X-Labs
September 15, 2010

Cash and "Labels and such" lead to ZEUS

Forcepoint

Websense® Security Labs™ ThreatSeeker™ Network has detected another wave of Zeus malicious email messages. This campaign is related to the familiar "pharma" spam messages that we see every day, with one exception: it combines an HTML or ZIP attachment with a social engineering lure, similar to what we normally see in malicious email campaigns. For example, the message may state that $375 has been sent to the recipient's account and include a link to view the transaction in that account. Opening the attachment results in a compromised user machine via obfuscated JavaScript in the attached HTML file. So far, we have seen this type of email with subjects like "Labels and such" and "Greetings from Rivermark Bill Payer!"

Websense customers are protected against this threat by the real-time protection in our Advanced Classification Engine, ACE.

Here is a screen shot of an email message with an HTML attachment:


In the case of an HTML attachment, the criminals use obfuscated JavaScript. The content is encrypted with a commercially available HTML obfuscation tool.


When viewing the deobfuscated content, we see that the script uses a meta refresh tag to redirect a user who views the attachment. The script checks which browser is in use and only performs the redirection for one of the following: Firefox (navigator.userAgent.indexOf('Gecko')) or Chrome/Safari (navigator.userAgent.indexOf('KHTML')).
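The combination described above (a userAgent branch on 'Gecko'/'KHTML' followed by a meta refresh, often written out through an escaped string) is easy to flag on the mail gateway before the attachment reaches a user. The following is an added example, not code from Websense or the post: a small Python scanner that peels percent-encoding and String.fromCharCode layers from an HTML attachment, then looks for those indicators. The sample attachment and its URL (http://example.invalid/) are constructed for the example, not taken from the campaign.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample: the deobfuscated shape the post describes, with a
# placeholder destination rather than any real indicator from the campaign.
SAMPLE_HTML = """<html><head><script>
var ua = navigator.userAgent;
if (ua.indexOf('Gecko') != -1 || ua.indexOf('KHTML') != -1) {
  document.write(unescape('%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttp%3A//example.invalid/%22%3E'));
}
</script></head><body></body></html>"""

# Indicators named in the post, plus the writer pattern that hides the meta tag.
INDICATORS = {
    "ua_browser_check": re.compile(r"navigator\.userAgent.*?indexOf\(['\"](Gecko|KHTML)['\"]\)", re.I | re.S),
    "meta_refresh": re.compile(r"http-equiv\s*=\s*['\"]?refresh", re.I),
    "encoded_writer": re.compile(r"document\.write\s*\(\s*(unescape|String\.fromCharCode)", re.I),
}
REDIRECT_URL = re.compile(r"content\s*=\s*['\"]?\s*\d+\s*;\s*url\s*=\s*([^'\">\s]+)", re.I)

@dataclass
class ScanResult:
    hits: List[str]             # indicator names found in raw or decoded content
    redirect_url: Optional[str] # meta refresh target, if one was recovered
    decoded: str                # content after peeling encoding layers

def decode_fromcharcode(text: str) -> str:
    """Replace String.fromCharCode(110, 111, ...) calls with the literal characters."""
    def repl(m: "re.Match[str]") -> str:
        return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))
    return re.sub(r"String\.fromCharCode\(([\d,\s]+)\)", repl, text)

def scan_attachment(html: str, max_layers: int = 5) -> ScanResult:
    """Peel up to max_layers of %XX / fromCharCode encoding, then match indicators."""
    decoded = html
    for _ in range(max_layers):
        nxt = decode_fromcharcode(unquote(decoded))
        if nxt == decoded:
            break
        decoded = nxt
    hits = [name for name, rx in INDICATORS.items() if rx.search(html) or rx.search(decoded)]
    m = REDIRECT_URL.search(decoded)
    return ScanResult(hits, m.group(1) if m else None, decoded)

def is_suspicious(result: ScanResult) -> bool:
    """Browser fingerprinting plus a meta refresh is the shape of this campaign's HTML lure."""
    return "ua_browser_check" in result.hits and "meta_refresh" in result.hits
```

Run it over a quarantined attachment and route anything where is_suspicious() is true to analyst review; the recovered redirect_url is what you would add to URL blocklists.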


A user who is using one of the affected browsers will get redirected to a pharmaceutical site like this one:


For email messages that have ZIP attachments, the ZIP file has 5/43 detection coverage on VirusTotal. The "label.zip" file contains "label.exe", which is a copy of Zeus. The malware copies itself to "C:\Documents and Settings\user\Application Data\Ewca\refef.exe" and tries to access two sites located in the .ru zone.

Here is a screen shot of the encrypted Zeus configuration file being downloaded after the malware injects itself into a legitimate process:


So far, we have seen more than 100,000 email messages like this.
