Thanks for the malware sample!

Here at the X-Force, we catch our fair share of malware from random spammers and phishers just as any corporate or home user does. Today we dive into one of these attacks to show how it works and what these guys are after.
This poorly crafted email phising attack was sent to us courtesy of:
Received: from ([189.55.XXX.XXX])
It contained a simple link to a website hosting “Secret files” according to the domain name:
Most emails come through with some type of trickery in order entice the end user into clicking on their malicious links. However sometimes a simple link with a subject of RE:FW: is the best method to evade spam filters.
Let's have a look at the contents of this URL to see what's really going on:

Nice obfuscation technique - inside the xx.xx is the needed eval to decode the contents of this script. Once de-obfuscated the nasty script rears its ugly face, and here is a small snippet of the exploit pack used, which is included in the Zeus botnet toolkit:

This is the piece of the script that sets up an iframe to download a malicious PDF file, containing exploits for util.printf, Collab.collectEmailInfo, app.doc, Collab.getIcon, and media.newPlayer. This is not the only attack vector in the script, but it's probably the most successful of the bunch. This PDF contains shellcode which forces Reader to download and execute the payload of the attack.
The payload is a variant of the Zeus (also known as Zbot) trojan configured to monitor the infected PC's web browsing and intercept credentials for over 20 online banks based in the US. When the Zeus binary is downloaded and executed, it connects to a server based in Russia to download an encrypted configuration file. This configuration file contains a list of target sites and some HTML and JavaScript that gets injected into the web browser in order to capture the victim’s bank information. The data is uploaded to a server in Russia.
When executed, this copy of Zeus, like most variants, copies itself to %System32%\sdra64.exe and configures itself to run automatically by using the HKLM\Software\Microsoft\Windows NT\winlogon\userinit value in the Registry – this allows it to start even when the computer is rebooted in Safe Mode, making it difficult to remove manually. The malware also constantly monitors the key and any attempt to change it will be reverted.
When sdra64.exe is executed, it gets loaded into the process space of services.exe in order to hide from prying eyes and personal firewall software. It then connects to the configured C&C server to download the encrypted configuration file. There is an excellent analysis with more details on how Zeus works at
More About Zeus
Zeus is very popular in the underground for collecting online bank logins and social networking site credentials. It's sold on forums as a kit that includes a configuration tool, sample configurations, a web-based exploit pack, and a web-based command and control (C&C) server.
The configuration component, known as Zeus Builder, allows the user to build a specific configuration into a Zeus trojan binary:
The information built into the bot binary itself includes the location of the C&C server and the URL of the encrypted configuration file. The encrypted configuration file is stored on the server separately – this allows it to be updated by the attackers without generating a new bot binary.
The bot binary itself is encoding using a randomized packing/unpacking routine. This means that each generated copy is different. This was done in an attempt to evade AntiVirus products. Many attackers will further protect the executable with other protectors and "cryptors" in order to avoid detection by AV products. The sample that targeted us was only detected by 7 out of 41 engines – an 17% detection rate.
Even though we think it's great when cyber criminals will deliver new samples of exploits and malware directly to us to analyze, this attack does highlight the risk that all Internet users face when reading email. This attack was easy for us to spot, but hackers have been known to use craftier methods to hide attacks in email.
To be safe, you shouldn’t click links you find in emails. This includes emails from your bank or social networking sites. It's safer to use browser bookmarks to go to sites you use often – when you get a notification from a site you use, go directly to that site and avoid clicking the link in the email. It could save you from an infection. Also, make sure your AntiVirus software is always up-to-date.


3 Responses to “c0decstuff”

  • اهم شركات نقل العفش والاثاث بالدمام والخبر والجبيل اولقطيف والاحساء والرياض وجدة ومكة المدينة المنورة والخرج والطائف وخميس مشيط وبجدة افضل شركة نقل عفش بجدة نعرضها مجموعة الفا لنقل العفش بمكة والخرج والقصيم والطائف وتبوك وخميس مشيط ونجران وجيزان وبريدة والمدينة المنورة وينبع افضل شركات نقل الاثاث بالجبيل والطائف وخميس مشيط وبريدة وعنيزو وابها ونجران المدينة وينبع تبوك والقصيم الخرج حفر الباطن والظهران
    شركة نقل عفش بجدة
    شركة نقل عفش بالمدينة المنورة
    شركة نقل عفش بالرياض
    شركة نقل عفش بالدمام
    شركة نقل عفش بالطائف
    شركة نقل عفش بمكة

  • Hello All
    I'm offering following hacking services
    ..hacking Tools
    ..Spamming Tools
    ..Scam pages
    ..spam tools scanners make your own tools

    Other hacking svs
    ..Western union Trf
    ..wire bank trf / debit cards hacking /tracing
    ..Mobile hacking / mobile spam

    fully proof work
    Availability 24/7 only given below addresses
    Contact info
    Icq: 718684828
    Skype: live:Salvrosti

  • Help me thank HACKINTECHNOLGY after being scammed of $1500 he helped me find my cheating husband he
    helped hack his whatsapp gmail and kik and i got to know that he was cheating on me , in less than 24 hours
    he helped me out with everything HACKINTECHNOLOGY
    is trust worthy and affordable contact HACKINTECHNOLOGY@GMAIL.COM

What's on Your Mind...

Thank f' u C0mment