Tracking Gameover Zeus

We looked into another IRS-themed spam run today. We won't bore you with the particulars of the spam message and the initial redirection to the exploit kit, as it follows the patterns established in previous posts, e.g. spam emails with malicious links containing random 8-character filenames.

What we will focus on instead is the different malware payloads hosted by the exploit kit used in today's (2012-02-29) spam campaign. The IRS-themed spam sample we found today redirected victims to an exploit kit at curchart[.]com.

In total we found four different malicious payloads on the curchart[.]com kit, including a mix of Gameover Zeus and Pony downloaders. We're pretty sure there were a handful more payloads hosted by this kit, but alas time was our enemy today and we weren't able to poke around as much as we would have liked.

The payloads we found at curchart[.]com included the following:

  • 31148183149102165C910A6ED6A8EF37
  • ED86E03C47661BFF4B265E1B58A9096F
  • 1E97297992A80AFFE82FE3CCA89A319C
  • 491D62AFAB7304C860EC5B8CD393093D

31148183149102165C910A6ED6A8EF37 was a Pony downloader. It was 95232 bytes in size. It was configured to POST stolen FTP credentials to the following drop zones:


This pony downloader variant was also configured to download Gameover Zeus binaries from the following locations:

hxxp://209[.]140[.]16[.]128/7SQeyACm.exe
hxxp://buddysbarbq[.]com/A8T.exe
hxxp://chovattuvt[.]com/L8Dtm2UP.exe
hxxp://ftp[.]intervene[.]com[.]br/Z908jB.exe

These Zeus payloads had an MD5 of E250E52F8A601FCE3532CB65BAF988B3 and were 285200 bytes in size. They also had a bot id of “ppc29”.

ED86E03C47661BFF4B265E1B58A9096F was a Gameover Zeus variant 285200 bytes in size. This particular variant had a bot id of “mmx29”.

1E97297992A80AFFE82FE3CCA89A319C was another Pony downloader. It was 95232 bytes in size. It was configured to POST stolen FTP credentials to the following drop zones:


Note that while the domains hosting the drop zones were the same between the Pony downloader variants 1E97297992A80AFFE82FE3CCA89A319C and 31148183149102165C910A6ED6A8EF37, the drop zone paths were different (/pony/ vs. /ponychin/). The Pony downloader 1E97297992A80AFFE82FE3CCA89A319C was also configured to download Gameover Zeus binaries from the following locations:

hxxp://ampndesignclients[.]com/C5p4BVm.exe
hxxp://almeconstruction[.]com/hdyUhKhY.exe
hxxp://mixestudio[.]com/kPqCt.exe

These Zeus variants had an MD5 of CE97FD2C068984F5E593E7B6DD89FF38 and were 285200 bytes in size. They also had a bot id of “cchinx29” – similar to the drop zone of “ponychin”.

491D62AFAB7304C860EC5B8CD393093D was another Pony downloader variant, 95744 bytes in size. It was configured to POST stolen FTP credentials to the following drop zones:


This Pony downloader was also configured to download Gameover Zeus variants from the following locations:

hxxp://www[.]top59serv[.]ro/Dep1N.exe
hxxp://www[.]indianwildlifetourism[.]com/k5uE56y.exe
hxxp://impressiveclimate[.]com/shzCP.exe

These Zeus variants had an MD5 of E74F1B3FFFC4AE61E077BBDEC3230E95 and were 285200 bytes in size. They also had a bot id of “NeTRoAcH”.
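As an added example (not part of the original post), here is a small Python hunt over constructed proxy log lines that flags the two behaviours described above: POSTs to the /pony/ or /ponychin/ gate.php drop zones and fetches of short random-named .exe files of the reported Zeus payload size. The log layout, client addresses and hostnames in the sample are assumptions.

```python
import re

# Constructed sample proxy log lines (not from the original post), in an
# assumed "client method url status bytes" layout.
SAMPLE_LOG = """\
10.0.0.12 POST http://pollypaw.com/pony/gate.php 200 512
10.0.0.12 GET http://buddysbarbq.com/A8T.exe 200 285200
10.0.0.15 POST http://trucktumble.com/ponychin/gate.php 200 498
10.0.0.15 GET http://mixestudio.com/kPqCt.exe 200 285200
10.0.0.20 GET http://example.org/index.html 200 4096
10.0.0.20 GET http://example.org/downloads/setup.exe 200 1048576
10.0.0.31 POST http://ragsnipe.com/pony/gate.php 200 530
"""

# Every Pony drop zone on this kit used gate.php under a /pony/ or
# /ponychin/ directory; a POST to such a path is the credential upload.
PONY_GATE_RE = re.compile(r"^https?://[^/]+/(pony|ponychin)/gate\.php$", re.I)

# The Zeus payloads were fetched as .exe files with short alphanumeric
# names directly off the host (A8T.exe, kPqCt.exe, 7SQeyACm.exe, ...).
RANDOM_EXE_RE = re.compile(r"^https?://[^/]+/[A-Za-z0-9]{3,8}\.exe$")

# Size the post reports for every recovered Gameover Zeus payload.
ZEUS_PAYLOAD_SIZES = {285200}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def classify_line(line):
    """Return (client, category, url), or None for benign/unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, url, _status, size = m.groups()
    if method == "POST" and PONY_GATE_RE.match(url):
        return (client, "pony-gate-post", url)
    if method == "GET" and RANDOM_EXE_RE.match(url):
        cat = "zeus-size-match" if int(size) in ZEUS_PAYLOAD_SIZES else "random-exe"
        return (client, cat, url)
    return None

def hunt(log_text):
    """Group hits per client so one host doing both steps stands out."""
    hits = {}
    for line in log_text.splitlines():
        r = classify_line(line)
        if r:
            hits.setdefault(r[0], []).append((r[1], r[2]))
    return hits

def likely_infected(log_text):
    """Clients showing both a Pony gate POST and a payload-sized EXE fetch."""
    return sorted(c for c, h in hunt(log_text).items()
                  if {"pony-gate-post", "zeus-size-match"} <= {cat for cat, _ in h})
```

A client that only matches one of the two patterns (such as a lone gate.php POST) still shows up in `hunt()` for manual review; `likely_infected()` reports only hosts that exhibit the full Pony to Zeus chain.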

2 Comments

  1. D2S
    Posted February 29, 2012 at 11:39 pm | Permalink | Reply

    Hi, great work aggregating this info from across these multiple campaigns. Where are you discovering the different botid from these malware? Are you reversing to get it, or is it visible in an outbound UDP network capture? Thx.

  2. Posted March 1, 2012 at 12:30 am | Permalink | Reply

    Hey D2S, thanks for the feedback. There are two basic ways to extract the botid. You can go the hardcore RE route and fire up Olly and IDA or you can study netflow from an infected machine.
