Thursday, February 11, 2010
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
A currently ongoing malware campaign courtesy of the gang that's been busy rotation themes over the past few weeks, has changed the theme to "You are in a higher tax bracket", and continues serving client-side exploits next to a Zeus crimeware sample using a bogus "You don't have the latest version of Macromedia Flash Player" error message.
- Sample URL: rep1031 .be/reports/getreport.php?email=email - Email: email@example.com. The following currently suspended domains are also involved - rep1032 .be; rep1030.me .uk; rep1031.me .uk; rep1032.me .uk; rep1030.co .uk; rep1031.co .uk; rep1032.co .uk; rep1043.me .uk; rep1041.co .uk; rep1032.co .uk
rep1041 .kr - Email: Souchuck@yahoo.com
rep1042 .kr - Email: Souchuck@yahoo.com
rep1043 .kr - Email: Souchuck@yahoo.com
rep1044 .kr - Email: Souchuck@yahoo.com
rep1041.ne .kr - Email: Souchuck@yahoo.com
rep1042.ne .kr - Email: Souchuck@yahoo.com
rep1043.ne .kr - Email: Souchuck@yahoo.com
rep1041.co .kr - Email: Souchuck@yahoo.com
rep1042.co .kr - Email: Souchuck@yahoo.com
rep1043.co .kr - Email: Souchuck@yahoo.com
rep1044.co .kr - Email: Souchuck@yahoo.com
rep1041.or .kr - Email: Souchuck@yahoo.com
rep1042.or .kr - Email: Souchuck@yahoo.com
rep1043.or .kr - Email: Souchuck@yahoo.com
rep1044.or .kr - Email: Souchuck@yahoo.com
- Sample detection rate:
update.exe - PWS:Win32/Zbot.RS - Result: 8/41 (19.52%); MD5: 44028f0e2fa3ec70507992cb0684ff58
- Name servers of notice:
ns1.socialworc .net - 188.8.131.52 - Email: firstname.lastname@example.org
ns1.trihtmens .net - 184.108.40.206
ns1.inserthelping .net - suspended
ns1.citysatellites .net - down
- Sample message: "Dear taxpayer, The Federal income tax is a progressive tax, meaning that the more you earn, the higher your tax rate. Your tax rate depends not just upon your taxable income, but also upon your filing status (single, married filing jointly, etc.). You're in a higher tax bracket because: - your annual income for the last tax year has increased. Please review your annual tax report immediately at: get report."
week's PhotoArchive campaign; - AS50215 - Troyak-as Starchenko Roman Fedorovich - email@example.com; firstname.lastname@example.org and serving CVE-2007-5659; CVE-2008-2992; CVE-2009-0927; CVE-2009-4324.
Trojan-Spy.Win32.Zbot.gen - Result: 8/41 (19.52%), MD5: f15d88ac3e381aeb6b3779b0dd7042ce.
Upon execution phones back to trollar .ru/cnf/trl.jpg - 220.127.116.11 - Email: email@example.com; AS50369 - VISHCLUB-AS Kanyovskiy Andriy Yuriyovich. Email was also used to register the Zeus C&C from last week's "PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild" campaign.
- Name servers of notice: ns1.gompley .net - 18.104.22.168 - Email: firstname.lastname@example.org; ns1.hoocky .net - 22.214.171.124 - Email: email@example.com, also known to have been parked on the same IP are ns1.allhostinfo .com - Email: firstname.lastname@example.org; ns1.helpgoldbank .net - Email: email@example.com and ns1.drowthdb .com.
- Second portfolio of related name servers: the second portfolio is parked at 126.96.36.199 - ns1.faktorypro .com - Email: firstname.lastname@example.org; ns1.x-videocovers .net - Email: email@example.com; ns1.serwisezone .net - Email: firstname.lastname@example.org; ns1.guarantexpres .com; ns1.respectiveowners .net
Updates will be posted as soon as new developments emerge.
Related coverage of the gang's previous campaigns:
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.