Monthly Archives: February 2012

Tracking Gameover Zeus

We looked into another IRS-themed spam run today. We wont bore you with the particulars of the spam message and initial redirection to the exploit kit as it follows the patterns established in previous posts … e.g. spam emails with malicious links containing random 8 character filenames, etc.

What we will focus on instead is the different malware payloads hosted by the exploit kit used in todays, 2012-02-29, spam campaign. The IRS-themed spam sample that we found today redirected victims to an exploit kit at curchart[.]com.

In total we found four different malicious payloads on the curchart[.]com kit including a mix of Gameover Zeus and Pony downloaders. Were pretty sure there were a handful more payloads hosted by this kit but alas time was our enemy today and we werent able to poke around as much as we would have liked.

The payloads were found at curchart[.]com included the following:

  • 31148183149102165C910A6ED6A8EF37
  • ED86E03C47661BFF4B265E1B58A9096F
  • 1E97297992A80AFFE82FE3CCA89A319C
  • 491D62AFAB7304C860EC5B8CD393093D

31148183149102165C910A6ED6A8EF37 was a Pony downloader. It was 95232 bytes in size. It was configured to POST stolen FTP credentials to the following drop zones:


This pony downloader variant was also configured to download Gameover Zeus binaries from the following locations:


These Zeus payloads had a MD5 of E250E52F8A601FCE3532CB65BAF988B3 and were 285200 bytes in size. These Zeus payloads also had a bot id of “ppc29”.

ED86E03C47661BFF4B265E1B58A9096F was a Gameover Zeus variant 285200 bytes in size. This particular variant had a bot id of “mmx29”.

1E97297992A80AFFE82FE3CCA89A319C  was another Pony downloader. It was 95232 bytes in size. It was configured to POST stolen FTP credentials to the following drop zones:


Note that the while domains hosting the drop zones were the same between the Pony downloader variants 1E97297992A80AFFE82FE3CCA89A319C and 31148183149102165C910A6ED6A8EF37, the drop zones were different (/pony/ vs. /ponychin). The Pony downloader 1E97297992A80AFFE82FE3CCA89A319C was also configured to download Gameover Zeus binaries from the following locations:


These Zeus variants had an MD5 of CE97FD2C068984F5E593E7B6DD89FF38 and were 285200 bytes in size. They also had a bot id of “cchinx29” – similar to the drop zone of “ponychin”.

491D62AFAB7304C860EC5B8CD393093D was another Pony downloader variant 95744 bytes in size. It was configured to POST stolen FTP credentials to the following drop zones:


This Pony downloader was also configured to download Gameover Zeus variants from the following locations:


These Zeus variants had an MD5 of E74F1B3FFFC4AE61E077BBDEC3230E95 and were 285200 bytes in size. They also had a bot id of “NeTRoAcH”.


Your tax return appeal is rejected

After a few days away Zeus is back in business and delivered to an inbox near you via emails spoofing communications from the IRS. An observed sample had the subject line “Your tax return appeal is rejected.”

Note that this spam template looks identical to a previous IRS spam run documented in our “Rejection of your tax appeal” post on 2012-02-23. The text in both spam messages is remarkably similar as well indicating that the same botnet may have fired off both campaigns.

The observed sample had a link to belajaroption[.]net/pE5jXgA3/index.html. Note the same 8 random character pattern that was observed in our previous posts “Better Business Bureau complaint” and “Notification of securities investigation against your company” was also used in this URL. The page at belajaroption[.]net/pE5jXgA3/index.html contained the following javascript redirectors:


These scripts redirected to two different Blackhole Exploit kits at lazysix[.]com/search.php?page=73a07bcb51f4be71 and pollypeach[.]com/search.php?page=73a07bcb51f4be71. We werent able to get to pollypeach[.]com before the domain was taken down, but we did manage to grab the malicious payload dropped by the exploit kit at lazysix[.]com. Vulnerable victims directed to lazysix[.]com downloaded a Gameover Zeus variant from lazysix[.]com/d.php?f=e4649&e=1. This variant had the following properties:

File: readme.exe
Size: 305226
MD5: 36C9FBD3A1CF05A02DAA0AA50BC1186A

This Gameover Zeus variant sent stolen data to the following dropzones via POST requests:

  • over port 12584
  • over port 26623
Its interesting to note that the IP is also a node in a Cutwail botnet. As documented in a handful of previous posts like “Fwd: Re: Security update for banking accounts” Cutwail spam bots are responsible for spewing many of the spam samples delivering both Zeus and Bugat/Feodo.
The Gameover Zeus variant dropped in this current campaign had a botid of “mmx28”. This botid is very similar to the botid of “mmx22” seen in our previous post “Better Business Bureau complaint.” The numbers appended to the “mmx” string are equivalent to the date that the variants are distributed.

