Thursday, February 11, 2010

Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild

A currently ongoing malware campaign courtesy of the gang that's been busy rotation themes over the past few weeks, has changed the theme to "You are in a higher tax bracket", and continues serving client-side exploits next to a Zeus crimeware sample using a bogus "You don't have the latest version of Macromedia Flash Player" error message.

- Sample URL: rep1031 .be/reports/getreport.php?email=email - Email: The following currently suspended domains are also involved - rep1032 .be; .uk; .uk; .uk; .uk; .uk; .uk; .uk; .uk; .uk

- UPDATED: The most recently spamvertised domains include:
rep1041 .kr - Email:
rep1042 .kr - Email:
rep1043 .kr - Email:
rep1044 .kr - Email: .kr - Email: .kr - Email: .kr - Email: .kr - Email: .kr - Email: .kr - Email: .kr - Email:
rep1041.or .kr - Email:
rep1042.or .kr - Email:
rep1043.or .kr - Email:
rep1044.or .kr - Email:

- Sample detection rate:
update.exe - PWS:Win32/Zbot.RS - Result: 8/41 (19.52%); MD5: 44028f0e2fa3ec70507992cb0684ff58

- Name servers of notice:
ns1.socialworc .net - - Email:
ns1.trihtmens .net -
ns1.inserthelping .net - suspended
ns1.citysatellites .net - down

- Sample message: "Dear taxpayer, The Federal income tax is a progressive tax, meaning that the more you earn, the higher your tax rate. Your tax rate depends not just upon your taxable income, but also upon your filing status (single, married filing jointly, etc.). You're in a higher tax bracket because: - your annual income for the last tax year has increased. Please review your annual tax report immediately at: get report."

- Sample iFrame used: /uzs/in.php also used in last week's PhotoArchive campaign; - AS50215 - Troyak-as Starchenko Roman Fedorovich -; and serving CVE-2007-5659; CVE-2008-2992; CVE-2009-0927; CVE-2009-4324.

- Sample malware detection rate/phone back C&Cs: update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 8/41 (19.52%), MD5: f15d88ac3e381aeb6b3779b0dd7042ce.

Upon execution phones back to trollar .ru/cnf/trl.jpg - - Email:; AS50369 - VISHCLUB-AS Kanyovskiy Andriy Yuriyovich. Email was also used to register the Zeus C&C from last week's "PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild" campaign.

- Name servers of notice: ns1.gompley .net - - Email:; ns1.hoocky .net - - Email:, also known to have been parked on the same IP are ns1.allhostinfo .com - Email:; ns1.helpgoldbank .net - Email: and ns1.drowthdb .com.

- Second portfolio of related name servers: the second portfolio is parked at - ns1.faktorypro .com - Email:; ns1.x-videocovers .net - Email:; ns1.serwisezone .net - Email:; ns1.guarantexpres .com; ns1.respectiveowners .net

Updates will be posted as soon as new developments emerge.

Related coverage of the gang's previous campaigns:
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.