Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 9 November 2009

Zeus Malware Moves to Myspace

Posted on 06:18 by Unknown
Beginning about 90 minutes ago, the Zeus malware, also known as Zbot, began a new spam distribution campaign to infect more victims. The newest campaign follows the model of last week's Facebook UpdateTool, only now targeting MySpace users.

This update is pretty much in "Breaking News" mode at the moment, we haven't yet run the malware through the lab for a full analysis, but here's what we can tell you so far:

1. There are 30 recently created domains being used as targets in the spam messages. Here are the host names we've seen so far in spam messages:

accounts.myspace.com.deaaaf.co.uk
accounts.myspace.com.deaaaf.me.uk
accounts.myspace.com.deaaaf.org.uk
accounts.myspace.com.deaaag.me.uk
accounts.myspace.com.deaaag.org.uk
accounts.myspace.com.deaaas.me.uk
accounts.myspace.com.deaaas.org.uk
accounts.myspace.com.iiolii.co.uk
accounts.myspace.com.iiolii.me.uk
accounts.myspace.com.iiolii.org.uk
accounts.myspace.com.iiolik.co.uk
accounts.myspace.com.iiolik.me.uk
accounts.myspace.com.iiolik.org.uk
accounts.myspace.com.iiolio.co.uk
accounts.myspace.com.iiolio.me.uk
accounts.myspace.com.iiolio.org.uk
accounts.myspace.com.iioliu.co.uk
accounts.myspace.com.iioliu.me.uk
accounts.myspace.com.iioliu.org.uk
accounts.myspace.com.ttesza.co.uk
accounts.myspace.com.ttesza.org.uk
accounts.myspace.com.tteszf.co.uk
accounts.myspace.com.tteszf.me.uk
accounts.myspace.com.tteszf.org.uk
accounts.myspace.com.tteszg.co.uk
accounts.myspace.com.tteszg.me.uk
accounts.myspace.com.tteszg.org.uk
accounts.myspace.com.tteszk.co.uk
accounts.myspace.com.tteszk.me.uk
accounts.myspace.com.tteszk.org.uk

2. Spam messages are using a variety of subject lines, including:

message id #5332015152732 (note: each message has a random id #)
MySpace Account update
Please update your MySpace account
Update your MySpace account
You are required to update your MySpace account
Your MySpace account

3. The text of the email messages contains:

Dear MySpace user!

Please be informed that you are required to update your MySpace account.

Please update your MySpace account by clicking here:

http://accounts.myspace.com.iiolii.me.uk/msp/index.php?fuseaction=update&code=(random)&email=(email address)

If you're unable to click on the link above, copy and paste it into your browser's address bar.

-------------------------

At MySpace we care about your privacy. This email is never sent unsolicited.

If you think you've received this email in error, or if you have any questions or concerns regarding your privacy, please contact us at:

privacy@myspace.com

MySpace, Inc.
8391 Beverly Blvd. #349
Los Angeles, CA 90048
USA

©2003-2009 MySpace.com. All Rights Reserved.


4. The websites look like this:



5. Logging in takes you to a page that looks like this:



6. The malware is NOT being distributed from these sites. The malware link actually points to a domain created this morning called:

myspace-files.com

which was registered through "Answerable.com", using PrivacyProtection.

We tried to give Answerable a call, but the crappy VOIP forwarding service they are using to connect to their technical support left me with an agent crackling and saying "I'm sorry, I can't understand you." On the third try, I got a very helpful woman in India who referred me to "support.publicdomainregistry.com" to fill out an abuse desk. We've requested that the domain be terminated.

A VirusTotal report shows that while most of the AV products do not yet detect this malware (14 of 41 can detect it), those which do label it either as Zbot or Bifrost.

File size: 108544 bytes
MD5 : 9014141626efee1175ebee3135f3accf

First Update: 10:20 AM


The malware is now back on the same server as advertised by the spam. Seems something happened to their old malware domain. (evil grin). The new path is:

/msp/updatetool.exe

A Fresh VirusTotal Report shows that the malware has changed in both size and signature. Detection is still 14 of 41, but its a different 14.

File size: 105472 bytes
MD5 : 4c7693219eaa304e38f5f989a8346e51

Second Update: 4:20 PM



There have been sixty-nine unique domains seen in this campaign so far today. The currently live domains at this timestamp are:

accounts.myspace.com.iuuuujef.co.uk
accounts.myspace.com.iuuuujef.me.uk
accounts.myspace.com.iuuuujef.org.uk
accounts.myspace.com.iuuuujeg.co.uk
accounts.myspace.com.iuuuujeg.me.uk
accounts.myspace.com.iuuuujeg.org.uk
accounts.myspace.com.iuuuujek.co.uk
accounts.myspace.com.iuuuujek.me.uk
accounts.myspace.com.iuuuujek.org.uk
accounts.myspace.com.iuuuujer.co.uk
accounts.myspace.com.iuuuujer.me.uk
accounts.myspace.com.yyyyiuj.co.uk
accounts.myspace.com.yyyyiuj.me.uk
accounts.myspace.com.yyyyiuj.org.uk
accounts.myspace.com.yyyyiuk.co.uk
accounts.myspace.com.yyyyiuk.me.uk
accounts.myspace.com.yyyyiuk.org.uk
accounts.myspace.com.yyyyiuo.co.uk
accounts.myspace.com.yyyyiuo.me.uk
accounts.myspace.com.yyyyiuo.org.uk
accounts.myspace.com.yyyyiur.co.uk
accounts.myspace.com.yyyyiur.me.uk
accounts.myspace.com.yyyyiur.org.uk


These have been reported to the Fox Interactive Media and MySpace abuse teams for termination.
Email ThisBlogThis!Share to XShare to Facebook
Posted in zbot | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • Minipost: IPR Center celebrates Cyber Monday
    The National Intellectual Property Rights Center (IPR Center) announced today that in celebration of Cyber Monday, they have Seized 82 Domai...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Work at Home . . . for a Criminal?
    How do you tell if a "Work at Home" invitation is a scam? Here's a clue: It comes in your email. In today's Blog, I tho...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (92)
    • ►  December (12)
    • ▼  November (11)
      • IRS Spam Campaign leads to low detection malware
      • Beware Weekend Facebook Scam!
      • Some Jerk posted your photo - and now you're infec...
      • UAB Spam Data Mine finds Social Security Statement...
      • Fake Flash Player Zbot spread by "Your Domain"
      • Running out of Money Mules?
      • Zeus: Same Criminal, New Spam Infrastructure
      • Newest Zeus = NACHA: The Electronic Payments Assoc...
      • The $9 Million World-Wide Bank Robbery
      • Zeus / Zbot Malware moves Back to IRS
      • Zeus Malware Moves to Myspace
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile