Internet Security Systems - AlertCon(TM)

A new wave of ZIP malware spam

Posted by Jon Larimer and Ralf Iffert on August 24, 2010 at 4:49 PM EDT.

Over the past few weeks, we've seen a significant uptick in the number of spam e-mail messages with ZIP file attachments that contain malicious EXE files. Normally we see that between 0.1 and 1.5% of all spam messages contain a ZIP attachment. This chart shows the percentage of ZIP spams since beginning of 2010 through the end of July on a weekly basis:

Since beginning of August the percentage of ZIP spam has increased significantly. On Sunday, August 8th, 2010, it has reached its peak at 8.1%, but on the following days we saw between two and four percent of all spams having ZIP attachments:


 
We looked into these messages and found that it wasn't just a single malware campaign or spam botnet – there are a few different types of malware all contributing to what we saw. Each message we examined had a ZIP file attachment that contained a single EXE file that was malicious.

First, here are some messages that contained a variant of the Zeus v2 trojan. Zeus is a very common trojan that's generated with a kit that anyone can purchase online. There are many different individuals and groups that have Zeus botnets set up. There are a lot of ways it gets spread, but the operators of this particular botnet are growing it by sending out e-mails with ZIP file attachments. The goal of Zeus botnets is usually to steal personal information, and the type of information stolen is commonly online banking data that the criminals will use to access bank accounts to transfer money.

These three messages all contain a copy of Zeus that connects back to the same C&C servers:

The configuration file is at hXXp://zephehooqu.ru/bin/koethood.bin
The drop zone is at hXXp://jocudaidie.ru/9xq/_gate.php

That last one is really great – it includes a warning about phishing and identity theft.

The next set of e-mails are from an interesting new variant of Zeus. Some people claim this is Zeus v3, others say it's just Zeus v2. It also has some aspects that are similar to Zeus v1.

When executed under an Administrator account, this specific version will copy itself to %System32%\SvcHost32.exe and use the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key to auto-start. If the user is running without Administrator privileges, the file is copied to their Application Data directory and the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key is used, with a value named userinit.

It uses SSL to communicate with the C&C server which makes this one difficult to detect based on analyzing the network traffic. The configuration file is located at hXXps://193.104.146.12/box1/1.gif, and the drop zone URL that was specificed in that configuration file was hXXps://193.104.146.12/box1/update.php.

Here are some sample e-mails from this latest Zeus campaign:


 
And this last one contained a copy of the Bredolab downloader. This trojan downloads a rogue antivirus program called SecurityTool that pretends to find viruses on your PC when none exist. Actually, if you fall for this one, your machine is probably so full of malware that the fake SecurityTool results are probably not too far off.

This is what the e-mail looks like. It's not very convincing:

And this is what SecurityTool looks like when it runs:

It will continually pop up bogus warnings, like this one that we found amusing:

To protect yourself from these and other e-mail threats, never open attachments from people you don't know. Be wary of unexpected attachments from people you do know – if you have any doubt, mail them back and ask if they sent you the file. Install some antivirus software and always keep it up to date. And of course, always keep your OS up to date with the latest security patches.

Proventia customers can use the Email_Zip_Executable_Content signature to detect threats like these.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.