Don’t Update Your Email Settings
Bradley Anstis, 11/01/2010, posted in "Analysis"
Bradley Anstis is Director of Technology Strategy at M86 Security. Bradley has been with M86 Security (formerly Marshal) since early 2004. He re-established Marshal's R&D centre following the management buy-out from NetIQ. As VP of Technology Strategy he is responsible for the development and improvement of M86 Security solutions, ensuring that M86 Security keeps ahead of emerging security trends and market requirements. Bradley is a 20-year veteran of the IT industry and previously held technical management positions with Protocom Development Systems and Citrix.
Pushdo is once again using a blended email and web attack to try to infect PCs with the Zeus (Zbot) Trojan Horse. This time the attack starts with a spam email claiming that your email settings have been changed and that, to apply the new settings, you must click on the link. The email and link are customized to the recipient's email domain. We have seen emails with the following subjects:
A new settings file for the <EMAIL> mailbox
For the owner of the <EMAIL> mailbox
The settings for the <EMAIL> were changed
The link in the email looks as if it goes to a location on the recipient's domain, but in fact it points to a web server on one of over 200 different domains hosting the page below. The recipient's domain is included as a sub-domain in the actual URL, for example RECIPIENT_DOMAIN.com.host.com.
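The trick described above relies on the reader seeing their own domain at the front of the host name and stopping there. The following check, an added example that is not M86's own tooling, decides whether a link really sits under the recipient's mail domain or merely embeds it as a leading sub-domain of a foreign host. All host names (example.org, host.test) are constructed placeholders, and the userinfo case is an assumption added for completeness rather than something the post reports.

```python
from urllib.parse import urlparse


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a genuine subdomain of it.
    The leading dot is what stops 'example.org.host.test' and
    'notexample.org' from matching."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def domain_embedded_in(labels, domain_labels) -> bool:
    """True if the domain's labels appear as a contiguous run inside a
    foreign host name, e.g. ['example', 'org'] inside
    ['example', 'org', 'host', 'test']."""
    n = len(domain_labels)
    return any(labels[i:i + n] == domain_labels
               for i in range(len(labels) - n + 1))


def classify_link(recipient_email: str, href: str) -> str:
    """Classify a link sent to recipient_email as
    'internal'  - host is the recipient's domain or a real subdomain of it,
    'lookalike' - the recipient's domain is dressed up inside another host,
    'external'  - an unrelated host."""
    domain = recipient_email.rsplit("@", 1)[1].lower()
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower().rstrip(".")
    if host_belongs_to(host, domain):
        return "internal"
    if domain_embedded_in(host.split("."), domain.split(".")):
        return "lookalike"
    # Assumed variant: http://example.org@host.test/ shows the domain before
    # the '@' but actually connects to host.test.
    if parsed.username and domain in parsed.username.lower():
        return "lookalike"
    return "external"


def triage(recipient_email: str, hrefs):
    """Map each link to its classification for a quick mail-filter verdict."""
    return {href: classify_link(recipient_email, href) for href in hrefs}


if __name__ == "__main__":
    # Constructed sample: the pattern from the campaign beside a real OWA URL.
    sample = [
        "http://example.org.host.test/settings",   # domain as leading sub-domain
        "https://mail.example.org/owa/",           # genuinely internal
        "https://cdn.unrelated.test/x",            # plain external
    ]
    for link, verdict in triage("alice@example.org", sample).items():
        print(f"{verdict:10} {link}")
```

The check deliberately compares whole labels rather than substrings, so a host such as notexample.org is not mistaken for an internal one, while mail.example.org.host.test is still caught.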
This page is designed to look like a legitimate Outlook Web Access page and it is customized for the recipient.
The link ‘USER-settings-file.exe’ in the center of the page begins with the user-name portion of the recipient's email address and links to the file settings-file.exe. As with many past Pushdo campaigns, this file is the Zeus Trojan Horse.
Invisible to the user is an IFrame pointing to an IP address hosting the ‘FSPACK’ exploit kit. Once this IFrame is loaded, the exploit kit delivers a malicious PDF that exploits three vulnerabilities in Adobe PDF products, and a Flash exploit. These exploits download the Zeus file onto the victim's PC. On this server we also found exploits targeting Internet Explorer; however, these were not sent to our Firefox browser.
This attack is particularly crafty because of the personalised nature of both the email and the website. Many users will also be used to working in Outlook Web Access and may assume that this settings update is a legitimate function.
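The two page-level indicators described above (a personalised link to an executable, and an IFrame the user never sees pointing at a bare IP address) are easy to check for in fetched HTML. The scanner below is an added example, not code from M86 or from the campaign; the sample page is constructed to mirror the description, and 203.0.113.7 is a documentation address standing in for the exploit-kit host, not the real one.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page modelled on the post's description of the lure.
SAMPLE_PAGE = """<html><head><title>Outlook Web Access</title></head>
<body>
<h1>Settings for alice@example.org</h1>
<p>Click to apply your new settings:
<a href="settings-file.exe">alice-settings-file.exe</a></p>
<iframe src="http://203.0.113.7/kit/index.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def is_ip_literal(host: str) -> bool:
    """True if the host part of a URL is a raw IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_hidden(attrs: dict) -> bool:
    """Zero-sized, display:none, visibility:hidden or the HTML5 hidden flag."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "hidden" in attrs:
        return True
    zero = {"0", "0px"}
    return ((attrs.get("width") or "").strip() in zero
            or (attrs.get("height") or "").strip() in zero)


class PageScanner(HTMLParser):
    """Collect (indicator, value) pairs while walking the page's start tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname or ""
            if host and is_ip_literal(host):
                self.findings.append(("iframe_to_ip", src))
            if is_hidden(a):
                self.findings.append(("hidden_iframe", src))
        elif tag == "a":
            href = a.get("href") or ""
            if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
                self.findings.append(("executable_link", href))


def scan_html(html: str):
    """Return the list of indicators found in one HTML document."""
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html: str) -> bool:
    """Any single indicator is enough to hold the page for review."""
    return bool(scan_html(html))


if __name__ == "__main__":
    for kind, value in scan_html(SAMPLE_PAGE):
        print(f"{kind:16} {value}")
```

Each indicator on its own is weak (legitimate sites do occasionally embed an IFrame or link to an installer), but the combination of a hidden frame to an IP literal and a personalised executable download on one page is exactly the shape of the lure the post describes, which is why the scanner reports every hit rather than a single verdict.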