REPOST - ORIGINALLY POSTED JANUARY 3, 2011
Brian Krebs posted an article on his blog this morning that documents a recent spam attack on U.S. government employees that occurred around christmas time.
http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov-geeks/
which has in-depth technical coverage at:
http://contagiodump.blogspot.com/2011/01/general-file-information-file-card.html
Using a very simple ruse of “Merry Christmas from the White House”, this message used the common “ecard” social engineering hook to push a ZeuS trojan variant to the unlucky recipient.
From a configuration standpoint, this ZeuS bot used the following command and control points, all of which are down as of this writing:
Configuration Files:
http:// patmarclean.us/flash/resny.bin
http:// rogersvillechamber.us/components/tmpny.bin
http:// ingunnanvik.no/templates/system/sysny.bin
http:// argentum.lv/modules/rssny.bin
Binary Updates:
http:// ingunnanvik.no/templates/system/botny.exe
Information Drops:
http:// 209.172.60.242/~newdowni/stat/gate_in.php
http:// someonesome.mobi/imgs_ctn/icon_sml/gate_in.php
http:// shock-world.mobi/zs/tmp/gate.php
It was poised to collect credentials from most major banks, but also includes site such as ebay, myspace, and microsoft, as well as online-payment processors, paypal and e-gold.
While these facts alone show similarities to infrastructure aspects of the “kneber” compromise that we documented back in February 2010, a very specific tie-in makes us believe that this attack was driven by operators that were also a part of the initial “kneber” compromise.
One domain in the original kneber data, “updatekernel.com” was tied specifically to a phishing email that used a spoofed address to push ZeuS to targeted government-employees, which Brian details here:
http://krebsonsecurity.com/2010/02/zeus–attack–spoofs–nsa–targets–gov–and–mil/
An interesting sidenote to this particular aspect of the kneber data was that the ZeuS bot that was involved with this phish had a second stage download of an executable called “stat.exe”. This malware was revealed to be a perl script converted to a stand-alone executable with the perl2exe tool.
This malware searched the local harddrive of the victim PC for xls,doc and pdf files, and uploaded them via FTP to:
packupdate.com
Which at the time, resided on a server in Belarus.
This current spam run, also downloaded a second-stage executable, called “pack.exe”, which was also:
- A perl2exe exectuable
- Searched the victim PC for all xls, doc and pdf files
- Uploaded stolen information to a server in Belarus, which resolved to “uploadpack.org”
So in this case, we have two executables, and three domain names, that have three converging elements, (pack, belarus and perl2exe)
When compared, these two files, separated by almost a year, are nearly identical in size:
Furthermore when analyzed with HBGary’s “fingerprint” tool, which looks for code similarities and “toolmarks”, a 95.8% match is indicated, with the only differing factors being the CPUID of the machine on which the malware was compiled:
This, because it is such a small and fairly unknown aspect of the kneber compromise, makes us think that this is indeed the same operator, who is again after documents pertaining to U.S. Government activities.
This evidence shows the continuing convergence of cyber-crime and cyber-espionage activites, and how they occassionally mirror or play off one another.
The question again, which we posed in our initial Kneber document, is:
Who is the end consumer of this information?
Alex Cox, Principal Research Analyst
