October 5th, 2008
Posted in Uncategorized
It looks like the Cutwail Botnet is attempting to increase its size at the moment. While checking our spam honeypot network for any interesting new attacks, I found a sample of a new attack carrying the latest version of the Trojan. In fact, it's so new that many of the major Anti-Virus companies don't have definitions against it as I write this post. I submitted the sample to virustotal, which is an excellent resource for classifying suspicious files and showing the definition coverage from various companies. Here's a screen shot showing the coverage.
Only 5 out of 36 companies detected the submitted file, indicating it is very new! The sample I analyzed above came from 220.127.116.11, which appears to be a member of the Cutwail Botnet; it is busy recruiting new members which can then be used to send spam. I should point out that this is a high volume attack, as over 15% of all messages to the honeypot contain this malware (keep in mind that the honeypot receives huge volumes of spam!).
So, what does it do? The file attached to the e-mail is Statement_1.zip and it contains a malicious file named Statement_1.doc.exe. Running it in a sandbox environment shows that it copies itself to a file named rs32net.exe and then adds that file to the registry so it will be run automatically on system startup. It also sends an HTTP GET request to 18.104.22.168, 22.214.171.124 and 126.96.36.199 on port 80 to download additional files and to register itself as a new bot with command and control. It then attempts to connect to mail servers to verify that it can send before attempting to send out the same message with the malware payload.
The current campaign spreading the malware tries to convince the recipient that they have been a victim of credit card fraud and that the statement listing the fraudulent transactions has been attached. Here's a sample e-mail; Subject lines being used include "Security Department", "Credit Card Fraud Involving", "Fraud Transactions", "Fraud Defense", "Dear Holder", "Information of Your Transactions" and "You the Account Statement".
Greating and salutations
Dear Credit Card Holder:
Please be aware that a credit card fraud involving your credit card
has been registered by our security department. For your information,
we are sending you the account statement that includes all transactions
made with your credit card from 01.09.2008 through 03.09.2008.
Please take a note of the last three transactions on the list,
which have been recognized as fraudulent.
We highly recommend you to inform us of the transactions you have
made personally. Thus, you will help us and yourself to resolve this issue
as soon as possible.
An MS Word document containing your account statement in is enclosed
in the archive attached to this message.
Take care of yourself
Manager of Credit Card Fraud Defense
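As an added example (not code from the original post), here is a mail-gateway style check for the lure described above: it parses a message, opens the ZIP attachment in memory and flags entries that hide an executable behind a document extension, as Statement_1.doc.exe does, and notes whether the Subject matches one of the campaign's lines. The message, addresses and archive contents are constructed placeholders, not the Trojan.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions that Windows will execute when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Subject lines the post reports for this campaign.
LURE_SUBJECTS = {"Security Department", "Credit Card Fraud Involving",
                 "Fraud Transactions", "Fraud Defense", "Dear Holder",
                 "Information of Your Transactions", "You the Account Statement"}

def risky_zip_entries(zip_bytes):
    """Return archive entry names whose final extension is executable
    and which carry a decoy document extension in front of it (x.doc.exe)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.lower().rsplit(".", 2)   # ['statement_1', 'doc', 'exe']
            if len(parts) == 3 and "." + parts[2] in EXEC_EXTS:
                found.append(name)
    return found

def inspect_message(raw):
    """Return a verdict for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = str(msg["subject"] or "").strip()
    hits = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(".zip"):
            hits.extend(risky_zip_entries(part.get_payload(decode=True)))
    return {"lure_subject": subject in LURE_SUBJECTS,
            "risky_entries": hits,
            "verdict": "quarantine" if hits else "pass"}

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample():
    """A constructed message mimicking the lure; the attachment is harmless filler."""
    msg = EmailMessage()
    msg["Subject"] = "Fraud Transactions"
    msg["From"] = "security@example.invalid"      # placeholder sender
    msg["To"] = "holder@example.invalid"          # placeholder recipient
    msg.set_content("Please be aware that a credit card fraud has been registered.")
    msg.add_attachment(make_zip({"Statement_1.doc.exe": b"placeholder, not malware"}),
                       maintype="application", subtype="zip", filename="Statement_1.zip")
    return msg.as_bytes()
```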
Update: On Tuesday morning I noticed a change to the malware being delivered. The latest Trojan downloader was not identified by most major AV solutions and it behaved differently. It downloaded the files loader.exe and install.exe from soft-side.net and mncpssa.org. It also attempted to check a block of IP addresses of a corporation on port 445.
Update 2: On Wednesday morning around 5am, the attached Trojan was changed again. Only 3 AV solutions identified it but with general names e.g. “Suspicious File”, “Suspected of Malware” and “New Malware.ix”. I wonder if it will change again tomorrow?
Tags: botnet, cutwail, fraud, trojan
August 17th, 2008
Posted in Uncategorized
I thought it worth discussing the spam e-mails being sent related to the conflict in Georgia. So far, our spam traps show two very different types of spam mailings related to the issue which appear to have very different purposes.
The most recent messages I've seen are in German and originate from the Cutwail botnet. Typically spam messages are used to promote a product or aim to infect even more machines. Interestingly, in this case it's neither; it's a political message which actually links to a YouTube video of a Fox News broadcast.
The Subject line is "Wahrheit uber Georgien Konflikt", which translates as "Truth about Georgia Conflict". It claims that YouTube has manipulated the visitor numbers so that the video isn't popular (which I doubt). It goes on to state that we are not "media puppets", that we are opposed to "propaganda in the media" and that the information should be spread like a fire. I've removed the actual link to the video as I don't want to promote traffic to it. Here's a single sample of the message, which originated from 188.8.131.52, an address listed on the CBL as associated with Cutwail, although we've seen high volumes of these hit the spam traps.
Subject: Wahrheit uber Georgien Konflikt
A little girl speaks the truth about Georgian attacks:
(YouTube manipulates the view counter and does not let this video become popular)
2000 dead within 2 days from the Georgian attack – RIP
For all the children, women and men who were murdered by Georgian attacks we are starting this campaign.
We are against propaganda in the German media!
We are not media puppets.
We wanted the TRUTH! We are the people!
Spread this message like wildfire! (Emails, Blogs, Forums, ICQ)
Together we are strong.
The second spam e-mail referencing Georgia appears to be coming from the Mega-D Botnet. There were reports that this could be a new botnet but the samples I’ve seen show infections of Mega-D so I’d need to see further evidence to support that claim although I couldn’t rule it out completely. Rather than spreading a political message, this spam links to malware to cause further infections. It looks like it’s simply leveraging a hot topic to socially engineer people to click on it rather than spread a political message. Gary Warner over at UAB (University of Alabama at Birmingham) has an excellent Anti-Spam blog and gives an analysis of this spam message.
It's clever in that the subject line claims to be from BBC NEWS. This may sound familiar from the CNN/MSNBC fake headline spam which was sent from the Rustock Botnet, but it's not at all related other than borrowing some social engineering ideas. A sample originated from 184.108.40.206, which is listed on the CBL as infected as a Mega-D bot. The headers of the message also share heuristic features of that particular botnet, such as a forged header and a ratware signature. The message sent is as follows, with the addition of an image of the President if viewed in an HTML mail user agent.
Subject: BBC NEWS.
Last news! Saakashvili (president of Georgia) the gay! See it now!
It's not surprising that Botnets would leverage a major current affairs event to try and get a recipient to read their message. What did interest me was the fact that both Rustock and Mega-D are using news agencies, and both Cutwail and Mega-D are using the Georgia conflict in their messages. There's an overlap in the social engineering techniques used by the different Botnets as they learn from each other what appears to work. Another interesting point is that the spam from Mega-D is pro-Russian and the spam from Cutwail is pro-Georgian, so it's probably unlikely that the latter is under the control of the RBN (Russian Business Network).
Tags: botnet, cutwail, mega-d, spam