- Jan 8, 2011
- 22,361
MMPC: Upatre: Emerging Up(d)at(er) in the wild
Recently, we started seeing Win32/Upatre being distributed in the wild.
As we see in this next chart, the concentration of infections is in the United States with 96% of total infections, followed by the UK, Canada, and Australia. The high rate of infections in the US may be due to the spam distribution methods, such that infections are being reported via online email services.
We have seen this malware distributed via spam campaigns with email attachments such as the following:
The <variable names> can be domains, company and individual names, or may be just random letters or words.
- USPS_Label_<random number>.zip
- USPS - Missed package delivery.zip
- Statement of Account.zip
- <number>-<number>.zip
- TAX_<variable names>.zip
- Case_<random number>.zip
- Remit_<variable names>.zip
- ATO_TAX.zip
- ATO_TAX_<variable names>.zip
Furthermore, based upon the telemetry, Win32/Upatre is also distributed via exploits kits - such as those delivered via Java and PDF-related exploits.
Figure 3: Upatre and Zbot infection
