Internet Security Systems - AlertCon(TM)

The Aftermath of doc.pdf, statistics, payload, and spam

Posted by John Kuhn and Matthew De Carteret on May 03, 2010 at 1:37 PM EDT.

It looks like the onslaught of spam email containing doc.pdf is mostly behind us for now.  The big question on a lot of people’s minds (as with many threats) is what was the point?  We may have some answers here for you, but let’s start with the statistics. 

In the Security operations center we were tracking the footprint of the attack which centered around 5 signatures.  The footprint was somewhat unique aside from always using the name doc.pdf it also triggered PDF_Launch_Program, the main vector of the attack.  On the morning of 4/27/10 our analysts noticed a sudden surge of these attacks as shown by the graph below, which consistently escalated until the evening of 4/28 reaching a large portion of our customer base worldwide.

At the peak of the attacks, we received 85,000+ alerts in a single day, even if the attacker was successful at a 10% rate of infection that’s easily 8500 infections. This is not even considering the amount of these attacks worldwide which would be assumed in the millions. The infection did require the user to first open the PDF, then click “open” however even with the 2 steps; I would assume many end-users were fooled into infection.

The SPAM email was sent from various SMTP servers globally, which appears to be originating from a botnet, looking to expand its troops.  Which botnet we are unsure?  However further analysis of game.exe from one of our analysts, Matthew De Carteret, might give us a good idea.

Game.exe after sandboxing revealed an all too familiar request

Jademason . com / lde / ld.php?v=1&rs=12345-640-1234567-235701224690484&n=1&uid=1

This site replies with

942|12345-640-1234567-23570122469048
d
hxxp:// 193(dot)43(dot)134(dot)50 /us02.exe

Identical requests sent to domains 1foxfiisa.com and dolsgunss.com if each previous request fails.

us02.exe is a Zeus bot with config found at selecbizdom.com/cnf/shopinf.jpg

us02.exe currently has a score of 23/40 (57.60%) coverage at virustotal with most major vendor support.

The Config when decoded lists numerous financial institutions as targets for browser hijacking. It will attempt to get the user to authenticate to the bank’s website but will inject its own input system for the bot to capture input details. Once it has collected the data it requires it will redirect the user to an error page stating that the bank’s webpage is under maintenance.

 

So yet another potentially huge Zeus/Zbot botnet was created or expanded all through spam email.  Zeus, is a force to be reckoned with its expanding and updated code base into version 2.0.  Zeus version 2.0 has new infection measures, new encryption, windows 7 support and a long list of new features.

The evolving threat is not going away anytime soon, so we must all remain vigilant in protecting our networks. 
 

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.