Jump to content
Sign in to follow this  
rconner

More malware distribution

Recommended Posts

Tracking link here.

Not very much labor expended on this trick (not even a goofy domain name), but it might work on some suckers. Spammer offers you a free login to get some "web tools" then when you go to the site you find that you must download a "secure login applet" (you guessed it, an EXE file).

SpamCop would not report because the ISP responsible for sending has closed out the incident, but I LARTed it manually to ntlworld.com where the site is hosted.

-- rick

Share this post


Link to post
Share on other sites

...It directed me to a URL that no longer seems to be available. According to the SpamCop parser, none of the abuse addresses ntlworld.com, so it very well may have been different from the URL you got in your copy of the spam.

Share this post


Link to post
Share on other sites

...It directed me to a URL that no longer seems to be available. According to the SpamCop parser, none of the abuse addresses ntlworld.com, so it very well may have been different from the URL you got in your copy of the spam.

Hmm...odd...Were you looking at my link, or at a version of the spam that you got yourself?

Just used my tracking link again (from the Forum post above) and reloaded the site (this time in a browser instead of curl) and it seems to be the same as I saw it before. The URL is htt p://82.3. 6.92/ (still online), and both SC and my local whois query seem to agree that it is in fact NTL (now aka Virgin Media). Message origin was traced to uchcago.edu (which responded to stop further reports).

The From address was given as "Free Web Tools" <fukeasian[at]finishhealth.com>

Does any of this match what you saw, Steve?

-- rick

[link broken]

Edited by Farelf

Share this post


Link to post
Share on other sites

Rick,

That little exploit is a lot smarter than you think. The click to download thing is a "blind"

  • it will start to download without clicking (IE7 with such actions supposedly prohibited)
  • ExpLabs LinkScanner doesn't detect the exploit

The phony "click here" ploy is known and was used by some of the postcard distributions.

My virus history now includes two lines with "Status - Infected" for Filename "82_3_6_92[1].htm" Virus Name "Downloader" (Primary Action "Clean Virus from file", Secondary action "Quarrantine infected file" :) )

I think there is a lesson here for all of us.

Share this post


Link to post
Share on other sites
That little exploit is a lot smarter than you think. The click to download thing is a "blind"

[*]it will start to download without clicking (IE7 with such actions supposedly prohibited)

Hmm... he must be browser-sniffing.

This is what I got from curl:

curl -i http://82.3.6.92/HTTP/1.1 200 OK
Server: nginx/0.5.17
Date: Tue, 21 Aug 2007 01:54:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.1

If you do not see the Secure Login Window please install our &lt;a href="/applet.exe"&gt;Secure Login Applet&lt;/a&gt;.

N.B. nginx ("Engine X") is a small-footprint web server written by Russians, often used for reverse proxies. I've seen it quite a bit in the signatures of botnet-hosted websites.

When I loaded the site using OmniWeb for Mac OS X, I got the same thing shown in the code box above (only rendered in the browser window, of coourse). When I switched OmniWeb to identify itself in the user-agent string as MSIE7, it did indeed push the code down to me as you said. OmniWeb couldn't run it of course since it is a Windows executable.

By the way, the ability to change user-agent strings (or make up your own) is one of the really cool features of OmniWeb that make it well worth the modest price you pay for it. OmniWeb also had really good pop-up and ad blocking long before anyone else.

-- rick

Share this post


Link to post
Share on other sites
[link broken]

Oops! Thank you Farelf for fixing this, I should have munged it myself before posting. Blame my case of food poisoning from the weekend (it was the Squid Curry I think).

-- rick

Share this post


Link to post
Share on other sites
Hmm... he must be browser-sniffing.
Yeah, I would have had a look to see what, if anything, was showing in the page code except at that precise moment, when anti-virus alerts started popping off in my face, my wireless mouse died. Spooky. My feeling is, whenever I really need the thing it goes on strike for 'More power, please' (dodgy but very polite recharge circuit built in Canada). Selective memory, I'm sure, but it certainly "feels" uncanny.

Share this post


Link to post
Share on other sites

Finally the exploit site is offline. This is one instance where the criminal would be wanting the host server (undoubtedly a 'bot) to stay up as long as it could (to recruit more zombies). Maybe this indicates that those attacking the domain registrations are doing some good - inasfar as this one used the literal address instead of a domain address when, all other things being equal, a domain address would be far better option in terms of hanging around to do its work regardless of the fate of the individual host servers. But if the bot herders are runing out of registrars ... Just a dream, I suppose (where's the emoticon for "wistful").

Share this post


Link to post
Share on other sites

I got a couple of these today with different target servers. Sorry, no trackers available yet. I quick reported them and they are still in the processing queue.

They claimed to be a from a Web Player (whatever that is) site and a cooking site.

