Some reports says that the Zbot source code was given to the SpyEye crew. Others say that Zeus was sold, and some even say that nothing really happened–this was only a deceptive tactic from the Zeus author to try to stay under the radar due recent takedowns on its “customers.”

Whatever the case, there’s one thing I can say for sure: Both crews are quite active.
As tax time in the United States arrives, it offers a huge opportunity for malware to take advantage of social-engineering tactics.

Today I examined two samples related to U.S. Internal Revenue Service social-engineering tactics. I tempted to think that Zeus and SpyEye are sharing the same marketing team due the timing.

Here are some examples of the messages in the mail:

Urgent Report!

Your Federal Tax Payment ID: 0010323734 has been rejected.
Return Reason Code R21 – The identification number used in the Company Identification Field is not valid. Please, check the attached information and refer to Code R21 to get details about your company payment in transaction contacts section:

EFTPS: The Electronic Federal Tax Payment System

PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.

IRS Notification.

And:

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $468.32.

Please submit the tax refund request and allow us 6-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Regards,
Internal Revenue Service

One of them even uses a fake Avira AV Digital Signature, supposedly issued by Verisign:

Another SpyEye spam is making the rounds while targeting Nike customers. This one repeats a common Bredolab and Zeus tactic of using an invoice attachment for some random purchase from the online store.

An excerpt of the email:

Dear Customer,

Good news! We have received your payment and your order will be processed EO202608527. Invoice (Details attached)

If you ordered a product and a product NikeStore.com custom NIKEiD, you will receive several bills:

- The first invoice that you receive includes all products NikeStore.com
- You Will Receive your NIKEiD invoice (s) shortly personalized NIKEiD Before the Product is Delivered To The Address That You Provided When Placing your order.
- You should receive an invoice for each product that you ordered NIKEiD.

You may call this a typical seasonal malware tactic, or just coincidence. But I think that old dogs never learn new tricks.

In recent years, malware developers have created “checks” against environments and common malware-analysis tools. If the malware detects a security application, the former will not execute or will execute a deceptive function.

I recently came across some common checks for:

• AdAware
• Debugger
• Kaspersky
• Sandbox Anubis
• Sandboxie
• Virtual Box
• Virtual PC
• VMware
• WireShark

Last week, I analyzed a sample that had two of these checks. During my behavioral analysis on a VMware machine, the malware would run fine but then didn’t perform any other activity. After some reverse-engineering of the sample, I came across the following strings:

SELECT * FROM Win32_VideoController
winmgmts:
ExecQuery
Description
VM Additions S3 Trio32/64
VirtualBox Graphics Adapter
VMware SVGA II

This simple check tells the malware whether the machine is running in a virtual environment.

When querying the system for the video controller, it checked the results against these virtual machines:

• VirtualBox (if the result was VirtualBox Graphics Adapter)
• VirtualPC (if the result was VM Additions S3 Trio32/64)
• VMware (if the result was VMware SVGA II video card)

The final check was for the presence of the product Sandboxie. The malware verified the result of the function:

GetModuleHandle(“SbieDll.dll”)

If it received a “true” as the result, it would perform differently than after a “false” result.

These checks may not be new tactics, but you should know that we are constantly investigating the possibility of malware authors using new techniques to try to thwart our analysis.

Most of the messages associated with the new spam campaign are linked to the Asprox botnet. This time, the focus is on FedEx. Most of the attachments start with either FedExDoc[randomnumbers].exe or FedExInvoice[randomnumbers].exe. Those attachments are recognized as the Bredolab Trojan, which will download the Zeus component.

This Zeus variant has a control host on hxxp://x5vsm5.ru, but also downloads from hxxp://trachsel.biz.

The targets of these samples are a large number of banks outside the United States. We still see common U.S. targets…

• Citibank
• Comerica
• USBank
• WellsFargo

and also some banks from Europe, the Middle East, Asia, and South America…

• Neue Bank (Liechtenstein)
• Arab Bank
• MyBank (Taiwan)
• BHI Bank (United Kingdom)
• NPBS (United Kingdom)
• Banco de Sabadell (Spain)

as well as several other banks.

Watch out for Zeus’ going global.

Some common phrases used in the email subject headers:

• Subject: Sales Dept
• Subject: Another candidate brought to you
• Subject: Summary of payments

These emails carried PWS-Zbot Trojan variants that are a part of the 2.x version of the Zeus botnet, and currently try to access the following URLs:

• hxxpS://193.104.{blocked}/box1/master.tmp
• hxxpS://193.104.{blocked}/box1/1.gif
• hxxpS://193.104.{blocked}/box1/update.php
• hxxpS://cisco-update-{blocked}.com/box1/1.gif (currently offline)

This variant also exhibits rootkit behavior, hooking Windows APIs to prevent users from seeing some of the files.

