Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« Fake BBB Malware Lure | Main | The Mysterious Parcel Syndrome »

December 27, 2011

Post-Christmas Malware Lure

This one has all the hallmarks of a so-called script kiddie. It's school holiday time for lots of teenagers around the world, so it's not unusual to see a rise in what these kids think is clever fooling around to earn some pocket money. Ultimately, the email link (if it had been executed properly) leads the unsuspecting recipient to the old main.php program, which serves up a boatload of obfuscated JavaScript malware loading code.

To get the recipient all riled up, the crook employs a common tactic:

Subject: Re:IRS NOTIFICATION:-Complaint against your business af8d0a35bfd97efb

Nothing like invoking the tax folks to get the adrenalin flowing.

The message body goes horribly wrong in the way it had been deployed, but here's what shows up in my email client:

308389540413

852-78-0055
<!--We regret_to_inform_you, that link--> goo.gl/[removed]

The HTML commented part looks like the start of boilerplate code, complete with a mail merge-like placeholder (the underscored bit). From the looks of it, the kid screwed up the composition of the body and didn't test before deploying (Kids!). He (or she) did insert an active URL, using a Google URL shortener, but not as a clickable link. To save you the trouble of copying the URL and pasting it into a browser, the journey continues through a freshly-minted domain containing further redirection until your browser lands at an India-based server hosting the main.php program. That's where the JavaScript looks for all the usual Windows security holes.

At the same time, the malware lure campaign using a phony contract as bait continues. Today's installment makes it sound like the contract process has gone further until the latest snafu:

Subject: The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
NEW_Contract.doc 20kb


With Respect
Jorge Prescott


MD5 check sum: 8c46c46c4138ce9a52180726c413338c

As before, the link is not to an attached document but to a Russian server hosting the main.php code.

Ya de yadda.

Posted on December 27, 2011 at 12:13 PM