Fwd: Re: Security update for banking accounts

We were able to track down the ACH/Wire-themed spam referred to in our “Next Day Malware” post. The observed sample had the following text:

Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department


This sample was sent from the IP address This IP is apart of a Cutwail spambot.

The ‘View details’ text contained a hyperlink to hxxp://www[.]weight-losstoday[.]com/wp-content/themes/illustration-too-10/nacha-index.htm. This html page contained an iframe to hxxp://cgunikqakklsdpfo[.]ru:8080/img/?promo=nacha.

Note the exploit kit at cgunikqakklsdpfo[.]ru. This is the same kit we saw mentioned in our “Next Day Malware” post.

Victims were then redirected to fedikankamolns[.]ru, where they downloaded a Bugat/Feodo banking trojan with the MD5 286918DE8BEE1CACD3A1089076C3DE45. This sample was only detected by 3 of 43 AV vendors on VirusTotal.

This Bugat/Feodo variant retrieved its configuration file/target list via the following POST request to hjpyvexsutdctjol[.]ru:

POST /rwx/B1_3n9/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: hjpyvexsutdctjol[.]ru:8080
Content-Length: 109
Connection: Keep-Alive
Cache-Control: no-cache

Yeah, we know … this is identical to the DHL and FedEx spam runs documented in our earlier post.

What we found interesting about the NACHA spam was that it leveraged the legitimate site in its social engineering efforts. The exploit kit at cgunikqakklsdpfo[.]ru appears to pull content from the legitimate website and dynamically assemble the phishing page below.

Note the inclusion of a malicious link to a fake transaction report. That link points to hxxp://cgunikqakklsdpfo[.]ru:8080/img/?file=report-ACH782316225975342US.exe. As you recall from our “Next Day Malware” post the sample hosted at this location has an MD5 of 82c95751e71c829b09fef4166a749e67 – the same hash used in the DHL and FedEx spam runs.

It seems that the bad guys set this page up as a fallback in the case that visitors are not vulnerable to the exploits packaged in the exploit kit at cgunikqakklsdpfo[.]ru. Those users that are patched may still fall victim to this clever social engineer lure.

Next Day Malware

On 2012-02-25 we looked at a spam sample spoofing communications from UPS. Today we’ll look at parallel campaigns spoofing DHL and FedEx. Apparently our spammer friends dont like to play favorites 🙂

We retrieved a number of samples from each campaign. Observed FedEx samples had subject lines of “Fedex id. 624486″ or ” FedEx DELIVERY CONFIRMATION 4999298″ where the included transaction numbers vary by spam sample. Likewise, a DHL sample had a subject line “DHL id. 6686369” were 6686369 appears to vary by each spam specimen.We noted that two of the FedEx samples that we examined were sent from and Each of these IPs are apart of a Cutwail spam botnet.  While we werent able to trace the source IP of the sample we analyzed were confident that it was also spewed by the same Cutwail botnet.

All of the FedEx and DHL spam samples we examined had .html files attachments. These .html files contained malicious javascript that redirected victims to an exploit kit at ciontooabgooppoa[.]ru. This domain resolves to the following IP addresses:

The domain ciontooabgooppoa[.]ru has an A record with a TTL of 60 seconds and appears to be hosted on  a similar fast-flux infrastructure as the fast-flux network discussed in our previous post “The Redret Connection“. However, none of the above IPs overlap with the IPs seen in our previous posts.

Vulnerable victims then download the same Bugat/Feodo banking trojan from fedikankamolns[.]ru:8080/images/jw.php?i=1 and fedikankamolns[.]ru:8080/images/jw.php?i=3. Both payloads have an MD5 of 82c95751e71c829b09fef4166a749e67 and are only detected by 2 of 42 AV vendors on VirusTotal. Its worth noting that the sample uploaded to VirusTotal had a file name report-ACH121768812916532US.exe and was retrieved from hxxp://cgunikqakklsdpfo[.]ru:8080/img/?file=report-ACH121768812916532US.exe. We verified that a GET request to this URL did in fact return a Bugat/Feodo payload with a MD5 of 82c95751e71c829b09fef4166a749e67. This suggests that another ACH wire-themed spam campaign also redirected victims to the same exploit kit.