Examples of such hooks are:

This variant also uses HTTPS as the communication protocol with the remote servers to download encrypted data. In some instances, it was also found to patch termsrv.dll to bypass authentication while connecting to the machine via Remote Desktop.

The SSL Certificate used by the server is self-signed with default parameters and a date of July 13, exactly one month from today.

Further details of the Zbot or Zeus Trojan family are available at the Virus Information Library.

Update: We have noticed that some reports refer to the current wave of PWS-Zbot as “Zeus v3.” To clarify: The current Zbot variants are generated by the “v2 toolkit” and its variants. The Zbot Trojan has evolved from the “v1 toolkit”–which generated the 1.x.x to 1.3.x variants–to the “v2 toolkit,” which underlies the current versions.

McAfee offers several of its products for a trial period. However, we want you to know that we have just found a brand new variant of the Bredolab Trojan that is spreading by email with the following characteristics:

Subject: “McAfee VirusScan Plus”
Message body: “Download a FREE 30-day Trial of MCAfee VirusScan Plus and Be Automaticaly Entered to Win.
Installation file attached”

If you are suspicious of misspellings in emails, you might have noticed that both “MCAfee” and “Automaticaly” are not correct. Another point is the attachment–we don’t send setup files for our products as email attachments! As you may have guessed by this point, the attachment is the Bredolab Trojan.

If you do want our trial version, you can find it here: http://www.mcafee.com/us/downloads/index.html

Some examples:
[##]Q8lD[/##]
[##]XMg=[/##]
[##]FJQCokA=[/##]
[##]QMlD[/##]

The suspicious file was limited in capabilities, but it had several common commands:
CMDRUN1
CMDRUN2
QUITBDR
DOWNFL1
DOWNFL2

These let it run commands on the machine, download files, and end the backdoor execution.

Again, just a regular HTTP bot, I thought, and I added the proper detection for it. Then I started to look on the other files in the package. There was a Word document with an attachment, a Microsoft Write document with an attachment, and a lot of scanning tools, such as portscan, domain user enumeration, etc.

Soon I recognized some of these tools, which I had used in the past for penetration testing (checking applications for security flaws), and finally I saw the complete picture: Those files were part of a pen-test operation.

Here’s how I assume it works:

• A victim receives a Word document with its own attachment, named Curriculum
• The attached file shows the Word document icon
• When opened, the attachment is actually an executable, the bot, that connects to a remote IP address in United States
• The command server gains control of the victim’s machine and does whatever it wants, such as downloading additional tools, and scanning the local network

This sample is constructed like a typical attack. Now I’ll tell you what’s really surprising about this package: It was sent by a security consulting company! I did some research, following IP addresses and other references, and found a legitimate vendor was the source. They even confirmed their involvement.

I can certainly understand the need to use remote control on a pen-test operation. However, even though I am not a legal specialist, I suspect that maintaining a botnet control server is not a good thing, even if you are working for a security vendor.

Besides offering a very poorly modified picture of the coach, this scam also contained a link to pictures of the fight. (“Clique aqui e veja as fotos.”)

The link, in fact, leads to another website:

hxxp://ml210-202-198-66.vdslpro.static.apol.com.tw/[REMOVED]/index.asp?

This link redirects to another website, which belongs to the Malaysian government (according the domain .GOV.MY ) and which appears to be hacked:

hxxp://kew.mida.gov.my/[REMOVED]agressao_dunga.exe

This file, which claims to contain photos related to the fight, is really a Trojan that we call PWS-Banker.gen.ad, which specializes in capturing banking credentials.

With the World Cup only nine days away, I bet we will see many more of these scams.

Oh, and I’ll also bet that Brazil will win again.

So, I decided to get enter into one of these work-from-home scams so I could post it here and hopefully help others at the same time. The scam itself will be separated into Days for better clarification.

Day 1: The Job Proposal

I got in my personal mailbox a spam that is quite common, at least since mid-2009.

Some excerpts:

You could work on Part-Time basis for SINOCHEM Corporation as a FINANCE CO-ORDINATOR in the United States/Canada or its environs which requires a great deal of trust and honesty. Meanwhile, this job is 100% tax free and there is no start up cost required. I am Mr. CHEN Guogang (Chief Financial Officer, Sinochem Corporations).
JOB DESCRIPTION:
1. Receive payment from Clients.
2. Cash Payments at your Bank.
3. Deduct 10% which will be your percentage/pay on Payment processed.
4. Forward balance after deduction of percentage and pay to any of the offices you will be instructed to do so later
(Payment is to be forwarded by WESTERN UNION Money Transfer).

10% from each transaction! For instance: you receive 5000 USD via checks on our Behalf. You will cash the Check and keep $500 (10% of $5000) for yourself! Anyway, your commission is a constant percentage which will be subjected to an increase of 15% and above based on your efficiency in services being rendered to the company.
If interested in this job, do fill the application form below send via e-mail to: SINOCEMJOB@AOL.COM

Now, putting this message through m Mental Debugging mode:

1. The company: SINOCHEM? Is it a fake or real company?

Unlike other scams that often create a whole fake infrastructure, including a functional fake company website, this one uses a real company as the lure. Sinochem is actually one of the largest companies in China.

