Archive for 2009


First Facebook, now MySpace

By Gavin Neale  •  October 30th, 2009  •   Spam

This week we have seen Pushdo send a number of malicious spam campaigns impersonating Facebook and the FDIC. Today we began to see yet another malicious spam campaign from Pushdo, this time the spam emails claim to come from 'Myspace Service'. The volume of these is currently low and all messages have the subject line 'Myspace Password Reset Confirmation'.

The message claims that to provide safety, your MySpace password has been changed and that your new password is in the attachment.

Unsurprisingly the zip attachment does not contain a new password but an executable file that is the Zbot Trojan horse.

A couple of days after the last fake Facebook spam with malicious attachments, Pushdo began to send this Facebook spam with links to a website that asked users to download and run an update tool that was actually Zbot. If this trend continues it's possible that Pushdo will do the same thing again with a fake MySpace website or use another popular brand such as Twitter or Google.


Facebook Phish Also Distributes Zbot Trojan

By Rodel Mendrez  •  October 29th, 2009  •   Spam

With Facebook's growing popularity, the number of Facebook scams we have received recently has also increased. Yet another Facebook spam campaign is currently under way, which we believe originates from the Pushdo botnet. The scam appears to have two aims: to steal your Facebook account credentials and to distribute the Zbot (Zeus Bot) Trojan.

Opening the link from the message body is a step closer to your Facebook account being compromised. The link looks legitimate at first. But further inspection reveals a URL format like this:

http://www.facebook.com.<MALWARE DOMAIN>u/globaldirectory/LoginFacebook.php?ref=<RANDOM NUMBER>&email=<TARGET EMAIL ADDRESS>

Once you enter your username and password, you will be redirected to another fake Facebook page. The page instructs you to download an executable file that poses as a Facebook update tool. The executable file is none other than the Zbot trojan.

Two days ago, we warned about a Pushdo campaign with a zip attachment using the Facebook theme. The purpose of that spam campaign was to distribute the Bredolab Trojan. Social networking sites such as Facebook are very popular and most users are highly susceptible to these kinds of attacks. Always be vigilant when you receive emails like this. Always verify links and be extremely wary of downloading or opening any attached files, especially executable ones.


Beware New Pushdo Campaigns

By Gavin Neale  •  October 27th, 2009  •   Spam

Two new spam campaigns sent by the Pushdo botnet may trick users into installing malware on their PCs.

The first of these poses as an email from Facebook and contains a zip attachment. The email has the subject line 'Facebook Password Reset Confirmation' and states that your Facebook password has been changed and that your new password is in the attachment.

Inside the attached zip file is an executable file that if run will install Bredolab, a malicious downloader. One of the first things we saw this Trojan horse download was the Pushdo bot which began spamming out more of these Facebook password reset emails.

The second new campaign pretends to come from the Federal Deposit Insurance Corporation (FDIC), and claims that the bank you have an account with has been listed as a failed bank. This may not seem too far-fetched to some, especially when considering the number of banks that have been listed as failed by the FDIC in the past year.

We have seen the following subject lines:

FDIC alert: check your Bank Deposit Insurance Coverage
FDIC has officially named your bank a failed bank
you need to check your Bank Deposit Insurance Coverage

The fake FDIC email asks you to visit their website, by clicking on a link, to check your deposit insurance coverage. This link is not to the FDIC website but one of many fraudulent web sites set up to host this campaign.

The web site instructs the user to download their personal insurance file and also mentions that the files are self extracting, which may trick some users once they see that these documents are actually .exe files!

The links to both the PDF and the Word document point to a ZBot executable. Over the last several months Pushdo has been spreading ZBot with campaigns that have a strong social engineering component, backed up with well designed websites that offer the user plausible reasons to run a file. Some of these previous campaigns are the Michael Jackson campaign, the IRS scam seen over the last month and the server update scam seen a couple of weeks ago.


Server Update Scam Distributes Zbot Trojan

By Rodel Mendrez  •  October 13th, 2009  •   Spam

For two days now, the Pushdo botnet has been distributing malicious spam intended to cause infections with the Zbot Trojan. This latest campaign pretends to come from a system administrator who asks you to run an executable file disguised as a patch.

The URL format may at first look legitimate, since it uses the target's email address as part of the URL in the message body. But be wary: the link points to an executable file that is the Zbot Trojan, an information stealing piece of malware.

MailMarshal customers, and WebMarshal 6.5 customers with TRACEnet, are protected from this campaign with the latest updates.


Maazben: Best of Both Worlds

By Rodel Mendrez  •  October 7th, 2009  •   Spam

About 4 months ago, we discussed how proxy-based and template-based spambots work. Most of the spambots we see today use template-based spam engines. This is because proxy-based spambots do not work effectively behind NAT routers. Despite this fact, proxy-based bots are still very much alive.

One of the interesting bots we analyzed recently is Maazben. This bot utilizes both template-based and proxy-based spam engines. Maazben spam focuses exclusively on Casino spam and seems to target Russian and European email domains. So far, we’ve seen only the Virut and Sality downloaders responsible for distributing the Maazben executables.

Here is how Maazben works:

Figure 1: Maazben bot flowchart

Installation

When run, Maazben creates a mutex that serves as an infection marker on the compromised system. The mutex name usually carries the “S_SERV” prefix. It then allows the bot executable through the Windows Firewall by adding it to the authorized applications list with this registry key:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

<Bot executable> = “<Bot executable>:*:Enabled:ipsec”

The bot now registers its whereabouts to its control server by sending this HTTP GET request:

GET /utest/?jutr=16821&oo=2&936b4=407eec&ra=0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: <control server ip>
Cache-Control: no-cache

Behind the Router

Maazben is by default a proxy-based spambot. However, if it finds itself running behind a NAT router, it downloads another spambot executable that uses a template-based engine. The bot herders know that running a proxy-based bot behind a router would make it difficult for their control servers to initiate connections to the bot clients. In other words, a contingency plan.

When running behind a NAT router, Maazben retrieves a list of URLs where template-based spambots are served up.

Figure 2: URL list of encrypted spambot

Notice the .GIF file extension in Figure 2. The link is actually an encrypted executable file of the template-based spambot. Maazben then attempts to download one of the files from the URL list.

Figure 3: packet capture of an encrypted executable being downloaded

After downloading and decrypting the “.GIF” file, the downloaded spambot is executed on the compromised system. An encrypted spamming template is then retrieved from the control server.

Figure 4: An encrypted and decrypted version of the spam template

The spam template also includes a list containing hundreds of target email addresses and SMTP servers. In addition, the bot collects email addresses from the current user’s Outlook Windows Address Book and temporary internet files. It also checks whether the infected IP address has been listed by the following spam blacklists:

  • bl.spamcop.net
  • cbl.abuseat.org
  • list.dsbl.org
  • sbl-xbl.spamhaus.org
  • zen.spamhaus.org
  • combined.njabl.org
  • multihop.dsbl.org
  • blackholes.uceb.org
  • bl.csma.biz
  • db.wpbl.info
  • dnsbl.njabl.org
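The blacklist self-check described above is the same lookup a mail administrator runs to find out whether one of their own addresses has been listed. The following Python is an added example written for this page, not code from the post or from M86 Security Labs: it builds the reversed-octet query name for each zone in the list above, interprets the 127.0.0.0/8 answer convention, and takes an injectable resolver so it can be run offline against a constructed answer set (the `FAKE_ANSWERS` table and the address 203.0.113.7 are made up for the demonstration; several of the zones listed in the post are no longer operated, so live answers will differ).

```python
import socket

# The zones the post says the template-based bot consults, reproduced from the
# list above. Several no longer operate; only zones you have verified should be
# queried in production.
DNSBL_ZONES = [
    "bl.spamcop.net", "cbl.abuseat.org", "list.dsbl.org", "sbl-xbl.spamhaus.org",
    "zen.spamhaus.org", "combined.njabl.org", "multihop.dsbl.org",
    "blackholes.uceb.org", "bl.csma.biz", "db.wpbl.info", "dnsbl.njabl.org",
]


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: the IPv4 octets reversed, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted-quad expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def is_listing_answer(address):
    """A DNSBL signals a listing with an A record inside 127.0.0.0/8.
    Spamhaus uses 127.255.255.x to report an error (for example a query sent
    through an open resolver), so those answers are not listings."""
    return address.startswith("127.") and not address.startswith("127.255.255.")


def live_resolve(name):
    """Resolve a name to its IPv4 A records; [] when it does not exist."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_ip(ip, zones=DNSBL_ZONES, resolve=live_resolve):
    """Return the zones that list the address. `resolve` is injectable so the
    check can run offline against a constructed answer set."""
    listed = []
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if any(is_listing_answer(a) for a in answers):
            listed.append(zone)
    return listed


# Constructed answers for 203.0.113.7 (an RFC 5737 documentation address), not
# real DNSBL data: two listings, one refused-query error, everything else clean.
FAKE_ANSWERS = {
    "7.113.0.203.zen.spamhaus.org": ["127.0.0.4"],
    "7.113.0.203.bl.spamcop.net": ["127.0.0.2"],
    "7.113.0.203.sbl-xbl.spamhaus.org": ["127.255.255.254"],
}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    print(check_ip("203.0.113.7", resolve=fake_resolve))
```

Passing `resolve=live_resolve` (the default) performs real DNS lookups; the error-code check matters there, because an answer in 127.255.255.0/24 from Spamhaus means the query was refused, not that the address is listed.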

This is how the spam looks in your inbox.

Figure 5: Sample email

On the External Network

In a demilitarized zone or on the external network, the spammer’s control server has no problem initiating a connection to a proxy-based bot. In this case, the proxy bot typically registers itself with a control server, listens for incoming traffic and relays that traffic to its target.

As we mentioned earlier, by default Maazben is a proxy-based bot. Once it installs itself on the system, it then notifies its control server and listens on a rendezvous port waiting for spam traffic to relay to its target.

Figure 6: Maazben listening and waiting for incoming C&C relay connection.

Figure 7 shows the control server sending a request in SOCKS 4 protocol format, asking the bot to relay a spam message to a mail server on port 25.

Figure 7: Control server sends an initiation packet using SOCKS 4.
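To make the Figure 7 exchange concrete, here is an added Python example (written for this page, not code from the post or from M86 Security Labs) that parses a SOCKS 4 client request the way a honeypot or IDS module would, recognises the SOCKS 4a hostname variant, flags a CONNECT to an SMTP port as the relay pattern the post describes, and builds the server's granted/rejected reply. The two sample packets, the address 203.0.113.25, the hostname mx.example.net and the USERID "bot" are constructed for the example and are not taken from the post's capture.

```python
import struct
import ipaddress

COMMANDS = {1: "CONNECT", 2: "BIND"}


def parse_socks4_request(data):
    """Parse a SOCKS4/SOCKS4a client request.

    Layout: VN(1)=4 | CD(1) | DSTPORT(2, big-endian) | DSTIP(4) | USERID | NUL
    SOCKS4a: DSTIP is 0.0.0.x (x != 0) and a NUL-terminated hostname follows USERID.
    """
    if len(data) < 9:
        raise ValueError("request too short for SOCKS4")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 4:
        raise ValueError("not a SOCKS4 request (VN=%d)" % vn)
    dst_ip = ipaddress.IPv4Address(data[4:8])
    nul = data.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("USERID is not NUL-terminated")
    userid = data[8:nul].decode("ascii", "replace")
    hostname = None
    consumed = nul + 1
    if data[4:7] == b"\x00\x00\x00" and data[7] != 0:  # SOCKS4a marker
        end = data.find(b"\x00", consumed)
        if end == -1:
            raise ValueError("SOCKS4a hostname is not NUL-terminated")
        hostname = data[consumed:end].decode("ascii", "replace")
        consumed = end + 1
    return {
        "command": COMMANDS.get(cd, "UNKNOWN(%d)" % cd),
        "port": port,
        "ip": str(dst_ip),
        "hostname": hostname,
        "userid": userid,
        "length": consumed,  # bytes belonging to the request header
    }


def is_mail_relay_request(req):
    """A CONNECT to an SMTP port arriving at a proxy on an end-user machine is
    the relay pattern shown in Figure 7."""
    return req["command"] == "CONNECT" and req["port"] in (25, 465, 587)


def socks4_reply(granted):
    """Server reply: VN=0, CD=90 (granted) or 91 (rejected), then an unused
    port and address. Lets a honeypot answer a captured request."""
    return struct.pack("!BBH4s", 0, 90 if granted else 91, 0, b"\x00\x00\x00\x00")


# Constructed packets: a CONNECT to 203.0.113.25:25 with an empty USERID, and a
# SOCKS4a CONNECT to mx.example.net:25 with USERID "bot".
SAMPLE_SOCKS4 = b"\x04\x01\x00\x19" + bytes([203, 0, 113, 25]) + b"\x00"
SAMPLE_SOCKS4A = b"\x04\x01\x00\x19\x00\x00\x00\x01" + b"bot\x00" + b"mx.example.net\x00"

if __name__ == "__main__":
    for pkt in (SAMPLE_SOCKS4, SAMPLE_SOCKS4A):
        req = parse_socks4_request(pkt)
        print(req, "relay" if is_mail_relay_request(req) else "other")
```

Because SOCKS 4 carries no authentication beyond the free-form USERID, anything that can reach the rendezvous port can submit such a request; a host-based firewall that blocks unsolicited inbound connections to workstations removes the relay path entirely, which is exactly why the bot adds its own firewall exception during installation.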

Maazben spam messages seem to be mostly Casino spam. The language varies, including English, Russian and other European languages. Here is one sample from our spamtraps:

Figure 8. Email sample sent by Maazben spam proxy

Proxy-based spambots are somewhat old-school, but for the spammers behind the Maazben botnet it is simply a case of employing the best of both worlds.


Top Spam Affiliate Programs

By Gavin Neale  •  September 30th, 2009  •   Spam

An interesting paper was presented last week at the Virus Bulletin conference which gives an insight into spam affiliate programs. In particular, it highlighted the notorious ‘Canadian Pharmacy’ brand as being one of the oldest and largest programs around.

Affiliate programs are how most spammers make money. Once a member of an affiliate program, a spammer is given links or page templates to create their own web page, to which they drive potential customers with spam. The spammer makes a commission on each sale. Often affiliate programs have several different 'brands' from which members can choose to promote; for example, Canadian Pharmacy is just one of the brands created by the GlavMed organization.

For anyone monitoring spam, it is obvious that Canadian Pharmacy spam is the most widely spammed program. In our last Security Labs report in July we mentioned Canadian Pharmacy accounted for as much as 50 percent of spam. At M86 Security Labs, we have been doing more research into spam affiliate programs over the last few months.

Below is a chart showing the amount of spam received promoting each affiliate program or their brands. The chart data derives from a random sample taken over the last 48 hours. The results are broadly representative of what we typically have been seeing each day over the last several weeks.

As you can see, Canadian Pharmacy at between 60-70 percent is by far the most spammed program. Many of the top spam botnets, including Bobax, Gheg, Grum, MegaD, Pushdo, Rustock and Xarvester are currently sending spam with links to Canadian Pharmacy websites.

The IRS Scam category is not an affiliate program but a large campaign of malicious emails sent by the Pushdo botnet. As it is responsible for a rather large portion of spam we thought it fit to compare it to existing affiliate programs.

The overwhelming dominance of Canadian Pharmacy suggests tackling the underlying affiliate programs is one way to hamper spammers’ efforts. Although, as we saw last October when the US FTC took action against the SanCash (AKA GenBucks) affiliate program, the botnets were quick to find substitute affiliate programs.


Malware Analysis – Trojan Banker URLZone/Bebloh

By Daniel Chechik  •  September 30th, 2009  •   Malware

In our recent Cybercrime Intelligence report, we described a cybercriminal process of robbing money from bank accounts, using money mules and Trojans.

In this blog post, we will provide more technical detail about the Trojan Banker URLZone/Bebloh that they used.

URLZone is a Trojan kit that lets the attacker use the “URLZone Builder” to create a configuration file. This file contains precise orders for the bot, enabling the attacker to target any bank he wants (the Cybercrime Intelligence report describes how the bot activates the account). URLZone successfully bypassed the “One Time Password” protection used by German banks. This is a technique that gives the user a new password every time he logs into his account; its goal is to make the theft of usernames and passwords worthless. To succeed, the malware must run inside the browser, change the transaction parameters and fool the user into approving a fraudulent money transfer from his account.

Let’s now take a step-by-step look at how the Trojan operates.

Once the malware is executed, it copies itself to c:\uninstall02.exe. It then creates an ID and sends it with the version ID of the malware to the Command & Control (C&C) in order to confirm that the infected machine now contains the latest version of the malware.

The C&C logs the information and writes it to REQ[x].txt:
10:57:38 2009-09-24 GMT *****User ID**** ****IP****** 200908291825

Once the new executable is downloaded, it is copied to SYSTEM32 with a random name, marked hidden, and given the same timestamp as the operating system files.

Following is a screenshot of Virus Total scan results (2/41) for the latest generated malware:

It is important to mention that URLZone (just like Zeus/Zbot and others) cannot operate on its own, since it is just a bot that hooks into system processes and hides itself. The logic of the malware is found in the configuration file, in our case the INJECT file. The next step for the malware is downloading the configuration file.

Snippet code of the obfuscated configuration file:

The new generated configuration file is stored locally and is encrypted.

The malware itself doesn’t change any system files. In order to keep working after the victimized machine’s restart, it adds itself to the startup registry.

The malware registers itself as the “Debugger” value for the file “userinit.exe”. This ensures that every time “userinit.exe” is started, the malware runs instead.
The malware hooks itself into the “svchost.exe” process and checks the C&C server every 3 hours for new commands and updates. Behind the scenes, the malware checks every second whether a new instance of one of the following applications has been started:

  • myie.exe
  • iexplore.exe
  • firefox.exe
  • mozilla.exe
  • avant.exe
  • maxthon.exe
  • thebat.exe
  • explorer.exe

Once the malware recognizes that one of the above has been created, it hooks into it. The basic aim of the malware (even without the configuration file) is to collect any credentials the user submits over HTTPS.

In case you wonder why the malware doesn’t collect the credentials from all websites (even though they use HTTPS), the answer is simple: the malware uses techniques to evade security appliances. It limits itself to collecting data the user sends with the POST method in requests of less than 2,000 bytes, as shown below:
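The two registry changes described on this page, Maazben's firewall exception under AuthorizedApplications\List and URLZone's “Debugger” value on userinit.exe, both leave durable traces that a responder can triage from an exported registry hive. The Python below is an added example written for this page, not code from either post or from M86 Security Labs: it parses a “Windows Registry Editor Version 5.00” export and reports enabled firewall exceptions whose executable lives outside the Windows and Program Files directories, plus any Image File Execution Options key carrying a Debugger value (that key path is the standard Windows location for IFEO and is not given on the page). The sample export, the temp-directory path, `bot_placeholder.exe` and `randomname_placeholder.exe` are constructed placeholders, not artifacts from the samples analysed here.

```python
import re

# Firewall exception list named in the Maazben post, and the standard IFEO key
# (not given on the page) under which a "Debugger" value hijacks an executable.
FIREWALL_LIST_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
                     r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")
IFEO_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
TRUSTED_PATH_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg exports escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_lowercase: {value_name: string_data}}. Only REG_SZ values are kept."""
    reg = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('"') and raw.endswith('"'):
                reg[current][_unescape(name)] = _unescape(raw[1:-1])
    return reg


def triage(reg):
    """Return (category, subject, detail) findings for the two changes above."""
    findings = []
    for name, data in reg.get(FIREWALL_LIST_KEY, {}).items():
        # value data layout: <path>:<scope>:<Enabled|Disabled>:<display name>
        parts = data.rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, mode, display = parts
        if mode.lower() == "enabled" and not path.lower().startswith(TRUSTED_PATH_PREFIXES):
            findings.append(("firewall-exception", path, "scope=%s name=%s" % (scope, display)))
    for key, values in reg.items():
        if key.startswith(IFEO_KEY + "\\") and "Debugger" in values:
            exe = key.rsplit("\\", 1)[1]
            findings.append(("ifeo-debugger", exe, values["Debugger"]))
    return findings


# Constructed export (not from an infected machine): one legitimate firewall
# exception, one for an executable in a temp directory with the generic display
# name the Maazben post reports, and a Debugger value on userinit.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\bot_placeholder.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\bot_placeholder.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="C:\\WINDOWS\\system32\\randomname_placeholder.exe"
'''

if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

The path allowlist is deliberately crude; on a real system the stronger check is whether the executable named in the exception or Debugger value is signed and known, since Maazben's entry points at the bot binary itself and URLZone's Debugger value points at a randomly named file in SYSTEM32, which the prefix rule alone would not catch.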

So far the malware behavior is similar to many other Trojans. However, URLZone uses the delivered configuration file to manipulate the user. Once the user opens his browser, the malware decrypts the configuration file:

The decrypting algorithm is pretty simple:
    # XOR every byte of the configuration file with 0xFF; XOR is its own
    # inverse, so the same loop both encrypts and decrypts
    res = ""
    for i in configuration_file:
        res += chr(255 ^ ord(i))

Snippet code of the de-obfuscated configuration file:

The configuration file contains several sections, in this case for postbank.de (we can follow the malware's steps using the screenshots it takes on the victim’s machine and transmits to the C&C server):

The malware manages to hook in at the exact moment when the victim confirms his transaction. Once the user approves the transaction, the malware changes the details and sends them to the server.

From the configuration file we can see the following:

In order not to raise any suspicion, the malware verifies that the user will only see what he expects.

As can be seen in the screenshot above, the malware manipulates the statistic page of the user account, making it look like the transaction was completed successfully. However, if we take a look at the server side reports, we see exactly how much money was actually delivered.

As can be seen from the server log above, the malware identifies that the user is limited to a maximum transfer of 2000 Euro (INET_LIMIT=2000), so it transferred 1900 Euro (AMOUNT=1900.00) to the money mule account held in the DROPNAME variable.

The following screenshot shows the VirusTotal detection rate (5/41) for the latest version of the URLZone/Bebloh malware (29.9.09):
MD5: 27E8351A5B0BEA5EF15C6681007FDEE5


IRS Scam Still Ongoing

By Gavin Neale  •  September 22nd, 2009  •   Spam

We are still seeing malicious emails from a campaign that began several weeks ago on the Pushdo botnet. The emails pretend to come from the IRS and ask you to review your tax statement on the IRS website, a link to which is provided.

The URLs linked to in these emails all have the format 'http://www.irs.gov.[host domain]/fraud_application/directory/statement.php?'. So far in our TRACEnet system we have seen over 300 domains being used to host these websites.
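The IRS links above and the Facebook phish links in the post from October 29th share one trick: a trusted brand's domain is placed at the front of the hostname while the registrable domain belongs to the attacker. The following Python is an added example written for this page, not code from either post or from M86 Security Labs; it classifies a URL by comparing the brand labels in the hostname against the registrable domain, which is the check a mail gateway or link-rewriting proxy would apply. The brand allowlist, the sample URLs and the placeholder host domains (`example-malware-host.net`, `example-host.org`) are constructed for the example, and the registrable-domain logic assumes two-label TLDs (a production tool would use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Brands impersonated by the campaigns described in these posts, mapped to the
# registrable domain each one actually owns (assumed allowlist for this example).
BRAND_DOMAINS = ("facebook.com", "irs.gov")

# Constructed sample URLs in the shape the posts describe; the host domains are
# placeholders, not domains seen in the campaigns.
SAMPLE_URLS = [
    "http://www.facebook.com.example-malware-host.net/globaldirectory/LoginFacebook.php?ref=12345",
    "http://www.irs.gov.example-host.org/fraud_application/directory/statement.php?",
    "http://www.facebook.com/login.php",
    "https://www.irs.gov/individuals",
]


def registrable_domain(host):
    """Approximate the registrable domain as the last two DNS labels.

    Assumption: adequate for .com/.net/.org/.gov; a production tool should use
    the Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return (verdict, brand, registrable_domain) for a URL.

    'brand-prefix-spoof' means a known brand's domain appears as leading labels
    of the hostname while the registrable domain belongs to someone else, the
    pattern used by the fake-Facebook and fake-IRS links.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    dotted = "." + host + "."
    for brand in BRAND_DOMAINS:
        if reg == brand:
            return ("legitimate", brand, reg)
        if ("." + brand + ".") in dotted:
            return ("brand-prefix-spoof", brand, reg)
    return ("no-known-brand", None, reg)


def spoofed_urls(urls):
    """Return the URLs that use a brand's domain as a deceptive hostname prefix."""
    return [u for u in urls if classify_url(u)[0] == "brand-prefix-spoof"]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_url(u), u)
```

The registrable-domain comparison is done before the prefix search so that genuine subdomains of the brand (www.facebook.com, for instance) are never flagged; the order of the two checks is what keeps the false-positive rate at zero for legitimate links.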

The link takes you to the website below which asks you to download and execute a program in order to review your tax statement.

The executable file that we downloaded was not detected by most anti-virus programs. When run it installs the Zbot Trojan horse, which steals information from a victim's PC.

MailMarshal customers, and WebMarshal 6.5 customers with TRACEnet, are protected from this campaign with the latest updates.


Spambot wants to play Monopoly

By Rodel Mendrez  •  September 21st, 2009  •   Spam

To those people who love online games, especially Monopoly, be wary. This morning, we noticed a spam campaign that invites unsuspecting users to visit a website to play an online version of the famous board game Monopoly. The spam message may look similar to this:

When we visited the URL from the message body, the website appeared neat with instructions, trivia, and a little bit of the game history. However, the site also requires you to download a 13Kb "free application" in order to play.

The 13Kb executable "game application" was actually a downloader Trojan, packed with an unknown packer. Manually unpacking the file reveals another PE (portable executable) file that contains the control servers the downloader tries to communicate with in order to download additional malware:

The link from the Monopoly website that points to the Trojan binary changes from time to time. The second time we checked the link, it had updated its binary which now connected to a control server located at http://bcchart.net/progs/vjcqznnby/ and http://acmusicstore.com/progs/vjcqznnby/.

The trojan downloads a spambot that looks a lot like Rustock. Here is the packet capture which looks so familiar:

Below is a sample spam message that the spambot sends. The "newsletter" nature of it is vintage Rustock:


Pushdo delivers downloader trojan

By Rodel Mendrez  •  September 17th, 2009  •   Spam

It seems the Pushdo botnet never fades. In fact, with its latest spam campaigns, Pushdo has been very active in sending malicious emails with fake parcel notification themes. Our spam traps are currently receiving tens of thousands of such messages daily. The messages have a zip attachment that purports to be a parcel invoice or a document, similar to this, this and this. The attachment is actually the Bredolab Trojan, a notorious downloader capable of downloading scareware programs, password stealers, spambots, and just about anything the malware author wishes to place on the infected computer. Here are some sample emails we've seen:

The Bredolab trojan uses a legitimate-looking icon to disguise itself as a document file. But the more observant will notice that the file has an executable file extension, which makes it very suspicious.

As of this writing, the Bredolab samples we tested download the rogue antivirus software "Antivirus Pro 2010" from "gumertagionader.com".

This month, the Microsoft Malware Protection Center has added the Bredolab family to its Microsoft Software Removal Tool (MSRT) in response to the emergence of Pushdo’s fake parcel themed spam campaign. The MSRT release also includes cleanup for the password stealing trojan Daurso, which may also be downloaded by Bredolab, as well as Cutwail (Pushdo) itself.

These sorts of generic downloaders are becoming more problematic. If you get infected, your computer is then potentially open to a raft of other malware, which also means you may have a serious cleanup job to do.