The fedikankamolns[.]ru and cgunikqakklsdpfo[.]ru domains resolved to the same IP addresses as the ciontooabgooppoa[.]ru domain seen above. We poked the exploit kit at fedikankamolns[.]ru and found that it hosted the following files. The list below is presented in the following format url, file size, MD5 hash:

  • fedikankamolns[.]ru:8080/images/jw.php?i=1 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=2 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=3 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=4 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=5 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=6 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=7 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=8 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=9 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=10 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=11 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=12 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=13 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=14 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=15 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=16 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=17 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=18 65536 82c95751e71c829b09fef4166a749e67

The Bugat/Feodo variant with the MD5 82c95751e71c829b09fef4166a749e67 retrieved its configuration file/target list via a POST request to hjpyvexsutdctjol[.]ru:8080/rwx/B1_3n9/in/. Like you, Im getting tired of seeing this control server in operation.

During our analysis, the c2 server at resolved to the following IPs:

Many of these IPs were seen in our “The Redret Connection” post.

Triple Barrel Spam Cannon

wall of spam

Our spammer friends started their week with an early morning spam run. We observed three different spam campaigns in action today that all utilized the same infrastructure and dropped the same Bugat/Feodo banking trojan.

The bad guys used the same modus operandi that theyve come to rely on. Their spam messages contained link to hacked websites – primarily WordPress blogs. These hacked sites hosted malicious javascript that redirected victims to an Exploit Kit that dropped a Bugat/Feodo payload.

The different campaigns were easily identifiable via the URL paths used on the hacked websites.

  • IRS-themed spam had a URL path of /fgallery/rep.html or just /rep.html. Checkout a Wepawet report from an IRS-spam sample here.
  • AICPA-themed spam had a URL path of /fgallery/astro.html or just /astro.html. Checkout a Wepawet report from an AICPA-spam sample here.
  • BBB-themed spam had a URL path of /fgallery/brena.html or just /brena.html. Checkout a Wepawet report from a BBB-spam sample here.

All of the observed samples redirected victims to an exploit kit at hxxp://110hobart[.]com.

The 110hobart[.]com currently resolves to While this domain only points to 1 IP address, the A record has a TTL of 900 seconds – indicating that it is hosted on a fast-flux infrastructure. This is consistent with the other exploits kits used in associated spam campaigns. Further investigation of the 110hobart[.]com domain shows that its has 4 NS records including:


Our guess is that these nameservers are serving other malicious domains. We can use the “swiss army knife” over at Robtex to validate our assumption. Indeed, Robtex proves our intuition correct and shows that following other domains also utilized these nameservers:

  • energirans[.]net
  • hapturing[.]net
  • housespect[.]net
  • synergyledlighting[.]net
  • synetworks[.]net
Have we seen any of these domains before? We sure have! The domain hosted an exploit kit used in a previous AICPA spam run documented here. Jsunpack tells us that hapturing[.]net is also bad. Conrad over at Dynamoo’s Blog notes that housespect[.]net and synetworks[.]net are bad as well. And yes, you guessed it synergyledlighting[.]net also stinks … Wepawet tell us more here.

In the case of the IRS, AICPA, and BBB spam runs seen today all of them ultimately instructed victims to download a Bugat/Feodo banking trojan from hxxp://110hobart[.]com/w.php?f=cc677&e=1. This payload had an MD5 of 2dbe5c4303672f256886ed27c92e97be and was detected by 9 of 43 AV vendors on VirusTotal.

This Bugat/Feodo sample retrieved a configuration file/target list from a command and control server at hjpyvexsutdctjol[.]ru:8080 via the following POST request:
POST /rwx/B2_9w3/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: hjpyvexsutdctjol[.]ru:8080
Content-Length: 97
Connection: Keep-Alive
Cache-Control: no-cache
We havent yet examined the configuration file/target list in detail but were confident that it targets the same 300+ financial institutions that weve seen in previous Bugat/Feodo configs.

