Pwnd… and pwnd again

Image (4) sash.png for post 19659

Your faithful home PC falling victim to a trojan once is bad enough, like this person’s zombied box busily spamming out stock pump ‘n’ dumps attached in what’s fast becoming every evil-doer’s favorite file format, PDF:

Pwnd (PDF spam)

But how unlucky do you have to be to play host to two trojans at the same time? Pretty freakin’ unlucky, I think you’ll agree. But it is apparently not impossible, as demonstrated by one hapless Windows user in Poland (though this is of course by no means the only sample to hit our spam traps):

Pwnd again (PDF spam and Troj/SpamToo-AR)

Yup. It’s the same PDF-based campaign, being distributed by some unknown botnet owner, but this time with an added bonus: the “web site not found” message at the bottom was added by yet another bot, the family of which we call Troj/SpamToo. This little beauty hooks into the Windows networking code at a low enough level that it can add banners of the spammer’s choice to the end of every email the user sends, as well as to the end of web forum posts, instant messages, and so on. The important point is that this banner appears in the legitimate communications of infected users and, aside from the actual content, appears to be from them personally (victim’s forum post screenshot). And it happens entirely without the user’s knowledge — at least until his or her friends and/or coworkers reply to ask why the user is recommending they purchase Viagra online at greatly reduced prices.

In this case, however, the trojan was unable to download the banner from the compromised server in question, so it dropped the error page in there instead. Not particularly smart, but it does give us a big clue as to exactly what piece of malware was responsible: the filename “zupacha.php” in the URL is uncannily similar to the file “zupacha.exe” we detect as Troj/SpamToo-AR, don’t you think? A little googling reveals that the likely author of this particular instance of suckware is a Russian hacker known as “$ash” (or if he isn’t, he definitely was selling it for $3,000 on his web site, along with a widely used browser exploit toolkit called MPack, $50/hour DDOS services, and other treacherous tools [screenshot]). And it seems probable that this unfortunate user’s PC was trying to download the latest spammy banner from, and probably report its recent clandestine activities to, a botnet command-and-control web interface called ZUnker (README screenshot), here addressable as /zp/zupacha.php. Cute.

I’ve not had much chance to poke through the ZUnker PHP source code yet; perhaps I’ll blog more about that later. But for now I’ll leave you with this particularly charming code snippet:

ZUnker source snippet

Note to Polish dude: that means you.