Inside a Pushdo/Zeus Campaign
February 7, 2010
The Pushdo group has been persistently spamming links to websites that attempt to install Zeus (Zbot) onto users' PCs. In the last month they have used an American Bankers Association theme and an Outlook Update theme. Today we are going to look at another Zeus spam campaign and also examine some of the hidden elements of the attack served up by an exploit kit called FSPACK. The email below uses a 'photo' theme from another Zeus campaign that we observed last week.
This campaign is not limited to email; we have also seen blog comment spam with similar content:
If the recipient clicks on the link, they are led to the web page below. This same web page design has been used in other campaigns in the past.
Inside FS Pack
Many of the previous Pushdo campaigns have attempted to secretly install Zeus onto the end user’s machines by using a range of exploits that target vulnerable browsers and applications. Exploits are usually served by an exploit kit running on a different web server. The exploit is included in the campaign page via an IFrame with zero width and height, making it invisible to the user.
The IFrame source URL is commonly of the format http://[IP Address]/[Random Folder]/in.php. Over the last several months we have seen the source of these IFrames coming from IP addresses in the 109.95.114.X - 109.95.115.X range, owned by a network named 'VISHCLUB'.
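As an added example (not code from the original post), a small Python scanner that flags the hidden-IFrame pattern described above in saved page HTML: zero width and height, a source path of the form /[folder]/in.php, and a source host inside the 109.95.114.X - 109.95.115.X range (written here as the CIDR block 109.95.114.0/23). The sample page, its IP address and its folder name are constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# The post's 109.95.114.X - 109.95.115.X range, expressed as one CIDR block.
SUSPECT_NET = ipaddress.ip_network("109.95.114.0/23")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
IN_PHP_RE = re.compile(r"^/[^/]+/in\.php$")  # /<random folder>/in.php

def iframe_attrs(tag_body):
    """Lowercase attribute dict for the inside of one <iframe ...> opening tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag_body):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def is_zero_size(value):  # accepts 0, 00, 0px
    return value is not None and re.fullmatch(r"0+(px)?", value.strip()) is not None

def score_iframe(attrs):
    """Three independent signals: invisible geometry, the kit's in.php path, hosting range."""
    src = attrs.get("src", "")
    url = urlparse(src)
    try:
        in_net = ipaddress.ip_address(url.hostname) in SUSPECT_NET
    except (TypeError, ValueError):  # no host, or a hostname rather than an IP literal
        in_net = False
    return {
        "src": src,
        "hidden": is_zero_size(attrs.get("width")) and is_zero_size(attrs.get("height")),
        "in_php_path": IN_PHP_RE.match(url.path or "") is not None,
        "suspect_net": in_net,
    }

def find_exploit_iframes(html):
    """Every iframe that is invisible AND loads <host>/<folder>/in.php; suspect_net is corroboration."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        s = score_iframe(iframe_attrs(m.group(1)))
        if s["hidden"] and s["in_php_path"]:
            hits.append(s)
    return hits

# Constructed sample page: one injected frame in the pattern the post describes
# (made-up IP and folder) and one ordinary, visible frame.
SAMPLE_HTML = """<html><body><h1>Photo archive</h1>
<iframe src="http://109.95.115.44/k8h2q/in.php" width="0" height="0" frameborder=0></iframe>
<iframe src="https://example.com/player" width="640" height="360"></iframe>
</body></html>"""
```

Run `find_exploit_iframes(SAMPLE_HTML)` to get one hit with all three signals set; the geometry and path checks alone are enough to flag a frame, so the scanner still fires when the kit moves to a different address range.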
These exploits are served by an exploit kit known as FSPACK. FS Pack is not as advanced as some exploit kits in terms of statistics and logging, but by gaining access to the FS Pack administration pages we can get an idea of how successful these campaigns are for the Pushdo/Zeus group.
The random folder part of the URL changes often, usually each day, and the previous folder is removed from the web server. Each new folder seems to represent a new instance of FS Pack, with all of the stats starting from zero.
The text in the FSPACK admin web pages is in Russian; we have attempted to translate it into English in the screenshots below. These screenshots have been taken from the instance of FS Pack shown in the IFrame above. It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times. These downloads do not include the PhotoArchive.exe file downloads that a user may be tricked into downloading and executing themselves. Many of these users will not even realize their browser has visited an exploit kit web page, as it has been loaded inside an invisible IFrame.
The admin home page of FS Pack shows stats on the number of visits and downloads.

The browsers and OS sections show the visitors by browser type and operating system respectively.


The United States is clearly ahead in the number of visits.

Even a low-paying pay-per-install affiliate program could offer around 10 cents an install, netting these criminals over $500 for the day. Obviously each Zeus install (being a Trojan horse designed to steal banking credentials) is capable of generating more than 10 cents' worth of revenue; just look here to see some of the cases where Zeus has been used to steal hundreds of thousands of dollars.
We cannot determine how many Zeus files were actually executed, as some users may have decided not to run them, and others may have been stopped by anti-virus software. At the time we downloaded this variant of the Zeus file, it was only detected by 11 out of 40 vendors on virustotal.com.
Once the Zeus file is executed it connects to 109.95.115.19, also part of VISHCLUB, to download an encrypted configuration file.
© M86 Security | Last Reviewed: February 7, 2010 by Gavin Neale |