Your Bill Is Now Available

We saw a return of Verizon Wireless-themed spam today. The sample in question had a subject line of “Your Bill Is Now Available” and was sent from a Cutwail spambot at

This sample had the following malicious links:

These malicious links contained the following HTML code:

<h1>WAIT PLEASE</h1>
<script type="text/javascript" src=""></script>
<script type="text/javascript" src=""></script>

These JavaScript redirectors in turn bounced victims to a Blackhole exploit kit at
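
A detection heuristic for the landing-page shape shown above, added here as an example and not taken from the original post. It flags a near-empty page whose only content is the "WAIT PLEASE" heading plus two or more script includes. The requirement that at least one script comes from a different host than the page, the 40-character text threshold, and the names PageShape and looks_like_redirector are all assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageShape(HTMLParser):
    """Collects <h1> text, <script src> hosts and other visible text."""

    def __init__(self):
        super().__init__()
        self.h1, self.script_hosts, self.text = [], [], []
        self._stack = []

    def handle_starttag(self, tag, attrs):
        self._stack.append(tag)
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.script_hosts.append(urlparse(src).hostname or "")

    def handle_endtag(self, tag):
        if tag in self._stack:  # unwind to the matching open tag
            while self._stack.pop() != tag:
                pass

    def handle_data(self, data):
        data = data.strip()
        if data and "script" not in self._stack:
            (self.h1 if "h1" in self._stack else self.text).append(data)


def looks_like_redirector(html, page_host, max_other_text=40):
    """True for a near-empty page: 'WAIT PLEASE' heading plus >= 2 script
    includes, at least one from another host (an assumption of this example)."""
    p = PageShape()
    p.feed(html)
    p.close()
    offsite = {h for h in p.script_hosts if h and h != page_host.lower()}
    return (" ".join(p.h1).upper() == "WAIT PLEASE"
            and len(p.script_hosts) >= 2
            and bool(offsite)
            and sum(len(t) for t in p.text) <= max_other_text)


# Constructed samples; hostnames are reserved .example names.
SAMPLE_REDIRECTOR = """<html><body><h1>WAIT PLEASE</h1>
<script type="text/javascript" src="http://site-a.example/js.js"></script>
<script type="text/javascript" src="http://site-b.example/js.js"></script>
</body></html>"""
SAMPLE_BENIGN = """<html><body><h1>Wait please</h1>
<p>Your statement is being generated and will open automatically.</p>
<script src="/static/app.js"></script><script src="/static/poll.js"></script>
</body></html>"""
```
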

Vulnerable victims directed to the above URL at then downloaded a Pony downloader with the following properties:

File: about.exe
Size: 95785
MD5: 14D9C851566E0C66EF67E2C08E6866A7

This Pony downloader posted stolen FTP credentials to The downloader was also configured to communicate with the following backup dropzones in the event the primary at was unavailable. The backup drops were located at:

The Pony downloader was also configured to download a Gameover Zeus variant from the following locations:

This Gameover variant had the following properties:

Size: 262696
MD5: B818C5240F3D45A123F2A497ACA8BEA1

This Gameover variant sent stolen data to drop zones at:

Web injects were downloaded from

Note, we also observed other Blackhole exploit kits at:


