Endpoint Protection

Mespam meets Zunker (and targets German users)

May 18, 2007 03:00 AM

“Whenever I post my computer puts something on the end of my post that I didn't type. Just look, it's that link and the text know will appear when I post this. P.S. Look, Super sreensaver! :)) …”

I wanted to start this blog entry by quoting a post picked up from one of the many forums contaminated by Mespam, to show exactly what infected users experience without having a clue of what’s going on with their computer. If your friends are complaining that your e-mails, blog posts and chat sessions show a suspicious URL linking to photos, jokes or screensavers that you hadn’t sent them, you’re probably another victim of this Trojan.

Trojan.Mespam was originally spotted in February, and we described here its new spreading technique, which uses an LSP (Layered Service Provider) component to append text and malicious links to the outgoing HTTP traffic. In the Web 2.0 world this technique has proven its efficiency. It’s worth mentioning that Mespam was distributed via the Trojan.Peacomm P2P network.

In the last few months we’ve seen many recompiled variants of Mespam coming out, and I’m reporting here some of the malicious URLs that users should absolutely never click, even if they seem to be posted by trusted friends. We have noticed that each outbreak of Mespam has a main “theme” in the spammed messages, such as postcards, jokes, screensavers, and photos, which is configured by a remote C&C center. When we examine the languages of contaminated forums and blogs, it looks like some infections are localized only to specific countries.

February – The “Jokes” malicious URLs series:
 hxxp://jokeonlineworld.com
 hxxp://practicaljokeonline.com
 hxxp://dailyjokeonline.com

March – The “Screensavers” malicious URLs series:
 hxxp://screensavers4us.info/funscr/silly_bear32_funny.scr
 hxxp://webcounterstat.info/screensavers/wallpapers_gold_bear_b.scr

April – The "Sex-game" malicious URLs series:
 hxxp://www.vixen-toys.com/download/sex-game-3.801.zip
 hxxp://www.marketing-know-how.com/just/sex-game-3.801.zip
 hxxp://fruitsinsuits.com.hk/images/flyers/sex-game-3.801.zip

May – The "foto" malicious URLs series (only targeting Germans?):
 hxxp://www.lastik.com/images/foto.exe
 hxxp://www.ultimatexpressions.co.uk/foto.exe
 hxxp://www.arborwood.com/images/foto.exe

With some help from Google I’ve searched forums, blogs and web boards for the keywords included in the spam messages, to estimate how many forums and sites contain infected posts. The results shown in this table were not optimistic. We should mention that Mespam also spreads through IM, traditional e-mail and web mail, so this statistic does not include all the messages spammed, for example via Gmail, Yahoo Mail, ICQ, AIM, etc.

(*) – the keyword includes all the links spammed for the “screensaver” series
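To put the URL series above to defensive use, here is an added example (not code from the original post or from Symantec) that scans outbound forum POST bodies, as a proxy or forum operator might log them, for the indicators listed above. The sample POST bodies are constructed for the example and modelled on the quoted forum post; the series names and the host/file-name grouping are the post's own, and the "appended" flag reflects the behaviour described above, where the injected link is tacked onto the end of the message.

```python
import re
from urllib.parse import unquote_plus

# Indicator set copied from the URL series listed in the post above, kept defanged
# (hxxp) as the post gives them; the grouping into "series" follows the post.
MESPAM_SERIES = {
    "jokes": ["jokeonlineworld.com", "practicaljokeonline.com", "dailyjokeonline.com"],
    "screensavers": ["screensavers4us.info", "webcounterstat.info"],
    "sex-game": ["vixen-toys.com", "marketing-know-how.com", "fruitsinsuits.com.hk"],
    "foto": ["lastik.com", "ultimatexpressions.co.uk", "arborwood.com"],
}

# Payload file names from the post. The same file moved between hosts, so a known
# file name on a host not yet on the list is still worth flagging.
PAYLOAD_NAMES = {
    "silly_bear32_funny.scr": "screensavers",
    "wallpapers_gold_bear_b.scr": "screensavers",
    "sex-game-3.801.zip": "sex-game",
    "foto.exe": "foto",
}

URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s\"'<>]+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)"


def host_of(url):
    """Lowercased host part of an http/hxxp URL (port stripped)."""
    rest = url.split("://", 1)[1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def classify_url(url):
    """Return the Mespam series the URL belongs to, or None if it matches nothing."""
    url = url.rstrip(TRAILING_PUNCT)           # prose punctuation glued to the URL
    host = host_of(url)
    for series, domains in MESPAM_SERIES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return series
    return PAYLOAD_NAMES.get(url.rsplit("/", 1)[-1].lower())


def scan_text(text):
    """Find indicator URLs in free text. 'appended' is True when nothing but
    punctuation/whitespace follows the URL, the position the LSP injects at."""
    hits = []
    for m in URL_RE.finditer(text):
        series = classify_url(m.group(0))
        if series is None:
            continue
        tail = text[m.end():].strip(TRAILING_PUNCT + " \t\r\n")
        hits.append({"url": m.group(0).rstrip(TRAILING_PUNCT),
                     "series": series, "appended": tail == ""})
    return hits


def scan_form_body(body):
    """Scan an application/x-www-form-urlencoded POST body field by field."""
    hits = []
    for field in body.split("&"):
        key, _, value = field.partition("=")
        for hit in scan_text(unquote_plus(value)):
            hit["field"] = unquote_plus(key)
            hits.append(hit)
    return hits


# Constructed sample bodies modelled on the quoted forum post; not captured traffic.
SAMPLE_POSTS = [
    "subject=Hi&message=Thanks+for+the+help+yesterday%21",
    "subject=Re%3A+pics&message=Here+you+go.+Super+sreensaver%21+%3A%29%29+"
    "hxxp%3A%2F%2Fscreensavers4us.info%2Ffunscr%2Fsilly_bear32_funny.scr",
    "message=Meine+Fotos+hxxp%3A%2F%2Fwww.lastik.com%2Fimages%2Ffoto.exe+schau+mal",
    "message=Check+this+hxxp%3A%2F%2Fexample.invalid%2Fdl%2Ffoto.exe",
]


def triage(posts):
    """Run every body through the scanner; one hit list per post."""
    return [scan_form_body(p) for p in posts]


if __name__ == "__main__":
    for n, hits in enumerate(triage(SAMPLE_POSTS)):
        for h in hits:
            print(f"post {n}: field={h['field']} series={h['series']} "
                  f"appended={h['appended']} url={h['url']}")
```

The form body is decoded field by field before matching, because a URL inside a form-encoded POST arrives as `hxxp%3A%2F%2F...` and would never match a plain URL pattern; the hit at the end of the second and fourth sample bodies is the pattern the quoted forum user was describing.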

But who controls what the infected bots spam, and where? This diagram shows some Mespam code on the right and a C&C interface on the left.

The interface on the left is also known as “Zunker” and is a C&C web panel that controls Mespam bots. The connections between the Mespam code and the Zunker panel are obvious, and we have many other clues that they are just different pieces of the same thing. With this panel, the botmaster has quick statistics on the number of infected hosts, affected countries, and new bots added recently, and can also see which channels, such as IM, traditional mail, webmail, and forums, are used to send spam.


The configuration area of the panel gives the botmaster the ability to choose a different template message for each channel. This is an example of a configured template found on one of the many Zunker interfaces analyzed recently.


When the botnet becomes big enough, the botmaster can use it to infect more hosts or eventually install a secondary Trojan on the infected machines. This secondary file is always configured from the Zunker interface, and is usually a bank Trojan or a DDoS threat. In some cases, after the botnet is ready, the botmaster tries to sell this “install-a-Trojan” service to other cyber-criminals, who can decide which Trojan to distribute on the infected hosts.

For example, we’ve seen a file named “ebr9.exe” on a Zunker botnet, which from the panel statistics was targeting mostly German users. This Trojan drops the BHO file “%SYSTEM%\console32.dll” and tries to hijack the execution of the following German programs by changing the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options” for each of them:

Banking.exe
BankingUpdate.exe
Erinnerung.exe
GetOn4uHdWID.exe
MG.exe
MGBSE.exe
Mnyupdate.exe
Msmoney.exe
Netviewer.exe
Nv_o2o_Teilnehmer_DE.exe
Salv.exe
Sanitize.exe
SCRSetup.exe
Smkonv.exe
StartStarMoney.exe

The reason for this registry key change is unclear, but German users who have these specific programs should double-check their machines for this Trojan.
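As an added example (not the post's or Symantec's code), the following Python script triages an exported copy of the Image File Execution Options key offline and reports every image that carries a Debugger value, marking the ones in the program list above. The IFEO Debugger value makes Windows launch the named program in place of the original image, which is the usual way this key is abused; the post does not say which value ebr9.exe writes, so the sample export is constructed and the debugger path in it is a placeholder.

```python
import re

# HKLM path from the post (the key name written out in full); the trailing backslash
# makes only the per-image subkeys match, not the Options key itself.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")

# Program names the post reports ebr9.exe creating entries for (copied from the post).
WATCHLIST = {name.lower() for name in [
    "Banking.exe", "BankingUpdate.exe", "Erinnerung.exe", "GetOn4uHdWID.exe",
    "MG.exe", "MGBSE.exe", "Mnyupdate.exe", "Msmoney.exe", "Netviewer.exe",
    "Nv_o2o_Teilnehmer_DE.exe", "Salv.exe", "Sanitize.exe", "SCRSetup.exe",
    "Smkonv.exe", "StartStarMoney.exe",
]}

# "Name"=value or @=value (the default value) as written by a REGEDIT 5.00 export
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg string values escape a quote as \" and a backslash as \\
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Minimal parser for a .reg export: {key path: {value name: value}}.
    String values are unescaped; dword:/hex: values are kept as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "" = (Default)
            value = m.group(2)
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = _unescape(value[1:-1])
            keys[current][name] = value
    return keys


def find_ifeo_debuggers(keys):
    """Report every per-image IFEO subkey carrying a Debugger value."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = key[len(IFEO_PREFIX):].split("\\", 1)[0]   # first component below IFEO
        debugger = values.get("Debugger")
        if debugger is None:
            continue
        findings.append({
            "image": image,
            "debugger": debugger,
            "watchlisted": image.lower() in WATCHLIST,
        })
    return findings


# Constructed sample export. The debugger path is a placeholder: the post does not
# say what ebr9.exe writes, only which image names it touches.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartStarMoney.exe]
"Debugger"="C:\\WINDOWS\\system32\\PLACEHOLDER_loader.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Banking.exe]
"Debugger"="C:\\WINDOWS\\system32\\PLACEHOLDER_loader.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\devdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"GlobalFlag"=dword:00000000
'''


if __name__ == "__main__":
    for f in find_ifeo_debuggers(parse_reg_export(SAMPLE_EXPORT)):
        flag = "WATCHLISTED" if f["watchlisted"] else "review"
        print(f"{flag:12} {f['image']} -> {f['debugger']}")
```

On a live machine, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` produces such a file (reg.exe writes it as UTF-16, so open it with `encoding="utf-16"` before passing the text to `parse_reg_export`). A Debugger value on an image that is not a developer tool deserves a look regardless of the watchlist; the watchlist only prioritises the names the post associates with this Trojan.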

We don’t know if the Zunker interface was created together with Trojan.Mespam, or if it was added later by someone else. The current statistics of Mespam samples show that there’s a specific Zunker web panel link hardcoded in every different version of the Trojan.Mespam DLL, so probably the Mespam/Zunker package is sold as a bundle on the underground market.
