Posts Tagged ‘ZeuS’


Don’t Pay Your Taxes

By Gavin Neale  •  December 5th, 2010  •   Malware

Or at least try to ensure that your money doesn’t end up in the hands of criminals using the Zeus crimeware kit, which could happen if you fall for this latest malicious email campaign targeting taxpayers. The emails are being sent from one of the Pushdo/Cutwail botnets and the campaign is very similar to the EFTPS one we previously blogged about. The main difference is the use of legitimate hacked websites and a range of exploits targeting vulnerabilities in client-side software such as Java and Adobe PDF readers.

The malicious email claims that your tax payment has been rejected and provides a link for you to check your information:

The link in the email, which appears to go to eftps.gov, actually goes to one of many web pages which have been uploaded to hacked web servers. The pages contain the obfuscated JavaScript shown below:

All of this script has the effect of adding just one new line of JavaScript to the current page: location.replace("http://[removed]autocom.ru/trafflit.php"). This code tells the browser to navigate to a new URL, which hosts the SEO exploit kit containing the JavaScript below.

This JavaScript checks whether Java (Oracle Java, not JavaScript) is enabled and then redirects the browser again, to the page rotator.php on the same server. Rotator.php contains exploits for four Java vulnerabilities and prompts you to download and open the file asshole.pdf. When opened in Adobe Reader, this PDF attempts to detect the Reader version and then launches an appropriate exploit if the detected version is known to be vulnerable.

The end goal of all these redirects and exploits is to install the notorious Zeus crimeware bot onto the victim’s machine. This is the VirusTotal report for the Zeus sample we collected. Zeus is well known for helping criminals steal login credentials as victims browse their online bank accounts, and for transferring money into accounts under the criminals’ control.


Changing Battlefield

By Vadim Pogulievsky  •  November 15th, 2010  •   Cybercrime

The success of the Zeus Trojan has led directly to the creation of the ZeusTracker project, and as of a few weeks ago, the SpyEye Tracker project was put into play.

So what’s left to say other than SpyEye is now in our midst…

Now that we agree about the success of the banking Trojans, let’s talk a little bit about one of its primary victims, that being the banks themselves.

A few months ago, the M86 Security Labs team discovered another SpyEye C&C server targeting one of the largest American banks. As part of the internal M86 disclosure policy, we contacted the bank to provide the detailed information we had discovered.

In this particular case of malicious activity, the SpyEye Trojan’s “install base” included more than 270,000 infections. The bank eventually confirmed that more than 200 bank accounts had been compromised.

True, there’s nothing new in this…

However, since it is far from the first time we have contacted banks to provide this type of information, we sat up and took notice of a gradual change in the way banks respond to our data.

Just a year ago, a bank’s response would have been akin to:

“Why contact us? Certainly this is a police issue!” or “Where are you from? Kindly talk to your local branch”. One bank questioned, “Where is the malicious server located? Eastern Europe? So, why are you contacting us?”

I believe everyone who has provided similar information to various banks has encountered the same sort of responses.

Today, the situation is conceptually different. Based on several recent cases, we can verify that the banks have begun to take this information much more seriously.

First, they’ve educated themselves on banking Trojans, a refreshing change. Second, they are ready to cooperate and convey a willingness to further investigate the information provided. For example, the SpyEye case mentioned above was a process that took less than a month with the bank. At the conclusion of the case, we received complementary information that was confirmed by the bank.

Without pretending to have accurate statistics, the change in the banks’ behavior is significant, and it is a result of the losses the banks have suffered, and continue to suffer, from this new type of banking Trojan activity.

The success of Zeus and SpyEye has caused numerous copycats to appear, such as the new Bugat, Carberp, and latest Feodo Trojans. The war that the banks were engaged in at the birth of cybercrime has become increasingly sophisticated. Given the new battle landscape, banks have begun to re-group their efforts in fighting back.


USAA Credential Phishing

By Gavin Neale  •  November 2nd, 2010  •   Spam

Today we started seeing a new phishing campaign which is being sent by the Cutwail spambot, targeting customers of the United States Automobile Association (USAA). Cutwail is the spamming component installed by the Pushdo botnet. The phishing emails ask the recipient to fill out a ‘confirmation form’ which they can access by clicking on a link in the message.

Phishing spam targeting USAA customers

To hide the URL of the phishing web page, these emails contain a link to one of several different URL shortening services such as http://bit.ly which redirect the browser to the actual phishing page.

The link ‘Access USAA Confirmation Form’ in the spam email above points to http://bit . ly/agWGNG. When we tested this link, bit.ly had already determined that there may be a problem with the URL it was redirecting to and displayed a warning page rather than redirecting us to the phishing page.

bit.ly warning page

If we choose to ignore this warning and continue to the un-shortened URL, we end up at the page below, a phishing website aimed at stealing information from USAA members. This page, titled ‘Cardholder Form’, asks the user to provide information such as their online ID, password, name, card number, card security code and PIN. When the user clicks the submit button, all of the details are sent to the criminals’ server and the user’s browser is redirected to the real USAA website.

The USAA phishing page

For now, this phishing site, which is hosted on the domain vsdfile (dot) ru, is not serving up any malicious content. USAA provides a banking and credit card service, which may be the intended target of these criminals once they have tricked a customer into divulging their cardholder details.

We have not seen one of these large-scale phishing campaigns from Cutwail for some time, as the cybercriminals switched to spamming out links to the data-stealing Zeus malware. With the recent high-profile arrests of several Zeus perpetrators, and all the subsequent public attention on Zeus, maybe phishing, where you politely ask for data instead of stealing it, will come back into fashion?


Malicious LinkedIn Campaigns Continue

By Phil Hay  •  September 30th, 2010  •   Spam

The malicious LinkedIn spam campaigns of the last few days are continuing in force. The source is the Pushdo botnet, which is back in full force following disruption to its operations last month. The campaigns mimic a LinkedIn update notification. Here is a sample from today:

LinkedIn Update with URL pointing to malicious web page

The malicious web page displays code that includes an iframe that loads the Phoenix exploit kit, which attempts to exploit the victim’s browser.

Web code includes iframe incorporating Phoenix exploit kit

The Phoenix admin login page was at the same server location as the index.php file.

Phoenix exploit kit login page at the same location

And, just in case the auto-exploit doesn’t work, the user is prompted to manually download flash_player_07.78.exe, which is none other than the Zeus (Zbot) data stealing trojan.

User prompted to install a "Flash Player"

This campaign is slicker than normal. The LinkedIn email and the Flash Player download image look convincing, signifying that these cybercriminals have taken it up a notch. Going by the number of URL hits we intercepted with our TRACEnet system, some users are falling for it too. Don’t be one of them.


Russian Pro-Spam Registrars

By Gavin Neale  •  September 22nd, 2010  •   Spam

Since CNNIC, China’s domain regulator, introduced stricter rules for domain registration at the end of last year, spammers have moved on to the Russian .ru TLD to register their spam domains. Similar rules that were apparently made effective on April 1st for Russian registrars do not seem to have had the same effect. Every day we see a continuous stream of newly registered .ru domains in spam email. In fact, in the last month one third of all unique domains we have seen in spam have been .ru domains. This is the highest proportion of any TLD, with .com the second highest accounting for just under one third of spammed domains.

Nearly all of these .ru domains are registered through two registrars, Naunet and Reg.ru (also known as NAUNET-REG-RIPN and REGRU-REG-RIPN).

Spammers generally advertise each domain for only a couple of hours and register new ones all the time. In the last month from spam alone we have seen over 4000 .ru domains registered through Naunet. These are hosting a variety of spam web sites including Ultimate replica, Dr Maxman, online casinos, Via grow and Eurosoft software.

We have also seen over 1800 domains registered through Reg.ru in spam over the last month, all of which lead to Canadian pharmacy websites. Reg.ru actually has a feature to register up to 600 domains at once, pretty useful for a spammer:

Reg.ru bulk domain registration. Translated via Google Translate.

These spammed web sites are generally non-malicious, in that they don’t try to exploit vulnerabilities on the visitor’s machine, although we’re not sure they would be so generous with your credit card details if you were to buy one of their ‘products.’ We have, however, seen domains registered with both of these registrars used as controllers for the Zeus crimeware kit. And recently, Naunet was used to register domains used as control servers for the Asprox botnet, although these were done on a much smaller scale than the spam domains.

Several anti-spam groups have already pointed out these registrars as the source of Russian spam domains, and noted that these registrars often ignore requests to suspend illegal domains. With domain blacklisting being a popular anti-spam measure, a continuous supply of fresh domains is vital for any spam operation. These sorts of registrars are making the business of spamming that much easier.


Statement About Infection of Macs by ZeuS

By Bradley Anstis  •  August 13th, 2010  •   Reports

In recent press coverage several industry publications and blogs stated that between 3,000 – 4,000 Mac OS machines had been infected with the latest ZeuS Trojan. We believe that this is an incorrect interpretation of Figure 3 from our recent M86 Security Labs report.

Figure 11, Admin Panel of Eleonore Exploit Kit
Figure 3: Stats from the Eleonore Exploit Kit Administrative Panel

Figure 3 does not show the number of infected computers. It is a screen shot of an exploit kit console that shows the number of times that the malicious page had been requested and identifies those visits by the type of operating system of the visitor’s computer. In this case, it shows that the exploit kit’s page was served to as many as 300,000 users of which 3,851 visits were from computers running Mac OS.


Customers of Global Financial Institution Hit by Cybercrime

By Bradley Anstis  •  August 10th, 2010  •   Reports

Today, we released a report of an attack targeting the UK customers of a global financial institution. This attack has been ongoing since early July, and our research has discovered that approximately 3000 customers of this financial institution have fallen victim to it. We’ve estimated that close to £675,000 GBP (over $1 Million USD) has been stolen from customer accounts.

The M86 Security Labs team detected this illegal operation after discovering a malicious code attack used to infect users’ PCs with a Trojan. The team then followed the trail to a Command & Control center. The research reveals that the cybercriminals used a combination of exploit kits, the new Zeus v3 Trojan, and money mule accounts to compromise user systems, successfully avoid anti-fraud systems, and rob bank accounts. The whole operation shows a high degree of technical sophistication and complexity, and highlights the continuing and escalating battle we have with cybercrime.

Our report exposes the architecture, business model, tools and methods used by the cybercriminal operation behind this attack. You can download a copy of the report here.

The image below illustrates one of the cybercriminals’ admin panels, showing financial transactions from compromised accounts sent to money mule accounts.

Admin panel showing financial transactions from compromised accounts sent to Money Mule accounts

M86 Security representatives have informed relevant law enforcement agencies of all criminal activities and methods used by the perpetrators of this attack.


PDF ‘Launch’ Feature Used to Install Zeus

By Gavin Neale  •  April 15th, 2010  •   Spam

Today we began seeing emails, like the one shown below, claiming to be from Royal Mail with an attached PDF file.

This PDF uses a feature, specified in the PDF format, known as a Launch action. A Launch action is intended to be used to run an application or to open or print a document. A security researcher recently discovered that this feature can be used to run an executable embedded within the PDF file.

This PDF also contains an attachment (PDFs can have an attachment embedded within them, just like emails) named Royal_Mail_Delivery_Notice.pdf, which has been compressed inside the PDF file. This attachment is actually an executable file and, if run, will install the Zeus bot. The image below shows part of this attachment within the PDF file; the start of the executable file is shown decompressed, in the red box.

The PDF uses the JavaScript function exportDataObject, shown below, to save a copy of the attachment to the user’s PC.

When this PDF is opened in Adobe Reader with JavaScript enabled, the exportDataObject function causes a dialog box to be displayed asking the user to “Specify a file to extract to”. The default file name is the name of the attachment, Royal_Mail_Delivery_Notice.pdf. This could be somewhat confusing to users, and, not really knowing what is happening, they may just click save (it appears as if they are just saving a PDF file, after all). Users of Foxit PDF Reader will get no warning and the attachment will be saved to the user’s Documents folder.

Once the exportDataObject function has completed, the Launch action is run. The Launch action is used to execute the Windows command interpreter (cmd.exe) and is given a command line to execute.

This command line searches for the previously saved Royal_Mail_Delivery_Notice.pdf file in some commonly used folders such as My Documents and Desktop and then tries to run the file. (Remember that this is actually the executable file.) Adobe Reader will pop up the box shown below and the command will only be run if the user clicks ‘Open’. The latest version of Foxit Reader (released April 1st) will display a similar warning; older versions will go ahead and execute the command without asking.

If this command is successfully run, the Zeus data stealing bot is installed. Although having the latest versions of Foxit and Adobe Reader will not protect you entirely from this feature, they do offer configuration settings and warnings before any program is launched. In Adobe Reader you can disable the opening of non-PDF attachments using the Trust Manager in the Preferences menu. You can also disable JavaScript in both readers to mitigate the impact of this and many other vulnerabilities.
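A triage scanner for the PDF structure described above (a Launch action, an embedded file stored in a compressed stream, and a JavaScript call to exportDataObject), written here as an added example; it is not M86’s detection logic or a MailMarshal rule. The PDF fixture is constructed inline, the embedded “executable” is only an MZ header, and the Launch command line is a placeholder.

```python
import re
import zlib

def flate_obj(num: int, extra: bytes, body: bytes) -> bytes:
    """Build 'num 0 obj' holding body as a FlateDecode stream (the post's attachment is stored this way)."""
    data = zlib.compress(body)
    return (b"%d 0 obj << %s /Filter /FlateDecode /Length %d >>\nstream\n" % (num, extra, len(data))
            + data + b"\nendstream\nendobj\n")

# Constructed fixture, not a working document: an embedded "executable" (just an MZ header),
# a JavaScript action calling exportDataObject, and a /Launch action with a placeholder command.
JS = b'this.exportDataObject({cName: "Royal_Mail_Delivery_Notice.pdf", nLaunch: 0});'
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /OpenAction 4 0 R /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
    b"2 0 obj << /Names [(Royal_Mail_Delivery_Notice.pdf) 3 0 R] >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (Royal_Mail_Delivery_Notice.pdf) /EF << /F 5 0 R >> >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS 6 0 R /Next 7 0 R >> endobj\n"
    + flate_obj(5, b"/Type /EmbeddedFile", b"MZ\x90\x00" + b"\x00" * 60)
    + flate_obj(6, b"", JS)
    + b"7 0 obj << /S /Launch /F (cmd.exe) /P ([command line removed]) >> endobj\n%%EOF\n"
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)

def inflate_streams(data: bytes) -> bytes:
    """Replace every FlateDecode stream body with its inflated content; leave other streams as-is."""
    def repl(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # not Flate (or corrupt): keep the raw bytes
    return STREAM_RE.sub(repl, data)

# One indicator per building block the post walks through.
INDICATORS = {
    "launch_action": rb"/S\s*/Launch\b",
    "embedded_file": rb"/EmbeddedFile\b",
    "javascript": rb"/S\s*/JavaScript\b|/JS\b",
    "export_data_object": rb"exportDataObject",
    "cmd_exe": rb"cmd\.exe",
    "pe_in_stream": rb"stream\r?\nMZ",  # attachment decompresses to a PE header, like the red box above
}

def scan_pdf(data: bytes) -> dict:
    """Return indicator hits plus a verdict; streams are inflated first so compressed JS is not missed."""
    text = inflate_streams(data)
    hits = {name: re.search(pat, text) is not None for name, pat in INDICATORS.items()}
    launch, attach = hits["launch_action"], hits["embedded_file"] or hits["export_data_object"]
    hits["verdict"] = "block" if launch and attach else "review" if launch or attach or hits["javascript"] else "clean"
    return hits
```

Scanning the raw bytes without inflating the streams would miss both the exportDataObject call and the MZ header, which is why the post’s attachment being compressed matters for detection.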

MailMarshal users with the Block Executable rule enabled will be protected from PDF attachments with executable attachments. SpamCensor version 431 and KnownThreats version 26 both protect MailMarshal users from PDFs using this Launch action and Executable attachment feature.
