SonicWALL UTM Research team observed multiple spam campaigns of new Trojan downloader – Branvine.A starting June 2, 2009. The emails have a zip archived attachment which contains the new Trojan downloader variant.

SonicWALL has received more than 10,000 e-mail copies of this malware so far.

While the spammed e-mails and attachment name changed across the different spam campaign, the attachment payload only changed once on June 4, 2009.

When executed the Trojan attempts to connect to the domains below:

• biz-er.org
• full-free-xmovies.com
• mysex-adult.com

It tries to download files from above domains via following GET requests respectively:

• GET /cnf/bizzi11.exe

– Detected as GAV: Agent.BIZ (Trojan)

• GET /promo1/soft/install-1557.exe

– Detected as GAV: PrivacyCenter.DO_2 (Trojan)

• GET /promo1/soft/install-1557.exe

– Detected as GAV: PrivacyCenter.DO_2 (Trojan)

Sample e-mails for each spam campaign are shown below:

June 2, 2009 – Sample Email #1:

June 2, 2009 – Sample Email #2:

June 2, 2009 – Sample Email #3:

June 2, 2009 – Sample Email #4:

June 3, 2009 to June 4, 2009 – Sample Email #5:

The Trojan is also known as Trojan-Downloader.Win32.Murlo.bdc [Kaspersky], Trojan-Downloader.Win32.Branvine [IKarus], and Downloader-BPX trojan [McAfee]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Branvine.A (Trojan) signature. Total hits recorded since the release of this signature on June 2, 2009 – 2,318,091.

SonicWALL UTM Research team observed a new wave of the UPS invoice spam campaign starting late Wednesday night, May 27, 2009. The email has a zip archived attachment which contains the new ZBot Trojan variant.

SonicWALL has received more than 1,500 e-mail copies of this malware till date. The e-mail looks like:

Attachment: UPS_DOC_986001.zip (contains UPS_DOC_986001.exe) or UPSEXL_GEN99012.zip (contains UPSEXL_GEN99012.exe)

Subject: Postal Tracking # [15-digit alpha-numeric number]

Email Body:
————————
Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America
————————

The e-mail message looks like below:

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel sheet file:

The Trojan when executed performs following host level activity:

• Creates a directory (Windows System Folder)wbem
• Drops a copy of itself as (Windows System Folder)wbemgrpconv.exe
• Deletes the original file

It tires to connect to dollarpoint.ru domain and sends following HTTP request to it:

• dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

The Trojan is also known as trojan W32/Trojan3.AXD [F-Secure], Win32/Agent.PMJ trojan [ESET], and Spy-Agent.bw trojan [McAfee]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.JFG (Trojan) and GAV: Zbot.JFA (Trojan) signature.

Zeus, also known as Zbot, WSNPoem and NTOS is a crimeware kit. It offers its own cryptor that obfuscates the Trojan, making it difficult to detect. The cryptor creates a new binary file each time it is used, and these files are radically different from each other. SonicWALL blocks over 3,500 different binary variants of the Zeus Trojan.

Zeus is built for hijacking E-banking sessions, although it can steal credentials for any online services. The kit costs about $700 to purchase.

The Zeus Trojan is frequently installed through drive-by exploits or through spam mails that pretend to be invoices and contain a copy of the Trojan as an attachment.

Typically the Trojan is located on the system at:

• Variant A:
  • C:WINDOWSsystem32ntos.exe
  • C:WINDOWSsystem32wsnpoemaudio.dll
  • C:WINDOWSsystem32wsnpoemvideo.dll
• Variant B:
  • C:WINDOWSsystem32oembios.exe
  • C:WINDOWSsystem32sysproc64sysproc86.sys
  • C:WINDOWSsystem32sysproc64sysproc32.sys
• Variant C:
  • C:WINDOWSsystem32twext.exe
  • C:WINDOWSsystem32twain_32local.ds
  • C:WINDOWSsystem32twain_32user.ds

Zeus consists of three parts:

• Control Panel, which is installed on the server
• Builder, an application for Windows, is used to specify the configuration for the infector bot.
• Bot, Trojan for for Windows, infects the victim, then connects to the dropzone.

Zeus host consists of three components as well:

• a config file (usually with file extension *.bin)
• a binary file which contains the newest version of the trojan
• a dropzone (usually a php file)

The config file is an encrypted binary file that contains information necessary for the Zeus bot to update itself and instructions where to submit stolen data. Also, it has a list of sites to target, to avoid, and what code to inject into web pages.

