
White House E-Card Scam Part Of Larger Zeus-Related Attack

The simplistic spam campaign that hit around Christmas and purported to be a holiday greeting from the White House not only included a piece of Zeus-related malware that searches hard drives for documents and uploads them to a remote server, but also appears to be connected to a similar attack from early 2010 that exposed a nascent botnet.

The holiday e-card scam is a typical year-end spam tactic and often will include malware of one type or another. But the latest incarnation was different in that it included a malicious executable related to the Zeus botnet, and it seems that officials in a number of government agencies in the U.S. and elsewhere fell for the scam and ended up exposing gigabytes of government documents. One of the executables being used in the e-card attack is nearly identical to a file that was used in a similar attack in February 2010 that was detailed by security firm NetWitness at the time.
In the first phase of the latest attack, the user clicks on a link in the malicious e-card and a process starts that downloads a variant of the ever-popular Zeus bot. That bot's job in life is much like any other's: to steal information related to online banking, payment sites, eBay and other valuable sites. That information is then sent off to a remote drop server. NetWitness identified three of the drop servers, all of which are down right now, as:
http://209.172.60.242/newdowni/stat/gate_in.php
http://someonesome.mobi/imgs_ctn/icon_sml/gate_in.php
http://shock-world.mobi/zs/tmp/gate.php
But that's just one piece of the action. The second phase of this attack downloads an executable file called "pack.exe" that searches the hard drive of the compromised PC for a number of common file types, including Word documents, PDFs and Excel files. Those files are then sent to another server controlled by the attacker. An analysis of the executable, compared to one used in the original attack last year, found that the two files are nearly identical in size and bear a number of other similarities, as well.
"An interesting sidenote to this particular aspect of the Kneber data was that the ZeuS bot that was involved with this phish had a second stage download of an executable called "stat.exe". This malware was revealed to be a perl script converted to a stand-alone executable with the perl2exe tool.
This malware searched the local hard drive of the victim PC for xls, doc and pdf files, and uploaded them via FTP to:
packupdate.com
Which at the time, resided on a server in Belarus. This current spam run also downloaded a second-stage executable, called "pack.exe", which was also:
- A perl2exe executable
- Searched the victim PC for all xls, doc and pdf files
- Uploaded stolen data to a server in Belarus, which resolved to "uploadpack.org"
So in this case, we have two executables, and three domain names, that have three converging elements (pack, Belarus and perl2exe)," Alex Cox, principal research analyst at NetWitness, said in his analysis of the new attack.
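The article gives two kinds of indicators a defender can act on: the three Zeus drop-server URLs listed above (check-ins to a gate.php-style path) and the two document-exfiltration domains named in the NetWitness analysis. The following detection pass is an added example, not code from the article or from NetWitness; it scans constructed proxy/firewall log lines in a hypothetical format, flags traffic to the listed indicators, and additionally flags HTTP POSTs to any gate.php-style path as a lower-confidence hit.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators taken from the article: the Zeus drop-server URLs and the two
# document-exfiltration domains named in the NetWitness analysis.
ZEUS_DROP_URLS = {
    "http://209.172.60.242/newdowni/stat/gate_in.php",
    "http://someonesome.mobi/imgs_ctn/icon_sml/gate_in.php",
    "http://shock-world.mobi/zs/tmp/gate.php",
}
EXFIL_DOMAINS = {"packupdate.com", "uploadpack.org"}

# Host part of each drop-server URL, so a GET to the same host is caught too.
DROP_HOSTS = {re.match(r"https?://([^/]+)/", u).group(1) for u in ZEUS_DROP_URLS}


@dataclass
class Alert:
    src_ip: str
    indicator: str
    reason: str


# Constructed, hypothetical log format (not any real product's format):
# <timestamp> <src_ip> <HTTP|FTP> <method-or-ftp-command> <url-or-host> <bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<proto>HTTP|FTP) "
    r"(?P<action>\S+) (?P<target>\S+) (?P<bytes>\d+)$"
)


def _host_of(url: str) -> str:
    """Return the lower-cased host part of an http(s) URL."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else url.lower()


def check_line(line: str) -> List[Alert]:
    """Match one log line against the indicators; unparseable lines yield nothing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    src, proto, action, target = m["src"], m["proto"], m["action"], m["target"]
    alerts: List[Alert] = []
    if proto == "HTTP":
        host = _host_of(target)
        if target in ZEUS_DROP_URLS or host in DROP_HOSTS:
            alerts.append(Alert(src, target, "known Zeus drop server"))
        elif action == "POST" and re.search(r"/gate(_in)?\.php$", target):
            # Not on the indicator list, but the same check-in path shape as the
            # listed drop servers: worth a look, lower confidence.
            alerts.append(Alert(src, target, "POST to gate.php-style path"))
        if host in EXFIL_DOMAINS:
            alerts.append(Alert(src, host, "known document-exfil domain"))
    elif proto == "FTP":
        # The article describes the stolen documents being uploaded via FTP.
        host = target.lower()
        if host in EXFIL_DOMAINS and action in ("STOR", "CONNECT"):
            alerts.append(Alert(src, host, "FTP upload to document-exfil domain"))
    return alerts


def scan(lines) -> List[Alert]:
    """Run check_line over every line and collect the alerts in order."""
    out: List[Alert] = []
    for line in lines:
        out.extend(check_line(line))
    return out


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2010-12-24T10:01:02Z 10.0.0.5 HTTP GET http://www.example.com/index.html 1200",
    "2010-12-24T10:01:09Z 10.0.0.5 HTTP POST http://209.172.60.242/newdowni/stat/gate_in.php 540",
    "2010-12-24T10:02:15Z 10.0.0.5 HTTP POST http://other.invalid/panel/gate.php 610",
    "2010-12-24T10:03:40Z 10.0.0.5 FTP STOR packupdate.com 884000",
    "2010-12-24T10:05:00Z 10.0.0.7 HTTP GET http://shock-world.mobi/zs/tmp/gate.php 300",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.src_ip}: {a.reason} ({a.indicator})")
```

The exact-URL and exact-domain matches are high-confidence hits on the published indicators; the gate.php path heuristic is deliberately kept separate so it can be tuned or dropped without losing the indicator matches, since the listed drop servers were already down when the article was written and later infrastructure will not share them.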
At the time the original attack was revealed in February 2010, NetWitness officials did not talk about the fact that the executable that the malware downloaded was a Perl script that had been converted using a tool called Perl2exe. The fact that this current attack includes a file that also was created using that tool and is so similar in other respects to the original one is likely more than a coincidence, Cox said.
"This, because it is such a small and fairly unknown aspect of the Kneber compromise, makes us think that this is indeed the same operator, who is once again after documents pertaining to U.S. Government activities," he wrote.
News Submitted By : Om Rathore