White House E-Card Scam Part of Larger Zeus-Related Attack

The simplistic spam campaign that hit around Christmas and purported to be a holiday greeting from the White House not only included a piece of Zeus-related malware that searches hard drives for documents and uploads them to a remote server, but also appears to be connected to a similar attack from early 2010 that exposed a nascent botnet.


The holiday e-card scam is a typical year-end spam tactic and often will include malware of one type or another. But the latest incarnation was different in that it included a malicious executable related to the Zeus botnet, and it seems that officials in a number of government agencies in the U.S. and elsewhere fell for the scam and ended up exposing gigabytes of government documents, according to a report by Brian Krebs on the attack. One of the executables being used in the e-card attack is nearly identical to a file that was used in a similar attack in February 2010 that was detailed by security firm NetWitness at the time.

In the first stage of the latest attack, the user clicks on a link in the malicious e-card, which starts a process that downloads a variant of the ever-popular Zeus bot. That bot’s purpose in life is much like any other’s: to steal information related to online banking, payment sites, eBay and other valuable sites. That data is then sent off to a remote drop server. NetWitness identified three of the drop servers, all of which are down right now, as:

http://209.172.60.242/~newdowni/stat/gate_in.php

http://someonesome.mobi/imgs_ctn/icon_sml/gate_in.php

http://shock-world.mobi/zs/tmp/gate.php

But that’s only one piece of the action. The second stage of this attack downloads an executable file called “pack.exe” that searches the HDD of the compromised PC for a number of common file types, including Word documents, PDFs and Excel files. Those files are then sent to another server controlled by the attacker. An analysis of the executable, compared to one used in the original attack last year, found that the two files are nearly identical in size and bear a number of other similarities, as well.

“An interesting sidenote to this particular aspect of the kneber data was that the ZeuS bot that was involved with this phish had a second stage download of an executable called “stat.exe”. This malware was revealed to be a perl script converted to a stand-alone executable with the perl2exe tool.

This malware searched the local hard drive of the victim PC for xls, doc and pdf files, and uploaded them via FTP to:

packupdate.com

Which at the time, resided on a server in Belarus. This current spam run, also downloaded a second-stage executable, called “pack.exe”, which was also:

– A perl2exe executable
– Searched the victim PC for all xls, doc and pdf files
– Uploaded stolen information to a server in Belarus, which resolved to “uploadpack.org”

So in this case, we have two executables, and three domain names, that have three converging elements, (pack, belarus and perl2exe),” Alex Cox, principal research analyst at NetWitness, said in his analysis of the new attack.

At the time the original attack was revealed in February 2010, NetWitness officials did not talk about the fact that the executable that the malware downloaded was a Perl script that had been converted using a tool called Perl2exe. The fact that this current attack includes a file that also was created using that tool and is so similar in other respects to the original one is likely more than a coincidence, Cox said.

“This, because it is such a small and fairly unknown aspect of the kneber compromise, makes us think that this is indeed the same operator, who is again after documents pertaining to U.S. Government activities,” he wrote.
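The second-stage behavior described above (one process reading many xls, doc and pdf files, then uploading over FTP) can be hunted for in endpoint telemetry. The following is an added example, not code from NetWitness or the original article; the event tuple format, the thresholds, the sample addresses and the benign process names are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

DOC_EXTS = {".xls", ".doc", ".pdf"}  # file types named in the NetWitness analysis
FTP_PORT = 21                        # FTP control channel

def flag_doc_harvest_ftp(events, min_docs=20, window=300):
    """Return (pid, image, doc_count, dest) for each process that read at least
    min_docs distinct documents and then opened an FTP connection within
    `window` seconds of its most recent document read. Thresholds are assumed."""
    docs = defaultdict(set)   # pid -> distinct document paths read
    last_read = {}            # pid -> time of most recent document read
    hits, flagged = [], set()
    for ts, pid, image, kind, detail in sorted(events):
        if kind == "file_read":
            if PureWindowsPath(detail).suffix.lower() in DOC_EXTS:
                docs[pid].add(detail.lower())
                last_read[pid] = ts
        elif kind == "net_connect" and pid not in flagged:
            host, _, port = detail.rpartition(":")
            if (int(port) == FTP_PORT and len(docs[pid]) >= min_docs
                    and ts - last_read.get(pid, ts) <= window):
                hits.append((pid, image, len(docs[pid]), host))
                flagged.add(pid)
    return hits

def sample_events():
    """Constructed telemetry: (epoch_seconds, pid, image, kind, detail)."""
    ev = []
    for i in range(25):  # bulk document reads by the second-stage binary
        ext = (".doc", ".xls", ".pdf")[i % 3]
        ev.append((1000 + i, 4120, "pack.exe", "file_read",
                   rf"C:\Users\alice\Documents\file{i}{ext}"))
    ev.append((1030, 4120, "pack.exe", "net_connect", "203.0.113.10:21"))
    # Benign activity: a word processor, and an FTP client sending one file
    ev.append((1005, 2200, "winword.exe", "file_read",
               r"C:\Users\alice\Documents\memo.doc"))
    ev.append((1040, 3300, "ftpclient.exe", "file_read",
               r"C:\Users\alice\report.pdf"))
    ev.append((1041, 3300, "ftpclient.exe", "net_connect", "198.51.100.7:21"))
    return ev

if __name__ == "__main__":
    for hit in flag_doc_harvest_ftp(sample_events()):
        print("suspected document harvesting + FTP upload:", hit)
```

Correlating on the process ID rather than the file name keeps the check useful when the second stage is renamed, as it was between “stat.exe” and “pack.exe”.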