2. So, Who is Mr. Chen Guogang? Did he REALLY send me this Job offer?

Mr. Chen Guogang is also a real person and is in fact the CFO of Sinochem. Now the next logical question – did he really send the Job offer?

A couple of things to think about here. First, why would the CFO of a real company contact anyone directly by email to offer a job? Second, why would the CFO would use an AOL email? Yes, it is an scam!

The original email asked a couple of questions, such as Name, Full Home Address, Age, Phone and email”¦which I replied to be very thankful for the opportunity since I was unemployed”¦:)

Day 2: The Job Confirmation!

One day after I sent it, I received an email back, with subject and Job Confirmation from the same AOL email: Chen Guogang sinocemjob@aol.com, which actually seemed to be using Gmail as the mail relay at the time.

An excerpt:

“let me personally congratulate you on your new job appointment to this noble companies,You can have my Job as a Part time one, it requires no time and can be easily done by just anyone.
I will notify you immediately funds are coming your way as I will implore you to check your email for regular updates.
It is important to confirm the receipt of every message received from us and a quick response to every update from henceforth is of high importance.”

Ok, so now I have a Job! Well, a part job that can be done by anyone”¦how good for my morale! But that is ok, at least I have a job! So I replied again.

Day 3: It’s Pay Day!

The 3rd email exchanged was about the Payment.

The subject is: PAYMENT SENT OUT

Some excerpts:

“Your honesty and prudent maters in handling of cash, financial transaction for this company, You are to take all records of received funds and their disbursement in a log book.

The first payment should be delivered to you this week, Do keep an eye on your email in the am for the instructions to be carried out upon the receipt of the payments.”

So, after I replied to all emails and proved that I am a good and honest employee, they will now start to send me the checks!

At this point I should start to receive, at least one time, but could be 2 or 3 times, fake or even fraudulent checks, which I would then get 10% to keep and forward the 90% to somewhere via Western Union. The trick here is that they required me to receive the check, deposit into my account, keep 10% and then send 90% out”¦BUT IN THE SAME DAY!! This means that I would not be able to wait until the check cleared and that is how the scam works, because by the time the check bounces back, my money would be already out”¦

Day 4: It is Pay Back time”¦

Feeling that I had enough info, I decided to reply to Mr Chen:

“ Hello Mr. Chen,

Once more, thank you for the opportunity. I was thinking here and that since I am quite low on cash, I decided to keep the first check as an advanced payment for my next services.
Hope that it works!”

Unfortunately I didn’t receive any email back after this one”¦I guess I was fired”¦:)

That sounds like an irresistable idea! Though it also sounds too good to be true. As you can imagine, there is something wrong here. Instead of flying for a buck, you may end up with several fewer hundred dollars in your bank account.

This example is the most recent seasonal spam targeting Brazilians. In the image below you can see the pitch.

When you click on the image, which is hosted at hxxp://dhroot.hpg.com.br/images/danosse.jpg, you’ll follow a link that will attempt to download a Trojan from hxxp://www.medcitybuilders.com/plugins/system/[REMOVED]/. This Trojan is a downloader that will copy a password-stealing malware that targets the customers of Brazilian banks. The malware is currently hosted at hxxp://www.radfahrschule.at/html/modules/PagEd/browsepics/[REMOVED].

In Brazil we say “there is no such thing as free dinner.” In the States there’s no free lunch. In this case we can also see that there are no free air tickets.

Once again our topic is Brazilian malware authors. Yes, the dumb ones I keep running up against.

One of the recent versions of the PWS-Banker Trojan being distributed via spam has an interesting feature. First, let’s recall how those malwares usually spread:

This version of PWS-Banker, besides grabbing passwords and screenshots, will also download Microsoft MSN Messenger. Or an app that at least looks like Messenger.

When you enter your username and password and click enter, the app will exit. But, in the background it will message all your contacts on your behalf, sending nice notes with links.

Now, let’s play The Seven Errors Game. Below are two MSN Messenger login screens. (One is in Portuguese and the other is in English, but that is not one of the errors.)

and

Unfortunately I am not really being fair with you, because only one of the seven errors can be seen visually. The other six are found only by behavioral analysis.

Here are the answers, starting from the top and working downward.

1) The windows are different, and you can see the minimize/maximize/close buttons are different
2) The help icon is the same, but when you click on it, no option is clickable
3) The dropbox on the login name doesn’t work
4) The status drop box doesn’t work
5,6,7) The check boxes don’t work

Next time something unexpected pops up on your screen, don’t enter your data right away. Check and recheck before you believe it’s real.