Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 23 November 2009

UAB Spam Data Mine finds Social Security Statement Zeus Bot

Posted on 05:58 by Unknown
I'm frequently asked how it is that the UAB Spam Data Mine is consistently among the first in reporting new spam campaigns that contain harmful malware. I thought I would show you the manual version of the process this morning.

We start by finding the "top subjects" for the current time period. Because the UAB Spam Data Mine now processes inbound spam every 15 minutes, we can do searches to identify the top spam campaigns in the previous 15 minutes such as:

select count(subject), subject from spam where message_id like '%09Nov23.0715%' group by subject order by count(subject) desc;

Look for something interesting, such as:

53 | Watch for errors on Social Security statement
53 | Watch for errors on your Social Security statement
45 | Review your annual Social Security statement

In the previous 15 minutes period, nothing with "Social Security" showed up in the top 100 subjects. Now we have three items in the top 25. By the time I finished writing this article, the 0730 and 0745 runs were complete, and we now have more than 600 samples of the spam. However, using the techniques we've developed for "emerging threat detection", we were aware of the campaign immediately when the 0715 run showed something that was not present in the 0700 run.

Then we may dig in with a subject specific search:

select a.subject, b.machine, b.path from spam a, spam_link b where a.message_id = b.message_id and a.subject like '%Social Security statement%';


Bingo! 200 results with domains like:

statements.ssa.gov.fawaazq.be | /acu/IPS_INTR/controller.php
statements.ssa.gov.reedask.be | /acu/IPS_INTR/controller.php

Let's get JUST the list of machines used:

select machine from spam_link where machine like 'statements.ssa.gov%' group by machine;
machine
-------------------------------
statements.ssa.gov.reedasn.be
statements.ssa.gov.fawaazv.be
statements.ssa.gov.fawaazc.be
statements.ssa.gov.reedasg.be
statements.ssa.gov.ujbhgk.be
statements.ssa.gov.ujbhgx.be
statements.ssa.gov.fawaazs.be
statements.ssa.gov.fawaaza.be
statements.ssa.gov.ujbhgv.be
statements.ssa.gov.fawaaze.be
statements.ssa.gov.reedasu.be
statements.ssa.gov.reedasv.be
statements.ssa.gov.reedask.be
statements.ssa.gov.ujbhgz.be
statements.ssa.gov.fawaazz.be
statements.ssa.gov.reedasj.be
statements.ssa.gov.fawaazx.be
statements.ssa.gov.reedasb.be
statements.ssa.gov.fawaazf.be
statements.ssa.gov.ujbhgq.be
statements.ssa.gov.reedaso.be
statements.ssa.gov.ujbhgb.be
statements.ssa.gov.fawaazq.be
statements.ssa.gov.reedasm.be
statements.ssa.gov.ujbhgm.be
statements.ssa.gov.reedast.be
statements.ssa.gov.fawaazr.be
statements.ssa.gov.fawaazd.be
statements.ssa.gov.reedash.be
statements.ssa.gov.ujbhga.be
statements.ssa.gov.fawaazw.be
statements.ssa.gov.reedasy.be
(32 rows)

(Update: There are now 80 known machines for this campaign . . . here's how many emails we've seen for each one as of 8:20 PM, Central time)

729 | statements.ssa.gov.reedasv.be
431 | statements.ssa.gov.reedasm.be
395 | statements.ssa.gov.fawaaze.be
386 | statements.ssa.gov.fawaazx.be
378 | statements.ssa.gov.reedasg.be
360 | statements.ssa.gov.fawaazf.be
337 | statements.ssa.gov.fawaazz.be
317 | statements.ssa.gov.fawaazd.be
304 | statements.ssa.gov.ujbhgm.be
281 | statements.ssa.gov.reedasb.be
271 | statements.ssa.gov.ujbhgz.be
263 | statements.ssa.gov.reedast.be
254 | statements.ssa.gov.reedask.be
253 | statements.ssa.gov.fawaazw.be
242 | statements.ssa.gov.fawaaza.be
224 | statements.ssa.gov.ujbhgv.be
222 | statements.ssa.gov.fawaazv.be
209 | statements.ssa.gov.ujbhgc.be
199 | statements.ssa.gov.reedasj.be
197 | statements.ssa.gov.ujbhga.be
186 | statements.ssa.gov.reedaso.be
183 | statements.ssa.gov.fawaazq.be
181 | statements.ssa.gov.ujbhgj.be
170 | statements.ssa.gov.ujbhgq.be
166 | statements.ssa.gov.ujbhgx.be
161 | statements.ssa.gov.ujilld.be
160 | statements.ssa.gov.fawaazs.be
160 | statements.ssa.gov.ujillv.be
154 | statements.ssa.gov.ujillx.be
153 | statements.ssa.gov.uhyuhd.be
152 | statements.ssa.gov.ujbhgn.be
149 | statements.ssa.gov.fawaazr.be
147 | statements.ssa.gov.uhyuhu.be
144 | statements.ssa.gov.ujilln.be
136 | statements.ssa.gov.uhyuhl.be
132 | statements.ssa.gov.ujillc.be
131 | statements.ssa.gov.uhyuha.be
129 | statements.ssa.gov.ujillb.be
125 | statements.ssa.gov.ujills.be
125 | statements.ssa.gov.uhyuhj.be
125 | statements.ssa.gov.ujille.be
119 | statements.ssa.gov.uhyuhq.be
117 | statements.ssa.gov.ujillr.be
116 | statements.ssa.gov.gredfe.be
110 | statements.ssa.gov.reedasn.be
108 | statements.ssa.gov.ujillf.be
107 | statements.ssa.gov.uhyuhe.be
105 | statements.ssa.gov.gredve.be
101 | statements.ssa.gov.fawaazc.be
97 | statements.ssa.gov.reedasy.be
94 | statements.ssa.gov.grezfe.be
91 | statements.ssa.gov.uhyuho.be
86 | statements.ssa.gov.reedasu.be
83 | statements.ssa.gov.uhyuhg.be
76 | statements.ssa.gov.ujillw.be
75 | statements.ssa.gov.grenfe.be
74 | statements.ssa.gov.grewfe.be
72 | statements.ssa.gov.ujbhgk.be
58 | statements.ssa.gov.uhyuht.be
49 | statements.ssa.gov.ytttdsj.be
46 | statements.ssa.gov.ytttdsv.be
43 | statements.ssa.gov.ujbhgb.be
43 | statements.ssa.gov.ytttdsn.be
39 | statements.ssa.gov.reedash.be
38 | statements.ssa.gov.ytttdsk.be
38 | statements.ssa.gov.ytttdse.be
37 | statements.ssa.gov.ytttdsb.be
36 | statements.ssa.gov.ytttdsh.be
34 | statements.ssa.gov.ytttdsm.be
32 | statements.ssa.gov.ytttdsf.be
29 | statements.ssa.gov.ytttdso.be
29 | statements.ssa.gov.nionuie.be
28 | statements.ssa.gov.ytttdsy.be
27 | statements.ssa.gov.ytttdsu.be
27 | statements.ssa.gov.nionuis.be
26 | statements.ssa.gov.nionuia.be
25 | statements.ssa.gov.nionuig.be
22 | statements.ssa.gov.nionuiq.be
21 | statements.ssa.gov.nionuib.be
21 | statements.ssa.gov.nionuid.be


