Thursday, July 28, 2011

"Government-related" Zeus spam continues

As we discussed in yesterday's article, "Wrong transaction" hotel spam, the UAB Spam Data Mine now has the ability to provide early alerts when a new spam campaign links directly to executable files.



Update: New Zeus distribution site, July 29th AM:

We are receiving spam emails this morning from "nacha.org" From: addresses that direct us to this Zeus distribution site.

hxxp://federalreserve-alert.com/transaction_report.pdf.exe

Here's the VirusTotal report: As of this timestamp (5:30 AM Central time) we see (5 of 43) detections. Only 2 of those are calling this Zeus.
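As an added illustration of the kind of early-alerting check described above (example code written for this page, not the UAB Spam Data Mine's own code), the following Python extracts the links from a message body, flags any that point directly at an executable, and separately notes the document-plus-executable double extension used by this campaign's transaction_report.pdf.exe. The sample body, the extension lists and the www.example.org link are constructed; the malicious link is the one reported in the update above, kept in its defanged hxxp form.

```python
import re
from urllib.parse import urlparse

# Extensions that mean "the link hands the recipient a program", the trigger for an alert.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Document extensions attackers place in front of the real one (transaction_report.pdf.exe).
DECOY_EXTENSIONS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".htm", ".html"}

# Matches http/https links and the defanged hxxp form used when quoting malicious URLs.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample body: the lure text from the FDIC spam plus one benign example.org link.
SAMPLE_BODY = """Dear clients,
Your account ACH and Wire transactions have been temporarily suspended.
To download and install the newest Updates, click here:
hxxp://federalreserve-alert.com/transaction_report.pdf.exe
Details: https://www.example.org/notice/update.html
"""


def extract_urls(body):
    """Return every link in the body, trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;)") for m in URL_RE.finditer(body)]


def classify_link(url):
    """Describe one link: host, file name, whether it is an executable, and whether
    the executable hides behind a document extension."""
    normalized = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    parsed = urlparse(normalized)
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    parts = filename.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    decoy = "." + parts[-2] if len(parts) > 2 else ""
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "url": url,
        "host": parsed.hostname or "",
        "filename": filename,
        "executable": executable,
        "double_extension": executable and decoy in DECOY_EXTENSIONS,
    }


def executable_links(body):
    """Only the links that would trigger an 'executable linked directly from spam' alert."""
    return [h for h in (classify_link(u) for u in extract_urls(body)) if h["executable"]]


def new_executable_campaigns(bodies, seen=None):
    """Alert once per (host, filename) pair the first time it appears; `seen` carries
    state across batches so an already-known campaign is not reported again."""
    seen = set() if seen is None else seen
    fresh = []
    for body in bodies:
        for hit in executable_links(body):
            key = (hit["host"], hit["filename"])
            if key not in seen:
                seen.add(key)
                fresh.append(hit)
    return fresh


if __name__ == "__main__":
    for hit in new_executable_campaigns([SAMPLE_BODY]):
        flag = " (double extension)" if hit["double_extension"] else ""
        print(f"ALERT new executable link: {hit['host']}/{hit['filename']}{flag}")
```

The `seen` set is what makes this an early-warning check rather than a per-message filter: the first message pointing at a new host/filename pair raises the alert, and the hundreds of copies that follow in the same 15-minute block stay quiet.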




This morning we have a new example of this capability in the form of the two most recent installments of a long-running "government-related" Zeus campaign.

One of the two spammed destinations is:

alert-irs.com /00000700973770US.exe MD5 = 0691a4856713edc97664e60db735747c

This malware is currently showing a (12 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

The other spammed destination is:

fdic-updates.com /system_update_07_28.exe MD5 = 7a0303fdb809ac0c1a84123b106992c2

This malware is currently showing a (8 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

Both files are 172,032 bytes in size, but currently the FDIC one is showing a dramatically wider distribution via email than the IRS one, which may be an indication of "targeting" by the latter.

The FDIC version has been seen almost 500 times, despite the fact that the campaign is less than 45 minutes old as of this writing. Here is the count per 15 minute block seen in the UAB Spam Data Mine:

5 | ACH and Wire transfers disabled. | 2011-07-28 06:00:00
3 | Banking security update. | 2011-07-28 06:00:00
1 | Update for your banking account. | 2011-07-28 06:00:00
107 | ACH and Wire transfers disabled. | 2011-07-28 05:45:00
138 | Banking security update. | 2011-07-28 05:45:00
108 | Security update for banking accounts. | 2011-07-28 05:45:00
122 | Update for your banking account. | 2011-07-28 05:45:00
1 | Banking security update. | 2011-07-28 05:30:00
1 | Security update for banking accounts. | 2011-07-28 05:30:00
1 | ACH and Wire transfers disabled. | 2011-07-28 05:15:00
1 | Banking security update. | 2011-07-28 05:15:00
1 | Security update for banking accounts. | 2011-07-28 05:15:00


(Timestamps are US-Central Time, GMT -6)


The FDIC spam comes from email addresses that randomly pair one of these "usernames" with one of these "hostnames". Every username in the first list was seen combined with every hostname in the second list.

Usernames:

admin
adminnistration
cunsumer
FDIC
finance
govdelivery
information
inspector
news
no-reply
privacy_policy
protection
public
report
service
stats
support
webannouncements

Hostnames:

admin.fdic.gov
administration.fdic.gov
fdic.gov
security.fdic.gov


Here's what the email actually says:

Dear clients,
Your account ACH and Wire transactions have been
temporarily suspended for your settings, due to the
expiration of your security version. To download and install the
newest Updates, click here.

As soon as it is Applied, your transaction abilities will be fully restored.

Best regards,
Online security department
Federal Deposit Insurance Corporation



The IRS related spam came first:

2 | Internal Revenue Service | 2011-07-28 04:15:00
2 | Federal Tax payment rejected | 2011-07-28 04:00:00
2 | Your IRS payment rejected | 2011-07-28 04:00:00
2 | Internal Revenue Service | 2011-07-28 03:45:00


This is fairly typical spamming for this group. They like to make a new Zeus variant, populate it on a website, and then spam it very hard at the beginning of the East Coast business day. For example, here is the spam for:

"nacha-rejected.com"

2 | Rejected transaction | 2011-07-27 05:30:00
1 | Canceled payment | 2011-07-27 05:15:00
2 | Canceled transaction | 2011-07-27 05:15:00
3 | Payment rejected | 2011-07-27 05:15:00
5 | Rejected transaction | 2011-07-27 05:15:00
2 | Canceled transaction | 2011-07-27 05:00:00
8 | Canceled transfer | 2011-07-27 05:00:00
5 | Payment canceled | 2011-07-27 05:00:00
3 | Payment rejected | 2011-07-27 05:00:00
4 | Rejected transaction | 2011-07-27 05:00:00
92 | Canceled payment | 2011-07-27 04:45:00
74 | Canceled transaction | 2011-07-27 04:45:00
84 | Canceled transfer | 2011-07-27 04:45:00
60 | Payment canceled | 2011-07-27 04:45:00
75 | Payment rejected | 2011-07-27 04:45:00
57 | Rejected transaction | 2011-07-27 04:45:00
2 | Payment canceled | 2011-07-27 04:30:00
1 | Payment rejected | 2011-07-27 04:30:00
1 | Canceled transaction | 2011-07-27 04:15:00
2 | Payment canceled | 2011-07-27 04:15:00


nacha-transactions.com

1 | Payment rejected | 2011-07-27 07:00:00
1 | Rejected transaction | 2011-07-27 06:45:00
4 | Canceled payment | 2011-07-27 06:30:00
2 | Canceled transfer | 2011-07-27 06:30:00
1 | Payment canceled | 2011-07-27 06:30:00
1 | Payment rejected | 2011-07-27 06:30:00
1 | Canceled transaction | 2011-07-27 06:15:00
1 | Canceled transfer | 2011-07-27 06:15:00
1 | Payment canceled | 2011-07-27 06:15:00
1 | Payment rejected | 2011-07-27 06:15:00


taxes-refund.com

1 | Internal Revenue Service | 2011-07-27 08:00:00
1 | U.S. Department of the Treasury | 2011-07-27 08:00:00
1 | Internal Revenue Service | 2011-07-27 07:45:00
2 | Internal Revenue Service (IRS) | 2011-07-27 07:45:00
2 | Payment IRS.gov | 2011-07-27 07:45:00
1 | Internal Revenue Service | 2011-07-27 07:30:00
1 | IRS.gov | 2011-07-27 07:30:00
1 | U.S. Department of the Treasury | 2011-07-27 07:30:00


Three consecutive campaigns, one following the other, with the whole thing wrapping up before 8 AM Central time (which would be 9 AM Eastern time).

The NACHA spam leading to Zeus has been an issue for a very long time. We've seen spam like this going all the way back to November 2009, but it has been fairly constant since February of this year, when we shared the article ACH Transaction Rejected Payment Spam.

Following the Botnet Back in Time


Because of the way we archive our email, it's possible for us to ask the UAB Spam Data Mine to reveal a deeper history for this particular spamming botnet by asking a question like:

"Show me all the spam subjects that have been sent by IP addresses that sent me this morning's fdic-updates.com spam message"

5 | 2011-07-28 06:00:00 | ACH and Wire transfers disabled.
3 | 2011-07-28 06:00:00 | Banking security update.
1 | 2011-07-28 06:00:00 | Update for your banking account.
107 | 2011-07-28 05:45:00 | ACH and Wire transfers disabled.
138 | 2011-07-28 05:45:00 | Banking security update.
108 | 2011-07-28 05:45:00 | Security update for banking accounts.
122 | 2011-07-28 05:45:00 | Update for your banking account.
1 | 2011-07-28 05:30:00 | Banking security update.
1 | 2011-07-28 05:30:00 | Security update for banking accounts.
1 | 2011-07-28 05:15:00 | ACH and Wire transfers disabled.
1 | 2011-07-28 05:15:00 | Banking security update.
1 | 2011-07-28 05:15:00 | Security update for banking accounts.
1 | 2011-07-27 23:30:00 | ho
1 | 2011-07-27 21:15:00 | RE:.. How do you do,
4 | 2011-07-27 20:00:00 | ho
1 | 2011-07-27 14:45:00 | VIDEO: Lockerbie bomber at pro-Gaddafi rally
1 | 2011-07-27 12:00:00 | Yo
1 | 2011-07-27 08:00:00 | Internal Revenue Service
1 | 2011-07-27 06:45:00 | Rejected transaction
2 | 2011-07-27 05:15:00 | Rejected transaction
2 | 2011-07-27 05:00:00 | Canceled transaction
2 | 2011-07-27 05:00:00 | Canceled transfer
3 | 2011-07-27 05:00:00 | Payment rejected
33 | 2011-07-27 04:45:00 | Canceled payment
22 | 2011-07-27 04:45:00 | Canceled transaction
26 | 2011-07-27 04:45:00 | Canceled transfer
24 | 2011-07-27 04:45:00 | Payment canceled
30 | 2011-07-27 04:45:00 | Payment rejected
17 | 2011-07-27 04:45:00 | Rejected transaction
1 | 2011-07-27 04:30:00 | Payment canceled
1 | 2011-07-27 04:15:00 | Canceled transaction
1 | 2011-07-27 04:15:00 | Payment canceled
1 | 2011-07-26 17:15:00 | Attack on Guinea leader repelled
1 | 2011-07-26 06:00:00 | IRC.gov
1 | 2011-07-26 05:45:00 | VIDEO: Phoenix hit by second dust storm
1 | 2011-07-25 14:00:00 | Hi!
1 | 2011-07-23 19:45:00 | Giant space telescope reaches orbit
1 | 2011-07-23 19:45:00 | High Court challenge on care cuts
1 | 2011-07-23 19:45:00 | HMRC in cost-cutting 'challenge'
1 | 2011-07-23 19:45:00 | Mortgage lending remains subdued
1 | 2011-07-23 19:45:00 | Mum's stress reaches baby in womb
1 | 2011-07-23 19:45:00 | Nato hands over key Afghan city
1 | 2011-07-23 19:45:00 | Personal pension advice still bad
1 | 2011-07-23 19:45:00 | Scots economy escapes recession
1 | 2011-07-23 19:45:00 | Serbia arrests last war crimes fugitive
1 | 2011-07-23 19:45:00 | Strauss-Kahn daughter questioned
1 | 2011-07-23 19:45:00 | VIDEO: Key moments as MPs grill Murdochs
1 | 2011-07-23 18:30:00 | Heya
2 | 2011-07-22 19:45:00 | Hi
1 | 2011-07-22 19:00:00 | Hey
1 | 2011-07-22 19:00:00 | Hi
1 | 2011-07-22 13:45:00 | Heya
1 | 2011-07-22 07:15:00 | Read: A Must for High-Rise Emergencies
1 | 2011-07-22 05:00:00 | IRC.gov
1 | 2011-07-22 04:45:00 | Support IRS.gov
2 | 2011-07-22 03:45:00 | Change Confirmation
1 | 2011-07-22 03:45:00 | Does your enterprise including outstanding tax debts
1 | 2011-07-22 03:45:00 | Internal Revenue Service
1 | 2011-07-22 03:45:00 | Internal Revenue Service United States Department of the Treasury
1 | 2011-07-22 03:45:00 | IRC.gov
1 | 2011-07-22 03:45:00 | IRS.gov US
1 | 2011-07-22 03:45:00 | Notice of Underreported Income
3 | 2011-07-22 03:45:00 | Support IRS.gov
2 | 2011-07-22 03:45:00 | Treasury Inspector General for Tax Administration
2 | 2011-07-22 03:45:00 | U.S. Department of the Treasury
2 | 2011-07-22 03:45:00 | Your company including unpaid tax debts
1 | 2011-07-21 13:00:00 | Manhood raisers with price-offs!
1 | 2011-07-21 13:00:00 | Super lasting and good stiff!
1 | 2011-07-21 05:45:00 | New security update
2 | 2011-07-21 04:45:00 | Go id token update
6 | 2011-07-21 04:45:00 | Security token update
1 | 2011-07-21 04:45:00 | Token code update
2 | 2011-07-21 04:45:00 | Token software update
1 | 2011-07-20 07:30:00 | Canceled payment
1 | 2011-07-20 07:30:00 | Rejected transaction
1 | 2011-07-20 07:00:00 | Payment rejected
1 | 2011-07-20 06:45:00 | Canceled payment
1 | 2011-07-20 06:45:00 | Payment canceled
16 | 2011-07-20 06:30:00 | Canceled payment
8 | 2011-07-20 06:30:00 | Canceled transaction
10 | 2011-07-20 06:30:00 | Canceled transfer
7 | 2011-07-20 06:30:00 | Payment canceled
8 | 2011-07-20 06:30:00 | Payment rejected
6 | 2011-07-20 06:30:00 | Rejected transaction
19 | 2011-07-20 06:15:00 | Canceled payment
13 | 2011-07-20 06:15:00 | Canceled transaction
15 | 2011-07-20 06:15:00 | Canceled transfer
16 | 2011-07-20 06:15:00 | Payment canceled
17 | 2011-07-20 06:15:00 | Payment rejected
24 | 2011-07-20 06:15:00 | Rejected transaction
2 | 2011-07-20 05:00:00 | Wire transfer # 3240569823405844930
4 | 2011-07-20 05:00:00 | Wire transfer # 3463453123432454667
1 | 2011-07-20 05:00:00 | Wire transfer # 3858994783568734677
1 | 2011-07-20 05:00:00 | Wire transfer # 4577867895676542367
2 | 2011-07-20 05:00:00 | Wire transfer # 5645746324515345353
2 | 2011-07-20 05:00:00 | Wire transfer # 6754846773457536756
2 | 2011-07-20 05:00:00 | Wire transfer # 6785675623451222333
1 | 2011-07-20 05:00:00 | Wire transfer # 8565696735865742365
2 | 2011-07-20 05:00:00 | Wire transfer ID 2345578568567567544
1 | 2011-07-20 05:00:00 | Wire transfer ID 3265474356547356756
1 | 2011-07-20 05:00:00 | Wire transfer ID 3425215345565475468
1 | 2011-07-20 05:00:00 | Wire transfer id 3425233214234534634
5 | 2011-07-20 05:00:00 | Wire transfer ID 3425233214234534634
1 | 2011-07-20 05:00:00 | Wire transfer id 3452364365475463425
1 | 2011-07-20 05:00:00 | Wire transfer ID 4135146854351231151
1 | 2011-07-20 05:00:00 | Wire transfer ID 4353267658545629087
3 | 2011-07-20 05:00:00 | Wire transfer ID 5468513264769656536
1 | 2011-07-20 05:00:00 | Wire transfer id 5473785489567245623
1 | 2011-07-20 05:00:00 | Wire transfer ID 5687895416264572398
1 | 2011-07-20 05:00:00 | Wire transfer ID 5876978567345176586
1 | 2011-07-20 05:00:00 | Wire transfer ID 6768576565423453415
1 | 2011-07-20 05:00:00 | Wire transfer id 6857234568657433677
3 | 2011-07-20 05:00:00 | Wire transfer id 8479764976835672345
1 | 2011-07-20 05:00:00 | Wire transfer id 8658375686537546544
41 | 2011-07-20 05:00:00 | Your Wire fund transfer
1 | 2011-07-20 04:30:00 | Wire transfer ID 6431531354846843122
1 | 2011-07-19 04:45:00 | Change Confirmation
1 | 2011-07-19 04:45:00 | Does your company is registered outstanding tax debts
2 | 2011-07-19 04:45:00 | U.S. Department of the Treasury
1 | 2011-07-19 04:45:00 | Your IRS payment rejected
1 | 2011-07-19 04:30:00 | Change Confirmation
1 | 2011-07-19 04:30:00 | Does your company including tax debts
1 | 2011-07-19 04:30:00 | Does your enterprise listed unpaid tax debts
2 | 2011-07-19 04:30:00 | Federal Tax payment rejected
1 | 2011-07-19 04:30:00 | For your company including unpaid tax debt
1 | 2011-07-19 04:30:00 | For your enterprise including tax debt
13 | 2011-07-19 04:30:00 | Internal Revenue Service
4 | 2011-07-19 04:30:00 | Internal Revenue Service (IRS)
2 | 2011-07-19 04:30:00 | Internal Revenue Service United States Department of the Treasury
4 | 2011-07-19 04:30:00 | IRC.gov
5 | 2011-07-19 04:30:00 | IRS.gov US
8 | 2011-07-19 04:30:00 | Notice of Underreported Income
6 | 2011-07-19 04:30:00 | Payment IRS.gov
4 | 2011-07-19 04:30:00 | Support IRS.gov
5 | 2011-07-19 04:30:00 | Treasury Inspector General for Tax Administration
1 | 2011-07-19 04:30:00 | U.S. Department of the Treasury
2 | 2011-07-19 04:30:00 | Your enterprise has remained outstanding tax debts
3 | 2011-07-19 04:30:00 | Your IRS payment rejected
1 | 2011-07-19 04:15:00 | Internal Revenue Service
1 | 2011-07-18 10:30:00 | Love BlackJack? Check out the games at Winner Palace
1 | 2011-07-16 02:00:00 | Out of Office AutoReply: Please Review
1 | 2011-07-15 09:00:00 | For your company is registered unpaid tax debt
1 | 2011-07-15 09:00:00 | Internal Revenue Service
2 | 2011-07-15 08:45:00 | Change Confirmation
2 | 2011-07-15 08:45:00 | Federal Tax payment rejected
2 | 2011-07-15 08:45:00 | Internal Revenue Service
2 | 2011-07-15 08:45:00 | Internal Revenue Service (IRS)
4 | 2011-07-15 08:45:00 | Internal Revenue Service United States Department of the Treasury
3 | 2011-07-15 08:45:00 | IRC.gov
1 | 2011-07-15 08:45:00 | IRS.gov US
3 | 2011-07-15 08:45:00 | Payment IRS.gov
2 | 2011-07-15 08:45:00 | Support IRS.gov
1 | 2011-07-15 08:45:00 | Treasury Inspector General for Tax Administration
1 | 2011-07-15 08:45:00 | U.S. Department of the Treasury
2 | 2011-07-15 08:45:00 | Your IRS payment rejected
1 | 2011-07-15 07:30:00 | TV murder appeal prompts 40 calls
1 | 2011-07-14 21:30:00 | US senator requests hacking probe
1 | 2011-07-14 20:15:00 | Parties unite over BSkyB bid call
1 | 2011-07-14 19:45:00 | PM Kan urges 'nuclear-free Japan'
1 | 2011-07-14 18:00:00 | Man tells jury 'I killed Lynette'
1 | 2011-07-14 15:15:00 | VIDEO: Live: Debate on youth unemployment
1 | 2011-07-14 07:15:00 | Security update for banking accounts.
10 | 2011-07-14 07:00:00 | ACH and Wire transfers disabled.
5 | 2011-07-14 07:00:00 | Banking security update.
7 | 2011-07-14 07:00:00 | Security update for banking accounts.
5 | 2011-07-14 07:00:00 | Update for your banking account.
1 | 2011-07-13 11:30:00 | Hospitals warned over clot deaths
1 | 2011-07-13 07:45:00 | Does your enterprise listed unpaid tax debt
3 | 2011-07-13 07:45:00 | Federal Tax payment rejected
5 | 2011-07-13 07:45:00 | Internal Revenue Service United States Department of the Treasury
2 | 2011-07-13 07:45:00 | IRC.gov
7 | 2011-07-13 07:45:00 | Notice of Underreported Income
1 | 2011-07-13 07:45:00 | Treasury Inspector General for Tax Administration
2 | 2011-07-13 07:45:00 | U.S. Department of the Treasury
1 | 2011-07-13 07:45:00 | Your company listed outstanding tax debt
1 | 2011-07-13 07:45:00 | Your enterprise listed unpaid tax debt
1 | 2011-07-13 07:30:00 | Internal Revenue Service
2 | 2011-07-13 07:30:00 | Internal Revenue Service (IRS)
2 | 2011-07-13 07:30:00 | Internal Revenue Service United States Department of the Treasury
1 | 2011-07-13 07:30:00 | Notice of Underreported Income
3 | 2011-07-13 07:30:00 | Payment IRS.gov
1 | 2011-07-13 07:30:00 | Support IRS.gov
2 | 2011-07-13 07:30:00 | U.S. Department of the Treasury
2 | 2011-07-13 07:30:00 | Your IRS payment rejected
3 | 2011-07-13 05:45:00 | Business accounts updates
1 | 2011-07-13 05:45:00 | Dear corporate clients
1 | 2011-07-13 05:45:00 | New settings for wire transfers
1 | 2011-07-13 05:30:00 | Business accounts updates
5 | 2011-07-13 05:30:00 | Corporate banking security
3 | 2011-07-13 05:30:00 | Dear corporate clients
10 | 2011-07-13 05:30:00 | Federalreserve security update
4 | 2011-07-13 05:30:00 | New security settings
4 | 2011-07-13 05:30:00 | New security update
5 | 2011-07-13 05:30:00 | New settings for wire transfers
2 | 2011-07-13 05:30:00 | Wire transfers update



We can also ask it which spammed destinations those same messages were advertising, which gives us:

July 13th = usbanking-security.com
July 15th = federalsecusrity.com
July 19th = taxreport-irs.com
July 19th = irs-taxes-report.com
July 19th = irs-report-link.com
July 20th = www.federalreserve.gov
July 20th = reports-federalreserve.com
July 20th = nacha-alert.org
July 20th = nacha-alert.com
July 20th = alerts-federalresrve.com
July 21st = national-security-agency.com
July 21st = federal-secueity-government.com
July 22nd = irs-downloads.com
July 22nd = irs-files.com
July 26th = taxes-irs.net
July 27th = www.nacha-rejected.com
July 27th = taxes-refund.com
July 28th = fdic-updates.com

Again, the query run says "look at my spam history FOR THE IP ADDRESSES USED BY THE GOV-RELATED ZEUS DOMAIN THIS MORNING and see what else they've sent me previously."
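The three questions asked of the Data Mine in this post, the count per subject per 15-minute block, the "what else have these IPs sent me" pivot, and the per-day list of destinations those IPs advertised, can be reproduced against a small archive like the one below. This is an added example for this page, not the UAB Spam Data Mine's schema or code: the `messages` table and its column names are assumed, the sender IPs come from the TEST-NET ranges, the non-campaign hosts use the reserved .invalid TLD, and the subjects are borrowed from the tables above.

```python
import sqlite3

# Constructed sample of an archived-spam table: one row per message with the sending IP,
# the subject, the receive time (US Central, as in the post) and the host the body links to.
SAMPLE_MESSAGES = [
    # (sender_ip, subject, received, destination)
    ("203.0.113.10", "ACH and Wire transfers disabled.", "2011-07-28 05:47:12", "fdic-updates.com"),
    ("203.0.113.10", "Banking security update.", "2011-07-28 05:49:30", "fdic-updates.com"),
    ("203.0.113.25", "Update for your banking account.", "2011-07-28 05:58:01", "fdic-updates.com"),
    ("203.0.113.25", "Security update for banking accounts.", "2011-07-28 06:01:44", "fdic-updates.com"),
    ("203.0.113.10", "Canceled payment", "2011-07-27 04:46:05", "nacha-rejected.com"),
    ("203.0.113.25", "Internal Revenue Service", "2011-07-27 07:46:20", "taxes-refund.com"),
    ("203.0.113.25", "VIDEO: Phoenix hit by second dust storm", "2011-07-26 05:45:10", "news-lure.invalid"),
    # A different bot that also pushed the NACHA spam but never the FDIC one: the pivot excludes it.
    ("198.51.100.7", "Canceled payment", "2011-07-27 04:45:11", "nacha-rejected.com"),
    ("198.51.100.7", "Love BlackJack? Check out the games at Winner Palace", "2011-07-18 10:31:00", "casino-lure.invalid"),
]

# Sub-query shared by the pivots: the IPs that delivered spam for a given destination.
SENDERS_OF = "SELECT DISTINCT sender_ip FROM messages WHERE destination = ?"


def build_mine(rows):
    """Load the sample rows into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (sender_ip TEXT, subject TEXT, received TEXT, destination TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", rows)
    return conn


def counts_per_quarter_hour(conn, destination):
    """Messages per subject per 15-minute block for one spammed destination
    (the shape of the count tables in the post). Returns (count, subject, block)."""
    sql = """
        SELECT COUNT(*), subject,
               strftime('%Y-%m-%d %H:', received)
               || printf('%02d:00', (CAST(strftime('%M', received) AS INTEGER) / 15) * 15) AS block
        FROM messages
        WHERE destination = ?
        GROUP BY subject, block
        ORDER BY block DESC, subject
    """
    return conn.execute(sql, (destination,)).fetchall()


def history_of_senders(conn, destination):
    """The pivot: every subject ever sent by the IPs that sent spam for this destination.
    Returns (count, subject, first_seen), newest first."""
    sql = f"""
        SELECT COUNT(*), subject, MIN(received) AS first_seen
        FROM messages
        WHERE sender_ip IN ({SENDERS_OF})
        GROUP BY subject
        ORDER BY first_seen DESC
    """
    return conn.execute(sql, (destination,)).fetchall()


def destinations_of_senders(conn, destination):
    """Which destinations those same IPs advertised, by day (the 'July 13th = ...' list)."""
    sql = f"""
        SELECT DISTINCT date(received) AS day, destination
        FROM messages
        WHERE sender_ip IN ({SENDERS_OF})
        ORDER BY day, destination
    """
    return conn.execute(sql, (destination,)).fetchall()


if __name__ == "__main__":
    mine = build_mine(SAMPLE_MESSAGES)
    for row in counts_per_quarter_hour(mine, "fdic-updates.com"):
        print("%5d | %-40s | %s" % row)
    print()
    for count, subject, first_seen in history_of_senders(mine, "fdic-updates.com"):
        print("%5d | %s | %s" % (count, first_seen, subject))
    print()
    for day, host in destinations_of_senders(mine, "fdic-updates.com"):
        print(f"{day} = {host}")
```

The pivot is deliberately keyed on the sending IP rather than on the subject or the destination: the same bots carry the IRS, NACHA, FDIC and news-headline lures in turn, so the IP set is the one attribute that ties the campaigns together while a sender that only ever pushed one of them (198.51.100.7 in the sample) stays out of the picture.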

I've temporarily included only those links that were DIRECTLY linking to an executable, but we also have all of the "domain-shortener" spam that was sent on July 13th pretending to be a LinkedIn message. In that case, the spam used 25 different shortener services, most of which seem to have been created specifically for that purpose:

1tja.com
4h.biz
4nu.net
coge.la
d3c.co
flyfrm.com
gli.im
gsfn.info
hi2.com
ion.so
ks.gs
lawurl.com
lllll.im
niy.me
nznet.info
sendtourl.com
shoor.tk
smlurl.info
sra.li
tiny.tw
vs0.net
widg.me
wurl.ca
yi.pe
zolp.net

And yes, we can also tie today's spamming botnet to all of those fake LinkedIn spam messages that distributed Zeus on July 13th.