My 1st reaction was that it was probably a morph of the Storm worm. I fed it into VirusTotal and it appears to be something else (with apologies for the formatting):

Antivirus	  Version	  Last Update	  Result
AhnLab-V3	  2007.8.22.0	2007.08.21	-
AntiVir	7.4.1.62	2007.08.21	WORM/Zhelatin.Gen
Authentium	4.93.8	2007.08.20	Possibly a new variant of W32/Fathom.2-based!Maximus
Avast	4.7.1029.0	2007.08.20	-
AVG	7.5.0.484	2007.08.20	Downloader.Tibs.7.D
BitDefender	7.2	2007.08.21	-
CAT-QuickHeal	9.00	2007.08.21	(Suspicious) - DNAScan
ClamAV	0.91	2007.08.21	-
DrWeb	4.33	2007.08.21	Trojan.Packed.142
eSafe	7.0.15.0	2007.08.20	Suspicious Trojan/Worm
eTrust-Vet	31.1.5076	2007.08.21	Win32/Sintun.AC
Ewido	4.0	2007.08.21	-
FileAdvisor	1	2007.08.21	-
Fortinet	2.91.0.0	2007.08.21	-
F-Prot	4.3.2.48	2007.08.20	W32/Fathom.2-based!Maximus
F-Secure	6.70.13030.0	2007.08.21	-
Ikarus	T3.1.1.12	2007.08.21	-
Kaspersky	4.0.2.24	2007.08.21	-
McAfee	5101	2007.08.20	-
Microsoft	1.2803	2007.08.21	-
NOD32v2	2473	2007.08.21	-
Norman	5.80.02	2007.08.21	-
Panda	9.0.0.4	2007.08.21	-
Prevx1	V2	2007.08.21	-
Rising	19.37.12.00	2007.08.21	-
Sophos	4.20.0	2007.08.21	Mal/Dorf-E
Sunbelt	2.2.907.0	2007.08.21	VIPRE.Suspicious
Symantec	10	2007.08.21	Trojan.Packed.13
TheHacker	6.1.8.171	2007.08.21	-
VBA32	3.12.2.2	2007.08.21	MalwareScope.Worm.Nuwar-Glowa.1
VirusBuster	4.3.26:9	2007.08.20	-
Webwasher-Gateway	6.0.1	2007.08.21	Worm.Zhelatin.Gen
Additional information
File size: 114648 bytes
MD5: a6aa170889347b23e035d9fb06873155
SHA1: 17beeaa70307625d6bec48bdbe3c6de3438d46d2
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Looks like other malware producers have noticed the success of the Storm social engineering approach and decided to throw their own variation into the mix.

Edit to add -

The target boxes were both on cable connections, one in the US and one in Argentina.

Second edit to add-

Always check SANS before doing any research. :P

SANS diary entry says it is a Storm morph. You can read it: here

Edited by GraemeL

Share this post


Link to post
Share on other sites

I think I'm seeing the same things, only from 'Cat Lovers' and 'Downloader Heaven' (among others). I'd post some tracking URLs, but I haven't received the e-mail notice back yet.

Share this post


Link to post
Share on other sites

Me too - one with subject "Please Confirm" conveying an invitation to follow the (literal address - US) link to fix up my membership with something known as "Ringtone Heaven" just now. Of course I saw through their fiendish plot in an instant. Little could they know I am the last male under 90 years of age anywhere in the western world who doesn't have a cell/mobile phone or whatever they call the things these days (seems telephony has vanishingly little to do with it in any event).

Incidentally, even when submitting through the website page it is taking an age for the report history to update. Parsing and report clearance seem to be progressing normally though, no undue delay there.

[added] Oh, by the way, the exploit on the target site in this instance was recognized by LinkScanner. I would certainly not be relying on that though, nor on any supposed security features of any Windows browser, far less on anyone's AV defitions to save you. Never follow the links!

Edited by Farelf

Share this post


Link to post
Share on other sites

Little could they know I am the last male under 90 years of age anywhere in the western world who doesn't have a cell/mobile phone or whatever they call the things these days (seems telephony has vanishingly little to do with it in any event).

That must make me second to last. :lol:

Share this post


Link to post
Share on other sites
Little could they know I am the last male under 90 years of age anywhere in the western world who doesn't have a cell/mobile phone or whatever they call the things these days (seems telephony has vanishingly little to do with it in any event)
I just asked my cell provider to block all SMS in or out in order that I could escape the spam.

Getting all this extra unknown and unwanted stuff with a cell phone reminded me of the old Monty Python episode where you got a free hundredweight of dung with every book-of-the-month-club purchase; this offer was in the fine print "...so as not to affect sales."

-- rick

Share this post


Link to post
Share on other sites
...Incidentally, even when submitting through the website page it is taking an age for the report history to update. Parsing and report clearance seem to be progressing normally though, no undue delay there. ...
The slow history update was one thing fixed in the maintenance session which followed that post. Member report history seems to be back to fairly well immediate update.

That must make me second to last. :lol:

We're the last of the Luddites David. Is the Butlerian jihad ("Dune", etc.) seeming a little less of a fantasy or what?
...Getting all this extra unknown and unwanted stuff with a cell phone reminded me of the old Monty Python episode where you got a free hundredweight of dung with every book-of-the-month-club purchase; this offer was in the fine print "...so as not to affect sales."...
Heh heh. The receiver had to pay for SMS for a (brief) while in Oz. Can you imagine? Just as whacky, the websites now refusing access to Firefox browsers (and other browsers using specific advertisement blocking add-ins). I'm hearing refusal to accept/view advertisements described as "theft". While I'm "on a roll" with the science fiction theme, this is getting really close to the "Gravy Planet" (aka "The Space Merchants") scenario by Cyril Kornbluth and Fred Pohl (1952) - think the back-drop to the city scenes in "Bladerunner".

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×