rconner Posted August 20, 2007

Tracking link here. Not very much labor expended on this trick (not even a goofy domain name), but it might work on some suckers. Spammer offers you a free login to get some "web tools"; then when you go to the site you find that you must download a "secure login applet" (you guessed it, an EXE file). SpamCop would not report because the ISP responsible for sending has closed out the incident, but I LARTed it manually to ntlworld.com where the site is hosted.

-- rick
turetzsr Posted August 21, 2007

...It directed me to a URL that no longer seems to be available. According to the SpamCop parser, none of the abuse addresses are at ntlworld.com, so it very well may have been different from the URL you got in your copy of the spam.
rconner Posted August 21, 2007

> ...It directed me to a URL that no longer seems to be available. According to the SpamCop parser, none of the abuse addresses are at ntlworld.com, so it very well may have been different from the URL you got in your copy of the spam.

Hmm... odd... Were you looking at my link, or at a version of the spam that you got yourself? Just used my tracking link again (from the Forum post above) and reloaded the site (this time in a browser instead of curl) and it seems to be the same as I saw it before. The URL is htt p://82.3. 6.92/ (still online), and both SC and my local whois query seem to agree that it is in fact NTL (now aka Virgin Media). Message origin was traced to uchcago.edu (which responded to stop further reports). The From address was given as "Free Web Tools" <fukeasian[at]finishhealth.com>

Does any of this match what you saw, Steve?

-- rick

[link broken]
Farelf Posted August 21, 2007

Rick,

That little exploit is a lot smarter than you think.

- The click-to-download thing is a "blind": it will start to download without clicking (IE7, with such actions supposedly prohibited).
- ExpLabs LinkScanner doesn't detect the exploit.
- The phony "click here" ploy is known and was used by some of the postcard distributions.

My virus history now includes two lines with Status "Infected" for Filename "82_3_6_92[1].htm", Virus Name "Downloader" (Primary Action "Clean Virus from file", Secondary Action "Quarantine infected file").

I think there is a lesson here for all of us.
rconner Posted August 21, 2007

> That little exploit is a lot smarter than you think. The click-to-download thing is a "blind": it will start to download without clicking (IE7, with such actions supposedly prohibited).

Hmm... he must be browser-sniffing. This is what I got from curl:

    curl -i http://82.3.6.92/
    HTTP/1.1 200 OK
    Server: nginx/0.5.17
    Date: Tue, 21 Aug 2007 01:54:59 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    X-Powered-By: PHP/5.2.1

    If you do not see the Secure Login Window please install our <a href="/applet.exe">Secure Login Applet</a>.

N.B. nginx ("Engine X") is a small-footprint web server written by Russians, often used for reverse proxies. I've seen it quite a bit in the signatures of botnet-hosted websites.

When I loaded the site using OmniWeb for Mac OS X, I got the same thing shown in the code box above (only rendered in the browser window, of course). When I switched OmniWeb to identify itself in the user-agent string as MSIE7, it did indeed push the code down to me as you said. OmniWeb couldn't run it of course since it is a Windows executable.

By the way, the ability to change user-agent strings (or make up your own) is one of the really cool features of OmniWeb that make it well worth the modest price you pay for it. OmniWeb also had really good pop-up and ad blocking long before anyone else.

-- rick
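The browser-sniffing rick describes above (the same URL handing curl and OmniWeb a lure page but pushing an executable at anything claiming to be MSIE 7) is easy to confirm from the command line without ever running the payload. As an added example that is not from the thread or from the site in question, this Python probe fetches one URL once per User-Agent string, hashes each body, flags the URL as cloaked when the bodies differ, and checks every body for the "MZ" magic of a Windows executable regardless of what the link text calls it. The cloaking server is a constructed stand-in on localhost, and the three User-Agent strings are assumptions standing in for curl, OmniWeb and MSIE 7; none of it touches the real host.

```python
"""Probe a URL with several User-Agent strings and report whether the server
cloaks its response per browser. Added example: the cloaking server below is
a constructed stand-in for the behaviour described in the thread, not the
real 82.3.6.92 host."""
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed responses: the lure page everyone sees, and the executable
# that a browser claiming to be MSIE 7 gets pushed instead.
LURE_HTML = (b'<html><body>If you do not see the Secure Login Window please '
             b'install our <a href="/applet.exe">Secure Login Applet</a>.'
             b'</body></html>')
# Constructed dummy PE image: the "MZ" DOS-header magic is all the probe checks.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 58

# User-Agent strings to probe with (assumption: these approximate what curl,
# OmniWeb and MSIE 7 sent in 2007; the exact strings are not in the thread).
PROBE_AGENTS = {
    "curl": "curl/7.16.4",
    "omniweb": "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) OmniWeb/v607",
    "msie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
}


class CloakingHandler(BaseHTTPRequestHandler):
    """Serve the executable to MSIE-looking agents, the lure to everyone else."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if "MSIE" in ua:
            body, ctype = FAKE_EXE, "application/octet-stream"
        else:
            body, ctype = LURE_HTML, "text/html"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_server():
    """Start the constructed cloaking server on an ephemeral localhost port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def fetch(url, user_agent, timeout=5):
    """GET url with the given User-Agent; return (content_type, body bytes)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


def probe(url, agents=PROBE_AGENTS):
    """Fetch url once per User-Agent and summarise what each agent received.

    Returns {'cloaked': bool, 'agents': {label: {content_type, sha256, is_pe}}}.
    'cloaked' is set when different agents received different bodies; 'is_pe'
    is set when a body starts with the MZ magic of a Windows executable.
    """
    results = {}
    for label, ua in agents.items():
        ctype, body = fetch(url, ua)
        results[label] = {
            "content_type": ctype.split(";")[0].strip(),
            "sha256": hashlib.sha256(body).hexdigest(),
            "is_pe": body[:2] == b"MZ",
        }
    distinct_bodies = {r["sha256"] for r in results.values()}
    return {"cloaked": len(distinct_bodies) > 1, "agents": results}


def run_demo():
    """Stand up the constructed server, probe it, tear it down, return report."""
    srv, url = start_server()
    try:
        return probe(url)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    report = run_demo()
    print("cloaked:", report["cloaked"])
    for label, r in report["agents"].items():
        print(f"{label:8} {r['content_type']:26} pe={r['is_pe']} {r['sha256'][:16]}")
```

Against a live suspect URL you would point `probe()` at it directly (from an isolated host) and treat a PE body behind a link labelled "applet" as the drive-by it is; the content hash, not the Content-Type header, is what separates the versions, since the server controls both the header and the label.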
rconner Posted August 21, 2007

> [link broken]

Oops! Thank you Farelf for fixing this, I should have munged it myself before posting. Blame my case of food poisoning from the weekend (it was the Squid Curry I think).

-- rick
Farelf Posted August 21, 2007

> Hmm... he must be browser-sniffing.

Yeah, I would have had a look to see what, if anything, was showing in the page code except at that precise moment, when anti-virus alerts started popping off in my face, my wireless mouse died. Spooky. My feeling is, whenever I really need the thing it goes on strike for 'More power, please' (dodgy but very polite recharge circuit built in Canada). Selective memory, I'm sure, but it certainly "feels" uncanny.
Farelf Posted August 21, 2007

Finally the exploit site is offline. This is one instance where the criminal would be wanting the host server (undoubtedly a 'bot) to stay up as long as it could (to recruit more zombies). Maybe this indicates that those attacking the domain registrations are doing some good, insofar as this one used the literal address instead of a domain address when, all other things being equal, a domain address would be a far better option in terms of hanging around to do its work regardless of the fate of the individual host servers. But if the bot herders are running out of registrars ... Just a dream, I suppose (where's the emoticon for "wistful").
GraemeL Posted August 21, 2007

I got a couple of these today with different target servers. Sorry, no trackers available yet. I quick-reported them and they are still in the processing queue. They claimed to be from a Web Player (whatever that is) site and a cooking site. My first reaction was that it was probably a morph of the Storm worm. I fed it into VirusTotal and it appears to be something else:

    Antivirus          Version         Last Update  Result
    AhnLab-V3          2007.8.22.0     2007.08.21   -
    AntiVir            7.4.1.62        2007.08.21   WORM/Zhelatin.Gen
    Authentium         4.93.8          2007.08.20   Possibly a new variant of W32/Fathom.2-based!Maximus
    Avast              4.7.1029.0      2007.08.20   -
    AVG                7.5.0.484       2007.08.20   Downloader.Tibs.7.D
    BitDefender        7.2             2007.08.21   -
    CAT-QuickHeal      9.00            2007.08.21   (Suspicious) - DNAScan
    ClamAV             0.91            2007.08.21   -
    DrWeb              4.33            2007.08.21   Trojan.Packed.142
    eSafe              7.0.15.0        2007.08.20   Suspicious Trojan/Worm
    eTrust-Vet         31.1.5076       2007.08.21   Win32/Sintun.AC
    Ewido              4.0             2007.08.21   -
    FileAdvisor        1               2007.08.21   -
    Fortinet           2.91.0.0        2007.08.21   -
    F-Prot             4.3.2.48        2007.08.20   W32/Fathom.2-based!Maximus
    F-Secure           6.70.13030.0    2007.08.21   -
    Ikarus             T3.1.1.12       2007.08.21   -
    Kaspersky          4.0.2.24        2007.08.21   -
    McAfee             5101            2007.08.20   -
    Microsoft          1.2803          2007.08.21   -
    NOD32v2            2473            2007.08.21   -
    Norman             5.80.02         2007.08.21   -
    Panda              9.0.0.4         2007.08.21   -
    Prevx1             V2              2007.08.21   -
    Rising             19.37.12.00     2007.08.21   -
    Sophos             4.20.0          2007.08.21   Mal/Dorf-E
    Sunbelt            2.2.907.0       2007.08.21   VIPRE.Suspicious
    Symantec           10              2007.08.21   Trojan.Packed.13
    TheHacker          6.1.8.171       2007.08.21   -
    VBA32              3.12.2.2        2007.08.21   MalwareScope.Worm.Nuwar-Glowa.1
    VirusBuster        4.3.26:9        2007.08.20   -
    Webwasher-Gateway  6.0.1           2007.08.21   Worm.Zhelatin.Gen

    Additional information
    File size: 114648 bytes
    MD5:  a6aa170889347b23e035d9fb06873155
    SHA1: 17beeaa70307625d6bec48bdbe3c6de3438d46d2
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Looks like other malware producers have noticed the success of the Storm social engineering approach and decided to throw their own variation into the mix.

Edit to add - The target boxes were both on cable connections, one in the US and one in Argentina.

Second edit to add - Always check SANS before doing any research. SANS diary entry says it is a Storm morph. You can read it: here
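GraemeL's VirusTotal paste above is the kind of semi-structured text that gets dumped into tickets and forum posts, and the headline number (how many of the 32 engines flagged it, and how many of those were generic heuristic verdicts rather than named signatures) is worth extracting mechanically. As an added example that is not part of the thread, here is a small Python parser for that tabular format: it recovers one record per engine, treats "-" as no detection, and separates heuristic or generic verdicts from named ones. The report text is transcribed from the post as constructed input; the keyword list used to call a verdict "heuristic" is my own assumption.

```python
"""Parse a pasted VirusTotal result table into records and summarise the
detection ratio. Added example; the sample text is the 2007 report quoted in
the thread, transcribed here as constructed input."""
import re
from collections import Counter

VT_REPORT = """\
Antivirus          Version         Last Update  Result
AhnLab-V3          2007.8.22.0     2007.08.21   -
AntiVir            7.4.1.62        2007.08.21   WORM/Zhelatin.Gen
Authentium         4.93.8          2007.08.20   Possibly a new variant of W32/Fathom.2-based!Maximus
Avast              4.7.1029.0      2007.08.20   -
AVG                7.5.0.484       2007.08.20   Downloader.Tibs.7.D
BitDefender        7.2             2007.08.21   -
CAT-QuickHeal      9.00            2007.08.21   (Suspicious) - DNAScan
ClamAV             0.91            2007.08.21   -
DrWeb              4.33            2007.08.21   Trojan.Packed.142
eSafe              7.0.15.0        2007.08.20   Suspicious Trojan/Worm
eTrust-Vet         31.1.5076       2007.08.21   Win32/Sintun.AC
Ewido              4.0             2007.08.21   -
FileAdvisor        1               2007.08.21   -
Fortinet           2.91.0.0        2007.08.21   -
F-Prot             4.3.2.48        2007.08.20   W32/Fathom.2-based!Maximus
F-Secure           6.70.13030.0    2007.08.21   -
Ikarus             T3.1.1.12       2007.08.21   -
Kaspersky          4.0.2.24        2007.08.21   -
McAfee             5101            2007.08.20   -
Microsoft          1.2803          2007.08.21   -
NOD32v2            2473            2007.08.21   -
Norman             5.80.02         2007.08.21   -
Panda              9.0.0.4         2007.08.21   -
Prevx1             V2              2007.08.21   -
Rising             19.37.12.00     2007.08.21   -
Sophos             4.20.0          2007.08.21   Mal/Dorf-E
Sunbelt            2.2.907.0       2007.08.21   VIPRE.Suspicious
Symantec           10              2007.08.21   Trojan.Packed.13
TheHacker          6.1.8.171       2007.08.21   -
VBA32              3.12.2.2        2007.08.21   MalwareScope.Worm.Nuwar-Glowa.1
VirusBuster        4.3.26:9        2007.08.20   -
Webwasher-Gateway  6.0.1           2007.08.21   Worm.Zhelatin.Gen
"""

# engine, version and date never contain spaces; the result may, so it is the
# greedy tail of the line. The header row has no date and is skipped.
RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# Assumption: words that mark a verdict as generic/heuristic rather than a
# named signature. Adjust to taste; this is not a VirusTotal convention.
HEURISTIC_RE = re.compile(r"suspicious|possibly|generic|\.gen\b", re.IGNORECASE)


def parse_vt(text):
    """Return one dict per engine row; result is None when the engine saw nothing."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # header, blank, or trailing 'Additional information' lines
        engine, version, updated, result = m.groups()
        records.append({"engine": engine, "version": version, "updated": updated,
                        "result": None if result == "-" else result})
    return records


def summarize(records):
    """Detection ratio plus which verdicts look heuristic and which are named."""
    detected = [r for r in records if r["result"]]
    heuristic = [r for r in detected if HEURISTIC_RE.search(r["result"])]
    return {
        "total": len(records),
        "detected": len(detected),
        "heuristic": len(heuristic),
        "engines": sorted(r["engine"] for r in detected),
        "names": Counter(r["result"] for r in detected),
    }


if __name__ == "__main__":
    s = summarize(parse_vt(VT_REPORT))
    print(f"{s['detected']}/{s['total']} engines flagged the sample, "
          f"{s['heuristic']} of them on heuristics only")
    for name, n in s["names"].most_common():
        print(f"  {n}x {name}")
```

The same regex copes with a report pasted line-per-engine from the VirusTotal page; the flattened single-line form the forum produced needs the rows restored first, which is what the reformatted table above did by hand.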
qjvgpuryy Posted August 21, 2007

I think I'm seeing the same things, only from 'Cat Lovers' and 'Downloader Heaven' (among others). I'd post some tracking URLs, but I haven't received the e-mail notice back yet.
Farelf Posted August 21, 2007

Me too - one with subject "Please Confirm" conveying an invitation to follow the (literal address - US) link to fix up my membership with something known as "Ringtone Heaven" just now. Of course I saw through their fiendish plot in an instant. Little could they know I am the last male under 90 years of age anywhere in the western world who doesn't have a cell/mobile phone or whatever they call the things these days (seems telephony has vanishingly little to do with it in any event).

Incidentally, even when submitting through the website page it is taking an age for the report history to update. Parsing and report clearance seem to be progressing normally though, no undue delay there.

[added] Oh, by the way, the exploit on the target site in this instance was recognized by LinkScanner. I would certainly not be relying on that though, nor on any supposed security features of any Windows browser, far less on anyone's AV definitions to save you. Never follow the links!
qjvgpuryy Posted August 22, 2007

> Little could they know I am the last male under 90 years of age anywhere in the western world who doesn't have a cell/mobile phone or whatever they call the things these days (seems telephony has vanishingly little to do with it in any event).

That must make me second to last.
rconner Posted August 22, 2007

> Little could they know I am the last male under 90 years of age anywhere in the western world who doesn't have a cell/mobile phone or whatever they call the things these days (seems telephony has vanishingly little to do with it in any event)

I just asked my cell provider to block all SMS in or out in order that I could escape the spam. Getting all this extra unknown and unwanted stuff with a cell phone reminded me of the old Monty Python episode where you got a free hundredweight of dung with every book-of-the-month-club purchase; this offer was in the fine print "...so as not to affect sales."

-- rick
Farelf Posted August 23, 2007

> ...Incidentally, even when submitting through the website page it is taking an age for the report history to update. Parsing and report clearance seem to be progressing normally though, no undue delay there. ...

The slow history update was one thing fixed in the maintenance session which followed that post. Member report history seems to be back to fairly well immediate update.

> That must make me second to last.

We're the last of the Luddites David. Is the Butlerian jihad ("Dune", etc.) seeming a little less of a fantasy or what?

> ...Getting all this extra unknown and unwanted stuff with a cell phone reminded me of the old Monty Python episode where you got a free hundredweight of dung with every book-of-the-month-club purchase; this offer was in the fine print "...so as not to affect sales."...

Heh heh. The receiver had to pay for SMS for a (brief) while in Oz. Can you imagine? Just as whacky, the websites now refusing access to Firefox browsers (and other browsers using specific advertisement blocking add-ins). I'm hearing refusal to accept/view advertisements described as "theft". While I'm "on a roll" with the science fiction theme, this is getting really close to the "Gravy Planet" (aka "The Space Merchants") scenario by Cyril Kornbluth and Fred Pohl (1952) - think the back-drop to the city scenes in "Bladerunner".