The Connection

We had some time on hands this weekend so we took a closer look at the IPs used by the fast flux network supporting the Blackhole Exploit Kits used to drop Bugat/Feodo banking trojans. If you recall from our previous posts “United Postal Service Tracking Number H7614058739” and “Rejection of your tax appeal” the following IP addresses were apart of a fast-flux network that hosted Blackhole Exploit Kits:

The IP is of particular interest. In mid-January 2012 the domain cxredret[.]ru resolved to this IP. This domain was apart of the family of * domains that plagued the internet at the end of last year. The boys over at the Internet Storm Center blogged about the * domains back on 2011-12-06. It should come as no surprise that the * domains also hosted Blackhole Exploit Kits that dropped Bugat/Feodo banking trojans.

United Postal Service Tracking Number H7614058739

Most of the spam cannons that we follow go quiet on the weekends, so lets take a look at a sample that we picked up on Friday 2012-02-24. This spam spoofed communications from UPS.

We noted that at least one spam sample from this UPS campaign was sent from a bot at This particular IP is apart of a known Grum spambot.

Attached to this sample was an file named “UPS-NR954wi27683.htm”. This html file contained a malicious javascript that redirected victims to a Blackhole Exploit kit cgoosjjdopola[.]ru. This kit probed victims for a series of potential vulnerabilities downloading malicious .swf, .pdf, and .jar files.

Vulnerable computers were then instructed to download a Bugat/Feodo banking trojan from sumgankorobanns[.]ru via a GET request to sumgankorobanns[.]ru:8080/images/jw.php?i=10. The downloaded Bugat/Feodo payload had the following properties:

File: gsxohsapcpklkti.exe
Size: 73216
MD5: c6d7b68ee00085702f7f6aafb03ca559

Both cgoosjjdopola[.]ru and sumgankorobanns[.]ru were hosted on the same fast-flux botnet we observed in our previous post “Rejection of your tax appeal“. These domains resolved to the following IP addresses (a number of which were observed in our previous post):

We had a little time on our hands today so we decided to poke around the Blackhole Kit  at sumgankorobanns[.]ru and see if it hosted any other goodies. We found that this kit hosted the same Bugat/Feodo payload (c6d7b68ee00085702f7f6aafb03ca559) between jw.php?i=1 and jw.php?i=18.

This Bugat/Feodo variant attempts to first to connect to a command and control server at hjpyvexsutdctjol[.]ru. During testing this control server returned a “500 Internal Server Error”. The variant then connects to a secondary control server at wfyusepaxvulfdtn[.]ru via the following POST request wfyusepaxvulfdtn[.]ru:8080/rwx/B1_3n9/in/. This POST request returned a configuration file. The configuration file instructed the Bugat/Feodo variant to hijack account credentials for approximately 300 banking websites.

If the /rwx/B1_3n9/in/ path looks familiar to you it should. Recall our previous post “Rejection of your tax appeal” where we saw a different Bugat/Feodo variant pull down its configuration file from hjpyvexsutdctjol[.]ru:8080/rwx/B2_9w3/in/.

Hrm, the Bugat/Feodo variant dropped by the UPS spam also tried to connect to the control server at hjpyvexsutdctjol[.]ru. However, the UPS Bugat/Feodo variant was configured to download its configuration file from /rwx/B1_3n9/in/ instead of /rwx/B2_9w3/in/. Perhaps, the /B1 and /B2 path variations are used by the bad guys to track different spam and malware distribution campaigns.

The current control server at wfyusepaxvulfdtn[.]ru also dropped an additional bit of love. Appended to the configuration file downloaded from wfyusepaxvulfdtn[.]ru:8080/rwx/B1_3n9/in/ was a secondary malware payload identified as Heap. This Heap variant had the following properties:

File: POS1B.tmp
Size: 118272
MD5: 64BE90378FC40117EA93DFB8FA5AEC92

This Heap variant scans the victim machine for email addresses. These email addresses are harvested and then sent to a control server over port 20050. Communications from the Heap variant to the control server at were encoded with a standard base64 alphabet.

If you wanna know if youre infected by Bugat/Feodo you can do the following simple checks on your local machine. First, Bugat/Feodo is almost always installed in the following location on your filesystem: C:\Documents and Settings\Administrator\Application Data\. Bugat/Feodo is installed as KB********.exe where ******** is a series of 8 random number unique to each victim computer. Additionally, the downloaded configuration file is stored in the clear in the victim’s registry at HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center\********. If you find either of these artifacts on your machine youre probably infected.

What can brown do for you, you ask? Well, in this case it can infect you with a Bugat/Feodo banking trojan and a Heap email harvester.

Warning from IRS

We’re going to file the following example under “even spammers make mistakes”.

