The Zbot keylogger campaign-of-the-month targets users of AOL Instant Messenger (AIM) with a message that claims to be an update notification for users of the instant messaging client application. Users unfortunate enough to click through the link in the email message to download what they think is something called “aimupdate_126.96.36.1995.exe” will be in for a rude awakening.
The malicious page delivers its payload whether or not a victim clicks the link to get executable file: It opens an iframe to a site that attempts to use vulnerable versions of Adobe Reader to push the Zbot keylogger down to the victim’s computer, then execute it, within a few moments of the page loading.
The address of the iframed page resides in a particularly sketchy corner of the net. The network the IP address is part of, known as AS50369, goes by the name VISHCLUB-as Kanyovskiy Andriy Yuriyovich. Sure sounds a lot like someone’s name for their phishing gang. The same network has been in use for the past week delivering payloads on well-worn Outlook Web Access and HMRC Zbot download pages.
Seriously, though: Vishclub? Is that the best the Russian hackers can come up with? It sounds like what you’d call a fisherman’s smoking lounge on the Baltic coast, where thick clouds of cheap tobacco is the only thing that can overpower the putrid stench of rotting seafood.
The fake page has the outward appearance of a page hosted by AOL, but it clearly isn’t the real deal. Once you take a closer look, the site and its social engineering tricks begin to smell a bit like day-old fishwrap, as well.
To begin with, AOL doesn’t release update “patch” applications for AIM. When they have a new release, you download the whole application’s installer. The current version sizes up at about 7MB; The Trojan is only around 130KB. In addition, the true AIM installer carries a digital signature from AOL LLC, the parent company. This one has no such signature.
The link to the download uses a URL that begins with “update.aol.com” but is followed by the malicious domain name, which is a six- to seven-random-character word followed by .com.pl (which indicates the domain was registered as a business in Poland, but isn’t necessarily hosted there). There are dozens of URLs in use that lead to identical looking pages, and each one points to at least 15 IP addresses at different Web hosting firms.
Like many of the previous Zbot campaigns (such as those targeting the IRS, CDC, Visa, and other organizations, as well as software programs like Microsoft Outlook, or Web sites such as Facebook), the URL contains the email address to which the original message was sent; That email address appears near the top of the browser window. That’s social engineering trick number one, and you can easily see that it’s possible to manipulate this data simply by putting a different email address in the URL string.
Regular users of AOL Instant Messenger might know that the current, real version (as I write this) is 188.8.131.52, but the version number in this bogus message is 184.108.40.2065.
The fake page contains the following text:
AOL has released an update for AOL Instant Messenger (AIM) which fixes several major bugs. This update is critical and provides you with the latest version of the AIM and offers the highest levels of stability and security.
• File Name: aimupdate_220.127.116.115.exe
• File Size: 131 KB
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
Once downloaded, this “aimupdate” file carries a generic program icon, and is only around 125KB to 135KB in size (the size varies because Zbot Trojans are padded with variable amounts of random junk data so they’re harder to identify).
The script invokes the browser to load Adobe Reader, then pushes a file called “pdf.pdf” down to the Reader. That file is built to attack the Collab overflow exploit (CVE-2007-5659), the util.printf overflow exploit (CVE-2008-2992), and the getIcon exploit (CVE-2009-0927) in order to force the operating system to download and execute files.
And, when in doubt about a software update, go to the software maker’s Web site yourself; Don’t follow fishy, phishy update links you receive via email, or elsewhere.