Saturday, March 31, 2012

USPS Click-N-Ship abused in malware spam

This campaign begins with an email that looks like this:



The email indicates that you have been charged a random amount of money to have a shipping label created. In this case, we were charged $47.44. Because we haven't really ordered a shipping label, we might be upset to be charged, and click the "USPS Click-N-Ship" link that APPEARS to take you to "www.usps.com/clicknship".

In reality, there are more than eight hundred destination webpages on more than one hundred sixty (160) websites were advertised in emails that we saw in the UAB Spam Data Mine that use this template, but none of them go to the United States Postal Service.

A single destination would have many subdirectories, all created by the hacker, that contained the link. For example, this Czech website:

1 | lenkajonasova.chytrak.cz | /1xmg2qrr/index.html
11 | lenkajonasova.chytrak.cz | /9hEetc63/index.html
5 | lenkajonasova.chytrak.cz | /CgeknEwU/index.html
14 | lenkajonasova.chytrak.cz | /FP817PwV/index.html
9 | lenkajonasova.chytrak.cz | /hQLv8GxT/index.html
1 | lenkajonasova.chytrak.cz | /LRt1KuAY/index.html
13 | lenkajonasova.chytrak.cz | /qedwZQiv/index.html
1 | lenkajonasova.chytrak.cz | /rSqvJdhP/index.html

The spam messages use a variety of subjects. The ones we saw yesterday were:

count | subject | sender_domain
-------+--------------------------------------------+---------------
479 | USPS postage labels order confirmation. | usps.com
433 | Your USPS postage charge. | usps.com
428 | USPS postage labels receipt. | usps.com
403 | Your USPS postage labels charge. | usps.com
384 | Your USPS shipment postage labels receipt. | usps.com
346 | USPS postage labels invoice. | usps.com
322 | Your USPS delivery. | usps.com
319 | USPS postage invoice. | usps.com
(8 rows)


This was a very light campaign, compared to many that we have seen recently. We received more than half of these emails in a single 15 minute span ending at 7:15 AM our time - which would be 8:15 AM on the US East Coast. We have the theory that the new spam campaign, with a never-before-seen malware sample, is sent at the beginning of the East Coast day as a way to get maximum infections in places like New York City and Washington DC.


The most common websites, all with their own "random-looking" subdirectories were:
count | machine
-------+----------------------------------
598 | h7xb37qx.utawebhost.at
208 | jadore-events.ro
150 | kissmyname.fr
143 | renkliproje.com
139 | kegelmale.com
138 | layarstudio.com
127 | firemediastd.com
126 | hillside.99k.org
126 | ks306518.kimsufi.com
118 | k-linkinternational.com
113 | graphicdesignamerica.com
112 | hascrafts.com
112 | iaatiaus.org
102 | immodefisc.net

(The rest of the list is at the end of this article...)

A Sample Run


Each day in the UAB Computer Forensics Research Laboratory, students in the MS/CFSM program produce a report shared with the government called the "Emerging Threats By Email" report. They take a prevalent "new threat" in the email from that day and document it's action, in part by infecting themselves with the malware! Here's a sample run through I did this morning using the techniques followed in our daily report.

We begin by visiting a website advertised in the spam. In this case, I chose:

allahverdi.eu (109.235.251.244) /BSg1hNCZ/index.html (400 bytes)

These "email-advertised links" each call javascript files from a variety of other sites. In this example run, visiting the site caused us to load Javascript from the URL below.

uglyd.com/xTnfi7mG (210.193.7.161) / xTnfi7mG/js.js (81 bytes)

This javascript file sets the "document location" for the current browser
window to be "http://178.32.160.255:8080" with a path of showthreat.php
?t = 73a07bcb51f4be71. This is a Black Hole Exploit kit server, which causes the rest of the infection to be continued.)

This is the location my run gave this morning . . . yesterday morning's run used a different Black Hole Exploit Kit location:



178.32.160.255:8080/showthread.php?t=blahblahblah (20,110 bytes)

178.32.160.255:8080/data/Pol.jar (14,740 bytes)

178.32.160.255:8080/q.php?f=4203d&e=0 (dropped calc.exe 151,593 bytes)
MD5 = 44226029540cd2ad401c4051f8dac610
VirusTotal (16/42)

The next two files are dropped because of the Java execution of "Pol.jar".

