A Dispatch

July 14, 2008

Another Day, Another Load [Updated 2]

I've been busy today away from the spam world, but I just wanted to comment briefly on a couple of items I saw in circulation.

The first is a modern variation on the 419 advance-fee scam. Instead of some prince bequeathing millions to me because he died in a car accident while on vacation without a will or living heirs (sheesh), this is a short and sweet invitation to the gullible and greedy:

From: <david@[removed].com>
Subject: ATM CARD

This is to officially inform you that ATM Card with a fund worth $6.8 Million Dollars has been accredited in your favor, Please Contact Mrs. Linda Hill (lindhill@[removed].net) With the following,

Full Name:
Delivery Address:
Age:
Occupation:
Phone Number:
Country:

Best Regards.
Senator David Mark

Needless to say, the email address of my supposed contact person is at a free email hosting service. And a Google search of "Senator David Mark" shows it to be a longtime email scam name for a variety of 419 and other "offers."

Too bad. I could use $6.8 mill about now. What I'd really like to do is take that card and try to empty it in one visit...and watch the ATM implode.

Second, and more bizarre, is the following:

Subject: Cheap fuel available in Texas

Magic Johnson dies of AIDS at 49
http://[removed].ru/main.html

Aside from the disconnect between Subject: and body, the message displays a level of cruelty that is downright sick. The destination Russian web site uses no fewer than three ways to try to download view.exe:

  1. Through a clickable link on the page surrounding an image (only) of a YouTube knock-off video player (complete with added animated .gif spinner and words encouraging you to click to play the video).
  2. An automatic <META> refresh tag.
  3. A hidden iframe that loads and runs a JavaScript script to exploit old Internet Explorer vulnerabilities as a way to download and then run the file.

Obviously, the execution of this campaign is rather slapdash—not something usually associated with the Storm business. The scripting isn't anything interesting, and the view.exe file is already recognized by over 70% of the VirusTotal tests. Even so, those who might fall for this sick gag would be least likely to have up-to-date PCs—or know to check with real news sites.
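For defenders triaging a page like this, the three delivery methods described above can be spotted statically before anything executes. The scanner below is an added example, not code from the post; the HTML it inspects is a constructed stand-in for the described page (the host name `example.invalid` and file name `ld.html` are placeholders).

```python
"""Heuristic scan of fetched landing-page HTML for the three executable-delivery
patterns described in the post: a clickable link to an .exe, a <META> refresh
pointing at an .exe, and a hidden <iframe>. Added example; sample HTML is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


def points_to_exe(url):
    """True when the URL path names a Windows executable (query string ignored)."""
    return urlparse(url or "").path.lower().endswith(".exe")


class LandingPageScanner(HTMLParser):
    """Collects (method, target) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and points_to_exe(a.get("href")):
            self.findings.append(("link_to_exe", a["href"]))           # method 1
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))               # "0; url=..."
            if m and points_to_exe(m.group(1)):
                self.findings.append(("meta_refresh_to_exe", m.group(1)))  # method 2
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))  # method 3


def scan_page(html):
    """Return the list of suspicious delivery vectors found in the HTML."""
    parser = LandingPageScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample mimicking the layout the post describes (not the real page).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5; url=http://example.invalid/view.exe">
</head><body>
<a href="http://example.invalid/view.exe"><img src="player.gif" alt="play"></a>
<iframe src="http://example.invalid/ld.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for method, target in scan_page(SAMPLE_HTML):
        print(f"{method}: {target}")
```

A page that trips all three checks is a strong block/alert candidate; a hidden iframe alone warrants fetching its `src` in a sandbox for further inspection.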

Well, back to the grindstone to see if I can ever catch up on my behind.

UPDATE (14Jul2008/11:00PDT): The second item above has some company. Not as sick content-wise, but perhaps even more alluring to the unaware:

Subject: New Star Wars movie to be released

Your friends have requested you to join them online
http://[removed].org/main.html

Same malware loading scheme as above. I suppose we'll see a ton of unrelated variations on the theme. The only thing that the email messages have in common is the URL to a page named main.html.

UPDATE (16Jul2008/09:25PDT): The campaign continues, with additional disconnects between Subject: line and message body, probably just selected at random from lists inside the bot's spamming program. Things like:

Subject: Rat poison found in bottled waters

Our boss just screwed her real good
http://www.[removed].com.br/about.html

The destination URL for this one now ends in about.html. The page itself tries to load watch.exe via the same three methods described above. On the other hand, the crook has now attempted to obfuscate the JavaScript delivered to the hidden iframe. He managed to find a huge obfuscation library, and uses 400 lines of JavaScript code ultimately to generate a very simple script—the same one described above to exploit woefully unpatched PCs.

Posted on July 14, 2008 at 07:13 PM