Dear Cyber Criminals,
Isn't there someone out there doing something interesting besides the Zeus criminals?
Today we have yet another major spam campaign spreading malware, and yet again, its the same criminals trying to use social engineering to plant their password stealing and bank website altering software on your computer.
Today's campaign started out while I was breaking in a new pair of boots at Oak Mountain State Park by doing the Peavine Falls Green Trail, a nice set of hills. When I came back to my car I noticed a couple text messages asking about a new Zeus campaign. I checked Twitter and saw that Alex Eckelberry from Sunbelt (@alexeck) and WebSense Labs (@websenselabs) had both covered it. Yes, I am not always online! When I take vacation days I only work in the early morning and the evening!
The email subjects used by this spam campaign are:
Subject: hi
Subject: fw
Subject: hey
Subject: re
Subject: your photos
Subject: some jerk has posted your photos
Subject: some jerk has posted your pictures
The website addresses use randomization in the hostname to create an enormous number of possible URLs, all beginning with "archive", followed by 1 to 8 random digits, and a domain name. Some real examples would include:
The domain names we saw earlier include:
hlrtfeb.com
hlrtfec.com
hlrtfef.com
hlrtfeg.com
hlrtfeh.com
hlrtfek.com
hlrtfem.com
hlrtfen.com
hlrtfeo.com
hlrtfet.com
hlrtfeu.com
hlrtfey.com
uhbzal.com
uhczax.com
uhfzav.com
uhgzao.com
uhrzaf.com
uhszaa.com
uhtzar.com
uhvzac.com
uhwzaq.com
uhxzas.com
heddasb.eu
heddasc.eu
heddase.eu
heddask.eu
heddasl.eu
heddasm.eu
heddast.eu
heddasu.eu
heddasz.eu
salikub.eu
salikuc.eu
salikue.eu
salikuf.eu
salikuh.eu
salikui.eu
salikuj.eu
salikuk.eu
salikur.eu
salikus.eu
salikuu.eu
salikuv.eu
salikuy.eu
daaswev.eu
heddaso.eu
heddasp.eu
heddasq.eu
all with the path "/photo-hosting/
All of the initial domains seem to have been taken offline, but the criminal is starting up a second wave of domain names that we are now seeing in the UAB Spam Data Mine.
daaswea.eu
daasweb.eu
daaswec.eu
daaswed.eu
daaswee.eu
daaswef.eu
daasweg.eu
daasweh.eu
daaswer.eu
daaswet.eu
daaswev.eu
daaswex.eu
daaswey.eu
daaswez.eu
Here's a screenshot from a currently live website:
The malware which is currently dropping is "lightly detected" at VirusTotal, but not "poorly detected". A current VirusTotal report shows 15 of 41 detects with only Microsoft, Sunbelt, and Symantec properly labeling the malware as ZBot.
Here are some examples of the actual hostnames we've seen (and we've now seen more than 6,500 copies):
archive4.daaswea.eu
archive7004014104.daasweb.eu
archive9.daaswec.eu
archive69970154.daaswed.eu
archive98206261.daaswee.eu
archive71911819.daaswef.eu
archive091208.daasweg.eu
archive2312350.daasweh.eu
archive329947.daaswer.eu
archive85173554.daaswet.eu
archive69548414.daaswev.eu
archive062274583.daaswex.eu
archive3318.daaswey.eu
archive2720530501.daaswez.eu
archive445.heddasb.eu
archive432.heddasc.eu
archive907.heddase.eu
archive65975290.heddask.eu
archive4.heddasl.eu
archive90689245.heddasm.eu
archive634960.heddaso.eu
archive4450.heddasp.eu
archive6461304410.heddasq.eu
archive20.heddast.eu
archive5927620984.heddasu.eu
archive29613500.heddasz.eu
Rather than having a standard "From:" address, the criminals are mixing this up as well. Here are the last folks from which we received our copies of the spam -- of course these are all fakes created by the spambot:
"Montgomery" Montgomery@tppa.com
"Gayle Leal" Gayle.Leal@kotnet.org
"Erwin Deleon" Erwin.Deleon@altern.org
"Lovett" Lovett@portsevendomain.biz
"Lance Frank" Frank@pacbell.net
"Kendrick1924" Kendrick1924@168city.com
"Sparks1900" Sparks1900@phayze.com
"Timmons" Timmons@malaysia.net
"Fischer1981" Fischer1981@surfeador.com
"Lemuel Starks" Starks1956@aol.com
"Roman1992" Roman1992@mrg.com
"Alphonso Lockwood" Alphonso.Lockwood@mail15.com
"Reed1954" Reed1954@phayze.com
"Jorge Gonzalez" Jorge.Gonzalez@correo1.com
"Amparo.Rock" Amparo.Rock@computermail.net
"Lamar Jeffers" Jeffers@kichimail.com
"Gil Bonds" Bonds1992@purinmail.com
"Suarez" Suarez@arkansas.net
"Margarito Mcghee" Margarito.Mcghee@verizon.com
"Hodges" Hodges@kinki-kids.com
"Cleveland.Pritchard" Cleveland.Pritchard@regiomontano.com
"Josephine Saldana" Saldana1950@we-help-u.biz
"Allen Lee" Allen.Lee@aol.com
"Ott1987" Ott1987@we-help-u.biz
"Santos" Santos@singapore.net
"Mullins1993" Mullins1993@portsevendomain.biz
"Tim Walsh" Walsh@altern.org
"Andres Daly" Daly@free.fr
"Courtney.Dalton" Courtney.Dalton@kellychen.com
"Marsh1993" Marsh1993@atlanta.com
"Cornelia Wilkins" Cornelia.Wilkins@brainpod.com
"Berger" Berger@mail.com
"Lynn1929" Lynn1929@inodes.org
"Kristin.Costa" Kristin.Costa@myramstore.com
"Jewel Lockhart" Jewel.Lockhart@free.fr
"Roxie Tompkins" Tompkins@singapore.net
"Rodney Smallwood" Rodney.Smallwood@surrealismo.com
"IraIrwin" Irwin@fcta.com
"Gilliam" Gilliam@we-help-u.biz
"Calloway" Calloway@punkass.com
"Blackwell" Blackwell@norika-fujiwara.com
"Carmela Hanson" Carmela.Hanson@sesmail.com
"Chi.Benton" Chi.Benton@norika-fujiwara.com
"Andre.Burnette" Andre.Burnette@surfeador.com
"Alfonso.Poe" Alfonso.Poe@we-help-u.biz
0 comments:
Post a Comment