Thursday, December 26, 2013

Holiday Delivery Failures lead to Kuluoz malware

As Christmas grew closer and people began to worry about whether their online purchases would reach their destinations in time to be placed beneath the Christmas Tree, online scammers decided to take advantage of this natural fear to install malware on the computers of unsuspecting nervous nellies. One television news program today interviewed a woman who had almost fallen for one of these scams in a story they called Costco Customers Targeted in Phishing Scam. In that story, the shopper, Marianne Bartley, said the email she had received told her a package had not been delivered and that she would receive a refund, but if she didn't fill out an online form, she would be penalized 21% of the purchase price.

The local news station, KOLO 8, contacted Costco by telephone and received this automated warning:

"If you received an email concerning a delivery failure or cancellation: immediately delete the e-mail and do not reply. This is a phishing scam and was not sent by Costco. Costco is not affiliated with the e-mail in any way."

Here's the email that Marianne and hundreds of thousands of American Christmas shoppers have been receiving since December 19th at approximately 10 AM. The non-stop bombardment of spam continued throughout the day today, December 26th, and will likely continue tomorrow as well:

But it wasn't just Costco. In fact, Walmart and Best Buy were also used in this spam campaign, with emails that looked like these:

Each day the Malcovery Spam Data Mine processes more than a million spam email messages searching for dangerous threats like these and our analysts evaluate the threats and provide intelligence to customers to help them protect themselves. In this case, Malcovery has seen more than 3,000 copies of these "Delivery" emails, which come with one of several prominent Subject lines:

  • Express Delivery Failure
  • Standard Delivery Failure
  • Scheduled Home Delivery Problem
  • Delivery Canceling
  • Special Order Delivery Problem
  • Expedited Delivery Problem

The spam messages are being sent out by the ASProx spam-sending botnet. Although the emails can come from any username and any domain, the "Sender Name" (the human-friendly portion of the "From" address) has been consistent as one of these:

  • Best Buy
  • Best Buy Shipping Agent
  • Costco
  • Costco Shipping Agent
  • Costco Shipping Manager
  • Walmart
  • Walmart Delivery
  • Walmart Delivery Agent

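The subject lines and sender names above are enough for a simple mail-gateway triage rule. The following is an added example, not tooling from the original post: the sample messages are constructed, and the allowlist of retailer domains is an assumption used to tell a spoofed display name from a genuine one.

```python
from email import message_from_string
from email.utils import parseaddr

# Subject lines and "From" display names observed in the campaign (from the post).
CAMPAIGN_SUBJECTS = {
    "express delivery failure", "standard delivery failure",
    "scheduled home delivery problem", "delivery canceling",
    "special order delivery problem", "expedited delivery problem",
}
CAMPAIGN_SENDER_NAMES = {
    "best buy", "best buy shipping agent",
    "costco", "costco shipping agent", "costco shipping manager",
    "walmart", "walmart delivery", "walmart delivery agent",
}
# Assumption for this example: domains the impersonated retailers really mail from.
# The spam arrives from arbitrary usernames and domains, so a retailer display
# name on any other domain is treated as spoofed.
LEGIT_SENDER_DOMAINS = {"bestbuy.com", "costco.com", "walmart.com"}


def triage_message(raw_message: str) -> dict:
    """Score one RFC 822 message; only the From and Subject headers are used."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    subject = " ".join(msg.get("Subject", "").split()).lower()
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject_hit = subject in CAMPAIGN_SUBJECTS
    name_hit = display_name.strip().lower() in CAMPAIGN_SENDER_NAMES
    spoofed = name_hit and domain not in LEGIT_SENDER_DOMAINS
    if subject_hit and spoofed:
        verdict = "campaign"
    elif subject_hit or spoofed:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject_hit": subject_hit, "sender_name_hit": name_hit,
            "spoofed_display_name": spoofed, "sender_domain": domain,
            "verdict": verdict}


# Constructed sample messages (not real captures).
SPAM_SAMPLE = """\
From: Costco Shipping Agent <jdoe@example.org>
Subject: Scheduled Home Delivery Problem
To: shopper@example.com

Your package could not be delivered. Please fill out the attached form.
"""
LEGIT_SAMPLE = """\
From: Costco <orders@costco.com>
Subject: Your order has shipped
To: shopper@example.com

Tracking details follow.
"""

if __name__ == "__main__":
    for sample in (SPAM_SAMPLE, LEGIT_SAMPLE):
        print(triage_message(sample)["verdict"])
```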
What would happen if someone clicked on one of these emails? The actual destination would depend on which date and which email type they clicked on, but we have collected a fairly extensive list of destination websites. A full list of the 636 compromised websites that we have seen so far in this campaign is listed at the very end of this article. Just in the past four hours we've seen spam samples that went to each of these websites:

Each of those websites has been broken into by a criminal's hacking program, which has created many subdirectories on the server, each starting with either "/media/" or "/message/" followed by a long random-looking string and then a "Form Name". Here are a couple of recent examples:

/media/Zo6es/bMNyDwcSdtDF1IPBaXWwNlBiBFq/kCUlscSGI=/WalmartForm
/media/J4oHEmjaJvBvrdXTz3KJ5i7G46NP5/dGAYZ5aN4O qs=/CostcoForm
/media/fs1vp YmmEnb7Z6ftU5jKPU7X9Gc3DsasqKZPCIooRc=/WalmartForm
/media/9mz6i EkIDix5uVIAMa4AuEYNuNf18/32d3lFXUnyIQ=/CostcoForm

The "message" path (and the two Best Buy forms, BbForm and BestBuyForm) were more common earlier in the campaign. In fact, on the 19th, we ONLY saw Best Buy samples of the spam:

/message/zZFXQdfn98Ze1SQS7s6a9/yldS qZDpeIXu2C4RRif8=/BbForm
/message/ByundeWiiEoYMllShj48YUj2k53Nndy0jf2mDPhJdNI=/WalmartForm
/message/xERnC10Jrrv0FedQUPsBkZcIonAwqG6e9vMULe1vDkw=/BestBuyForm
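The path structure above is regular enough to hunt for in web proxy logs. Here is an added example, not from the post, that matches the /media/ and /message/ landing paths; the log line format and host names are constructed for the example, and the paths quoted above are reused as the positive cases.

```python
import re
from collections import Counter

# Form names seen at the end of the landing paths in the post.
FORM_NAMES = ("WalmartForm", "CostcoForm", "BbForm", "BestBuyForm")

# /media/ or /message/, then a long base64-looking token (letters, digits, '+',
# '/', optional '=' padding; a '+' shows up as a space once URL-decoded), then the form name.
LANDING_PATH = re.compile(
    r"^/(?P<prefix>media|message)/(?P<token>[A-Za-z0-9+/ ]{20,}=*)/(?P<form>"
    + "|".join(FORM_NAMES) + r")$"
)

# Constructed proxy log lines: "<time> <client> <host> <path> <status>".
SAMPLE_LOG = """\
2013-12-26T14:02:11 10.0.0.21 hacked-site-1.example /media/Zo6es/bMNyDwcSdtDF1IPBaXWwNlBiBFq/kCUlscSGI=/WalmartForm 200
2013-12-26T14:05:40 10.0.0.33 www.example.com /media/images/logo.png 200
2013-12-26T14:07:02 10.0.0.45 hacked-site-2.example /message/xERnC10Jrrv0FedQUPsBkZcIonAwqG6e9vMULe1vDkw=/BestBuyForm 200
2013-12-26T14:09:55 10.0.0.45 www.example.com /message/inbox 200
"""


def find_landing_hits(log_text: str) -> list:
    """Return one record per request whose path matches the landing-page pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line
        timestamp, client, host, path, _status = parts[:5]
        match = LANDING_PATH.match(path)
        if match:
            hits.append({"time": timestamp, "client": client, "host": host,
                         "prefix": match["prefix"], "form": match["form"]})
    return hits


def hits_by_form(hits: list) -> Counter:
    """Count matched requests per form name (shows which lure is currently active)."""
    return Counter(hit["form"] for hit in hits)


if __name__ == "__main__":
    found = find_landing_hits(SAMPLE_LOG)
    for hit in found:
        print(hit["time"], hit["client"], hit["host"], hit["form"])
    print(dict(hits_by_form(found)))
```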

What happens first is that the website prompts the visitor to save or open the file "WalmartForm.zip" (or whichever form they have visited).

If they choose "Open" it will show them that there is a form to be extracted within the .zip file.

If extracted or moved to the Desktop, the form will display a comforting Microsoft Word logo, despite the ".exe" extension.

If the visitor tries to open the WalMartForm.exe program, they will get an error message, which is actually a file called WalmartForm.txt opening in Notepad:

If we check memory, though, the program "WalMartForm.exe" has spawned an instance of "svchost.exe" which contains some very interesting strings, including:

 http://192.210.142.87:8080/709E5B7E58D806F5837DA791871C5FD8EF71A1A7F2

That IP is believed to be the Command & Control (C&C) server to which my infected computer instance is talking.

Other interesting strings include a "knock" tag:

(knock)(id)709E5B7E71F412D245208000C3208388(/id)
       (group)2612r(/group)
       (src)21(/src)
       (transport)0(/transport)
       (time)-194855676(/time)
       (version)1281(/version)
       (status)0(/status)
       (debug)5.1 x32  none  none(/debug)(/knock)

The location of some additional malware dropped from the server:

C:\Documents and Settings\Owner\Local Settings\Application Data\kinwmeiq.exe

And a tag that SEEMS to show the username of the malware author, though I'll not include that here . . .
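The strings above can be pulled into structured indicators automatically. The following is an added example, not the post's own tooling: it parses the C&C URL, the knock beacon and the dropped-file path out of a constructed strings dump that reuses the values quoted in the post (the post renders the knock tags with parentheses; also accepting angle brackets is an assumption).

```python
import re

# C&C URL shape from the post: http://<IPv4>:<port>/<long hex id>
CNC_URL = re.compile(
    r"https?://(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/(?P<path_id>[0-9A-Fa-f]{32,})"
)
# The whole beacon and one (tag)value(/tag) pair inside it; '(' ')' as shown in
# the post, '<' '>' accepted as well (assumption).
KNOCK_BLOCK = re.compile(r"[(<]knock[)>](?P<body>.*?)[(<]/knock[)>]", re.S)
KNOCK_FIELD = re.compile(r"[(<](?P<name>[a-z]+)[)>](?P<value>.*?)[(<]/(?P=name)[)>]", re.S)
# Dropped executable with a short random lowercase name under Local Settings\Application Data.
DROPPED_EXE = re.compile(r"Local Settings\\Application Data\\([a-z]{6,12}\.exe)")


def parse_knock(blob: str):
    """Return the knock beacon fields as a dict, or None if no beacon is present."""
    block = KNOCK_BLOCK.search(blob)
    if not block:
        return None
    fields = {f["name"]: f["value"].strip() for f in KNOCK_FIELD.finditer(block["body"])}
    # The debug field packs the OS version and architecture first.
    if "debug" in fields:
        parts = fields["debug"].split()
        fields["os_version"] = parts[0] if parts else ""
        fields["arch"] = parts[1] if len(parts) > 1 else ""
    return fields


def extract_indicators(blob: str) -> dict:
    """Collect C&C endpoints, the knock beacon and dropped-file names from a strings dump."""
    return {
        "cnc": [{"host": m["host"], "port": int(m["port"]), "path_id": m["path_id"]}
                for m in CNC_URL.finditer(blob)],
        "knock": parse_knock(blob),
        "dropped": DROPPED_EXE.findall(blob),
    }


# Constructed strings dump reusing the values quoted in the post.
SAMPLE_STRINGS = r"""
KERNEL32.dll
http://192.210.142.87:8080/709E5B7E58D806F5837DA791871C5FD8EF71A1A7F2
(knock)(id)709E5B7E71F412D245208000C3208388(/id)
       (group)2612r(/group)
       (src)21(/src)
       (transport)0(/transport)
       (time)-194855676(/time)
       (version)1281(/version)
       (status)0(/status)
       (debug)5.1 x32  none  none(/debug)(/knock)
C:\Documents and Settings\Owner\Local Settings\Application Data\kinwmeiq.exe
"""

if __name__ == "__main__":
    print(extract_indicators(SAMPLE_STRINGS))
```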

Note that even though this malware distribution campaign has been running for at least seven days, many major anti-virus products are still unable to detect the malware as malicious. A VirusTotal report showed that only 20 of 48 anti-virus products currently detect the malware that I received when visiting the most recent website seen in spam. Neither of the two locally installed AV products on my machine detects the malware, and the URL I attempted to visit was not marked as dangerous by any of the systems I have installed. VirusTotal Report here.

Hacked websites used to Deliver Delivery malware


Update: the following destination domains were seen on December 27th and December 28th.
