Western Union Service emails contain Bredolab


After a relatively low level of virus detection for more than a week, MX Lab started to intercept a new Bredolab outbreak in emails regarding a Western Union money transfer. The malware is detected as Bredolab.gen.a (McAfee), TrojanDownloader:Win32/Bredolab.X (Microsoft), Mal/Krap-B (Sophos) or Trojan.Bredolab!gen3 (Symantec).

The spoofed From address is of the form Manager Ginger Patrick <customer@westernunion.com>, where the name of the person is random.

The email has one of the following subjects:

Western Union Service. Please get your money. Order NR.4560
Western Union Service. You can receive money transfer. Order NR.5606
Western Union Service. You should receive money transfer. Order NR.0743
Western Union Service. Your money transfer details!. Order NR.4560
Western Union Service. You need to get money! Order NR.5606
Western Union Service. MTCN Details. Order NR.3365

The order numbers change with each email and are chosen randomly.

The body of the email:

Dear customer.

The amount of money transfer: 4675 USD.
Money is available to withdrawl.

You may find the Money Transfer Control Number and receiver’s details in document attached to this email.

Western Union.
Financial Services.

The email contains the attachment WU_Details_db6ec.zip with the executable WU_Details_db6ec.exe in the archive.

VirusTotal permalink and MD5: 0307d603cef4c524c3b05417387dfdec

Emails regarding updating your mailbox lead to the malware flashinstaller.exe


MX Lab intercepts emails with an embedded URL that leads to a web site showing the notice “You don’t have the latest version of Macromedia Flash Player.” and offering the file flashinstaller.exe for download. The file itself is malware and is detected as Win32:Zbot-MGA (Avast), W32/Bifrost.C.gen!Eldorado (F-Prot), PWS-Zbot.gen.v (McAfee) or PWS:Win32/Zbot.gen!R (Microsoft).

Possible subjects are (where * stands for characters of the email address or domain name):

dear owner of ****@*****.com
for ****.com email service user
for ****@****.com email service user
please update your ****@****.com mailbox

The content of the body:

Dear owner of the ****@****.com mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:

hxxp://accounts.****.com.verzzg.org.uk/webmail/settings/noflash.php?mode=standart&id=591741907__***lotsofnumbershere***__827&email=****@****.com

This is a screenshot of such a site:

What we notice, and it is a bit hilarious, as if the author has been on Mars for quite some time, is the use of the company name Macromedia. As we all know by now, Macromedia has been taken over by Adobe and the brand name Macromedia isn’t used anymore.

Anyway, the URL leads to the 124 kB file named flashinstaller.exe. The malware has the characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components and provides the attacker with remote access to the compromised system.

The system file %System%\sdra64.exe is created, along with the hidden directory %System%\lowsec and the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds.

New memory pages are created in the address space of the system processes %System%\services.exe, %System%\lsass.exe, %System%\svchost.exe and %ProgramFiles%\internet explorer\iexplore.exe, in combination with Windows registry edits.

A connection to the remote host 193.104.27.42 on port 80 is established and the following URLs are requested:

* http://193.104.27.42/livs/rec.php
* http://193.104.27.42/lcc/ip2.gif
* http://193.104.27.42/ip.php

VirusTotal permalink and MD5: f6a5c4ceed2c45268b083488faecb10a.

Twitter accounts abused by spammers


MX Lab detected a spam campaign where Twitter is being abused by spammers to promote online drug stores.

The campaign is sent from random spoofed email addresses and uses subjects like:

7U1 An amazing selection of brand name medications, all for incredibly low prices!
2F9 Looking for Hytrin? 7N8
6W3 Looking for Abilify?
5Z2 Looking for Fosamax?
4G5 Do you suffer from male impotence? Order Viagra online today 8I7
5Y5 Do you have a urinary blockage?

Some samples of the body:

hxxp://twitter.com/oscaresquire/status/5804523982

All Medications are Always 100% Safe Legal
Our store is Verified, Trusted Licensed
Guaranteed LowPrices – up to 85% Off

! G6Y3

* P h 3nt_ er mI.ne 37.5
* S0 .m@
* X@ /\/ a .X
* R1 .T@ L in
* C 0 d1n3
* V /\ L 1Um
* KL 0 N_0.p in
* AMB1en
* Ci..@ _Lis
* V| @ g.R @

http://www.twitter.com/dweepadvani/status/5790731913
This message was sent to 96190

And another one:

site that pharmacies and big companies don’t want you to know about!
Vicodin ES Online, Hyrdrocodone, Lortab…

hxxp://twitter.com/itaiba/status/5803131461

They all have in common a URL that points to a Twitter account. The format is http://twitter.com/***/status/*** where *** stands for random characters.
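To turn the patterns above into a filter check, here is an added example (not MX Lab's code) that extracts the twitter.com/.../status/... redirect links from a message body and collapses the spaced, punctuated and leet-obfuscated product names back to plain words before matching them against a word list. The word list, the leet and glyph tables, the fuzzy-match cutoff and the sample body assembled from the quotes above are all assumptions of this example:

```python
import re
from difflib import get_close_matches

# Word list for the check. This is an assumption of this example (a production
# filter would use a maintained list); the names are taken from the samples.
DRUG_NAMES = ["viagra", "cialis", "xanax", "valium", "ambien", "soma", "ritalin",
              "phentermine", "klonopin", "codeine", "vicodin", "hydrocodone", "lortab"]

# ASCII-art letters seen in the samples; the three-character "/\/" must be
# replaced before the two-character "/\".
GLYPHS = [("/\\/", "n"), ("/\\", "a")]

# One-character leet substitutions, applied after lowercasing.
LEET = str.maketrans({"@": "a", "|": "i", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s"})

SEPARATORS = re.compile(r"[._,\-]+")
TWITTER_STATUS = re.compile(r"https?://(?:www\.)?twitter\.com/\w+/status/\d+")


def refang(text):
    """Turn the defanged hxxp:// scheme used in the post back into http://."""
    return re.sub(r"hxxp(s?)://", r"http\1://", text)


def normalize_token(text):
    """Collapse spacing, ASCII-art glyphs, separators and leet characters."""
    text = re.sub(r"\s+", "", text)
    for glyph, letter in GLYPHS:
        text = text.replace(glyph, letter)
    text = SEPARATORS.sub("", text)
    return text.lower().translate(LEET)


def match_drug_names(text):
    """Names found in the normalized text; short tokens also get a fuzzy
    match so that a misspelling such as 'c0d1n3' still maps to 'codeine'."""
    norm = normalize_token(text)
    hits = [name for name in DRUG_NAMES if name in norm]
    if not hits and len(norm) <= 16:
        hits = get_close_matches(norm, DRUG_NAMES, n=1, cutoff=0.8)
    return hits


def analyze_spam(body):
    """Return the Twitter redirect URLs and the (line, name) hits in a body."""
    urls = TWITTER_STATUS.findall(refang(body))
    hits = []
    for line in body.splitlines():
        line = line.strip().lstrip("*•").strip()
        if not line or "://" in line:
            continue
        for name in match_drug_names(line):
            hits.append((line, name))
    return {"urls": urls, "hits": hits}


# Constructed sample body assembled from the three samples quoted in the post.
SAMPLE_BODY = r"""
hxxp://twitter.com/oscaresquire/status/5804523982

All Medications are Always 100% Safe Legal
Our store is Verified, Trusted Licensed
Guaranteed LowPrices - up to 85% Off

! G6Y3

* P h 3nt_ er mI.ne 37.5
* S0 .m@
* X@ /\/ a .X
* R1 .T@ L in
* C 0 d1n3
* V /\ L 1Um
* KL 0 N_0.p in
* AMB1en
* Ci..@ _Lis
* V| @ g.R @

http://www.twitter.com/dweepadvani/status/5790731913
This message was sent to 96190

site that pharmacies and big companies don't want you to know about!
Vicodin ES Online, Hyrdrocodone, Lortab...

hxxp://twitter.com/itaiba/status/5803131461
"""

if __name__ == "__main__":
    result = analyze_spam(SAMPLE_BODY)
    for url in result["urls"]:
        print("redirect:", url)
    for line, name in result["hits"]:
        print(f"{line!r} -> {name}")
```

The fuzzy fallback is limited to short tokens on purpose: a whole sentence run together would otherwise drift close to nothing useful, while a single obfuscated product name is exactly where a one-letter slip (“codine”) should still count.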

Some examples of such Twitter accounts that direct you to the online pharmacy:

The med4udirect.com shop looks like this:

The domain appears to be registered in China.

DomainName : MEDS4UDIRECT.COM

RSP: China Springboard Inc.
URL: http://www.namerich.cn

Name Server :NS3.BERTOSNS.COM
Name Server :NS5.LOVELYSNB34.COM
Name Server :NS1.HDNSSTUFF.COM
Name Server :NS6.LOVELYSNB34.COM
Name Server :NS2.HDNSSTUFF.COM
Name Server :NS4.BERTOSNS.COM
Status :clientTransferProhibited
Status :clientDeleteProhibited
Creation  Date :2009-09-26
Expiration Date :2010-09-26
Last Update  Date :2009-11-11

Registrant ID :V-X-63521-21717
Registrant Name :LU TAO
Registrant Organization :LU TAO
Registrant Address :JIEFANGLU251
Registrant City :ShangHai
Registrant Province/State :ShangHai
Registrant Country Code :CN
Registrant Postal Code :200126
Registrant Phone Number :+86.0217415426
Registrant Fax :+86.0217415426
Registrant Email :djsnhe@163.com

Administrative ID :V-X-63521-21717
Administrative Name :LU TAO
Administrative Organization :LU TAO
Administrative Address :JIEFANGLU251
Administrative City :ShangHai
Administrative Province/State :ShangHai
Administrative Country Code :CN
Administrative Postal Code :200126
Administrative Phone Number :+86.0217415426
Administrative Fax :+86.0217415426
Administrative Email :djsnhe@163.com

Billing ID :V-X-63521-21717
Billing Name :LU TAO
Billing Organization :LU TAO
Billing Address :JIEFANGLU251
Billing City :ShangHai
Billing Province/State :ShangHai
Billing Country Code :CN
Billing Postal Code :200126
Billing Phone Number :+86.0217415426
Billing Fax :+86.0217415426
Billing Email :djsnhe@163.com

Technical ID :V-X-63521-21717
Technical Name :LU TAO
Technical Organization :LU TAO
Technical Address :JIEFANGLU251
Technical City :ShangHai
Technical Province/State :ShangHai
Technical Country Code :CN
Technical Postal Code :200126
Technical Phone Number :+86.0217415426
Technical Fax :+86.0217415426
Technical Email :djsnhe@163.com

New Sasfis trojan in the wild


Between October 27 and November 9, 2009, MX Lab noticed a large number of viruses. Bredolab, distributed by the Cutwail botnet, was responsible for the majority of viruses during this period. After a few days of low virus detection we see new peaks again with different virus campaigns.

The messages contain the trojan detected as Win32:Trojan-gen (Avast), Trojan.Sasfis.C (BitDefender), Trojan:W32/Sasfis.H (F-Secure), Trojan:Win32/Oficla.E (Microsoft) or Mal/EncPk-LP (Sophos).

“your mailbox has been deactivated”

Subject: “your mailbox has been deactivated”

The content of the email:

We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, *****.org technical support.

The ending of the email is designed to make it appear to come from your local IT department. For a small business without an IT department this is obviously a reason not to trust the email.

The attached file is named utility.zip and contains the 20 kB file utility.exe.

payment request from “United Technologies”*

The second variant concerns a payment that you supposedly made. To respond to it and to avoid further processing of the payment, you are told to use the attachment.

Possible subjects:

payment request from “United Technologies”
payment request from “NetApp”
payment request from “CitiGroup”
payment request from “Adobe Systems Inc”
payment request from “Rusell Investment Group”
…..

Body of the email:

We recorded a payment request from “United Technologies” to enable the charge of $5212.39 on your account.

The payment is pending for the moment.

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as “United Technologies”.

If you didn’t make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).

The attached file is named module.zip and contains the file module.exe.

When executed, the Sasfis trojan runs in the background and can download and install additional malware.

The files %Temp%\1.tmp and %System%\wdni.buo are created on an infected system and several Windows registry modifications are executed.

The trojan can connect to the host 193.104.27.91 and request the following URLs:

  • hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=4316315581
  • hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=4316315581
  • hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=4&b=4316315581

VirusTotal permalink and MD5: eec53e2239800e5d85b6b85d5e2451cb.

MySpace subject to phishing campaign


Social networks are often subject to phishing and today MySpace is the target. MX Lab intercepted some messages from MySpace <message-*********@message.myspace.com>, where * stands for a random combination of letters and numbers. The From address is obviously spoofed.

The body of the email:

Dear MySpace user!

Please be informed that you are required to update your MySpace account.

Please update your MySpace account by clicking here:

hxxp://accounts.myspace.com.iuuuujef.co.uk/msp/index.php?fuseaction=update&code=5A3TCE-JA3T2OSOJ1-AT2LKB0WNLB0-SMSWSGFPGEL97-0JHN4840QT&email=****@*******.co.uk

If you’re unable to click on the link above, copy and paste it into your browser’s address bar.

————————-

At MySpace we care about your privacy. This email is never sent unsolicited.

If you think you’ve received this email in error, or if you have any questions or concerns regarding your privacy, please contact us at:

privacy@myspace.com

MySpace, Inc.
8391 Beverly Blvd. #349
Los Angeles, CA 90048
USA

©2003-2009 MySpace.com. All Rights Reserved.
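Both this MySpace link and the accounts.****.com.verzzg.org.uk link in the mailbox phish above use the same trick: the brand's domain is placed in a subdomain so that the part a reader sees first looks right, while the registrable domain (iuuuujef.co.uk, verzzg.org.uk) belongs to the phisher. The following added example (not MX Lab's code) extracts the registrable domain with a small public-suffix table and reports whether a link is the brand itself, a lookalike or unrelated. The suffix table, the list of brand domains and the use of example.com in place of the masked ****.com are assumptions of this example:

```python
from urllib.parse import urlsplit

# Public-suffix table for this example; an assumption standing in for the full
# list at publicsuffix.org, limited to the suffixes that occur in the two posts.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "org.uk"}

# Brand domains the check knows about (assumption of this example; example.com
# stands in for the masked ****.com of the mailbox phish).
BRAND_DOMAINS = ["myspace.com", "westernunion.com", "paypal.com", "example.com"]


def refang(url):
    """Turn the defanged hxxp:// scheme used in the posts back into http://."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def registrable_domain(host):
    """Return the registrable part of host (one label left of the longest
    matching public suffix), or None when host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels) in PUBLIC_SUFFIXES:
        return None
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def contains_sequence(labels, wanted):
    """True when the label list `wanted` appears contiguously in `labels`."""
    n = len(wanted)
    return any(labels[i:i + n] == wanted for i in range(len(labels) - n + 1))


def classify_link(url):
    """Decide whether a link's host is a known brand domain itself, a lookalike
    that embeds the brand in its subdomains, or unrelated to any known brand."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    labels = host.split(".")
    reg = registrable_domain(host)
    result = {"host": host, "registrable": reg, "verdict": "unrelated", "brand": None}
    for brand in BRAND_DOMAINS:
        if reg == brand:
            # The registrable domain is the brand's own: nothing to flag.
            return dict(result, verdict="legitimate", brand=brand)
        brand_labels = brand.split(".")
        if contains_sequence(labels, brand_labels) or brand_labels[0] in labels:
            result.update(verdict="lookalike", brand=brand)
    return result


if __name__ == "__main__":
    for link in [
        "hxxp://accounts.myspace.com.iuuuujef.co.uk/msp/index.php?fuseaction=update",
        "https://accounts.myspace.com/login",
        # constructed from the masked URL in the mailbox phish, ****.com -> example.com
        "http://accounts.example.com.verzzg.org.uk/webmail/settings/noflash.php?mode=standart",
        "http://mail.dandlequipment.com/",
    ]:
        r = classify_link(link)
        print(f"{r['verdict']:<10} {r['registrable']!s:<22} {r['host']}")
```

The check deliberately keys on the registrable domain rather than on the first labels: a filter that only looks at the beginning of the host name sees “accounts.myspace.com” and waves the link through, which is precisely what the phisher counts on.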

The domains included are fast-flux domains to avoid Intent Analysis. The domain in this case is registered with the following details:

Domain name:

         iuuuujef.co.uk

     Registrant:
         Joe Tentpeg

     Registrant type:
         Non-UK Individual

     Registrant's address:
         5556 Butt hole Court
         Bum diddle
         66545
         Belgium

     Registrar:
         Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
         URL: http://www.123-reg.co.uk

     Relevant dates:
         Registered on: 09-Nov-2009
         Renewal date:  09-Nov-2011
         Last updated:  10-Nov-2009

     Registration status:
         Registration request being processed.

     Name servers:
         No name servers listed.

     WHOIS lookup made at 11:19:48 10-Nov-2009

When we performed WHOIS lookups for other domains involved we noticed some irregularities. The registrant name is different each time but the address doesn’t fit at all. The postal code doesn’t match the country, because postal codes in Belgium consist of 4 digits. We can assume that the registrant used different details for each registration in order to avoid detection by the registrar.
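The two checks described above, a postal code that does not fit the country and a domain registered the day before it was used, can be automated against the registry output. This added example (not MX Lab's code) parses the .uk WHOIS layout quoted above and reports both. The postal-code table beyond Belgium, the 30-day age threshold and the handling of the lookup timestamp are assumptions of this example; the record is the one quoted above:

```python
import re
from datetime import datetime

# Postal-code formats known to the check. The post states only that Belgian
# codes have four digits; the other entries are assumptions made for this example.
POSTAL_FORMATS = {
    "belgium": re.compile(r"^\d{4}$"),
    "united kingdom": re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$", re.I),
    "united states": re.compile(r"^\d{5}(?:-\d{4})?$"),
    "china": re.compile(r"^\d{6}$"),
}
DATE = re.compile(r"\d{2}-[A-Za-z]{3}-\d{4}")
YOUNG_DOMAIN_DAYS = 30  # assumed threshold for "registered just before use"


def parse_uk_whois(text):
    """Parse the 'Label:' + indented-lines layout of the .uk registry output
    quoted in the post into {label: [lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("WHOIS lookup made at"):
            sections["lookup"] = [line]
        elif line.endswith(":"):
            current = line[:-1].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def audit_whois(text):
    """Flag a postal code that does not fit the stated country and a domain
    registered only days before the lookup."""
    sec = parse_uk_whois(text)
    findings = []
    address = sec.get("registrant's address", [])
    if len(address) >= 2:
        # Last two address lines of this layout are postal code and country.
        postal, country = address[-2], address[-1]
        fmt = POSTAL_FORMATS.get(country.lower())
        if fmt and not fmt.match(postal):
            findings.append(f"postal code {postal!r} does not fit the format used in {country}")
    registered = re.search(r"Registered on:\s*(%s)" % DATE.pattern,
                           " ".join(sec.get("relevant dates", [])))
    lookup = DATE.search(sec.get("lookup", [""])[0])
    age_days = None
    if registered and lookup:
        age_days = (datetime.strptime(lookup.group(), "%d-%b-%Y")
                    - datetime.strptime(registered.group(1), "%d-%b-%Y")).days
        if age_days < YOUNG_DOMAIN_DAYS:
            findings.append(f"domain was only {age_days} day(s) old at lookup time")
    return {"domain": sec.get("domain name", [""])[0],
            "registrant": sec.get("registrant", [""])[0],
            "age_days": age_days, "findings": findings}


# The record quoted in the post.
SAMPLE_WHOIS = """
Domain name:
    iuuuujef.co.uk

Registrant:
    Joe Tentpeg

Registrant type:
    Non-UK Individual

Registrant's address:
    5556 Butt hole Court
    Bum diddle
    66545
    Belgium

Registrar:
    Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
    URL: http://www.123-reg.co.uk

Relevant dates:
    Registered on: 09-Nov-2009
    Renewal date:  09-Nov-2011
    Last updated:  10-Nov-2009

Registration status:
    Registration request being processed.

Name servers:
    No name servers listed.

WHOIS lookup made at 11:19:48 10-Nov-2009
"""

if __name__ == "__main__":
    report = audit_whois(SAMPLE_WHOIS)
    print(report["domain"], report["registrant"], report["age_days"])
    for finding in report["findings"]:
        print("-", finding)
```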

DHL Tracking Number 3YMH6JJY contains trojan


MX Lab intercepted a large amount of emails with the subject “DHL Tracking Number 3YMH6JJY” containing the trojan detected as TrojanDownloader:Win32/Cutwail.gen!C (Microsoft), Trojan.Kobka.E (GData), SHeur2.BQSN (AVG) or Troj/Agent-LQA (Sophos).

The contents of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.

You may pickup the parcel at our post office personaly.

The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Thank you for attention.
DHL Express Services.

The attachment is named 3YMH6JJY.zip and contains the 56 kB file 3YMH6JJY.exe. The threat has the characteristics of ZBot, a trojan that disables the firewall, steals sensitive financial data, takes screen snapshots, downloads additional components and provides the attacker with remote access to the compromised system. The trojan can communicate with a remote SMTP server to send out emails.

The following files are being created:

c:\2.tmp
c:\6.tmp
%AppData%\wiaservg.log
%Temp%\2515696084.exe
%Temp%\b2jp5k.exe
%Temp%\debug.exe
%Temp%\services.exe
%Temp%\svchost.exe
%Temp%\taskmgr.exe
%Temp%\win32.exe
%Temp%\winamp.exe
%Temp%\g260h.exe
%Temp%\habnf88jkefh87ifiks.tmp
%Temp%\jisfije9fjoiee.tmp
%Temp%\ogxyx.exe
%Temp%\pskfo83wijf89uwuhal8.tmp
%UserProfile%\reader_s.exe
%System%\reader_s.exe
%System%\dllcache\ndis.sys
%System%\ntos.exe
%System%\p2hhr.bat
%System%\wbem\grpconv.exe
%System%\wbem\Performance\WmiApRpl_new.ini
%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll
%System%\z7v89qurrt.dll

The following file was deleted: %System%\grpconv.exe.
The following file was modified: %System%\drivers\ndis.sys.
The following directory was created: %System%\wsnpoem.

The following processes are created:

%System%\reader_s.exe
%UserProfile%\reader_s.exe
%Temp%\g260h.exe
%Temp%\winamp.exe
%Temp%\services.exe
%Temp%\svchost.exe
%Temp%\ogxyx.exe

A new memory page is created in the address space of the system process %System%\svchost.exe.
The module %System%\z7v89qurrt.dll is loaded into the address space of another process, IEXPLORE.EXE.

Connections to remote hosts:

12.191.105.50 port 25
12.49.129.230 port 25
207.58.165.84 port 25
209.128.32.160 port 25
209.181.247.105 port 25
209.85.135.27 port 25
216.130.106.200 port 25
24.106.49.86 port 25
62.72.96.41 port 25
64.183.119.211 port 25
72.9.145.85 port 80
94.75.207.170 port 80
94.75.228.136 port 80
78.159.121.41 port 38811

The following URLs are requested from the remote web server:

* hxxp://www.panel911.com/traffic/in.cgi?google2
* hxxp://virtualmits.com/ndw/vp1.php?id=1CA619795E68E12&ver=v10&er=S_wd_rd_we_re_
* hxxp://virtualmits.com/ndw/ndw.php?id=1CA619795E68E12&ver=v10&er=S_wd_rd_we_re_
* hxxp://virtualmits.com/ndw/ndw.php?id=1CA619795E68E12&ver=v12
* hxxp://virtualmits.com/ndw/ndw.php?id=1-1CA6197986CAB58&ver=v12
* hxxp://1job1.cn/us4/error
* hxxp://1job1.cn/us4/us4.php?1=computername_0001e9af&i=
* hxxp://1job1.cn/l/controller.php?action=bot&entity_list=&uid=3&first=1&guid=13441600&v=15&rnd=6293712
* hxxp://1job1.cn/us4/us4.php?2=computername_0001e9af&n=1&v=16778496&i=&s=0&sp=0&lcp=0&pr=0
* hxxp://1job1.cn/l/controller.php?action=report&guid=0&rnd=6293712&uid=3&entity=1257509694:unique_start
* hxxp://1job1.cn/l2/2.php
* hxxp://1job1.cn/l2/1.php
* hxxp://1job1.cn/us4/us4.exe
* hxxp://1job1.cn/x.exe
* hxxp://1job1.cn/l2/stat.php

SMTP traffic will be generated from the following email addresses:

  • <undersellsgq0@royaldevice.com>
  • <blackballedvm6@rotaerota.com>
  • <reciprocallydo@roispy.com>
  • <frankingoc6485@rmservicing.com>
  • <rackn84@rmanet.com>
  • <wrongdoinglq@rhgmarketing.com>
  • <kazooo@roxcel-usa.com>
  • <ladybirdwtz01@restaurantesol.com>
  • <pleadyl76@rotodiff.com>
  • <deflectorsoj@ramcaterers.com>
  • <demolishedlx@robinson-pilaw.com>
  • <foreordainingg7@rcalum.com>
  • <dismisseseic2@rosenfeldlaw.com>
  • <epitomizezm2@roldeco.com>
  • <dashinglyl8@regenesis-rehab.com>
  • <tattyttg74@rocorpn.com>

VirusTotal permalink and MD5: 08ba612f05b0433a4a5ca2df4da38deb.

PayPal phishing in attachments


Yesterday MX Lab reported on a phishing email that has no URL but instead an attached HTML document with a web form. Since then we have seen more similar cases, and PayPal is also subject to this technique. The sender’s address shows “www.paypal.com” <service@paypal.com> but this is spoofed. The email was sent from 69.128.90.226, an IP address in the US pointing to mail.dandlequipment.com.

The body of the email:

To make sure everything is in order,please download the PayPal Security Account Verification and fill in all the required data for verfication.

The actual web page:

The web form makes a POST to hxxp://0xD5.0xC3.0xDF.0xA9/paypalverification.php/.
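The POST target is written with hexadecimal octets (0xD5.0xC3.0xDF.0xA9), a form that inet_aton-style parsers and browsers accept but that a naive string match against a dotted-decimal blocklist never sees. This added example (not MX Lab's code) parses a message, pulls the form action out of every HTML part including attachments, rewrites hex, octal and single-integer IP literals to dotted-decimal, and compares the target host with the From: domain. The constructed sample message, its boundary string and the port handling are assumptions of this example:

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def refang(url):
    """Turn the defanged hxxp:// scheme used in the post back into http://."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def parse_octet(part):
    """Read one dotted component the way inet_aton does: 0x.. is hex,
    a leading zero means octal, anything else is decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def normalize_ip_literal(host):
    """Dotted-decimal form of a numeric IPv4 literal written with hex, octal
    or decimal octets, or as a single 32-bit integer; None for anything else."""
    parts = host.split(".")
    try:
        if len(parts) == 1:
            n = parse_octet(parts[0])
            if 0 <= n <= 0xFFFFFFFF:
                return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
        elif len(parts) == 4:
            octets = [parse_octet(p) for p in parts]
            if all(0 <= o <= 255 for o in octets):
                return ".".join(map(str, octets))
    except ValueError:
        pass
    return None


def normalize_url(url):
    """Rewrite an obfuscated IP host into dotted-decimal; other URLs pass through."""
    parts = urlsplit(refang(url))
    ip = normalize_ip_literal(parts.hostname or "")
    if ip is None:
        return url
    netloc = ip if parts.port is None else f"{ip}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


class FormActions(HTMLParser):
    """Collect the action attribute of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions += [v for k, v in attrs if k.lower() == "action" and v]


def form_targets_in_message(raw_message):
    """For every HTML part (body or attachment) report where its forms post,
    with the host de-obfuscated and compared against the From: domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["from"].addresses[0].domain.lower() if msg["from"] else ""
    forms = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = FormActions()
        parser.feed(part.get_content())
        for action in parser.actions:
            normalized = normalize_url(action)
            host = (urlsplit(normalized).hostname or "").lower()
            forms.append({
                "attachment": part.get_content_disposition() == "attachment",
                "action": action,
                "normalized": normalized,
                "host": host,
                "matches_sender": bool(sender) and (host == sender or host.endswith("." + sender)),
            })
    return {"sender_domain": sender, "forms": forms}


# Constructed sample message modelled on the one described in the post.
SAMPLE_EML = """\
From: "www.paypal.com" <service@paypal.com>
To: customer@example.net
Subject: PayPal Security Account Verification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/html; charset="us-ascii"
Content-Disposition: attachment; filename="PayPal_Verification.html"

<html><body>
<form method="post" action="http://0xD5.0xC3.0xDF.0xA9/paypalverification.php/">
<input name="email"><input name="password" type="password">
<input type="submit" value="Verify">
</form></body></html>

--boundary42--
"""

if __name__ == "__main__":
    for form in form_targets_in_message(SAMPLE_EML)["forms"]:
        print(form["attachment"], form["normalized"], form["matches_sender"])
```

A form that posts somewhere other than the sender's own domain is the signal to act on; whether the target is spelled in hex, octal or as one big integer is just noise the normalisation removes first.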
