CSIS Blog: UPS spamrun carries a ZeuS P2P payload

We are seeing a massive spam campaign sent to random e-mail addresses that claims to be from UPS (does that sound familiar?).

The spam mails come with the content shown below:


Notice that the attachment is a zip file which, when unzipped, reveals a Win32 PE executable that uses a Word-like icon to trick the user into opening it.

The Win32 executable is a ZeuS P2P variant which, upon execution, copies itself to the compromised system. It first spawns and runs a batch file that executes several commands and does a bit of cleaning up after the infection has taken place.

It spawns a shell like this:
C:\Windows\system32\cmd.exe /c C:\[%user profile%]\AppData\Local\Temp\WUX818.bat

The batch job looks like this:

@echo off
:d
del "C:\invoice-2131 copy.exe"
if exist "C:\invoice-2131 copy.exe" goto d
del /F "[%user profile%]\AppData\Local\Temp\WUX818.bat"

The batch job deletes the original dropper, "C:\invoice-2131 copy.exe", from the root of the system drive. It loops on the del until the file is actually gone (the file cannot be removed while the original process is still running) and then deletes itself with del /F. By then the main component has already been dropped with a random filename into:
[%user profile%]\AppData\Roaming\[%random folder name%]\[%random filename%].exe

The ZeuS P2P version ID returns 2.2.5.

During execution the code reads several machine-specific registry values, including:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId

The code then injects itself into several Windows processes, e.g. explorer.exe, svchost.exe and conhost.exe, and connects to other peers in the ZeuS P2P botnet over UDP. Peers observed include, but are not limited to:

46.48.148.147
190.239.109.160
210.213.137.50
186.136.173.245
194.36.163.54
99.116.158.19
99.120.1.3
186.59.228.111
220.246.38.109
183.11.30.252
71.43.167.82
99.72.61.142
184.147.56.198
190.36.95.118
67.140.85.16

[..]
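The dropper behaviour and the peer list above translate directly into detection logic. What follows is an added example written for this post, not CSIS code and not part of the sample: it flags a cmd.exe /c launch of a .bat from the local Temp directory, an executable running from a single random folder under AppData\Roaming, the self-deleting batch pattern, and UDP connections to the listed peers, all over constructed process and network events. The host names, user name, the random folder and file names and the non-peer IPs are invented; the command line and batch mirror the ones shown above.

```python
import re

# Peer IPs listed in the post. P2P peer lists churn quickly, so these are
# short-lived indicators, not a permanent blocklist.
ZEUS_P2P_PEERS = {
    "46.48.148.147", "190.239.109.160", "210.213.137.50", "186.136.173.245",
    "194.36.163.54", "99.116.158.19", "99.120.1.3", "186.59.228.111",
    "220.246.38.109", "183.11.30.252", "71.43.167.82", "99.72.61.142",
    "184.147.56.198", "190.36.95.118", "67.140.85.16",
}

# cmd.exe /c launching a .bat out of the user's local Temp directory
TEMP_BAT_RE = re.compile(
    r'cmd\.exe\s+/c\s+"?.*?\\appdata\\local\\temp\\[^\\\s"]+\.bat', re.IGNORECASE)

# an executable running from %APPDATA%\<one folder>\<file>.exe
APPDATA_EXE_RE = re.compile(
    r'\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)


def is_self_deleting_batch(text):
    """True if the batch body has the shape seen in the post: a label, a del of
    an .exe, an 'if exist ... goto <label>' retry, and a final del /F of a .bat."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    has_label = any(re.fullmatch(r":\w+", ln) for ln in lines)
    has_del_exe = any(re.match(r'del\s+"?.*\.exe"?$', ln, re.I) for ln in lines)
    has_retry = any(re.match(r"if\s+exist\s+.*\bgoto\s+\w+", ln, re.I) for ln in lines)
    has_self_del = any(re.match(r'del\s+/f\s+"?.*\.bat"?$', ln, re.I) for ln in lines)
    return has_label and has_del_exe and has_retry and has_self_del


def scan_events(events, peers=ZEUS_P2P_PEERS):
    """Return (host, rule, detail) tuples for events matching the indicators."""
    hits = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            cmdline = ev.get("cmdline", "")
            image = ev.get("image", "")
            if TEMP_BAT_RE.search(cmdline):
                hits.append((host, "cmd_temp_bat", cmdline))
            if APPDATA_EXE_RE.search(image):
                hits.append((host, "appdata_exe", image))
        elif ev["type"] == "network":
            if ev.get("proto", "").lower() == "udp" and ev.get("dst") in peers:
                hits.append((host, "p2p_peer_udp", ev["dst"]))
    return hits


# Constructed sample telemetry: host names, the user "alice", the random
# folder/file names and the non-peer IPs (TEST-NET ranges) are made up.
EVENTS = [
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\alice\AppData\Local\Temp\WUX818.bat"},
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\alice\AppData\Roaming\Ygcoq\ufnat.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\Ygcoq\ufnat.exe"'},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "network", "host": "WS01", "proto": "udp", "dst": "190.239.109.160"},
    {"type": "network", "host": "WS01", "proto": "tcp", "dst": "198.51.100.7"},
    {"type": "network", "host": "WS02", "proto": "udp", "dst": "203.0.113.5"},
]

# The batch from the post, with the Temp path filled in for the constructed user.
BATCH = r'''@echo off
:d
del "C:\invoice-2131 copy.exe"
if exist "C:\invoice-2131 copy.exe" goto d
del /F "C:\Users\alice\AppData\Local\Temp\WUX818.bat"
'''

if __name__ == "__main__":
    for host, rule, detail in scan_events(EVENTS):
        print(f"{host}: {rule}: {detail}")
    print("self-deleting batch:", is_self_deleting_batch(BATCH))
```

The peer rule is the weakest of the four: the peers a bot talks to change constantly, so a hit is worth a look but a miss proves nothing. The process rules are more durable, although the AppData\Roaming rule will also fire on legitimate per-user software, so use it for triage and correlation with the other rules rather than for blocking on its own.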

Botnet communication, as visible in the strings of the sample:

GET
HTTP/1.1
Connection: Close
Authorization
Basic
GET
POST
div
script
nbsp;
connection
proxy-connection
content-length
transfer-encoding
upgrade
chunked
keep-alive
close

The decrypted config contains more than 100 specific targets, primarily online banking solutions.

As a side note, earlier this week we saw the same payload with a different lure:

Bank of America spam / stid 36618-22.zip
http://blog.dynamoo.com/2013/07/bank-of-america-spam-stid-36618-22zip.html

A scan on VirusTotal gives the malware a signature detection rate of 24 / 47:
https://www.virustotal.com/da/file/a2fa9736bf5d58a1b905f17d6c2629e5d333e38c4c9379ad5551c553a7df4108/analysis/

For more detailed info on this threat I'd recommend the fine work from our friends at CERT Polska entitled
"ZeuS-P2P internals – understanding the mechanics: a technical report":
http://www.cert.pl/news/7386/langswitch_lang/en