Monday, January 18, 2010

Sendspace Zbot spreader a Flashback to Dec 15-20

From December 15th to December 20th, the top Zbot or "Zeus" trojan spreader was a spam email campaign which claimed to have news about a photo that may depict the recipient. The "photo" was actually called "photo.exe" and the website from which it was to be downloaded was intended to look like "Sendspace.com", a popular file sharing service.

Beginning early in the morning of January 16th, the UAB Spam Data Mine began to notice that the Sendspace version of Zeus may be making a return. On January 16th, we received six copies of the spam, nearly identical to those received December 15-20. They came between 6:15 and 8:30 AM, and then stopped.

The spam messages ask a variant of a question such as:

Hey! Is this photo yours?

with subjects such as:
Fw:your photo
Re:your photo
Re:
Fw:look

and provide a link, supposedly to a "sendspace" page, where you can see the photo.

On January 17th, we saw another burst, beginning shortly after 8:00 AM, and ending about 10:15 AM, with 90 messages being received.

Then at 11:15 PM on January 17th the real campaign began, and it has been flowing ever since, on a clearly rising trend: we've seen just over 700 copies today so far.

The hostnames in the URLs we've seen in the spam are these:

www.sendspace.com.iko999j0.com.pl
www.sendspace.com.iko999j0.compl
www.sendspace.com.iko999j1.com.pl
www.sendspace.com.iko999j1.compl
www.sendspace.com.iko999j1com.pl
www.sendspace.com.iko999j2.com.pl
www.sendspace.com.iko999j2.compl
www.sendspace.com.iko999j3.com.pl
www.sendspace.com.iko999j3com.pl
www.sendspace.com.iko999j4.com.pl
www.sendspace.com.iko999j5.com.pl
www.sendspace.com.iko999j5.compl
www.sendspace.com.iko999j6.com.pl
www.sendspace.com.iko999j6.compl
www.sendspace.com.iko999j7.com.pl
www.sendspace.com.iko999j7.compl
www.sendspace.com.iko999j7com.pl
www.sendspace.com.iko999j8.com.pl
www.sendspace.com.iko999j9.com.pl
www.sendspace.com.iko999j9com.pl
www.sendspace.com.iko999je.com.pl
www.sendspace.com.iko999je.compl
www.sendspace.com.iko999jq.com.pl
www.sendspace.com.iko999jqcom.pl
www.sendspace.com.iko999jr.com.pl
www.sendspace.com.iko999jrcom.pl
www.sendspace.com.iko999jt.com.pl
www.sendspace.com.iko999jw.com.pl
www.sendspace.com.iko999jw.compl
www.sendspace.com.iko999jwcom.pl
www.sendspace.comiko999j1.com.pl
www.sendspace.comiko999j4.com.pl
www.sendspace.comiko999j5.com.pl
www.sendspace.comiko999j7.com.pl
www.sendspace.comiko999j8.com.pl
www.sendspace.comiko999j9.com.pl
www.sendspace.comiko999je.com.pl
www.sendspace.comiko999jq.com.pl
www.sendspacecom.iko999j1.com.pl
www.sendspacecom.iko999j4.com.pl
www.sendspacecom.iko999j6.com.pl
www.sendspacecom.iko999j7.com.pl
www.sendspacecom.iko999j8.com.pl
www.sendspacecom.iko999j9.com.pl
www.sendspacecom.iko999je.com.pl
www.sendspacecom.iko999jw.com.pl
wwwsendspace.com.iko999j1.com.pl
wwwsendspace.com.iko999j3.com.pl
wwwsendspace.com.iko999j4.com.pl
wwwsendspace.com.iko999j7.com.pl
wwwsendspace.com.iko999j8.com.pl
wwwsendspace.com.iko999j9.com.pl

Note the typos? Every one of them is a dropped dot somewhere in the hostname: ".compl" instead of ".com.pl", "iko999j1com.pl" instead of "iko999j1.com.pl", "sendspace.comiko999j1" instead of "sendspace.com.iko999j1", "sendspacecom" instead of "sendspace.com", and "wwwsendspace" instead of "www.sendspace". Not all of these break the link. The registered domain here is iko999jX.com.pl, so a dropped dot to the left of it ("wwwsendspace", "sendspacecom") still resolves if the domain is served with wildcard DNS, while a dropped dot inside the registered part (".compl" is not a TLD; "iko999j1com.pl" and "comiko999j1.com.pl" are different, presumably unregistered domains) produces a hostname that goes nowhere. That is why the bad guys do test runs such as the ones we saw on the 16th and 17th: they need to get their bugs worked out.

The webpage looks like this (screenshot of the fake Sendspace download page, not reproduced here).

While they are at it, perhaps they'll remember to update their malware as well. The version being distributed in this campaign is the same version that was being distributed when the campaign ended on December 20th, which means that 34 out of 41 anti-virus products can detect it, according to the VirusTotal report for the sample.

The websites also carry a secondary infector. An IFRAME in the page source loads content from a malicious site at "gerolli.co.uk". Last go-around it pulled a file from the "/2img/" subdirectory there; this time it's pulling "/3img/in.php", which when loaded causes "pdf.pdf" to be dropped on the machine, which in turn leads to a fake anti-virus product being installed within a few minutes.
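The two checks the last few paragraphs call for, as an added example that is not code from the UAB post: a hostname classifier that tells the real sendspace.com apart from lookalikes that bury the brand under someone else's domain (and from the dropped-dot typos that cannot resolve at all), and an IFRAME scanner that flags frames in a captured landing page which load from another domain or are hidden, the way the gerolli.co.uk secondary infector is wired in. The suffix table is a hand-written stand-in for the Public Suffix List (an assumption; use the real PSL in production), and the sample HTML is constructed for the example, since the post does not reproduce the real page's markup.

```python
"""Triage helpers for the fake-Sendspace campaign (added example, not code
from the UAB post). The suffix table below is a partial stand-in for the
Public Suffix List and the sample page is constructed, not captured."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Only the public suffixes that occur in the post's hostname lists (assumption).
KNOWN_SUFFIXES = {"com.pl", "co.uk", "me.uk", "org.uk", "co.kr", "jpn.com",
                  "kr.com", "no.com", "uy.com", "pl", "be", "com", "net",
                  "uk", "kr", "ru"}
BRAND = "sendspace.com"


def split_host(host):
    """Return (registrable_domain, prefix_labels), or None when the host ends
    in a suffix we do not know and therefore cannot resolve (e.g. ".compl")."""
    labels = host.lower().strip(".").split(".")
    for n in (2, 1):                      # longest suffix first: com.pl beats pl
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-n - 1:]), labels[:-n - 1]
    return None


def classify(host, brand=BRAND):
    """'legitimate', 'lookalike', 'malformed' or 'unrelated' for one hostname."""
    parts = split_host(host)
    if parts is None:
        return "malformed"                # www.sendspace.com.iko999j0.compl
    registrable, _prefix = parts
    if registrable == brand:
        return "legitimate"               # www.sendspace.com itself
    # Compare with dots stripped so the dot-dropping typos still match.
    if brand.replace(".", "") in host.lower().replace(".", ""):
        return "lookalike"                # brand string under a foreign domain
    return "unrelated"


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append(dict(attrs))


def suspicious_iframes(page_url, html):
    """List iframes that are off-site (different registrable domain from the
    page) or hidden (zero width/height or display:none), with the reasons."""
    page_host = urlsplit(page_url).hostname or ""
    page_parts = split_host(page_host)
    page_dom = page_parts[0] if page_parts else page_host
    collector = _IframeCollector()
    collector.feed(html)
    hits = []
    for f in collector.frames:
        src = f.get("src")
        if not src:
            continue
        abs_src = urljoin(page_url, src)  # resolve relative frame sources
        host = urlsplit(abs_src).hostname or ""
        parts = split_host(host)
        reasons = []
        if (parts[0] if parts else host) != page_dom:
            reasons.append("off-site")
        width = (f.get("width") or "").strip()
        height = (f.get("height") or "").strip()
        style = (f.get("style") or "").replace(" ", "").lower()
        if "0" in (width, height) or "display:none" in style:
            reasons.append("hidden")
        if reasons:
            hits.append({"src": abs_src, "host": host, "reasons": reasons})
    return hits


# Constructed sample inputs (not captured from the campaign).
SAMPLE_HOSTS = ["www.sendspace.com.iko999j0.com.pl",
                "www.sendspace.com.iko999j0.compl",
                "wwwsendspace.com.iko999j1.com.pl",
                "www.sendspace.com"]
SAMPLE_PAGE_URL = "http://www.sendspace.com.iko999j0.com.pl/"
SAMPLE_HTML = """<html><body>
<h1>Your file is ready</h1><a href="photo.exe">Download photo.exe</a>
<iframe src="http://gerolli.co.uk/3img/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="/help/faq.html" width="468" height="60"></iframe>
</body></html>"""

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{classify(h):10s} {h}")
    for hit in suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(hit)
```

Run against the January list, classify() marks every host as a lookalike except the ".compl" ones, which come back malformed; split_host() also shows which registered domain each hostname actually depends on, so the "iko999j1com.pl" and "comiko999j1.com.pl" variants stand out as separate, unregistered domains. The dot-stripped brand match is deliberately loose (it would also flag an unrelated host whose flattened name happens to contain "sendspacecom"), which is the right trade-off for a spam-feed triage heuristic but not for an automated blocklist without review.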

The Zeus bot uses "stomaid.ru" as its Command & Control - just as it has since December 9th.

The computers hosting the "sendspace" version of this webpage are also hosting the "USAA" version that we discussed in yesterday's article, USAA Bank Latest Avalanche Scam.

If you want to see the December version websites, they are listed below:

www.sendspace.com.1citvil1.be
www.sendspace.com.beermeetibe
www.sendspace.com.beermeeti.be
www.sendspace.com.dftjilllcom
www.sendspace.com.dftjilll.com
www.sendspace.com.dftjilllnet
www.sendspace.com.dftjilll.net
www.sendspace.com.fbermeetibe
www.sendspace.com.fbermeeti.be
www.sendspace.com.fbsftiilcom
www.sendspace.com.fbsftiil.com
www.sendspace.com.fbsftiilnet
www.sendspace.com.fbsftiil.net
www.sendspace.com.febrmeeti.be
www.sendspace.com.feeekyyiebe
www.sendspace.com.feeekyyie.be
www.sendspace.com.feeetyyiebe
www.sendspace.com.feeetyyie.be
www.sendspace.com.feeezkyiebe
www.sendspace.com.feeezkyie.be
www.sendspace.com.feeeztyiebe
www.sendspace.com.feeeztyie.be
www.sendspace.com.feeezykiebe
www.sendspace.com.feeezykie.be
www.sendspace.com.feeezytiebe
www.sendspace.com.feeezytie.be
www.sendspace.com.feeezyyiebe
www.sendspace.com.feeezyyie.be
www.sendspace.com.feeezyyikbe
www.sendspace.com.feeezyyik.be
www.sendspace.com.feeezyykebe
www.sendspace.com.feeezyyke.be
www.sendspace.com.feekzyyie.be
www.sendspace.com.feermeetibe
www.sendspace.com.feermeeti.be
www.sendspace.com.feetzyyie.be
www.sendspace.com.fekezyyiebe
www.sendspace.com.fekezyyie.be
www.sendspace.com.fetezyyie.be
www.sendspace.com.ffmjilllcom
www.sendspace.com.ffmjilll.com
www.sendspace.com.ffmjilllnet
www.sendspace.com.ffmjilll.net
www.sendspace.com.ffmjtlllcom
www.sendspace.com.ffmjtlll.com
www.sendspace.com.ffmjtlllnet
www.sendspace.com.ffmjtlll.net
www.sendspace.com.ffmjttllcom
www.sendspace.com.ffmjttll.com
www.sendspace.com.fftjilllcom
www.sendspace.com.fftjilll.com
www.sendspace.com.fftjilllnet
www.sendspace.com.fftjilll.net
www.sendspace.com.fkeezyyiebe
www.sendspace.com.fkeezyyie.be
www.sendspace.com.ftcftiilcom
www.sendspace.com.ftcftiil.com
www.sendspace.com.ftcftiilnet
www.sendspace.com.ftcftiil.net
www.sendspace.com.fteezyyiebe
www.sendspace.com.fteezyyie.be
www.sendspace.com.ftsftiilcom
www.sendspace.com.ftsftiil.com
www.sendspace.com.ftsftiilnet
www.sendspace.com.ftsftiil.net
www.sendspace.com.ftsftiitcom
www.sendspace.com.ftsftiit.com
www.sendspace.com.ftsftiitnet
www.sendspace.com.ftsftiit.net
www.sendspace.com.ftsftiulcom
www.sendspace.com.ftsftiul.com
www.sendspace.com.ftsftiulnet
www.sendspace.com.ftsftiul.net
www.sendspace.com.ftsftkilcom
www.sendspace.com.ftsftkil.com
www.sendspace.com.ftsftkilnet
www.sendspace.com.ftsftkil.net
www.sendspace.com.ftsftmilcom
www.sendspace.com.ftsftmil.com
www.sendspace.com.ftsfttilcom
www.sendspace.com.ftsfttil.com
www.sendspace.com.ftsfttilnet
www.sendspace.com.ftsfttil.net
www.sendspace.com.hcitvil1.be
www.sendspace.com.hreseet01.be
www.sendspace.com.hufteejkibe
www.sendspace.com.hufteejki.be
www.sendspace.com.i1itvil1.be
www.sendspace.com.ic1tvil1.be
www.sendspace.com.ichtvil1.be
www.sendspace.com.ici1vil1.be
www.sendspace.com.icihvil1.be
www.sendspace.com.icit1il1.be
www.sendspace.com.icithil1.be
www.sendspace.com.icitv1l1.be
www.sendspace.com.icitvhl1.be
www.sendspace.com.icitvi11.be
www.sendspace.com.icitvih1.be
www.sendspace.com.icitvil1.be
www.sendspace.com.ihitvil1.be
www.sendspace.com.ireheet01.be
www.sendspace.com.ireseet01.be
www.sendspace.com.ireseht01.be
www.sendspace.com.iresehtt1.be
www.sendspace.com.iresett01.be
www.sendspace.com.ireshet01.be
www.sendspace.com.ireteht01.be
www.sendspace.com.irhseet01.be
www.sendspace.com.iteseht01.be
www.sendspace.com.jtualasabe
www.sendspace.com.jtualasa.be
www.sendspace.com.juzeepee0.jpn.com
www.sendspace.com.kjifatilacom
www.sendspace.com.kjifatila.com
www.sendspace.com.ktualasabe
www.sendspace.com.ktualasa.be
www.sendspace.com.lhfteejkibe
www.sendspace.com.lhfteejki.be
www.sendspace.com.lipskuiil.com
www.sendspace.com.lipskuiil.jpn.com
www.sendspace.com.lipskuiil.kr.com
www.sendspace.com.lipskuiil.no.com
www.sendspace.com.lipskuiil.uy.com
www.sendspace.com.lufheejkibe
www.sendspace.com.lufheejki.be
www.sendspace.com.lufteejkibe
www.sendspace.com.lufteejki.be
www.sendspace.com.lufteejkvbe
www.sendspace.com.lufteejkv.be
www.sendspace.com.lufteejvibe
www.sendspace.com.lufteejvi.be
www.sendspace.com.lufteevkibe
www.sendspace.com.lufteevki.be
www.sendspace.com.luftevjkibe
www.sendspace.com.luftevjki.be
www.sendspace.com.lufthejkibe
www.sendspace.com.lufthejki.be
www.sendspace.com.luhteejkibe
www.sendspace.com.luhteejki.be
www.sendspace.com.mjifatilacom
www.sendspace.com.mjifatila.com
www.sendspace.com.mjifatilwcom
www.sendspace.com.mjifatilw.com
www.sendspace.com.mjifatiwacom
www.sendspace.com.mjifatiwa.com
www.sendspace.com.mjifatwlacom
www.sendspace.com.mjifatwla.com
www.sendspace.com.mjifawilacom
www.sendspace.com.mjifawila.com
www.sendspace.com.mjifwtilacom
www.sendspace.com.mjifwtila.com
www.sendspace.com.mjiuatilacom
www.sendspace.com.mjiuatila.com
www.sendspace.com.mjiwatilacom
www.sendspace.com.mjiwatila.com
www.sendspace.com.mjufatilacom
www.sendspace.com.mjufatila.com
www.sendspace.com.mjwfatilacom
www.sendspace.com.mjwfatila.com
www.sendspace.com.mnvdtdt.co.uk
www.sendspace.com.mnvdtdt.me.uk
www.sendspace.com.mnvdtdt.orguk
www.sendspace.com.mnvdtdt.org.uk
www.sendspace.com.mnvdtdtorg.uk
www.sendspace.com.modeservicepp.co.kr
www.sendspace.com.modeservicepp.com
www.sendspace.com.modeservicepp.kr
www.sendspace.com.muifatilacom
www.sendspace.com.muifatila.com
www.sendspace.com.mwifatilacom
www.sendspace.com.mwifatila.com
www.sendspace.com.polaasa1qc.com
www.sendspace.com.pretopsd.co.uk
www.sendspace.com.pretopsdco.uk
www.sendspace.com.pretopsd.me.uk
www.sendspace.com.pretopsd.org.uk
www.sendspace.com.tjualasabe
www.sendspace.com.tjualasa.be
www.sendspace.com.tkualasabe
www.sendspace.com.tkualasa.be
www.sendspace.com.ttjalasabe
www.sendspace.com.ttjalasa.be
www.sendspace.com.ttkalasabe
www.sendspace.com.ttkalasa.be
www.sendspace.com.ttuajasabe
www.sendspace.com.ttuajasa.be
www.sendspace.com.ttuakasabe
www.sendspace.com.ttuakasa.be
www.sendspace.com.ttualakabe
www.sendspace.com.ttualaka.be
www.sendspace.com.ttualasabe
www.sendspace.com.ttualasa.be
www.sendspace.com.ttualaskbe
www.sendspace.com.ttualask.be
www.sendspace.com.ttualjsabe
www.sendspace.com.ttualjsa.be
www.sendspace.com.ttualksabe
www.sendspace.com.ttualksa.be
www.sendspace.com.ttujlasabe
www.sendspace.com.ttujlasa.be
www.sendspace.com.ttuklasabe
www.sendspace.com.ttuklasa.be
www.sendspace.com.ujifatilacom
www.sendspace.com.ujifatila.com
www.sendspace.com.vdslprr.co.uk
www.sendspace.com.vdslprr.me.uk
www.sendspace.com.vdslprr.org.uk
www.sendspace.com.vufteejkibe
www.sendspace.com.vufteejki.be
www.sendspace.com.wjifatilacom
www.sendspace.com.wjifatila.com
