
Wednesday, 29 April 2009

Federal Reserve Spam/Malware Attack is After Your Data


The Shadowserver Foundation would like to share some information regarding a recent round of attacks that arrive via e-mail, using spam lures designed to appear as if they come from the Federal Reserve. These attacks are not attempting to phish you into handing over banking or other personal information. They do want that information, but they are not going to ask you for it. Instead, they are looking to install an info-stealing/banking trojan on your system via drive-by exploits. The first part of the setup is an e-mail in your inbox that looks something like this:

As you can see, it is designed to look like a message from the Federal Reserve, with wording designed to get you to click the link in the e-mail. This may look familiar, as this scam has been around for some time now. In fact, part of this write-up was prepared in November of last year, but we never ended up publishing it. The group has since sent out a few different waves and may have infected multiple tens of thousands of systems over the last 6+ months.

Malicious Websites

It was no surprise that the sites linked to in the e-mail had nothing to do with the Federal Reserve, U.S. Treasury, or FDIC. What was interesting is what the website attempted to do to visiting users. The websites behind the links were not trying to trick users into entering their financial, banking, or personal information. In fact, they did not want the user to input a thing. The first page of the website never fully loads. In the background, the website attempts to send the user various exploits. We have observed the site sending both Adobe PDF and Flash exploits in attempts to infect visiting systems. Shortly after the exploits are sent, users are presented with a new page that appears to be the entrance to a porn site, perhaps in an attempt to make users think they were tricked into clicking a link in a pornographic spam lure, rather than leaving them suspicious about the initial website.

Several Domains

As we mentioned, and as you can see in the e-mail image above, the attacks attempt to get you to click a link and visit malicious websites. It turns out the attackers registered several domain names that appear to be related to the Federal Reserve or to banks for use in these attacks. A listing of these malicious domains, most likely not comprehensive, is as follows:

	1-bank.us
	1-secure.us
	1-security.us
	banks-net.us
	central-security.us
	direct-ebank.us
	ebanks-net.us
	e-banks.us
	ecureserver-39.us
	e-directconnect.us
	safe-connect.us
	securenet-1.us
	secure-server1.us
	secureserver-1.us
	secureserver-23.us
	secureserver-27.us
	secureserver-28.us
	secureserver-32.us
	secureserver-33.us
	secureserver-34.us
	secureserver-37.us
	secureserver-39.us
	secureserver-44.us
	secureserver-4.us
	secureserver-55.us
	secureserver-6.us
	server-17.us
	server-18.us
	server-19.us
	server-22.us
	server-23.us 

This should not be considered a comprehensive list, but it should be the bulk of the domains. The .us registry has been notified, and we hope that by the time you read this, or shortly after, they are all suspended and no longer functioning. You may notice that they all resolved to the Chinese IP address 221.5.74.42. This is also the IP address used for their name servers.

A Trojan Installed

If the websites send exploits, then they must have a purpose. It turns out the bad guys want to install a trojan on your system, and if the exploits are successful, that is exactly what happens. The trojan will then reboot your system. Once the system comes back online, it will attempt to download a new update that begins to steal data from the system. This is not something you want on your system. At our last check, a successful download results in beaconing activity to the Latvian IP address 195.216.175.118 on TCP port 80. That system appears to be down and has been all day for us. Fortunately, that means any infected systems will not get the updated trojan as long as it stays offline. Connection attempts to that address are also a good way to look for malicious activity on your network.

LuckySploit & Malware

The bad guys behind the Federal Reserve malware use the LuckySploit exploit pack. LuckySploit has a variety of exploits it fires at systems and is the kit that uses tricky encryption to hide what it is actually doing. Successful exploitation tends to drop a file named wQJs.exe into the user's Temp folder. It may also drop a file named svchost.exe (the same name as a legitimate Windows file) onto the system. This "svchost.exe" and "wQJs.exe" are the same file. Both create shell32.dll and 123.info in the user's Temp directory as well. Note that 123.info is just a text file that contains the path to the malware.

Malware Details:

File Name: wJQs.exe | svchost.exe
File Size: 9216 bytes
MD5 hash: 175ef7faf41ecbe757bcd3021311f315

File Name: shell32.dll
File Size: 6144 bytes
MD5 hash: 3182da0a9c6946e226ee6589447af170

VirusTotal Results for these files can be viewed below:

.exe: http://www.virustotal.com/analisis/a4f6ce98cb24ca1640d7f86ceb6181f1
.dll: http://www.virustotal.com/analisis/d6ba4efea309d3993c6215bf41a64f7c

Mitigation

Your best bet is to not visit any suspicious or odd sites linked from e-mail, and to make sure your systems are fully patched. That being said, your next options are to block all of the above listed domains and IP addresses on your firewalls, content filters, proxies, etc. These are not places you want to be going. Pay special attention to access attempts from your network to the 195.216.175.118 IP address. If you see continued traffic from your network to it, you may have a compromised system. Go clean it up!
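To make the indicators above directly usable for the log review and file checks recommended here, the following script is an added example; it is not Shadowserver's code and is not part of the original post. It loads the listed domains, the hosting/name-server IP 221.5.74.42, the beacon IP 195.216.175.118 and the two published MD5 hashes, then flags proxy/firewall log lines that reach any of them (subdomains of a listed domain included) and checks file contents against the hashes. The log format and the log lines are constructed for illustration; real proxies log differently and the regular expression would need adjusting.

```python
"""Match the Federal Reserve spam campaign indicators against log lines and files.

Added example, not part of the original Shadowserver post. Indicators are copied
from the post; the log format and sample lines below are constructed.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Domains listed in the post (copied as published).
MALICIOUS_DOMAINS = {
    "1-bank.us", "1-secure.us", "1-security.us", "banks-net.us",
    "central-security.us", "direct-ebank.us", "ebanks-net.us", "e-banks.us",
    "ecureserver-39.us", "e-directconnect.us", "safe-connect.us",
    "securenet-1.us", "secure-server1.us", "secureserver-1.us",
    "secureserver-23.us", "secureserver-27.us", "secureserver-28.us",
    "secureserver-32.us", "secureserver-33.us", "secureserver-34.us",
    "secureserver-37.us", "secureserver-39.us", "secureserver-44.us",
    "secureserver-4.us", "secureserver-55.us", "secureserver-6.us",
    "server-17.us", "server-18.us", "server-19.us", "server-22.us",
    "server-23.us",
}
# Hosting/name-server IP and the trojan's update/beacon IP from the post.
MALICIOUS_IPS = {"221.5.74.42", "195.216.175.118"}
# MD5 hashes of the dropped files, as published.
MALICIOUS_MD5 = {
    "175ef7faf41ecbe757bcd3021311f315": "wJQs.exe | svchost.exe",
    "3182da0a9c6946e226ee6589447af170": "shell32.dll",
}


def host_matches(host):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in MALICIOUS_IPS:
        return True
    labels = host.split(".")
    # Check every suffix except the bare TLD, so www.1-bank.us matches 1-bank.us.
    return any(".".join(labels[i:]) in MALICIOUS_DOMAINS
               for i in range(len(labels) - 1))


# Constructed (hypothetical) log format: "<timestamp> <src_ip> <dst_ip>:<port> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def scan_log(lines):
    """Return (line_no, src_ip, reason) for every line that touches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        _ts, src, dst, port, url = m.groups()
        host = urlsplit(url).hostname or ""
        if dst in MALICIOUS_IPS:
            hits.append((n, src, f"connection to listed IP {dst}:{port}"))
        elif host_matches(host):
            hits.append((n, src, f"request to listed domain {host}"))
    return hits


def md5_hex(data):
    """Hex MD5 of a byte string (MD5 is used only because the post publishes MD5s)."""
    return hashlib.md5(data).hexdigest()


def check_files(files, known=MALICIOUS_MD5):
    """files maps name -> bytes; returns {name: label} for contents whose MD5 is listed."""
    return {name: known[md5_hex(data)]
            for name, data in files.items() if md5_hex(data) in known}


# Constructed sample log: line 2 is benign, the others touch indicators.
SAMPLE_LOG = [
    "2009-04-28T21:14:00 10.0.0.5 221.5.74.42:80 http://secure-server1.us/",
    "2009-04-28T21:15:00 10.0.0.7 198.51.100.9:443 https://www.example.com/",
    "2009-04-28T21:16:00 10.0.0.5 195.216.175.118:80 http://195.216.175.118/update",
    "2009-04-28T21:17:00 10.0.0.9 198.51.100.10:80 http://www.server-23.us/in.php",
]

if __name__ == "__main__":
    for line_no, src, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {src} -> {reason}")
    # Constructed file contents: will not match the published hashes.
    print(check_files({"wQJs.exe": b"constructed placeholder, not the real sample"}))
```

Lines 1 and 3 of the constructed log are flagged on the destination IP alone, which is the check the post recommends for 195.216.175.118 even if DNS names never appear in the log; line 4 is flagged on the hostname, so it still fires after the domains are suspended and no longer resolve to 221.5.74.42. The file check is deliberately keyed on content hashes rather than file names, because the trojan reuses the legitimate names svchost.exe and shell32.dll.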

If you have any questions on any of this or need help figuring anything out, feel free to drop us a line.

Posted April 28, 2009, at 09:14 PM by Steven Adair