Monthly Archives: May 2012

Twitter received a request to reset the password for your account.

We analyzed the following malicious URL, which was used in Twitter themed spam on May 17 2012:

hxxp://lakshmiparthasarathyathreya.com/nwFzPsjZ/index.html

Twitter - Reset Password

This malicious page contained four JavaScript includes, as shown below:

<script type="text/javascript" src="hxxp://www.houard.eu/D2ec6Q6S/js.js"></script>
<script type="text/javascript" src="hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js"></script>
<script type="text/javascript" src="hxxp://hardinggraphics.com/ZRRV8K9w/js.js"></script>
<script type="text/javascript" src="hxxp://portaldomarmoreegranito.com.br/69zecvvX/js.js"></script>

Eventually these malicious scripts redirect the victim to a Blackhole Exploit Kit at hxxp://69.194.192.218/showthread.php?t=d7ad916d1c0396ff
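The four injected includes above share one shape: an external host, an 8-character random directory and a file named js.js. The following triage script is an added example (not code from the original post) that parses a page's script tags, re-fangs hxxp:// URLs, and reports external scripts matching that shape; the sample HTML is constructed here from the URLs listed above, and the page host and the benign relative include are assumed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path shape of the injected includes on the Twitter themed landing page:
# one 8-character alphanumeric directory followed by js.js.
INJECT_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def find_suspicious_scripts(html, page_host):
    """Return (host, path) for every external script matching INJECT_PATH."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        parsed = urlparse(refang(src))
        host = parsed.hostname or page_host  # relative src: same host as page
        if host != page_host and INJECT_PATH.match(parsed.path):
            hits.append((host, parsed.path))
    return hits


# Constructed sample: the four includes from the analysed page plus one
# benign relative include (assumed) to show it is not flagged.
SAMPLE_HTML = """<html><head><title>Twitter - Reset Password</title>
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript" src="hxxp://www.houard.eu/D2ec6Q6S/js.js"></script>
<script type="text/javascript" src="hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js"></script>
<script type="text/javascript" src="hxxp://hardinggraphics.com/ZRRV8K9w/js.js"></script>
<script type="text/javascript" src="hxxp://portaldomarmoreegranito.com.br/69zecvvX/js.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for host, path in find_suspicious_scripts(SAMPLE_HTML, "lakshmiparthasarathyathreya.com"):
        print("suspicious include:", host, path)
```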

The Blackhole kit first drops Pony from the following location:

hxxp://69.194.192.218/q.php?f=ba33e&e=4
File: readme.exe
MD5: cc696f9ac857c59be3940791f1dfa9c1
Size: 99,808 bytes

The Pony downloader posts to its dropzone at hxxp://50.57.121.196/pony/gate.php. It was also configured to download two identical Gameover Zeus payloads from the following locations:

1. hxxp://hosting1554269.az.pl/j5EGyoC.exe
2. hxxp://spiritfinancial.net/JqLBEaNt.exe

Gameover installs itself in %APPDATA%\Micyu\viunbu.exe

MD5: 1a518087bc0cbc1efd869012b2b1a7bd
Size: 305,120 bytes
Timestamp: 2010:10:29 20:57:49+02:00
Signature: This file is digitally signed by ‘gHA6’
Certificate Validity: 05/16/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 189.78.66.155:29620. Webinjects were downloaded from 87.23.103.64:19802. The Gameover variant had a botid of “NRm18”.

As we have been seeing for the past few weeks, the Pony Downloader and Gameover Zeus payloads share the same file properties, indicating that both were built by the same group/people, around the same time(?):

Signature: This file is digitally signed by ‘gHA6’
Certificate Validity: 05/16/2012 to 01/01/2040
Company Name: bhq93888888888 Corporation
File Description: CTF Loader
Internal Name: CTFMON
Legal Copyright: © bhq93888888888 Corporation. All rights reserved.
Original Filename: CTFMON.EXE
Product Name: bhq93888888888® Windows® Operating System
Product Version: 6.1.7600.16385
Ole Self Register: D

Zeus v2.0.8.9 being rolled out on IRS themed spam

We analyzed the following malicious attachment, which was distributed with IRS themed spam on May 14 2012:

Name: Plexer_Order-z9284
MD5: e807511362923762da627599daeeba65
Size: 2,154,749 bytes
Content: Plexer_Order-z9284.exe

This zip archive contained the following malicious dropper:

Name: Plexer_Order-z9284.exe
MD5: 3c8b1a1c45fbb93e93dbde75795c21bd
Size: 2,184,348 bytes
Timestamp: 1970:01:01 01:00:49+01:00
Company Name: NEW ORDER 2012 FOR VIEW PLEXR
File Description: Win32 Cabinet Self-Extractor
File Version: 9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
Internal Name: Wextract
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: WEXTRACT.EXE .MUI
Product Name: Plexer Order Viewer 2012
Product Version: 56.0.89.3
Comments: NEW VERSION ORDER 2012 FOR VIEW PLEXR
Website: http://www.avira.com
Packager: Xenocode Postbuild 2009 for .NET Beta
Packager Version: 7.0.162

This dropper first installs Google Talk on the system and brings the Google Talk window to the front of the desktop. Behind the scenes, it installs Zeus v2.0.8.9. Zeus was installed in %APPDATA%/[random]/emta.exe and had the following file properties:

Name: emta.exe
MD5: bbdeabff13e565e187e0e85fcb1e732f
Size: 95,744 bytes
Timestamp: 2011:07:27 04:06:30+02:00

Like a typical Zeus build, it first downloads a configuration file consisting of the target list and webinjects from:

hxxp://kmginsights.com/upload/LoadhandlerImages_/y/config.bin

The Zeus dropzone was also running on the same domain at:

hxxp://kmginsights.com/upload/LoadhandlerImages_/y/gate.php

This Zeus controller was running on a compromised website belonging to KMG INSIGHTS, which offers a complete line of marketing, technology and organizational consulting services.

Russian, Spanish, Italian and UK banks and financial institutions were targeted by this Zeus controller.