Rise in Zeus spam campaigns (July 30, 2010)
Updated on August 02, 2010 11:30 AM PST
The SonicWALL UTM Research team has observed an increase in spam campaigns involving new variants of the Zeus banking Trojan in the last 24 hours. These spam campaigns introduced two new themes: a Social Security Annual Statement pretending to come from the Social Security Administration, and a Fraudulent Credit Card Transaction report pretending to come from an ATM Electronic Report system.
SonicWALL has received more than 100,000 e-mail copies from these spam campaigns so far. The email messages in all of these campaigns carry a zip-archived attachment that contains a new variant of the Zbot Trojan executable. The sample e-mail format from each spam campaign is shown below:
Campaign #1 – Social Security Annual statement
Attachment: statement.zip (contains statement.exe)
Subject: Review your annual Social Security statement
Email Body:
————————
Due to possible calculation errors, your annual Social Security statement may contain errors.
Open attached file to review your annual Social Security statement.
————————
The email message looks like:
Campaign #2 – Fraudulent Credit Card Transaction report
Attachment: report.zip (contains report.exe)
Subject: Possible Fraudulent Transaction
Email Body:
————————
Dear VISA card holder,
A recent review of your transaction history determined that your card was used at an ATM located in Peru, but for security reasons the requested transaction was refused. Please carefully review electronic report for your VISA card (attach to this letter)
————————
The email message looks like:
Campaign #3 – Password Reset
Attachment: password.zip (contains password.exe)
Subject: Password Reset Confirmation
Email Body:
————————
Hello,
Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.
Thanks,
————————
The email message looks like:
The executable files inside the attachments look like:
If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:
- Drops the following files:
  - (Application Data)\Adliudikz.exe – Detected as GAV: Zbot.ALYP (Trojan)
  - (Application Data)\Cutufymus.piz
- Registry modifications:
  - HKU\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = 0x00000000
  - HKU\Software\Microsoft\Windows\CurrentVersion\Run\{31F6212F-0693-C632-DA88-C26F74578F5F}: (Application Data)\Adliudikz.exe
- Network activity:
  - Downloads an encrypted configuration file from a predetermined Zeus C&C domain zephehooqu.ru – GET /bin/koethood.bin
  - Sends information to a predetermined Zeus C&C domain jocudaidie.ru – POST /9xq/_gate.php
- Deletes the original copy of the malware executable.
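As an added, defender-side example that is not part of the original advisory, the Python below flags the lure pattern shared by all three campaigns: a known subject line and a zip attachment that wraps an executable. The sample message is constructed in code and the file inside its archive is inert placeholder bytes, not the malware.

```python
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Subject lines of the three campaigns described above, normalised to lower case.
CAMPAIGN_SUBJECTS = {
    "review your annual social security statement",
    "possible fraudulent transaction",
    "password reset confirmation",
}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # never expected inside a mailed zip

def inspect_message(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message matches the zip-wrapped-executable lure."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in CAMPAIGN_SUBJECTS:
        reasons.append(f"subject matches known lure: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(b"PK\x03\x04"):
            continue  # trust the zip magic bytes, not the .zip extension
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                        reasons.append(f"attachment {name!r} contains executable {info.filename!r}")
        except zipfile.BadZipFile:
            reasons.append(f"attachment {name!r} has zip magic bytes but is not a valid archive")
    return reasons

def build_sample() -> bytes:
    """Construct a test message shaped like Campaign #1; the inner file is placeholder bytes."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("statement.exe", b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["Subject"] = "Review your annual Social Security statement"
    msg.set_content("Open attached file to review your annual Social Security statement.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip", filename="statement.zip")
    return bytes(msg)

if __name__ == "__main__":
    for reason in inspect_message(build_sample()):
        print("ALERT:", reason)
```

Feeding real mail through `inspect_message` at the gateway gives two independent signals, so a campaign that rotates its subject lines is still caught by the archive check.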
SonicWALL Gateway AntiVirus provided proactive protection against the above spam campaigns via the following signatures:
- GAV: Zbot.PSQ (Trojan) [1,611,630 hits recorded in last 24 hours]
- GAV: Suspicious#bredolab_3 (Trojan) [983,152 hits recorded in last 24 hours]
[Update – August 02, 2010] The SonicWALL UTM Research team observed a large spike in the Zeus spam campaign over the weekend, and SonicWALL Gateway AntiVirus continued to provide proactive protection via the following signature:
- GAV: Suspicious#bredolab_3 (Trojan) [15 million hits recorded in last 4 days]