Fraud Protection Alert

It seems that our Gameover Zeus friends are making available new spam templates. As we pointed out earlier today a LinkedIn-themed template dropped Zeus. Today we also found an American Express-themed template that dropped Gameover Zeus. This American Express-themed template had the following text:


For your security, we regularly monitor accounts for possible fraudulent activity. Please review the attempted charge below which occurred within minutes of the timestamp of this message.

Transaction Date: 03/19/12


Amount: 7261.75

Currency: USD

Case Number: 51499
Please verify these attempted charges using our Secure Online Chat or please log in to to dispute it. If we’ve already spoken to you about this matter, please disregard this message. No further action is required.

Thank you for your Cardmembership.


American Express Account Security

Fraud Prevention Network

In a slight change from previous templates, this American Express spam contained multiple malicious links. The included malicious were as follows:

This pages contain the following malicious javascript redirectors:

<script type=”text/javascript” src=””></script&gt;
<script type=”text/javascript” src=””></script&gt;
<script type=”text/javascript” src=””></script&gt;

These javascript redirectors contained the following document.location script to a Blackhole Exploit kit:


The kit downloaded the following exploits:

File: score.swf
Size: 6923
MD5: 0A0BDA8E72F24B94BCDEA1C183E69789

This exploit was detected by 20 of 43 AV vendors on VirusTotal.

File: field.swf
Size: 1557
MD5: 02FDB88AD9F9A57211041C288D52EA58

This exploit was detected by 16 of 43 AV vendors on VirusTotal.

File: 7163f.pdf
Size: 18734
MD5: 3BA584C6790DFE160D2FBBB9B9803570

This file had not yet been submitted to VirusTotal.

File: Qai.jar
Size: 18454
MD5: A7E26C0B211A39A42695A7BB6772A2CD

This exploit targeted CVE-2011-3544 and was detected by only 2 of 43 AV vendors on VirusTotal — ouch 😦

These exploits in turn downloaded the following Gameover Zeus banking trojan via a GET request to

File: about.exe
Size: 286744
MD5: 3A12082CEC742B0E4BA7C72E867A5ECC

We noticed that this Gameover variant was signed by an obviously fraudulent digital certificate:

This Gameover Zeus variant ex-filtrated stolen data to dropzones at over port 10581 and over port 13510.

This Gameover variant also had a botid of ‘NR20’. Recall that the numbers in botids represented the date of the attack. In this case 20 == the date of March 20. This is also the first time weve observed the botid of ‘NR’. Is it a coincidence that this new botid was used in a campaign leveraging a new spam template?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: