UPS Postal Service trojan still active

In the past we’ve seen many variants of the UPS email containing an attached trojan in a zip file, now known as Win32/Kollah.RT, 32/Zbot.GXN!tr.spy or TrojanSpy:Win32/Zbot.gen!C depending on the anti-virus engine. Since yesterday we have seen a new variant that is quite active and widely distributed: MX Lab has intercepted quite a few samples of these emails.

The email hasn’t changed much. The subject is “Your Tracking # 877874077711” (where the number is dynamic and changes often) and the body reads:

Sorry, we were not able to deliver postal package you sent on November the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS

The email has the zip file Invoice_UPS.zip attached with the Invoice_UPS.exe inside.

VirusTotal Permalink and MD5: 68ab2a6801bbc18e727d8ac093c8087f.

Email from Int. F.C.U contains trojan downloader

Messages with the subject “Re: F.C. Doc.” carry an attached file Doc_N012.zip that contains what F-Secure detects as Trojan-Downloader.Win32.Small.aglf, also known as Mal/EncPk-CO at Sophos.

The contents of the email:

Hello, onkar-amodik.

We send the updated report.
Ssory for a delay.
Look the attached file.

Tel: 028663

Best regards,
Int. F.C.U.  mailto:scott@planetterragen.com

The unpacked zip file contains the file Doc_N012.Doc______________________________________.exe: the long run of underscores pushes the real .exe extension out of view so the attachment looks like a Word document. Please be aware that the subject, the body of the email and the file names can change when new variants emerge.
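As an added example (not MX Lab’s code), the following Python script shows how a mail gateway can catch both of the attachments described above, the Invoice_UPS.zip containing Invoice_UPS.exe and the Doc_N012.zip with its padded double extension. It builds a constructed sample message with a harmless placeholder inside the zip, then walks the MIME parts, opens any zip attachment and reports executables and document-extension-plus-padding names; the subject pattern for the UPS lure is an assumption based on the subject quoted above.

```python
"""Added example, not MX Lab's code: inspect a mail's zip attachments for
executables hiding behind document-like names, as seen in Invoice_UPS.zip ->
Invoice_UPS.exe and Doc_N012.zip -> Doc_N012.Doc____...____.exe above."""
import io
import os
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DOCUMENT_EXT = {".doc", ".pdf", ".xls", ".txt", ".rtf"}
# The UPS lure subject: the tracking number changes from mail to mail.
TRACKING_SUBJECT = re.compile(r"^Your Tracking # \d+$")


def member_verdict(name):
    """Reasons why a zip member name looks dangerous (empty list if none)."""
    reasons = []
    stem, ext = os.path.splitext(name.lower())
    if ext in EXECUTABLE_EXT:
        reasons.append("executable extension " + ext)
        # Doc_N012.Doc______.exe: a document extension followed by padding that
        # pushes the real extension out of view in most mail clients.
        unpadded = stem.rstrip("_ ")
        inner_ext = os.path.splitext(unpadded)[1]
        if inner_ext in DOCUMENT_EXT:
            how = "hidden by padding" if unpadded != stem else "double extension"
            reasons.append("document extension %s %s" % (inner_ext, how))
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and list subject/attachment findings."""
    msg = message_from_bytes(raw)
    findings = []
    if TRACKING_SUBJECT.match(msg.get("Subject", "")):
        findings.append("subject matches UPS tracking-number lure")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname or not fname.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            findings.append("%s: not a valid zip file" % fname)
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for member in zf.namelist():
                for reason in member_verdict(member):
                    findings.append("%s -> %s: %s" % (fname, member, reason))
    return findings


def build_sample(subject, zip_name, member_name):
    """Constructed test message (harmless text inside the zip, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder content, not an executable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in [("Your Tracking # 877874077711", "Invoice_UPS.zip", "Invoice_UPS.exe"),
                 ("Re: F.C. Doc.", "Doc_N012.zip",
                  "Doc_N012.Doc______________________________________.exe")]:
        for line in scan_message(build_sample(*args)):
            print(line)
```

The padding check is the part worth copying: a plain "ends with .exe" rule already catches both samples, but the padded name tells you the sender is deliberately disguising the file, which is a stronger signal than the extension alone.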

The threat attempts to open a backdoor that allows unauthorized access to the infected machine. It creates the file %Temp%\system.ex, starts a new process and adds itself to the registry so that it runs each time the computer boots.

VirusTotal Permalink and MD5: 28c8d27cb9da210a5480618a57788dde.

Rustock is back online, spam levels rise again

UPDATE, Nov 27th: One of the new CnC servers, ‘sdx3Fs5B.info’, was resolving to 72.233.114.74 at LayeredTech. FireEye sent an abuse notification to LayeredTech when the CnC servers went online and they have pulled the server.

—————-

Yesterday, Nov 24, 2008, I noticed a sudden spam rise. When checking some samples I found that the ‘Canadian Pharmacy’ spam is back and some new image based spam campaigns have been launched.

But the ‘Canadian Pharmacy’ spam is what we should focus on. These campaigns are being sent by Rustock, so the conclusion is that these guys are back online and in business.

With subjects like Obama.s new plan, Food crisis in California or Bush.s last words they try to get their email opened so you see the ‘Canadian Pharmacy’ advertisement. URLs like hxxp://alsi.kugusup.cn or hxxp://ppbka.kugusup.cn redirect you to hxxp://beautythrow.com/, where the Canadian Pharmacy web site is hosted.

While looking for more information on whether Rustock is back, I found that FireEye Security has posted more details on their blog.

As expected, the bot admins learned from the shutdown of McColo. They can now simply change the DNS records so that their command and control server remains reachable.

The new Rustock spam campaign is already having an impact on the spam levels. The image below is the graph for one of my domains and you can see the spam level drop when McColo was taken down. The red line is the global spam level.

We have a peak during the weekend, due to the absence of business emails, and a global spam level between 75% and 85% during the week. Yesterday we had a spam level of 89.4% and at the time of writing this article we are back at 93%. You can see the graph going up again after the re-activation of the Rustock C&C servers.

ISP McColo down, what is the impact so far?

After the takedown of the internet connections of the US ISP McColo on November 11th, 2008, spam levels dropped worldwide by between 50% and 75% according to some sources. 5 botnets, Rustock, Srizbi, Pushdo/Cutwail, Ozdok/Mega-D and Gheg, were directly affected because their command and control servers were cut off from their bots. What is the impact of this takedown after a week?

At MX Lab we noticed a significant drop in the SMTP connections that contained spam. Our global spam level of around 90% during business days and more than 95% during weekends also dropped to approximately 75% shortly after the takedown of McColo.

During the first weekend it was up again, due to the absence of business emails, to more than 94%, and during weekdays it was around 80% – 83%.

The graph above shows the global vs. domain spam levels for one of my domains, pixeldesign.be. As you may notice, the spam level for pixeldesign.be is always rather on the high side because we get a lot of spam compared to business emails.

More importantly, MX Lab, like every other email security provider, noticed a global drop in SMTP connections from spam sources. The SMTP connection graph normally shows a curve going up and down, with an occasional high burst depending on the spam campaign that is running.

When McColo was taken down we measured a 50% drop in SMTP connections. As you may notice, since Nov 17th the graph has been climbing slightly again, and today we have the 3rd increase in a row.

As reported earlier, the Rustock botnet admins managed to move their command and control servers to Russia and push an update to their bots. Some sources claim that the uptime was too short to fully update the botnet in time.

FireEye Security has detected that 450,000 compromised computers on different IP addresses have been trying to connect to the Srizbi command and control servers that were hosted by McColo until it disappeared. FireEye recommends that admins check their firewall logs for HTTP traffic towards the IP addresses 75.127.68.122 or 64.22.92.15. The company also posted instructions on how to remove the Srizbi rootkit.
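The firewall-log check FireEye recommends is easy to automate. The script below is an added example, not FireEye’s or MX Lab’s code: it reads constructed netfilter-style log lines (the SRC=/DST=/PROTO=/DPT= format is an assumption; adapt the pattern to your firewall) and reports every internal host that attempted an HTTP connection to one of the two C&C addresses named above. Only TCP port 80 is treated as HTTP here, which is an assumption as well.

```python
"""Added example, not FireEye's or MX Lab's code: scan firewall log lines for
outbound HTTP connections to the two Srizbi C&C addresses named by FireEye."""
import re

# The two addresses from FireEye's advisory as quoted in the post above.
SRIZBI_CNC = {"75.127.68.122", "64.22.92.15"}

# Assumption: iptables/netfilter style "SRC=... DST=... PROTO=... DPT=..." lines;
# adapt the pattern for your firewall's own log format.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of a log line as a dict (may be partial)."""
    return {k: v for k, v in FIELD.findall(line)}


def find_cnc_contacts(lines, watch=SRIZBI_CNC, http_ports=("80",)):
    """Map each internal source IP to the watched C&C addresses it tried to reach."""
    hits = {}
    for line in lines:
        f = parse_line(line)
        if f.get("DST") in watch and f.get("PROTO") == "TCP" and f.get("DPT") in http_ports:
            hits.setdefault(f["SRC"], set()).add(f["DST"])
    return {src: sorted(dsts) for src, dsts in sorted(hits.items())}


# Constructed sample log lines (private source addresses, TEST-NET for the
# benign destination; not real traffic).
SAMPLE_LOG = """\
Nov 18 10:02:11 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=75.127.68.122 LEN=60 PROTO=TCP SPT=49153 DPT=80 SYN
Nov 18 10:02:13 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49154 DPT=80 SYN
Nov 18 10:05:40 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=64.22.92.15 LEN=60 PROTO=TCP SPT=33021 DPT=80 SYN
Nov 18 10:05:41 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=64.22.92.15 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Nov 18 10:06:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=75.127.68.122 LEN=60 PROTO=TCP SPT=49160 DPT=80 SYN
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_cnc_contacts(SAMPLE_LOG).items():
        print("%s contacted C&C %s -- check this host" % (src, ", ".join(dsts)))
```

Because the admins can move the C&C by changing DNS, as the post notes, the `watch` set should be kept as a list you update rather than hard-coded for good; the function takes it as a parameter for that reason.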

On the website of HostExploit you can download PDF documentation regarding the takedown of McColo and its brief reconnection.

McColo up and down again, C&C servers to Russia

McColo, the ISP that was taken down because of its malicious activities, was back online for a brief period thanks to the Swedish ISP TeliaSonera AB, which has a router in San Jose. The peering was revoked after complaints to the abuse email address by Sophos and security researcher Atif Mushtaq.

During this time the Rustock admins had time to move their command and control server from IP 208.66.194.22 at McColo to a new host in Russia.

With the takedown of McColo the drop in spam volumes worldwide is still continuing, but as we can see the botnet admins are getting things up and running again. It is my belief that sooner or later, perhaps sooner, the spam levels will rise again, and traditionally the end of the year is very attractive for spammers.

The botnet admins will learn a lesson from this and make their systems more redundant with fallback servers, and we could even see systems where the centralized command and control server is replaced by a structure based more on P2P. Taking down the command center will then become more difficult.

Spam drops after McColo Corp taken offline

SMTP connections that involve spam have dropped 50% at MX Lab since yesterday. At first we thought we faced a technical problem and all systems were checked to be sure, but there simply were fewer SMTP connections that contained spam. Today we still noticed a very low spam volume.

Several news sites report that the San Jose, California, US based hosting firm McColo Corp. has been taken offline after its primary Internet providers severed its connection to the web.

McColo’s clients included cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets. McColo hosted the botnet command-and-control servers (Rustock, Srizbi, Pushdo/Cutwail, Ozdok/Mega-D and Gheg) as well as other systems that ran malware distribution points and criminal payment services. McColo could be responsible for approx. 75% of all spam traffic according to several sources.

Security Fix has gathered data about the activities of McColo over the past four months and has handed over some critical information to the ISPs that provide McColo’s internet connection.

Hurricane Electric, one of the major Internet providers for McColo, has shut down the internet connection towards the hosting provider within the hour.

In September another U.S.-based hosting service, Intercage, also active under the name Atrivo and suspected of harboring spammers, was shut down. Within three days the dip had disappeared as others stepped in, so it is expected that the spam level will return to its usual levels within the next few days.

Commtouch Honored with Deloitte Technology Fast 50

Commtouch, one of our technology partners, has been honored with the Deloitte Technology Fast 50. Read the full article.

Active key trojan

Emails with the following subjects contain the Trojan.Downloader-58166, W32.SillyDC or Worm.Win32.AutoRun.rwo, depending on the anti-virus engine, in the file active_key.zip. It is detected by 12 of the 36 anti-virus engines at VirusTotal.

The Activation Keys
Recovery KEYS for your account 

Content:

Hello,

As you requested your account was held up. You can activate it any time with the help of the keys (they are in Word file) added to this letter.

Feel free to address to our offices in your place to get all your questions answered.

Virus Total permalink and MD5: 04cae49dfbfbfdcd1af74015c1003bb5.

It installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it is run every time an attempt is made to launch the target application, either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible.

The following file will be created: %ProgramFiles%\Microsoft Common\wuauclt.exe, some Windows registry changes will be made, the host name www.microsoft.com will be requested at the host database and connections can be made to the following hosts:

http://*****.ru/ld.php?v=1&rs=13441600&n=1&uid=1

http://*****.ru/ld.php?v=1&rs=13441600&n=1&uid=1.
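Both persistence tricks in these posts, the “default debugger” hijack described above and the registry autostart entry from the Int. F.C.U downloader (%Temp%\system.ex), can be spotted in an exported copy of the registry. The script below is an added example, not MX Lab’s code. It assumes that “default debugger” refers to the Image File Execution Options\<app>\Debugger value (the mechanism Windows uses to substitute a debugger for a program), parses a constructed .reg export for a hypothetical machine, and reports Debugger values that are not a known debugger as well as Run-key entries, marking those that launch from a temp directory.

```python
"""Added example, not MX Lab's code: read a Windows .reg export and flag the two
persistence tricks described in the posts above, an unexpected IFEO "Debugger"
value (the "default debugger" hijack) and Run-key entries launching from a temp
directory. Assumption: "default debugger" refers to the Image File Execution
Options\\<app>\\Debugger registry value."""
import re

IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\"
               "image file execution options\\")
RUN_KEYS = {
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run",
}
# Debuggers one would legitimately expect to find in an IFEO entry.
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse [key] headers and "name"="string" lines into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                # .reg files escape backslashes and quotes inside string values
                keys[current][m.group(1)] = re.sub(r'\\(["\\])', r"\1", m.group(2))
    return keys


def debugger_program(value):
    """Program file name from a Debugger value such as '"C:\\x\\y.exe" /arg' or 'ntsd.exe -d'."""
    v = value.strip()
    prog = v[1:].split('"', 1)[0] if v.startswith('"') else (v.split()[0] if v else "")
    return prog.rsplit("\\", 1)[-1].lower()


def persistence_findings(text):
    """List (kind, name, value) tuples worth a closer look."""
    findings = []
    for key, values in parse_reg_export(text).items():
        lk = key.lower()
        if lk.startswith(IFEO_PREFIX) and "Debugger" in values:
            dbg = values["Debugger"]
            if debugger_program(dbg) not in KNOWN_DEBUGGERS:
                findings.append(("ifeo_debugger", lk[len(IFEO_PREFIX):], dbg))
        elif lk in RUN_KEYS:
            for name, val in values.items():
                kind = "run_key_temp" if "\\temp\\" in val.lower() else "run_key"
                findings.append((kind, name, val))
    return findings


# Constructed export for a hypothetical machine; the wuauclt.exe path and the
# %Temp%\system.ex file name are the indicators given in the posts above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="\"C:\\Program Files\\Microsoft Common\\wuauclt.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="ntsd.exe -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"system"="C:\\Users\\Alice\\AppData\\Local\\Temp\\system.ex"
'''

if __name__ == "__main__":
    for kind, name, value in persistence_findings(SAMPLE_REG):
        print(kind, name, value)
```

A real export produced by reg.exe is UTF-16 with a byte order mark, so decode it before handing the text to `parse_reg_export`; the parser itself only looks at string values, which is enough for Debugger and Run entries.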

Dutch spam from Euro Dice Casino

It doesn’t happen very often, but this spam is written in Dutch and contains no spelling or grammar mistakes. An example:

Iemand heeft de dobbelstenen gegooid en heeft voor jou een verbazingwekkende bonusaanbieding.

Kom kijken in het Euro Dice Casino. http://www.*************gaming.net/nl

(In English: “Someone has thrown the dice and has an amazing bonus offer for you. Come and have a look at the Euro Dice Casino.”)

And the web site is also available in Dutch and other languages.

Phishing attempt for your domain name

Phishers try to get hold of confidential information, and most of these guys are after the login and password for your bank accounts or your credit card details. However, the latest phishing attempts are targeted more towards domain owners. MX Lab has intercepted messages like the one below during the last few days.

The message body:

Dear user,

On Sat, 1 Nov 2008 06:48:43 +0500 we received a third party complaint of invalid domain contact information in the Whois database for this domain. Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.

The contact information for the domain which displayed in the Whois database was indeed invalid. On Sat, 1 Nov 2008 06:48:43 +0500 we sent a notice to you at the admin/tech contact email address and the account email address informing you of invalid data in breach of the domain registration agreement and advising you to update the information or risk cancellation of the domain. The contact information was not updated within the specified period of time and we canceled the domain. The domain has subsequently been purchased by another party. You will need to contact them for any further inquiries regarding the domain.

PLEASE VERIFY YOUR CONTACT INFORMATION – http://www.enom.com <http://www.enom.com.ssl48.mobi>  

If you find any invalid contact information for this domain, please respond to this email with evidence of the specific contact information you have found to be invalid on the Whois record for the domain name. Examples would be a bounced email or returned postal mail. If you have a bounced email, please attach or forward with your reply or in the case of returned postal mail, scan the returned letter and attach to your email reply or please send it to:

Attn: Domain Services 14455 N Hayden Rd Suite 219 Scottsdale, AZ 85260

LINK TO CHANGE INFORMATION – http://www.enom.com <http://www.enom.com.ssl48.mobi>

Thank you,
Domain Services

[IncidentID:57914] 

Just like any other phishing attempt, there is a “problem” and you need to take action to resolve it by going to a web site, obviously not the real site but one set up by the phishers: the link shown as http://www.enom.com actually points to http://www.enom.com.ssl48.mobi.

From that point on, any information you submit falls into the wrong hands, so keep an eye out for these messages.

These are some of the domains used and their registration dates:


#1 ssl42.mobi Sat, 01 Nov 2008 01:48:07 +0000
#2 ssl48.mobi Sat, 01 Nov 2008 01:47:31 +0000
#3 ssl45.mobi Sat, 01 Nov 2008 01:01:27 +0000
#4 sys49.mobi Thu, 30 Oct 2008 11:49:57 +0000
#5 sys42.mobi Thu, 30 Oct 2008 11:43:44 +0000
#6 sys44.mobi Thu, 30 Oct 2008 09:53:52 +0000