“Government-related” Zeus spam continues

As we discussed in yesterday’s article, “Wrong transaction” hotel spam, the UAB Spam Data Mine now has the ability to provide early alerting when a new spam campaign links directly to executable files.

This morning we have a new example of this capability in the form of the two most recent installments of a long-running “government-related” Zeus campaign.

One of the two spammed destinations is:

alert-irs.com /00000700973770US.exe MD5 = 0691a4856713edc97664e60db735747c

This malware is currently showing a (12 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

The other spammed destination is:

fdic-updates.com /system_update_07_28.exe MD5 = 7a0303fdb809ac0c1a84123b106992c2

This malware is currently showing a (8 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

Both files are 172,032 bytes in size, but currently the FDIC one is showing a dramatically wider distribution via email than the IRS one, which may be an indication of “targeting” by the latter.

The FDIC version has been seen almost 500 times, even though the campaign is less than 45 minutes old as of this writing. Here is the count per 15-minute block seen in the UAB Spam Data Mine:

     5 | ACH and Wire transfers disabled.      | 2011-07-28 06:00:00
     3 | Banking security update.              | 2011-07-28 06:00:00
     1 | Update for your banking account.      | 2011-07-28 06:00:00
   107 | ACH and Wire transfers disabled.      | 2011-07-28 05:45:00
   138 | Banking security update.              | 2011-07-28 05:45:00
   108 | Security update for banking accounts. | 2011-07-28 05:45:00
   122 | Update for your banking account.      | 2011-07-28 05:45:00
     1 | Banking security update.              | 2011-07-28 05:30:00
     1 | Security update for banking accounts. | 2011-07-28 05:30:00
     1 | ACH and Wire transfers disabled.      | 2011-07-28 05:15:00
     1 | Banking security update.              | 2011-07-28 05:15:00
     1 | Security update for banking accounts. | 2011-07-28 05:15:00

(Timestamps are US-Central Time, GMT -6)
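As an added example (not the UAB Spam Data Mine's own code), the following Python buckets spam records into the same 15-minute blocks per subject and raises the early alert described above when messages linking directly to an executable cross a threshold within one block. The record data and the host name malware-host.invalid are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

FMT = "%Y-%m-%d %H:%M:%S"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif")

def block_of(ts: str) -> str:
    """Floor a 'YYYY-MM-DD HH:MM:SS' timestamp to the 15-minute block it falls in."""
    t = datetime.strptime(ts, FMT)
    return t.replace(minute=t.minute - t.minute % 15, second=0).strftime(FMT)

def links_executable(url: str) -> bool:
    """True when the spammed URL points straight at an executable download."""
    return urlparse(url).path.lower().endswith(EXECUTABLE_SUFFIXES)

def count_by_block(records):
    """{(block, subject): count}, the same shape as the tables in the post."""
    return Counter((block_of(ts), subj) for ts, subj, _ in records)

def early_alerts(records, threshold=100):
    """Count messages per block whose link targets an executable, keyed by the
    linked host, and return the (block, host) pairs at or above threshold."""
    hits = Counter()
    for ts, _, url in records:
        if links_executable(url):
            hits[(block_of(ts), urlparse(url).hostname)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample mirroring part of the FDIC table above; the host
# 'malware-host.invalid' is a placeholder, not the real spammed domain.
SAMPLE_COUNTS = [
    (1, "Banking security update.", "2011-07-28 05:30:00"),
    (107, "ACH and Wire transfers disabled.", "2011-07-28 05:45:00"),
    (138, "Banking security update.", "2011-07-28 05:45:00"),
    (3, "Banking security update.", "2011-07-28 06:00:00"),
]

def expand(counts, url):
    """Turn (count, subject, block) rows into one record per message,
    spread one second apart inside the block."""
    for n, subj, block in counts:
        base = datetime.strptime(block, FMT)
        for i in range(n):
            yield ((base + timedelta(seconds=i % 900)).strftime(FMT), subj, url)

SAMPLE_RECORDS = list(expand(SAMPLE_COUNTS, "http://malware-host.invalid/system_update.exe"))
# A benign mail in the same block links to a web page, so it never counts toward an alert.
SAMPLE_RECORDS.append(("2011-07-28 05:46:00", "Weekly newsletter", "http://example.invalid/news.html"))

if __name__ == "__main__":
    for (block, subj), n in sorted(count_by_block(SAMPLE_RECORDS).items(), reverse=True):
        print(f"{n:6d} | {subj:38s} | {block}")
    print("ALERTS:", early_alerts(SAMPLE_RECORDS))
```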

The FDIC spam comes from email addresses that randomly associate these “usernames” with these “hostnames”. Everything in the first column was seen combined with everything in the second column.

admin            @   admin.fdic.gov
adminnistration  @   administration.fdic.gov
cunsumer         @   fdic.gov
FDIC             @   security.fdic.gov
finance          @
govdelivery      @
information      @
inspector        @
news             @
no-reply         @
privacy_policy   @
protection       @
public           @
report           @
service          @
stats            @
support          @
webannouncements @

Here’s what the email actually says:

Dear clients,
Your account ACH and Wire transactions have been
temporarily suspended for your settings, due to the
expiration of your security version. To download and install the
newest Updates, click here.

As soon as it is Applied, your transaction abilities will be fully restored.

Best regards,
Online security department
Federal Deposit Insurance Corporation

The IRS related spam came first:

     2 | Internal Revenue Service     | 2011-07-28 04:15:00
     2 | Federal Tax payment rejected | 2011-07-28 04:00:00
     2 | Your IRS payment rejected    | 2011-07-28 04:00:00
     2 | Internal Revenue Service     | 2011-07-28 03:45:00

This is fairly typical spamming for this group. They like to make a new Zeus variant, host it on a website, and then spam it very hard at the beginning of the East Coast business day. For example, here is the spam for:

nacha-rejected.com

     2 | Rejected transaction | 2011-07-27 05:30:00
     1 | Canceled  payment    | 2011-07-27 05:15:00
     2 | Canceled transaction | 2011-07-27 05:15:00
     3 | Payment rejected     | 2011-07-27 05:15:00
     5 | Rejected transaction | 2011-07-27 05:15:00
     2 | Canceled transaction | 2011-07-27 05:00:00
     8 | Canceled transfer    | 2011-07-27 05:00:00
     5 | Payment canceled     | 2011-07-27 05:00:00
     3 | Payment rejected     | 2011-07-27 05:00:00
     4 | Rejected transaction | 2011-07-27 05:00:00
    92 | Canceled  payment    | 2011-07-27 04:45:00
    74 | Canceled transaction | 2011-07-27 04:45:00
    84 | Canceled transfer    | 2011-07-27 04:45:00
    60 | Payment canceled     | 2011-07-27 04:45:00
    75 | Payment rejected     | 2011-07-27 04:45:00
    57 | Rejected transaction | 2011-07-27 04:45:00
     2 | Payment canceled     | 2011-07-27 04:30:00
     1 | Payment rejected     | 2011-07-27 04:30:00
     1 | Canceled transaction | 2011-07-27 04:15:00
     2 | Payment canceled     | 2011-07-27 04:15:00

nacha-transactions.com

     1 | Payment rejected     | 2011-07-27 07:00:00
     1 | Rejected transaction | 2011-07-27 06:45:00
     4 | Canceled  payment    | 2011-07-27 06:30:00
     2 | Canceled transfer    | 2011-07-27 06:30:00
     1 | Payment canceled     | 2011-07-27 06:30:00
     1 | Payment rejected     | 2011-07-27 06:30:00
     1 | Canceled transaction | 2011-07-27 06:15:00
     1 | Canceled transfer    | 2011-07-27 06:15:00
     1 | Payment canceled     | 2011-07-27 06:15:00
     1 | Payment rejected     | 2011-07-27 06:15:00

taxes-refund.com

     1 | Internal Revenue Service        | 2011-07-27 08:00:00
     1 | U.S. Department of the Treasury | 2011-07-27 08:00:00
     1 | Internal Revenue Service        | 2011-07-27 07:45:00
     2 | Internal Revenue Service (IRS)  | 2011-07-27 07:45:00
     2 | Payment IRS.gov                 | 2011-07-27 07:45:00
     1 | Internal Revenue Service        | 2011-07-27 07:30:00
     1 | IRS.gov                         | 2011-07-27 07:30:00
     1 | U.S. Department of the Treasury | 2011-07-27 07:30:00

(source: CyberCrime & Doing Time)
