A Dispatch


September 01, 2008

Malware Spam for a September Morn

Ah, it's a new month, and here in the U.S., we have the Labor Day holiday. Except for those whose holiday is being stolen by the Gustav hurricane, there will be lots of picnics, ball games, and end-of-summer parties. In the meantime, your email inbox is filling up with the usual crappage.

On the malware lure front, a long-running e-card scam is continuing, as the perps take over additional web sites to host their downloadable deliveries. New this morning are a couple of strange malware lure samples whose Subject: lines drop the names of—ta-da—Obama and McCain. The actual Subject: lines I've seen don't make much sense, but what else is new?

  • Obama Announces for President -- In Hit Show '24'
  • McCain, Obama: Cosmo Cover Also Tasteless, Offensive
  • Obama Promises Change for a Nation, Change For a Twenty

The messages encourage you to follow a link to a hijacked web site, where the crooks have inserted a page named index98.html. A visit to the page automatically downloads video98.exe (for which VirusTotal shows a very high recognition rate). Whether or not the auto-download works, a visitor to the page (why are you doing that?) sees the following:

[Screenshot: Malware site prompt to download video codec]

What looks like a dialog box is actually an absolute-positioned div element—a Dynamic HTML technique used by some to create content that is draggable around the browser window. Unlike a real dialog box, however, if you try to drag this one beyond the edge of the browser window, it is clipped by the browser window. In the meantime, the image of the video viewer—and that's all it is: an image—is an animated .gif image with the spinner spinning away, as if the player is "tapping its foot" waiting for the visitor to act.
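For anyone triaging pages like this one, the two traits described above (an executable fetched from the page plus an absolutely positioned div posing as a dialog) can be checked statically. The sketch below is an added example, not code from the original post or from the lure page; the post does not say how the automatic download is triggered, so the meta-refresh and frame mechanisms, the sample markup, and the names `popup` and `player.gif` are assumptions.

```python
import re
from html.parser import HTMLParser

EXE = re.compile(r"[^\s\"'<>;=]+\.exe\b", re.I)
ABSOLUTE = re.compile(r"position\s*:\s*absolute", re.I)

class LureScanner(HTMLParser):
    """Collects (indicator, detail) pairs from one HTML page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        # Fake dialog: a div pulled out of the flow with an inline style.
        if tag == "div" and ABSOLUTE.search(a.get("style", "")):
            self.findings.append(("overlay-div", a.get("id", "")))
        # Download with no click (assumed mechanisms: meta refresh, frame).
        target = ""
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = a.get("content", "")
        elif tag in ("iframe", "frame"):
            target = a.get("src", "")
        m = EXE.search(target)
        if m:
            self.findings.append(("auto-download", m.group(0)))
        # The link the fake dialog's button points at.
        m = EXE.search(a.get("href", "")) if tag == "a" else None
        if m:
            self.findings.append(("exe-link", m.group(0)))

def scan(html):
    scanner = LureScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def is_codec_lure(html):
    """True when an executable fetch and a positioned overlay co-occur."""
    kinds = {kind for kind, _ in scan(html)}
    return "overlay-div" in kinds and bool(kinds & {"auto-download", "exe-link"})

# Constructed sample; only the name video98.exe comes from the post.
SAMPLE = """<html><head><meta http-equiv="refresh" content="0; url=video98.exe">
</head><body><img src="player.gif">
<div id="popup" style="position: absolute; top: 120px; left: 200px">
Video codec required <a href="video98.exe">Continue</a></div></body></html>"""
```

The check reads inline styles only; a div positioned from a stylesheet or by script would need the CSS resolved before this heuristic sees it.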

What strikes me most about this page, however, is the choice of page title, which appears in the browser window's titlebar. It's either a leftover from some other campaign, or it's the final "grabber" to encourage visitors to download that malware loader...I mean, video codec.

But the email messages were about politics. As if politics and porn are somehow related....

Posted on September 01, 2008 at 09:45 AM