The above spam message spoofing communications from the IRS was received yesterday on 2012-02-23. It was sent from a bot with the IP

The otherwise well crafted spam had one crucial mistake. It contained a link to hxxp://dll-aghazeh[.]com/YzrYt31J/index.html. Unfortunately for the bad guys this page returned a ‘404 Page Not Found’ error instead of the expected malicious javascript.

While its unclear why this page did not contain any malicious code, we can safely assume that it was supposed to contain javascript redirectors that would have pointed victims to a Blackhole Exploit kit. That Exploit kit would have almost certainly dropped a Pony downloader on its victims.

How can we make this assumption? Well, its simple. Note the structure of the above malicious link – hxxp://dll-aghazeh[.]com/YzrYt31J/index.html. Notice the random 8 random digit character folder name in the URL path? Weve seen that pattern before. A quick review of the previous posts Better Business Bureau complaint and Notification of securities investigation against your company reveal that this 8 random digit pattern was used in previous spam campaigns that also dropped a Pony downloader variant. So, this random file name pattern appears to be an indicator for malicious behavior.

As you’re trolling through your inbox and you see suspicious looking emails with text goading you to click on a link, place your mouse over this link and study the destination url without clicking on the link. If you see this 8 random digit pattern its a good idea to delete the email and carry on your day.

AICPA fraud allegations

Since there was so much overlap between the IRS spam blogged about earlier today and a concurrent AICPA fraud allegation spam, it makes sense to point out some of these similarities. Here is an image of the AICPA spam:

This particular spam contains a hyperlink to evergreennatural[.]ro/aicp.html. Just like with the IRS spam, this campaign uses the same HTML page name across all of the hacked sites – in this case, ‘aicp.html’. We can find additional hacked pages with our Google-fu:

Remember the Black hole exploit kit URL the IRS spam redirected to – hxxp://energirans[.]net/main.php?page=710730c6e154dae7? Surprise, the hacked URLs in the AICPA spam redirect to a Black hole kit using the same domain with a different ‘page=’ ID – energirans[.]net/main.php?page=78581944265196f1.

This also drops a Bugat variant, the malicious binary is downloaded from energirans[.]net /w.php?f=dd786&e=4:

65024 bytes

After connecting to a C&C server, this variant is updated with a new Bugat binary:

63488 bytes

Look familiar? It should, its the same MD5 we saw dropped by the IRS spam.

Notification of securities investigation against your company

Many spam cannons were firing today. We found an interesting sample spoofing communications from the Securities and Exchange Commission. The observed sample had the subject line “Notification of securities investigation against your company” and was sent from a bot with the IP address This sample had the following text and pulled an SEC logo from www[.]compliancebuilding[.]com/wp-content/uploads/2010/06/sec-logo.png,

U.S. Securities and Exchange Commission

Dear customer,
Securities and Exchange Commission Whistleblower office has
received information about alleged misconduct at your company, including
Material misstatement or omission in a company's public filings or financial
statements, or a failure to file Municipal securities transactions or public
pension plans, involving such financial products as Real Estate.
Failure to provide feedback to this complaint within 14 day period will
result in Securities and Exchange Commission investigation against your
company. You can obtain the complaint details in U.S. Securities and
Exchange Commission Tips, Complaints, and Referrals portal under the
following link:
Complaint details
SEC Office
100 F Street NE
Mail Stop 5971
Washington, DC 20549
Fax: (703) 813-9322
This sample contained a link to ftp[.]doers[.]com[.]br/eCPYfXi6/index.html. This page contained the following javascript redirectors:


These javascript redirectors contain the following document.location script that send victims to a Blackhole Exploit kit at campinghold[.]com:


Vulnerable victims then downloaded a Pony Downloader variant from hxxp://campinghold[.]com/d.php?f=29651&e=1. This binary had the following properties:

File: info.exe
Size: 94720
MD5: A65EA4CB7683692CA28C6901959A99A8

Unfortunately, this binary was only detected by 2 of 41 AV vendors on This Pony downloader variant was configured to POST stolen FTP credentials to the following drop zones:


Further, the Pony downloader then grabbed Gameover Zeus banking trojans from the following locations:


These Gameover Zeus variants were all identical and had the following properties:

Size: 294912
MD5: 3FCF95CD338E38320F56C82F580D7D76

This Gameover variant is detected by 8 of 43 AV vendors on

This Gameover variant also had a botid of “ppc24”. Like other Gameover variants it was configured to steal online banking credentials. This variant then sent stolen credentials to over port 12584.