Currently we are witnessing an influx of malware pretending to come from the US Chamber of Commerce. The emails use a polished banner complete with the Chamber's logo, plus a footer giving the Chamber's address and other contact details. The somewhat cryptic message suggests that the sender may have a good, mutually beneficial professional partnership to offer the recipient's business, and that all of the pertinent information is supplied in the attachment "USChamber[dot]zip".

The attachment is, of course, a rather aggressive piece of malware that opens a backdoor on the victim's system and, once established, begins downloading further malicious payloads. After gaining a foothold it attempts to contact two other domains, jokeins[dot]com and agrofond[dot]com, and issues an HTTP GET request to each for a file named start[dot]exe. That file is the ever-popular and ubiquitous Zeus trojan.

Once Zeus begins to run, it spawns a process named miuf[dot]exe, which in turn launches a keylogger and starts attempting many outbound connections in classic Zeus style: every couple of seconds it tries a different pseudo-random domain name (for example gzdyhtiyhxbve21d10mvdrjtbzftpucyjq[dot]org) on TCP port 80 until it finds one that is live, from which it then receives instructions.
Zeus also sends out a handful of UDP packets, each carrying 72 bytes of data, to an equal number of unique IP addresses. Each packet originates from a random local port and goes to a destination port that is specific to the recipient IP address. This is possibly the infected machine announcing itself to other members of the botnet it now belongs to.
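The network behaviours described above (HTTP GETs to the two staging domains, a burst of connections to long pseudo-random domain names on TCP port 80 every couple of seconds, and a small UDP fan-out with 72-byte payloads to several peers, each on its own port) lend themselves to simple network-log detection. The following is an added example, not code from AppRiver or from the malware; the log format, the entropy and interval thresholds, and all of the connection records are constructed for illustration, and the only indicators taken from the post are the three defanged domains.

```python
"""Detection sketch for the behaviours described in the post.

All thresholds and sample records are illustrative assumptions,
not observed values from the campaign.
"""
import math
import re
from collections import Counter, defaultdict
from statistics import median

# Indicators quoted in the post, in the defanged form the post uses.
DEFANGED_IOCS = [
    "jokeins[dot]com",
    "agrofond[dot]com",
    "gzdyhtiyhxbve21d10mvdrjtbzftpucyjq[dot]org",
]

# Constructed connection records (not a real capture), one per line:
# epoch_seconds,src_ip,proto,destination,dst_port,payload_bytes
SAMPLE_LOG = """\
1000,10.0.0.5,tcp,jokeins.com,80,312
1001,10.0.0.5,tcp,agrofond.com,80,298
1010,10.0.0.5,tcp,gzdyhtiyhxbve21d10mvdrjtbzftpucyjq.org,80,0
1012,10.0.0.5,tcp,kxwqpfbzjmvtn7rdh2ylus.org,80,0
1014,10.0.0.5,tcp,pvzr9hkqtmybjdwc4fsxna.com,80,0
1016,10.0.0.5,tcp,ztlhbmwpukx6rfqg3jdsvy.net,80,0
1018,10.0.0.5,tcp,mqcfjhzrxwtb8nyv5lkpdg.org,80,0
1020,10.0.0.5,tcp,hvnwxzdkpjtr1bqmy7flcs.com,80,0
1021,10.0.0.5,udp,203.0.113.10,21001,72
1021,10.0.0.5,udp,203.0.113.22,27455,72
1021,10.0.0.5,udp,198.51.100.7,18302,72
1022,10.0.0.5,udp,198.51.100.91,30010,72
1022,10.0.0.5,udp,192.0.2.44,24711,72
1005,10.0.0.9,tcp,www.example.com,80,1450
1300,10.0.0.9,tcp,updates.example.net,443,2210
1301,10.0.0.9,udp,192.0.2.53,53,64
"""

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("a[dot]b") back into a matchable hostname."""
    return ioc.replace("[dot]", ".").replace("[.]", ".")


def parse_log(text: str) -> list:
    """Parse the constructed CSV-like records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proto, dst, dport, nbytes = line.split(",")
        events.append({"ts": int(ts), "src": src, "proto": proto,
                       "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return events


def shannon_entropy(s: str) -> float:
    """Bits per character; long random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_generated(domain: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Heuristic for algorithmically generated names (thresholds are assumptions)."""
    if _IPV4.match(domain):
        return False
    label = domain.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def staging_hits(events: list, iocs=DEFANGED_IOCS) -> list:
    """(src, dst) pairs that contacted a known indicator from the post."""
    watch = {refang(i) for i in iocs}
    return [(e["src"], e["dst"]) for e in events if e["dst"] in watch]


def dga_beaconers(events: list, min_domains: int = 5, max_interval: int = 5) -> dict:
    """Hosts hitting many generated names on TCP/80 at a short, regular cadence."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 80 and looks_generated(e["dst"]):
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        domains = {e["dst"] for e in evs}
        if len(domains) < min_domains:
            continue
        ts = sorted(e["ts"] for e in evs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if median(gaps) <= max_interval:
            flagged[src] = sorted(domains)
    return flagged


def udp_fanout(events: list, payload: int = 72, min_peers: int = 5) -> dict:
    """Hosts sending fixed-size UDP datagrams to several peers, one port per peer."""
    by_src = defaultdict(dict)
    for e in events:
        if e["proto"] == "udp" and e["bytes"] == payload:
            by_src[e["src"]].setdefault(e["dst"], set()).add(e["dport"])
    flagged = {}
    for src, peers in by_src.items():
        if len(peers) < min_peers:
            continue
        ports = [p for s in peers.values() for p in s]
        # One port per peer and no port reused across peers, as the post describes.
        if all(len(s) == 1 for s in peers.values()) and len(set(ports)) == len(ports):
            flagged[src] = sorted(peers)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("staging IOC hits:", staging_hits(evs))
    print("DGA beaconers:", dga_beaconers(evs))
    print("UDP fan-out:", udp_fanout(evs))
```

On the constructed records, only 10.0.0.5 is flagged by all three checks; the second host's ordinary web and DNS traffic is ignored. In production the entropy and interval thresholds would need tuning against a baseline of the environment's own traffic, and the per-peer-port UDP check should be treated as a weak signal on its own.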
AppRiver is currently blocking all known variants of this attack.
Chamber of Illegal Commerce