Decoding Zeus Config

Zeus uses HTTP for command and control. It is built on PHP, mySQL. The system normally installs with a password protection scheme using HTTP basic authentication to protect the botnet. The Zeus botnet uses HTTP to communicate to its controlling servers by sending a POST message to the server. The response contains an encoded command.

The Zeus is capable of logging all network information, stealing banking data or credit card numbers, controlling the system, sending spam, or stealing passwords from Protected Storage. The collected info is sent to the dropzone via HTTP requests. Zeus can be re-configured, malware retrieves current configuration file from the dropzone.

It is a very effective stealer of user private and confidential information (form grabber), it can inject arbitrary HTML code into any website (also encrypted websites), can steal certificates and use screenshots to defeat virtual keyboards commonly used by financial institutions. It can also act as a proxy server via Socks 4/4a/5, even if compromised device is behind a NAT.

Zeus kit is a complete package, complex professional software with a team of Russian programmers actively developing it. Zeus’s “features under development” include:

• Compatibility with Windows Vista and Windows 7
• Random generation of configuration files to avoid generic detection”
• Console-based builder
• Full IPv6 support
• Detailed statistics on antivirus software and firewalls installed on the infected machines

Zeus even has its own EULA (end-user license agreement), in Russian.

Which translates roughly as follows:

• The user may not distribute the product in a commercial way.
• The user may not reverse-engineer the bot builder.
• The user may not use the control panel to control other botnets.
• The user may not deliberately share any portion of the code to anti-virus companies.
• The user must pay for any future features or improvements..

According to Zeus Tracker, the countries where most Zeus sites are hosted are USA, Russia, China, Ukraine and Latvia. More than half of the dropzones are hosted on bullet-proof hosting (providers that do not honor takedown requests).

The individuals behind Zeus are allegedly based in Europe, and known as the Rock Phish group. It is a criminal collective that has been targeting banks and other financial institutions since 2004. According to RSA, they are responsible for half of the worldwide phishing attacks and have siphoned tens of millions of dollars from individuals’ bank accounts. The group got its name from an old feature where phishers used directory paths that contained the word “rock.”

Antivirus companies have different names for Zeus threat, most common being: Trojan.Wsnpoem (Symantec), W32/Zbot (F-Secure), Trojan.Spy.Zeus (Bitdefender), TSPY_ZBOT (TrendMicro), NTOS.

SonicWALL has many signatures protecting from variants of Zeus malware, including: GAV: Zbot.HNO (Trojan) , GAV: ZBot.gen (Trojan) , GAV: Zbot.AEZ (Trojan) , GAV: Zbot.ABC (Trojan) , GAV: Zbot.CMS (Trojan) , GAV: Zbot.RL (Trojan) , GAV: Zbot.IXC (Trojan).

Zeus builder

Zeus admin panel

Some screenshots from www.abuse.ch:

Zeus admin panel

Zeus stats

Issuing a command

Online Bots

Browsing logs for stolen accounts

For more on ZEUS check out Zeus Tracker .

SonicWALL UTM Research team observed an increase in use of Gumblar drive-by attack on many popular websites.

Gumblar exploit is dynamically generated and varies not only from site to site, but also from page to page on the same site. It is also heavily obfuscated, making detection difficult. According to ScanSafe, Gumblar compromises are increasing – up 188% from last week. According to Sophos, Gumblar infections accounted for 42 percent of all infections found on websites last week.

This attack consists of two stages: the first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. These infections occur mostly through stolen or weak FTP logins. The second stage of this exploit happens when users visit the website infected by Gumblar. It attempts to load exploits in PDF and SWF (flash) files, and through those exploits infect the users with a Trojan. This Trojan can monitor network traffic and steal FTP logins, as well as meddle with Google search results.

At least 3,000 websites have been compromised. United States Computer Emergency Readiness Team (US-CERT), issued an alert about it: here (link to US-CERT).

The original version of this exploit loaded malicious content from a site in china called Gumblar.cn, which inspired the name ‘Gumblar’. Recently ‘gumblar.cn’ was shutdown, and the exploit evolved to load malicious payload from ‘martuz.cn’. The new version also detects the Google Chrome browser and avoids loading the exploit in it.

SonicWALL Gateway Antivirus detects Gumblar exploit with GAV: Suspicious#gumblar (Trojan) signature. This signature has 24,500 hits so far.

Gumblar malicious script is injected between the HEAD and BODY tags as seen in this screenshots:

Obfuscated:

Decoded:

Below are the hits on our signature: