Watch Free Movie - Update Every Hour!


Farelf

For several weeks I have been seeing an increasing volume of 'news' spam with curiously mismatched subject and body - like http://www.spamcop.net/sc?id=z2108631583za...48196decd4d9b1z

"Subject: Steve Jobs' vital signs show weakening"

Body "Arnold Schwarzenegger quits as Governer"

The payload URLs are unrelated to either - Googling shows the single-line webpage descriptor "Watch Free Movie - Update Every Hour!". Some of these carried one (at least) of several exploits (fake CODEC being the most common). Hokay - botnet recruiting, understood. Many returned blameless scans (LinkScanner Online). Which is a worry. (Decoy or undetected exploit?) [incidentally - many of the spam claim to be "Using Opera's revolutionary e-mail client:" and kudos to SC for pulling the parser away from the Opera URL quite quickly - after a day or two at most the parser ignored it.]

Today's batch (larger than yesterday's) all scanned clean. Which is a real worry. What is going on? The payload URLs all seem to be different so it's not simple SEO.

Googling "Watch Free Movie - Update Every Hour!" produces pages and pages of hits with the same single line webpage descriptor (about 254 out of 537 hits and rising). So, I'm assuming these are all related. CastleCops notes a malware connection to spam in the "Free Movie" sites case - http://www.castlecops.com/p1107673-Watch_F...ur.html#1107673 (CAUTION - live links there). So, clean scans or not, it is probably still 'just' a malware distribution thing in which case the variation in exploits is a worry, as is the ability to effortlessly keep in front of/avoid LinkScanner.

Browsers (on some networks) can be redirected 'mid stream' using DNS exploits to malicious sites and maybe the utilization of that might require a whole army of different URLs (to avoid blocking) and none of those websites actually needs to be an exploit site in its own right (it would not even be seen when the redirection works), which is another possibility.

Ah well, paranoia shared is paranoia divided as many times. Or is that multiplied? I always get confused on that point. :D


I have been getting a dozen of these daily, you have to wonder why these idiots think it will eventually work with the likes of us that take the precautions and report them as well. But then again, I never thought I would figure them out, nor do I care to. I do want to see them magically vanish if that's too much to hope for. Maybe I have to use my magic wand?


I have been getting a dozen of these daily, you have to wonder why these idiots think it will eventually work with the likes of us that take the precautions and report them as well. But then again, I never thought I would figure them out, nor do I care to. I do want to see them magically vanish if that's too much to hope for. Maybe I have to use my magic wand?
:D Indeed, but you have to find the perpetrators first before inserting it. Congratulations on making the 65,000th post by the way.

They don't mind being reported, their whole operation is diffused in both the 'servers' they send from and the lure sites towards which they direct the unwary, it is all too nebulous to be harmed by direct attack. A tiny proportion of our fellow internet users go to those places, an even smaller part of those end up infected so the perpetrators continue to grow their empire(s). A 'mastermind' botmaster and trojan writer was tracked down with much effort and prosecuted - and escaped even detention, the botnets erupted in celebration the very day he walked free [1] (may a Border-Leicester gore the little bugger in his Aotearoa fastness).

[1] [on edit - mentioned here - http://forum.spamcop.net/forums/index.php?...ost&p=65624]

Edited by Farelf

These seem to have been replaced on 5 August by the CNN.com Daily Top 10 variety - http://www.spamcop.net/sc?id=z2133209229za...dd0b20e0457961z

These have multiple links (to the same infector site for each spam) and use actual CNN images which no doubt make them seem very convincing to those with "remote images" enabled on their browsers, especially actual CNN Daily Top 10 subscribers. See http://blog.mxlab.be/2008/08/04/cnn-daily-...osting-malware/ (and read the feedback which is really scary in terms of the lack of caution being displayed out in "the world" - and I'd have sworn that crocodile was looking the other way first time I loaded that page).

With these spam, the bogus links are *all* infector sites - and with a considerable persistence, one of the 6 August ones I saw is/was still up although possibly cleansed (LinkScanner has a memory - an added pain for those who are hacked). These sites however *are* a little tricky to scan with LS too, sometimes giving an initial clean scan and subsequently LS claiming an exploit. LinkScanner online's reading (where an actual exploit is detected as opposed to their "Known malware distributor" warning) is:

"DANGEROUS: LinkScanner Online has found

[Trojan Fake Codec]"

These seem to me to be all/mostly hacked sites but in great quantity - the volume of these spam has been going up daily, as did their precursor "Watch Free Movie" type, until replaced. Recruiting. I guess bigger botnets are in our future. I'll bet Charlie from "Numb3rs" could track the botmaster down - "the multi-phasic dimensional analysis of bimodal transactional differentials," I can hear him now. Or applied Chebyshev analysis (but that always comes out "0"). I need more sugar.

[on edit] And, just in, what appears to be an emerging "CNN" variant - CNN Alerts: My Custom Alert - http://www.spamcop.net/sc?id=z2133929126zd...42e3427c528c2az


Fear not Dr. A, you are not suffering alone. Typical spammers - the carefully crafted illusion that these are legitimate, trustworthy messages (indeed they sail through many mere content filters) is instantly destroyed when they hit us with impossible quantities of the things.

Alternatively network wars may have gotten "real". I notice the "unsubscribe" links are legitimate. And a lot of people must be hitting that link at least, going by the sample of comments seen elsewhere. If any of those were actual subscribers to the proper services I guess there would be those who would benefit. Nah, corporate America doesn't play those sort of games, does it?


No reports re the exploit/infector site in http://www.spamcop.net/sc?id=z2141453332ze...42d5f9342b6a9cz because softlayer.com was refusing notification.

Yet interprom cnncurrent page was/is still showing DANGEROUS: LinkScanner Online has found [Trojan Fake Codec] But We are a no-spam network.

    H:\>nslookup interprom.su
    ...
    Non-authoritative answer:
    Name: interprom.su
    Address: 67.228.189.128

    H:\>whosip 67.228.189.128
    WHOIS Source: ARIN
    IP Address: 67.228.189.128
    Country: USA - Minnesota
    Network Name: NET-67-228-189-128
    Owner Name: SoftLayer Technologies Inc.
    From IP: 67.228.189.128
    To IP: 67.228.189.191
    Allocated: Yes
    Contact Name: SoftLayer Technologies Inc.
    Address: 1020 Toledo Ave. N, Golden Valley
    Email: ipadmin[at]softlayer.com
    Abuse Email: abuse[at]softlayer.com
    Phone: +1-214-442-0605
    Fax:

Something doesn't add up, does it? How long should it take to pull a hacked page and patch CPanel? Knowingly hosting exploits is actually worse than straight-out spamming in my book (it's a matter of the potential to cause harm, harm here being the multiplication of botnet elements, leading to yet more spam).


As I recall, the rash of these exploited sites is due to a vulnerability in the last Wordpress release, where file/link injection was occurring. I've seen several variations, from the 'best' folder to the CNN html. I believe the html based links are from password-hacked sites and the php based ones are link/file injection.


Is there no end to their iniquity? Latest version comes pre-marked with **SPAМ** (sorry Hormel, just telling it) in the subject, just as inserted by some spam filters, with a highlighted link:

"If this email is not spam, click here to submit the signatures to FortiGuard - AntiSpam Service." pointing to our old friends nospammer.net - http://forum.spamcop.net/forums/index.php?showtopic=8278

Tracker http://www.spamcop.net/sc?id=z2147468501z4...f79e336023444fz

*Still* not completely sure just what that FortiGuard link might do but it is probably just mimicking what a real CNN alert would look like now they're subject to unprecedented scrutiny - or could be whitelisting 'something'. Another attempt at appearing legitimate or maybe going a little further? And yes, the customary exploit link appears elsewhere in the message too. Which the parser tends to overlook while running after the nospammer.net link (I unchecked reports to them) - but I don't think that is the 'real' purpose of the nospammer/FortiGuard inclusion - but you never know.

Not sure they really have to try that hard - going by Didier Stevens' "Get it infected Here" experiment - or how to recruit for botnets at 6 cents a unit.


Keen haters of this botnet recruiting 'genre' will have noted a change to msnbc.com - BREAKING NEWS: ... replacing the CNN stuff (but otherwise much the same).

The latest revolting turn of events is the return of the "CNN Daily Top 10" but with links to all different exploit sites (instead of just the one) and many more (legitimate) CNN links. The parser sometimes/maybe often gets sidetracked into resolving the CNN links then drops into the (once) familiar "too many links" fug. Net result, hosts receive no routine heads up that sites in their netspace have been hacked (or are owned by the ungodly in whatever way. I was noticing many of the 'one trick pony' types lead to a site where the exploit page had already been taken down, weekends excepted, indicating to me they had been hacks).

But it looks like it will actually resolve a few of the baddies other times (different "if reported today" results when viewing through the tracking link). Then some would get reported.

http://www.spamcop.net/sc?id=z2162017334za...0a5be365a14150z

As I have indicated before, these exploit sites deserve much more attention than the commercial spamvertized websites. They are actively trying to (ultimately) make our lives much worse. Not to mention the innocent (too innocent) people whose computers they infect with the consequent multiple undesirable results.

This new variety is probably/may be large enough to slip through filters with the 'too big for spam' rule which were fairly common last time I looked. {sigh} those were the days.
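
One way to separate the borrowed CNN links from the off-brand targets in a message like the ones described above, so the hosts worth notifying are listed without wading through the legitimate links. This is an added example, not part of the thread and not SpamCop's parser; the function names and every hostname and path in the sample are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect anchor targets and remote image sources from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

def host_in_brand(url, brand):
    """True only for the brand domain itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == brand or host.endswith("." + brand)

def triage(html_body, brand):
    """Separate borrowed brand links from the off-brand targets worth reporting."""
    c = LinkCollector()
    c.feed(html_body)
    off = sorted({u for u in c.links
                  if urlsplit(u).scheme in ("http", "https")
                  and not host_in_brand(u, brand)})
    borrowed = [u for u in c.links + c.images if host_in_brand(u, brand)]
    return {
        "brand_links": sum(host_in_brand(u, brand) for u in c.links),
        "brand_images": sum(host_in_brand(u, brand) for u in c.images),
        "off_brand_links": off,
        "executables": [u for u in off
                        if urlsplit(u).path.lower().endswith(".exe")],
        # Brand assets plus any link leaving the brand domain: the pattern above.
        "suspicious": bool(borrowed) and bool(off),
    }

# Constructed sample; hostnames and paths are illustrative, not from real spam.
SAMPLE = """
<img src="http://i.cdn.cnn.com/logo.gif">
<a href="http://www.cnn.com/2008/top10/">CNN Daily Top 10</a>
<a href="http://hacked-site-one.example/cnncurrent.html">Story one</a>
<a href="http://hacked-site-two.example/news/video_3.exe">Story two</a>
<a href="http://www.cnn.com/unsubscribe">Unsubscribe</a>
"""
```

A genuine newsletter can also link to third-party tracking or advertising hosts, so the `suspicious` flag is a triage signal for a human reporter rather than a verdict.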


And then they were gone. Folded their tents in the night and faded away before dawn. No more of this particular 'genre' seen. Ran out of hacked/complicit sites? (They were starting to be shut down or to have their hacked page pulled quite quickly after a time). Ran out of budget? (Recalling a figure of 6 cents each compromised machine). Met their recruitment targets? (Heaven help us.) Filtered out of existence? (But how to do that without killing the real newsletters in quantity?) Tracked down and eliminated? (If only ... there again, giving the bird to the networks may not be the most peaceful of pastimes.)

There are 'similar' things going out in lesser numbers - like http://www.spamcop.net/sc?id=z2167630586za...aa46a299897556z which may have bugging capability (call on a remote image) and surely point to a nasty - http://www.virustotal.com/analisis/7c0bd73...67d6580137b4fde - should anyone care to download and/or run the thing (LinkScanner OnLine gives no warning about the target 'page'). And there's others which go to a possible exploit site of unknown puissance (via a redirection, again without LinkScanner alarm) instead of going directly to the download/run executable (these are most like the type seen at the beginning of this topic but, so far, without the trademark disassociation of subject and body). But these are less deceptive than the CNN and MSNBC ones which stole actual subjects, 'From:' addresses, formatting and content from the real news services to cloak their 'special' target sites.

Anyway, I'm guessing they'll be back, sometime. Not the first time they've been around (vague memories) so certainly unlikely that it's the last. And cycle times tend to shorten ... But I'm surprised they're gone so quickly this time. Divine intervention? Maybe only a test run? KnujOn, CastleCops/Complainterator deserve a vote of thanks?


Aagh. Another CNN one over the weekend. But just the one. And loads more of the 'new' ones, apparently to exploit sites containing like .../video_3.exe (except LinkScanner online invariably recognizes nothing there for these ones). Example - http://www.spamcop.net/sc?id=z2183626635z6...d4e3ced51c60edz

Well, I'm not alone - "What is this?" and "spam from the botnet, for the botnet" - Michael Roberts has made a bit of a project out of studying and classifying these things and details them in their many-splendored variety with far more endeavor, science, knowledge and (yes) humor than have I. And he offers up some interesting thoughts and hypotheses along the way.

For many of us, spam and spammers are principally useful only in offering a way-point on the personal scale of delectability somewhere between fresh dingo droppings and a brown bear's bung-stopper - yet, as Sun Tzu pointed out, one must know the enemy to prevail against him even half the time. In such spirit are these offerings made.
