After I received an email from Jeff Carr warning about a spoofed email containing malware, I asked Jeff to send it along. It turns out that the attackers also used portions of a blog post by Brian Krebs as lure. What interesting is that the attack targeted .mil and .gov email addresses using text from Carr and Krebs about an earlier attack targeting .mil and .gov email addresses. A quick analysis of the sample indicated that it was Zeus and was beaconing to a known Zeus command and control server. However, the interesting part, for me, is what happened after getting compromised by Zeus, and I have to really thank Jeff for passing along the email because it led me to this stuff.
Around the same time news of the Kneber botnet broke and Netwitness linked the two attacks together. While much of the coverage of Kneber was hype-filled, the actual report by Netwitness is excellent and you can get a hype-free overview by Alex Cox, the guy who discovered it, here. The response of some of the AV vendors has been troubling. Essentially some said that this is nothing new, it’s just Zeus, and that there’s long been AV protection for Zeus. Netwitness responded stating that many AV’s actually did not detect the samples they analyzed.
The sample from the sample I analyzed the coverage was 18/41 on Virustotal.
The main issue for me was the use of Zeus to drop malware that focused on document removal and that it was used in conjunction with spear phishing attacks on .mil/gov email addresses. This second drop was 5/41 on Virustotal.
From the data it seems like the attackers were capturing whatever they could, not retrieving specific documents. That said, they managed to compromise the types of people they appeared to be after (in terms of who the phishing mails were sent to) and in a few cases managed to get some very interesting documents.
I think the broader issue is what Brian Krebs alluded to in the comments section of his blog – and Netwitness indicated this as well — that is if we believe that these crimeware types are squeezing all the monetary value they can out of their operations, what would they do with the type of information that has intelligence value but is not easily monetized in a traditional sense? And how better to obscure attribution that to use existing crimeware infrastructure for what appears to be more espionage that traditional crime?
I am keeping these as open questions because I am not sure how strong the connection is and tend to be cautious on these issues. But I do think it is an interesting case.
UPDATE: I’ve copied the report into this post.