UPS Postal Service trojan still active

In the past we’ve seen many variants of the UPS email carrying a trojan in an attached zip file, now detected as Win32/Kollah.RT, 32/Zbot.GXN!tr.spy or TrojanSpy:Win32/Zbot.gen!C depending on the antivirus engine. Since yesterday we’ve seen a new variant, and it is quite active and being widely distributed: MX Lab has intercepted quite a few samples of these emails.

The email hasn’t changed much. The subject is “Your Tracking # 877874077711” (where the number is dynamic and changes often) and the body reads:

Sorry, we were not able to deliver postal package you sent on November the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS

The email has the zip file Invoice_UPS.zip attached with the Invoice_UPS.exe inside.

VirusTotal Permalink and MD5: 68ab2a6801bbc18e727d8ac093c8087f.

Email from Int. F.C.U contains trojan downloader

Messages with the subject Re: F.C. Doc. carry an attached file Doc_N012.zip that, according to F-Secure, contains Trojan-Downloader.Win32.Small.aglf, also known as Mal/EncPk-CO by Sophos.

The contents of the email:

Hello, onkar-amodik.

We send the updated report.
Ssory for a delay.
Look the attached file.

Tel: 028663

Best regards,
Int. F.C.U.  mailto:scott@planetterragen.com

The unpacked zip file contains the file Doc_N012.Doc______________________________________.exe. Please be aware that subjects, email bodies and file names can change when new variants emerge.
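Both campaigns above share the same delivery pattern: a lure subject and a zip attachment whose only member is a Windows executable, in the second case hidden behind a padded double extension. The script below is an added example (not MX Lab's own filter code) of a mail-gateway check for exactly that pattern; the messages it scans are constructed inline and are not real captures, and the lure subject regex is an assumption based on the subject quoted above.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions that are directly executable on Windows and have no business inside a mailed zip.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Assumed subject pattern of the UPS lure: "Your Tracking # <digits>" (the number varies).
TRACKING_SUBJECT = re.compile(r"^Your Tracking #\s*\d+", re.IGNORECASE)


def suspicious_archive_members(zip_bytes):
    """Return (member_name, reason) for archive members that look like mailed executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext not in EXECUTABLE_EXTENSIONS:
                continue
            # "Doc_N012.Doc______.exe": a fake document extension padded with underscores so the
            # real .exe extension scrolls out of view in a file dialog.
            if lower.count(".") > 1 or re.search(r"\.[a-z0-9]{2,4}_{3,}\.", lower):
                findings.append((name, "executable hidden behind a double extension"))
            else:
                findings.append((name, "executable inside archive"))
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and return the reasons it matches the lure pattern."""
    msg = email.message_from_bytes(raw)
    reasons = []
    if TRACKING_SUBJECT.match(msg.get("Subject", "")):
        reasons.append("subject matches UPS tracking lure")
    for part in msg.walk():
        filename = part.get_filename()
        if not filename or not filename.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        try:
            for member, why in suspicious_archive_members(payload):
                reasons.append(f"{filename}:{member}: {why}")
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: attachment is not a valid zip")
    return reasons


def build_sample(subject, zip_name, member_name):
    """Construct a sample message (not a real capture) with one zip attachment holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in [("Your Tracking # 877874077711", "Invoice_UPS.zip", "Invoice_UPS.exe"),
                 ("Re: F.C. Doc.", "Doc_N012.zip", "Doc_N012.Doc______________________________________.exe"),
                 ("Weekly report", "report.zip", "report.pdf")]:
        print(args[0], "->", scan_message(build_sample(*args)))
```

The subject check alone is weak, since the lure text changes with every variant; the archive inspection is what carries the detection, and it keeps working when the subject and file names are rotated.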

It is a threat that attempts to open a backdoor and allow unauthorized access to the infected machine. It creates the file %Temp%\system.ex, starts a new process and adds itself to the registry so that it runs each time the computer boots.
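An autostart entry pointing into a temporary directory is the observable side effect of the persistence step described above. The script below is an added example (not from this post or from any vendor) of auditing exported Run-key values for that pattern; the entries are constructed inline as a stand-in for the output of a registry export, the path from the post is included verbatim, and the executable-extension list and temp-directory markers are assumptions.

```python
import ntpath
import re

# Assumed markers for temporary locations, matched case-insensitively against the autostart path.
TEMP_DIR_MARKERS = ("%temp%", "%tmp%", "\\temp\\", "\\tmp\\", "\\local settings\\temp\\",
                    "\\appdata\\local\\temp\\")
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif)$", re.IGNORECASE)

# Constructed sample of (value name, command) pairs as one would read them from a Run key export.
# The third entry uses the path quoted in the post; the others are made-up benign and bad examples.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("system", r"%Temp%\system.ex"),
    ("updater", r'"C:\Users\alice\AppData\Local\Temp\svchost.exe"'),
]


def executable_from_command(command):
    """Extract the program path from a Run-key command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: take everything up to the first executable extension followed by a space or the end.
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_temp_path(path):
    """True when the path resolves into a temporary directory, by marker substring."""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in TEMP_DIR_MARKERS)


def audit_run_entries(entries):
    """Return (value_name, exe_path, reason) for every entry that looks like dropped-file persistence."""
    findings = []
    for name, command in entries:
        exe = executable_from_command(command)
        reasons = []
        if is_temp_path(exe):
            reasons.append("autostart points into a temporary directory")
        if not EXECUTABLE_EXT.search(ntpath.basename(exe)):
            reasons.append("autostart target lacks a normal executable extension")
        if reasons:
            findings.append((name, exe, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, exe, reason in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {exe} -> {reason}")
```

On a live system the same function would be fed the values under HKCU and HKLM ...\Windows\CurrentVersion\Run; the logic does not depend on how the entries are obtained, which is why the sample is a plain list.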

VirusTotal Permalink and MD5: 28c8d27cb9da210a5480618a57788dde.

Rustock is back online, spam levels rise again

UPDATE, Nov 27th: One of the new CnC servers, ‘sdx3Fs5B.info’, was resolving to 72.233.114.74 at LayeredTech. FireEye sent an abuse notification to LayeredTech when the CnC servers went online, and LayeredTech has since taken the server down.

—————-

Yesterday, Nov 24, 2008, I noticed a sudden rise in spam. When checking some samples I found that the ‘Canadian Pharmacy’ spam is back and some new image-based spam campaigns have been launched.

But the ‘Canadian Pharmacy’ spam is where we should focus. These spam campaigns are being sent by Rustock, so the conclusion is that these guys are back online and in business.

With subjects like Obama.s new plan, Food crisis in California or Bush.s last words they try to get their email opened so that the ‘Canadian Pharmacy’ advertisement is seen. URLs like hxxp://alsi.kugusup.cn or hxxp://ppbka.kugusup.cn redirect you to hxxp://beautythrow.com/, where the Canadian Pharmacy web site is hosted.

While looking for more information on whether Rustock is back, I found that the company FireEye Security has posted more details on their blog.

As expected, the bot admins learned from the shutdown of McColo. They can now simply change DNS records to make sure that their command and control server can still be reached.

The new Rustock spam campaign is already having an impact on spam levels. The image below is the graph for one of my domains; you can see the spam level drop when McColo was taken down. The red line is the global spam level.

We have a peak during the weekend, due to the absence of business emails, and a global spam level between 75% and 85% during the week. Yesterday we had a spam level of 89,4% and at the time of writing this article we are back at 93%. You can see the graph going up again after the re-activation of the Rustock C&C servers.
