Important Information About Your Account

The spammers sure are busy. Today, 2012-04-11, we observed a new spam template spoofing communications from – a PayPal service. The spam sample we analyzed had a subject line of “Important Information About Your Account”.

The observed sample contained a malicious link to This page contained the following JavaScript redirector:

<script type="text/javascript" src=""></script>

The above JavaScript redirected victims to a Blackhole Exploit Kit at

This kit dropped a number of different exploits including the latest and greatest Java Exploit CVE-2012-0507. This malicious .jar file had the following properties:

File: Klot.jar
Size: 15719
MD5: 26720F0252EB91BB7A326375313651F9

The kit also dropped a Gameover Zeus variant with the following properties:

Size: 301096
MD5: 5CE366E6D7A949552AF10C4DEAF47506

The Gameover variant had a botid of NRa11. The criminals responsible for this campaign utilized a proxy at to control victims infected with this Gameover variant.


One Trackback

  1. […] via a proxy server at over port 443. This is the same proxy server used in the BillMeLater spam campaign seen earlier […]
