Confirm your US airways online reservation

On 2011-04-09 we observed an interesting round of US Airways spam. The sample we analyzed had a subject line of “Confirm your US airways online reservation”.

While this same template had been previously used in high-profile Gameover Zeus laden spam campaigns, this particular campaign was a bit different. The sample we analyzed had a link to a malicious page at Other spam samples from the same campaign had links to hacked websites with malicious us.html pages.

The malicious us.html page contained javascript that redirected victims to a Blackhole Exploit Kit at  The domain resolved to

This Blackhole kit dropped a Bugat* payload with the following properties:

File: about.exe
Size: 71680
MD5: D1455B0C28A145C5D207F276F945ABCA

Unlike other Bugat payloads that we've documented here, which used a domain generation algorithm to determine their command and control server, this variant was hardcoded to connect to 4 domains for command and control instructions. This variant was configured to connect to the following:

The and are currently offline. The other domains After this variant successfully connected to the first available command and control server, in this case, it downloaded a configuration file that included a target list of over 400 websites. The vast majority of these targets were financial institutions. If you'd like a copy of the target list, hit us up at

The downloaded configuration file also revealed the location of the domains hosting web injects. Bugat, and other banking malware, use web injects to dynamically man-in-the-middle a victim's online banking session. Basically, when a victim logs into their bank's website these web injects take control of their session and steal the victim's banking information in real time. The web injects used by this Bugat variant were pulled from The domain resolved to

In addition to providing a configuration file, the command and control server at also pushed a Bugat update on its victims. This updated Bugat payload had the following properties:

Size: 75271
MD5: 0386F4D83DD84D2F60352E00D3F504A6
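A practical use of the two payload indicators above is a quick on-disk sweep: hash candidate files and compare them against the known sizes and MD5s. The following is an added example written for this post (not the authors' tooling); the only indicators it carries are the two size/MD5 pairs published above, and the sample files it builds are constructed locally so it runs offline.

```python
import hashlib
import os
import tempfile

# Indicators copied from the write-up above: MD5 (lowercased) -> size in bytes.
BUGAT_IOCS = {
    "d1455b0c28a145c5d207f276f945abca": {"size": 71680, "note": "Blackhole-dropped about.exe"},
    "0386f4d83dd84d2f60352e00d3f504a6": {"size": 75271, "note": "Bugat update pushed by C2"},
}
KNOWN_SIZES = {v["size"] for v in BUGAT_IOCS.values()}


def md5_of_file(path, chunk=65536):
    """Stream the file through MD5 so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_ioc(path):
    """Return the indicator note if the file matches a known sample, else None.

    The size check runs first: it is free, and it avoids hashing every file on
    the box when only files of the two published sizes can possibly match.
    """
    size = os.path.getsize(path)
    if size not in KNOWN_SIZES:
        return None
    entry = BUGAT_IOCS.get(md5_of_file(path))
    if entry is None or entry["size"] != size:
        return None
    return entry["note"]


def scan_tree(root):
    """Walk a directory tree and return {path: note} for every indicator hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                note = match_ioc(p)
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if note:
                hits[p] = note
    return hits


def build_demo_tree():
    """Construct a throwaway directory: one benign file and one decoy whose size
    equals the first indicator's but whose content (all zero bytes) does not."""
    root = tempfile.mkdtemp(prefix="bugat_demo_")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"constructed benign file\n")
    with open(os.path.join(root, "about.exe"), "wb") as f:
        f.write(b"\x00" * 71680)  # constructed decoy: right size, wrong hash
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("hits:", scan_tree(demo))  # the decoy passes the size filter but fails the hash
```

The size prefilter matters more than it looks: on a host with hundreds of thousands of files, hashing only the handful whose size equals 71680 or 75271 bytes turns a multi-hour sweep into seconds, and a size mismatch can never be a true positive for an exact-hash indicator.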

This updated variant was configured to connect to the following command and control servers:

The domain was offline, but the domain resolved to It seems like these guys like to host their domains in the same neighborhood. Mental note … stay out of this /24.

The updated Bugat variant pulled its web injects from the following domains:

We apologize for not reporting on this one sooner but unfortunately our real lives got in the way this week.

* Note: what we call Bugat others call Feodo or Cridex.
