Personalized Patch/Update Spam Delivering Malware 

Oct 14, 2009 03:43 PM

Over the past few days a sustained email spam campaign has been running to distribute new Zeusbot variants. The campaign opened with a story from “your administrator” about a server upgrade that supposedly requires you to download and execute a patch to keep your computer working properly:
 
Subject: Important - Read Carefully
Email Body:
Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file
and then to run it from your computer location. That's all.
[http://]updates.[TARGET DOMAIN].secure.[MALICIOUS DOMAIN]/[core or mail or ssl]/id=[RANDOM NUMBER]-[VICTIM EMAIL ADDRESS]-patch[RANDOM NUMBER].exe

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

In the server upgrade campaign, the following domains have been observed:

  • 1-admin.com
  • 1-central.com
  • 1-central.net
  • 1data-upd.net
  • 1-db.net
  • 1ssl-certs.net
  • 1ssl-network.net
  • admin-data.com
  • admindatacenter.net
  • admin-db.net
  • admin-systems.com
  • central-updates.com
  • cert1.net
  • cert-services.net
  • first-systems.com
  • nixserver-systems.com
  • oneupdate.net
  • ssl-datacontrol.net
  • ssl-updates.net
  • up1-mail.net
  • upd01.net
  • upd-center.com
  • upd-central.net
  • upd-services.com
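The URL pattern in the lure is worth parsing mechanically: the victim's own domain appears only as a subdomain label, while the registrable domain that actually serves the .exe is one of the attacker's. The following Python is an example added to this page, not Symantec's own tooling; the sample URL, the victim address and the simplified public-suffix handling are assumptions made for the demonstration.

```python
"""Flag 'server upgrade' lure URLs of the shape described in this post:
   http://updates.<target domain>.secure.<malicious domain>/<core|mail|ssl>/id=<n>-<victim>-patch<n>.exe
Added example (not code from the original post). SAMPLE_URL is constructed."""
import re
from urllib.parse import urlsplit

# Domains listed on this page for the server-upgrade campaign (subset).
UPGRADE_CAMPAIGN_DOMAINS = {
    "1-admin.com", "1-central.com", "1ssl-certs.net", "central-updates.com",
    "ssl-updates.net", "upd-center.com", "cert-services.net",
}

# Simplified public-suffix handling (assumption for the demo): a real
# deployment should consult the Public Suffix List instead of this table.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Path shape from the lure: /<core|mail|ssl>/id=<digits>-<victim email>-patch<digits>.exe
LURE_PATH = re.compile(
    r"^/(?P<area>core|mail|ssl)/id=(?P<id>\d+)-(?P<victim>[^/]+?)-patch\d+\.exe$",
    re.IGNORECASE,
)


def registrable_domain(host: str) -> str:
    """Return the registrable (attacker-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_lure(url: str, target_domain: str, known_bad=UPGRADE_CAMPAIGN_DOMAINS):
    """Return (is_lure, reasons) for a link found in an 'upgrade' email.

    target_domain is the organisation the mail claims to come from; the
    lure embeds it as a subdomain label of the attacker's domain.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = target_domain.lower()
    reg = registrable_domain(host)
    reasons = []

    # The victim's domain appears inside the hostname but does not own it.
    if f".{target}." in f".{host}." and reg != target:
        reasons.append(f"'{target}' is only a subdomain label under '{reg}'")
    if reg in known_bad:
        reasons.append(f"'{reg}' is on the campaign domain list")
    m = LURE_PATH.match(parts.path)
    if m:
        reasons.append(f"path matches the patch lure (victim={m['victim']}, area={m['area']})")
    elif parts.path.lower().endswith(".exe"):
        reasons.append("link points directly at an executable")
    return bool(reasons), reasons


# Constructed sample in the pattern from this post (not a captured URL).
SAMPLE_URL = ("http://updates.example.com.secure.1-admin.com"
              "/ssl/id=48213-bob@example.com-patch7731.exe")

if __name__ == "__main__":
    hit, why = analyse_lure(SAMPLE_URL, "example.com")
    print("lure" if hit else "clean")
    for r in why:
        print(" -", r)
```

The registrable-domain check is the one that generalises: whatever the lure's path looks like tomorrow, a link whose hostname contains the organisation's domain without being owned by it is a phishing indicator on its own.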

Following on from that, the story has changed to one about a security upgrade of the mailing service, which once again requires you to download and run another file. The new email messages now look something like the following:
 
Subjects:  (one of the following)
  • The settings for the [TARGET EMAIL ADDRESS] mailbox were changed
  • A new settings file for the [TARGET EMAIL ADDRESS] has just been released
  • For the owner of the [TARGET EMAIL ADDRESS] e-mail account
  • A new settings file for the [TARGET EMAIL ADDRESS]
Email Body:
Dear user of the [TARGET DOMAIN] mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox ([TARGET EMAIL ADDRESS]) settings were changed.
In order to apply the new set of settings click on the following link:

http://[TARGET DOMAIN]/owa/service_directory/settings.php?email=[TARGET EMAIL ADDRESS]&from=[TARGET DOMAIN]&fromname=tslreplenish

Best regards, [TARGET DOMAIN] Technical Support.

What the example above cannot show is that the link's visible text (a URL on the target's own domain) differs from the address the link actually points to: the href leads to one of the attacker's domains listed below. This is a classic low-tech trick used by spammers to hide the true destination, and it depends on the message being rendered as HTML.
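The mismatch is visible only in the message's HTML: the anchor text shows a URL on the target domain while the href attribute points at one of the attacker's domains. The following Python is an added example, not part of the original post; the HTML message body is constructed to mirror the template above, using example.com as the target domain and polikkp.co.uk from the list below as the real destination.

```python
"""Detect anchors whose displayed URL names a different host than their href.
Added example for this post (not Symantec's code). SAMPLE_EMAIL_HTML is a
constructed message in the shape of the 'settings file' lure."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Text that looks like a bare host or URL, e.g. "http://example.com/owa/..."
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#:]|$)", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL or bare host string, lower-cased."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def find_mismatched_links(html: str):
    """Return anchors whose visible URL text and href name different hosts."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        if not URLISH.match(text):
            continue  # plain words as link text: nothing to compare
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append({"shown_host": shown, "href_host": real, "href": href})
    return findings


# Constructed message body following the template in this post.
SAMPLE_EMAIL_HTML = """
<p>Dear user of the example.com mailing service!</p>
<p>In order to apply the new set of settings click on the following link:</p>
<p><a href="http://polikkp.co.uk/owa/service_directory/settings.php?email=bob@example.com&amp;from=example.com&amp;fromname=tslreplenish">http://example.com/owa/service_directory/settings.php?email=bob@example.com&amp;from=example.com&amp;fromname=tslreplenish</a></p>
<p>Best regards, <a href="http://example.com/support">example.com Technical Support</a>.</p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {f['shown_host']!r} but href goes to {f['href_host']!r}")
```

Only anchors whose visible text itself looks like a URL are compared; a link labelled "Technical Support" carries no displayed host to contradict, so that case is handled by reputation checks on the href host rather than by this mismatch rule.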

Domains observed in this campaign include the following:

  • bertdffe.co.uk
  • bertdffe.eu
  • bertdffm.co.uk
  • bertdffo.eu
  • bertdffw.co.uk
  • bertdffw.eu
  • oikkkkua.eu
  • oikkkkuf.co.uk
  • oikkkkuh.co.uk
  • oikkkkuh.eu
  • oikkkkuy.co.uk
  • oikkkkuy.eu
  • polikka.eu
  • polikki.co.uk
  • polikki.eu
  • polikko.co.uk
  • polikko.eu
  • polikkp.co.uk
  • polikkp.eu
  • wsasdec.co.uk
  • wsasdec.eu
  • wsasdep.eu
  • wsasdev.co.uk
  • wsasdez.co.uk

The domains are fast-flux hosted: each resolves to a rotating set of IP addresses, and the same set is shared across the domains, as these two lookups show:

Name:   polikkp.co.uk
Addresses:
121.188.121.64, 124.54.222.141, 124.80.91.82, 190.73.128.107
190.105.42.124, 190.193.99.26, 221.152.125.49, 59.5.221.33, 79.116.206.195
85.85.241.57, 87.228.81.107, 88.102.159.73, 91.113.105.55, 114.207.207.153
121.165.99.200
 
Name:   polikkp.eu
Addresses:
190.193.99.26, 221.152.125.49, 59.5.221.33, 79.116.206.195
85.85.241.57, 87.228.81.107, 88.102.159.73, 91.113.105.55, 114.207.207.153
121.165.99.200, 121.188.121.64, 124.54.222.141, 124.80.91.82, 190.73.128.107
190.105.42.124
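Shared, rapidly changing IP sets are the signal to key on here. The Python below is an added example, not part of the original post: it takes the resolutions shown above (both domains answer with the same fifteen addresses), adds a constructed single-homed control host, and clusters domains by shared IPs while scoring each for fast-flux traits. A short TTL is the other classic fast-flux marker, but the lookups above do not show it, so the example scores on address count and /16 diversity only.

```python
"""Cluster domains that share resolver answers and score fast-flux traits.
Added example for this post (not Symantec's code). The two polikkp entries
are the addresses shown in this post; mail.example.com is a constructed
control using a TEST-NET-3 address."""
import ipaddress
from itertools import combinations

FLUX_IPS = {
    "121.188.121.64", "124.54.222.141", "124.80.91.82", "190.73.128.107",
    "190.105.42.124", "190.193.99.26", "221.152.125.49", "59.5.221.33",
    "79.116.206.195", "85.85.241.57", "87.228.81.107", "88.102.159.73",
    "91.113.105.55", "114.207.207.153", "121.165.99.200",
}

RESOLUTIONS = {
    "polikkp.co.uk": set(FLUX_IPS),
    "polikkp.eu": set(FLUX_IPS),
    "mail.example.com": {"203.0.113.10"},  # constructed control host
}


def flux_score(ips, min_ips=5, min_prefixes=3):
    """Score one domain's answer set. A single legitimate host rarely spreads
    a handful of A records across many unrelated /16s; flux networks do."""
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    return {
        "ip_count": len(ips),
        "slash16_count": len(prefixes),
        "fast_flux": len(ips) >= min_ips and len(prefixes) >= min_prefixes,
    }


def jaccard(a, b):
    """Overlap of two address sets; 1.0 means identical answers."""
    return len(a & b) / len(a | b) if a | b else 0.0


def shared_ip_clusters(resolutions, min_shared=1):
    """Group domains that share at least min_shared addresses (union-find)."""
    parent = {d: d for d in resolutions}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    for a, b in combinations(resolutions, 2):
        if len(resolutions[a] & resolutions[b]) >= min_shared:
            parent[find(a)] = find(b)

    groups = {}
    for d in resolutions:
        groups.setdefault(find(d), []).append(d)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for name, ips in RESOLUTIONS.items():
        print(name, flux_score(ips))
    print("overlap polikkp.co.uk/polikkp.eu:",
          jaccard(RESOLUTIONS["polikkp.co.uk"], RESOLUTIONS["polikkp.eu"]))
    print("clusters:", shared_ip_clusters(RESOLUTIONS))
```

Fed with passive-DNS data for the whole domain list above, the clustering step links newly registered lookalikes to the known campaign as soon as they share a single address with it, which is faster than waiting for each to appear in spam.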
 
The interesting thing about these two spam campaigns is the highly personalized nature of the emails: each is crafted to look like a legitimate message from the recipient's own service provider, with the recipient's address and domain embedded in the subject, body and link. Symantec is detecting all the known files in these attacks as Infostealer.Banker.C. This is the latest twist in the long-running saga that is Zeusbot, and we expect the story to change once again by tomorrow.
