Dissection of a Zbot spam

Today, I received a piece of spam that contained a very interesting URL.

I own the domain iheartjpgs.info, on which I have an email address or two hosted. The spam is as follows:

Dear user of the iheartjpgs.info mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (kale@iheartjpgs.info) settings were changed. In order to apply the new set of settings click on the following link:
http://iheartjpgs.info/owa/service_directory/settings.php?email=kale@iheartjpgs.info&from=iheartjpgs.info&fromname=kale
Best regards, iheartjpgs.info Technical Support.

The URL is intriguing, as it would suggest they had somehow compromised my server (or broken their mass-mailing script). Looking at the source of the message, however, I found that the URL actually linked to http://iheartjpgs.info.bertdffm.co.uk/owa/service_directory/settings.php?email=kale@iheartjpgs.info&from=iheartjpgs.info&fromname=kale (the visible link text shows the first URL, the href carries the second). This URL is much more curious, as it suggests that the zone file for bertdffm.co.uk was manipulated to create a subdomain on the fly, solely for distributing spam targeting iheartjpgs.info.
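A detection for exactly this display-text versus href mismatch, written here as an added example (it is not code from the original post): it parses the HTML part of a message and reports every link whose visible text names a different host than its href, which also catches the subdomain-prefix form used above. The message body is a constructed sample mirroring the spam, and LinkCollector, host_of and find_mismatched_links are names chosen for this example.

```python
"""Flag links whose visible text names one host but the href points elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the spam's link (not the real message body).
SAMPLE_HTML = (
    '<a href="http://iheartjpgs.info.bertdffm.co.uk/owa/service_directory/settings.php'
    '?email=kale@iheartjpgs.info&amp;from=iheartjpgs.info&amp;fromname=kale">'
    'http://iheartjpgs.info/owa/service_directory/settings.php'
    '?email=kale@iheartjpgs.info&amp;from=iheartjpgs.info&amp;fromname=kale</a>'
    '<p>Best regards, <a href="http://iheartjpgs.info/">iheartjpgs.info</a> Support.</p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # attribute values arrive with &amp; already decoded
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL or bare domain; '' if it is not one."""
    value = value.strip()
    if not value or any(c.isspace() for c in value) or "." not in value:
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def find_mismatched_links(html):
    """Return (shown_host, real_host) for links whose visible text is a URL or
    domain but whose href goes elsewhere. The prefix trick (shown host plus
    extra labels, as in iheartjpgs.info.bertdffm.co.uk) is caught the same way."""
    collector = LinkCollector()
    collector.feed(html)
    pairs = [(host_of(text), host_of(href)) for href, text in collector.links]
    return [(shown, real) for shown, real in pairs if shown and real and shown != real]
```

Links whose visible text is not a URL or domain ("click here") are ignored by design; a mail gateway would pair this with a check of the href's registrable domain against the sender's.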

This subdomain had multiple A records, resolving to 15 different IPs.


These appear to be residential computers from around the world, mostly in eastern Europe, Brazil, and Korea, according to an ASN lookup of each address.


Not all of the hosts are alive at the moment, which is unsurprising when dealing with residential computers. A simple portscan on one of them reveals the following services running:

PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
554/tcp open rtsp
7070/tcp open realserver

Checking a few others that were alive, all of them had at least these four ports open. Connecting to the ports, I found that only HTTP behaved as expected; the others, although open, did not speak the protocols their port numbers suggest.

A simple GET / request on port 80 resulted in:

HTTP/1.1 302 Found
Date: Wed, 14 Oct 2009 15:29:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Location: http://www.microsoft.com/
Content-Type: text/html

Every one of the live servers served the exact same headers.

After manually pointing my hosts file at one of the live servers, I visited the page in Safari — which immediately told me that it’s a phishing site. Kudos on the detection, Apple.

(Screenshot: Safari caught the phishing site immediately)

The page looks like a Microsoft Outlook Web Access page with all resources hosted locally. There’s no malicious JavaScript or iframes embedded into the page (which simply seems inefficient). The page offers up a “settings file” that I should run on my workstation to update my Exchange settings — the file is called kale-settings-file.exe. Or john-settings-file.exe. Or mary-settings-file.exe. Or whatever I set the $fromname variable to in the URL.

I scanned the file at VirusTotal – here is the report. As you can see, only 6 of the 41 virus scanners found anything: F-Secure, Kaspersky, McAfee+Artemis and McAfee-GW-Edition (both different from standalone McAfee), Microsoft’s built-in (!), and Sophos. Each AV product identifies the file slightly differently, though the common thread is Zbot. The Zbot payload first started showing up around January; the methods used to hide and obfuscate the payload, however, have grown increasingly sophisticated and harder to detect.

A summary of Zbot from ThreatExpert:

Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

Keylogger, trojan/bot, backdoor.

Trend picked up on this new “customized URL” Zbot spam and blogged about it yesterday. Zbot is also deployed in spam emails referencing the IRS (“Notice of Underreported Income”). It should be noted that the Zbot-infected binaries distributed in the two spam campaigns are significantly different, though the payload is the same — the changes are designed to evade anti-virus protection, always staying one step ahead of the AV firms. A fun user-end analysis of the Zbot trojan (technically, the PostZeuS trojan, on which Zbot is heavily based) can be found at this (machine-translated) French website.

Bottom line: never click links in spam. Seriously. Especially if you run Windows.

Addendum: If you have downloaded and run the linked file, please update your virus definitions and immediately run a scan. You can also go here to run F-Secure’s online virus scanner, which ought to be able to detect the virus and assist in cleaning it as well.

3 Responses to “Dissection of a Zbot spam”

  1. Ricardo writes:

    Hello, today a coworker got an email like this and clicked on the link. What should I do?

    Dear user of the idiomasperucom mailing service!
    We are informing you that because of the security upgrade of the mailing service your mailbox (elsol_soporte@idiomasperu.com) settings were changed. In order to apply the new set of settings click on the following link:
    http://idiomasperu.com/owa/service_directory/settings.php?email=elsol_soporte@idiomasperu.com&from=idiomasperu.com&fromname=elsol_soporte
    Best regards, idiomasperu.com Technical Support.

    Please give me some advice. I think this is a current massive phishing attack.

  2. kale writes:

    Hello Ricardo,

    First step is to run some anti-virus on their computer! F-Secure has an online scanner available here, which should be able to detect this Zbot variant and clean his computer. After the virus is removed, educate your coworker to not click on links from strangers :-)

  3. Xmitter Technologies » Blog Archive » Email Phishing Warning writes:

    [...] has written a detailed report about a complex phishing email that has been sighted in the wild. This phishing message makes use [...]
