Anti Virus Softwares

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Thursday, 12 November 2009

Newest Zeus = NACHA: The Electronic Payments Association

Posted on 10:32 by Unknown
This morning I was meeting with some graduate students in the UAB Computer Forensics program to discuss what projects we would be running in the lab. When the topic of Zeus came up, we observed that we had seen no new spam on the IRS Zeus Campaign in the past 2.5 hours, which probably meant the bad guy was about to change his "look".

Sure enough, I came back from my morning meetings to find 150 copies of the newest Zeus distribution campaign. The new campaign pretends to be the National Automated Clearing House Association (NACHA), which is the group that manages the relationships between participating financial institutions. During the 3rd Quarter of 2009, they report that they brokered 3.77 billion transactions worth more than $7.3 trillion. I was observing this morning that the criminals know more about our financial networks than the average banking consumer who probably doesn't understand what NACHA is or how the organization works. When I shared this thought with Brian Krebs today, he commented "I assure you that the comptrollers of the companies being targeted by these criminals know who NACHA is!" (Krebs is the author of the Washington Post's Security Fix column, and a leader in researching this family of attacks.

In this case, the spam subject lines are:

Please review the transaction report
Rejected ACH transaction
Rejected ACH transaction, please review the transaction report
Unauthorized ACH transaction
Unauthorized ACH Transaction Report
Your ACH transaction was rejected
Your ACH transaction was rejected by The Electronic Payments Association

Sender names used in the spam, all with the email support@nacha.org, included:

ACH Network
Automated Clearing House (ACH)
Electronic Payments Association
NACHA
nacha.org
National Automated Clearing House Association

The email message itself reads:

Dear bank account holder,

The ACH transaction, recently initiated from your bank account (by you or any third party), was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report


------------------------------------------------------------------

Copyright ©2009 by NACHA - The Electronic Payments Association



The website to which you are directed looks like this:



The Transaction Report is described on the website as a "self-extracting, pdf format" file, but is of course really a zbot infector.

The current version of the file is:
File size: 123392 bytes
MD5 : f8150d384940a3ddd24fa5333be0162b

A full Virus Total report is also available, showing 16 of 41 AV companies detecting this version of the malware.

The websites that we are seeing so far on this attack are . . .

nacha.org.corefirstid.com
nacha.org.corefirstid.eu
nacha.org.corefirstid3.com
nacha.org.corefirstid4.com
nacha.org.corefirstid5.com
nacha.org.corefirstid8.com
nacha.org.fffazsa.co.uk
nacha.org.fffazsa.me.uk
nacha.org.fffazsa.org.uk
nacha.org.fffazsf.co.uk
nacha.org.fffazsf.me.uk
nacha.org.fffazsf.org.uk
nacha.org.fffazss.co.uk
nacha.org.fffazss.me.uk
nacha.org.fffazss.org.uk
nacha.org.fffazsx.co.uk
nacha.org.fffazsx.me.uk
nacha.org.fffazsx.org.uk
nacha.org.fstpproid01.com
nacha.org.fstpproid02.com
nacha.org.fstpproid03.com
nacha.org.fstpproid04.com
nacha.org.fstpproid08.com
nacha.org.fstpproid09.com
nacha.org.fstpproid10.com
nacha.org.fstpproid12.com
nacha.org.fstpproid15.com
nacha.org.modsftp01.com
nacha.org.modsftp03.com
nacha.org.modsftp04.com
nacha.org.modsftp05.com
nacha.org.redaczxj.co.uk
nacha.org.redaczxj.me.uk
nacha.org.redaczxj.org.uk
nacha.org.redaczxk.co.uk
nacha.org.redaczxk.me.uk
nacha.org.redaczxk.org.uk
nacha.org.redaczxm.co.uk
nacha.org.redaczxm.me.uk
nacha.org.redaczxm.org.uk
nacha.org.redaczxn.me.uk
nacha.org.redaczxn.org.uk
nacha.org.redaczxs.co.uk
nacha.org.redaczxs.me.uk
nacha.org.tttteacb.co.uk
nacha.org.tttteacb.me.uk
nacha.org.tttteacb.org.uk
nacha.org.tttteacf.co.uk
nacha.org.tttteacf.me.uk
nacha.org.tttteacg.co.uk
nacha.org.tttteacg.org.uk
nacha.org.tttteack.co.uk
nacha.org.tttteack.me.uk
nacha.org.tttteack.org.uk
nacha.org.tttteacx.co.uk
nacha.org.tttteacx.me.uk
nacha.org.tttteacx.org.uk
nacha.org.tyeen.me.uk
nacha.org.tyeep.me.uk
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in zbot | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • Indictments reveal $77 Million in Illegal Pill Sales
    Congratulations to the Daytona Beach FBI, US Attorney Robert O'Neill, and their colleagues at IRS and FDA. The Daytona Beach News report...
  • Most Dangerous Cities for Cyber Crime?
    Symantec Riskiest Cybercrime Cities Symantec released a study today in conjunction with Sperling's Best Places today. According to thei...
  • Morocco based "Team Evil" reroutes prominent Israeli websites
    After more than 10,000 websites being defaced in protest of Israeli actions in Gaza, Morrocco-based defacement team "Team Evil" ha...
  • Minipost: Google v. Pacific WebWorks
    I blogged recently about the "Google Jobs" scammers who were abusing Twitter, Blogspot, Google Reader, and spaces.live.com by crea...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • WIRED: November Jargon Watch & Forensics?
    One of my NASA buddies (hi, Lisa!) dropped by last week for coffee and to catch up on the world of information management. When I introduce...

Categories

  • Blogs
  • Calendar
  • china
  • Communities
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • Drivers
  • email
  • Excel 2007
  • facebook
  • fake av
  • Features
  • Firewall
  • Gadgets
  • gumblar
  • Hardware
  • Hotmail
  • IE7
  • Internet Explorer 7
  • koobface
  • law enforcement
  • malware
  • Microsoft
  • Outlook
  • pharmaceuticals
  • phishing
  • PowerPoint 2007
  • public policy
  • Ready Boost
  • ReadyBoost
  • Security
  • Sidebar
  • Software
  • spam
  • Tutorials
  • twitter
  • twitter malware
  • USB
  • Virtual PC
  • Vista
  • waledac
  • Wallpaper
  • Websites
  • Windows
  • Windows Live
  • Windows Vista
  • Word 2007
  • zbot

Blog Archive

  • ►  2013 (17)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (93)
    • ►  December (12)
    • ▼  November (11)
      • IRS Spam Campaign leads to low detection malware
      • Beware Weekend Facebook Scam!
      • Some Jerk posted your photo - and now you're infec...
      • UAB Spam Data Mine finds Social Security Statement...
      • Fake Flash Player Zbot spread by "Your Domain"
      • Running out of Money Mules?
      • Zeus: Same Criminal, New Spam Infrastructure
      • Newest Zeus = NACHA: The Electronic Payments Assoc...
      • The $9 Million World-Wide Bank Robbery
      • Zeus / Zbot Malware moves Back to IRS
      • Zeus Malware Moves to Myspace
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (7)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (109)
    • ►  December (7)
    • ►  November (17)
    • ►  October (12)
    • ►  September (10)
    • ►  August (23)
    • ►  July (14)
    • ►  June (3)
    • ►  May (8)
    • ►  April (6)
    • ►  March (2)
    • ►  February (3)
    • ►  January (4)
  • ►  2007 (37)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  April (2)
    • ►  March (2)
    • ►  February (2)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile