Emails Western Union Service contains Bredolab


After more than a week of relatively low virus detection, MX Lab started to intercept a new Bredolab outbreak in emails regarding a Western Union money transfer. The malware is named Bredolab.gen.a (McAfee), TrojanDownloader:Win32/Bredolab.X (Microsoft), Mal/Krap-B (Sophos) or Trojan.Bredolab!gen3 (Symantec).

The spoofed From address has the form Manager Ginger Patrick <customer@westernunion.com>, where the name of the person is random.

The email has the subject:

Western Union Service. Please get your money. Order NR.4560
Western Union Service. You can receive money transfer. Order NR.5606
Western Union Service. You should receive money transfer. Order NR.0743
Western Union Service. Your money transfer details!. Order NR.4560
Western Union Service. You need to get money! Order NR.5606
Western Union Service. MTCN Details. Order NR.3365

The order numbers change with each email and are chosen randomly.

The body of the email:

Dear customer.

The amount of money transfer: 4675 USD.
Money is available to withdrawl.

You may find the Money Transfer Control Number and receiver’s details in document attached to this email.

Western Union.
Financial Services.

The email contains the attachment WU_Details_db6ec.zip, with the executable WU_Details_db6ec.exe inside the archive.

Virus Total permalink and MD5: 0307d603cef4c524c3b05417387dfdec

Emails regarding updating your mailbox lead to the malware flashinstaller.exe


MX Lab intercepts emails with an embedded URL that leads to a web site showing the notice "You don't have the latest version of Macromedia Flash Player." and offering the file flashinstaller.exe for download. The file itself is malware and goes by the names Win32:Zbot-MGA (Avast), W32/Bifrost.C.gen!Eldorado (F-Prot), PWS-Zbot.gen.v (McAfee) or PWS:Win32/Zbot.gen!R (Microsoft).

Possible subjects are (where * stands for characters of the email address or domain name):

dear owner of ****@*****.com
for ****.com email service user
for ****@****.com email service user
please update your ****@****.com mailbox

The content of the body:

Dear owner of the ****@****.com mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:

hxxp://accounts.****.com.verzzg.org.uk/webmail/settings/noflash.php?mode=standart&id=591741907__***lotsofnumbershere***__827&email=****@****.com

This is a screenshot of such a site:

What we notice, and it is a bit hilarious and suggests the author has been on Mars for quite some time, is the use of the company name Macromedia. As we all know by now, Macromedia has been taken over by Adobe and the Macromedia brand name is no longer used.

Anyway, the URL leads to the 124 kB file named flashinstaller.exe. The malware has the characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system.

The system file %System%\sdra64.exe is created, along with the hidden directory %System%\lowsec and the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds.

New memory pages are created in the address space of the system processes %System%\services.exe, %System%\lsass.exe, %System%\svchost.exe and %ProgramFiles%\internet explorer\iexplore.exe, in combination with Windows registry edits.

A connection to the remote host 193.104.27.42 on port 80 is established and the following URLs are requested:

* http://193.104.27.42/livs/rec.php
* http://193.104.27.42/lcc/ip2.gif
* http://193.104.27.42/ip.php

Virus Total permalink and MD5: f6a5c4ceed2c45268b083488faecb10a.

Twitter accounts abused by spammers


MX Lab detected a spam campaign where Twitter is being abused by spammers to promote online drug stores.

The campaign is sent from random spoofed email addresses and uses subjects like:

7U1 An amazing selection of brand name medications, all for incredibly low prices!
2F9 Looking for Hytrin? 7N8
6W3 Looking for Abilify?
5Z2 Looking for Fosamax?
4G5 Do you suffer from male impotence? Order Viagra online today 8I7
5Y5 Do you have a urinary blockage?

Some samples of the body:

hxxp://twitter.com/oscaresquire/status/5804523982

All Medications are Always 100% Safe Legal
Our store is Verified, Trusted Licensed
Guaranteed LowPrices – up to 85% Off

! G6Y3

* P h 3nt_ er mI.ne 37.5
* S0 .m@
* X@ /\/ a .X
* R1 .T@ L in
* C 0 d1n3
* V /\ L 1Um
* KL 0 N_0.p in
* AMB1en
* Ci..@ _Lis
* V| @ g.R @

http://www.twitter.com/dweepadvani/status/5790731913
This message was sent to 96190

And another one:

site that pharmacies and big companies don’t want you to know about!
Vicodin ES Online, Hyrdrocodone, Lortab…

hxxp://twitter.com/itaiba/status/5803131461

They all have in common a URL that points to a Twitter account. The format is http://twitter.com/***/status/***, where *** stands for random characters.

Some examples of such a Twitter account that directs you to the online pharmacy:

The med4udirect.com shop looks like this:

The domain appears to be registered in China.

Domain Name: MEDS4UDIRECT.COM

RSP: China Springboard Inc.
URL: http://www.namerich.cn

Name Server :NS3.BERTOSNS.COM
Name Server :NS5.LOVELYSNB34.COM
Name Server :NS1.HDNSSTUFF.COM
Name Server :NS6.LOVELYSNB34.COM
Name Server :NS2.HDNSSTUFF.COM
Name Server :NS4.BERTOSNS.COM
Status :clientTransferProhibited
Status :clientDeleteProhibited
Creation  Date :2009-09-26
Expiration Date :2010-09-26
Last Update  Date :2009-11-11

Registrant ID :V-X-63521-21717
Registrant Name :LU TAO
Registrant Organization :LU TAO
Registrant Address :JIEFANGLU251
Registrant City :ShangHai
Registrant Province/State :ShangHai
Registrant Country Code :CN
Registrant Postal Code :200126
Registrant Phone Number :+86.0217415426
Registrant Fax :+86.0217415426
Registrant Email :djsnhe@163.com

New Sasfis trojan in the wild


Between October 27 and November 9th, 2009, MX Lab noticed a large amount of viruses. Bredolab, distributed by the Cutwail botnet, was responsible for the majority of viruses during this period. After a few days of low virus detection we see new peaks again, with different virus campaigns.

The messages contain the trojan Win32:Trojan-gen (Avast), Trojan.Sasfis.C (BitDefender), Trojan:W32/Sasfis.H (F-Secure), Trojan:Win32/Oficla.E (Microsoft) or Mal/EncPk-LP (Sophos).

“your mailbox has been deactivated”

Subject: “your mailbox has been deactivated”

The content of the email:

We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, *****.org technical support.

The ending of the email is designed to make it appear to come from your local IT department. For a small business without an IT department, this is obviously a reason not to trust the email.

The attached file is named utility.zip and contains the 20 kB file utility.exe.

payment request from “United Technologies”

The second variant concerns a payment that you supposedly made. To respond to it and to stop further processing of the payment, you are told to use the attachment.

Possible subjects:

payment request from “United Technologies”
payment request from “NetApp”
payment request from “CitiGroup”
payment request from “Adobe Systems Inc”
payment request from “Rusell Investment Group”
…

Body of the email:

We recorded a payment request from “United Technologies” to enable the charge of $5212.39 on your account.

The payment is pending for the moment.

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as “United Technologies”.

If you didn’t make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).

The attached file is named module.zip and contains the file module.exe.

The Sasfis trojan runs in the background and, once executed, can download and install additional malware.

The files %Temp%\1.tmp and %System%\wdni.buo are created on an infected system and several Windows registry modifications are made.

The trojan can connect to the host 193.104.27.91 and request the following URLs:

  • hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=4316315581
  • hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=4316315581
  • hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=4&b=4316315581

Virus Total permalink and MD5: eec53e2239800e5d85b6b85d5e2451cb.

MySpace subject to phishing campaign


Social networks are often subject to phishing and today MySpace is the target. MX Lab intercepted some messages from MySpace <message-*********@message.myspace.com>, where * stands for a random combination of letters and numbers. The From address is obviously spoofed.

The body of the email:

Dear MySpace user!

Please be informed that you are required to update your MySpace account.

Please update your MySpace account by clicking here:

hxxp://accounts.myspace.com.iuuuujef.co.uk/msp/index.php?fuseaction=update&code=5A3TCE-JA3T2OSOJ1-AT2LKB0WNLB0-SMSWSGFPGEL97-0JHN4840QT&email=****@*******.co.uk

If you’re unable to click on the link above, copy and paste it into your browser’s address bar.

————————-

At MySpace we care about your privacy. This email is never sent unsolicited.

If you think you’ve received this email in error, or if you have any questions or concerns regarding your privacy, please contact us at:

privacy@myspace.com

MySpace, Inc.
8391 Beverly Blvd. #349
Los Angeles, CA 90048
USA

©2003-2009 MySpace.com. All Rights Reserved.

The domains included are fast-flux domains, used to evade Intent Analysis. The domain in this case is registered with the following details:

Domain name:

         iuuuujef.co.uk

     Registrant:
         Joe Tentpeg

     Registrant type:
         Non-UK Individual

     Registrant's address:
         5556 Butt hole Court
         Bum diddle
         66545
         Belgium

     Registrar:
         Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
         URL: http://www.123-reg.co.uk

     Relevant dates:
         Registered on: 09-Nov-2009
         Renewal date:  09-Nov-2011
         Last updated:  10-Nov-2009

     Registration status:
         Registration request being processed.

     Name servers:
         No name servers listed.

     WHOIS lookup made at 11:19:48 10-Nov-2009

When we performed WHOIS lookups for the other domains involved we noticed some irregularities. The registrant name is different each time, but the address doesn't fit at all: the zip code doesn't match the country, because postal codes in Belgium consist of 4 digits. We can assume that the registrant used different details for each registration in order to avoid detection by the registrar.

DHL Tracking Number 3YMH6JJY contains trojan


MX Lab intercepted a large number of emails with the subject “DHL Tracking Number 3YMH6JJY” containing the trojan TrojanDownloader:Win32/Cutwail.gen!C (Microsoft), Trojan.Kobka.E (GData), SHeur2.BQSN (AVG) or Troj/Agent-LQA (Sophos).

The contents of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.

You may pickup the parcel at our post office personaly.

The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Thank you for attention.
DHL Express Services.

The attachment is named 3YMH6JJY.zip and contains the 56 kB file 3YMH6JJY.exe. The threat has the characteristics of ZBot, a trojan that disables the firewall, steals sensitive financial data, makes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system. The trojan can communicate with a remote SMTP server to send out emails.

The following files are created:

c:\2.tmp
c:\6.tmp
%AppData%\wiaservg.log
%Temp%\2515696084.exe
%Temp%\b2jp5k.exe
%Temp%\debug.exe
%Temp%\services.exe
%Temp%\svchost.exe
%Temp%\taskmgr.exe
%Temp%\win32.exe
%Temp%\winamp.exe
%Temp%\g260h.exe
%Temp%\habnf88jkefh87ifiks.tmp
%Temp%\jisfije9fjoiee.tmp
%Temp%\ogxyx.exe
%Temp%\pskfo83wijf89uwuhal8.tmp
%UserProfile%\reader_s.exe
%System%\reader_s.exe
%System%\dllcache\ndis.sys
%System%\ntos.exe
%System%\p2hhr.bat
%System%\wbem\grpconv.exe
%System%\wbem\Performance\WmiApRpl_new.ini
%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll
%System%\z7v89qurrt.dll

The following file was deleted: %System%\grpconv.exe.
The following file was modified: %System%\drivers\ndis.sys.
The following directory was created: %System%\wsnpoem.

The following processes are created:

%System%\reader_s.exe
%UserProfile%\reader_s.exe
%Temp%\g260h.exe
%Temp%\winamp.exe
%Temp%\services.exe
%Temp%\svchost.exe
%Temp%\ogxyx.exe

A new memory page is created in the address space of the system process %System%\svchost.exe.
The module %System%\z7v89qurrt.dll is loaded into the address space of another process, IEXPLORE.EXE.

Connections to remote hosts:


The following URLs are requested from the remote web server:


SMTP traffic is generated from the following email addresses:


Virus Total permalink and MD5: 08ba612f05b0433a4a5ca2df4da38deb.

PayPal phishing in attachments


Yesterday MX Lab reported on a phishing email that has no URL but instead an attached HTML document containing a web form. Since then we have seen more similar cases, and PayPal is also subject to this technique. The sender's address shows “www.paypal.com” <service@paypal.com>, but this is spoofed. The email was sent from 69.128.90.226, an IP address in the US pointing to mail.dandlequipment.com.

The body of the email:

To make sure everything is in order,please download the PayPal Security Account Verification and fill in all the required data for verfication.

The actual webpage:

The web form makes a POST to hxxp://0xD5.0xC3.0xDF.0xA9/paypalverification.php/, an IP address written with hexadecimal octets rather than a hostname.

Phish of Banca Agricola Popolare di Ragusa has no URL but is in an attachment


In almost every phishing email there is a URL leading to the phishing site, where you are asked for a login, password and other personal information. In the latest phish targeting Banca Agricola Popolare di Ragusa the URL is not inside the email; instead there is an attachment in HTML format. The goal of this trick is to evade filters that detect phishing based on Intent Analysis.

Contents of the email (translated from Italian):

Dear Customer,

A new statement document is available to you.
You can view it and save it to your PC within one year from today by visiting the “Estratto conto e documentazione” (Statements and documents) area of your Internet Services.
For assistance with the Internet Services you can call the toll-free number 800 010 257, free also from mobile phones.

Kind regards.
Banca Agricola Popolare di Ragusa


This is an automatic message.
To disable the service you can use the “Modifica abilitazioni” (Change permissions) function (Comunicazioni Estratto conto e documentazione).
Think about the environment before printing

Opening the novembre 2009.hml document gave the following screenshot in the browser.

The web form submits the details to hxxp://67.214.177.8/passo1.php and afterwards redirects you to the official login page of the bank.
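Both the PayPal and the Banca Agricola Popolare di Ragusa cases put the credential form in an HTML attachment whose action points at a bare IP address, in the PayPal case written with hexadecimal octets. As an added example (not code from MX Lab), the following Python scans the text/html parts of a message for forms that post to an IP literal, including hex, octal and single-integer spellings, or to a host outside the brand's domain; the sample message, the claimed domains and the regex-based form extraction are this example's own assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

FORM_ACTION = re.compile(r'<form\b[^>]*\baction\s*=\s*["\']?([^"\'\s>]+)', re.I)

def _octet(tok: str) -> int:
    # One address component written as hex (0xD5), octal (0325) or decimal (213).
    tok = tok.lower()
    if tok.startswith("0x"):
        return int(tok[2:], 16)
    if len(tok) > 1 and tok.startswith("0"):
        return int(tok, 8)
    return int(tok, 10)

def normalize_ip_host(host: str):
    # Dotted-decimal form if host is an IPv4 literal (plain, hex/octal octets or a
    # single 32-bit integer); None for ordinary hostnames such as www.paypal.com.
    parts = host.split(".")
    try:
        if len(parts) == 4:
            octets = [_octet(p) for p in parts]
        elif len(parts) == 1:
            n = _octet(parts[0])
            octets = [(n >> s) & 0xFF for s in (24, 16, 8, 0)] if 0 <= n < 2**32 else [256]
        else:
            return None
    except ValueError:
        return None
    return None if any(not 0 <= o <= 255 for o in octets) else ".".join(map(str, octets))

def suspicious_actions(html: str, claimed_domain: str):
    # Flag forms posting to an IP literal or to a host outside the claimed brand domain.
    findings = []
    for action in FORM_ACTION.findall(html):
        host = (urlsplit(action).hostname or "").lower()
        ip = normalize_ip_host(host)
        if ip:
            findings.append((action, "posts to IP literal " + ip))
        elif host and host != claimed_domain and not host.endswith("." + claimed_domain):
            findings.append((action, "posts to foreign host " + host))
    return findings

def scan_eml(raw: bytes, claimed_domain: str):
    # Check every text/html part (attached or inline) of an RFC 822 message.
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), action, why)
            for part in msg.walk() if part.get_content_type() == "text/html"
            for action, why in suspicious_actions(part.get_content(), claimed_domain)]

# Constructed sample modelled on the PayPal case above, not a real capture.
SAMPLE_EML = b"""From: "www.paypal.com" <service@paypal.com>
Subject: PayPal Security Account Verification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="verification.html"
Content-Disposition: attachment; filename="verification.html"

<html><body><form method="POST" action="http://0xD5.0xC3.0xDF.0xA9/paypalverification.php/">
<input name="card"><input name="pin" type="password"></form></body></html>
--b1--
"""
```

Calling scan_eml(SAMPLE_EML, "paypal.com") returns one finding for verification.html, with the hex host decoded to 213.195.223.169; a form whose action stays on a paypal.com host is not reported.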

Facebook updated account agreement email contains Sasfis trojan


Apparently the virus campaigns are far from over. MX Lab reported on this blog about the latest virus campaign, which appears to be an attempt to grow the Cutwail botnet by infecting new computer systems with new trojan variants launched every few days.

MX Lab now intercepts a new Facebook virus campaign from the spoofed address <automailer+gtevzolc@facebook.com> or similar.

The campaign is sent out with one of the following subjects:

Facebook updated account agreement
new Facebook account agreement
new account agreement

The content of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Confirmation Code #: 3233075834

The email contains the ZIP archive agreement.zip with the 20 kB executable agreement.exe inside. This trojan is known as Trojan.Sasfis.A (BitDefender), W32/Sasfis.E (F-Prot) or Trojan:Win32/Oficla.E (Microsoft).

MX Lab submitted the sample to Virus Total at 2009.11.07 00:03:35 UTC and 21 of the 41 AV engines detected the trojan. The first sample was submitted at 2009.11.06 09:24:44 UTC, so after more than 2 hours 52% of the AV engines can intercept this piece of malware.

Please do remember that Facebook, or any other company, will never communicate in this way. Companies like Facebook will not send attachments to update your profile, agreement or anything else.

The trojan creates the files %Temp%\1.tmp and %System%\ifmq.kqo, modifies the Windows registry and tries to connect to the remote host 193.104.27.91. The following URLs are requested:

hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=1&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=300

Virus Total link and MD5: c175b5afc8bb7a7f716ccf3829412ff1.

Bredolab surges to new heights thanks to Cutwail botnet


Several sources reported a surge of the Bredolab trojan in the middle of October, but MX Lab noticed a real increase only on October 27th.

The following graph shows the virus detection from October 7th until November 5th (from right to left), with small peaks at the beginning of October while at the end the virus outbreak really started for us. The virus detection and interception rate increased 5x to 6x compared to the normal average.

We noticed Bredolab appearing in different campaigns, where Facebook Password Reset Confirmation was perhaps one of the most widespread campaigns targeting social network users. But let's not forget the DHL tracking emails or the Western Union payment.

So what is going on? Bredolab is being distributed mainly over the Cutwail (or Pandex) botnet. One of the reasons is that this botnet is trying to infect new computers to add to the botnet as zombies. A larger botnet can be used to distribute even more emails containing malware and infect even more systems, or to send out new large spam campaigns.

The Cutwail botnet activity decreased from sending around 45% of spam at the beginning of the year to only 11% in September. Other botnets increased in size and activity. One of the newer botnets is called Maazbem and was responsible for a large casino-related spam email campaign earlier in May 2009.

The Cutwail operators are trying to make up some of those losses and regain a dominant position in the botnet scene. So far, approximately 3.6 billion Bredolab emails are likely being sent out each day, worldwide.

To do so they publish new variants on a regular basis to avoid detection by AV engines. As we could see during the last few days, virus detection was sometimes very low when a new variant was out and the file was offered to Virus Total for inspection.

At Virus Total, a great tool by the way, we often noticed that the 41 AV engines had difficulty detecting the new variant, resulting in less protection for an end-user system. In some cases not even 30% of the engines detected the trojan more than 6 hours after the variant first appeared.

It is clear that traditional signature- or heuristic-based AV engines fail to offer good protection within the short time frame that matters most for detecting and handling malware correctly. At MX Lab we can only recommend deploying antivirus engines in multiple layers, with a zero-hour antivirus solution as the main and first line of defense.
