McAfee Labs

"A very warm invitation to you," Courtesy of a Mass-Spam Run

0
By on Sep 17, 2010

McAfee Labs has been monitoring a spam run that was launched earlier today. The message follows:

Subject: A very warm invitation to you

Body:

Hello,

Hope your week has been wonderfull well.  I would like to extend a very warm invitation to you to the Verbum Dei Missionary Festival this Sunday, September 19.

With a lot of support and collaboration from groups of people we work with in the Bay Area, an international spread of food
will be served at the festival.  Besides the spread, cultural and folkloric performances, music, games for children, and activities will be part of the day’s programme.
This once a year event brings all of our friends and family from around the Bay Area, an expression of the internationality of our community, mission and work here.  At the same time, the festival is also a fund-raising initiative open to all, which is important for us in the ongoing Verbum Dei mission here in the Bay Area.

I really look forward to your coming to be able to catch up more.  More details are in the attached invitation, I hope the directions woul be helpful in navigating the way to the St. Thomas More parish.

With joy and peace to you,
Collin Vaughan

Attachment: #####vacation.html
(most typically, but can also be many other names, such as #####.xls.html, #####wachovia summons.html, #####randolph-revisedplans.html, and others)

The attachments are all the same and contain an encoded JavaScript, which redirects to a web page on the numerouno-india.com domain.

The destination page does a redirect (to a page on the scaner-g.cz.cc domain) and also contains an iframe (with a target of a page on the arestyute.com domain).

The redirect domain displays the standard fake anti-virus scanning animated image and subsequent prompt to download an executable:


fake scanning image


download prompt


icon used by executable

The iframe leads to a cocktail of exploits, including a Java Development Toolkit exploit (CVE-2010-0886), as well as exploits targeting Adobe Flash and PDF vulnerabilities, including CVE-2007-5659, CVE-2008-2992, CVE-2010-0188.

The payload of these exploits is a password-stealing Trojan, which copies itself using a randomly named folder and file in the %AppData% directory and creates a registry run key to load the file at start-up, for example:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    “{608F1285-57B7-C631-DE51-8A99508CC7A9}” = “C:\Documents and Settings\Administrator\Application Data\Ezudi\oqek.exe”

This password stealer injects into the iexplorer.exe process and targets dozens of mainstream financial institutions.  It also contacts the domains ohmaebahsh.ru and eexiziedai.ru.

  • This fake AV executable was detected by Global Threat Intelligence File Reputation at the time of this blogging when running at Very Low sensitivity or higher.
  • The first-stage domain (numerouno-india.com) is rated RED by TrustedSource and SiteAdvisor
  • The second-stage domains (arestyute.com, and scaner-g.cz.cc) are rated RED by TrustedSource and SiteAdvisor
  • The third-stage domains (ohmaebahsh.ru and eexiziedai.ru) have been rated RED by TrustedSouce and SiteAdvisor for weeks
  • DAT file coverage is being added under the following names:
    • PWS-Zbot
    • FakeAlert-PE
    • JS/Downloader.gen
    • JS/FakeAlert-AB.dldr

Customers may download updated signatures using the extra.dat request page: https://www.webimmune.net/extra/getextra.aspx. These are also available in the beta DATs.


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>