Peering Into the Storm Worm

October 1, 2010

[October 5 update at end of file]

The Storm worm marked its presence in early 2007 and became an infamous robot network primarily known for its spamming and phishing activities. Also known as Nuwar/Zhelatin/FakeAV/Peacomm, this bot reappeared early this year, distributed by fake AV software and Trojan downloaders. Storm is a major botnet when compared with many other spamming bots, due to the massive volumes of spam it sends from the victim’s machine. It also uses a fast-flux mechanism to hide its distribution areas. During our static analysis of the Storm executable, we observed it to be heavily obfuscated with an unknown packer and an infinite loop to halt its activity whenever it detects a debugging or virtual machine environment.

Storm’s spam campaign activity includes a variety of spam, most of it related to online pharmacy scams and adult products. To spread, the botnet’s spam also carries malicious links to URLs that exploit several client-side vulnerabilities.

Our analysis of Storm confirmed and uncovered some of its unique characteristics, which help network intrusion prevention systems to implement reliable detection mechanisms for Storm’s control activity.

Static Analysis of the Storm Worm
We looked inside the variant we received in April 2010. Its initial part consists of various decryption routines. The binary starts by moving 0x5090 bytes to the heap and then executes decryption routines that unpack the binary in stages.

[Images: sw1, sw2]

After a complete execution of the loop, the binary is moved to the heap section and then decrypted:

[Image: sw3]

This executable then copies itself as asam.exe into c:\windows, modifies a registry key so that it runs at Windows start-up, creates the asam.exe process, and terminates itself.

[Image: sw4]
Analysis of the HTTP Communications Code Within the Dropped File asam.exe

We reverse-engineered this Storm file and came across some of the unique characteristics of its control channel, which is based on base64-encoded, gzipped HTTP data. The code snippets below reveal our analysis of its HTTP communications.

URI Extensions in the POST Request
Hard-coded URI extensions and the URI length that is used in the POST request initiated by Storm:
[Image: sw5]
Random Generation Functions to Form the URI Request Path

The next code snapshot shows the random character-generation function, which generates 3 random alphabetical characters and appends a “.” to form the request URI path. The random generation function is then called again to pick one of the extensions .jpg, .htm, and .gif, and the URI is completed by appending that extension to the previously generated path:
[Image: sw6]
HTTP POST Request Header

These are the low-level details of how the POST request will look when the worm is executed on the machine:
[Image: sw8]
As we figured out from the code above, this variant communicates with the bot master via an HTTP POST request. In examining the POST request code, another clue is the possible typo in the user-agent header, in which it is set to “Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1).” (Note “Windoss” instead of Windows. This is a very good hint that Storm is in action; intrusion prevention systems can use this hint to detect Storm on the wire.) The botnet server then responds with the spam template used by the bot to send the spam.

[Images: sw9, sw10]

All the preceding data from the server is base64 encoded. After decoding the response from the server, we found the following spam template:

[Image: sw11]

Once the bot client decodes this data, it uses the following looped SMTP engine code to send spam mails based on the spam template.

[Images: sw12, sw13]

Let’s take a look at one of the spam mails generated by this bot:

[Image: sw14]

More Uncovered Commands

Early variants of this bot had different components and separate binaries for carrying out specific commands; yet the one we analyzed seems to have all the control code embedded inside the single component. As seen in the code below, we found the downloader component, which downloads additional malware onto the system, and the updater component, which downloads the latest copy of the bot executable. Once any of these commands are detected in the server response, the bot allocates the heap to store the received data.

[Image: sw15]

Scanning the Drive for Files
Storm also includes a routine to scan the drives for files with the following extensions:

    .wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .win, .cgi, .mht, .dhtm, .jsp, .dat, .lst

It also searches for particular strings within these files, probably to extract the information about the host and email addresses contained in them:

    @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, sopho, @foo, @iana, free -av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, pgp, @avp., noreply, local, root@, postmaster@

Detecting Storm Worm on the Wire
The majority of mail traffic over the Internet is spam. We need to detect these spam bots and try to keep them from proliferating. Our analysis provides good hints for detecting Storm traffic on the network. One high-confidence approach would be to correlate multiple suspicious events happening on the network within a short time. One example is a user-agent check for the typo we saw; we can correlate this with the multiple outbound DNS MX queries from the same source within a short time. An even more reliable detection would be to correlate those two events with a spontaneous increase in the outbound SMTP connections from the source. By following up on these hints we can increase our ability to detect Storm at the network gateway.
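The correlation described in this section, written out as an added example (this is not McAfee code, and the log formats, the 300-second window and the MX/SMTP thresholds are assumptions chosen for the illustration). It ties together the three indicators named above: a POST carrying the mistyped “Windoss” user-agent whose path has the three-letters-plus-extension shape, a burst of outbound MX lookups from the same source, and a surge of outbound port-25 connections in the same window:

```python
import re
from collections import defaultdict

# The mistyped user-agent string quoted above ("Windoss" instead of "Windows").
STORM_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1)"
# Request path shape described above: three random letters, a dot, and one of
# the three hard-coded extensions.
STORM_PATH = re.compile(r"^/[A-Za-z]{3}\.(jpg|htm|gif)$")

WINDOW = 300         # seconds around the POST; assumed correlation window
MX_THRESHOLD = 5     # assumed: this many MX lookups in the window is a burst
SMTP_THRESHOLD = 10  # assumed: this many outbound port-25 connections is a surge


def is_storm_post(method, path, user_agent):
    """True when an HTTP request matches both Storm indicators (UA typo + path shape)."""
    return method == "POST" and user_agent == STORM_UA and bool(STORM_PATH.match(path))


def parse_http(lines):
    """Assumed proxy log: '<epoch> <src_ip> <method> <host> <path> <user_agent>'."""
    for line in lines:
        ts, src, method, _host, path, ua = line.split(" ", 5)
        if is_storm_post(method, path, ua):
            yield int(ts), src


def parse_dns(lines):
    """Assumed DNS log: '<epoch> <src_ip> <qtype> <qname>'; keeps MX queries."""
    for line in lines:
        ts, src, qtype, _qname = line.split()
        if qtype == "MX":
            yield int(ts), src


def parse_conn(lines):
    """Assumed connection log: '<epoch> <src_ip> <dst_ip> <dst_port>'; keeps port 25."""
    for line in lines:
        ts, src, _dst, port = line.split()
        if port == "25":
            yield int(ts), src


def storm_verdicts(http_lines, dns_lines, conn_lines, window=WINDOW):
    """Return {src_ip: confidence}: 1 = UA/path match only,
    2 = plus an MX burst, 3 = plus an outbound SMTP surge."""
    mx, smtp = defaultdict(list), defaultdict(list)
    for ts, src in parse_dns(dns_lines):
        mx[src].append(ts)
    for ts, src in parse_conn(conn_lines):
        smtp[src].append(ts)

    verdicts = {}
    for ts, src in parse_http(http_lines):
        n_mx = sum(1 for t in mx[src] if abs(t - ts) <= window)
        n_smtp = sum(1 for t in smtp[src] if abs(t - ts) <= window)
        confidence = 1
        if n_mx >= MX_THRESHOLD:
            confidence = 3 if n_smtp >= SMTP_THRESHOLD else 2
        verdicts[src] = max(confidence, verdicts.get(src, 0))
    return verdicts


# Constructed sample logs (not captured traffic).  10.0.0.5 shows all three
# indicators, 10.0.0.7 only the user-agent typo, 10.0.0.9 is a normal client.
HTTP_LOG = [
    "1000 10.0.0.5 POST 198.51.100.10 /abc.jpg " + STORM_UA,
    "1005 10.0.0.7 POST 198.51.100.11 /qwe.htm " + STORM_UA,
    "1010 10.0.0.9 POST www.example.com /login Mozilla/5.0 (Windows NT 5.1)",
]
DNS_LOG = ["%d 10.0.0.5 MX example%d.test" % (1010 + 10 * i, i) for i in range(6)] + [
    "1020 10.0.0.9 A www.example.com",
]
CONN_LOG = ["%d 10.0.0.5 203.0.113.%d 25" % (1030 + 5 * i, i + 1) for i in range(12)] + [
    "1040 10.0.0.9 203.0.113.50 443",
]

if __name__ == "__main__":
    for src, confidence in sorted(storm_verdicts(HTTP_LOG, DNS_LOG, CONN_LOG).items()):
        print(src, "confidence", confidence)
```

A host that only trips the user-agent check stays at confidence 1; the MX burst and the SMTP surge each raise it, which mirrors the escalation the paragraph describes. The thresholds are starting points and should be tuned against the normal MX and SMTP behaviour of the network being monitored.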

Update:
McAfee IPS Coverage Status
McAfee Intrusion Prevention (formerly IntruShield) has released coverage for the Storm bot under the attack ID 0x48804200 BOT: Storm Bot Activity Detected. McAfee customers with up-to-date installations are protected against this malware.


U.S. Arrests Zeus-Operating Cybercriminals

September 30, 2010

It looks like some of the recent success in taking down Zeus-using cybercriminals is coming to the United States. The FBI has recently announced that it has charged as many as 60 people and has arrested 10 as part of a global cyberfraud scam. Summaries of the incident can be found here, here, and here.

Zeus is one of the nastiest and most persistent pieces of malware we deal with. It steals banking logons, can act as a bot, and recently started targeting mobile devices, as well. Recently one of our McAfee Labs researchers, Chintan Shah, posted an excellent blog on the inner mechanisms of the Zeus Crimeware Toolkit; his article is definitely worth a read. You can also listen to a great AudioParasitics podcast episode in which my podcast-partner-in-crime Jim Walter and I discuss Zeus (also called Spy-Agent.bw).

If you are running any of our DAT-based security technologies and they are up to date, you are already enjoying excellent coverage against Zeus.

UPDATE October 1

It now seems that Ukrainian authorities have taken action against individuals with suspected involvement in the Zeus cybercrime and money laundering network. The Ukrainian contingent seems to be associated with the more technical aspects of the infrastructure. Read detailed accounts here and here.

Let’s keep those arrests and takedowns coming and take back our Internet!


Application-Based Control: the Future of Botnets?

September 29, 2010

During the last six years, botnets have become one of the biggest threats to security professionals, businesses, and consumers. We at McAfee Labs have just released more information about how cybercriminals can use common social networks and common web applications, such as Twitter and XMPP-enabled applications like Google Talk, to take over a user’s computer.

As Web 2.0 services evolve, so do the efforts of botnet writers. They are rapidly adopting new technologies to increase the sophistication of their attacks. We have identified the following trends in botnets and social media:

  • Twitter-controlled bots are the most prevalent example of using social media to receive and execute bot commands
  • KreiosC2, though a proof-of-concept research tool, effectively demonstrates how LinkedIn and other social networks and applications can be used to control a botnet
  • Protocol standards such as XMPP, used for authentication, presence, and messaging, can also be used by cybercriminals to communicate with botnets and execute malicious attacks

The dangers from controlling a bot or botnet through an application such as Twitter cannot be overstated. Using widely adopted and deployed applications like Twitter to control a botnet effectively allows the attacker to hide in plain sight by using an application or website that is allowed on most desktops worldwide. There’s nothing to it: Log into a Twitter account from a variety of Twitter applications (I’ll use TwitScoop) and send an update:

Get Ready For DDoS Attack!!!

Then we send our command:

Attack Command Sent Through Twitter Baby!!

It really is as simple as that: decentralized, application-based control of one or many bots. Don’t try this at home: I ran this exercise from a private Twitter account with only one follower (my other Twitter account) in a research environment, so there was no danger!

The McAfee Labs research team has released a report that examines TwitterBots, KreiosC2, and XMPP as examples of how cybercriminals can use social networks as the new platform for botnet command, control, and attack.



Zeus Crimeware Toolkit

September 20, 2010

The Zeus botnet has been in the wild since 2007 and it is among the top botnets active today. This bot has an amazing and rarely observed means of stealing personal information: by infecting users’ computers and capturing all the information entered on banking sites. Apart from stealing passwords, this bot has a variety of methods implemented for stealing identities and controlling victims’ computers.

Over the years Zeus has been released in a lot of versions, adding or changing functionality, and is highly flexible in its configuration. So this is just a snapshot of one version (1.2.7.19), giving an overview of its functionality.

In the first part of this blog I will disclose the process involved in building and distributing a Zeus botnet in the wild. In the second part, I will discuss how Zeus captures personal information by injecting code dynamically, and finally I’ll offer some thoughts on command and control.

Zeus serves as a heads-up for all those who believe that banking transactions over HTTPS can never be intercepted.

Zeus builder toolkit

I’ve been busy researching how Zeus is built and distributed in the wild. It has been a pretty high-profile botnet since it was discovered, due to its high rate of infections. During our research activity I was able to get hold of a Zeus builder toolkit. It was priced at US$700 to $1,500 then; a few months later, a free version of this toolkit was publicly available.

Building and Configuring Zeus Bot

The process of building and configuring the Zeus bot requires just a couple of steps.

Step 1) Configuration specification:

Specifying all the static configuration parameters in the configuration file.

[Image: Zeus builder]

The “edit config” button will allow you to enter various parameters to control the botnet as described below.

timer_logs: Time interval to upload the logs to the server
timer_stats: Time interval to upload infection statistics to the server
url_config: Server URL for fetching the config file
url_compip: Server URL for reporting the victim
encryption_key: Encryption key used to encrypt the config file
url_loader: URL for fetching the latest version of zeus.exe
url_server: Command and control server
file_webinjects: File name of the file containing the HTML web-injection code
AdvancedConfigs: URL for fetching the backup config file
WebFilters: The masked list of URLs that should be monitored for capturing login credentials
WebDataFilters: The list of URLs that should be monitored for specific string matches. If a pattern such as “Passw” or “login” is matched, the data is captured and sent to the C&C server, e.g., “http://mail.rambler.ru/*” “passw;login”
WebFakes: URLs that should be redirected to fake websites

TANGrabber:

TAN (Transaction Authentication Number) Grabber is a Zeus feature that allows the bot master to specify the banking sites to monitor and the specific patterns to search for in the transaction data posted to the bank websites. Zeus will match these specified data patterns, capture them, and post them to the C&C server. The bot master can enter other banking sites here, and Zeus will add them to the final encrypted configuration file when the “Build config” button is clicked.
I entered the fake banking URL in the config file below, marked in red, just to check its presence when the encrypted configuration file is built.

Step 2) Building an encrypted configuration file

Let’s have a look at what happens when we press the “Build config” button. The toolkit builds the final encrypted configuration file, with an option to save it. This configuration file is then uploaded by the bot master to the C&C server.

[Image: zeus builder1]

Step 3) Building the bot executable

The bot master can build the Zeus executable with the “Build loader” button option.

[Image: zeus Builder 2]

Zeus Network Communications

When the bot is executed in a virtual machine, it initially communicates over HTTP and sends a GET request to the command and control server to retrieve the configuration file. The server replies with the requested configuration file. This request is repeated according to the timer value set in the configuration file.

[Image: zeus builder 3]

The bot sends the information of the infected computer to the control server according to the “url_server” parameter specified in the configuration file.

[Image: zeus builder 4]

One interesting observation

Upon closer analysis of the Zeus network communications, we have come across an interesting similarity between the GET response from the server and the next POST request sent by the bot.

For sample 1:
[Image: zeus builder 5]

For sample 2:

[Image: zb6]

As observed above, we see this similarity in the initial part of the GET response from the server and the POST request from the bot, starting at the third byte after the HTTP header ends. We have made similar observations with the older versions of the Zeus bot. This consistent trait is something we can use to implement generic detection for this bot on a network gateway!

HTML injection on SSL-secured banking transactions

As banking websites evolved, they added an extra layer of security to mitigate keystroke-logging attacks. On the other hand, continuously evolving malware has also come out with new techniques to bypass these security measures and steal login credentials. Password-stealing botnets such as Zeus now use HTML code-injection techniques, whereby a bot on the infected computer injects HTML code into the legitimate web pages of the banking site to request additional personal information that is not required for the transaction. This lures users into entering more credentials than required. These are captured by the bot and posted to the Zeus bot master’s command and control server.

Before HTML injection, the targeted site looks like this:
[Image: zb8]

After HTML injection, the same site looks like this:
[Image: zb9]

This shows that even forms that are supposed to be HTTPS-encrypted can be manipulated by a bot to entice the user into typing arbitrary amounts of personal information, which can be captured (using key logging) and sent off to the C&C master.

Heuristic detection for web injection activity:

Another technique that can be used is detecting the difference in the HTML form fields. The idea is to detect a change in the number of HTML form fields between the banking page as served and the data that is posted back to the server. This can be detected at the network gateway. In the case of Zeus, because the banking sites are accessed over HTTPS, the perimeter device needs to be armed with SSL man-in-the-middle functionality to inspect this traffic.
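The form-field comparison described above, as an added example (not McAfee code and not part of any product). It assumes the gateway has already terminated TLS so that both the served page and the client’s POST body are available in clear text; the page and the two POST bodies below are constructed, with the extra “atm_pin” and “ssn” fields standing in for the additional information an injected form asks for:

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs


class FormFieldCollector(HTMLParser):
    """Collect the name attribute of every <input>, <select> and <textarea>."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def form_fields(html):
    """Field names the server's page actually asks for (in document order)."""
    collector = FormFieldCollector()
    collector.feed(html)
    return collector.fields


def posted_fields(body):
    """Field names present in a urlencoded POST body."""
    return list(parse_qs(body, keep_blank_values=True).keys())


def unexpected_fields(served_html, post_body):
    """Fields the client submitted that the served form never contained.
    A non-empty result is the web-injection heuristic firing."""
    expected = set(form_fields(served_html))
    return sorted(f for f in posted_fields(post_body) if f not in expected)


# Constructed login page as the bank's server sent it (three named fields).
SERVED_PAGE = """<form method="post" action="/login">
<input type="text" name="user"><input type="password" name="pass">
<input type="hidden" name="token" value="abc">
<input type="submit" value="Sign in"></form>"""

# Constructed POST bodies: one from an untouched browser, one from a browser
# whose page was modified client-side to ask for extra data.
NORMAL_POST = "user=alice&pass=s3cret&token=abc"
INJECTED_POST = "user=alice&pass=s3cret&token=abc&atm_pin=1234&ssn=000000000"

if __name__ == "__main__":
    print("served fields:", form_fields(SERVED_PAGE))
    print("normal post extras:", unexpected_fields(SERVED_PAGE, NORMAL_POST))
    print("injected post extras:", unexpected_fields(SERVED_PAGE, INJECTED_POST))
```

Comparing field names rather than just counting them tells the analyst which fields were added. Sites that legitimately add fields with client-side JavaScript will trip this check, so it is a heuristic to be correlated with the other Zeus indicators rather than a verdict on its own.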

Intercepting mouse clicks and capturing virtual keyboard screenshots

Banking websites have come up with the virtual keyboard technique to mitigate keystroke-logging attacks. Zeus counters this security feature by capturing a screenshot on each mouse click. Each click is intercepted and a screenshot captured and sent to the drop server; the screenshots are then combined sequentially to recover the entered password, as shown below.

[Image: zb10]

Analysis of the decrypted configuration file

Once a machine is infected with the Zeus bot, you can use the Zeus decoder tool available here to decrypt the encrypted config file.

Let’s take a look at the decrypted config file. We see the HTML injection code that this bot has added into it.

    http://172.16.230.183/bt.exe
    http://172.16.230.183/gate.php
    !*.microsoft.com/*
    !http://*myspace.com*
    https://www.gruposantander.es/*
    !http://*odnoklassniki.ru/*
    !http://vkontakte.ru/*
    @*/login.osmp.ru/*
    @*/atl.osmp.ru/*
    https://banking.*.de/cgi/ueberweisung.cgi/*
    *&tid=*
    *&betrag=*
    https://internetbanking.gad.de/banking/*
    KktNrTanEnz
    https://www.citibank.de/*/jba/mp#/SubmitRecap.do
    SYNC_TOKEN=*
    https://www.mybank.com/loginform.asp

(The last entry is the fake banking URL that I added while building the config file.)
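An added example (not McAfee code or the toolkit’s own code) that evaluates the URL masks from the decrypted config above against candidate URLs, so a defender can check whether a given banking URL falls under one of the filters. The post does not define the mask syntax; the example assumes “*” matches any run of characters, “#” matches exactly one character, and the leading “!” and “@” are per-entry flags (excluded from logging and screenshot mode respectively). Those semantics are assumptions, as is the FLAG_MEANING table:

```python
import re

# URL masks from the decrypted WebFilters list quoted above (the page's data).
# "*&tid=*" and "*&betrag=*" are data patterns rather than URL masks and are
# left out; the mybank.com entry is the author's own test URL.
WEBFILTERS = [
    "!*.microsoft.com/*",
    "!http://*myspace.com*",
    "https://www.gruposantander.es/*",
    "!http://*odnoklassniki.ru/*",
    "!http://vkontakte.ru/*",
    "@*/login.osmp.ru/*",
    "@*/atl.osmp.ru/*",
    "https://banking.*.de/cgi/ueberweisung.cgi/*",
    "https://internetbanking.gad.de/banking/*",
    "https://www.citibank.de/*/jba/mp#/SubmitRecap.do",
    "https://www.mybank.com/loginform.asp",
]

# Assumed meaning of the leading flag characters (not stated in the post).
FLAG_MEANING = {
    "": "monitored for credentials",
    "!": "excluded from logging",
    "@": "screenshots captured",
}


def mask_to_regex(mask):
    """Split off the flag character and compile the mask into an anchored regex.
    Assumed wildcards: '*' = any run of characters, '#' = exactly one character."""
    flag = ""
    if mask and mask[0] in "!@":
        flag, mask = mask[0], mask[1:]
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return flag, re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED = [(mask,) + mask_to_regex(mask) for mask in WEBFILTERS]


def classify_url(url):
    """Return (mask, flag) for the first filter entry matching url, or None."""
    for mask, flag, regex in COMPILED:
        if regex.match(url):
            return mask, flag
    return None


def describe(url):
    """Human-readable verdict for one URL."""
    hit = classify_url(url)
    if hit is None:
        return "not in filter list"
    mask, flag = hit
    return "%s (mask %s)" % (FLAG_MEANING[flag], mask)


if __name__ == "__main__":
    for u in ("https://www.citibank.de/de/jba/mp3/SubmitRecap.do",
              "http://www.myspace.com/home",
              "https://login.osmp.ru/auth",
              "https://www.example.com/"):
        print(u, "->", describe(u))
```

Each mask is escaped character by character before the wildcards are substituted, so the dots in host names are matched literally. Anchoring both ends keeps “https://www.gruposantander.es/*” from matching an unrelated host that merely contains that string.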

HTML injection code in the config file:

[Image: zb11]

Following is the abbreviated list of banking sites targeted by this bot; it’s found in the decrypted configuration file.

    https://online.wellsfargo.com/signon*
    https://www.paypal.com/*/webscr?cmd=_account
    https://www.paypal.com/*/webscr?cmd=_login-done*
    https://www#.usbank.com/internetBanking/LoginRouter
    https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
    https://www#.citizensbankonline.com/*/index-wait.jsp
    https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
    https://www.suntrust.com/portal/server.pt*parentname=Login*
    https://www.53.com/servlet/efsonline/index.html*
    https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
    https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
    https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
    https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
    https://resources.chase.com/MyAccounts.aspx
    https://bancaonline.openbank.es/servlet/PProxy?*
    https://extranet.banesto.es/*/loginParticulares.htm
    https://banesnet.banesto.es/*/loginEmpresas.htm
    https://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*
    https://www.gruposantander.es/bog/sbi*?ptns=acceso*
    https://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html
    https://www.bancajaproximaempresas.com/ControlEmpresas*
    https://www.citibank.de*
    https://probanking.procreditbank.bg/main/main.asp*
    https://ibank.internationalbanking.barclays.com/logon/icebapplication*
    https://ibank.barclays.co.uk/olb/x/LoginMember.do
    https://online-offshore.lloydstsb.com/customer.ibc
    https://online-business.lloydstsb.co.uk/customer.ibc
    https://www.dab-bank.com*
    http://www.hsbc.co.uk/1/2/personal/internet-banking*
    https://www.nwolb.com/Login.aspx*
    https://home.ybonline.co.uk/login.html*
    https://home.cbonline.co.uk/login.html*
    https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do
    https://welcome23.smile.co.uk/SmileWeb/start.do
    https://www.halifax-online.co.uk/_mem_bin/formslogin.asp*
    https://www2.bancopopular.es/AppBPE/servlet/servin*
    https://www.bancoherrero.com/es/*
    https://pastornetparticulares.bancopastor.es/SrPd*
    https://intelvia.cajamurcia.es/2043/entrada/01entradaencrip.htm
    https://www.caja-granada.es/cgi-bin/INclient_2031
    https://www.fibancmediolanum.es/BasePage.aspx*
    https://carnet.cajarioja.es/banca3/tx0011/0011.jsp
    https://www.cajalaboral.com/home/acceso.asp
    https://www.cajasoldirecto.es/2106/*
    https://www.clavenet.net/cgi-bin/INclient_7054
    https://www.cajavital.es/Appserver/vitalnet*
    https://banca.cajaen.es/Jaen/INclient.jsp
    https://www.cajadeavila.es/cgi-bin/INclient_6094
    https://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp
    http://caixasabadell.net/banca2/tx0011/0011.jsp
    https://www.caixaontinyent.es/cgi-bin/INclient_2045
    https://www.caixalaietana.es/cgi-bin/INclient_2042
    https://www.cajacirculo.es/ISMC/Circulo/acceso.jsp
    https://areasegura.banif.es/bog/bogbsn*
    https://www.bgnetplus.com/niloinet/login.jsp
    https://www.caixagirona.es/cgi-bin/INclient_2030*
    https://www.unicaja.es/PortalServlet*
    https://www.sabadellatlantico.com/es/*
    https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login
    https://www.cajabadajoz.es/cgi-bin/INclient_6010*
    https://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm
    https://montevia.elmonte.es/cgi-bin/INclient_2098*
    https://www.cajacanarias.es/cgi-bin/INclient_6065
    https://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1
    https://www.gruppocarige.it/grps/vbank/jsp/login.jsp
    https://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp
    https://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp
    https://hb.quiubi.it/newSSO/x11logon.htm
    https://www.iwbank.it/private/index_pub.jhtml*
    https://web.secservizi.it/siteminderagent/forms/login.fcc
    https://www.isideonline.it/relaxbanking/sso.Login*

Botnet Command and Control

This toolkit comes with a control panel installation that is typically used to track the botnet infections. This is a PHP application that can be run on a web server along with the required database software (MySQL). It also enables the attacker to remotely control and send commands to the victims’ computers.

I opened one of the scripts that came with this toolkit and I found the bot can be given the following commands:

    $_COMMANDS_LIST = array
    (
        'reboot' => 'Reboot computer.',
        'kos' => 'Kill OS.',
        'shutdown' => 'Shutdown computer.',
        'bc_add [service] [ip] [port]' => 'Add backconnect for [service] using server witn address [ip]:[port].',
        'bc_del [service] [ip] [port]' => 'Remove backconnect for [service] (mask is allowed) that use connection to [ip]:[port] (mask is allowed).',
        'block_url [url]' => 'Disable access to [url] (mask is allowed).',
        'unblock_url [url]' => 'Enable access to [url] (mask is allowed).',
        'block_fake [url]' => 'Disable executing of HTTP-fake/inject with mask [url] (mask is allowed).',
        'unblock_fake [url]' => 'Enable executing of HTTP-fake/inject with mask [url] (mask is allowed).',
        'rexec [url] [args]' => 'Download and execute the file [url] with the arguments [args] (optional).',
        'rexeci [url] [args]' => 'Download and execute the file [url] with the arguments [args] (optional) using interactive user.',
        'lexec [file] [args]' => 'Execute the local file [file] with the arguments [args] (optional).',
        'lexeci [file] [args]' => 'Execute the local file [file] with the arguments [args] (optional) using interactive user.',
        'addsf [file_mask...]' => 'Add file masks [file_mask] for local search.',
        'delsf [file_mask...]' => 'Remove file masks [file_mask] from local search.',
        'getfile [path]' => 'Upload file or folder [path] to server.',
        'getcerts' => 'Upload certificates from all stores to server.',
        'resetgrab' => 'Upload to server the information from the protected storage, cookies, etc.',
        'upcfg [url]' => 'Update configuration file from url [url] (optional, by default used standard url)',
        'rename_bot [name]' => 'Rename bot to [name].',
        'getmff' => 'Upload Macromedia Flash files to server.',
        'delmff' => 'Remove Macromedia Flash files.',
        'sethomepage [url]' => 'Set homepage [url] for Internet Explorer.'
    );

We found an interesting feature of this toolkit during the botnet building process: If the bot master accidentally infects his own computer, he can remove the bot with the “Remove spyware from this system” button. Too bad that command isn’t available to Zeus’ victims.

[Image: ab12]


World of Warcraft Spearphishing and Botting

September 13, 2010

Over the weekend I had the chance to put some work into my lowbie dwarf paladin named Boulderbrain. I was at the Stormwind bank minding my own business when I suddenly got this whisper:

[Image: Targeted WoW Phishing Attack]

Now normally I simply ignore most whispers I get in-game (other times I simply don’t notice them) but this one caught my attention. Zooming in I think you will see why:

[Image: WoW Phishing Closeup]

This message tells me that Blizzard suspects my account of using third-party tools to cheat and asks me to go to their website, log in, and check my account settings. In actuality this is an “attacker” pretending to be a Blizzard GameMaster, and the website itself is a phishing site:

[Image: Fake WoW Login Page]

This particular fake was hosted on an IP address that had a pretty questionable report. (Hint, hint: use our SiteAdvisor browser plug-in!) World of Warcraft has millions of users worldwide, making attacks and techniques like this very common. Many players (myself included) have taken the additional step of using two-factor authentication (commonly called 2FA or simply tokens), which adds an additional layer of protection to your logon credentials:

[Image: WoW With 2FA]

The addition of the 2FA PIN makes it extremely difficult to break into or pop the account itself. (It’s like adding a secondary token to your bank logon.) OK, granted, I got the free Core Hound pup with it, but it also has a sweet iPhone app that generates the 2FA code!

Now what were those third-party apps the original phish may have alluded to? Bots most likely. As anyone who follows this blog is aware, bots refer to robots, usually malicious in nature, but they simply automate tasks. Some of the more popular bots for World of Warcraft are farming and leveling bots. They are designed for pretty much what you would guess: They automate the “farming” of a variety of materials (later sold for in-game gold) or even honor (honor points can be used to purchase in-game items). These bots can also automate the process of leveling your character. Some examples:

[Image: WoW Honorbot, used for honor and PvP farming]

and also:

[Image: GatheringBot, used mainly to farm materials]

Should your account be found to be using any of these, it will get banned, as it violates Blizzard’s terms of service. Credential and logon theft is one of the biggest areas of malware we at McAfee Labs deal with on a daily basis. Make sure you stay updated and properly configured, and be cautious of in-game messages!

And level up the old-school way: the account you save may be your own!


Zeus Botnet Attacks via FedEx Scam

September 1, 2010

Yesterday we discovered a new Zeus campaign.

Most of the messages associated with the new spam campaign are linked to the Asprox botnet. This time, the focus is on FedEx. Most of the attachments start with either FedExDoc[randomnumbers].exe or FedExInvoice[randomnumbers].exe. Those attachments are recognized as the Bredolab Trojan, which will download the Zeus component.

This Zeus variant has a control host on hxxp://x5vsm5.ru, but also downloads from hxxp://trachsel.biz.

The targets of these samples are a large number of banks outside the United States. We still see common U.S. targets…

  • Citibank
  • Comerica
  • USBank
  • WellsFargo

and also some banks from Europe, the Middle East, Asia, and South America…

  • Neue Bank (Liechtenstein)
  • Arab Bank
  • MyBank (Taiwan)
  • BHI Bank (United Kingdom)
  • NPBS (United Kingdom)
  • Banco de Sabadell (Spain)

as well as several other banks.

Watch out for Zeus going global.


Labs Releases Whitepaper on Cooperative Anti-Malware on Endpoint and Gateway

August 31, 2010

The Anti-Malware engine is a critical and core piece of the McAfee anti-malware solutions. As with any core technology, the engine must be rock-solid stable, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and values, covering both endpoint and gateway uses. Beyond introductions to malware detection methodologies (ranging from exact detection to heuristics) and technologies (from exploit detection to cloud-based detection), the new paper especially outlines McAfee’s approach to Cooperative Anti-Malware on Endpoint and Gateway. “Cooperative” in this case refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!


Newegg Password Reset Scam: a Harbinger of Threats to Come?

August 26, 2010

This blog was updated at 1:15 p.m. Pacific time on Aug. 26.

McAfee Labs has detected a new strain of spam in the wild that is not only a sophisticated forgery of a Newegg purchase receipt, but there is also some indication that the botnet may be attempting to abuse Newegg’s password reset system to further the scam.

[Image: password reset]

In less than 1 percent of the cases, the spammers appear to be taking advantage of the password reset option on the Newegg website to generate an email to the victim announcing that a password reset is required. This ruse cannot be used to determine whether an account exists, because the Newegg site returns the same text whether you request a password reset on an actual or a nonexistent account. So directory harvesting does not appear to be the attackers’ goal. Newegg’s password reset option is not protected by any sort of CAPTCHA authentication unless the account has received multiple requests for a password reset, so this process could be scripted as part of the spam campaign. The password reset request does not actually reset the password unless the recipient clicks on the email that is sent, and even then the password reset request does not indicate the account has been compromised. In all likelihood this scam is designed to make the recipient anxious by suggesting an unauthorized individual has attempted to access the account.

forgery

Anxiety and frustration are common emotions exploited by spam and phishing messages to make a victim click on a malware link without thinking. One common trick is to send a purchase confirmation email to a recipient, who is likely to click on the attachment or the link because he or she is afraid or is convinced that someone has already hacked the account. To continue the scam: The victims receive a forged Newegg purchase receipt shortly after seeing the legitimate password reset notice. If recipients are anxious about account tampering, they may be willing to release a quarantined spam message that claims to be a purchase receipt because they feel their accounts may have been compromised.

cutwail

This spam mail appears to be associated with the Cutwail botnet, which is the second-most prolific botnet in detected infections. (Rustock is number one.) Cutwail has the highest number of infections detected in Russia, India, and Brazil. We do not know if every recipient of a Newegg spam has received a password reset notification before the spam mail arrived, but McAfee TrustedSource™ has detected a 233 percent increase over the average mail flow coming from Newegg IP addresses today.

newegg.ts

The spam mail not only mimics the look and feel of a Newegg email, but also forges the RFC 821 Received headers to pretend that it originated from Newegg servers. The email contains an HTML attachment that uses obfuscated JavaScript to forward the victim to a domain that attempts to deliver fake anti-virus software or other malware to the recipient.
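Forged Received headers only fool a filter that reads the whole chain at face value. The script below is an added example, not code from McAfee Labs or Newegg: it trusts only the Received header stamped by our own border MX, takes the address that actually connected to us from that header, and compares it with the relays the sender's domain is allowed to use; the headers below that hop are under the sender's control and are ignored. It also flags HTML attachments that contain script. Our MX names (`mail.example.net`, `mx1.example.net`), the allowed relay range for newegg.com and the sample message are constructed for the example.

```python
"""Spot forged Received headers and scripted HTML attachments in a suspect message.

Added example, not code from McAfee Labs or Newegg. The post describes spam that
forges its Received headers to look as if it left Newegg's servers and carries an
HTML attachment whose obfuscated JavaScript redirects the reader. The check below
trusts only the Received header written by our own border MX: it reads the address
that actually connected to us and compares it with the relays the sender's domain
is allowed to use. Headers below that hop are attacker-supplied and are ignored.
Our MX names, the allowed relay range and the sample message are constructed.
"""
import ipaddress
import re
from email import message_from_bytes, policy, utils

OUR_HOSTS = {"mail.example.net", "mx1.example.net"}                       # assumed: our own MTAs
TRUSTED_RELAYS = {"newegg.com": [ipaddress.ip_network("203.0.113.0/24")]}  # assumed allow-list
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.I,
)
SCRIPT_RE = re.compile(rb"<script\b|javascript:", re.I)

# Constructed sample: the top header is ours, the second was stamped by our border MX
# for a connection from 198.51.100.77, and the third was written by the sender to
# claim a hop through a genuine-looking newegg.com address.
RAW_MAIL = b"""\
Received: from mx1.example.net (mx1.example.net [192.0.2.10]) by mail.example.net with ESMTP; Thu, 26 Aug 2010 09:15:02 -0700
Received: from smtp3.newegg.com (unknown [198.51.100.77]) by mx1.example.net with ESMTP; Thu, 26 Aug 2010 09:15:01 -0700
Received: from smtp3.newegg.com (smtp3.newegg.com [203.0.113.25]) by smtp3.newegg.com with ESMTP; Thu, 26 Aug 2010 09:14:59 -0700
From: "Newegg.com" <info@newegg.com>
To: victim@example.net
Subject: Your Newegg.com Order Receipt
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Thank you for your order. Your receipt is attached.
--B1
Content-Type: text/html; name="receipt.html"
Content-Disposition: attachment; filename="receipt.html"

<html><body><script>eval(unescape('%61%6c%65%72%74'))</script></body></html>
--B1--
"""


def border_hop(msg):
    """Return (helo, ip, by_host) for the hop where an outside host handed the mail to one of OUR_HOSTS.

    Received headers are read top-down (newest first), so the first header that one
    of our hosts stamped for a connection from a non-our host is the border hop;
    everything below it may have been written by the sender.
    """
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m and m["by"].lower() in OUR_HOSTS and m["helo"].lower() not in OUR_HOSTS:
            return m["helo"], m["ip"], m["by"]
    return None


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    return utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def check_message(raw):
    """Return a list of findings for raw message bytes; an empty list means nothing was flagged."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    domain = sender_domain(msg)
    hop = border_hop(msg)
    if hop is not None and domain in TRUSTED_RELAYS:
        helo, ip, _ = hop
        if not any(ipaddress.ip_address(ip) in net for net in TRUSTED_RELAYS[domain]):
            findings.append(f"forged-origin: mail from {domain} reached us from {ip} "
                            f"(HELO {helo}), which is not an allowed {domain} relay")
    for part in msg.walk():
        if (part.get_content_disposition() == "attachment"
                and part.get_content_type() == "text/html"
                and SCRIPT_RE.search(part.get_payload(decode=True) or b"")):
            findings.append(f"scripted-html-attachment: {part.get_filename()}")
    return findings


if __name__ == "__main__":
    for finding in check_message(RAW_MAIL):
        print(finding)
```

The allow-list stands in for what SPF publishes for the sender's domain; a production filter would look the SPF record up rather than hard-code ranges, but the principle is the same: only the connecting address recorded by your own MX is evidence, never a Received line that arrived inside the message.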

This is a powerful scam: It combines forgery techniques to fool the victims, techniques to fool the filters, and outright abuse of the Newegg corporate infrastructure to scare the recipients of the malicious emails. Techniques like this are not new, but the combination of three in one package is rare. Administrators should be aware of this campaign and inform their users not to be fooled by the purchase receipt. Users who want to check their Newegg accounts should not use any links in an email but should go straight to newegg.com.

Newegg says it is investigating this issue to determine any customer impact and that it is researching any actions the company may need to take to help its customers avoid phishing scams that take advantage of their brand.


New Wave of Zbot Trojan

August 14, 2010

McAfee Labs detected a new wave of the PWS-Zbot (a.k.a Zeus) spam campaign this week.

Some common phrases used in the email subject headers:

  • Subject: Sales Dept
  • Subject: Another candidate brought to you
  • Subject: Summary of payments

These emails carried PWS-Zbot Trojan variants that are a part of the 2.x version of the Zeus botnet, and currently try to access the following URLs:

  • hxxpS://193.104.{blocked}/box1/master.tmp
  • hxxpS://193.104.{blocked}/box1/1.gif
  • hxxpS://193.104.{blocked}/box1/update.php
  • hxxpS://cisco-update-{blocked}.com/box1/1.gif (currently offline)

This variant also exhibits rootkit behavior, hooking Windows APIs to prevent users from seeing some of the files.

Examples of such hooks are:

  • ntdll.dll!NtCreateThread
  • USER32.dll!TranslateMessage
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!LdrLoadDll
  • ntdll.dll!LdrGetProcedureAddress
  • USER32.dll!GetClipboardData

This variant also uses HTTPS as the communication protocol with the remote servers to download encrypted data. In some instances, it was also found to patch termsrv.dll to bypass authentication while connecting to the machine via Remote Desktop.
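User-mode hooks of the kind listed above usually leave a visible trace at the start of the hooked export: the normal prologue is replaced by a branch into code outside the module. The following is an added example, not McAfee code, of the check an API-hook scanner performs. It decodes the two most common redirect patterns, JMP rel32 (E9) and PUSH imm32 / RET (68 … C3), and reports a hook only when the target falls outside the module's own address range, so a legitimate intra-module thunk is not flagged. All addresses, module bounds, the `ntdll.dll!SomeThunk` name and the function bytes are constructed, and a 32-bit layout is assumed.

```python
"""Detect inline hooks on exported functions, the user-mode rootkit technique described above.

Added example, not McAfee code. A hooked export typically no longer starts with
its normal prologue but with a control-flow redirect: a JMP rel32 (E9 xx xx xx xx)
or a PUSH imm32 / RET pair (68 xx xx xx xx C3) that sends execution to code the
rootkit placed outside the module. This checker decodes those two patterns at the
start of each export and reports a hook when the branch target lies outside the
module's own address range. All addresses, module ranges and function bytes are
constructed (32-bit layout assumed).
"""
import struct


def decode_redirect(code, addr):
    """Return the absolute target if `code` (the bytes at `addr`) starts with a redirect, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # JMP rel32: target = next_ip + rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # PUSH imm32 ; RET
        return struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(name, code, addr, module_range):
    """Classify one export: a redirect whose target is outside `module_range` is reported as hooked."""
    target = decode_redirect(code, addr)
    lo, hi = module_range
    hooked = target is not None and not (lo <= target < hi)
    return {"export": name, "target": target, "hooked": hooked}


def scan(exports):
    """Return the names of hooked exports; `exports` is a list of (name, code, addr, module_range)."""
    return [r["export"] for r in (check_export(*e) for e in exports) if r["hooked"]]


# ---- constructed sample ------------------------------------------------------
NTDLL_RANGE = (0x7C900000, 0x7C9B0000)     # assumed ntdll.dll image bounds
USER32_RANGE = (0x7E410000, 0x7E4A1000)    # assumed user32.dll image bounds
DETOUR_A = 0x00A51000                      # assumed: rootkit code on a private heap
DETOUR_B = 0x00A52000


def jmp_rel32(src, dst):
    """Encode 'JMP dst' as it would be written at src (the patch a hook installer applies)."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


LDRLOADDLL_ADDR = 0x7C9163C3
NTQUERYDIR_ADDR = 0x7C90D76C
THUNK_ADDR = 0x7C91A000
GETCLIP_ADDR = 0x7E41B1B0

SAMPLE_EXPORTS = [
    # untouched stub: mov eax, <service number placeholder>; mov edx, 7FFE0300h
    ("ntdll.dll!NtQueryDirectoryFile", b"\xB8\x91\x00\x00\x00\xBA\x00\x03\xFE\x7F",
     NTQUERYDIR_ADDR, NTDLL_RANGE),
    # prologue overwritten with a JMP out of the module
    ("ntdll.dll!LdrLoadDll", jmp_rel32(LDRLOADDLL_ADDR, DETOUR_A) + b"\x8B\xEC",
     LDRLOADDLL_ADDR, NTDLL_RANGE),
    # a JMP that stays inside ntdll (constructed thunk): not a hook
    ("ntdll.dll!SomeThunk", jmp_rel32(THUNK_ADDR, 0x7C910000), THUNK_ADDR, NTDLL_RANGE),
    # PUSH imm32 / RET detour leaving user32
    ("USER32.dll!GetClipboardData", b"\x68" + struct.pack("<I", DETOUR_B) + b"\xC3",
     GETCLIP_ADDR, USER32_RANGE),
]

if __name__ == "__main__":
    for entry in SAMPLE_EXPORTS:
        r = check_export(*entry)
        print(f"{r['export']:32} target={r['target']!r:>12} hooked={r['hooked']}")
```

Two patterns this does not cover need a memory reader rather than the prologue bytes alone: a JMP through a pointer (FF 25) whose target sits in the slot it references, and the hotpatch-style two-byte short JMP into the padding before the function, which then jumps out. The more robust check a scanner adds is to compare each in-memory prologue against the module's on-disk copy, which catches a hook regardless of which opcode it uses; the range test above is the cheap first pass.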

The SSL certificate used by the server is self-signed with default parameters and a date of July 13, exactly one month from today.

Further details of the Zbot or Zeus Trojan family are available at the Virus Information Library.

Update: We have noticed that some reports refer to the current wave of PWS-Zbot as “Zeus v3.” To clarify: The current Zbot variants are generated by the “v2 toolkit” and its variants. The Zbot Trojan has evolved from the “v1 toolkit” (which generated the 1.x.x to 1.3.x variants) to the “v2 toolkit,” which underlies the current versions.