Looks serious. Let's pull a list of all the unique subjects:

select a.subject from spam a, spam_link b
where a.message_id = b.message_id and
b.machine like 'statements.ssa.gov%'
group by a.subject order by a.subject;

subject
----------------------------------------------------
Review annual Social Security statement
Review your annual Social Security statement
Watch for errors on Social Security statement
Watch for errors on your Social Security statement
(4 rows)

Pulling up some samples in an email tool shows us what the original emails looked like:



The emails claim that
Due to possible calculation errors, your annual Social Security statement may contain errors.

Use the link below to review your annual Social Security statement:


The emails say they came from:

"Social Security Administration auto-notifications@ssa.gov"

Next we visit the website to pull screen shots there as well:



After entering a (fake) Social Security Number, we are taking to another screen that offers us the option of "Generating a Report".



Clicking on "Generate Report" prompts us to download the malware:



Throwing that "statement.exe" to VirusTotal shows us a current detect rate of 5 out of 41 anti-virus products. This is very early in the detection cycle. There is no agreement on what this malware may be:

Authentium: W32/Bifrost.C.gen!Eldorado
AVG: Win32/Cryptor
F-Prot: W32/Bifrost.C.gen!Eldorado
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Trojan.H
Sunbelt: Trojan-Spy.Win32.Zbot.gen (v)

At this point none of the other AV products have a signature in place for this malware.

The malware file statistics:

File size: 129536 bytes
MD5...: 40469349c5be9033fd57f6e021e7d06e

Because so little is known about this malware, we then queue it as a "high priority item" for the UAB Malware Analysis group to look at. We'll be sure to update the blog with more information about the malware when it is available.

UAB Malware Brian Tanner confirmed for us that this is a Zbot trojan, and that it connects to the IP address 193.104.27.42, which has been used to deliver Zbot configuration files since at least October 26th.
Email ThisBlogThis!Share to XShare to Facebook
Posted in zbot | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 2009 Year in Review
    As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share bac...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Carder Christopher Schroebel gets Seven Years
    21 years old and thinking about Cybercrime as a career choice?  Think again.  Seattle-based U.S. Attorney Jenny Durkan told a press conferen...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • New BBC spam mocks Georgia's President, Spreads New Virus
    This morning we've received more than 300 copies of a new "BBC" spam campaign which mocks Georgia's President and spreads ...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Digital Certificates Update
    A quick update from the previous post. The Digital Certificates spam campaign against Merrill Lynch continues, but the good guys seem to be ...
  • ATM Cashers in 26 Countries steal $40M
    CBS News in New York has a video on their website this morning title Cyber-attacks behind possibly record-breaking bank heist . Former FBI ...
  • A New Year and Anti-Virus Products Are Still Losing
    One of our most popular blog posts in 2008 was back in August - Anti-Virus Products Still Fail on Fresh Viruses . I'm sad to report tha...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (92)
    • ►  December (12)
    • ▼  November (11)
      • IRS Spam Campaign leads to low detection malware
      • Beware Weekend Facebook Scam!
      • Some Jerk posted your photo - and now you're infec...
      • UAB Spam Data Mine finds Social Security Statement...
      • Fake Flash Player Zbot spread by "Your Domain"
      • Running out of Money Mules?
      • Zeus: Same Criminal, New Spam Infrastructure
      • Newest Zeus = NACHA: The Electronic Payments Assoc...
      • The $9 Million World-Wide Bank Robbery
      • Zeus / Zbot Malware moves Back to IRS
      • Zeus Malware Moves to Myspace
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile