Monthly Archive for June, 2009

New features on the ZeuS Tracker

The last few days I made several improvements to the abuse.ch ZeuS Tracker. First of all I have removed more than 300 ZeuS hosts which are no longer reachable (eg. because the domain has been suspended or deleted etc). So if you are using the ZeuS Blocklist please download the updated blocklist (link). You can get a look at the removed ZeuS hosts on the removal list.

New features

  • I have added a AV detection rate for each binary which is in the Tracker. Special thanks to Team Cymru which is providing the Malware Hash Registry (MHR) to the ZeuS Tracker!
  • There is now a column on the monitor page which shows how many files on a ZeuS hosts are currently online. This feature was requested by various CERTs and ISPs – thanks for your feedback! (link)
  • The removal list now contains archived binaries and configs (link)
  • There is now a page which lists all ZeuS Tracker RSS feeds which are available (link)
  • I’ve added a new filter for the ZeuS Tracker monitor called “ZeuS hosts with files online”. If you click on this filter you will see only ZeuS hosts which have at least one file online (link)
  • You have now the possibility to download ALL ZeuS binaries which are currently in the Tracker. For this purpose I’ve created a cronjob which export all ZeuS binaries on 01:00 UTC into a ZIP-file. For security reasons I won’t post the link here. You can find the link on the FAQ page

Changelog

  • I’ve synchronized the color for the column SBL, status and files online. ZeuS hosts which are offline will now be colored green (and not red)
  • I’ve added a statistical breakdown of the AV detection rate on the bottom of the statistic page (link)
  • I’ve made some changes on the site layout
  • The ZeuS Tracker is no longer BETA

The ZeuS Tracker is searching a new location

Maybe you already noticed that the server which is hosting the ZeuS Tracker and abuse.ch has often connection issues and is not reachable. This is caused by DDoS- and SYN-Flood attacks from various sources agains the Webserver. Unfortunately I’ve only limited ressources to mitigate such attacks at the current server location so I have decided to search a new location for the ZeuS Tracker and abuse.ch. If you have the possibility to spend a server in your network please contact me using the contact form.

Have fun with the new features of the ZeuS Tracker! :)

WSNPoem: report_8977.exe

Seit heute Nachmittag ist erneut eine Spam-Welle unterwegs, welche den Banken-Trojaner ZeuS (aka zbot / wsnpoem) verbreitet:

Subject: Information of your Transactions

Good evening
Dear Credit Card Holder:

The last transaction report on your credit card shows a number of transactions that have questionable background. That gives us reasons to believe that your credit card details have been stolen, and your card has been abused for making unauthorized payments.

Enclosed is the listing of transactions made with your credit card between 13.06.2009 and 15.06.2009. Please look through the enclosed document carefully and pay special attention to the last three of the listed transactions they are the ones that we suspect to be fraudulent.

Please find time to review the enclosed account statement and confirm the transactions you have authorized in person. This would help us both to have this issue resolved as quickly as possible.

The Word-formatted copy of your transaction list:

http://scananida.com.pl/report_8977.exe

Email Text sowie der Betreff scheint immer der selbe zu sein. Der Absender der Email ist gefälscht und variiert. Interessant ist, dass der Trojaner diesmal nicht in einer ZIP-Datei daher kommt: vielmehr verweist ein Link am Ende des Emails auf eine gehackte Webseite, wo das ZeuS binary liegt:

http://scananida.com.pl/report_8977.exe

;; QUESTION SECTION:
;scananida.com.pl. IN A

;; ANSWER SECTION:
scananida.com.pl. 39283 IN A 91.121.8.196

route: 91.121.0.0/18
descr: OVH ISP
descr: Paris, France
origin: AS16276
mnt-by: OVH-MNT

Äusserst erschreckend ist die Tatsache, dass das Binary derzeit gerade einmal von zwei Antivirus Herstellern als Malware erkannt wird:

Filename: report_8977.exe
File size: 81920 bytes
MD5 : d4e6069285270e41ef470d897cf26e36
SHA1 : 854bf8ff8933cd30797eb1d2e134a4895f574af6
Erkennungsrate: 2/41 (4.88%)

Fürt der Empfänger der Email das EXE-File aus, nistet sich ZeuS im System ein und lauscht nach Login Daten für Mail-, Bank-, und Social Network-Accounts. Auffallend ist, dass auch dieses mal die gestohlenen Daten wieder an den uns bereits bekannten Command&Control Server djellow.com (siehe WSNPoem: client_update.zip / WSNPoem: Spam-Wellen fluten das Netz) gesendet werden:

GET http://djellow.com/djwlc/djwl.bin <- ZeuS configuration file
GET http://djellow.com/djwlc/bin.exe <- Latest ZeuS binary
POST http://djellow.com/djwl/rec.php <- Dropzone

Auch der Ort, wo sich der Trojaner im System ein nistet, ist wieder der selbe:

C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\lowsec
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\lowsec\local.ds

Fazit

  • Emails mit dem Betreff Information of your Transactions temporär an den Email Gateways abweisen
  • Den Zugriff auf djellow.com (91.206.201.6) sperren
  • Da seit einigen Tagen gleich mehrere solcher ZeuS Spam-Wellen unterwegs sind, empfielt sich eine erhöte Wachsamkeit beim öffnen von Emails mit umbekanntem oder verdächtigen Absender
  • UPDATE 20:31 Uhr

    Scheinbar scheint noch eine zweite ZeuS Spam-Welle die Runde zu machen:

    Subject: Worldpay CARD transaction Confirmation

    Your transaction has been processed by WorldPay, on behalf of Amazon Inc.

    http://w-crook.com.ar/report_8977.exe

    This is not a tax receipt.
    We processed your payment.
    Amazon Inc has received your order,
    and will inform you about delivery.
    Sincerely,
    Amazon Team

    This confirmation only indicates that your transaction has been processed
    successfully.
    It does not indicate that your order has been accepted.
    It is the responsibility of Amazon Inc to confirm that
    your order has been accepted, and to deliver any goods or services you have
    ordered.

    Text und Betreff sind immer die gleichen. Die im Spam-Mail angepriesene URL ist eine andere, als die URL aus dem “Information of your Transactions” Spam-Mail, das dort angebotene Binary ist jedoch das selbe:

    http://w-crook.com.ar/report_8977.exe

    Filename: report_8977.exe
    File size: 81920 bytes
    MD5 : d4e6069285270e41ef470d897cf26e36
    SHA1 : 854bf8ff8933cd30797eb1d2e134a4895f574af6
    Erkennungsrate: 2/41 (4.88%)




    economics-recluse
    Scene
    Urgent!