At the time of the UAB Emerging Threats by Email report on Friday morning March 29th, the Virus Total detections for this malware were "2 of 42". More than 20 hours later the detection is still only "19 of 42".

santacasaitajuba.com.br (200.26.137.121) /WBoTANuY/hBhT7.exe (323,624 bytes)
MD5 = 276dbbb4ae33e9e202249b462eaeb01e
VirusTotal (19/42)

elespacio.telmexla.net.co (200.98.197.103) /sNxQTzEK/bHk6KE.exe (323,624 bytes)
MD5 = 276dbbb4ae33e9e202249b462eaeb01e
VirusTotal (19/42)



The "Zeus file" (the 323,624 byte one) copies itself into a newly created randomly named directory within the current user's "Application Data" directory. In the current run, it disguised itself with a "Notepad" icon, claiming to be "Notepad / Microsoft Corporation" in it's properties. The file was named peix.exe (but that's random also.) The file does an "in place update" so that my MD5 modified without changing the filename. My new MD5 of this morning was:

98202808dea55042a3a1aa2d28ab640a

Which gives a current VirusTotal detection of (14/42):

AntiVir = TR/Crypt.XPACK.Gen
Avast = Win32:Spyware-gen [Spy]
AVG = Zbot.CO
BitDefender = Gen:Variant.Kazy.64187
DrWeb = Trojan.PWS.Panda.1947
F-Secure = Gen:Variant.Kazy.64187
GData = Gen:Variant.Kazy.64174
Kaspersky = Trojan-Dropper.Win32.Injector.dxrh
McAfee = PWS-FADB!98202808DEA5
Microsoft = PWS:WIn32/Zbot.gen!AF
NOD32 = Win32/Spy.Zbot.AAN
Norman = W32/Kryptik.BKR
Rising = Trojan.Win32.Generic.12BDDB90
VIPRE = Trojan.Win32.Generic.pak!cobra

Most of those definitions just mean "Hey! This is Bad! Don't Run It!"

Antivirus companies don't use the same names for most of this stuff as cybercrime investigators. So, for instance, in the Microsoft Lawsuit last week, they described criminals involved with three malware families = Zeus, SpyEye, and IceIX. All of these would show a "Zbot" or "Kazy" detection in the group above. PWS means "Pass Word Stealer." "pak", "XPACK", and "kryptic" just mean that the malware is compressed in a way that implies it is probably malicious.

The bottom line is that this very successful malware distribution campaign has tricked people into installing something from the broader Zeus family (whether Zeus, SpyEye, or IceIX doesn't really matter to the consumer). Once compromised, that computer is going to begin sharing personal financial information with criminals, and allowing remote control access to the computer from anywhere in the world to allow further malicious activity to occur.

This is the kind of malware that was featured on NBC's Rock Center with Brian Williams recently, and that was at the heart of the civil action taken by Microsoft, FS-ISAC, and NACHA that lead to the seizure of many domain names and some servers controlled by Zeus Criminals.



Click to learn more about UAB's Center for Information Assurance and Joint Forensics Research or to learn about UAB's Masters Degree in Computer Forensics & Security Management.




other destinations



98 | made.lu
96 | maceraoyunlari.host.org
88 | kazahana.hanabie.com
85 | kthtu.or.kr
84 | ftp.peratur.com.br
82 | agroturystyka-szczawnica.pl
78 | lenkajonasova.chytrak.cz
77 | ftp.lucpinheiro.com.br
74 | imo213.com
70 | indonesiatravelnow.com
67 | gulfcoastlocalsearch.com
67 | laptopschematic.org
65 | 4realpeople.info
62 | incaltamintepeg.ro
58 | davidanber.com
52 | malibojevnik.si
52 | 188.121.58.196
45 | lcvtv.com
44 | lastrender.com
44 | laserreproducciones.com
44 | lukasz-slaby.pl
41 | 032b67b.netsolhost.com
41 | larryharrison.com
40 | 182.18.152.247
39 | genxlogistics.com
38 | 0317159.netsolhost.com
37 | getprofitsfast.com
37 | kbizzsolutions.com
34 | icon-construction.ca
33 | mariekebrouwers.nl
33 | kgncomputers.com
30 | meinungsmacher.at
21 | heroesandheritage.net
20 | interfinbrok.ro
16 | ecrane.vn
16 | erolkara.net
12 | euro2012bettingtips.com
11 | ftp.tack.sk
11 | stcw95.org
10 | 6111homewood.com
10 | meritmobile.com
10 | ozerresidence.com
10 | ftp.infoesporte.com.br
10 | grossturismo.com.br

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.