Corp."
payment request from "Bank of New York Mellon Corp."
payment request from "Barnes & Noble"
payment request from "Bath & Body Works"
payment request from "Baxter International"
payment request from "BB&T Corp."
payment request from "BE Aerospace"
payment request from "Beaner"s Gourmet Coffee"
payment request from "BearingPoint"
payment request from "Beazer Homes USA"
payment request from "Bechtel Corporation"
payment request from "Beckman Coulter"
payment request from "Becton Dickinson"
payment request from "Bed Bath & Beyond"
payment request from "Belden"
payment request from "Belk"
payment request from "Belkin"
payment request from "Bemis"
payment request from "Benchmark Electronics"
payment request from "Berkshire Hathaway"
payment request from "Berry Plastics"
payment request from "Best Buy"
payment request from "Big Lots"
payment request from "Binney & Smith"
payment request from "Biogen Idec"
payment request from "Biomet"
payment request from "Bio-Rad Laboratories"
payment request from "Birdwell"
payment request from "BJ Services"
payment request from "BJ"s Wholesale Club"
payment request from "Black & Decker"
payment request from "BlackRock"
payment request from "Blockbuster Video"
payment request from "BlueLinx Holdings"
payment request from "BMC Software"
payment request from "Bob Evans Farms"
payment request from "Boeing"
payment request from "Boise"
payment request from "Borders Group"
payment request from "BorgWarner"
payment request from "Bosch Brewing Company"
payment request from "Boston Scientific"
payment request from "Boyd Gaming"
payment request from "Bradley Pharmaceuticals"
payment request from "Briggs & Stratton"
payment request from "Brightpoint"
payment request from "Brinker International"
payment request from "Brinks"
payment request from "Bristol-Myers Squibb"
payment request from "Broadcom"
payment request from "Broadridge Financial Solutions"
payment request from "Brookdale Senior Living"
payment request from "Brown-Forman"
payment request from "Brunswick Corporation"
payment request from "Bucyrus International"
payment request from "Burger King Holdings"
payment request from "Burlington Coat Factory"
payment request from "Burlington Northern Santa Fe"
payment request from "C.H. Robinson Worldwide"
payment request from "CA, Inc."
payment request from "Calpine"
payment request from "Capital One"
payment request from "Cartoon Network Studios"
payment request from "Caterpillar Inc."
payment request from "CBS Corporation"
payment request from "Cerner Corporation"
payment request from "Chem-Dry"
payment request from "Chevron"
payment request from "Chicago Bridge & Iron Company"
payment request from "Chrysler"
payment request from "CIGNA"
payment request from "Cisco Systems, Inc."
payment request from "Citigroup"
payment request from "Citrix"
payment request from "CKE Restaurants"
payment request from "Clear Channel Communications"
payment request from "CNA"
payment request from "CNET"
payment request from "Cognizant Technology Solutions"
payment request from "Colgate-Palmolive"
payment request from "Colt Defense"
payment request from "Colt"s Manufacturing Company"
payment request from "Columbia Pictures"
payment request from "Comcast"
payment request from "Comodo"
payment request from "ConocoPhillips"
payment request from "Conseco"
payment request from "Continental Airlines"
payment request from "Control Data Corporation"
payment request from "Convergys Corp."
payment request from "Converse"
payment request from "Corning Incorporated"
payment request from "Costco"
payment request from "Coventry Health Care"
payment request from "Crazy Eddie"
payment request from "Crowley Maritime Corporation"
payment request from "CVS Pharmacy"
payment request from "Danaher"
payment request from "Darden Restaurants"
payment request from "DaVita"
payment request from "Dean Foods"
payment request from "Deere & Company"
payment request from "Del Monte Foods"
payment request from "Dell, Inc."
payment request from "Delphi"
payment request from "Delta Air Lines"
payment request from "Dereon"
payment request from "Devon Energy"
payment request from "Dexrex"
payment request from "DiC Entertainment"
payment request from "Dick"s Sporting Goods"
payment request from "Diebold"
payment request from "Digi-Key"
payment request from "Dillard's"
payment request from "DineEquity"
payment request from "DirecTV Group"
payment request from "Discovery Communications"
payment request from "DISH Network"
payment request from "Doculabs"
payment request from "Dole Foods"
payment request from "Dollar General"
payment request from "Dollar Tree"
payment request from "Dominion Resources"
payment request from "Domtar"
payment request from "Donaldson"
payment request from "Dover"
payment request from "Dow Jones & Company"
payment request from "Dr Pepper Snapple Group"
payment request from "Dresser Inc."
payment request from "DRS Technologies"
payment request from "DST Systems"
payment request from "DTE Energy"
payment request from "Duke Energy"
payment request from "Dun & Bradstreet"
payment request from "DuPont"
payment request from "DynCorp International"
payment request from "Dynegy"
payment request from "Eastman Chemical Company"
payment request from "Eastman Kodak"
payment request from "eBay"
payment request from "Ecolab"
payment request from "El Paso Corp."
payment request from "Electric Boat"
payment request from "Electronic Data Systems"
payment request from "Eli Lilly and Company"
payment request from "EMC Corporation"
payment request from "Emcor Group"
payment request from "Emerson Electric Company"
payment request from "Energy East"
payment request from "Entergy"
payment request from "Enterprise GP Holdings"
payment request from "Equifax"
payment request from "Erie Insurance Group"
payment request from "Exelon Corporation"
payment request from "Expeditors International"
payment request from "Express Scripts Incorporated"
payment request from "ExxonMobil"
payment request from "Federal Home Loan Mortgage Corporation"
payment request from "Federal National Mortgage Association"
payment request from "FedEx"
payment request from "Fidelity Investments"
payment request from "FileMaker Inc., formerly Claris Corp."
payment request from "Ford Motor Company"
payment request from "Forum Communications"
payment request from "Fox Film Corporation"
payment request from "FreeWave Technologies, Inc."
payment request from "Frontier Airlines"
payment request from "Gartner"
payment request from "Gateway Computers"
payment request from "Gatorade"
payment request from "General Dynamics"
payment request from "General Electric"
payment request from "General Mills"
payment request from "General Motors"
payment request from "Gentiva Health Services"
payment request from "Georgia Pacific"
payment request from "Giant Food"
payment request from "Global Insight"
payment request from "Go Daddy"
payment request from "Goldman Sachs"
payment request from "Goodyear Tire and Rubber Company"
payment request from "Google"
payment request from "H&R Block"
payment request from "H. J. Heinz Company"
payment request from "Haley Builders"
payment request from "Halliburton"
payment request from "Hallmark Cards"
payment request from "Hardee's"
payment request from "Harley-Davidson"
payment request from "Hasbro"
payment request from "Hastings Entertainment"
payment request from "Hawaiian Airlines"
payment request from "HCD Surveys"
payment request from "H-E-B"
payment request from "Hewlett-Packard"
payment request from "Hilton Hotels Corporation"
payment request from "Hi-Point Firearms"
payment request from "Home City Ice Co."
payment request from "Home Depot"
payment request from "Honeywell"
payment request from "Hot Topic"
payment request from "Hyland Software"
payment request from "i-flex Solutions"
payment request from "Infor"
payment request from "Informix"
payment request from "Intel"
payment request from "International Business Machines"
payment request from "International Game Technology"
payment request from "International Paper"
payment request from "Interplay Entertainment"
payment request from "Interstate Batteries"
payment request from "Intuit"
payment request from "ION Media Networks"
payment request from "iRobot"
payment request from "J. C. Penny"
payment request from "J. P. Morgan Chase and Co."
payment request from "JetBlue Airways"
payment request from "JN-International Medical Corporation"
payment request from "Johnson & Johnson"
payment request from "Johnson Controls"
payment request from "Jones Soda Co."
payment request from "Journal Communications"
payment request from "KBR"
payment request from "Kellogg Company"
payment request from "Kerr-McGee"
payment request from "Kimberly-Clark"
payment request from "Kmart Corporation"
payment request from "Kohler"
payment request from "KPMG"
payment request from "KPMG Fiduciaire"
payment request from "Kraft Foods"
payment request from "Kroger"
payment request from "Kurzweil Educational Systems"
payment request from "L.L.Bean"
payment request from "Landscape Binders"
payment request from "Laserfiche"
payment request from "LeapFrog Enterprises"
payment request from "Limited Brands"
payment request from "Liz Claiborne"
payment request from "Local Matters"
payment request from "Lockheed Martin"
payment request from "Louisiana Pacific"
payment request from "Lowe's"
payment request from "Lucas Oil"
payment request from "Lucasfilm"
payment request from "Lumencraft"
payment request from "Marathon Oil"
payment request from "Mars Incorporated"
payment request from "Marsh & McLennan"
payment request from "Marshall Pottery Inc."
payment request from "Martha Stewart Living Omnimedia"
payment request from "Martin Marietta Materials"
payment request from "MasterCard"
payment request from "Mattel"
payment request from "McDonald's Corporation"
payment request from "MCI"
payment request from "Medimix International"
payment request from "Meijer"
payment request from "Merck and Company"
payment request from "Microsoft"
payment request from "Midway Games"
payment request from "Midwest Communications"
payment request from "Miller Brewing"
payment request from "Minnesota IMPLAN Group"
payment request from "Miro Technologies"
payment request from "Monsanto Company"
payment request from "Morgan Stanley"
payment request from "Motorola"
payment request from "Musco Lighting"
payment request from "Mutual of Omaha"
payment request from "Nabisco"
payment request from "Nationwide Insurance"
payment request from "NBC Universal"
payment request from "NCR Corporation"
payment request from "NetApp"
payment request from "NetZero"
payment request from "New Balance"
payment request from "New Era Tickets"
payment request from "News Corporation"
payment request from "Nike"
payment request from "Northrop Grumman"
payment request from "Northwest Airlines"
payment request from "Novell"
payment request from "Novellus Systems"
payment request from "Office Depot"
payment request from "Office Max"
payment request from "Oracle Corporation"
payment request from "PACCAR"
payment request from "Pacific Gas & Electric Company"
payment request from "PalmOne, Inc."
payment request from "PalmSource, Inc."
payment request from "Paramount Pictures"
payment request from "PayPal"
payment request from "PepsiCo"
payment request from "Pfizer"
payment request from "Pinnacle Systems"
payment request from "Pizza Hut"
payment request from "Polaroid Corporation"
payment request from "Precision Castparts Corporation"
payment request from "Price Waterhouse Coopers"
payment request from "Principal Financial Group"
payment request from "Procter & Gamble"
payment request from "Publix"
payment request from "Qualcomm"
payment request from "Quantrix"
payment request from "Quest Software"
payment request from "Quincy Newspapers"
payment request from "Qwest"
payment request from "R. H. Donnelley"
payment request from "R. R. Donnelley & Sons"
payment request from "RadioShack"
payment request from "Raytheon"
payment request from "RCA"
payment request from "Red Hat"
payment request from "Red River Broadcasting"
payment request from "Regis Corporation"
payment request from "Respironics"
payment request from "Rockwell Automation"
payment request from "Rockwell Collins"
payment request from "Russell Investment Group"
payment request from "Russell Stovers"
payment request from "Safeco Corporation"
payment request from "Safeway Inc."
payment request from "Salem Communications"
payment request from "SBC Communications"
payment request from "Science Applications International Corporation"
payment request from "Sears"
payment request from "Sequoia Voting Systems"
payment request from "Service Corporation International"
payment request from "Silicon Graphics"
payment request from "Six Flags"
payment request from "Skype"
payment request from "SkyWest Airlines"
payment request from "Snap-on Tools"
payment request from "Softscape"
payment request from "Sony Pictures Entertainment"
payment request from "Southern California Edison"
payment request from "Southwest Airlines"
payment request from "Spanx"
payment request from "Sprint Nextel Corporation"
payment request from "Staples, Inc."
payment request from "Starbucks"
payment request from "Starz"
payment request from "State Street Corporation"
payment request from "Steinway & Sons"
payment request from "Sterling Commerce"
payment request from "Sterling Ledet & Associates, Inc."
payment request from "Stewart-Warner"
payment request from "STOUT UNIVERSITY FOUNDATION"
payment request from "STX"
payment request from "Subway"
payment request from "Sun Microsystems"
payment request from "Sunny Delight Beverages"
payment request from "Sunoco"
payment request from "Syntel"
payment request from "Target Corporation"
payment request from "Tesla Motors"
payment request from "Texas Instruments"
payment request from "Textron Inc."
payment request from "The Coca-Cola Company"
payment request from "The Dow Chemical Company"
payment request from "The Liberty Corporation"
payment request from "The Ohio State University Medical Center"
payment request from "The Vanguard Group"
payment request from "The Walt Disney Company"
payment request from "The Weinstein Company"
payment request from "TheStreet.com"
payment request from "Time Warner Cable"
payment request from "Towers Perrin"
payment request from "Trinity Industries Inc."
payment request from "U.S. Robotics"
payment request from "Ubu Productions"
payment request from "Union Oil Company of California"
payment request from "Union Pacific Railroad"
payment request from "Unisys"
payment request from "United Airlines"
payment request from "United Parcel Service"
payment request from "United Services Automobile Association"
payment request from "United Technologies"
payment request from "Universal Studios"
payment request from "US Airways"
payment request from "US Cellular"
payment request from "UTStarcom"
payment request from "Valero Energy Corporation"
payment request from "Vectren"
payment request from "Verizon"
payment request from "Verizon Wireless"
payment request from "Viacom"
payment request from "Visa Inc."
payment request from "VIZ Media"
payment request from "Vizio"
payment request from "VMware"
payment request from "Vocera Communications"
payment request from "W.R. Berkley"
payment request from "Walgreens"
payment request from "Walmart"
payment request from "Washington Mutual"
payment request from "Welch's"
payment request from "Wells Fargo Bank, N.A."
payment request from "Wendy's/Arby's Group"
payment request from "West Liberty Foods"
payment request from "Westat"
payment request from "Whole Foods Market"
payment request from "Wizards of the Coast"
payment request from "World Financial Group"
payment request from "World Wrestling Entertainment"
payment request from "Xerox"
payment request from "Xilinx"
payment request from "XPLANE"
payment request from "Yahoo!"
payment request from "YRC Worldwide Inc."
payment request from "Yum! Brands, Inc."
payment request from "Zapata"
payment request from "Zappos.com"

Thursday, November 12, 2009

Newest Zeus = NACHA: The Electronic Payments Association

This morning I was meeting with some graduate students in the UAB Computer Forensics program to discuss what projects we would be running in the lab. When the topic of Zeus came up, we observed that we had seen no new spam on the IRS Zeus Campaign in the past 2.5 hours, which probably meant the bad guy was about to change his "look".

Sure enough, I came back from my morning meetings to find 150 copies of the newest Zeus distribution campaign. The new campaign pretends to be the National Automated Clearing House Association (NACHA), which is the group that manages the relationships between participating financial institutions. During the 3rd Quarter of 2009, they report that they brokered 3.77 billion transactions worth more than $7.3 trillion. I was observing this morning that the criminals know more about our financial networks than the average banking consumer who probably doesn't understand what NACHA is or how the organization works. When I shared this thought with Brian Krebs today, he commented "I assure you that the comptrollers of the companies being targeted by these criminals know who NACHA is!" (Krebs is the author of the Washington Post's Security Fix column, and a leader in researching this family of attacks.)

In this case, the spam subject lines are:

Please review the transaction report
Rejected ACH transaction
Rejected ACH transaction, please review the transaction report
Unauthorized ACH transaction
Unauthorized ACH Transaction Report
Your ACH transaction was rejected
Your ACH transaction was rejected by The Electronic Payments Association

Sender names used in the spam, all with the email support@nacha.org, included:

ACH Network
Automated Clearing House (ACH)
Electronic Payments Association
NACHA
nacha.org
National Automated Clearing House Association

The email message itself reads:

Dear bank account holder,

The ACH transaction, recently initiated from your bank account (by you or any third party), was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report


------------------------------------------------------------------

Copyright ©2009 by NACHA - The Electronic Payments Association



The website to which you are directed looks like this:



The Transaction Report is described on the website as a "self-extracting, pdf format" file, but is of course really a zbot infector.

The current version of the file is:
File size: 123392 bytes
MD5 : f8150d384940a3ddd24fa5333be0162b

A full Virus Total report is also available, showing 16 of 41 AV companies detecting this version of the malware.

The websites that we are seeing so far on this attack are . . .

nacha.org.corefirstid.com
nacha.org.corefirstid.eu
nacha.org.corefirstid3.com
nacha.org.corefirstid4.com
nacha.org.corefirstid5.com
nacha.org.corefirstid8.com
nacha.org.fffazsa.co.uk
nacha.org.fffazsa.me.uk
nacha.org.fffazsa.org.uk
nacha.org.fffazsf.co.uk
nacha.org.fffazsf.me.uk
nacha.org.fffazsf.org.uk
nacha.org.fffazss.co.uk
nacha.org.fffazss.me.uk
nacha.org.fffazss.org.uk
nacha.org.fffazsx.co.uk
nacha.org.fffazsx.me.uk
nacha.org.fffazsx.org.uk
nacha.org.fstpproid01.com
nacha.org.fstpproid02.com
nacha.org.fstpproid03.com
nacha.org.fstpproid04.com
nacha.org.fstpproid08.com
nacha.org.fstpproid09.com
nacha.org.fstpproid10.com
nacha.org.fstpproid12.com
nacha.org.fstpproid15.com
nacha.org.modsftp01.com
nacha.org.modsftp03.com
nacha.org.modsftp04.com
nacha.org.modsftp05.com
nacha.org.redaczxj.co.uk
nacha.org.redaczxj.me.uk
nacha.org.redaczxj.org.uk
nacha.org.redaczxk.co.uk
nacha.org.redaczxk.me.uk
nacha.org.redaczxk.org.uk
nacha.org.redaczxm.co.uk
nacha.org.redaczxm.me.uk
nacha.org.redaczxm.org.uk
nacha.org.redaczxn.me.uk
nacha.org.redaczxn.org.uk
nacha.org.redaczxs.co.uk
nacha.org.redaczxs.me.uk
nacha.org.tttteacb.co.uk
nacha.org.tttteacb.me.uk
nacha.org.tttteacb.org.uk
nacha.org.tttteacf.co.uk
nacha.org.tttteacf.me.uk
nacha.org.tttteacg.co.uk
nacha.org.tttteacg.org.uk
nacha.org.tttteack.co.uk
nacha.org.tttteack.me.uk
nacha.org.tttteack.org.uk
nacha.org.tttteacx.co.uk
nacha.org.tttteacx.me.uk
nacha.org.tttteacx.org.uk
nacha.org.tyeen.me.uk
nacha.org.tyeep.me.uk
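Every lure host above starts with the brand labels "nacha.org" but is actually registered under some other domain (corefirstid.com, fffazsa.co.uk, and so on), while the From: header claims support@nacha.org. That mismatch is mechanically detectable. The following is an added example written for this post, not code from the blog or from NACHA: it extracts the registrable domain from each link host, flags hosts that merely embed a protected brand, and triages a message by comparing the claimed sender domain with its link hosts. The protected-brand list, the short two-level-suffix list (a stand-in for the Public Suffix List), and the sample message body with its /report path are all constructed assumptions.

```python
import re
from email.utils import parseaddr

# Brands whose name must not appear as a mere prefix of a third-party host.
# Constructed list for this example.
PROTECTED_DOMAINS = {"nacha.org"}

# Two-level public suffixes seen among the lure hosts on this page.
# Assumption: a production check would consult the Public Suffix List instead.
TWO_LEVEL_SUFFIXES = {"co.uk", "me.uk", "org.uk"}

# Hosts are taken from http(s) links in the body; constructed regex.
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname, e.g.
    nacha.org.fffazsa.co.uk -> fffazsa.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _contains_labels(labels, brand_labels):
    """True when brand_labels occur as a contiguous run inside labels."""
    n = len(brand_labels)
    return any(labels[i:i + n] == brand_labels for i in range(len(labels) - n + 1))


def spoofed_brand(host: str):
    """Return the protected brand a hostname impersonates, or None.
    A host impersonates brand B when B's labels appear inside it but the
    registrable domain is something other than B."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in PROTECTED_DOMAINS:
        return None  # genuinely under the brand's own domain
    labels = host.split(".")
    for brand in PROTECTED_DOMAINS:
        if _contains_labels(labels, brand.split(".")):
            return brand
    return None


def triage_message(from_header: str, body: str) -> dict:
    """Flag a message whose claimed sender domain is a protected brand while
    its links point at hosts that only embed that brand's name."""
    _, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2].lower()
    hosts = URL_RE.findall(body)
    spoofed = [h for h in hosts if spoofed_brand(h)]
    claims_brand = sender_domain in PROTECTED_DOMAINS
    return {
        "sender_domain": sender_domain,
        "link_hosts": hosts,
        "spoofed_hosts": spoofed,
        "verdict": "suspicious" if (spoofed and claims_brand) else
                   ("lookalike_links" if spoofed else "clean"),
    }


# Constructed sample message: the sender name/address from the campaign and a
# link to one of the lure hosts listed above (the /report path is invented).
SAMPLE_LURE = ("NACHA <support@nacha.org>",
               "Please review the transaction report: "
               "http://nacha.org.fffazsa.co.uk/report")
SAMPLE_LEGIT = ("NACHA <support@nacha.org>",
                "See https://www.nacha.org/ for details.")

if __name__ == "__main__":
    for hdr, body in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(triage_message(hdr, body))
```

The check deliberately keys on the registrable domain rather than on a blocklist of the hosts above: the list changes every few hours, but every variant still has to carry "nacha.org" somewhere left of a domain the criminals control.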

Wednesday, November 11, 2009

The $9 Million World-Wide Bank Robbery

On November 7th and 8th, 2008 a group of Russian and Estonian hackers raised the balances on several ATM "prepaid payroll cards" belonging to RBS WorldPay, headquartered in Atlanta, Georgia. The hackers also modified the business logic regarding the limits on how much money could be withdrawn from a single account via ATM machines. At the pre-arranged time, a world-wide ATM spree began, with hackers using duplicates of 44 payroll cards to make withdrawals from 2,100 ATM machines in at least 280 cities around the world, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, and Canada.

When the adrenaline rush cleared, the gang had stolen Nine Million Dollars in twelve hours, and the hackers hit RBS WorldPay seeking to destroy all copies of the records of these withdrawals. The "cashiers", the people who actually used the ATM cards, were allowed to keep between 30% and 50% of the funds they withdrew, sending the rest back to the ring-leaders via Webmoney and Western Union.

The questions being asked by EVERYONE were "HOW IS THAT POSSIBLE?!?!?!" For instance, look at the comments on this Boing Boing article: Flashmob of ATM crooks scores $9 million. At that time the news was that "less than 100" cards were used in 30 minutes in 49 cities. Everyone was saying "That's like $90,000 per payroll card? Who has that kind of money on a payroll card?" or "Can you imagine trying to take 3,500 $20 bills out of an ATM?" Keep reading, because those questions are answered below.

On November 10th, 2009, just about one year later, Special Agent in Charge Greg Jones of the Atlanta FBI issued a press release entitled International Effort Defeats Major Hacking Ring: Elaborate Scheme Stole over $9.4 Million from Credit Card Processor.

VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia; SERGEI TŠURIKOV, 25, of Tallinn, Estonia; and OLEG COVELIN, 28, of Chişinău, Moldova, along with an unidentified individual, have been indicted by a federal grand jury on charges of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, and aggravated identity theft. IGOR GRUDIJEV, 31, RONALD TSOI, 31, EVELIN TSOI, 20, and MIHHAIL JEVGENOV, 33, each of Tallinn, Estonia, have been indicted by a federal grand jury on charges of access device fraud.


Congratulations to all the great investigators involved in this, from the FBI investigators, the RBS investigations team, and all the locals who got called to pull ATM video all around the world. Well done!

Singled out for praise in the press release were the Estonian Central Criminal Police and the Netherlands Police Agency. The Hong Kong Police worked closely with the FBI to separately charge the criminals who used ATMs based in Hong Kong as part of this scheme.

RBS WorldPay is headquartered in Atlanta, and is owned by Citizens Financial Group, which is itself owned by the Royal Bank of Scotland. Although prepaid debit cards from RBS WorldPay are issued by RBS Citizens of North America, Palm Desert National Bank, The Bankcorp, Inc, and First Bank of Delaware, in this case 42 of the 44 cards used in the scheme were from Palm Desert National Bank.

Let's look at the individuals involved.

SERGEI TŠURIKOV, 25, of Tallinn, Estonia performed reconnaissance and found a path of entry into the RBS WorldPay computer network. With the help of unnamed hackers, they found a successful path of vulnerability into the network. TŠURIKOV then introduced these hackers to VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia, who was the one to actually mastermind the hack, supported by OLEG COVELIN, 28, of Chişinău, Moldova, and an unknown hacker referred to in the indictment as "HACKER 3". TŠURIKOV also managed an existing ring of "cashiers" - criminals who brazenly take the risk of withdrawing money using counterfeit ATM cards, and then dutifully wire part of their proceeds back to the smarter criminals who don't take such risks themselves.

The key activity that let them get started was to reverse engineer the encryption of the PINs used by the RBS WorldPay computer network. Led by PLESHCHUK's superior hacking capabilities, TŠURIKOV, HACKER 3, and others are then said to have raised the limits on certain of the prepaid payroll cards. PLESHCHUK and TŠURIKOV were logged in to the RBS WorldPay computer network actively observing the world-wide withdrawals taking place on the cards they had distributed for use in this scam. When each card was done, they gave orders in the RBS network to lock that card.

HACKER 3 was primarily responsible for running the network of cashiers and coordinating the simultaneous world-wide withdrawal of what would end up being $9 Million. He was also the funds manager who received the funds from the cashiers and distributed the shares to the other members of the conspiracy.

OLEG COVELIN, 28, of Chişinău, Moldova is the hacker who first found the vulnerability in the RBS WorldPay system, and who shared it with TŠURIKOV so that it could be exploited. COVELIN received stripe data and PINs from the hackers, which he distributed to his own cashier network to participate in the ATM withdrawal spree.

From November 4th until November 8th, the 44 cards that would be used in the attack were created and distributed to the "lead cashiers", who in turn spread the cards to their cashiers, both in the United States and around the world.

To test their scheme, the hackers, PLESHCHUK, TŠURIKOV, and HACKER 3, modified one card distributed to COVELIN and raised the available balance on that account number.

Then on November 8th, the three hackers did the same for the remainder of the cards, and the ATM Blitz was on. Cashiers hit the 2,100 ATM terminals in at least 280 cities. At the agreed-upon time limit, PLESHCHUK and TŠURIKOV tried to begin their clean-up, deleting data in Atlanta, Georgia from St. Petersburg, Russia and Tallinn, Estonia, attempting to cover their tracks and conceal their unauthorized access and fraud.

The indictment contains "xxxxx"ed out versions of the actual commands issued by PLESHCHUK, such as:

UPDATE Card
SET
ATMxxxxxLimit = 500000, POSxxxxLimit = 500000, ATMxxxxxx=500000, ATMxxxxLimit2=500000 where xxxxPAN IN ('xxxxxxxxxxxx1627')

or

delete from xxxxLogs where xxxxLogID>2400000 and xxxxPAN in ('xxxxxxxxxxxx4809', 'xxxxxxxxxxxx3926', 'xxxxxxxxxxxx1041', 'xxxxxxxxxxxx5815', 'xxxxxxxxxxxx4912', 'xxxxxxxxxxxx9488', 'xxxxxxxxxxxx2840', 'xxxxxxxxxxxx3890')

delete from xxxxTransaction where xxxxxxxxID>820000000 and xxxxPAN in ('xxxxxxxxxxxx4809', 'xxxxxxxxxxxx3926', 'xxxxxxxxxxxx1041', 'xxxxxxxxxxxx5815', 'xxxxxxxxxxxx4912', 'xxxxxxxxxxxx9488', 'xxxxxxxxxxxx2840', 'xxxxxxxxxxxx3890')

Commands issued by TŠURIKOV are also listed in the indictment such as:

select xxxxxxxxxxxID, xxxxxxxxDateTime, xxxxxxxxAmount, xxxxxxxName, xxxxxMerchxxx, xxxxAddr, xxxxCity, xxxxState, xxxZip, xxxxCounty from xxxxxxxxxxxTransaction where xxxPAN = 'xxxxxxxxxxxx0336' and xxxxxxxxxxxxID > 82300000
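The redacted statements quoted from the indictment describe three things a card processor's database audit trail should alert on as they happen: a limit column on a card record being set to an abnormally large value, bulk deletes against log and transaction tables, and a single statement touching a batch of PANs. The following is an added example, not code from the indictment, from RBS WorldPay or from this blog: a small audit-log analyzer that applies those three rules to constructed sample lines. The log format ("timestamp user statement"), the table and column names (Card, AuthLogs, CardTransaction, ATMDailyLimit and so on, standing in for the redacted names), the thresholds, and the masked PANs are all assumptions made for the example.

```python
import re

# Policy parameters; constructed for this example.
LIMIT_COLUMN_HINT = "limit"        # column names containing this are limit columns
LIMIT_CEILING = 10000              # any limit set above this is abnormal
PROTECTED_TABLE_HINTS = ("log", "transaction")  # tables no one bulk-deletes from

# Constructed sample audit log: "<timestamp> <db user> <statement>".
# Table/column names are hypothetical stand-ins for the redacted ones.
SAMPLE_AUDIT_LOG = """\
2008-11-08T02:10:11Z ops_batch UPDATE Card SET Status = 'ACTIVE' WHERE CardPAN IN ('************1111')
2008-11-08T02:11:43Z svc_acct UPDATE Card SET ATMDailyLimit = 500000, POSDailyLimit = 500000 where CardPAN IN ('************1627')
2008-11-08T03:05:02Z svc_acct delete from AuthLogs where AuthLogID>2400000 and CardPAN in ('************4809', '************3926', '************1041')
2008-11-08T03:05:09Z svc_acct delete from CardTransaction where TransactionID>820000000 and CardPAN in ('************4809', '************3926')
2008-11-08T09:00:00Z ops_batch delete from TempStaging where BatchDate < '2008-10-01'
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
UPDATE_RE = re.compile(r"^update\s+(\w+)\s+set\s+(.*?)\s+where\s", re.I | re.S)
DELETE_RE = re.compile(r"^delete\s+from\s+(\w+)", re.I)
ASSIGN_RE = re.compile(r"(\w+)\s*=\s*(\d+)")          # column = integer literal
PAN_RE = re.compile(r"'([*\dxX]{12,19})'")           # masked or plain card numbers


def analyze_statement(sql: str) -> list:
    """Return a list of finding tags for one SQL statement (empty = benign)."""
    findings = []
    m = UPDATE_RE.match(sql)
    if m:
        table, assignments = m.group(1), m.group(2)
        for col, val in ASSIGN_RE.findall(assignments):
            if LIMIT_COLUMN_HINT in col.lower() and int(val) > LIMIT_CEILING:
                findings.append(f"limit_raise:{table}.{col}={val}")
    m = DELETE_RE.match(sql)
    if m:
        table = m.group(1)
        if any(h in table.lower() for h in PROTECTED_TABLE_HINTS):
            findings.append(f"protected_delete:{table}")
    # A batch of PANs in an already-suspicious statement is worth calling out.
    pans = PAN_RE.findall(sql)
    if findings and len(pans) >= 2:
        findings.append(f"multi_pan:{len(pans)}")
    return findings


def analyze_audit_log(text: str) -> list:
    """Run analyze_statement over every audit-log line; return the alerts."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        ts, user, sql = m.groups()
        findings = analyze_statement(sql)
        if findings:
            alerts.append({"ts": ts, "user": user, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(alert)
```

The rules are intentionally coarse: they fire on the shape of the statement (which columns are assigned, which tables are deleted from), not on specific values, so the routine ops_batch maintenance in the sample passes while the limit raise and the two log purges do not. In practice the alert would be fed to the same monitoring channel as the real-time authorization stream, so that a limit raise followed minutes later by withdrawals on the same PAN is visible as one event.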


Some of the specific counts include:

COUNT ONE: Conspiracy to Commit Wire Fraud 18 USC § 1349.

COUNTS TWO THROUGH TEN: Wire Fraud 18 USC § 1343

COUNT ELEVEN: Conspiracy to Commit Computer Fraud (see below)

COUNT TWELVE: Computer Intrusion Causing Damage 18 USC §§ 1030(a)(5)(A), 1030(b), 1030(c)(4)(B)

COUNT THIRTEEN: Computer Intrusion Obtaining Information 18 USC § 1349, 18 USC §§ 1030(a)(2), 1030(c)(2)(B)(i), 1030(c)(2)(B)(ii), 1030(c)(2)(B)(iii)

COUNT FOURTEEN: Computer Intrusion Furthering Fraud 18 USC §§ 1030(a)(4), 1030(c)(3)(A)

COUNT FIFTEEN: Aggravated Identity Theft 18 USC §§ 1028A(a)(1), 1028A(b), 1028A(c)(5)

COUNT SIXTEEN: Access Device Fraud 18 USC §§ 1029(a)(5), 1029(c)(1)(A)(ii)

Count Sixteen is where the other parties come into play. These are the guys doing the cashing.

SERGEI TŠURIKOV gave card numbers and PIN codes to IGOR GRUDIJEV, who then gave the information to RONALD TSOI, EVELIN TSOI, MIHHAIL JEVGENOV, all of Estonia, who withdrew funds worth US$289,000 from ATMs in Tallinn, Estonia.



The charges are much cooler than that really - they use this language that I love, because it makes so clear and easy to find in our laws EXACTLY what they were being charged with. As you read below, just picture bad guys going to jail, and smile with me:

knowingly and willfully conspire to: (a) knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage and attempt to cause damage without authorization to a protected computer, causing loss aggregating at least $5,000 in value to at least one person during a one-year period from a related course of conduct affecting a protected computer, in violation of 18 USC §§ 1030(a)(5)(A) and 1030(b); (b) intentionally access a computer without authorization, and thereby obtain information contained in a financial record of a financial institution, and of a card issuer as defined in 15 USC § 1602(n), and from a protected computer, and the offense being committed for purposes of commercial advantage and private financial gain, and in furtherance of a criminal and tortious act in violation of the Constitution and the laws of the United States, specifically, conspiracy to commit wire fraud in violation of 18 USC § 1349 and wire fraud in violation of 18 USC § 1343, and the value of the information obtained exceeding $5,000, in violation of 18 USC § 1030(a)(2); and (c) access a protected computer without authorization and by means of such conduct further the intended fraud and obtain value, specifically, prepaid payroll card number and PIN codes, and withdrawals from such prepaid payroll card accounts exceeding US$9 million, in violation of 18 USC § 1030(a)(4), all in violation of 18 USC § 371.